zj3t

[wolfman@localhost wolfman]$ cat darkelf.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkelf
        - egghunter + buffer hunter + check length of argv[1]
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
char buffer[40];
int i;

if(argc < 2){
printf("argv error\n");
exit(0);
}

// egghunter
for(i=0; environ[i]; i++)
memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')
{
printf("stack is still your friend.\n");
exit(0);
}

// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}

strcpy(buffer, argv[1]);
printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);
}

// check the length of argument
if(strlen(argv[1]) > 48){
printf("argument is too long!\n");
exit(0);
}

가 추가됬는데 지금까지 한 argv[2] 방법을 유도하는 거 같아요

따라서 하던 방법으로 공격하면 됩니다.