Search results for 'smashthestack'


level1

2010. 1. 18. 15:11

level1@io:~$ cd /levels
level1@io:/levels$ ls
level1     level11.c     level13    level15.c     level16.pass  level18.c  level20  level3.c  level5.c  level7.c  level9.c
level10    level12       level14    level15.pass  level17       level19    level21  level4    level6    level8
level10.c  level12.c     level14.c  level16       level17.c     level19.c  level22  level4.c  level6.c  level8.c
level11    level12.pass  level15    level16.c     level18       level2     level3   level5    level7    level9


As shown above, the binaries for each level are in the /levels directory.
I tried running level1.

level1@io:/levels$ ./level1
Usage: ./level1 <password>

level1@io:/levels$ gdb ./level1
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>:    lea    0x4(%esp),%ecx
0x080483f8 <main+4>:    and    $0xfffffff0,%esp
0x080483fb <main+7>:    pushl  0xfffffffc(%ecx)
0x080483fe <main+10>:   push   %ebp
0x080483ff <main+11>:   mov    %esp,%ebp
0x08048401 <main+13>:   push   %edi
0x08048402 <main+14>:   push   %ecx
0x08048403 <main+15>:   sub    $0x30,%esp
0x08048406 <main+18>:   mov    %ecx,0xffffffe0(%ebp)
0x08048409 <main+21>:   movl   $0x80485c8,0xfffffff4(%ebp)
0x08048410 <main+28>:   mov    0xffffffe0(%ebp),%eax
0x08048413 <main+31>:   cmpl   $0x2,(%eax)                      this part is if(argc<2) { printf("Usage: %s <password>\n"); }
0x08048416 <main+34>:   je     0x8048439 <main+69>             if argc is 2, jump to <main+69>
0x08048418 <main+36>:   mov    0xffffffe0(%ebp),%edx
0x0804841b <main+39>:   mov    0x4(%edx),%eax
0x0804841e <main+42>:   mov    (%eax),%eax
0x08048420 <main+44>:   mov    %eax,0x4(%esp)
0x08048424 <main+48>:   movl   $0x80485d4,(%esp)
0x0804842b <main+55>:   call   0x804832c <printf@plt>
0x08048430 <main+60>:   movl   $0x1,0xffffffe4(%ebp)
0x08048437 <main+67>:   jmp    0x80484b2 <main+190>
0x08048439 <main+69>:   mov    0xfffffff4(%ebp),%eax
0x0804843c <main+72>:   mov    $0xffffffff,%ecx
0x08048441 <main+77>:   mov    %eax,0xffffffdc(%ebp)
0x08048444 <main+80>:   mov    $0x0,%al
0x08048446 <main+82>:   cld   
0x08048447 <main+83>:   mov    0xffffffdc(%ebp),%edi
0x0804844a <main+86>:   repnz scas %es:(%edi),%al
0x0804844c <main+88>:   mov    %ecx,%eax
0x0804844e <main+90>:   not    %eax
0x08048450 <main+92>:   lea    0xffffffff(%eax),%edx
0x08048453 <main+95>:   mov    0xffffffe0(%ebp),%ecx
0x08048456 <main+98>:   mov    0x4(%ecx),%eax
0x08048459 <main+101>:  add    $0x4,%eax
0x0804845c <main+104>:  mov    (%eax),%ecx
0x0804845e <main+106>:  mov    %edx,0x8(%esp)
0x08048462 <main+110>:  mov    0xfffffff4(%ebp),%eax
0x08048465 <main+113>:  mov    %eax,0x4(%esp)
0x08048469 <main+117>:  mov    %ecx,(%esp)
0x0804846c <main+120>:  call   0x804830c <strncmp@plt>      the strncmp arguments are in ecx, eax and edx (stored at (%esp), 0x4(%esp), 0x8(%esp))
0x08048471 <main+125>:  test   %eax,%eax
0x08048473 <main+127>:  jne    0x804849f <main+171>
0x08048475 <main+129>:  movl   $0x80485ea,(%esp)
0x0804847c <main+136>:  call   0x80482fc <puts@plt>
0x08048481 <main+141>:  movl   $0x0,0x8(%esp)
0x08048489 <main+149>:  movl   $0x80485ef,0x4(%esp)
0x08048491 <main+157>:  movl   $0x80485f2,(%esp)
0x08048498 <main+164>:  call   0x80482ec <execl@plt>
0x0804849d <main+169>:  jmp    0x80484ab <main+183>
0x0804849f <main+171>:  movl   $0x80485fa,(%esp)
0x080484a6 <main+178>:  call   0x80482fc <puts@plt>
0x080484ab <main+183>:  movl   $0x0,0xffffffe4(%ebp)
0x080484b2 <main+190>:  mov    0xffffffe4(%ebp),%eax
0x080484b5 <main+193>:  add    $0x30,%esp
0x080484b8 <main+196>:  pop    %ecx
0x080484b9 <main+197>:  pop    %edi
0x080484ba <main+198>:  pop    %ebp
0x080484bb <main+199>:  lea    0xfffffffc(%ecx),%esp
0x080484be <main+202>:  ret   
0x080484bf <main+203>:  nop   
End of assembler dump.

Set a breakpoint just before strncmp is called, then run the program with an argument.

(gdb) break *main+117
Breakpoint 1 at 0x8048469
(gdb) r AAAAA
Starting program: /levels/level1 AAAAA

Breakpoint 1, 0x08048469 in main ()


(gdb) info reg
eax            0x80485c8        134514120
ecx            0xbfffde8a       -1073750390
edx            0xb      11
ebx            0xec9ff4 15507444
esp            0xbfffdcd0       0xbfffdcd0
ebp            0xbfffdd08       0xbfffdd08
esi            0x0      0
edi            0x80485d4        134514132
eip            0x8048469        0x8048469 <main+117>
eflags         0x200282 [ SF IF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

From the register values above I inferred the function call and dumped the strings at those addresses.

strncmp(0xbfffde8a, 0x80485c8, 11);

(gdb) x/s 0xbfffde8a
0xbfffde8a:      "AAAAA"
(gdb) x/s 0x80485c8
0x80485c8 <_IO_stdin_used+4>:    "omgpassword"
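As an added example (not the challenge's own source; function names are mine), the check inferred above rewritten in C so the two pieces of the disassembly can be run and verified: the `repnz scas` strlen idiom at <main+72>..<main+92>, and the `strncmp(argv[1], secret, strlen(secret))` call at <main+120>. It also shows a property the inference alone does not make obvious: because the length passed to strncmp comes from the secret, not from the input, any argument that merely starts with the secret is accepted, which is why a length-checked comparison is the safer way to compare a fixed string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added reconstruction of the level1 check as read from the disassembly above;
   this is not the challenge's source, and the function names are my own. */
static const char *const SECRET = "omgpassword";   /* the string at 0x80485c8 */

/* The strlen idiom at <main+72>..<main+92>: ecx = -1, al = 0, repnz scasb,
   then length = (~ecx) - 1. Modelled step by step so the arithmetic is visible. */
size_t scas_strlen(const char *s)
{
    unsigned int ecx = 0xffffffffu;   /* mov $0xffffffff,%ecx */
    const char *edi = s;              /* mov 0xffffffdc(%ebp),%edi */
    for (;;) {                        /* repnz scas %es:(%edi),%al */
        unsigned char byte = (unsigned char)*edi++;
        ecx--;                        /* scas decrements ecx on every iteration */
        if (byte == 0)                /* stops when al (0) matches the scanned byte */
            break;
    }
    return (size_t)(~ecx) - 1;        /* not %eax ; lea 0xffffffff(%eax),%edx */
}

/* The comparison at <main+120>: strncmp(argv[1], SECRET, strlen(SECRET)).
   Returns 1 when the binary would print "Win." */
int level1_check(const char *input)
{
    return strncmp(input, SECRET, scas_strlen(SECRET)) == 0;
}

/* Because the length comes from the secret, any input that merely starts with
   the secret also passes level1_check. A length-checked comparison closes that gap. */
int strict_check(const char *input)
{
    size_t n = strlen(SECRET);
    return strlen(input) == n && memcmp(input, SECRET, n) == 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    printf("scas_strlen(secret) = %zu\n", scas_strlen(SECRET));
    printf("level1_check: %s\n", level1_check(argv[1]) ? "Win." : "Fail.");
    printf("strict_check: %s\n", strict_check(argv[1]) ? "Win." : "Fail.");
    return 0;
}
```

Run it with `omgpassword` and both checks report "Win."; run it with `omgpasswordXYZ` and only `level1_check` does, which is exactly the strncmp length argument (11) at work.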


After entering the password, go to the home directory and check the contents of the .pass file :$

level1@io:/levels$ ./level1 omgpassword
Win.
sh-3.1$ id
uid=1001(level1) gid=1001(level1) euid=1002(level2) groups=1001(level1)

sh-3.1$ cd /home/level2
sh-3.1$ cat .pass
ef4artie    >  ep4kbyqe----> WE5aVWRwYPhX

I was jotting this down thinking I'd solve it again, but the passwords have all been changed.


badcob War game/io.smashthestack.org

hey JJAAPPPHH ~

2009. 8. 17. 18:14

Oops, sorry for being late.

0x080483b4 <main+0>:    push   %ebp
0x080483b5 <main+1>:    mov    %esp,%ebp
0x080483b7 <main+3>:    sub    $0xa8,%esp                        extended 168
0x080483bd <main+9>:    and    $0xfffffff0,%esp
0x080483c0 <main+12>:   mov    $0x0,%eax                   
0x080483c5 <main+17>:   sub    %eax,%esp
0x080483c7 <main+19>:   cmpl   $0x1,0x8(%ebp)                   argc is at ebp+8
0x080483cb <main+23>:   jg     0x80483d9 <main+37>              if(argc < 1)
0x080483cd <main+25>:   movl   $0x1,0xffffff74(%ebp)                return 1;
0x080483d7 <main+35>:   jmp    0x8048413 <main+95>
0x080483d9 <main+37>:   mov    0xc(%ebp),%eax            argv is at ebp+12
0x080483dc <main+40>:   add    $0x4,%eax                          address of argv + 4  means argv[1]
0x080483df <main+43>:   mov    (%eax),%eax                       eax = *argv[1]
0x080483e1 <main+45>:   mov    %eax,0x4(%esp)             
0x080483e5 <main+49>:   lea    0xffffff78(%ebp),%eax             eax = ebp-136 
0x080483eb <main+55>:   mov    %eax,(%esp)                
0x080483ee <main+58>:   call   0x80482d4 <strcpy@plt>           so call strcpy(ebp-136, argv[1])
0x080483f3 <main+63>:   lea    0xffffff78(%ebp),%eax       
0x080483f9 <main+69>:   mov    %eax,0x4(%esp)
0x080483fd <main+73>:   movl   $0x8048524,(%esp)
0x08048404 <main+80>:   call   0x80482b4 <printf@plt>           printf("%s", ebp-136)
0x08048409 <main+85>:   movl   $0x0,0xffffff74(%ebp)       
0x08048413 <main+95>:   mov    0xffffff74(%ebp),%eax         return 0;
0x08048419 <main+101>:  leave
0x0804841a <main+102>:  ret

Have you checked the stack in gdb? I can't see [?3] in the disassembled code.
The stack looks like this IMAO.

   ----------
   argv            ebp + 0C
   ----------
   argc            ebp + 8
   ----------
   return address  ebp + 4
   ----------
   ebp
   ----------
   dummy           8 bytes
   ----------
   buf             128 bytes
   ----------
 
The stack was extended by 168 bytes, but it only uses 140 bytes.
(Dunno why it was extended by 168 bytes. I think it depends on the compiler version, or something else. :$)
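As an added example (not the challenge's source; the frame sizes are taken from the stack sketch above and the function names are mine), the same frame encoded in C so the 140-byte figure can be checked: `buf` starts at ebp-136, then 8 bytes of padding, the saved ebp, and the return address at ebp+4. `slot_reached` is the crash-triage view of what an over-long `argv[1]` overwrites, and `bounded_copy` is the replacement for the unbounded `strcpy` in the listing, which truncates and reports instead of running past the 128-byte buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example; frame sizes follow the stack sketch above (buf at ebp-136,
   8 bytes of padding, saved ebp, return address at ebp+4). Not the challenge's source. */
enum { BUF_SIZE = 128, PAD_SIZE = 8, EBP_SIZE = 4 };

/* strcpy writes strlen(arg)+1 bytes starting at buf. Return how many of those
   land beyond buf's 128 bytes; 0 means the copy fits. */
size_t overflow_bytes(size_t arg_len)
{
    size_t written = arg_len + 1;   /* the terminating NUL is written too */
    return written > BUF_SIZE ? written - BUF_SIZE : 0;
}

/* Crash-triage view: the highest frame slot that an argument of this length reaches.
   buf(128) + padding(8) = 136 bytes to the saved ebp, 140 bytes to the return address. */
const char *slot_reached(size_t arg_len)
{
    size_t end = arg_len + 1;
    if (end <= BUF_SIZE) return "buf";
    if (end <= BUF_SIZE + PAD_SIZE) return "padding";
    if (end <= BUF_SIZE + PAD_SIZE + EBP_SIZE) return "saved ebp";
    return "return address";
}

/* Bounded replacement for the strcpy in the listing: never writes past dst,
   always NUL-terminates, and reports truncation instead of corrupting the frame.
   Returns 1 when src was copied completely. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    int n = snprintf(dst, dst_size, "%s", src);
    return n >= 0 && (size_t)n < dst_size;
}

/* Length of what bounded_copy leaves in an 8-byte buffer (used for checking). */
size_t bounded_copy_len8(const char *src)
{
    char small[8];
    bounded_copy(small, sizeof small, src);
    return strlen(small);
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];
    size_t len;
    if (argc < 2)
        return 1;
    len = strlen(argv[1]);
    printf("argv[1] is %zu bytes: %zu bytes past buf, reaches %s\n",
           len, overflow_bytes(len), slot_reached(len));
    if (bounded_copy(buf, sizeof buf, argv[1]))
        printf("%s\n", buf);
    else
        printf("truncated: %s\n", buf);
    return 0;
}
```

With the sizes from the sketch, an argument of 135 characters still stays inside buf plus padding, 136 characters touches the saved ebp, and 140 characters reaches the return address, which is the 140 bytes the post counts.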


badcob Sabzil