junsoo STUDY

darkknight

/* The Lord of the BOF : The Fellowship of the BOF - bugbear - RTL1 */ #include #include main(int argc, char *argv[]) { char buffer[40]; int i; if(argc == 으로 바뀌었다. 즉, return 되는 주소가 스택에 있으면 안된다는 뜻이다. 맨 위 주석..

golem

/* The Lord of the BOF : The Fellowship of the BOF - darkknight - FPO */ #include #include void problem_child(char *src) { char buffer[40]; strncpy(b , src, 41); printf("%s\n", buffer); } main(int argc, char *argv[]) { if(argc problem_child 함수 leave 명령어 수행 후 ebp가 가리켜야하는 주소 노란색 -> main 함수 leave 명령어 수행 후 esp가 가리켜야하는 주소, 값으로는 파란색 주소가 들어가야한다. 파란색 -> main 함수 ret 명령 수행 후 eip가 가리켜야하는 주소, 값으로는 shellcode..

skeleton

/* The Lord of the BOF : The Fellowship of the BOF - golem - stack destroyer */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] != '\xbf') { printf("stack is still your friend.\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); // stack destroyer! memset(buffer, 0, 44); m..

vampire

/* The Lord of the BOF : The Fellowship of the BOF - skeleton - argv hunter */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i, saved_argc; if(argc < 2){ printf("argv error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("stack is still your friend.\n"); exit(0); } ..

troll

/* The Lord of the BOF : The Fellowship of the BOF - vampire - check 0xbf ff */ #include #include main(int argc, char *argv[]) { char buffer[40]; if(argc < 2){ printf("argv error\n"); exit(0); } if(argv[1][47] != '\xbf') { printf("stack is still your friend.\n"); exit(0); } // here is changed! if(argv[1][46] == '\xff') { printf("but it's not forever\n"); exit(0); } strcpy(buffer, argv[1]); print..

orge

/* The Lord of the BOF : The Fellowship of the BOF - troll - check argc + argv hunter */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; // here is changed if(argc != 2){ printf("argc must be two!\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("stack is still your..

darkelf

/* The Lord of the BOF : The Fellowship of the BOF - orge - check argv[0] */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // here is changed! if(strlen(argv[0]) != 77){ printf("argv[0] error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1..

wolfman

/* The Lord of the BOF : The Fellowship of the BOF - darkelf - egghunter + buffer hunter + check length of argv[1] */ #include #include extern char **environ; main(int argc, char *argv[]) { char buffer[40]; int i; if(argc < 2){ printf("argv error\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("stack is still yo..