์ „์ฒด ๊ธ€

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

seccomp

seccomp ๋ฌธ์ œ ํ’€์ด ๋ณดํ˜ธ๊ธฐ๋ฒ•์€ ์ค€์ˆ˜ํ•  ์ •๋„๋กœ NX์™€ Canary.., Partial RELRO๊ฐ€ ์žˆ๋Š” ๋ชจ์Šต ASLR์€ ๋‹น์—ฐํžˆ ๊ธฐ๋ณธ์œผ๋กœ ๋˜์–ด ์žˆ๊ฒ ๋„ค์š”.. ใ…  ์ „์ด๋ž‘ ๋ณดํ˜ธ๊ธฐ๋ฒ•์ด ๋„˜ ใ…  ์ด๋ฒˆ์—” filter_list๊ฐ€ ์•„๋‹Œ strict๋ชจ๋“œ๋ผ์„œ read, write,exit..์ •๋„์˜ ์‹œ์Šคํ…œ ์ฝœ๋งŒ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ์•„ํ‚คํ…์ฒ˜๊ฐ€ 64๋‹ˆ๊นŒ ์ฝœ๋ฒˆํ˜ธ๊ฐ€ ์ดˆ๊ณผํ•˜์ง€ ์•Š์œผ๋ฉด ํ˜ธ์ถœ์ด๋‹ˆ๊นŒ.. 0x400..์„ ๋งž์ถ”๊ณ  seccomp์„ ์šฐํšŒํ•˜๋Š” ๊ฑด ์ž˜ ์•ˆ๋  ๋“ฏ ์‹ถ๋„ค์š” ๊ทธ๋ž˜์„œ ๋ฐฉ๋ฒ•์„ ์ฐพ๋˜ ๋„์ค‘ SECCOMP_MODE_STRICT์— ์ง‘์ค‘ ๊ตฌ๊ธ€๋งํ•œ๊ฒฐ๊ณผ Linux seccomp Linux์˜ Process Sandboxing ๊ธฐ๋ฒ•์ธ seccomp์„ ๋ถ„์„ํ•œ๋‹ค. ssup2.github.io seccomp(2) - Linux manual page sec..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

Bypass SECCOMP-1

Bypass SECCOMP-1 ๋ฌธ์ œ ํ’€์ด ๋ณดํ˜ธ๊ธฐ๋ฒ•์€ ์ค€์ˆ˜ํ•  ์ •๋„๋กœ NX์™€ PIE, FULL ELRO๊ฐ€ ์žˆ๋Š” ๋ชจ์Šต ASLR์€ ๋‹น์—ฐํžˆ ๊ธฐ๋ณธ์œผ๋กœ ๋˜์–ด ์žˆ๊ฒ ๋„ค์š”.. ใ…  ์šฐ๋ฆฌ๊ฐ€ ๋ฐฐ์› ๋˜ sendbox๊ฐ€ ์žˆ๋Š” ๋ชจ์Šต seccomp๊ฐ€ ์นœํžˆ ๊ฑธ๋ ค์žˆ๋Š”๊ตฐ์š” ์ฝ๊ธฐ, ์“ฐ๊ธฐ, ์‹คํ–‰ ๊ถŒํ•œ์ด ์žˆ๋Š” ํŽ˜์ด์ง€๋ฅผ ํ• ๋‹นํ•˜๊ณ  ์ด์šฉ์ž๋กœ๋ถ€ํ„ฐ ์ž…๋ ฅ๋œ ๊ฐ’์„ ์‚ฌ์šฉํ•œ๋‹ค.. sendbox์˜ ํ•จ์ˆ˜์— allow์˜ ๋ฆฌ์ŠคํŠธ๋ฅผ ๊ธฐ๋ฐ˜ํ•œ๋‹ค๋ฉด execve์™€ open, write๊ฐ€ ์•ˆ๋˜๋„ค์š”.. ์ ˆ๋ง์ ์ธ๋ฐ? Exploit ์„ค๊ณ„ ๊ฐ™์€ ๊ธฐ๋Šฅ์„ ํ•˜๋Š” ์‹œ์Šคํ…œ ์ฝœ์ด ์žˆ๋Š”์ง€ ํ™•์ธํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค. ์‹œ์Šคํ…œ ์ฝœ์— ๋Œ€ํ•œ ์ •๋ณด๋Š” ์•„๋ž˜ ๋งํฌ์— Linux System Call Table for x86 64 · Ryan A. Chapman Linux 4.7 (pulled from github.com/to..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

