[Plaid 2014] pwnable : kappa
Zero Day, 2016.08.27 16:24
This challenge is also a stripped x86 ELF.
zero@ubuntu:~/Desktop/ctf/plaid2014$ file kappa
kappa: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.26, stripped
The memory protections applied to it:
zero@ubuntu:~/Desktop/ctf/plaid2014$ gdb -q ./kappa
Reading symbols from ./kappa...(no debugging symbols found)...done.
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : disabled
NX is enabled, and ASLR is on as well; since the binary is not PIE its own addresses are fixed, but libc and the stack are randomized.
Overall, the program is just a Pokémon game.
There are 3 types of Pokémon:
- 'Bird Jesus'
- 'Kakuna'
- 'Charizard'
No. 1 ('Bird Jesus') is given at the start; No. 2 and 3 can be caught by a kind of hunting.
A player can hold a maximum of 5 Pokémon.
When the player catches a 6th one, it has to replace one of the existing five.
puts("Oh no! you don't have any more room for a Pokemon! Choose a pokemon to replace!");
v8 = Select_Pokemon();
if ( v8 )                      // slot 0 ('Bird Jesus') can never be replaced
  if ( v8 <= 4 )               // slots 1..4 can
    free(*(&::ptr + v8));      // free whatever was in the slot...
    *(&::ptr + v8) = ptr;      // ...and store the new one, whatever its type
Here is the problem:
There are 3 types of Pokémon, but this code never checks the TYPE of the Pokémon it is replacing.
Different Pokémon have different structures. The artwork occupies 0xf ~ 0x204 in one layout and 0xf ~ 0x5ec in the other, so the layouts have different sizes, and when the larger one sits in a slot the code still treats as the smaller one, whatever the code reads past 0x204 comes out of the larger one's artwork.
So we can put a 'Charizard' into a slot that held a 'Kakuna'.
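To make that type confusion concrete, here is an added C model of it. This is my own illustration, not code from the challenge binary or from the original post: the struct layouts, the 32-bit "show" field kept right after the artwork, the slot array, the constants and every name are assumptions that only reproduce the artwork offsets quoted above, and the planted values are constructed. The unchecked replace mirrors the decompiled snippet; the checked one shows the type comparison the game is missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts that only reproduce the size mismatch the writeup
 * describes (artwork at 0xf..0x204 vs 0xf..0x5ec).  They are NOT the real
 * kappa structures.  "show" is kept as a 32-bit value because the target
 * is a 32-bit binary; it stands in for whatever the game keeps right after
 * the artwork. */
#define HDR           0x0f   /* name and type byte live before the artwork */
#define ART_SMALL_END 0x204
#define ART_LARGE_END 0x5ec

enum mon_type { MON_SMALL = 1, MON_LARGE = 2 };

struct small_mon {                      /* e.g. 'Kakuna' */
    char     name[HDR - 1];             /* offset 0x0 */
    uint8_t  type;                      /* offset 0xe */
    char     art[ART_SMALL_END - HDR];  /* offset 0xf .. 0x203 */
    uint32_t show;                      /* offset 0x204 */
};

struct large_mon {                      /* e.g. 'Charizard' */
    char     name[HDR - 1];
    uint8_t  type;
    char     art[ART_LARGE_END - HDR];  /* offset 0xf .. 0x5eb */
    uint32_t show;                      /* offset 0x5ec */
};

_Static_assert(offsetof(struct small_mon, show) == ART_SMALL_END, "small layout");
_Static_assert(offsetof(struct large_mon, show) == ART_LARGE_END, "large layout");

static void *party[5];   /* slot 0 is the starter, like the writeup's ::ptr */

/* Vulnerable replace, shaped like the decompiled snippet: free the old
 * occupant and store the new pointer without comparing types. */
void replace_unchecked(int slot, void *newmon)
{
    if (slot >= 1 && slot <= 4) {
        free(party[slot]);
        party[slot] = newmon;
    }
}

/* Hardened replace: both layouts keep the type byte at 0xe, so compare it
 * before accepting.  Returns 0 on success, -1 on a bad slot or a type
 * mismatch (the old occupant is left untouched). */
int replace_checked(int slot, void *newmon)
{
    if (slot < 1 || slot > 4 || party[slot] == NULL || newmon == NULL)
        return -1;
    uint8_t old_type = ((const struct small_mon *)party[slot])->type;
    uint8_t new_type = ((const struct small_mon *)newmon)->type;
    if (old_type != new_type)
        return -1;
    free(party[slot]);
    party[slot] = newmon;
    return 0;
}

/* What code that still treats the slot as a small_mon reads as "show". */
uint32_t small_view_show(int slot)
{
    return ((const struct small_mon *)party[slot])->show;
}

static struct small_mon *new_small(void)
{
    struct small_mon *k = calloc(1, sizeof *k);
    strcpy(k->name, "Kakuna");
    k->type = MON_SMALL;
    k->show = 0x08048000u;             /* constructed value, not a real address */
    return k;
}

static struct large_mon *new_large(uint32_t planted)
{
    struct large_mon *c = calloc(1, sizeof *c);
    strcpy(c->name, "/bin/sh");        /* the writeup puts "/bin/sh" in name */
    c->type = MON_LARGE;
    /* Artwork bytes that land exactly on the small layout's "show" field. */
    memcpy(c->art + (ART_SMALL_END - HDR), &planted, sizeof planted);
    return c;
}

/* Unchecked path: plant a value inside a large artwork, swap it into a slot
 * that held a small one, and return what the small view now reads as
 * "show".  The planted value comes straight back. */
uint32_t demo_unchecked(uint32_t planted)
{
    party[2] = new_small();
    replace_unchecked(2, new_large(planted));
    uint32_t seen = small_view_show(2);
    free(party[2]);
    party[2] = NULL;
    return seen;
}

uint32_t checked_seen;   /* what the slot reads after the refused swap */

/* Checked path: the same swap is refused (-1) and the Kakuna's own value
 * stays in place. */
int demo_checked(void)
{
    party[2] = new_small();
    struct large_mon *c = new_large(0x41424344u);
    int rc = replace_checked(2, c);
    checked_seen = small_view_show(2);
    free(c);
    free(party[2]);
    party[2] = NULL;
    return rc;
}
```

The artwork offset that matters is ART_SMALL_END - HDR = 0x1f5 bytes into the large artwork; everything written there and beyond is interpreted as the small layout's trailing fields by any code path that never re-reads the type byte.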
The scenario:
First, catch 4 Kakuna so we have 5 Pokémon (one Bird Jesus, the others Kakuna).
Second, 'walk_into_the_tall_grass' 2 times and run away each time; this pushes 'i' to 12, so the next encounter is 'Charizard'.
Third, now we meet 'Charizard', but before catching it we need to bring its health under 20, because the catch only works then.
puts("You throw a Pokeball!");
if ( health <= 20 )
printf("You couldn't catch %s!\n", buf);
Fourth, replace slot 2 with it.
Fifth, fill the artwork with the data we want.
Then we can leak any address and exploit with that.
I just used 'printf' to leak an address and get the libc base and the address of system.
Then I wrote "/bin/sh" into 'name'; it ends up at ebp + 8.
Final exploit code...