워게임/protostar 썸네일형 리스트형

heap3
많이 고생했지만 아직 풀지 못했습니다. 일단 지금까지의 풀이 과정만 적어 둡니다.
(gdb) disas main
Dump of assembler code for function main:
0x08048889 : push ebp
0x0804888a : mov ebp,esp
0x0804888c : and esp,0xfffffff0
0x0804888f : sub esp,0x20
0x08048892 : mov DWORD PTR [esp],0x20
0x08048899 : call 0x8048ff2            // 인자 0x20으로 호출하고 반환값을 esp+0x14에 저장 (힙 할당 함수로 보임)
0x0804889e : mov DWORD PTR [esp+0x14],eax
0x080488a2 : mov DWORD PTR [esp],0x20
0x080488a9 : call 0x8048ff2            // 같은 함수를 다시 0x20으로 호출, 반환값은 esp+0x18에 저장
0x080488ae : mov DWORD PTR [esp+0x18],ea.. 더보기

heap2
(gdb) disas main
Dump of assembler code for function main:
0x08048934 : push ebp
0x08048935 : mov ebp,esp
0x08048937 : and esp,0xfffffff0
0x0804893a : sub esp,0x90
0x08048940 : jmp 0x8048943
0x08048942 : nop
0x08048943 : mov ecx,DWORD PTR ds:0x804b5f8   // 절대 주소(전역 변수)에서 읽음
0x08048949 : mov edx,DWORD PTR ds:0x804b5f4   // 절대 주소(전역 변수)에서 읽음
0x0804894f : mov eax,0x804ad70
0x08048954 : mov DWORD PTR [esp+0x8],ecx
0x08048958 : mov DWORD PTR [esp+0x4],ed.. 더보기

heap1
(gdb) disas main
Dump of assembler code for function main:
0x080484b9 : push ebp
0x080484ba : mov ebp,esp
0x080484bc : and esp,0xfffffff0
0x080484bf : sub esp,0x20
0x080484c2 : mov DWORD PTR [esp],0x8
0x080484c9 : call 0x80483bc            // malloc(0x8)
0x080484ce : mov DWORD PTR [esp+0x14],eax
0x080484d2 : mov eax,DWORD PTR [esp+0x14]
0x080484d6 : mov DWORD PTR [eax],0x1
malloc(0x8)이 돌려준 주소를 esp+0x14에 저장하고, 그 주소(eax)가 가리키는 힙 청크의 첫 4byte에 0x1을 씁니다(esp+0.. 더보기

heap0
(gdb) disas main
Dump of assembler code for function main:
0x0804848c : push ebp
0x0804848d : mov ebp,esp
0x0804848f : and esp,0xfffffff0
0x08048492 : sub esp,0x20
0x08048495 : mov DWORD PTR [esp],0x40  // 인자가 0x40 = 64byte (10진수 40byte가 아님)
0x0804849c : call 0x8048388
0x080484a1 : mov DWORD PTR [esp+0x18],eax  // gdb에서 확인하면 0x804a008이 data가 할당된 위치이고, 이 주소가 esp+0x18에 저장됨
0x080484a5 : mov DWORD PTR [esp],0x4   // 바로 이어서 4byte짜리 두 번째 할당
0x080484ac : call 0x8048388            // 직전 64byte 청크 바로 뒤에 놓일 가능성이 높으므로, 첫 청크를 64byte 넘겨 쓰면 이 청크가 덮이는지 확인할 것
0x080484b1 .. 
더보기

stack6,7
(gdb) disas main
Dump of assembler code for function main:
0x080484fa : push ebp
0x080484fb : mov ebp,esp
0x080484fd : and esp,0xfffffff0
0x08048500 : call 0x8048484            // getpath() 호출 — main은 아무 것도 하지 않고 바로 getpath로 넘어감
0x08048505 : mov esp,ebp
0x08048507 : pop ebp
0x08048508 : ret
End of assembler dump.
(gdb) disas getpath
Dump of assembler code for function getpath:
0x08048484 : push ebp
0x08048485 : mov ebp,esp
0x08048487 : sub esp,0x68              // 0x68byte 할당 (여기엔 and esp,0xfffffff0 정렬이 없어 버퍼 오프셋 계산이 main보다 단순함)
0x0804848a .. 더보기

