http://www.hackerschool.org/HS_Boards/zboard.php?desc=asc&no=1945
안녕하세요, 이번에 달고나님 BOF 문서 보고 새로 시작하게 된 사람입니다.
배우다가 궁금한 게 있어서 질문드립니다!
(gdb) disass main
Dump of assembler code for function main:
# main(): set up a frame, align the stack to 16 bytes, then call system().
# i386 SysV ABI (AT&T syntax, as printed by gdb): arguments travel on the
# stack; once the callee has pushed %ebp its first argument sits at 0x8(%ebp).
0x080481d0 <main+0>: push %ebp                 # save caller's frame pointer
0x080481d1 <main+1>: mov %esp,%ebp             # ebp = base of main's frame
0x080481d3 <main+3>: sub $0x8,%esp             # reserve 8 bytes of locals
0x080481d6 <main+6>: and $0xfffffff0,%esp      # round esp down to a 16-byte boundary
0x080481d9 <main+9>: mov $0x0,%eax             # eax = 0 ...
0x080481de <main+14>: sub %eax,%esp            # ... so this subtracts nothing (presumably a compiler stack adjustment whose size folded to 0)
0x080481e0 <main+16>: call 0x8048898 <system>  # NOTE: nothing is stored at (%esp) before the call, so system() picks up whatever value happens to lie at 0x8(%ebp) in its own frame as its argument
0x080481e5 <main+21>: leave                    # esp = ebp; pop %ebp
0x080481e6 <main+22>: ret
0x080481e7 <main+23>: nop                      # padding after the function body
End of assembler dump.
(gdb) disass __libc_system
Dump of assembler code for function system:
# system(line): i386 SysV ABI. The 0x0804xxxx addresses suggest this copy of
# system() is linked into the binary itself (static glibc) — verify with `info symbol`.
# Register roles: ebx = line (callee-saved, survives calls);
#                 esi = saved cancellation state (multithreaded path only);
#                 eax = return value.
0x08048898 <system+0>: push %ebp                    # prologue
0x08048899 <system+1>: mov %esp,%ebp
0x0804889b <system+3>: push %esi                    # esi and ebx are callee-saved in the i386 ABI: preserve them
0x0804889c <system+4>: push %ebx                    # after these two pushes esp == ebp-8
0x0804889d <system+5>: mov 0x8(%ebp),%ebx           # ebx = line (first stack argument)
0x080488a0 <system+8>: test %ebx,%ebx               # line == NULL ?
0x080488a2 <system+10>: je 0x80488da <system+66>    # yes: jump to system+66, which lies past the end of this dump (glibc's system(NULL) "is a shell available?" path — not shown here)
0x080488a4 <system+12>: mov 0x80a4b14,%eax          # load a 32-bit global from absolute address 0x80a4b14; presumably glibc's "multiple threads" flag — confirm with `info symbol 0x80a4b14`
0x080488a9 <system+17>: test %eax,%eax              # flag == 0 ?
0x080488ab <system+19>: jne 0x80488b8 <system+32>   # non-zero: take the multithreaded path at +32
# --- single-threaded path: tail-jump to do_system(line), reusing this frame's argument slot ---
0x080488ad <system+21>: mov %ebx,0x8(%ebp)          # write line back into the argument slot (same value it was loaded from)
0x080488b0 <system+24>: lea 0xfffffff8(%ebp),%esp   # esp = ebp-8, i.e. where ebx/esi were pushed (0xfffffff8 == -8)
0x080488b3 <system+27>: pop %ebx                    # restore callee-saved registers
0x080488b4 <system+28>: pop %esi
0x080488b5 <system+29>: leave                       # esp = ebp; pop %ebp — the stack now looks exactly as it did on entry
0x080488b6 <system+30>: jmp 0x80488f4 <do_system>   # tail call: do_system sees main's return address and the same argument, and returns straight to main
# --- multithreaded path: make the thread cancellable around do_system() ---
0x080488b8 <system+32>: call 0x804e548 <__libc_enable_asynccancel>   # eax = previous cancel state (inferred from how eax is saved and reused below)
0x080488bd <system+37>: sub $0xc,%esp               # 12 bytes of padding ...
