thumbnail
[DreamHack System Hacking] __eviron
2022. 9. 21. 21:46 DreamHack/SystemHacking
๋ฌธ์ œ ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค. // Name: environ.c // Compile: gcc -o environ environ.c #include #include #include #include #include void sig_handle() { exit(0); } void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); signal(SIGALRM, sig_handle); alarm(5); } void read_file() { char file_buf[4096]; int fd = open("/home/environ_exercise/flag", O_RDONLY); read(fd, file_buf, sizeof(file_buf) - 1); close(f..
thumbnail
[DreamHack System Hacking] Linux Library exploit > __environ
2022. 9. 21. 21:33 DreamHack/SystemHacking
ํ”„๋กœ์„ธ์Šค๋Š” ํ™˜๊ฒฝ ๋ณ€์ˆ˜ ์ •๋ณด๋ฅผ ์ €์žฅํ•˜๊ณ , ํ•„์š”ํ•  ๋•Œ๋งˆ๋‹ค ๋ถˆ๋Ÿฌ์™€ ์‚ฌ์šฉํ•œ๋‹ค. ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ•จ์ˆ˜์—์„œ ํ™˜๊ฒฝ ๋ณ€์ˆ˜ ํฌ์ธํ„ฐ์™€ ๊ด€๋ จ๋œ ๊ณต๊ฒฉ์— ๋Œ€ํ•ด ์•Œ์•„๋ณด๊ณ ์ž ํ•œ๋‹ค. ์ด์ „์— ํ™˜๊ฒฝ ๋ณ€์ˆ˜๋ฅผ ์–ด๋Š ์˜์—ญ์— ์ €์žฅํ•˜๊ณ , ์–ด๋–ป๊ฒŒ ์ฐธ์กฐํ•˜๋Š”์ง€ ์•Œ๊ณ  ์žˆ์–ด์•ผ ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ด๋ฅผ ๋จผ์ € ์•Œ์•„๋ณด์ž. ์‹ค์Šต ์ฝ”๋“œ๋Š ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค. // Name: environ.c // Compile: gcc -o environ environ.c #include #include #include #include #include void sig_handle() { exit(0); } void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); signal(SIGALRM, sig_handle); alarm(5); } vo..
thumbnail
[DreamHack System Hacking] Linux Library exploit > overwrite _rtld_global
2022. 9. 21. 13:32 DreamHack/SystemHacking
ํ”„๋กœ๊ทธ๋žจ์—์„œ ๋ฆฌํ„ด ๋ช…๋ น์–ด๋ฅผ ์ˆ˜ํ–‰ํ•˜๋ฉด ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ์™€ ๋กœ๋”์—์„œ ๋‹ค์–‘ํ•œ ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•˜๋ฉด์„œ ์ •์ƒ ์ข…๋ฃŒํ•œ๋‹ค. ์ฝ๊ณ  ์“ธ ์ˆ˜ ์žˆ๋Š” ์˜์—ญ์— ์กด์žฌํ•˜๋Š” ํ•จ์ˆ˜ ํฌ์ธํ„ฐ๋ฅผ ํ˜ธ์ถœํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ž„์˜ ์ฃผ์†Œ ์“ฐ๊ธฐ ์ทจ์•ฝ์ ์ด ์žˆ๋‹ค๋ฉด ํ•ด๋‹น ํฌ์ธํ„ฐ๋ฅผ ๋ฎ์–ด์จ์„œ ํ”„๋กœ๊ทธ๋žจ์˜ ์‹คํ–‰ ํ๋ฆ„์„ ์กฐ์ž‘ํ•  ์ˆ˜ ์žˆ๋‹ค. _rtld_global ๋ฎ์–ด์“ฐ๊ธฐ ์‹ค์Šต ์˜ˆ์ œ // Name: ow_rtld.c // Compile: gcc -o ow_rtld ow_rtld.c #include #include void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int main() { long addr; long data; int idx; init(); printf("stdout: %p\n", stdout); whil..
thumbnail
[DreamHack System Hacking] Linux Library exploit > _rtld_global
2022. 9. 20. 20:52 DreamHack/SystemHacking
๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์ฝ”๋“œ๋ฅผ ๋ถ„์„ํ•˜๋ฉด์„œ ์–ด๋–ค ๋ฐฉ์‹์œผ๋กœ ํ”„๋กœ์„ธ์Šค๋ฅผ ์ข…๋ฃŒํ•˜๋Š”์ง€ ์•Œ์•„๋ณด์ž. _rtld_global ์‹ค์Šต ์˜ˆ์ œ // Name: rtld.c // Compile: gcc -o rtld rtld.c int main() { return 0; } ๋‹ค์Œ์˜ ์ฝ”๋“œ๋Š” ์ข…๋ฃŒํ•˜๋Š” ๊ณผ์ •์„ ์•Œ์•„๋ณด๊ธฐ ์œ„ํ•œ ์˜ˆ์ œ ์ฝ”๋“œ์ด๋‹ค. _rtld_global __Gl_exit ์•ž์„œ ์ปดํŒŒ์ผ ํ•œ ์˜ˆ์ œ ์ฝ”๋“œ๋Š” ๋ณ„๋‹ค๋ฅธ ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•˜์ง€ ์•Š๊ณ  ํ”„๋กœ๊ทธ๋žจ์„ ์ข…๋ฃŒํ•œ๋‹ค. ๋””๋ฒ„๊น…์„ ํ†ตํ•ด ๋” ์ž์„ธํžˆ ์•Œ์•„๋ณด์ž. main ํ•จ์ˆ˜ ๋‚ด์— ๋ฆฌํ„ดํ•˜๋Š” ๋ช…๋ น์–ด์— ๋ธŒ๋ ˆ์ดํฌ ํฌ์ธํŠธ๋ฅผ ์„ค์ •ํ•œ๋‹ค. step into (si)๋ฅผ ํ†ตํ•ด ๋‹ค์Œ ์ฝ”๋“œ๋ฅผ ํ™•์ธํ•œ๋‹ค. ๋””๋ฒ„๊น… ๊ฒฐ๊ณผ๋ฅผ ํ™•์ธํ•ด๋ณด๋ฉด, main ํ•จ์ˆ˜ ๋‚ด์—์„œ ๋ฆฌํ„ด ๋ช…๋ น์–ด๋ฅผ ์‹คํ–‰ํ–ˆ์„ ๋•Œ ์Šคํƒ ์ตœ์ƒ๋‹จ์— ์žˆ๋Š” __libc_start_main+231 ..
