-
[LOB] Level7: darkelf → orge (renew)
orge /* The Lord of the BOF : The Fellowship of the BOF - orge - check argv[0] */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // here is changed! if(strlen(argv[0]) != 77){ printf("argv[0] error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(a..
-
[LOB] Level6: wolfman → darkelf (renew)
darkelf keyword : /* The Lord of the BOF : The Fellowship of the BOF - darkelf - egghunter + buffer hunter + check length of argv[1] */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf(..
-
[LOB] Level5: orc → wolfman (renew)
wolfman keyword : egghunter+bufferhunter /* The Lord of the BOF : The Fellowship of the BOF - wolfman - egghunter + buffer hunter */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("st..
-
[LOB] Level4: goblin → orc (renew)
orc keyword : BoF+egghunter /* The Lord of the BOF : The Fellowship of the BOF - orc - egghunter */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("stack is still your friend.\n"); ex..
-
[LOB] Level3: cobolt → goblin (renew)
goblin keyword : BoF+env+argv /* The Lord of the BOF : The Fellowship of the BOF - goblin - small buffer + stdin */ int main() { char buffer[16]; gets(buffer); printf("%s\n", buffer); } 0x01. Static Analysis 앞서 문제 cobolt와 다른점은 cobolt에서는 main함수의 argv로 입력값을 받았다면, 지금 문제는 gets를 이용하여 문제를 받는다. 따라서 값을 넘겨주는 방식의 차이만 있을 뿐 앞 문제와 풀이 과정은 동일하다. 0x02. Dynamic Analysis & Exploit cobolt 문제와 동일하게 환경변수에 쉘코드를 넣고 문제..