oiehso0

[orc@localhost orc]$ cat wolfman.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - wolfman
        - egghunter + buffer hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}

(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %esp,%ebp
0x8048503 <main+3>:     sub    $0x2c,%esp
0x8048506 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   $0x8048640
0x8048511 <main+17>:    call   0x8048410 <printf>
0x8048516 <main+22>:    add    $0x4,%esp
0x8048519 <main+25>:    push   $0x0
0x804851b <main+27>:    call   0x8048420 <exit>
0x8048520 <main+32>:    add    $0x4,%esp



                        (중간 생략)

0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax //strcpy 실행 이전에 bp를 걸었다. argv주소를 이용했기 때문이다.
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    $0x8,%esp //<---물론 이쪽에 bp를 걸고 버퍼의 주소를 이용해도 된다.
0x80485c5 <main+197>:   lea    0xffffffd8(%ebp),%eax
0x80485c8 <main+200>:   push   %eax
0x80485c9 <main+201>:   push   $0x8048669
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    $0x8,%esp
0x80485d6 <main+214>:   push   $0x28
0x80485d8 <main+216>:   push   $0x0
---Type <return> to continue, or q <return> to quit---
0x80485da <main+218>:   lea    0xffffffd8(%ebp),%eax
0x80485dd <main+221>:   push   %eax
0x80485de <main+222>:   call   0x8048430 <memset>
0x80485e3 <main+227>:   add    $0xc,%esp
0x80485e6 <main+230>:   leave
0x80485e7 <main+231>:   ret
0x80485e8 <main+232>:   nop
0x80485e9 <main+233>:   nop

(gdb) b*main+188
Breakpoint 1 at 0x80485bc
(gdb) r `python -c 'print "\xbf"*48'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/orc/./wolfma1 `python -c 'print "\xbf"*48'`

0xbffffc38:     0x00000000      0x69000000      0x00363836      0x6d6f682f
0xbffffc48:     0x726f2f65      0x2f2e2f63      0x666c6f77      0x0031616d
0xbffffc58:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc68:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffc78:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf //<--우리가 덮어쓸 ret주소
0xbffffc88:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffc98:     0x00000000      0x00000000      0x00000000      0x00000000

[goblin@localhost goblin]$ cat orc.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - orc
        - egghunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // egghunter 환경변수 메모리 부분을 0으로 초기화 시킨다.. 한마디로 막혔다.
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        if(argv[1][47] != '\xbf') //메모리 시작주소는 0xbf를 사용하라는 코드인데 스택 영역을 사용하라는 말이다. 
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        strcpy(buffer, argv[1]); //문자열 길이를 체크하지 않는다.
        printf("%s\n", buffer);
}

[goblin@localhost goblin]$ gdb ./orc1
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %ebp,%esp
0x8048503 <main+3>:     sub    %esp,44
0x8048506 <main+6>:     cmp    DWORD PTR [%ebp+8],1
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   0x8048630
0x8048511 <main+17>:    call   0x8048410 <printf>
                        

(중간 생략)

0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>:   add    %eax,4
0x80485b6 <main+182>:   mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>:   push   %edx
---Type <return> to continue, or q <return> to quit---
0x80485b9 <main+185>:   lea    %eax,[%ebp-40]
0x80485bc <main+188>:   push   %eax
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    %esp,8
0x80485c5 <main+197>:   lea    %eax,[%ebp-40]
0x80485c8 <main+200>:   push   %eax  //<--strcpy후에 스택을 보기위해 브레이크포인트를 거는 지점
0x80485c9 <main+201>:   push   0x8048659
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    %esp,8
0x80485d6 <main+214>:   leave
0x80485d7 <main+215>:   ret
0x80485d8 <main+216>:   nop
0x80485d9 <main+217>:   nop
End of assembler dump.

(gdb) b*main+200
Breakpoint 1 at 0x80485c8
(gdb) r `python -c 'print "\xbf"*48'`
Starting program: /home/goblin/./orc1 `python -c 'print "\xbf"*48'`

Breakpoint 1, 0x80485c8 in main ()
(gdb) x/100x $esp
0xbffffabc:     0x00000015      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffacc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffadc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffaec:     0xbfbfbfbf      0x00000000      0xbffffb34      0xbffffb40 //<--0xbffffaec에 ret값이 들어가는데 그값을 nop주소로 바꾼다.
0xbffffafc:     0x40013868      0x00000002      0x08048450      0x00000000

[cobolt@localhost cobolt]$ cat goblin.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - goblin
        - small buffer + stdin
*/

int main()
{
    char buffer[16];
    gets(buffer); //이전 문제와 차이가 있다면 stdin을 이용하여 값을 넘긴다는 점이다. 역시 문자열길이를 체크하지 않음.
    printf("%s\n", buffer);
}

[cobolt@localhost cobolt]$ gdb goblin
(gdb) set disassembly-set intel
No symbol "disassembly" in current context.
(gdb) disas main
Dump of assembler code for function main:
0x80483f8 <main>:       push   %ebp
0x80483f9 <main+1>:     mov    %esp,%ebp
0x80483fb <main+3>:     sub    $0x10,%esp //버퍼의 크기 0x10(16bytes)
0x80483fe <main+6>:     lea    0xfffffff0(%ebp),%eax
0x8048401 <main+9>:     push   %eax
0x8048402 <main+10>:    call   0x804830c <gets>
0x8048407 <main+15>:    add    $0x4,%esp
0x804840a <main+18>:    lea    0xfffffff0(%ebp),%eax
0x804840d <main+21>:    push   %eax
0x804840e <main+22>:    push   $0x8048470
0x8048413 <main+27>:    call   0x804833c <printf>
0x8048418 <main+32>:    add    $0x8,%esp
0x804841b <main+35>:    leave
0x804841c <main+36>:    ret
0x804841d <main+37>:    nop
0x804841e <main+38>:    nop
0x804841f <main+39>:    nop