http://www.hackerschool.org/HS_Boards/zboard.php?desc=desc&no=1726
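I set up FTZ and am working on the level 12 problem.
I'm trying to check the address with gdb,
but the esp value keeps changing every time I check, so I can't find the ret address...
There was a post from someone with the same problem, and the answer said that ASLR seems to be applied to the stack.
What should I do in this case?
I don't know much about shellcode attacks to begin with, so I'm following along with a book,
but even doing exactly what the book says doesn't work, so I can't make any progress ㅠㅠㅠㅠ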
0x08048470 <main+0>: push %ebp
0x08048471 <main+1>: mov %esp,%ebp
0x08048473 <main+3>: sub $0x108,%esp
0x08048479 <main+9>: sub $0x8,%esp
0x0804847c <main+12>: push $0xc15
0x08048481 <main+17>: push $0xc15
0x08048486 <main+22>: call 0x804835c <setreuid>
0x0804848b <main+27>: add $0x10,%esp
0x0804848e <main+30>: sub $0xc,%esp
0x08048491 <main+33>: push $0x8048538
0x08048496 <main+38>: call 0x804834c <printf>
0x0804849b <main+43>: add $0x10,%esp
0x0804849e <main+46>: sub $0xc,%esp
0x080484a1 <main+49>: lea 0xfffffef8(%ebp),%eax
0x080484a7 <main+55>: push %eax
0x080484a8 <main+56>: call 0x804831c <gets>
0x080484ad <main+61>: add $0x10,%esp
0x080484b0 <main+64>: sub $0x8,%esp
0x080484b3 <main+67>: lea 0xfffffef8(%ebp),%eax
0x080484b9 <main+73>: push %eax
0x080484ba <main+74>: push $0x804854c
0x080484bf <main+79>: call 0x804834c <printf>
0x080484c4 <main+84>: add $0x10,%esp
0x080484c7 <main+87>: leave
0x080484c8 <main+88>: ret
0x080484c9 <main+89>: lea 0x0(%esi),%esi
0x080484cc <main+92>: nop
0x080484cd <main+93>: nop
0x080484ce <main+94>: nop
0x080484cf <main+95>: nop
End of assembler dump.
(gdb) b *0x080484bf <-- set breakpoint
(gdb) r <--- run
Starting program: /home/level12/tmp/attackme
문장을 입력하세요.
AAAA <--- entered a value
Breakpoint 1, 0x080484bf in main ()
(gdb) x/12x $esp <--- check esp value
0xbfffdfb0: 0x0804854c 0xbfffdfc0 0xbfffdfe0 0x00000001
0xbfffdfc0: 0x41414141 0x00000000 0x00000000 0x078e530f
0xbfffdfd0: 0xbfffe070 0x40015a38 0x0029656e 0x00000000
(gdb) r <--- run again
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/level12/tmp/attackme
문장을 입력하세요.
AAAA
Breakpoint 1, 0x080484bf in main ()
(gdb) x/12x $esp (value changed)
0xbfffe6b0: 0x0804854c 0xbfffe6c0 0xbfffe6e0 0x00000001
0xbfffe6c0: 0x41414141 0x00000000 0x00000000 0x078e530f
0xbfffe6d0: 0xbfffe770 0x40015a38 0x0029656e 0x00000000
(gdb)
Hit : 3881 Date : 2014/01/17 06:36