
Wargame

[Level 10] vampire -> skeleton /* The Lord of the BOF : The Fellowship of the BOF - skeleton - argv hunter*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i, saved_argc; if(argc < 2){printf("argv error\n");exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);} // check the..
[Level 9] troll -> vampire /* The Lord of the BOF : The Fellowship of the BOF - vampire - check 0xbfff*/ #include #include main(int argc, char *argv[]){char buffer[40]; if(argc < 2){printf("argv error\n");exit(0);} if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);} // here is changed! if(argv[1][46] == '\xff') { printf("but it's not forever\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", b..
[Level 8] orge -> troll /* The Lord of the BOF : The Fellowship of the BOF - troll - check argc + argv hunter*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i; // here is changedif(argc != 2){printf("argc must be two!\n");exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n"..
[Level 7] darkelf -> orge /* The Lord of the BOF : The Fellowship of the BOF - orge - check argv[0]*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i; if(argc < 2){printf("argv error\n");exit(0);} // here is changed!if(strlen(argv[0]) != 77){ printf("argv[0] error\n"); exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '..
[Level 6] wolfman -> darkelf /* The Lord of the BOF : The Fellowship of the BOF - darkelf - egghunter + buffer hunter + check length of argv[1]*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i; if(argc < 2){printf("argv error\n");exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf'){printf("stack is still your friend...
[Level 5] orc -> wolfman /* The Lord of the BOF : The Fellowship of the BOF - wolfman - egghunter + buffer hunter*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i; if(argc < 2){printf("argv error\n");exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);}strcpy(buffe..
[Level 4] goblin -> orc /* The Lord of the BOF : The Fellowship of the BOF - orc - egghunter*/ #include #include extern char **environ; main(int argc, char *argv[]){char buffer[40];int i; if(argc < 2){printf("argv error\n");exit(0);} // egghunter for(i=0; environ[i]; i++)memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf'){printf("stack is still your friend.\n");exit(0);} strcpy(buffer, argv[1]); printf..
[Level 3] cobolt -> goblin /* The Lord of the BOF : The Fellowship of the BOF - goblin - small buffer + stdin*/ int main(){ char buffer[16]; gets(buffer); printf("%s\n", buffer);} 이전과 다르게 프로그램을 시작할 때 인자를 받지 않고 프로그램 내에서 gets 함수를 이용해 값을 받아온다. gets 함수는 입력 길이를 검사하지 않으므로 16바이트인 buffer보다 긴 입력은 sfp와 ret까지 덮어쓴다. | buf | sfp | ret | arguments | environment ~ | 접근은 이전과 비슷하게 ret를 arguments 부분으로 설정하고 nop sled를 이용하는 방법을 생각했다. 문제는 gets 함수를 사용하기 때문에 이전처럼 페이로드를 인자로 삽입할 수 없다는 것이다. 그래서 프로그램이 실행된 후 ..