BOF: From Basics to Applications~! Feat. Lo.B
http://symnoisy.tistory.com/
INDEX
4 RTL? What The... (feat. Level 13)
5 Remote BOF? Remote control? (feat. Level 20)
2 BOF! Basic debugging Feat. gdb
CALLING CONVENTION
– CDECL
– STD CALL printf() SUB
– FAST CALL (omitted)
2 BOF! Basic debugging Feat. gdb
[gate@localhost kucis]$ cat basic.c
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[1024];
        strcpy(buffer, argv[1]);   /* copies argv[1] with no length check */
        puts(buffer);
    }
3 BOF! Am I really doing this right? Feat. Level 1
[gate@localhost gate]$ cat gremlin.c
    /*
        The Lord of the BOF : The Fellowship of the BOF
        - simple BOF
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[256];

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }
        strcpy(buffer, argv[1]);   /* copies argv[1] with no length check */
        printf("%s\n", buffer);
    }
3 BOF! Am I really doing this right? Feat. Level 1
    int main(int argc, char *argv[])
EX) ./test `perl -e 'print "ABCD"'` `perl -e 'print "EFGH"'`
argc: 3
argv: [0], [1], [2]
3 BOF! Am I really doing this right? Feat. Level 1
BUF 256 | SFP | RET
4 RTL? WHAT THE...
4 RTL? WHAT THE.... Feat. Level 13
• Canary
• DEP/NX
• ASCII Armor
• ASLR
4 RTL? WHAT THE.... Feat. Level 13
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[40];
        int i;

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        /* byte 47 of argv[1] must not be 0xbf */
        if(argv[1][47] == '\xbf')
        {
            printf("stack betrayed you!!\n");
            exit(0);
        }

        strcpy(buffer, argv[1]);   /* copies argv[1] with no length check */
        printf("%s\n", buffer);
    }
4 RTL? WHAT THE.... Feat. Level 13
        if(argv[1][47] == '\xbf')
        {
            printf("stack betrayed you!!\n");
            exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }
4 RTL? WHAT THE.... Feat. Level 13
Attack GO!
4 RTL? WHAT THE.... Feat. Level 13
buf | SFP | &system | &exit | &sh
5 Remote BOF? Remote control...??
5 Remote BOF? Remote control.... Feat. Level 20
    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <sys/wait.h>
    #include <dumpcode.h>

    int main()
    {
        char buffer[40];

        int server_fd, client_fd;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        socklen_t sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
            perror("socket");
            exit(1);
        }

        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(6666);   /* listens on TCP port 6666 */
5 Remote BOF? Remote control.... Feat. Level 20
        server_addr.sin_addr.s_addr = INADDR_ANY;
        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
            perror("bind");
            exit(1);
        }

        if(listen(server_fd, 10) == -1){
            perror("listen");
            exit(1);
        }

        while(1) {
            sin_size = sizeof(struct sockaddr_in);
            if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
                perror("accept");
                continue;
            }
5 Remote BOF? Remote control.... Feat. Level 20
            if (!fork()){
                /* child: handles one client */
                send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
                send(client_fd, "You : ", 6, 0);
                recv(client_fd, buffer, 256, 0);   /* up to 256 bytes into the 40-byte buffer */
                close(client_fd);
                break;
            }

            /* parent: drop the client socket and reap finished children */
            close(client_fd);
            while(waitpid(-1, NULL, WNOHANG) > 0);
        }
        close(server_fd);
    }
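Added example, not part of the original slides: bounded versions of the two unchecked copies shown in the levels above, strcpy(buffer, argv[1]) and recv(client_fd, buffer, 256, 0) into char buffer[40]. The function names copy_arg, recv_bounded and demo_oversized_recv are hypothetical, and the 256-byte input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* copy_arg (hypothetical name): in place of strcpy(buffer, argv[1]). */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;               /* does not fit: refuse instead of truncating */
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* recv_bounded (hypothetical name): length comes from the buffer, not a literal 256. */
ssize_t recv_bounded(int fd, char *buf, size_t bufsz)
{
    ssize_t n;
    if (bufsz == 0) return -1;
    n = recv(fd, buf, bufsz - 1, 0);   /* leave one byte for the NUL */
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed input: a local peer sends 256 bytes toward a 40-byte buffer. */
ssize_t demo_oversized_recv(void)
{
    int sv[2];
    char payload[256];
    struct { char buffer[40]; unsigned guard; } frame = { {0}, 0xC0FFEEu };
    ssize_t n = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    memset(payload, 'A', sizeof payload);
    if (send(sv[0], payload, sizeof payload, 0) == (ssize_t)sizeof payload)
        n = recv_bounded(sv[1], frame.buffer, sizeof frame.buffer);
    close(sv[0]); close(sv[1]);
    return frame.guard == 0xC0FFEEu ? n : -1;   /* guard after the buffer is untouched */
}

int main(void)
{
    char buffer[40];
    printf("copy_arg(short) = %d\n", copy_arg(buffer, sizeof buffer, "hello"));
    printf("bytes kept from 256 sent: %zd\n", demo_oversized_recv());
    return 0;
}
```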
5 Remote BOF? Remote control.... Feat. Level 20
Attack GO!
THANK YOU! Q&A
symnoisy.tistory.com