thumbnail
[DreamHack System Hacking] master_canary
2022. 9. 19. 22:05 DreamHack/SystemHacking
๋ฌธ์ œ ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค. // gcc -o master master.c -pthread #include #include #include #include #include char *global_buffer; void alarm_handler() { puts("TIME OUT"); exit(-1); } void initialize() { setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); signal(SIGALRM, alarm_handler); alarm(60); } void get_shell() { system("/bin/sh"); } void *thread_routine() { char buf[256]; global_buffer = b..
thumbnail
[DreamHack System Hacking] Master Canary - (2)
2022. 9. 19. 21:54 DreamHack/SystemHacking
๋ฌธ์ œ ์ฝ”๋“œ // Name: mc_thread.c // Compile: gcc -o mc_thread mc_thread.c -pthread -no-pie #include #include #include #include void giveshell() { execve("/bin/sh", 0, 0); } void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } int read_bytes (char *buf, int len) { int idx = 0; int read_len = 0; for (idx = 0; idx < len; idx++) { int ret; ret = read(0, buf+idx, 1); if (ret < 0) { return rea..
thumbnail
[DreamHack System Hacking] Master Canary - (1)
2022. 9. 19. 18:44 DreamHack/SystemHacking
์‹ค์Šต ์˜ˆ์ œ ์ฝ”๋“œ๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค. // Name: mc_thread.c // Compile: gcc -o mc_thread mc_thread.c -pthread -no-pie #include #include #include #include void giveshell() { execve("/bin/sh", 0, 0); } void init() { setvbuf(stdin, 0, 2, 0); setvbuf(stdout, 0, 2, 0); } void thread_routine() { char buf[256]; int size = 0; printf("Size: "); scanf("%d", &size); printf("Data: "); read(0, buf, size); } int main() { pthread_..
thumbnail
[DreamHack System Hacking] Master Canary
2022. 9. 19. 17:06 DreamHack/SystemHacking
Thread Local Storage Thread Local Storage (TLS)๋Š” ๋ช…์นญ ๊ทธ๋Œ€๋กœ ์Šค๋ ˆ๋“œ์˜ ์ €์žฅ ๊ณต๊ฐ„์„ ์˜๋ฏธํ•œ๋‹ค. ELF ๋ฐ”์ด๋„ˆ๋ฆฌ๋ฅผ ์‚ดํŽด๋ณด๋ฉด, ๊ฐ๊ฐ์˜ ๋ชฉ์ ์„ ๊ฐ€์ง„ ์„น์…˜์—์„œ ๋ฐ์ดํ„ฐ๋ฅผ ๊ด€๋ฆฌํ•œ๋‹ค. ์ฝ”๋“œ๋ฅผ ์‹คํ–‰ํ•˜๊ธฐ ์œ„ํ•œ .text, ์ดˆ๊ธฐํ™”๋˜์ง€ ์•Š์€ ์ „์—ญ ๋ณ€์ˆ˜๋ฅผ ์œ„ํ•œ .data๋“ฑ์„ ์˜ˆ์‹œ๋กœ ๋“ค ์ˆ˜ ์žˆ๋‹ค. TLS ์˜์—ญ์€ ์ด์™€ ๋‹ฌ๋ฆฌ ์Šค๋ ˆ๋“œ์˜ ์ „์—ญ ๋ณ€์ˆ˜๋ฅผ ์ €์žฅํ•˜๊ธฐ ์œ„ํ•œ ๊ณต๊ฐ„์œผ๋กœ, ๋กœ๋”(Loader)์— ์˜ํ•ด ํ• ๋‹น๋œ๋‹ค. ๋‹ค์Œ์€ ๋กœ๋”์—์„œ TLS ์˜์—ญ์„ ํ• ๋‹นํ•˜๊ณ  ์ดˆ๊ธฐํ™”ํ•˜๋Š” ํ•จ์ˆ˜์ธ init_tls์˜ ์ฝ”๋“œ์ด๋‹ค. static void * init_tls (void) { /* Construct the static TLS block and the dtv for the initial thread. For some pla..
๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค!

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”