ropsynth

Problem overview

Genre

Binary

Binary PPC

Points

400 points

Problem statement

ropsynth
ropsynth.pwn.seccon.jp:10000
Read "secret" and output the content such as the following code.

==
fd = open("secret", 0, 0);
len = read(fd, buf, 256);
write(1, buf, len);
==

Flag

???

Challenger

K_atc

Solution

Discussion

Isn't this problem all bark and no bite?
What is this
So it's a ROP puzzle problem

surface analysis

[katc@K_atc dist]$ file launcher.elf 
launcher.elf: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=3ae0cc9b881cf70a67c89900b162295185fd845b, not stripped

first impression

The exploit target is launcher.elf

The ROP gadgets are read from standard input, but the ones prepared on the server side are what can be used.
gadgets is, naturally, an executable region.

    /* launcher.elf: the gadget buffer is filled from stdin */
    gadgets = mmap((void*)0x00800000, 4096, PROT_READ|PROT_WRITE,
        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    fread(gadgets, 1, 4096, stdin);

    # server-side script: the gadgets it sends are generated and base64-encoded
    gadgets = generate_gadgets()
    encoded_gadgets = binascii.b2a_base64(gadgets).strip()

The ROP chain is also given via standard input, up to 4096 bytes.

    char ropchain[4096];
    fread(ropchain, 1, sizeof(ropchain), stdin);

data is a read/write-only region.

    data = mmap((void*)0x00a00000, 4096, PROT_READ|PROT_WRITE,
        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    strcpy(data, "secret");

The binary executes the user-supplied ROP chain for us (a guess).

What to do next (expected):

  • Read the contents of the "secret" file using only the permitted syscalls
  • The string "secret" is placed at the start of data

ROP gadgets

Example of the gadgets supplied by the server:

   0:   f4                      hlt    
   1:   f4                      hlt    
   2:   f4                      hlt    
   3:   f4                      hlt    
   4:   f4                      hlt    
   5:   f4                      hlt    
   6:   0f 05                   syscall 
   8:   5b                      pop    rbx
   9:   48 81 f3 54 26 b6 25    xor    rbx,0x25b62654
  10:   48 81 c3 e0 b6 0c 22    add    rbx,0x220cb6e0
  17:   48 81 c3 38 64 d0 54    add    rbx,0x54d06438
  1e:   48 81 fb 9f 22 10 6a    cmp    rbx,0x6a10229f
  25:   74 05                   je     0x2c
  27:   f4                      hlt    
  28:   f4                      hlt    
  29:   f4                      hlt    
  2a:   f4                      hlt    
  2b:   f4                      hlt    
  2c:   41 5e                   pop    r14
  2e:   49 81 f6 de 04 e3 50    xor    r14,0x50e304de
  35:   49 81 c6 8b 71 79 1a    add    r14,0x1a79718b
  3c:   49 81 f6 01 30 30 34    xor    r14,0x34303001
  43:   49 81 ee c3 52 b7 36    sub    r14,0x36b752c3
  4a:   49 81 fe 97 79 81 56    cmp    r14,0x56817997
  51:   74 02                   je     0x55
  53:   f4                      hlt    
  54:   f4                      hlt    
  55:   c3                      ret    
  56:   f4                      hlt    
  57:   f4                      hlt    
  58:   f4                      hlt    
  59:   58                      pop    rax
  5a:   41 5b                   pop    r11
  5c:   49 81 eb 0c a2 5a 53    sub    r11,0x535aa20c
  63:   49 81 fb 04 ce df 47    cmp    r11,0x47dfce04
  6a:   74 02                   je     0x6e
  6c:   f4                      hlt    
  6d:   f4                      hlt    
  6e:   41 5b                   pop    r11
  70:   49 81 eb 39 d2 7c 44    sub    r11,0x447cd239
  77:   49 81 f3 6e e5 ba 56    xor    r11,0x56bae56e
  7e:   49 81 c3 20 c5 de 53    add    r11,0x53dec520
  85:   49 81 f3 6a 5e d7 09    xor    r11,0x9d75e6a
  8c:   49 81 fb fc ae 0c 20    cmp    r11,0x200caefc
  93:   74 07                   je     0x9c
  95:   f4                      hlt    
  96:   f4                      hlt    
  97:   f4                      hlt    
  98:   f4                      hlt    
  99:   f4                      hlt    
  9a:   f4                      hlt    
  9b:   f4                      hlt    
  9c:   41 5b                   pop    r11
  9e:   49 81 c3 ac 61 36 06    add    r11,0x63661ac
  a5:   49 81 c3 74 98 9b 5c    add    r11,0x5c9b9874
  ac:   49 81 fb 21 f2 a7 4b    cmp    r11,0x4ba7f221
  b3:   74 03                   je     0xb8
  b5:   f4                      hlt    
  b6:   f4                      hlt    
  b7:   f4                      hlt    
  b8:   c3                      ret    
  b9:   f4                      hlt    
  ba:   f4                      hlt    
  bb:   f4                      hlt    
  bc:   5e                      pop    rsi
  bd:   41 5f                   pop    r15
  bf:   49 81 ef 1d 8a 01 38    sub    r15,0x38018a1d
  c6:   49 81 f7 8d b9 24 1f    xor    r15,0x1f24b98d
  cd:   49 81 ef 57 ff 0d 25    sub    r15,0x250dff57
  d4:   49 81 ff 0a 17 e0 51    cmp    r15,0x51e0170a
  db:   74 07                   je     0xe4
  dd:   f4                      hlt    
  de:   f4                      hlt    
  df:   f4                      hlt    
  e0:   f4                      hlt    
  e1:   f4                      hlt    
  e2:   f4                      hlt    
  e3:   f4                      hlt    
  e4:   5b                      pop    rbx
  e5:   48 81 eb cf 18 58 5f    sub    rbx,0x5f5818cf
  ec:   48 81 c3 82 fe 28 1b    add    rbx,0x1b28fe82
  f3:   48 81 c3 3f c8 b5 0e    add    rbx,0xeb5c83f
  fa:   48 81 eb 5b 82 a3 6d    sub    rbx,0x6da3825b
 101:   48 81 f3 17 91 3f 23    xor    rbx,0x233f9117
 108:   48 81 fb 7c 14 fa 70    cmp    rbx,0x70fa147c
 10f:   74 03                   je     0x114
 111:   f4                      hlt    
 112:   f4                      hlt    
 113:   f4                      hlt    
 114:   41 5d                   pop    r13
 116:   49 81 f5 3e c8 f6 09    xor    r13,0x9f6c83e
 11d:   49 81 fd 5a ba a4 09    cmp    r13,0x9a4ba5a
 124:   74 08                   je     0x12e
 126:   f4                      hlt    
 127:   f4                      hlt    
 128:   f4                      hlt    
 129:   f4                      hlt    
 12a:   f4                      hlt    
 12b:   f4                      hlt    
 12c:   f4                      hlt    
 12d:   f4                      hlt    
 12e:   41 5f                   pop    r15
 130:   49 81 f7 84 18 42 4a    xor    r15,0x4a421884
 137:   49 81 c7 14 2f f6 41    add    r15,0x41f62f14
 13e:   49 81 c7 f1 f4 21 41    add    r15,0x4121f4f1
 145:   49 81 ff c6 38 ee 65    cmp    r15,0x65ee38c6
 14c:   74 09                   je     0x157
 14e:   f4                      hlt    
 14f:   f4                      hlt    
 150:   f4                      hlt    
 151:   f4                      hlt    
 152:   f4                      hlt    
 153:   f4                      hlt    
 154:   f4                      hlt    
 155:   f4                      hlt    
 156:   f4                      hlt    
 157:   41 5c                   pop    r12
 159:   49 81 f4 db 18 86 6b    xor    r12,0x6b8618db
 160:   49 81 f4 01 bb 01 03    xor    r12,0x301bb01
 167:   49 81 fc 9c ac 13 28    cmp    r12,0x2813ac9c
 16e:   74 08                   je     0x178
 170:   f4                      hlt    
 171:   f4                      hlt    
 172:   f4                      hlt    
 173:   f4                      hlt    
 174:   f4                      hlt    
 175:   f4                      hlt    
 176:   f4                      hlt    
 177:   f4                      hlt    
 178:   5b                      pop    rbx
 179:   48 81 eb 43 93 54 61    sub    rbx,0x61549343
 180:   48 81 f3 b3 69 ca 52    xor    rbx,0x52ca69b3
 187:   48 81 f3 29 c7 fe 0a    xor    rbx,0xafec729
 18e:   48 81 eb 4f 9d b7 05    sub    rbx,0x5b79d4f
 195:   48 81 f3 c3 73 15 26    xor    rbx,0x261573c3
 19c:   48 81 c3 0b 08 2f 07    add    rbx,0x72f080b
 1a3:   48 81 fb b3 30 9a 37    cmp    rbx,0x379a30b3
 1aa:   74 09                   je     0x1b5
 1ac:   f4                      hlt    
 1ad:   f4                      hlt    
 1ae:   f4                      hlt    
 1af:   f4                      hlt    
 1b0:   f4                      hlt    
 1b1:   f4                      hlt    
 1b2:   f4                      hlt    
 1b3:   f4                      hlt    
 1b4:   f4                      hlt    
 1b5:   c3                      ret    
 1b6:   f4                      hlt    
 1b7:   f4                      hlt    
 1b8:   f4                      hlt    
 1b9:   f4                      hlt    
 1ba:   50                      push   rax
 1bb:   5f                      pop    rdi
 1bc:   41 5d                   pop    r13
 1be:   49 81 c5 35 f7 ba 20    add    r13,0x20baf735
 1c5:   49 81 fd b7 7b 21 40    cmp    r13,0x40217bb7
 1cc:   74 02                   je     0x1d0
 1ce:   f4                      hlt    
 1cf:   f4                      hlt    
 1d0:   c3                      ret    
 1d1:   f4                      hlt    
 1d2:   50                      push   rax
 1d3:   5a                      pop    rdx
 1d4:   41 5e                   pop    r14
 1d6:   49 81 f6 3e 26 d2 76    xor    r14,0x76d2263e
 1dd:   49 81 fe 9c 70 2e 03    cmp    r14,0x32e709c
 1e4:   74 05                   je     0x1eb
 1e6:   f4                      hlt    
 1e7:   f4                      hlt    
 1e8:   f4                      hlt    
 1e9:   f4                      hlt    
 1ea:   f4                      hlt    
 1eb:   41 5f                   pop    r15
 1ed:   49 81 ef 77 6e b2 1c    sub    r15,0x1cb26e77
 1f4:   49 81 ef b9 b9 c7 40    sub    r15,0x40c7b9b9
 1fb:   49 81 ff bb fd 13 6b    cmp    r15,0x6b13fdbb
 202:   74 02                   je     0x206
 204:   f4                      hlt    
 205:   f4                      hlt    
 206:   41 5e                   pop    r14
 208:   49 81 ee cb bf 05 5e    sub    r14,0x5e05bfcb
 20f:   49 81 c6 4e 13 33 79    add    r14,0x7933134e
 216:   49 81 ee ab 63 ae 2f    sub    r14,0x2fae63ab
 21d:   49 81 fe 0c d3 94 5e    cmp    r14,0x5e94d30c
 224:   74 06                   je     0x22c
 226:   f4                      hlt    
 227:   f4                      hlt    
 228:   f4                      hlt    
 229:   f4                      hlt    
 22a:   f4                      hlt    
 22b:   f4                      hlt    
 22c:   59                      pop    rcx
 22d:   48 81 f1 bd 91 63 23    xor    rcx,0x236391bd
 234:   48 81 c1 49 43 f5 2b    add    rcx,0x2bf54349
 23b:   48 81 f9 e4 21 01 20    cmp    rcx,0x200121e4
 242:   74 04                   je     0x248
 244:   f4                      hlt    
 245:   f4                      hlt    
 246:   f4                      hlt    
 247:   f4                      hlt    
 248:   41 5d                   pop    r13
 24a:   49 81 f5 a0 38 af 5d    xor    r13,0x5daf38a0
 251:   49 81 ed 7e 6b 0e 2e    sub    r13,0x2e0e6b7e
 258:   49 81 fd b6 a8 b7 10    cmp    r13,0x10b7a8b6
 25f:   74 06                   je     0x267
 261:   f4                      hlt    
 262:   f4                      hlt    
 263:   f4                      hlt    
 264:   f4                      hlt    
 265:   f4                      hlt    
 266:   f4                      hlt    
 267:   c3                      ret

Wouldn't one big ROP gadget be enough? [wrong idea]

    mov rdi, data        # "secret"
    xor rsi, rsi         # flags = 0 (O_RDONLY)
    xor rdx, rdx         # mode = 0 (only used with O_CREAT)
    mov rax, 2           # open
    syscall

    mov rdi, rax         # fd
    mov rsi, data + 8    # buf, after the "secret" string
    mov rdx, 256
    mov rax, 0           # read
    syscall

    mov rdi, 1           # stdout
    mov rsi, data + 8
    mov rdx, rax         # len
    mov rax, 1           # write
    syscall

    ret

TODO: turn this into Python code
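To make the gadget listing above and this TODO concrete, here is an added example; it is not from the original writeup or the challenge files. It parses an objdump-style excerpt of the listing, cuts it into ret-terminated gadgets, and works out which value each guarded pop must receive so that the xor/add/sub chain after it lands exactly on the cmp constant instead of falling through into hlt. It also shows that a pop directly after a push (the push rax / pop rdi gadget) consumes no stack slot. The function names (parse, gadgets, stack_constraints, run) and the small interpreter are assumptions of this example; the excerpt is copied from the listing above, and the instruction semantics are assumed to be the usual x86-64 ones with 64-bit wraparound.

```python
"""Added example (not from the original writeup): parse the objdump-style gadget listing,
cut it at each ret, and compute which value every guarded pop must receive."""
import re

MASK = (1 << 64) - 1
# Excerpt copied from the listing in the writeup (offsets 0x6..0x55 and 0x1ba..0x1d0).
LISTING = """\
   6:   0f 05                   syscall
   8:   5b                      pop    rbx
   9:   48 81 f3 54 26 b6 25    xor    rbx,0x25b62654
  10:   48 81 c3 e0 b6 0c 22    add    rbx,0x220cb6e0
  17:   48 81 c3 38 64 d0 54    add    rbx,0x54d06438
  1e:   48 81 fb 9f 22 10 6a    cmp    rbx,0x6a10229f
  25:   74 05                   je     0x2c
  27:   f4                      hlt
  2c:   41 5e                   pop    r14
  2e:   49 81 f6 de 04 e3 50    xor    r14,0x50e304de
  35:   49 81 c6 8b 71 79 1a    add    r14,0x1a79718b
  3c:   49 81 f6 01 30 30 34    xor    r14,0x34303001
  43:   49 81 ee c3 52 b7 36    sub    r14,0x36b752c3
  4a:   49 81 fe 97 79 81 56    cmp    r14,0x56817997
  51:   74 02                   je     0x55
  53:   f4                      hlt
  55:   c3                      ret
 1ba:   50                      push   rax
 1bb:   5f                      pop    rdi
 1bc:   41 5d                   pop    r13
 1be:   49 81 c5 35 f7 ba 20    add    r13,0x20baf735
 1c5:   49 81 fd b7 7b 21 40    cmp    r13,0x40217bb7
 1cc:   74 02                   je     0x1d0
 1ce:   f4                      hlt
 1d0:   c3                      ret
"""

# "offset:  bytes...  mnemonic  operands" -> (offset, mnemonic, operands)
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*([a-z]+)\s*(.*?)\s*$")
# Effect of each step modulo 2**64 and how to undo it (xor undoes itself, add/sub swap).
FWD = {"xor": lambda r, i: r ^ i, "add": lambda r, i: r + i, "sub": lambda r, i: r - i}
INV = {"xor": FWD["xor"], "add": FWD["sub"], "sub": FWD["add"]}


def imm(text):
    # objdump already prints the sign-extended imm32, so only mask to 64 bits
    return int(text, 16) & MASK


def parse(listing):
    # [(offset, mnemonic, operands)] for every instruction line; other lines are skipped
    return [(int(m[1], 16), m[2], m[3]) for m in map(LINE_RE.match, listing.splitlines()) if m]


def gadgets(insns):
    # cut the listing after every ret; each piece is one gadget entered at its first offset
    segs, cur = [], []
    for ins in insns:
        cur.append(ins)
        if ins[1] == "ret":
            segs, cur = segs + [cur], []
    return segs


def stack_constraints(seg):
    """Stack slots a gadget consumes, in pop order, as (reg, required value or None)."""
    slots, pushed = [], 0
    for k, (_, mnem, ops) in enumerate(seg):
        if mnem == "push":
            pushed += 1
        elif mnem == "pop" and pushed:      # push/pop pair moves a register, no slot used
            pushed -= 1
        elif mnem == "pop":
            chain, target = [], None
            for _, m2, o2 in seg[k + 1:]:
                reg, _, val = o2.partition(",")
                if reg != ops or m2 not in ("xor", "add", "sub", "cmp"):
                    break
                if m2 == "cmp":
                    target = imm(val)
                    break
                chain.append((m2, imm(val)))
            if target is not None:
                for m2, v in reversed(chain):   # undo the chain back to front
                    target = INV[m2](target, v) & MASK
            slots.append((ops, target))
    return slots


def run(seg, slots, regs=None):
    """Interpret one gadget with the given stack slots: (reached_ret, registers)."""
    index = {off: k for k, (off, _, _) in enumerate(seg)}
    regs, stack, pushed, zf, pc = dict(regs or {}), list(slots), [], False, 0
    while pc < len(seg):
        _, mnem, ops = seg[pc]
        reg, _, val = ops.partition(",")
        if mnem == "ret":
            return True, regs
        if mnem == "hlt":
            return False, regs
        if mnem == "pop":
            regs[ops] = pushed.pop() if pushed else (stack.pop(0) if stack else 0)
        elif mnem == "push":
            pushed.append(regs.get(ops, 0))
        elif mnem in FWD:
            regs[reg] = FWD[mnem](regs.get(reg, 0), imm(val)) & MASK
        elif mnem == "cmp":
            zf = regs.get(reg, 0) == imm(val)
        elif mnem == "je" and zf:
            pc = index[imm(ops)]
            continue
        pc += 1
    return False, regs
```

On this excerpt, stack_constraints reports rbx = 0xffffffffd68521d3 and r14 = 0xce6c8e0e for the first gadget and r13 = 0x1f668482 for the push rax / pop rdi gadget; run() replays a gadget with those slots and tells whether it reaches ret, which is a cheap way to check each computed slot locally. Note that rdi is never popped directly in the listing, only moved in from rax, which is what forces the pop rax gadget to be used first.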

[katc@K_atc dist]$ rasm2 -o0 "mov eax,ebx; nop"
89d890
[katc@K_atc dist]$ rasm2 -o0 "pop rdi; ret"
5fc3
[katc@K_atc dist]$ rasm2 -o0 "pop rsi; ret"
5ec3
[katc@K_atc dist]$ rasm2 -o0 "pop rax; ret"
58c3
[katc@K_atc dist]$ rasm2 -o0 "pop rdx; ret"
5ac3
[katc@K_atc dist]$ rasm2 -o0 "syscall"
0f05

Doesn't work

http://www.pmel.noaa.gov/maillists/tmap/ferret_users/fu_2014/msg00101.html
You might have higher version of shared object, doesn't matter symbolic link is important

This is a problem you have to solve by connecting to the remote server