http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=20
There still seem to be some parts of the lecture content that are hard, yikes.
For now I'll post only as much as I've got through so far. (Sorry that it's past the deadline.)
The post may get revised each time I make a bit more progress..
Ugh ㅠ0ㅠ this is hard, lol
======================
Parts marked with **asterisks** or (parentheses) are either uncertain,
or parts I wanted to leave out for ease of interpretation.
Parts I couldn't hear clearly I wrote down only as best I could make them out.
0:00
And, what would happen if strlen tries to calculate the length of it?
So when it tries to calculate the length and **calcurs the just tag**
it's going to cause a problem.
It's going to overflow, ok?
0:20
conditional termination
// I don't understand the lecture content in the 0:20~2:20 part yet, so there are a lot of blanks.. It will probably get filled in bit by bit..
**the (ints) are at the very bottom, (they sured in the last three lines)**
??
Anyone?
0:40
What would happen if the first clause is completed with the while loop?
(free rendering: while the first condition of the while loop is satisfied, what happens? // not sure this rendering is right)
See, it says, while index is less than buffer length,
and it is not terminated,
so it tries to see extra(?) to take a string,
(translator: so the loop goes on to look further into the string; or, depending on what "it" refers to: so the loop goes on to check the second condition of the while as well)
1:00
which is, and looking for,
(stammering)
it should be less than buffer length
// I'm not sure exactly what "it" refers to
in this case 20 characters
and it should be not terminated
(it is) not the proper method of doing it
(free rendering: writing the condition this way is not correct.)
if you do it, simply pass (lo slive zero wall??)
(uncertain rendering: if you did that, by passing ??? to the program as an argument,)
it's going to try to read (..and read) the whole thing
1:20
and StringLength is going to be what?
It's going to be 12 over there
it could be **R** where
??
when it encounters either one of them, it should proceed forward
// (the words are easy but an exact rendering is hard..)
and it should say, ok **(unclear; sounds like "another's en conker")**
??
so go ahead and actually terminate the that point of (type)
??
1:42
the other problem over here is that
it just presumes that the while loop succeeds
(translator: from the program's point of view, it assumes the while loop finished normally.)
It actually went through properly and, OK, I did this,
I got the right value,
everything is working fine,
I did the value-checking,
and everything is working fine.
what will happen if just the first (start index) is less than BufferLength
(translator's reading: what happens if the initial value of index is less than BufferLength?)
(it's poofed)
it'll cause a problem
It'll just jump out of the loop
and StringLength value would be 12, ok?
2:20
the next one, premature termination
there's another thing that seems so awkward, and a..
it's in the second input ****
(um..)
(Student: it doesn't work!)
2:40
That's,
(stammering)
it's really for examples, these are..
Go ahead.
(Student: ??)
Exactly.
And you would be surprised how many times you see this
3:00
There're so many times they'll do this in this exact code
yeah,
yeah, it's nothing significant, but
so many times you'll see that
it tries to do some kind of validation?
and they'll accidentally put a semicolon
and the entire validation goes out of the bench.
(translator: it tries to do a check with an if statement, but by accidentally putting a semicolon at the end of that statement the whole check done by the if becomes void.)
3:20
(**first three lengths**)
??
Pretty classic
Yes, it is classic, it's the classic strcpy problem, right?
Getting an argument from the command line
and passing it into "var" which is 20 bytes
It's going to cause a problem.
Reading from the network
This I put in because
this was, I found one of our team very, very similar to this.
(translator: I once found that one of our team had made a very, very similar mistake.)
Again this is the classic strcpy problem (because)
receiving data it was expecting 5 thousand
but actually allocated local allocation was only 2000
and again we have buffer overflow there
So always keep your variable length consistent
(alternative rendering: so always treat the variable length as a constant.)
Think about that, don't forget that
4:14 // From here on I'm holding off for now. (The content is hard to understand!..)
Exported functions
You can kinda see the solution
but I prefer if you do very (bill?) code there
basically the first line is an exporter
it's exporting this dll
it's exporting ex_func
but it's taking a (filing) and length whenever you call it
right?
(Student: untrusted input)
untrusted input
those are very very typical examples of untrusted input
again these kind of things in (unclear; sounds like "a-ssa-i-pi")s
(per pri-free (unclear; sounds like "a-ssa-i-pi")) you find it all the time
That's as far as I've got for now..
Hit : 1645 Date : 2011/05/11 02:34
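The bugs the lecture walks through between 0:00 and 4:14 (a length loop that stops at either a NUL or the buffer limit and then trusts the index, strcpy of a command-line argument into a 20-byte var, and a receive that expects 5000 bytes into a 2000-byte local) in working C, as an added example for this page; it is not code from the lecture or from the poster. The buffer sizes 20, 2000 and 5000 follow the lecture; the function names (naive_length, bounded_length, copy_bounded) and the constructed inputs are assumptions. It goes a little beyond the lecture in that one bounded copy helper serves both the argv case and the network case, since both are the same mistake: copying n bytes into a buffer without first comparing n against the buffer's capacity.

```c
/* Added example, not from the lecture or the original post: the bugs the
 * lecturer walks through (a length scan that cannot tell "found the NUL"
 * from "hit the end of the buffer", and strcpy()/recv-style copies into a
 * fixed-size local), each beside a checked version. Sizes 20, 2000 and
 * 5000 come from the lecture; the names and constructed inputs are
 * assumptions made here.  Build: cc -std=c99 -Wall example.c */
#include <stdio.h>
#include <string.h>

#define BUFFER_LENGTH 20     /* the 20-character buffer in the lecture */
#define LOCAL_BUF     2000   /* local allocation in the network example */
#define MAX_MSG       5000   /* what the receiver was written to expect */

/* The loop the lecturer criticises: it stops at a NUL *or* when index
 * reaches BUFFER_LENGTH, and the caller uses index as the string length
 * either way, "presuming the while loop succeeded". */
size_t naive_length(const char *buf)
{
    size_t index = 0;
    while (index < BUFFER_LENGTH && buf[index] != '\0')
        index++;
    return index;   /* 20 for an unterminated buffer, same as for a real 20-char string */
}

/* Checked scan: report a length only if a NUL was found within cap
 * bytes, otherwise -1, so "no terminator" cannot be mistaken for a
 * valid length (strlen() on such a buffer would read past its end). */
int bounded_length(const char *buf, size_t cap, size_t *len)
{
    for (size_t i = 0; i < cap; i++) {
        if (buf[i] == '\0') {
            *len = i;
            return 0;
        }
    }
    return -1;
}

/* Checked copy for both lecture cases (argv[1] into char var[20]; a
 * 5000-byte network message into a 2000-byte local): refuse anything
 * that does not fit in dst together with its terminating NUL. */
int copy_bounded(char *dst, size_t dst_cap, const char *src, size_t n)
{
    if (n >= dst_cap)
        return -1;  /* strcpy()/memcpy() here would overflow dst */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Driver: 20 bytes of 'A' with no terminator; naive_length() reports 20. */
size_t naive_length_of_unterminated(void)
{
    char buf[BUFFER_LENGTH];
    memset(buf, 'A', sizeof buf);   /* constructed: no NUL anywhere */
    return naive_length(buf);
}

/* Driver: the same buffer through bounded_length(); -1, not terminated. */
int bounded_length_of_unterminated(void)
{
    char buf[BUFFER_LENGTH];
    size_t len = 0;
    memset(buf, 'A', sizeof buf);
    return bounded_length(buf, sizeof buf, &len);
}

/* Driver: 1 if src fits a 20-byte local and copies back intact, 0 if rejected. */
int checked_copy_accepts(const char *src)
{
    char var[BUFFER_LENGTH] = {0};
    if (copy_bounded(var, sizeof var, src, strlen(src)) != 0)
        return 0;
    return strcmp(var, src) == 0;
}

/* Driver: copy_bounded() result for a constructed msg_len-byte message
 * into the 2000-byte local: 0 below 2000, -1 for the 5000 "expected". */
int store_message_result(size_t msg_len)
{
    static char msg[MAX_MSG];
    char local[LOCAL_BUF];
    if (msg_len > MAX_MSG)
        return -1;
    memset(msg, 'B', msg_len);
    return copy_bounded(local, sizeof local, msg, msg_len);
}

int main(void)
{
    printf("naive_length(20 x 'A', no NUL)   = %zu  <- looks like a valid length\n",
           naive_length_of_unterminated());
    printf("bounded_length(20 x 'A', no NUL) = %d   <- reported as an error\n",
           bounded_length_of_unterminated());
    printf("19-char argument accepted: %d, 20-char: %d\n",
           checked_copy_accepts("exactly19characters"), checked_copy_accepts("twenty_characters!!!"));
    printf("1999-byte message: %d, 5000-byte message: %d\n",
           store_message_result(LOCAL_BUF - 1), store_message_result(MAX_MSG));
    return 0;
}
```

Compare the two scanners on the unterminated buffer: naive_length returns 20, which looks like a valid length, while bounded_length returns -1. That is the distinction the lecturer says the loop at 1:42 fails to make; a caller that only sees the index cannot know whether the loop found a terminator or simply ran out of buffer. The same shape applies to the copies: the check must happen on n before the bytes move, not on the result afterwards.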