tcache_dup2

tcache_dup2 ๋ฌธ์ œ ํ’€์ด ์ด์ „์ด๋ž‘ ๋ณดํ˜ธ๊ธฐ๋ฒ•๋„ ๋˜‘๊ฐ™๊ณ  ์ฝ”๋“œ๋งŒ ์‚ด์ง ๋ฐ”๋€ ๋ชจ์Šต์œผ๋กœ ์ด์ „๊ณผ ๊ฐ™์ด ์‹คํ–‰ํ•˜๋ฉด ๋ฌดํ•œ๋ฃจํ”„์— ๋น ์ง€๊ธฐ์— ํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด p64 ๋ฐ์ดํ„ฐ ์ „์†ก ๊ณผ์ •์—์„œ ์ „์†กํ•œ ๋ฐ์ดํ„ฐ์™€ ๋‹ค๋ฅธ ๋ฐ์ดํ„ฐ๊ฐ€ ์ฐํžˆ๋Š” ๋ฌธ์ œ๊ฐ€ ์žˆ์—ˆ๋„ค์š” ์‹คํ–‰ํ•ด๋ณด๋ฉด์„œ ๋งŽ์ด ๋ง‰ํ˜”๋Š”๋ฐ ๊ทธ ๋ถ€๋ถ„๋งŒ ์ˆ˜๋™์œผ๋กœ ๋ฐ”๊ฟ”์„œ ํ•˜๋ฉด ๋  ๋“ฏ ํ•ฉ๋‹ˆ๋‹ค. Exploit ์„ค๊ณ„ ๋‹ค๋ฅธ ๋ถ€๋ถ„๋„ ๋งˆ์ฐฌ๊ฐ€์ง€๊ณ  ์ถ”๊ฐ€์ ์ธ ์ธ์ž๋ฅผ ์ž…๋ ฅํ•˜์—ฌ ํ™•์ธํ•˜๋Š” ๋ถ€๋ถ„๊ณผ modify๊ฐ€ ์ถ”๊ฐ€๋œ ๋ชจ์Šต์ž…๋‹ˆ๋‹ค. ํ•˜์ง€๋งŒ ๊ทธ๋Ÿฌํ•œ ๋ถ€๋ถ„์€ idx๊ฐ€ 8์„ ์ดˆ๊ณผํ•˜๋ฉด ์•ˆ๋œ๋‹ค.. ์„ค๋ช…์€ ์ด์ „ ๋‚ด์šฉ์—์„œ ๋ฌด์ง€ ๋งŽ์ด ํ–ˆ์œผ๋ฏ€๋กœ ์—ฌ๊ธฐ์„  ์ด์ „ ์ฝ”๋“œ๋ฅผ ํ™œ์šฉํ•ด์„œ ์ž‘์„ฑํ•ด๋ณผ๊นŒ์š”? ๊ณต๊ฒฉ๊ธฐ๋ฒ•์˜ ์ ‘๊ทผ ๋ฐฉ์‹๋„ ์œ ์‚ฌํ•˜๋ฏ€๋กœ.. Exploit ์œ„์—์„œ ๋‹ค ์„ค๋ช…ํ–ˆ์œผ๋‹ˆ ์ถ”๊ฐ€์ ์ธ ๋ถ€๋ถ„๋งŒ ๊ฐ„๋‹จํžˆ ์„ค๋ช…ํ•˜๊ณ  ๋„˜์–ด๊ฐ€๊ฒ ์Šต๋‹ˆ๋‹ค. ์ด ๋ถ€๋ถ„์€ DFB์˜ ๋ถ€๋ถ„์˜ ๊ธฐ๋ณธ์ด๋ฏ€๋กœ..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

