http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1942 [º¹»ç]
[wolfman@localhost wolfman]$ ls
darkelf darkelf.c
[wolfman@localhost wolfman]$ cat darkelf.c
/*
The Lord of the BOF : The Fellowship of the BOF
- darkelf
- egghunter + buffer hunter + check length of argv[1]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
main(int argc, char *argv[])
{
char buffer[40];
int i;
if(argc < 2){
printf("argv error\n");
exit(0);
}
// egghunter
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer hunter
memset(buffer, 0, 40);
}
[wolfman@localhost wolfman]$
argv[1]ÀÌ 48ÀÌ ³Ñ¾î°¡¹ö¸®¸é ÇÁ·Î±×·¥ÀÌ Á¾·á°¡ µÇ´Â ÇÁ·Î±×·¥À̳׿ä.
Á¦°¡ ¹®¶à »ý°¢³µ´Âµ¥ argv[2]ÀÇ ÀÎÀÚ·Î ½©Äڵ带 ¿Ã¸®°í
argv[1][44]~argv[1][47]·Î argv[2]ÀÇ ÁÖ¼Ò¸¦ ³ÖÀ¸¸é µÇÁö ¾ÊÀ»±î?¶ó´Â ¾ÆÀ̵ð¾î°¡ ¶°¿Ã¶ú½À´Ï´Ù.
±×·±µ¥ °ø±³·Ó°Ôµµ... argv[2]ÀÇ ÁÖ¼Ò¸¦ ¾Ë ¼ö ÀÖ´Â ¹æ¹ýÀ» ¸ð¸¨´Ï´Ù.
gdb·Î µð¹ö±ëÇÏ¸é ¾Ë ¼öµµ Àְڴµ¥...
¾î¶»°Ô ÇÏ¸é ¾Ë ¼ö ÀÖ³ª¿ä? |
Hit : 2337 Date : 2018/09/23 04:19
|