---
lang: ja-jp
breaks: true
---

ropsynth
===

## Problem overview

### Genre

~~Binary~~ <span style="font-size: larger">Binary PPC</span>

### Points

400 points

### Problem statement

ropsynth
ropsynth.pwn.seccon.jp:10000

Read "secret" and output the content such as the following code.

```
==
fd = open("secret", 0, 0);
len = read(fd, buf, 256);
write(1, buf, len);
==
```

### Flag

???

### Challenger

K_atc

## Solution

## Discussion

Is this one of those problems that only looks hard?
What is this, a ROP puzzle?

### surface analysis

```
[katc@K_atc dist]$ file launcher.elf
launcher.elf: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=3ae0cc9b881cf70a67c89900b162295185fd845b, not stripped
```

### first impression

The exploit target is launcher.elf.

ROP gadgets are passed in on standard input, but what can be used are __the ones prepared on the server side__.
gadgets is, naturally, an executable region (note that the mmap shown here only asks for PROT_READ|PROT_WRITE, so the region has to be made executable elsewhere in the binary before the chain runs).

```clike
gadgets = mmap((void*)0x00800000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
fread(gadgets, 1, 4096, stdin);
```

```python
# generate gadgets
gadgets = generate_gadgets()
encoded_gadgets = binascii.b2a_base64(gadgets).strip()
```

The ROP chain is also read from standard input, up to 4096 bytes.

```clike
char ropchain[4096];
fread(ropchain, 1, sizeof(ropchain), stdin);
```

data is a read/write-only region.

```clike
data = mmap((void*)0x00a00000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
strcpy(data, "secret");
```

The binary executes the ROP chain the user supplied (a hunch).

What has to happen next (guess):

* Read the contents of the "secret" file using only the permitted syscalls
* The string "secret" is already placed at the start of data

### ROP gadgets

Example of the gadgets handed out by the server:

```
   0: f4                    hlt
   1: f4                    hlt
   2: f4                    hlt
   3: f4                    hlt
   4: f4                    hlt
   5: f4                    hlt
   6: 0f 05                 syscall
   8: 5b                    pop rbx
   9: 48 81 f3 54 26 b6 25  xor rbx,0x25b62654
  10: 48 81 c3 e0 b6 0c 22  add rbx,0x220cb6e0
  17: 48 81 c3 38 64 d0 54  add rbx,0x54d06438
  1e: 48 81 fb 9f 22 10 6a  cmp rbx,0x6a10229f
  25: 74 05                 je 0x2c
  27: f4                    hlt
  28: f4                    hlt
  29: f4                    hlt
  2a: f4                    hlt
  2b: f4                    hlt
  2c: 41 5e                 pop r14
  2e: 49 81 f6 de 04 e3 50  xor r14,0x50e304de
  35: 49 81 c6 8b 71 79 1a  add r14,0x1a79718b
  3c: 49 81 f6 01 30 30 34  xor r14,0x34303001
  43: 49 81 ee c3 52 b7 36  sub r14,0x36b752c3
  4a: 49 81 fe 97 79 81 56  cmp r14,0x56817997
  51: 74 02                 je 0x55
  53: f4                    hlt
  54: f4                    hlt
  55: c3                    ret
  56: f4                    hlt
  57: f4                    hlt
  58: f4                    hlt
  59: 58                    pop rax
  5a: 41 5b                 pop r11
  5c: 49 81 eb 0c a2 5a 53  sub r11,0x535aa20c
  63: 49 81 fb 04 ce df 47  cmp r11,0x47dfce04
  6a: 74 02                 je 0x6e
  6c: f4                    hlt
  6d: f4                    hlt
  6e: 41 5b                 pop r11
  70: 49 81 eb 39 d2 7c 44  sub r11,0x447cd239
  77: 49 81 f3 6e e5 ba 56  xor r11,0x56bae56e
  7e: 49 81 c3 20 c5 de 53  add r11,0x53dec520
  85: 49 81 f3 6a 5e d7 09  xor r11,0x9d75e6a
  8c: 49 81 fb fc ae 0c 20  cmp r11,0x200caefc
  93: 74 07                 je 0x9c
  95: f4                    hlt
  96: f4                    hlt
  97: f4                    hlt
  98: f4                    hlt
  99: f4                    hlt
  9a: f4                    hlt
  9b: f4                    hlt
  9c: 41 5b                 pop r11
  9e: 49 81 c3 ac 61 36 06  add r11,0x63661ac
  a5: 49 81 c3 74 98 9b 5c  add r11,0x5c9b9874
  ac: 49 81 fb 21 f2 a7 4b  cmp r11,0x4ba7f221
  b3: 74 03                 je 0xb8
  b5: f4                    hlt
  b6: f4                    hlt
  b7: f4                    hlt
  b8: c3                    ret
  b9: f4                    hlt
  ba: f4                    hlt
  bb: f4                    hlt
  bc: 5e                    pop rsi
  bd: 41 5f                 pop r15
  bf: 49 81 ef 1d 8a 01 38  sub r15,0x38018a1d
  c6: 49 81 f7 8d b9 24 1f  xor r15,0x1f24b98d
  cd: 49 81 ef 57 ff 0d 25  sub r15,0x250dff57
  d4: 49 81 ff 0a 17 e0 51  cmp r15,0x51e0170a
  db: 74 07                 je 0xe4
  dd: f4                    hlt
  de: f4                    hlt
  df: f4                    hlt
  e0: f4                    hlt
  e1: f4                    hlt
  e2: f4                    hlt
  e3: f4                    hlt
  e4: 5b                    pop rbx
  e5: 48 81 eb cf 18 58 5f  sub rbx,0x5f5818cf
  ec: 48 81 c3 82 fe 28 1b  add rbx,0x1b28fe82
  f3: 48 81 c3 3f c8 b5 0e  add rbx,0xeb5c83f
  fa: 48 81 eb 5b 82 a3 6d  sub rbx,0x6da3825b
 101: 48 81 f3 17 91 3f 23  xor rbx,0x233f9117
 108: 48 81 fb 7c 14 fa 70  cmp rbx,0x70fa147c
 10f: 74 03                 je 0x114
 111: f4                    hlt
 112: f4                    hlt
 113: f4                    hlt
 114: 41 5d                 pop r13
 116: 49 81 f5 3e c8 f6 09  xor r13,0x9f6c83e
 11d: 49 81 fd 5a ba a4 09  cmp r13,0x9a4ba5a
 124: 74 08                 je 0x12e
 126: f4                    hlt
 127: f4                    hlt
 128: f4                    hlt
 129: f4                    hlt
 12a: f4                    hlt
 12b: f4                    hlt
 12c: f4                    hlt
 12d: f4                    hlt
 12e: 41 5f                 pop r15
 130: 49 81 f7 84 18 42 4a  xor r15,0x4a421884
 137: 49 81 c7 14 2f f6 41  add r15,0x41f62f14
 13e: 49 81 c7 f1 f4 21 41  add r15,0x4121f4f1
 145: 49 81 ff c6 38 ee 65  cmp r15,0x65ee38c6
 14c: 74 09                 je 0x157
 14e: f4                    hlt
 14f: f4                    hlt
 150: f4                    hlt
 151: f4                    hlt
 152: f4                    hlt
 153: f4                    hlt
 154: f4                    hlt
 155: f4                    hlt
 156: f4                    hlt
 157: 41 5c                 pop r12
 159: 49 81 f4 db 18 86 6b  xor r12,0x6b8618db
 160: 49 81 f4 01 bb 01 03  xor r12,0x301bb01
 167: 49 81 fc 9c ac 13 28  cmp r12,0x2813ac9c
 16e: 74 08                 je 0x178
 170: f4                    hlt
 171: f4                    hlt
 172: f4                    hlt
 173: f4                    hlt
 174: f4                    hlt
 175: f4                    hlt
 176: f4                    hlt
 177: f4                    hlt
 178: 5b                    pop rbx
 179: 48 81 eb 43 93 54 61  sub rbx,0x61549343
 180: 48 81 f3 b3 69 ca 52  xor rbx,0x52ca69b3
 187: 48 81 f3 29 c7 fe 0a  xor rbx,0xafec729
 18e: 48 81 eb 4f 9d b7 05  sub rbx,0x5b79d4f
 195: 48 81 f3 c3 73 15 26  xor rbx,0x261573c3
 19c: 48 81 c3 0b 08 2f 07  add rbx,0x72f080b
 1a3: 48 81 fb b3 30 9a 37  cmp rbx,0x379a30b3
 1aa: 74 09                 je 0x1b5
 1ac: f4                    hlt
 1ad: f4                    hlt
 1ae: f4                    hlt
 1af: f4                    hlt
 1b0: f4                    hlt
 1b1: f4                    hlt
 1b2: f4                    hlt
 1b3: f4                    hlt
 1b4: f4                    hlt
 1b5: c3                    ret
 1b6: f4                    hlt
 1b7: f4                    hlt
 1b8: f4                    hlt
 1b9: f4                    hlt
 1ba: 50                    push rax
 1bb: 5f                    pop rdi
 1bc: 41 5d                 pop r13
 1be: 49 81 c5 35 f7 ba 20  add r13,0x20baf735
 1c5: 49 81 fd b7 7b 21 40  cmp r13,0x40217bb7
 1cc: 74 02                 je 0x1d0
 1ce: f4                    hlt
 1cf: f4                    hlt
 1d0: c3                    ret
 1d1: f4                    hlt
 1d2: 50                    push rax
 1d3: 5a                    pop rdx
 1d4: 41 5e                 pop r14
 1d6: 49 81 f6 3e 26 d2 76  xor r14,0x76d2263e
 1dd: 49 81 fe 9c 70 2e 03  cmp r14,0x32e709c
 1e4: 74 05                 je 0x1eb
 1e6: f4                    hlt
 1e7: f4                    hlt
 1e8: f4                    hlt
 1e9: f4                    hlt
 1ea: f4                    hlt
 1eb: 41 5f                 pop r15
 1ed: 49 81 ef 77 6e b2 1c  sub r15,0x1cb26e77
 1f4: 49 81 ef b9 b9 c7 40  sub r15,0x40c7b9b9
 1fb: 49 81 ff bb fd 13 6b  cmp r15,0x6b13fdbb
 202: 74 02                 je 0x206
 204: f4                    hlt
 205: f4                    hlt
 206: 41 5e                 pop r14
 208: 49 81 ee cb bf 05 5e  sub r14,0x5e05bfcb
 20f: 49 81 c6 4e 13 33 79  add r14,0x7933134e
 216: 49 81 ee ab 63 ae 2f  sub r14,0x2fae63ab
 21d: 49 81 fe 0c d3 94 5e  cmp r14,0x5e94d30c
 224: 74 06                 je 0x22c
 226: f4                    hlt
 227: f4                    hlt
 228: f4                    hlt
 229: f4                    hlt
 22a: f4                    hlt
 22b: f4                    hlt
 22c: 59                    pop rcx
 22d: 48 81 f1 bd 91 63 23  xor rcx,0x236391bd
 234: 48 81 c1 49 43 f5 2b  add rcx,0x2bf54349
 23b: 48 81 f9 e4 21 01 20  cmp rcx,0x200121e4
 242: 74 04                 je 0x248
 244: f4                    hlt
 245: f4                    hlt
 246: f4                    hlt
 247: f4                    hlt
 248: 41 5d                 pop r13
 24a: 49 81 f5 a0 38 af 5d  xor r13,0x5daf38a0
 251: 49 81 ed 7e 6b 0e 2e  sub r13,0x2e0e6b7e
 258: 49 81 fd b6 a8 b7 10  cmp r13,0x10b7a8b6
 25f: 74 06                 je 0x267
 261: f4                    hlt
 262: f4                    hlt
 263: f4                    hlt
 264: f4                    hlt
 265: f4                    hlt
 266: f4                    hlt
 267: c3                    ret
```

~~Wouldn't one big ROP gadget be enough?~~ [Wrong idea]

```
mov rdi, data
xor rsi, rsi # flags = 0
xor rdx, rdx # mode = "r"
mov rax, 2
syscall
mov rdi, rax
mov rsi, data + 8
mov rdx, 256
mov rax, 0
syscall
mov rsi, data + 8
mov rdx, rax
mov rax, 1
syscall
ret
```

~~TODO: turn this into Python code~~

```
[katc@K_atc dist]$ rasm2 -o0 "mov eax,ebx; nop"
89d890
[katc@K_atc dist]$ rasm2 -o0 "pop rdi; ret"
5fc3
[katc@K_atc dist]$ rasm2 -o0 "pop rsi; ret"
5ec3
[katc@K_atc dist]$ rasm2 -o0 "pop rax; ret"
58c3
[katc@K_atc dist]$ rasm2 -o0 "pop rdx; ret"
5ac3
[katc@K_atc dist]$ rasm2 -o0 "syscall"
0f05
```

### Doesn't work

> http://www.pmel.noaa.gov/maillists/tmap/ferret_users/fu_2014/msg00101.html
> You might have higher version of shared object, doesn't matter symbolic link is important

This is a problem where you connect to the remote server and work it out there.
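As an added example (not the author's code and not part of the challenge), here is a small Python helper for the server-generated gadgets listed above: it parses one gadget out of an objdump-style listing, lists the stack slots its pops consume, and walks each xor/add/sub chain backwards from the cmp constant to recover the value the ROP chain has to place in that slot. The sample input is the gadget at offset 0x1ba from the dump; pops that no cmp constrains (rax, rsi, ...) stay free, and a pop directly after a push is treated as a register move rather than a chain slot.

```python
import re
MASK = (1 << 64) - 1
INSN_RE = re.compile(r'^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s+)+([a-z]+)\s*(.*)$')  # off: bytes mnem ops

# Constructed sample: the gadget at offset 0x1ba in the listing above.
SAMPLE = """
 1ba: 50                    push rax
 1bb: 5f                    pop rdi
 1bc: 41 5d                 pop r13
 1be: 49 81 c5 35 f7 ba 20  add r13,0x20baf735
 1c5: 49 81 fd b7 7b 21 40  cmp r13,0x40217bb7
 1cc: 74 02                 je 0x1d0
 1d0: c3                    ret
"""

def parse_disasm(text):
    """Yield (mnemonic, [operands]) for each line of an objdump-style listing."""
    for line in text.strip().splitlines():
        m = INSN_RE.match(line)
        if not m:
            raise ValueError('unparsable line: %r' % line)
        yield m.group(1), [o.strip() for o in m.group(2).split(',') if o.strip()]

def step(mnem, v, imm, forward=True):
    """Apply (or, with forward=False, undo) one xor/add/sub with an immediate, mod 2**64."""
    if mnem == 'xor':                                   # xor is its own inverse
        return (v ^ imm) & MASK
    return ((v + imm) if (mnem == 'add') == forward else (v - imm)) & MASK

def pop_slots(text):
    """Stack slots the gadget pops, in pop order, as {reg, ops, target, value} dicts.
    value stays None for a pop that no cmp constrains (rax, rsi, ...); a pop that
    directly follows a push is a register move (push rax; pop rdi) and uses no slot."""
    slots, pushed = [], False
    for mnem, ops in parse_disasm(text):
        if mnem == 'push':
            pushed = True
        elif mnem == 'pop' and pushed:
            pushed = False
        elif mnem == 'pop':
            slots.append({'reg': ops[0], 'ops': [], 'target': None, 'value': None})
        elif mnem in ('xor', 'add', 'sub') and slots and slots[-1]['reg'] == ops[0] and ops[1].startswith('0x'):
            slots[-1]['ops'].append((mnem, int(ops[1], 16)))
        elif mnem == 'cmp':                             # the check the popped value must pass
            s = next(s for s in reversed(slots) if s['reg'] == ops[0] and s['target'] is None)
            s['target'] = v = int(ops[1], 16)
            for op, imm in reversed(s['ops']):          # undo the chain from the cmp constant
                v = step(op, v, imm, forward=False)
            s['value'] = v
    return slots
```

Running `pop_slots(SAMPLE)` yields a single slot for r13 whose value, pushed through the gadget's `add`, lands exactly on the `cmp` constant so the `je` is taken instead of falling into `hlt`.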