HackMD- Yuki MIZUNO·Last edited by Yuki MIZUNO on Dec 11, 2016Linked with GitHub
tinypad
問題概要
ジャンル
exploit
点数
300points
問題文
Host : tinypad.pwn.seccon.jp
Port : 57463
Heap Fun as a Service!
tinypad (SHA1 : 0e6d01f582e5d8f00283f02d2281cc2c661eba72)
libc-2.19.so (SHA1 : 8674307c6c294e2f710def8c57925a50e60ee69e)
フラグ
???
挑戦者
pinksawtooth
解法
議論
初動調査
root@kali:~/Desktop# file tinypad
tinypad: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1333a912c440e714599a86192a918178f187d378, not stripped
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : FULL
root@kali:~/Desktop# readelf -r ./tinypad
Relocation section '.rela.dyn' at offset 0x520 contains 13 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000601f98 000600000006 R_X86_64_GLOB_DAT 0000000000000000 free@GLIBC_2.2.5 + 0
000000601fa0 000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __errno_location@GLIBC_2.2.5 + 0
000000601fa8 000700000006 R_X86_64_GLOB_DAT 0000000000000000 _exit@GLIBC_2.2.5 + 0
000000601fb0 000b00000006 R_X86_64_GLOB_DAT 0000000000000000 strcpy@GLIBC_2.2.5 + 0
000000601fb8 000300000006 R_X86_64_GLOB_DAT 0000000000000000 toupper@GLIBC_2.2.5 + 0
000000601fc0 000800000006 R_X86_64_GLOB_DAT 0000000000000000 write@GLIBC_2.2.5 + 0
000000601fc8 000400000006 R_X86_64_GLOB_DAT 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000601fd0 000c00000006 R_X86_64_GLOB_DAT 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000601fd8 000500000006 R_X86_64_GLOB_DAT 0000000000000000 read@GLIBC_2.2.5 + 0
000000601fe0 000100000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
000000601fe8 000200000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
000000601ff0 000900000006 R_X86_64_GLOB_DAT 0000000000000000 malloc@GLIBC_2.2.5 + 0
000000601ff8 000d00000006 R_X86_64_GLOB_DAT 0000000000000000 atoi@GLIBC_2.2.5 + 0
mallocとfreeを確認。
root@kali:~/Desktop# ./tinypad
============================================================================
// _|_|_|_|_| _|_|_| _| _| _| _| _|_|_| _|_| _|_|_| \\
|| _| _| _|_| _| _| _| _| _| _| _| _| _| ||
|| _| _| _| _| _| _| _|_|_| _|_|_|_| _| _| ||
|| _| _| _| _|_| _| _| _| _| _| _| ||
\\ _| _|_|_| _| _| _| _| _| _| _|_|_| //
============================================================================
+------------------------------------------------------------------------------+
# INDEX: 1
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 2
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 3
# CONTENT:
+------------------------------------------------------------------------------+
# INDEX: 4
# CONTENT:
+- MENU -----------------------------------------------------------------------+
| [A] Add memo |
| [D] Delete memo |
| [E] Edit memo |
| [Q] Quit |
+------------------------------------------------------------------------------+
(CMD)>>> A
(SIZE)>>> 257
(CONTENT)>>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Added.
+------------------------------------------------------------------------------+
# INDEX: 1
# CONTENT: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
root@kali:~/Desktop# python -c "print len('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"
256
256文字以上は保存されない