sint

sint ๋ฌธ์ œ ํ’€์ด ์ด์   ์—ฌ๊ธฐ์„  ๊ธฐ๋ณธ์ ์ธ ๋ณดํ˜ธ๊ธฐ๋ฒ•์ด ๊ฑธ๋ ค์žˆ์Šต๋‹ˆ๋‹ค NX์™€ Partial RELRO์ด์ฃ .. ๋ณด์‹œ๋ฉด.. Type Error๋ฅผ ์œ ๋ฐœํ•˜๋ผ๊ณ  ํ•˜๋Š”๋ฐ.. 38๋ฒˆ ๋ผ์ธ์˜ ๊ฒ€์‚ฌ์—์„œ 0์€ ๊ฒ€์‚ฌ๋ฅผ ์•ˆํ•˜๋Š” ๋ถ€๋ถ„์„ ํ™•์ธ ์ฆ‰, ์ž…๋ ฅ ํ•œ๋„๋ฅผ ๋„˜์„ ์ˆ˜ ์žˆ์„ ์ˆ˜ ์žˆ๊ธฐ์— payload์˜ ์ž…๋ ฅ์ด ์ž์œ ๋กœ์›Œ์ง„๋‹ค! ์ฆ‰, 0์„ ๋„ฃ๊ณ  bof๋ฅผ ์ผ์œผ์ผœ์„œ get_shell์„ ํ•˜๋Š”๊ฑฐ์ฃ  ๋˜ํ•œ signal์ด ๋ฌด์Šจ ํ•จ์ˆ˜์ผ๊นŒ ๊ฒ€์ƒ‰ํ•ด๋ณด๋‹ˆ๊นŒ.. Segment fault ์ฆ‰ ๊ตฌ๋ฌธ ์˜ค๋ฅ˜ ๋‚˜๋ฉด get_shell์„ ์‹คํ–‰ํ•˜๋„ค์š” ๊ทธ๋Ÿผ ์ด๋ฒˆ์—๋Š” pwn๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ์•Š๊ณ  ํ•  ์ˆ˜ ์žˆ๊ฒ ๋„ค์š”? Exploit ์„ค๊ณ„ esp๊ฐ€ 0x104๋กœ ์žกํ˜€์žˆ๋„ค์š”.. 256byte๋กœ ํ• ๋‹น๋ฌ๋Š”๋ฐ ๊ทธ๋Ÿผ 0x100์ด์—ฌ์•ผํ•˜๋Š”๋ฐ ์ตœ์ ํ™” ๋‹จ๊ณ„์—์„œ 0x104๋กœ ๋˜์—ˆ์œผ๋ฏ€๋กœ sfp์™€ ret ๋ถ€๋ถ„๋งŒ ์ฑ„์›Œ..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

tcache_dup

tcache_dup ๋ฌธ์ œ ํ’€์ด NX์™€ Partial RELRO ๊ทธ๋ฆฌ๊ณ  Canary๋ผ๋‹ˆ.. ์ฝ”๋“œ๋ฅผ ์‚ดํŽด๋ณด๊ณ  ์ทจ์•ฝ์ ์„ ์œ ์ถ”ํ•ด์•ผ๊ฒ ์Šต๋‹ˆ๋‹ค ์ œ๋ชฉ์—์„œ ๋ณด๋“ฏ์ด ์•„๋งˆ DFB๊ฒ ๋‹ค๋งŒ.. ์ฝ”๋“œ๋ฅผ ๋ณด์‹œ๋ฉด.. deleteํ•จ์ˆ˜ ๋ถ€๋ถ„์„ ๋ณด๋ฉด, ptr[idx]์„ ํ•ด์ œ ํ›„ ptr ํฌ์ธํ„ฐ๋ฅผ ์ดˆ๊ธฐํ™”๋ฅผ ํ•˜์ง€ ์•Š์œผ๋ฏ€๋กœ DFB ์ทจ์•ฝ์ ์ด ์กด์žฌํ•ฉ๋‹ˆ๋‹ค ๋˜ํ•œ get_shell์ด ์žˆ๊ธฐ์— NX์€ ๊ฑฑ์ • ์—†๋„ค์š” ์ทจ์•ฝ์ ์„ ๊ทธ๋Ÿผ ๋‹ค์‹œ ํ•œ ๋ฒˆ ์ƒ๊ฐํ•ด๋ณธ๋‹ค๋ฉด GOT overwrite๋„ ๊ฐ€๋Šฅํ•ด๋ณด์ž…๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌ๊ธฐ์— ์ฒญํฌ๋ฅผ ํ• ๋‹น ํ›„ ๋‘ ๋ฒˆ ํ•ด์ œ double free์—์„œ ๊ทธ ๋‚ด์šฉ์„ ์กฐ์ž‘ ๊ทธ๋ฆฌ๊ณ  printf์˜ got ์ฃผ์†Œ๋ฅผ ๋„ฃ๊ณ  ํ›„์— get_shell์˜ ์ฃผ์†Œ๋ฅผ ๋„ฃ์–ด overwrite.. Exploit ์„ค๊ณ„ ํž™ ํ• ๋‹น ํ›„ Double free๋ฅผ ํ•ฉ๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์„œ ์ฒญํฌ์˜ next์˜ ..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

