pwn6 (135pt)
Description
An homage to pwny.racing, we present… speedrun pwn challenges.
These bite-sized challenges should serve as a nice warm-up for your pwning skills.
Analysis
A warm-up task on the fini_array attack. The binary is a 64-bit ELF, statically linked, with no PIE.
Overview
main function:
    __int64 sub_400C22(){
Part of the sub_400B7E function:
    while ( dword_6D7330 <= 0 ){
In sub_400B7E we can modify one byte at a target address by XOR: *v7 ^= 1LL << v6;
But this function lets us modify only once, so we first need to modify dword_6D7330 (the variable that controls the loop).
By XORing many times we can set one byte to any value; here is the helper function:
    def modify(addr,data):
Solution
Infinite loop
Modify 0x6D7330 with 0x80000000; dword_6D7330 then becomes a negative number, so the loop condition stays true:
    modify(0x6D7330,0x80000000)
Modify fini_array
The function in fini_array is executed after main, so we can modify it to hijack rip.
    # gadget
Finally, SYS_execve('/bin/sh',0,0) is executed.
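As an added example (not part of this writeup or its exploit), the check a defender would run on a binary like this one: does the address of .fini_array lie in a writable PT_LOAD segment that no PT_GNU_RELRO region covers? A statically linked binary built without RELRO leaves .fini_array writable, which is what makes the hijack above possible. The ELF parser and the sample headers are constructed here, and the .fini_array address 0x6D7000 is a placeholder, not the challenge's value.

```python
import struct
PT_LOAD, PT_GNU_RELRO = 1, 0x6474E552  # ELF64 program header types
PF_W = 2

def parse_phdrs(elf):
    """Parse the program headers of a little-endian ELF64 image into dicts."""
    assert elf[:4] == b"\x7fELF" and elf[4] == 2, "need a 64-bit ELF"
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = fields
        phdrs.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return phdrs

def covers(p, addr):
    return p["vaddr"] <= addr < p["vaddr"] + p["memsz"]

def fini_array_writable(elf, addr):
    """True if `addr` (e.g. where .fini_array lives) stays writable at runtime:
    it is in a PT_LOAD with PF_W and no PT_GNU_RELRO region remaps it read-only."""
    phdrs = parse_phdrs(elf)
    in_rw_load = any(p["type"] == PT_LOAD and p["flags"] & PF_W and covers(p, addr) for p in phdrs)
    relro = any(p["type"] == PT_GNU_RELRO and covers(p, addr) for p in phdrs)
    return in_rw_load and not relro

def build_elf(segments):
    """Constructed ELF64 image with only headers, from (p_type, p_flags, vaddr, memsz) tuples."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9          # e_ident: ELF64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, 0, 0,
                        64, 56, len(segments), 64, 0, 0)  # EXEC, x86-64, phdrs right after ehdr
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, va, va, sz, sz, 0x1000)
                     for t, f, va, sz in segments)
    return ehdr + phdrs

FINI_ARRAY = 0x6D7000  # placeholder address, not the challenge's real .fini_array
# Constructed sample: static-style layout with RX text and RW data, no RELRO at all
NO_RELRO = build_elf([(PT_LOAD, 5, 0x400000, 0x1000), (PT_LOAD, 6, 0x6D0000, 0x10000)])
# Same layout plus a PT_GNU_RELRO region covering the data that holds .fini_array
FULL_RELRO = build_elf([(PT_LOAD, 5, 0x400000, 0x1000), (PT_LOAD, 6, 0x6D0000, 0x10000),
                        (PT_GNU_RELRO, 4, 0x6D0000, 0x8000)])

if __name__ == "__main__":
    print("no RELRO   -> writable:", fini_array_writable(NO_RELRO, FINI_ARRAY))    # True
    print("full RELRO -> writable:", fini_array_writable(FULL_RELRO, FINI_ARRAY))  # False
```

On a real binary, read the image with `open(path, "rb").read()` and take the .fini_array address from `readelf -S`; a True result means the binary is missing the full-RELRO mitigation that would stop this hijack.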
More
You can download the full exp from my github.
See more about the fini_array attack: ROP-with-fini-array