System Hacking

   ka0r1
   I want to know the address of argv[2].

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1942


[wolfman@localhost wolfman]$ ls
darkelf  darkelf.c
[wolfman@localhost wolfman]$ cat darkelf.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}
[wolfman@localhost wolfman]$

So this is a program that exits if argv[1] is longer than 48.
It suddenly occurred to me: what if I put the shellcode in argv[2]
and then put the address of argv[2] into argv[1][44]~argv[1][47]? That idea came to mind.
But unfortunately... I don't know how to find out the address of argv[2].
I might be able to find it by debugging with gdb...
How can I find it out?

  Hit : 2337     Date : 2018/09/23 04:19
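An added example, not part of the original thread or the LOB source: darkelf.c copies argv[1] into a 40-byte buffer but only rejects arguments longer than 48 bytes, so the length check leaves a gap of 41..48 bytes that still overflows. The code below mirrors that check beside a bounded copy that derives its limit from the destination size; `darkelf_check_accepts`, `bounded_copy` and `check_gap_at_length` are hypothetical helper names.

```c
/*
 * Added example (not from the original post or from LOB): compares
 * darkelf's loose length check with a bounded copy. The constants 40 and
 * 48 come from darkelf.c as quoted in the thread.
 */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* char buffer[40] in darkelf.c */

/* Mirrors darkelf's check "strlen(argv[1]) > 48 -> exit". Returns 1 if the
 * argument would be accepted, without doing the unsafe strcpy itself. */
int darkelf_check_accepts(const char *arg)
{
    return strlen(arg) <= 48;   /* 48 > BUF_SIZE - 1: the bound is too loose */
}

/* Hardened variant: copies only if the argument plus its NUL fits in dst.
 * Returns 1 on success, 0 if the argument was rejected. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstsz)           /* would not fit including the terminator */
        return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

/* Returns 1 when a constructed 'A'*len argument passes darkelf's check but
 * is rejected by bounded_copy(), i.e. a length the original check lets
 * through even though it overflows BUF_SIZE. */
int check_gap_at_length(size_t len)
{
    char arg[64];               /* constructed input, all 'A' */
    char buffer[BUF_SIZE];
    if (len >= sizeof arg)
        return 0;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int loose_accepts = darkelf_check_accepts(arg);
    int safe_accepts = bounded_copy(buffer, sizeof buffer, arg);
    return loose_accepts && !safe_accepts;
}

int main(void)
{
    /* Lengths 40..48 pass darkelf's check yet overflow the 40-byte buffer. */
    for (size_t len = 38; len <= 49; len++)
        printf("len=%zu  overflow slips through darkelf check: %d\n",
               len, check_gap_at_length(len));
    return 0;
}
```

In darkelf the extra `argv[1][47] != '\xbf'` test forces the argument to be at least 48 bytes, so the only length the program accepts is exactly 48, which is already 8 bytes past the buffer.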



    
ka0r1  I found the answer myself.
(gdb) r `python -c 'print "A"*47+"\xbf"'` `python -c 'print "B"*1000'`
Then something like x/1000x $esp does show the address of argv[2].
Cleared!
2018/09/23  
군인  You can also just set a breakpoint right where start/main begins and look there.... 2018/10/20  