validator

validator ๋ฌธ์ œ ํ’€์ด ๋ณดํ˜ธ๊ธฐ๋ฒ•์ด ๊ฑฐ์˜ ์—†๋‹ค๊ณ  ํ•  ์ •๋„๋„ค์š”..? ์ฐธ๊ณ ๋กœ ์ด๋ฒˆ ๋ฌธ์ œ๋Š” ๋ฐ”์ด๋„ˆ๋ฆฌ๋งŒ ์ฃผ์–ด์„œ ์ด๋ ‡๊ฒŒ IDA๋ฅผ ์‚ฌ์šฉํ–ˆ์Šต๋‹ˆ๋‹น ๊ธฐ๋ณธ์ ์œผ๋ก  ์œ„์™€ ๊ฐ™์ด ํ˜•์„ฑ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค emeset์„ ํ•œ ํ›„ validate ํ•จ์ˆ˜๋ฅผ ์‹คํ–‰ํ•˜๋„ค์š” ๊ทธ ์ธ์ž๋กœ๋Š” s์™€ 128์„ ์ฃผ๊ณ ์š” ๊ฐ ๋ฐ˜๋ณต๋ฌธ๋งˆ๋‹ค ์กฐ๊ฑด๋ฌธ์ด ์žˆ๋„ค์š” ์ฃผ์„์œผ๋กœ DREAMHACK์ด๋ผ๊ณ  ์•Œ๋ ค์ฃผ๋„ค์š”.. ๋ฆฌ๋ฒ„์‹ฑ ๋ชปํ•˜๋Š”๋ฐ ๊ฐ์‚ฌํ•ฉ๋‹ˆ๋‹ค ใ… ใ…  ์šฐ์„  ์ธ์ž๋กœ ๋„˜๊ธด ๋ฐฐ์—ด์ด DREAMHACK!์œผ๋กœ ์‹œ์ž‘ํ•˜๋ฉฐ, ์œ„์— ํ•จ์ˆ˜์—์„œ j = 11๋ถ€ํ„ฐ j < 0x128๋งŒํผ s์˜ ๊ฐ ๋ฌธ์ž๊ฐ€ ์—†์–ด์ง€๋‚˜์š”? ๋จผ์ € ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•ด DREAMHACK! ๋ฌธ์ž์—ด๊ณผ ํ•œ ๋ฐ”์ดํŠธ์”ฉ ๋น„๊ตํ•˜๊ณ , 9 ๊ฐœ์˜ ๋ฌธ์ž ์ค‘ ๋™์ผํ•˜์ง€ ์•Š์€ ๋ฌธ์ž๊ฐ€ ์žˆ๋‹ค๋ฉด exit ํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด ํ”„๋กœ๊ทธ๋žจ์„ ์ข…๋ฃŒํ•ฉ๋‹ˆ๋‹ค. ์œ„ ์กฐ๊ฑด์„ ๋งŒ์กฑํ•˜๋ฉด ์‚ฌ์šฉ์ž๊ฐ€ ์ž…๋ ฅํ•œ..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

