HeyOn https://typemiss.tistory.com/ ko Tue, 7 Apr 2026 22:10:34 +0900 TISTORY 100 Lifer [Pwnable] libc 주어졌을 때 바이너리에 링킹 &amp; 디버깅 (when LD_PRELOAD making segmenation fault) https://typemiss.tistory.com/2 <p style="text-align: left;" data-ke-size="size16">- 보통 문제에서 elf, libc 가 주어짐</p> <p style="text-align: left;" data-ke-size="size16">- 익스하는 os 의 libc 버전과 문제에서 준 libc 버전이 안맞아서 LD_PRELOAD 걸어도 segmentation fault 뜨는 경우 있음</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">1. 주어진 libc 에 대응되는 custom loader 가 추가로 필요</p> <p style="text-align: left;" data-ke-size="size16">- 문제에서 ld 도 주는 경우 있음</p> <p style="text-align: left;" data-ke-size="size16">- 안주면?... 주어진 libc 에 대응되는 os version 에서 로더만 추출해서 같이 사용하면 되지 않을까..</p> <p style="text-align: left;" data-ke-size="size16">&nbsp; &nbsp;- <a href="https://github.com/matrix1001/welpwn/tree/master/PwnContext/libs/ld.so">https://github.com/matrix1001/welpwn/tree/master/PwnContext/libs/ld.so</a></p> <figure id="og_1597540945620" contenteditable="false" data-ke-type="opengraph" data-og-type="object" data-og-title="matrix1001/welpwn" data-og-description=" CTF pwn framework. Contribute to matrix1001/welpwn development by creating an account on GitHub." data-og-host="github.com" data-og-source-url="https://github.com/matrix1001/welpwn/tree/master/PwnContext/libs/ld.so" data-og-url="https://github.com/matrix1001/welpwn" data-og-image="https://scrap.kakaocdn.net/dn/RIhWx/hyG9ukFvlp/zVyl4nbEscfdyCtbKaFoIK/img.png?width=400&amp;height=400&amp;face=0_0_400_400"><a href="https://github.com/matrix1001/welpwn/tree/master/PwnContext/libs/ld.so" target="_blank" rel="noopener" data-source-url="https://github.com/matrix1001/welpwn/tree/master/PwnContext/libs/ld.so"> <div class="og-image" style="background-image: url('https://scrap.kakaocdn.net/dn/RIhWx/hyG9ukFvlp/zVyl4nbEscfdyCtbKaFoIK/img.png?width=400&amp;height=400&amp;face=0_0_400_400');">&nbsp;</div> <div class="og-text"> <p class="og-title">matrix1001/welpwn</p> <p class="og-desc"> CTF pwn framework. Contribute to matrix1001/welpwn development by creating an account on GitHub.</p> <p class="og-host">github.com</p> </div> </a></figure> <p style="text-align: left;" data-ke-size="size16">&nbsp; - 각 libc 버전에 따른 로더 파일들을 위의 링크에서 발견할 수 있었다. ld-"md5 of libc".so.2 형식으로 로더 파일들의 리스트가 존재한다. 문제에서 로더가 주어지지 않는 경우 libc의 md5 를 확인하고 알맞는 로더를 해당 링크에서 다운로드 하자 (테스트는 안해봄)</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">2. custom libc, loader 를 바이너리가 사용하게끔 패치</p> <p style="text-align: left;" data-ke-size="size16"><a href="https://github.com/NixOS/patchelf" target="_blank" rel="noopener">github.com/NixOS/patchelf</a>&nbsp;</p> <figure data-ke-type="opengraph" data-og-title="NixOS/patchelf" data-og-description="A small utility to modify the dynamic linker and RPATH of ELF executables - NixOS/patchelf" data-og-host="github.com" data-og-source-url="https://github.com/NixOS/patchelf" data-og-image="https://scrap.kakaocdn.net/dn/cBKkaM/hyGZWAtlye/2V3Obg50mQbTtKTa9QeEK1/img.png?width=322&amp;height=322&amp;face=0_0_322_322" data-og-url="https://github.com/NixOS/patchelf"><a href="https://github.com/NixOS/patchelf" target="_blank" rel="noopener" data-source-url="https://github.com/NixOS/patchelf"> <div class="og-image" style="background-image: url('https://scrap.kakaocdn.net/dn/cBKkaM/hyGZWAtlye/2V3Obg50mQbTtKTa9QeEK1/img.png?width=322&amp;height=322&amp;face=0_0_322_322');">&nbsp;</div> <div class="og-text"> <p class="og-title">NixOS/patchelf</p> <p class="og-desc">A small utility to modify the dynamic linker and RPATH of ELF executables - NixOS/patchelf</p> <p class="og-host">github.com</p> </div> </a></figure> <p style="text-align: left;" data-ke-size="size16">patchelf 라는 툴을 이용해 바이너리자체를 수정 --&gt; 링킹을 새로걸어버리면 됨</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent"><span data-url="https://blog.kakaocdn.net/dn/yM53S/btqGbO7kyuK/mt2dx6x87aItSWU3jT9tA1/img.png" data-phocus="https://blog.kakaocdn.net/dn/yM53S/btqGbO7kyuK/mt2dx6x87aItSWU3jT9tA1/img.png" data-alt="interpreter 설정, libc 교체"><img src="https://blog.kakaocdn.net/dn/yM53S/btqGbO7kyuK/mt2dx6x87aItSWU3jT9tA1/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FyM53S%2FbtqGbO7kyuK%2Fmt2dx6x87aItSWU3jT9tA1%2Fimg.png" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span><figcaption>interpreter 설정, libc 교체</figcaption> </figure> </p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">--&gt; 이제 실행 가능</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">3. 