stack5
0x080483c4 : push ebp
0x080483c5 : mov ebp,esp
0x080483c7 : and esp,0xfffffff0
0x080483ca : sub esp,0x50
0x080483cd : lea eax,[esp+0x10]        // 버퍼 주소
0x080483d1 : mov DWORD PTR [esp],eax
0x080483d4 : call 0x80482e8            // 버퍼 주소를 인자로 입력 함수 호출
0x080483d9 : leave
0x080483da : ret
stack4와 비슷합니다. 버퍼(esp+0x10)부터 더미, SFP까지 총 76byte를 채우면 그 다음 4byte가 저장된 EIP(리턴 주소)이므로, 이 EIP를 조작하는 문제입니다. 이번에는 EIP를 쉘코드가 있는 주소로 점프시켜 root 쉘을 얻어야 할 것 같습니다. 쉘코드 앞부분(\xb0\x06 / \xcd\x80 = close 시스템콜 6번, 이어서 "/tty", "/dev"를 push해 스택에 "/dev/tty"를 만듦)은 /dev/tty를 다시 열어 입력이 끝난 뒤에도 쉘이 입력을 받을 수 있게 하는 루틴으로 보입니다. 쉘코드는 "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\.. 더보기

stack4
(gdb) disas main
Dump of assembler code for function main:
0x08048408 : push ebp
0x08048409 : mov ebp,esp
0x0804840b : and esp,0xfffffff0
0x0804840e : sub esp,0x50
0x08048411 : lea eax,[esp+0x10]        // 입력받은 값을 저장할 버퍼
0x08048415 : mov DWORD PTR [esp],eax
0x08048418 : call 0x804830c            // 버퍼 주소를 인자로 입력 함수 호출
0x0804841d : leave
0x0804841e : ret
End of assembler dump.
(gdb) disas win
Dump of assembler code for function win:
0x080483f4 : push ebp
0x080.. 더보기

stack3
구조를 보니 함수 포인터를 통해 점프하는 것 같습니다.
Dump of assembler code for function main:
0x08048438 : push ebp
0x08048439 : mov ebp,esp
0x0804843b : and esp,0xfffffff0
0x0804843e : sub esp,0x60              // 0x60 = 96byte 할당
0x08048441 : mov DWORD PTR [esp+0x5c],0x0  // esp+0x5c를 0으로 초기화 (위에서 말한 함수 포인터로 추정)
0x08048449 : lea eax,[esp+0x1c]        // eax = &buffer (esp+0x1c). esp+0x5c까지 정확히 0x40 = 64byte이므로 64byte를 넘겨 쓰면 esp+0x5c가 덮임
0x0804844d : mov DWORD PTR [esp],eax
0x08048450 : call 0x8048330            // 유저 인풋
0x08048455 : cmp DWORD PTR [esp+0x5c],0x0  // esp+0x5c가 여전히 0인지 검사 (0이 아니면 입력으로 덮어쓰인 것).. 더보기

stack2
GREENIE라는 환경변수를 설정하라고 합니다. 값을 아무거나 주고 설정해도 결과에는 변함이 없었습니다. 어셈을 봅시다.
Dump of assembler code for function main:
0x08048494 : push ebp
0x08048495 : mov ebp,esp
0x08048497 : and esp,0xfffffff0
0x0804849a : sub esp,0x60              // 0x60byte 할당
0x0804849d : mov DWORD PTR [esp],0x80485e0  // "GREENIE" 문자열의 주소를 esp에 (getenv 인자)
0x080484a4 : call 0x804837c            // getenv("GREENIE");
0x080484a9 : mov DWORD PTR [esp+0x5c],eax   // 환경변수가 있으면 eax에 그 값(문자열)의 포인터가, 없으면 NULL이 들어가고 esp+0x5c에 저장됨. 환경변수 값은 사용자가 길이 제한 없이 정할 수 있으므로, 이 뒤에서 고정 크기 버퍼로 복사하는지 봐야 합니다. getenv()는 대응하는.. 더보기

stack1
인자로 받은 값을 주소값처럼 활용하는 것 같습니다(확인 필요). 이런 식으로 생겼습니다.
0x08048464 : push ebp
0x08048465 : mov ebp,esp
0x08048467 : and esp,0xfffffff0
0x0804846a : sub esp,0x60              // 0x60byte 할당
0x0804846d : cmp DWORD PTR [ebp+0x8],0x1    // argc(첫 번째 파라미터)를 1과 비교
0x08048471 : jne 0x8048487             // argc != 1이면(인자를 줬으면) 0x8048487로 점프. 인자 없이 실행하면 argc == 1이라 아래 호출로 진행
0x08048473 : mov DWORD PTR [esp+0x4],0x80485a0
0x0804847b : mov DWORD PTR [esp],0x1
0x08048482 : call 0x8048388            // (0x1, 문자열 주소)로 호출 — 인자가 없을 때의 안내/에러 출력으로 추정
0x08048487 : mov DWORD PTR [esp+0x5c],0x0   // esp+0x5c를 0으로 초기화.. 더보기

이전 1 2 3 다음