http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8583 [º¹»ç]
PS C:\Users\mark> ssh cmd1@pwnable.kr -p2222
cmd1@pwnable.kr's password:
____ __ __ ____ ____ ____ _ ___ __ _ ____
| \| |__| || \ / || \ | | / _] | |/ ]| \
| o ) | | || _ || o || o )| | / [_ | ' / | D )
| _/| | | || | || || || |___ | _] | \ | /
| | | ` ' || | || _ || O || || [_ __ | \| \
| | \ / | | || | || || || || || . || . \
|__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
- Site admin : daehee87@khu.ac.kr
- irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
You have mail.
Last login: Tue Oct 22 20:36:27 2024 from
cmd1@pwnable:~$ ls -al
total 40
drwxr-x--- 5 root cmd1 4096 Mar 23 2018 .
drwxr-xr-x 116 root root 4096 Oct 30 2023 ..
d--------- 2 root root 4096 Jul 12 2015 .bash_history
-r-xr-sr-x 1 root cmd1_pwn 8513 Jul 14 2015 cmd1
-rw-r--r-- 1 root root 320 Mar 23 2018 cmd1.c
-r--r----- 1 root cmd1_pwn 48 Jul 14 2015 flag
dr-xr-xr-x 2 root root 4096 Jul 22 2015 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
cmd1@pwnable:~$
cmd1@pwnable:~$ cat cmd1.c
#include <stdio.h>
#include <string.h>
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
int main(int argc, char* argv[], char** envp){
putenv("PATH=/thankyouverymuch");
if(filter(argv[1])) return 0;
system( argv[1] );
return 0;
}
cmd1@pwnable:~$
Äڵ带 Çؼ®ÇÏÀÚ¸é putenv·Î ȯ°æº¯¼ö¸¦ µî·ÏÇÏ°í
filterÇÔ¼ö°¡ ÂüÀ» ¸®ÅÏÇϸé ÇÁ·Î±×·¥À» Á¾·áÇÑ´Ù.
»ý°¢À» °õ°õÈ÷ Çغ¸´Ï ȯ°æº¯¼ö·Î ±ÇÇÑ »ó½ÂÀ» ÇÏ´Â °æ¿ì¿Í
ÇÊÅÍ ÇÔ¼ö°¡ °ÅÁþÀ» ¸®ÅÏÇßÀ» ¶§, systemÇÔ¼ö·Î argv[1]°ªÀ»
½ÇÇàÇÏ´Â °ÍÀÌ ÀÖ´Â °Í °°Àºµ¥...
ÀÏ´ÜÀº ½¬¿î ¹æ¹ýÀÌ ÇÊÅÍ ÇÔ¼ö°¡ °ÅÁþ(0ÀÇ °ªÀ» ¸®ÅÏÇÑ´Ù¸é)À» ¸®ÅÏÇϸé¼
/bin/sh, /bin/bash¿Í °°Àº ½©À» ½ÇÇà½ÃÅ°¸é ±ÇÇÑ »ó½Â°ú ÇÔ²²
°ø°ÝÀÌ °¡´ÉÇÏ´Ù´Â °á·ÐÀ» µµÃâÇÏ°Ô µÇ¾ú´Ù.
filter ÇÔ¼ö¸¦ ÀÚ¼¼È÷ ºÃ´Ù.
int filter(char* cmd){
int r=0;
r += strstr(cmd, "flag")!=0;
r += strstr(cmd, "sh")!=0;
r += strstr(cmd, "tmp")!=0;
return r;
}
filterÇÔ¼ö°¡ returnÇßÀ» ¶§ ±× °ªÀÌ 0ÀÌ ¾Æ´Ñ °ªÀ» ¸®ÅÏÇÑ´Ù¸é
system(argv[1])¸¦ ½ÇÇàÇÒ °ÍÀÌ ¾Æ´Ñ°¡?
filterÇÔ¼ö¸¦ Çؼ®Çغ¸´Ï 'flag'¹®ÀÚ¿Í 'sh'¹®ÀÚ¿Í 'tmp'¹®ÀÚ°¡ ÀÖ´Ù¸é
0À» ¸®ÅÏÇÏ¿© mainÇÔ¼ö¿¡¼ systemÇÔ¼ö¸¦ ½ÇÇà½Ãų ¼ö ¾ø°Ô µÈ´Ù´Â
°á·ÐÀ» µµÃâÇÒ ¼ö ÀÖ´Ù.