0x080488c0 <system+40>: push %ebx                   # ... plus the 4-byte argument = 16: pushes line for do_system and keeps esp 16-aligned at the call
0x080488c1 <system+41>: mov %eax,%esi               # esi = old cancel state; esi is callee-saved so it survives the next call
0x080488c3 <system+43>: call 0x80488f4 <do_system>  # eax = do_system(line)
0x080488c8 <system+48>: mov %eax,%ebx               # ebx = result, kept across the next call
0x080488ca <system+50>: mov %esi,%eax               # old cancel state handed over in eax (no push: a glibc-internal register convention for this helper, not the normal stack ABI)
0x080488cc <system+52>: call 0x804e58c <__libc_disable_asynccancel>  # restore the previous cancel state
0x080488d1 <system+57>: mov %ebx,%eax               # return value = do_system's result
0x080488d3 <system+59>: lea 0xfffffff8(%ebp),%esp   # discard the 16 bytes pushed above; esp = ebp-8
0x080488d6 <system+62>: pop %ebx                    # epilogue mirrors the prologue
0x080488d7 <system+63>: pop %esi
0x080488d8 <system+64>: leave
0x080488d9 <system+65>: ret
메인 함수에 system() 함수만 넣은 채로 system 함수의 argument 과정을 디스어셈블리한 결과인데, 함수 프롤로그 마치고 ebp 기준 +8의 주소값을 ebx에 넣는 거까지는 알 것 같은데 그 아래 있는 과정들을 모르겠어요 ㅠ.ㅠ
# Quoted part of system(line), i386 SysV ABI. On entry to this stretch:
#   ebx = line (the first stack argument, loaded from 0x8(%ebp) just above),
#   esp = ebp-8 (ebp, esi, ebx have been pushed), ebx/esi are callee-saved.
0x080488a0 <system+8>: test %ebx,%ebx               # line == NULL ?
0x080488a2 <system+10>: je 0x80488da <system+66>    # yes: jump to system+66, which lies past the end of this dump (glibc's system(NULL) path — not shown here)
0x080488a4 <system+12>: mov 0x80a4b14,%eax          # load a 32-bit global from absolute address 0x80a4b14; presumably glibc's "multiple threads" flag — confirm with `info symbol 0x80a4b14`
0x080488a9 <system+17>: test %eax,%eax              # flag == 0 ?
0x080488ab <system+19>: jne 0x80488b8 <system+32>   # non-zero: take the multithreaded path at +32
# --- single-threaded path: tail-jump to do_system(line), reusing this frame's argument slot ---
0x080488ad <system+21>: mov %ebx,0x8(%ebp)          # write line back into the argument slot (same value it was loaded from)
0x080488b0 <system+24>: lea 0xfffffff8(%ebp),%esp   # esp = ebp-8, i.e. where ebx/esi were pushed (0xfffffff8 == -8)
0x080488b3 <system+27>: pop %ebx                    # restore callee-saved registers
0x080488b4 <system+28>: pop %esi
0x080488b5 <system+29>: leave                       # esp = ebp; pop %ebp — the stack now looks exactly as it did on entry
0x080488b6 <system+30>: jmp 0x80488f4 <do_system>   # tail call: do_system sees the caller's return address and the same argument, and returns straight to the caller
# --- multithreaded path: make the thread cancellable around do_system() ---
0x080488b8 <system+32>: call 0x804e548 <__libc_enable_asynccancel>   # eax = previous cancel state (inferred from how eax is saved and reused below)
0x080488bd <system+37>: sub $0xc,%esp               # 12 bytes of padding ...
0x080488c0 <system+40>: push %ebx                   # ... plus the 4-byte argument = 16: pushes line for do_system and keeps esp 16-aligned at the call
0x080488c1 <system+41>: mov %eax,%esi               # esi = old cancel state; esi is callee-saved so it survives the next call
0x080488c3 <system+43>: call 0x80488f4 <do_system>  # eax = do_system(line)
0x080488c8 <system+48>: mov %eax,%ebx               # ebx = result, kept across the next call
0x080488ca <system+50>: mov %esi,%eax               # old cancel state handed over in eax (no push: a glibc-internal register convention for this helper, not the normal stack ABI)
0x080488cc <system+52>: call 0x804e58c <__libc_disable_asynccancel>  # restore the previous cancel state
0x080488d1 <system+57>: mov %ebx,%eax               # return value = do_system's result
0x080488d3 <system+59>: lea 0xfffffff8(%ebp),%esp   # discard the 16 bytes pushed above; esp = ebp-8
0x080488d6 <system+62>: pop %ebx                    # epilogue mirrors the prologue
0x080488d7 <system+63>: pop %esi
0x080488d8 <system+64>: leave
0x080488d9 <system+65>: ret
제가 모르겠는 부분입니다. 혹시 자세하게 설명해 주실 수 있는 분
제발 설명해 주시면 감사하겠습니다 ㅠㅠ
Hit : 2213 Date : 2018/10/20 10:44