
ROP: Checking Writable Memory Regions

by nroses-taek, 2018. 12. 7.

Notes taken while studying ROP built from read, write, and pop; ret...


Things to know

- Writable memory

- PLT and GOT sections


gdb-peda$ ps -ef | grep rop
nroses    6551 12251  0 22:05 pts/2    00:00:00 gdb -q rop-32
nroses   29468  6551  0 22:11 pts/2    00:00:00 /home/nroses/CTF/tech/ROP/rop-32
nroses   29714  6551  0 22:19 pts/2    00:00:00 bash -c ps -ef | grep rop
nroses   29721 29714  0 22:19 pts/2    00:00:00 grep rop



gdb-peda$ cat /proc/29468/maps
08048000-08049000 r-xp 00000000 fd:02 1076003437                         /home/nroses/CTF/tech/ROP/rop-32
08049000-0804a000 r--p 00000000 fd:02 1076003437                         /home/nroses/CTF/tech/ROP/rop-32
0804a000-0804b000 rw-p 00001000 fd:02 1076003437                         /home/nroses/CTF/tech/ROP/rop-32
f7dfe000-f7dff000 rw-p 00000000 00:00 0
f7dff000-f7fc3000 r-xp 00000000 fd:00 67360289                           /usr/lib/libc-2.17.so
f7fc3000-f7fc4000 ---p 001c4000 fd:00 67360289                           /usr/lib/libc-2.17.so
f7fc4000-f7fc6000 r--p 001c4000 fd:00 67360289                           /usr/lib/libc-2.17.so
f7fc6000-f7fc7000 rw-p 001c6000 fd:00 67360289                           /usr/lib/libc-2.17.so
f7fc7000-f7fca000 rw-p 00000000 00:00 0
f7fd8000-f7fd9000 rw-p 00000000 00:00 0
f7fd9000-f7fda000 r-xp 00000000 00:00 0                                  [vdso]
f7fda000-f7ffc000 r-xp 00000000 fd:00 67167981                           /usr/lib/ld-2.17.so
f7ffc000-f7ffd000 r--p 00021000 fd:00 67167981                           /usr/lib/ld-2.17.so
f7ffd000-f7ffe000 rw-p 00022000 fd:00 67167981                           /usr/lib/ld-2.17.so
fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]


gdb-peda$ shell objdump -h rop-32
rop-32:     file format elf32-i386
Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .interp       00000013  08048154  08048154  00000154  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.ABI-tag 00000020  08048168  08048168  00000168  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .note.gnu.build-id 00000024  08048188  08048188  00000188  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.hash     00000020  080481ac  080481ac  000001ac  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynsym       00000060  080481cc  080481cc  000001cc  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynstr       00000050  0804822c  0804822c  0000022c  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .gnu.version  0000000c  0804827c  0804827c  0000027c  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .gnu.version_r 00000020  08048288  08048288  00000288  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .rel.dyn      00000008  080482a8  080482a8  000002a8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .rel.plt      00000018  080482b0  080482b0  000002b0  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .init         00000023  080482c8  080482c8  000002c8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .plt          00000040  080482f0  080482f0  000002f0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 12 .plt.got      00000008  08048330  08048330  00000330  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .text         000001c2  08048340  08048340  00000340  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 14 .fini         00000014  08048504  08048504  00000504  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 15 .rodata       00000017  08048518  08048518  00000518  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 16 .eh_frame_hdr 00000034  08048530  08048530  00000530  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 17 .eh_frame     000000d0  08048564  08048564  00000564  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 18 .init_array   00000004  08049f08  08049f08  00000f08  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .fini_array   00000004  08049f0c  08049f0c  00000f0c  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 20 .jcr          00000004  08049f10  08049f10  00000f10  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 21 .dynamic      000000e8  08049f14  08049f14  00000f14  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 22 .got          00000004  08049ffc  08049ffc  00000ffc  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 23 .got.plt      00000018  0804a000  0804a000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 24 .data         00000004  0804a018  0804a018  00001018  2**0
                  CONTENTS, ALLOC, LOAD, DATA
 25 .bss          00000004  0804a01c  0804a01c  0000101c  2**0
                  ALLOC
 26 .comment      0000002d  00000000  00000000  0000101c  2**0
                  CONTENTS, READONLY



Conclusion

- The writable memory region contains .data, .bss, and .got.plt:


0804a000-0804b000 rw-p 00001000 fd:02 1076003437                         /home/nroses/CTF/tech/ROP/rop-32
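As an added example (not code from the original post), the small Python script below does by hand what the gdb session above does by eye: it parses `/proc/PID/maps` lines and an `objdump -h` section table, then reports which ELF sections land inside a mapping that has the `w` bit set. The sample inputs are trimmed copies of the output shown above; sections without the ALLOC flag (such as `.comment`) are skipped because they are never mapped into memory.

```python
import re

# Sample /proc/PID/maps text, trimmed from the gdb session shown above.
MAPS = """\
08048000-08049000 r-xp 00000000 fd:02 1076003437 /home/nroses/CTF/tech/ROP/rop-32
08049000-0804a000 r--p 00000000 fd:02 1076003437 /home/nroses/CTF/tech/ROP/rop-32
0804a000-0804b000 rw-p 00001000 fd:02 1076003437 /home/nroses/CTF/tech/ROP/rop-32
f7dff000-f7fc3000 r-xp 00000000 fd:00 67360289 /usr/lib/libc-2.17.so
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
"""

# Sample `objdump -h` text, trimmed to the sections that matter here.
OBJDUMP_H = """\
Idx Name          Size      VMA       LMA       File off  Algn
 11 .plt          00000040  080482f0  080482f0  000002f0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 13 .text         000001c2  08048340  08048340  00000340  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 21 .dynamic      000000e8  08049f14  08049f14  00000f14  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 22 .got          00000004  08049ffc  08049ffc  00000ffc  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 23 .got.plt      00000018  0804a000  0804a000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 24 .data         00000004  0804a018  0804a018  00001018  2**0
                  CONTENTS, ALLOC, LOAD, DATA
 25 .bss          00000004  0804a01c  0804a01c  0000101c  2**0
                  ALLOC
 26 .comment      0000002d  00000000  00000000  0000101c  2**0
                  CONTENTS, READONLY
"""

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
# idx name size vma lma ...  (the flags follow on the next line)
SECTION_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+[0-9a-f]+")


def parse_maps(text):
    """Return [(start, end, perms, path)] from /proc/PID/maps text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4)))
    return regions


def parse_sections(text):
    """Return [(name, vma, size)] for ALLOC sections from `objdump -h` text."""
    sections = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SECTION_LINE.match(line)
        if not m:
            continue
        flags = lines[i + 1].strip().split(", ") if i + 1 < len(lines) else []
        if "ALLOC" in flags:  # only ALLOC sections occupy address space
            sections.append((m.group(1), int(m.group(3), 16), int(m.group(2), 16)))
    return sections


def section_permissions(maps_text, objdump_text):
    """Map each loaded section to the perms of the mapping that fully contains it.

    A section that is not fully inside any single mapping gets None.
    """
    regions = parse_maps(maps_text)
    result = {}
    for name, vma, size in parse_sections(objdump_text):
        result[name] = None
        for start, end, perms, _path in regions:
            if start <= vma and vma + size <= end:
                result[name] = perms
                break
    return result


def writable_sections(maps_text, objdump_text):
    """Sorted names of sections that live in a mapping with the 'w' bit set."""
    perms = section_permissions(maps_text, objdump_text)
    return sorted(n for n, p in perms.items() if p and "w" in p)


def writable_regions(maps_text):
    """The rw mappings themselves, as (start, end, path)."""
    return [(s, e, path) for s, e, p, path in parse_maps(maps_text) if "w" in p]


if __name__ == "__main__":
    for start, end, path in writable_regions(MAPS):
        print(f"{start:08x}-{end:08x} rw {path}")
    for name, perms in section_permissions(MAPS, OBJDUMP_H).items():
        print(f"{name:10} {perms}")
```

Run against the page's own data, the script reports `.got.plt`, `.data` and `.bss` as writable, exactly the conclusion drawn above. It also shows the caveat worth knowing: `.got` (at 08049ffc) sits in the r--p page that ends at 0804a000, so it is read-only in this binary even though `.got.plt` one page up is not; that split is what partial RELRO produces, and full RELRO would move `.got.plt` into the read-only page as well.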

