
192.168.174.128
Level16 Password is "about to cause mass".

 

[level16@ftz level16]$ cat hint


#include <stdio.h>

/* shell(): the privileged action of this exercise.  Nothing in this file
 * calls it; it is only reachable if control flow is redirected here.
 * Sets the real and effective uid to 3097 (the 0xc19 pushed twice in the
 * disassembly below) and then spawns an interactive shell.
 * Only <stdio.h> is included, so setreuid() and system() are implicitly
 * declared here (an old-style build; a modern compiler would reject this). */
void shell() {
  setreuid(3097,3097);          /* hard-coded target uid, passed as both real and effective */
  system("/bin/sh");            /* inherits the uid set above */
}

/* printit(): the benign default target of the function pointer in main();
 * prints a fixed greeting and returns. */
void printit() {
  printf("Hello there!\n");
}

/* main(): reads one line from stdin, then calls through a local function
 * pointer.  The defect is the read: fgets() is told the destination holds
 * 48 bytes, but buf is only 20 bytes, so up to 28 bytes of the line are
 * written past the end of buf into whatever the compiler placed above it.
 * In the build disassembled below buf is at ebp-56 and call at ebp-16, so
 * call lies inside the region fgets() may write, and it is dereferenced
 * immediately after the read without any validation.  The fix is to bound
 * the read by the buffer itself: fgets(buf, sizeof buf, stdin).
 * Also note: main() has no return type (implicit int, old C) and falls off
 * the end without a return statement; crap is declared but never used. */
main()
{ int crap;
  void (*call)()=printit;       /* indirect call target; defaults to printit */
  char buf[20];
  fgets(buf,48,stdin);          /* size argument 48 > sizeof buf (20): overflow */
  call();                       /* whatever is in call now is executed */
}
(gdb) disas shell
Dump of assembler code for function shell:
0x080484d0 <shell+0>:   push   ebp
0x080484d1 <shell+1>:   mov    ebp,esp
0x080484d3 <shell+3>:   sub    esp,0x8
0x080484d6 <shell+6>:   sub    esp,0x8
0x080484d9 <shell+9>:   push   0xc19
0x080484de <shell+14>:  push   0xc19
0x080484e3 <shell+19>:  call   0x80483b4 <setreuid>
0x080484e8 <shell+24>:  add    esp,0x10
0x080484eb <shell+27>:  sub    esp,0xc
0x080484ee <shell+30>:  push   0x80485b8
0x080484f3 <shell+35>:  call   0x8048364 <system>
0x080484f8 <shell+40>:  add    esp,0x10
0x080484fb <shell+43>:  leave
0x080484fc <shell+44>:  ret
0x080484fd <shell+45>:  lea    esi,[esi]
End of assembler dump.
(gdb) disas printit
Dump of assembler code for function printit:
0x08048500 <printit+0>: push   ebp
0x08048501 <printit+1>: mov    ebp,esp
0x08048503 <printit+3>: sub    esp,0x8
0x08048506 <printit+6>: sub    esp,0xc
0x08048509 <printit+9>: push   0x80485c0
0x0804850e <printit+14>:        call   0x80483a4 <printf>
0x08048513 <printit+19>:        add    esp,0x10
0x08048516 <printit+22>:        leave
0x08048517 <printit+23>:        ret
End of assembler dump.
(gdb) disas main
Dump of assembler code for function main:
0x08048518 <main+0>:    push   ebp
0x08048519 <main+1>:    mov    ebp,esp
0x0804851b <main+3>:    sub    esp,0x38 # 56bytes
0x0804851e <main+6>:    mov    DWORD PTR [ebp-16],0x8048500 # printit 함수의 시작 지점을 가리킴. 여기에 shell 함수를 넣어야 함
0x08048525 <main+13>:   sub    esp,0x4 # 4bytes
0x08048528 <main+16>:   push   ds:0x80496e8 # 이는 buf의 주소로 보임 
0x0804852e <main+22>:   push   0x30 # 48
0x08048530 <main+24>:   lea    eax,[ebp-56] # buf의 주소를 로드 함
0x08048533 <main+27>:   push   eax
0x08048534 <main+28>:   call   0x8048384 <fgets>
0x08048539 <main+33>:   add    esp,0x10
0x0804853c <main+36>:   mov    eax,DWORD PTR [ebp-16]
0x0804853f <main+39>:   call   eax
0x08048541 <main+41>:   leave
0x08048542 <main+42>:   ret
0x08048543 <main+43>:   nop
0x08048544 <main+44>:   nop
0x08048545 <main+45>:   nop
0x08048546 <main+46>:   nop
0x08048547 <main+47>:   nop
0x08048548 <main+48>:   nop
0x08048549 <main+49>:   nop
0x0804854a <main+50>:   nop
0x0804854b <main+51>:   nop
0x0804854c <main+52>:   nop
0x0804854d <main+53>:   nop
0x0804854e <main+54>:   nop
0x0804854f <main+55>:   nop
End of assembler dump.