¿©±â¼ ÇÑ °¡Áö, LinuxÀÇ bin µð·ºÅ͸®¿¡ ´ëÇØ ¾Ë°í ³Ñ¾î°¡º¸ÀÚ ÇÑ´Ù.
bin µð·ºÅ͸®¶õ?
¸®´ª½ºÀÇ /bin µð·ºÅ͸®´Â ½Ã½ºÅÛÀÇ ±âº» ¸í·É¾îµéÀÌ À§Ä¡ÇÑ µð·ºÅ͸®´Ù.
ÀÌ µð·ºÅ͸®¿¡´Â ÀÏ¹Ý »ç¿ëÀÚ¿Í ½Ã½ºÅÛ °ü¸®ÀÚ ¸ðµÎ°¡ »ç¿ëÇÒ ¼ö ÀÖ´Â
ÇÙ½ÉÀûÀÎ ¸í·É¾îµéÀÌ Æ÷ÇԵǾî ÀÖ´Ù.
/binÀÇ ÁÖ¿ä Ư¡Àº ´ÙÀ½°ú °°´Ù:
1. ±âº» ¸í·É¾î À§Ä¡
/bin¿¡´Â ÆÄÀÏ ½Ã½ºÅÛÀÇ ±âº» °ü¸®, ³×Æ®¿öÅ© ¼³Á¤, ÆÄÀÏ Á¶ÀÛ µîÀÇ ÀÛ¾÷À»
¼öÇàÇÏ´Â µ¥ ÇÊ¿äÇÑ ¸í·É¾îµéÀÌ Æ÷ÇԵǾî ÀÖ´Ù.
¿¹¸¦ µé¾î, ls, cp, mv, rm, cat, echo µîÀÌ ¿©±â¿¡ ¼ÓÇÑ´Ù.
¶ÇÇÑ ºñ½ÁÇÑ µð·ºÅ͸®·Î /usr/binÀÌ Àִµ¥,
/usr/bin¿¡´Â ºÎÆà ÀÌÈÄ ÀϹÝÀûÀÎ ÀÛ¾÷¿¡ »ç¿ëµÇ´Â ¸í·É¾îµéÀÌ Æ÷ÇԵȴÙ.
/bin°ú´Â ´Þ¸® /usr/binÀº Çʼö ½Ã½ºÅÛ ¸í·É¾î ¿Ü¿¡
Ãß°¡ÀûÀÎ ÀÀ¿ë ÇÁ·Î±×·¥À» Á¦°øÇÑ´Ù.
¸®´ª½º ¸í·É¾îÁß¿¡ ÆÄÀÏ ³»¿ëÀ» Àд ¸í·É¾îÀÎ catÀ̶ó´Â ¸í·É¾î°¡ ÀÖ´Ù.
±×¸®°í flag¶ó´Â °ªÀ» Àоî¾ß µÇ´Âµ¥ *(¾Ö½ºÅ͸®½ºÅ©¶ó°í ºÎ¸§)¸¦ ÀÔ·ÂÇϸé...
'ab*'¶ó°í ÀÔ·ÂÇϸé flµÚ¿¡ ¾î¶² ¹®ÀÚ°¡ ¿Àµç ab¸¸ ¿Â´Ù¸é ¸ðµç ¹®ÀÚ¸¦ Æ÷ÇÔÇÏ°í
'*cd'¶ó°í ÀÔ·ÂÇϸé 'cd'¹®ÀÚ ¾Õ¿¡ ¾î¶² ¹®ÀÚ°¡ ¿Àµç ¸ðµç ¹®ÀÚ¸¦ Æ÷ÇÔÇÑ´Ù.
»ç½Ç ³»°¡ ¾²°íµµ ³»°¡ ¹«½¼ ¸» ÇÏ´ÂÁö ¸ð¸£°Ú´Âµ¥
ÇÊÀÚÀÇ ºÎÁ·ÇÑ ÇÊ·ÂÀ» ÀÌÇØÇÏ±æ ¹Ù¶õ´Ù...
cmd1@pwnable:~$ ./cmd1 "/bin/cat fl*"
ÀÌ·¸°Ô ÀÔ·ÂÇϸé cmd1ÀÇ flag°ªÀÌ Ãâ·ÂµÈ´Ù. |
Hit : 265 Date : 2024/10/23 10:04
|