블로그? 썸네일형 리스트형

level 13 -> 14
[bugbear@localhost bugbear]$ cat giant.c
/* The Lord of the BOF : The Fellowship of the BOF - giant - RTL2*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main(int argc, char *argv[]){char buffer[40];FILE *fp;char *lib_addr, *execve_offset, *execve_addr;char *ret;
if(argc < 2){printf("argv error\n");exit(0);}
// gain address of execve
fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print.. 더보기

level 12 -> 13
[darkknight@localhost darkknight]$ cat bugbear.c
/* The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[]){char buffer[40];int i;
if(argc < 2){printf("argv error\n");exit(0);}
if(argv[1][47] == '\xbf'){printf("stack betrayed you!!\n");exit(0);}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);}
와 드디어 RTL 문제가 나왔군요.. 간단하게 시스템 함수와 환경변수를 이용해 .. 더보기

level 11 -> 12
[golem@localhost golem]$ cat darkknight.c
/* The Lord of the BOF : The Fellowship of the BOF - darkknight - FPO*/
#include <stdio.h>
#include <stdlib.h>
void problem_child(char *src){char buffer[40];strncpy(buffer, src, 41);printf("%s\n", buffer);}
main(int argc, char *argv[]){if(argc 더보기

level 10 -> 11
[skeleton@localhost skeleton]$ ls
golem golem.c
[skeleton@localhost skeleton]$ cat golem.c
/* The Lord of the BOF : The Fellowship of the BOF - golem - stack destroyer*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]){char buffer[40];int i;
if(argc < 2){printf("argv error\n");exit(0);}
if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);}
strcpy(buffer, .. 더보기

level 9 -> 10
[vampire@localhost vampire]$ cat skeleton.c
/* The Lord of the BOF : The Fellowship of the BOF - skeleton - argv hunter*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]){char buffer[40];int i, saved_argc;
if(argc < 2){printf("argv error\n");exit(0);}
// egghunter
for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf'){printf("stack is s.. 
더보기

level 8 -> 9
[troll@localhost test]$ cat ../vampire.c
/* The Lord of the BOF : The Fellowship of the BOF - vampire - check 0xbfff*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[]){char buffer[40];
if(argc < 2){printf("argv error\n");exit(0);}
if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);}
// here is changed!
if(argv[1][46] == '\xff') { printf("but it's not forever\n"); exit(0); } .. 더보기

level 7 -> 8
[orge@localhost orge]$ cat troll.c
/* The Lord of the BOF : The Fellowship of the BOF - troll - check argc + argv hunter*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]){char buffer[40];int i;
// here is changed
if(argc != 2){printf("argc must be two!\n");exit(0);}
// egghunter
for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf'){pri.. 더보기

level 6 -> 7
[darkelf@localhost darkelf]$ cat orge.c
/* The Lord of the BOF : The Fellowship of the BOF - orge - check argv[0]*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]){char buffer[40];int i;
if(argc < 2){printf("argv error\n");exit(0);}
// here is changed!
if(strlen(argv[0]) != 77){ printf("argv[0] error\n"); exit(0);}
// egghunter
for(i=0; environ[i]; i++)memset(environ[i], 0, .. 더보기

level 5 -> 6
[wolfman@localhost wolfman]$ cat darkelf.c
/* The Lord of the BOF : The Fellowship of the BOF - darkelf - egghunter + buffer hunter + check length of argv[1]*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]){char buffer[40];int i;
if(argc < 2){printf("argv error\n");exit(0);}
// egghunter
for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != .. 
더보기

level 4 -> 5
[orc@localhost orc]$ cat wolfman.c
/* The Lord of the BOF : The Fellowship of the BOF - wolfman - egghunter + buffer hunter */
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[]) { char buffer[40]; int i;
if(argc < 2){ printf("argv error\n"); exit(0); }
// egghunter
for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf') { printf("stack is .. 더보기

이전 1 ··· 3 4 5 6 7 8 다음