cmd_center

cmd_center ๋ฌธ์ œ ํ’€์ด ์–ด์งœํ”ผ cmd_injection์ด๋ผ์„œ ๋ณดํ˜ธ๊ธฐ๋ฒ•์€ ์˜๋ฏธ๊ฐ€ ์—†์„ ๊ฑฐ ๊ฐ™์€๋ฐ.. system ํ•จ์ˆ˜๋ฅผ ํ†ตํ•ด ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ•˜๋ฏ€๋กœ command injection์ด ๋ฐœ์ƒํ•  ๊ฐ€๋Šฅ์„ฑ์ด ๋†ํ›„ํ•ฉ๋‹ˆ๋‹ค. ๋˜ํ•œ read(0, center_name, 100)์˜ ๋ถ€๋ถ„์—์„œ BOF๊ฐ€ ๋ฐœ์ƒํ•˜๋ฏ€๋กœ ์ด๋ฅผ ์ด์šฉํ•˜์—ฌ cmd_ip๊ฐ’์„ ์กฐ์ž‘ํ•ด๋ด…์‹œ๋‹ค! Exploit ์„ค๊ณ„ ์šฐ๋ฆฐ center_name๊ณผ cmd_ip์˜ offset๋งŒ ๊ตฌํ•ด์„œ ๋„ฃ๊ณ  cmd injectionํ•˜๋ฉด ๋˜๊ฒ ์ฃ  ๋ณด์‹œ๋ฉด offset = 0x20๋งŒํผ ์ฐจ์ด๊ฐ€ ๋‚˜๋Š”๊ตฐ์š” Exploit ์œ„์—์„œ ๋‹ค ์„ค๋ช…ํ–ˆ์œผ๋‹ˆ ์ถ”๊ฐ€์ ์ธ ๋ถ€๋ถ„๋งŒ ๊ฐ„๋‹จํžˆ ์„ค๋ช…ํ•˜๊ณ  ๋„˜์–ด๊ฐ€๊ฒ ์Šต๋‹ˆ๋‹ค. ์ด ๋ฌธ์ œ๋„ exploit.py๋ฅผ ๊ตณ์ด ์‚ฌ์šฉํ•  ํ•„์š”๊ฐ€ ์—†๊ตฐ์š” A*0x20์— ifconfig(ip์ฐพ๋Š” ๋ช…๋ น์–ด);/b..

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

uaf_overwr

uaf_overwrite ๋ฌธ์ œ ํ’€์ด ๋ชจ๋“  ๋ณดํ˜ธ ๊ธฐ๋ฒ•์ด ์ ์šฉ๋˜์–ด ์žˆ๋„ค์š”.. ์™€์šฐ Dangling Pointer๋Š” ์œ ํšจํ•˜์ง€ ์•Š์€ ๋ฉ”๋ชจ๋ฆฌ ์˜์—ญ์„ ๊ฐ€๋ฆฌํ‚ค๋Š” ํฌ์ธํ„ฐ๋กœ์จ.. ์ฝ”๋“œ๊ฐ€ ์ƒํผํ•˜๋„ค์š” Dangling Pointer๊ฐ€ ์žˆ๋‹ค๊ณ  ๊ผญ ์œ„ํ—˜ํ•œ ๋ถ€๋ถ„์€ ์•„๋‹ˆ์ง€๋งŒ ๊ฒฝ์šฐ์— ๋”ฐ๋ผ ๋‹ฌ๋ผ์ง€๋ฏ€๋กœ ์—ฌ๊ธฐ์„  ์œ„ํ—˜ํ•˜๊ฒ ์ฃ  Human์ด๋ž‘ Robot์€ ๊ตฌ์กฐ์ฒด๋กœ ๊ฐ ๊ตฌ์กฐ์ฒด ๋ณ€์ˆ˜์™€ ํฌ๊ธฐ ๋™์  ํ• ๋‹น ํ•ด์ œ๋ฅผ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค human_funcํ•จ์ˆ˜์™€ robot_func ํ•จ์ˆ˜๋ฅผ ์‚ดํŽด๋ณด๋ฉด, ๊ตฌ์กฐ์ฒด ๋ณ€์ˆ˜๋ฅผ ์œ„ํ•œ ๋ฉ”๋ชจ๋ฆฌ ์˜์—ญ์„ ํ• ๋‹น ์‹œ, ์ดˆ๊ธฐํ™” X memset()ํ•˜๋ผ๋Š” ์ด์•ผ๊ธฐ๊ตฌ๋‚˜! ๋ผ๋Š” ๊ฑธ ํ•œ์ฐธ ๋’ค์— ์•Œ๊ฒ ๋ฌ์Šต๋‹ˆ๋‹ค ์ €๋Š” ํ• ๋‹นํ•ด์ œํ•˜๋ฉด ์•Œ์•„์„œ ์ดˆ๊ธฐํ™” ๋˜๋Š”์ค„ ์•Œ์•˜๋Š”๋ฐ.. ๊ทธ๋Ÿผ Human ๊ตฌ์กฐ์ฒด์™€ Robot ๊ตฌ์กฐ์ฒด์˜ ํฌ๊ธฐ๋Š” ๊ฐ™์œผ๋ฏ€๋กœ, ํ•œ ๊ตฌ์กฐ์ฒด๋ฅผ ํ•ด์ œ ๋‹ค๋ฅธ ๊ตฌ์กฐ์ฒด๋ฅผ ..

Jastes