디버깅</p> <p style="text-align: left;" data-ke-size="size16">- 그냥 실행시 libc 에 디버깅 심볼이 없어 메인아레나 주소 못 가져오고 peda의 parseheap, heapinfo 등이 안먹힘</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent"><span data-url="https://blog.kakaocdn.net/dn/bGVQcF/btqGbNN96MN/cer1FTNKTWr3DvWgnX7HXk/img.png" data-phocus="https://blog.kakaocdn.net/dn/bGVQcF/btqGbNN96MN/cer1FTNKTWr3DvWgnX7HXk/img.png"><img src="https://blog.kakaocdn.net/dn/bGVQcF/btqGbNN96MN/cer1FTNKTWr3DvWgnX7HXk/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbGVQcF%2FbtqGbNN96MN%2Fcer1FTNKTWr3DvWgnX7HXk%2Fimg.png" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span></figure> </p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">- gdb 에서<b> set verbose on&nbsp;</b>치고 실행시키면 심볼 로딩 안됐다는 것을 볼 수 있음</p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent"><span data-url="https://blog.kakaocdn.net/dn/djfk60/btqGbOfbtTM/Sb01Vxmn6G6kRbKoNeHoak/img.png" data-phocus="https://blog.kakaocdn.net/dn/djfk60/btqGbOfbtTM/Sb01Vxmn6G6kRbKoNeHoak/img.png"><img src="https://blog.kakaocdn.net/dn/djfk60/btqGbOfbtTM/Sb01Vxmn6G6kRbKoNeHoak/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2Fdjfk60%2FbtqGbOfbtTM%2FSb01Vxmn6G6kRbKoNeHoak%2Fimg.png" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span></figure> </p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16">- 우리에게 필요한건 libc6-dbg 패키지라 각 버전에 맞는 패키지를 인터넷에 검색해서 다운받으면 됨.</p> <p style="text-align: left;" data-ke-size="size16">- 그러나 가끔씩 안나오는 버전들이 있음 (<b>obsolete)</b></p> <p style="text-align: left;" data-ke-size="size16">- <a href="http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc/">http://old-releases.ubuntu.com/ubuntu/pool/main/g/glibc/</a> 여기서 찾아주면 됨.</p> <p style="text-align: left;" data-ke-size="size16">ex) libc6-dbg_2.29-0ubuntu2_amd64.deb</p> <p style="text-align: left;" data-ke-size="size16">- dpkg -x ./<span style="color: #333333;">libc6-dbg_2.29-0ubuntu2_amd64.deb ./&lt;output_folder&gt; 명령어로 적당한 곳에 압축풀기</span></p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16"><span style="color: #333333;">- 압축풀면 폴더가 겁나 많은데 &lt;output dir&gt;/usr/lib/debug/lib/x86_64-linux-gnu 에 가면 디버깅 심볼 파일들이 있음</span></p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16"><span style="color: #333333;">- 다른 폴더들 쓸 때 없고 </span><span style="color: #333333;">x86_64-linux-gnu 이것만 있으면 됨</span></p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16"><span style="color: #333333;">- gdb 상에서 set debug-file-directory </span><span style="color: #333333;">&lt;output dir&gt;/</span><span style="color: #333333;">usr/lib/debug/lib/x86_6</span><span style="color: #333333;">4-linux-gnu 로 하고 run 하면 심볼로딩되고 디버깅시 main_arena 주소 불러옴</span></p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p><figure class="imageblock alignCenter" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent"><span data-url="https://blog.kakaocdn.net/dn/bSMq41/btqGevk0kif/Li7nqjtyxpiEA2R6URp5M0/img.png" data-phocus="https://blog.kakaocdn.net/dn/bSMq41/btqGevk0kif/Li7nqjtyxpiEA2R6URp5M0/img.png"><img src="https://blog.kakaocdn.net/dn/bSMq41/btqGevk0kif/Li7nqjtyxpiEA2R6URp5M0/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbSMq41%2FbtqGevk0kif%2FLi7nqjtyxpiEA2R6URp5M0%2Fimg.png" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span></figure> <figure class="imageblock alignCenter" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent"><span data-url="https://blog.kakaocdn.net/dn/bSHpJu/btqGdAm1HuI/Ez6dDtJ2B4DUaqtrK4LfuK/img.png" data-phocus="https://blog.kakaocdn.net/dn/bSHpJu/btqGdAm1HuI/Ez6dDtJ2B4DUaqtrK4LfuK/img.png"><img src="https://blog.kakaocdn.net/dn/bSHpJu/btqGdAm1HuI/Ez6dDtJ2B4DUaqtrK4LfuK/img.png" srcset="https://img1.daumcdn.net/thumb/R1280x0/?scode=mtistory2&fname=https%3A%2F%2Fblog.kakaocdn.net%2Fdn%2FbSHpJu%2FbtqGdAm1HuI%2FEz6dDtJ2B4DUaqtrK4LfuK%2Fimg.png" data-origin-width="0" data-origin-height="0" data-ke-mobilestyle="widthContent" onerror="this.onerror=null; this.src='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png'; this.srcset='//t1.daumcdn.net/tistory_admin/static/images/no-image-v1.png';"/></span></figure> </p> <p style="text-align: left;" data-ke-size="size16">&nbsp;</p> <p style="text-align: left;" data-ke-size="size16"><span style="color: #333333;">--&gt; 힙분석 하면 됨</span></p> pwnable Debug glibc-2.29 Heap LD LIBC patchelf peda pwnable Lifer https://typemiss.tistory.com/2 https://typemiss.tistory.com/2#entry2comment Sun, 2 Aug 2020 10:58:49 +0900