All posts

๐ŸŒ‡โ”‚System_Study/๐Ÿ“•โ”‚Dreamhack_Hacking

Exploit Tech: Return to Shellcode

Bypassing the stack canary and using a Return Address Overwrite plus shellcode to get a shell.

// Name: r2s.c
// Compile: gcc -o r2s r2s.c -zexecstack
#include <stdio.h>
#include <unistd.h>

void init() {
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
}

int main() {
  char buf[0x50];
  init();
  printf("Address of the buf: %p\n", buf);
  printf("Distance between buf and $rbp: %ld\n", (char*)__builtin_frame_address(0) - buf);
  printf("[1] Leak the canary\n");
  pri..

Mitigation: Stack Canary

์Šคํƒ ์นด๋‚˜๋ฆฌ(Stack Canary) ์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๋กœ๋ถ€ํ„ฐ ๋ฐ˜ํ™˜ ์ฃผ์†Œ๋ฅผ ๋ณดํ˜ธํ•˜๋Š” ๊ธฐ๋ฒ• ํ•จ์ˆ˜์˜ ํ”„๋กค๋กœ๊ทธ์—์„œ ์Šคํƒ ๋ฒ„ํผ์™€ ๋ฐ˜ํ™˜ ์ฃผ์†Œ ์‚ฌ์ด์— ์ž„์˜์˜ ๊ฐ’์„ ์‚ฝ์ž…ํ•˜๊ณ , ํ•จ์ˆ˜์˜ ์—ํ•„๋กœ๊ทธ์—์„œ ํ•ด๋‹น ๊ฐ’์˜ ๋ณ€์กฐ๋ฅผ ํ™•์ธํ•˜๋Š” ๋ณดํ˜ธ ๊ธฐ๋ฒ•์ž…๋‹ˆ๋‹ค. ์นด๋‚˜๋ฆฌ ๊ฐ’์˜ ๋ณ€์กฐ๊ฐ€ ํ™•์ธ๋˜๋ฉด ํ”„๋กœ์„ธ์Šค ๊ฐ•์ œ ์ข…๋ฃŒ! BOF๋กœ RET๋ฅผ ๋ฎ์œผ๋ ค๋ฉด ๋ฐ˜๋“œ์‹œ ์นด๋‚˜๋ฆฌ๋ฅผ ๋จผ์ € ๋ฎ์–ด์•ผํ•˜๋ฏ€๋กœ ์นด๋‚˜๋ฆฌ ๊ฐ’์„ ๋ชจ๋ฅด๋Š” ๊ณต๊ฒฉ์ž๋Š” ๋ฐ˜ํ™˜ ์ฃผ์†Œ๋ฅผ ๋ฎ์„ ๋•Œ ์นด๋‚˜๋ฆฌ ๊ฐ’์„ ๋ณ€์กฐํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌํ•˜๋‹ค๋ฉด ๋ณ€์กฐ๊ฐ€ ํ™•์ธ๋˜์–ด ๊ณต๊ฒฉ์ž๋Š” ์‹คํ–‰ ํ๋ฆ„์„ ํš๋“ํ•˜์ง€ ๋ชปํ•˜๊ฒŒ๋ฉ๋‹ˆ๋‹ค. TMI. ์นด๋‚˜๋ฆฌ๋ผ๋Š” ์ด๋ฆ„์˜ ์œ ๋ž˜ ์นด๋‚˜๋ฆฌ ๋ณดํ˜ธ ๊ธฐ๋ฒ•์˜ ์ด๋ฆ„์€ ์นด๋‚˜๋ฆฌ์•„(Canary)๋ผ๋Š” ์ƒˆ์—์„œ ์œ ๋ž˜๋˜์—ˆ์Šต๋‹ˆ๋‹ค. 19์„ธ๊ธฐ, 20์„ธ๊ธฐ์—๋Š” ์ผ์‚ฐํ™”ํƒ„์†Œ ๋†๋„์˜ ์ธก์ • ๊ธฐ์ˆ ์ด ๋ถ€์กฑํ–ˆ๊ณ , ํƒ„๊ด‘์—์„œ ์œ ์ถœ๋œ ์ผ์‚ฐํ™”ํƒ„์†Œ์— ๊ด‘๋ถ€๊ฐ€ ์ค‘๋…์‚ฌํ•˜๋Š” ..

basic_exploitation_001

basic_exploitation_001 write-up. Before getting into it, a problem came up.. the binary has NX enabled. For reference, it is a 32-bit little-endian Linux binary. So before we start, we should look at NX, right? NX (NX bit | on MS Windows: DEP). NX bit (No-eXecute bit; AMD's name, Intel calls it XD): a CPU feature that separates the memory regions holding a process's instructions (code) from the regions that only store data. Every memory region marked with the NX attribute is used only for storing data; the CPU refuses to fetch instructions from it, so code placed there cannot run. DEP (Data Execution Prevention): the security feature included in MS Windows that checks memory in order to prevent malicious code from executing. DEP ..
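What checksec reports as "NX enabled" on Linux is the PT_GNU_STACK program header of the ELF file: if its flags carry PF_X, the loader maps the stack executable. The following is an added example, not code from the blog or from Dreamhack: a small C parser for that header that handles both ELF32 (the challenge binary) and ELF64 (the rao.c/r2s.c examples), plus a file-reading helper and a builder for a constructed minimal ELF image used to exercise the parser offline. The PT_GNU_STACK and PF_X constants are the real ELF values; the builder, the helper names and the constructed image are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum nx_status { NX_ENABLED, NX_DISABLED, NX_NO_GNU_STACK, NX_BAD_ELF };

#define PT_GNU_STACK 0x6474e551u  /* program header carrying the stack permissions */
#define PF_X 0x1u                 /* executable flag in p_flags */

/* Little-endian field helpers: ELF on x86 and x86-64 is little-endian. */
static uint64_t rd(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void wr(uint8_t *p, uint64_t v, int n) {
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walks the program headers of an ELF32/ELF64 image in memory and reports the
 * PT_GNU_STACK flags: PF_X set means an executable stack (NX off). */
enum nx_status check_nx(const uint8_t *img, size_t len) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return NX_BAD_ELF;
    int is64 = img[4] == 2;               /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (img[5] != 1) return NX_BAD_ELF;   /* EI_DATA: only little-endian handled */
    uint64_t phoff; unsigned phentsize, phnum;
    if (is64) {
        if (len < 64) return NX_BAD_ELF;
        phoff = rd(img + 32, 8); phentsize = rd(img + 54, 2); phnum = rd(img + 56, 2);
    } else {
        phoff = rd(img + 28, 4); phentsize = rd(img + 42, 2); phnum = rd(img + 44, 2);
    }
    for (unsigned i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < (is64 ? 56u : 32u) || off + phentsize > len) return NX_BAD_ELF;
        const uint8_t *ph = img + off;
        /* p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr */
        uint32_t type  = (uint32_t)rd(ph, 4);
        uint32_t flags = (uint32_t)rd(ph + (is64 ? 4 : 24), 4);
        if (type == PT_GNU_STACK) return (flags & PF_X) ? NX_DISABLED : NX_ENABLED;
    }
    return NX_NO_GNU_STACK;  /* no header: kernel default applies, executable on x86 */
}

/* Reads a binary from disk and checks it, e.g. the downloaded challenge file. */
enum nx_status check_nx_file(const char *path) {
    FILE *fp = fopen(path, "rb");
    if (!fp) return NX_BAD_ELF;
    uint8_t *buf = NULL; size_t len = 0, cap = 0, n;
    do {
        if (len == cap) {
            cap = cap ? cap * 2 : 65536;
            uint8_t *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(fp); return NX_BAD_ELF; }
            buf = nb;
        }
        n = fread(buf + len, 1, cap - len, fp); len += n;
    } while (n > 0);
    fclose(fp);
    enum nx_status s = check_nx(buf, len);
    free(buf);
    return s;
}

/* Constructed minimal image (ELF header + one PT_GNU_STACK phdr), not a real
 * binary: just enough for check_nx() to parse. Returns the image size. */
size_t build_image(uint8_t *out, int is64, int exec_stack) {
    size_t ehsize = is64 ? 64 : 52, phsize = is64 ? 56 : 32;
    memset(out, 0, ehsize + phsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1; out[5] = 1; out[6] = 1;      /* class, LE, EV_CURRENT */
    uint32_t flags = 0x6u | (exec_stack ? PF_X : 0u);  /* PF_R|PF_W, PF_X for -zexecstack */
    if (is64) { wr(out + 32, ehsize, 8); wr(out + 54, phsize, 2); wr(out + 56, 1, 2); }
    else      { wr(out + 28, ehsize, 4); wr(out + 42, phsize, 2); wr(out + 44, 1, 2); }
    wr(out + ehsize, PT_GNU_STACK, 4);
    wr(out + ehsize + (is64 ? 4 : 24), flags, 4);
    return ehsize + phsize;
}

/* Builds a constructed image and checks it in one step. */
enum nx_status check_constructed(int is64, int exec_stack) {
    uint8_t img[64 + 56];
    size_t n = build_image(img, is64, exec_stack);
    return check_nx(img, n);
}

int main(int argc, char **argv) {
    static const char *names[] = { "NX enabled", "NX disabled", "no PT_GNU_STACK", "not a usable ELF" };
    printf("constructed ELF32, RW stack:    %s\n", names[check_constructed(0, 0)]);
    printf("constructed ELF64, -zexecstack: %s\n", names[check_constructed(1, 1)]);
    if (argc > 1) printf("%s: %s\n", argv[1], names[check_nx_file(argv[1])]);
    return 0;
}
```

Build with `gcc -o nxcheck nxcheck.c` and run `./nxcheck ./basic_exploitation_001` to see the challenge's setting; passing `-zexecstack` at link time, as the r2s.c example does, is exactly what sets PF_X on this header.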

basic_exploitation_000

basic_exploitation_000 ๋ฌธ์ œํ’€์ด(pwntools์™€ shellcode) ๋ฐ‘์— ๋งํฌ๋Š” ์•ž์œผ๋กœ ๊ธฐ์žฌ๋  ๋ฌธ์ œ ํ’€์ด์—์„œ ํฐ ๋„์›€์ด ๋ ๊ฑฐ์˜ˆ์š” ์ถ”๊ฐ€๋กœ ํ•„์š”ํ•œ ์ •๋ณด๋Š” ์ฐจ์ฐจ ๊ธฐ์žฌํ• ๊ป˜์š” Memory Corruption: Stack Buffer Overflow ์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ(Stack Buffer Overflow) ์„ธ๊ณ„ ์ตœ์ดˆ์˜ ์›œ์ด๋ผ๊ณ  ๋ถˆ๋ฆฌ๋Š” ๋ชจ๋ฆฌ์Šค ์œ”๋„ ์ด ๊ณต๊ฒฉ์„ ํ†ตํ•ด ์ „ํŒŒ๋จ ๋ณด์•ˆ ๊ณต๋ถ€๋ฅผ ๋ชจ๋ฅด๋Š” ๊ฐœ๋ฐœ์ž๋„ ์•Œ๋งŒํผ ์œ ๋ช…ํ•˜๊ณ  ์—ญ์‚ฌ๊ฐ€ ์˜ค๋ž˜๋œ ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ์ด๋ ‡๊ฒŒ dystopia050119.tistory.com //file name : basic_exploitation_000.c //Complie : gcc -o basic_exploitation_000 basic_exploitation_000.c #inc..

Exploit Tech: Return Address Overwrite

Introduction. Now let's do a warm-up: modify RET through a stack overflow to get a shell. Below is the example.

// Name: rao.c
// Compile: gcc -o rao rao.c -fno-stack-protector -no-pie
#include <stdio.h>
#include <unistd.h>

void init() {
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
}

void get_shell() {
  char *cmd = "/bin/sh";
  char *args[] = {cmd, NULL};
  execve(cmd, args, NULL);
}

int main() {
  char buf[0x28];
  init();
  printf("Input: ");
  scanf("%s", buf);
  return ..

Return Address Overwrite

๋ฌธ์ œํ’€์ด ๋„ˆ๋ฌด ์ง€์ณ์„œ.. ๋ฌธ์ œ ํ’€์ด๋Š” ํ•˜๋‚˜๋งŒ ํ• ๊นŒ์š”? get_shell ํ•จ์ˆ˜๋ฅผ ํ™œ์šฉ // Name: rao.c // Compile: gcc -o rao rao.c -fno-stack-protector -no-pie #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } void get_shell() { char *cmd = "/bin/sh"; char *args[] = {cmd, NULL}; execve(cmd, args, NULL); } int main() { char buf[0x28]; init(); printf("Input: "); scanf("%s", buf); return 0; } ์œ„ ์ฝ”๋“œ๊ฐ€ ๋ฌธ์ œ์—์„œ..

Memory Corruption: Stack Buffer Overflow

์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ(Stack Buffer Overflow) ์„ธ๊ณ„ ์ตœ์ดˆ์˜ ์›œ์ด๋ผ๊ณ  ๋ถˆ๋ฆฌ๋Š” ๋ชจ๋ฆฌ์Šค ์œ”๋„ ์ด ๊ณต๊ฒฉ์„ ํ†ตํ•ด ์ „ํŒŒ๋จ ๋ณด์•ˆ ๊ณต๋ถ€๋ฅผ ๋ชจ๋ฅด๋Š” ๊ฐœ๋ฐœ์ž๋„ ์•Œ๋งŒํผ ์œ ๋ช…ํ•˜๊ณ  ์—ญ์‚ฌ๊ฐ€ ์˜ค๋ž˜๋œ ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ์ด๋ ‡๊ฒŒ ์˜ค๋žœ ์—ญ์‚ฌ๋ฅผ ์ž๋ž‘ํ•˜๋Š” ์ด ์ทจ์•ฝ์ ์€ ์•„์ง๋„ ๋งŽ์€ SW์—์„œ ๋ฐœ๊ฒฌ๋ฉ๋‹ˆ๋‹ค. CVE details์— ๋”ฐ๋ฅด๋ฉด ์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๋ฅผ ํฌํ•จํ•œ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ ์ทจ์•ฝ์ ์€ ๋งŽ์ด ๋†’์•„์š”(4์œ„) ๊ทธ๋Ÿผ ์Šคํƒ ๋ฒ„ํผ ์˜ค๋ฒ„ํ”Œ๋กœ์šฐ๊ฐ€ ๋ฐœ์ƒํ•˜๋Š” ์›์ธ์ด ๋ฌด์—‡์ธ์ง€, ๊ทธ๋ฆฌ๊ณ  ์ด ์ทจ์•ฝ์ ์ด ์–ด๋–ค ๋ฌธ์ œ๋กœ ์ด์–ด์งˆ์ง€ ๊ณต๋ถ€ ใ„ฑ BOF์— ํ•„์š”ํ•œ ์šฉ์–ด ๊ฐ„๋‹จ ์ •๋ฆฌ ๋ฒ„ํผ๋Š” ๋ฐ์ดํ„ฐ๊ฐ€ ์ €์žฅ๋˜๋Š” ๊ณต๊ฐ„ sfp๋Š” ์Šคํƒ ๋ฒ ์ด์Šค ๊ฐ’์„ ์˜๋ฏธ - sfp๋Š” ์Šคํƒ ์ฃผ์†Œ๊ฐ’์„ ๊ณ„์‚ฐํ•  ๋•Œ ํ˜„์žฌ ์Šคํƒ๊ฐ’์˜ ๊ธฐ์ค€ ํ•„์š”ํ•œ ํ”„๋ ˆ์ž„ ํฌ์ธํ„ฐ ๊ฐ’ ์ง€์ •(4 or 8byte) rbp(or ebp)๋Š” ํ•œ ..

Background: Calling Convention

Function calling convention 🤙: the agreement on how functions are called and how they return. When one function calls another, the program's execution flow moves into the other function, and when the called function returns, control comes back to the original function and the previous flow continues. At the call, the caller's state (stack frame) and the return address must be saved so execution can resume after the return. The caller also passes the arguments the callee requires, and receives the return value when the callee finishes. Applying a calling convention is normally the compiler's job: the compiler applies the convention appropriate to the programming language. There are several calling conventions, and if the code does not specify one, the compiler picks from those it supports according to the CPU architecture ..

Jastes