SystemHacking/LOB (BOF Expedition) (20)
-
[20] xavius -> death_knight ( Remote BOF )
xavius / throw me away [xavius@localhost xavius]$ /bin/bash2 [xavius@localhost xavius]$ export SHELL=/bin/bash2 [ death_knight.c ] #include #include #include #include #include #include #include #include #include main(){ char buffer[40]; int server_fd, client_fd; struct sockaddr_in se..
2017.11.25 -
[19] nightmare -> xavius
nightmare / beg for me [nightmare@localhost nightmare]$ /bin/bash2 [nightmare@localhost nightmare]$ export SHELL=/bin/bash2 [ xavius.c ] #include #include #include main(){ char buffer[40]; char *ret_addr; // overflow! fgets(buffer, 256, stdin); printf("%s\n", buffer); if(*(buffer+47) == '\xbf') { printf("stack ret..
2017.11.25 -
[17] zombie_assassin -> succubus ( Calling Function Continuously )
zombie_assassin / no place to hide /bin/bash2 export SHELL=/bin/bash2 [ succubus.c ] /* The Lord of the BOF : The Fellowship of the BOF - succubus - calling functions continuously */ #include #include #include // the ins..
2017.11.25 -
[16] assassin -> zombie_assassin ( Fake EBP & leaveret )
assassin / pushing me away [assassin@localhost assassin]$ /bin/bash2 [assassin@localhost assassin]$ export SHELL=/bin/bash2 [ zombieassassin.c ] #include #include main(int argc, char *argv[]){ char buffer[40]; if(argc EBP: Fake EBP 2> main ret pop eip => EIP: &leaveret 3> leave mov esp,ebp => ESP: Fake EBP(&buffer+4) pop ebp => EBP: the value at &buffer+4 4> ..
2017.11.20 -
[15] giant -> assassin ( Data Section ( leave & ret ) )
giant / one step closer [giant@localhost giant]$ /bin/bash2 [giant@localhost giant]$ export SHELL=/bin/bash2 [ assassin.c ] #include #include main(int argc, char *argv[]){ char buffer[40]; if(argc stack not usable if(argv[1][47] == '\x40') { printf("library retbayed you, too!!\n"); exit(0); } => library not usable strcpy(buffer, argv[1]); printf("%s\n", buffe..
2017.11.20 -
[14] bugbear -> giant ( RTL , execve )
bugbear / new divide [bugbear@localhost bugbear]$ /bin/bash2 [bugbear@localhost bugbear]$ export SHELL=/bin/bash2 [ giant.c ] #include #include #include main(int argc, char *argv[]){ char buffer[40]; FILE *fp; char *lib_addr, *execve_offset, *execve_addr; char *ret; if(argc execve ( &"/bin/sh" , address of the array { &/bin/sh, NULL }, NULL ..
2017.11.20