🧡 executioner 문제 소개
/*
 * Decompiler (IDA-style) pseudocode of the challenge binary's main().
 *
 * Flow as shown on this page: setup() and solve_pow() (bodies not visible
 * here), then a key of up to 0x7F bytes is read from /dev/urandom, up to
 * 0x7F bytes of user input are read into the global `inpt`, the first
 * strlen(inpt) bytes of `inpt` are XORed with `key`, 16 qwords are copied
 * into a freshly mmap()ed page and control is transferred to that page.
 *
 * Returns 1 only on the error path (open() failed); the success path never
 * returns because it ends in JUMPOUT.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
_QWORD *v4; // rax -- base of the mmap()ed page that is later executed
int i; // [rsp+0h] [rbp-20h] -- loop index; signed int, compared against strlen()'s size_t
int fd; // [rsp+4h] [rbp-1Ch] -- descriptor for /dev/urandom
setup();
solve_pow();
puts("Shellcode executioner");
/* flags 0 == O_RDONLY on Linux */
fd = open("/dev/urandom", 0);
if ( fd != -1 )
{
/* `key` is a global declared elsewhere; the number of bytes actually read is not checked */
read(fd, key, 0x7FuLL);
close(fd);
/* The format string contains no conversion, so the extra `key` argument is ignored */
printf("Input: ", key);
/* `inpt` is a global declared elsewhere; read() does not NUL-terminate and its
   return value (the real byte count) is not checked */
read(0, inpt, 0x7FuLL);
/* The loop bound is strlen(inpt), not the number of bytes read: the XOR stops at the
   first NUL byte, so anything after a NUL is copied into the mapping un-XORed.
   strlen() is also re-evaluated on every iteration, and the comparison is int vs size_t. */
for ( i = 0; i < strlen(inpt); ++i )
inpt[i] ^= key[i];
/* prot 7 == PROT_READ|PROT_WRITE|PROT_EXEC and flags 34 == MAP_PRIVATE|MAP_ANONYMOUS
   (Linux values).  The result is dereferenced without a MAP_FAILED check.  A mapping
   that is both writable and executable for user-controlled bytes is the W^X violation
   this challenge is built around; on a real service the mitigation is to never map
   attacker-supplied data executable. */
v4 = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
/* 16 qwords (128 bytes) are copied into the page: the first from `inpt`, the rest from
   consecutive address-named globals.  NOTE(review): these presumably are the remainder of
   the 0x7F-byte `inpt` buffer, split into separate symbols by the decompiler -- confirm
   against the binary's data layout. */
*v4 = *(_QWORD *)inpt;
v4[1] = qword_202288;
v4[2] = qword_202290;
v4[3] = qword_202298;
v4[4] = qword_2022A0;
v4[5] = qword_2022A8;
v4[6] = qword_2022B0;
v4[7] = qword_2022B8;
v4[8] = qword_2022C0;
v4[9] = qword_2022C8;
v4[10] = qword_2022D0;
v4[11] = qword_2022D8;
v4[12] = qword_2022E0;
v4[13] = qword_2022E8;
v4[14] = qword_2022F0;
v4[15] = qword_2022F8;
/* Decompiler notation for an unconditional transfer of control to the mapping; does not return */
JUMPOUT(__CS__, v4);
}
/* Reached only when open("/dev/urandom") failed */
puts("error");
return 1;
}
내가 입력한 쉘코드의 길이만큼 XOR 연산을 수행하고 메모리를 mapping 하여 그 장소로 jump 하는 문제이다.
🧡 executioner trick
사실 트릭이라고 할 것도 없이 strlen은 '\x00' byte를 기준으로 문자열의 길이를 판단하기 때문에 앞에 널바이트 몇 개를 넣어주고 쉘코드를 작성해주면 된다. 내가 적으려는 것은 이게 아니라, 내가 이 문제를 풀고 다른 분들의 풀이를 구경해봤는데 내가 비교적 간단하게 한 것 같아서 적어보려고 한다. 물론 64bit /bin/sh code를 사용하신 분도 계셨다.
나는 main에서 mapping된 memory로 jump 할 때 r12가 _start를 가리키고 있다는 점을 이용해 add instruction을 이용하여 문제를 해결하였다.