http://www.hackerschool.org/HS_Boards/zboard.php?id=bof_fellowship_2round&no=32
This is about the talos->dark_mare problem.
No matter how I think about it, the intent of the problem seems to be to overflow the buffer in the BSS and tamper with the func function pointer.
But looking at the problem as it exists in the current image,
0x8049784 <data_start>: 0x00000000
(gdb)
0x8049788 <completed.5731>: 0x00000000
(gdb)
0x804978c <dtor_idx.5733>: 0x00000000
(gdb)
0x8049790 <func>: 0x08048454
(gdb)
0x8049794 <buffer>: 0x41414141
(gdb)
0x8049798: 0x41414141
(gdb)
0x804979c: 0x00000000
As shown, the address of buffer is higher than that of the function pointer.
(So the overflow is impossible in this state.)
I ran a few tests, and it seems that regardless of declaration order, a pointer variable ends up at a lower address than an ordinary variable.
I searched a lot to see whether there is some other method,
but with the problem as it currently is, it seems impossible no matter how I think about it...
Please check the problem!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char buffer[4];
void (*func)(int, int, int);

void dummy(int argc1, int argc2, int argc3)
{
    printf("Do you wonna exploit me?\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    if(argc != 2)
    {
        printf("argc Error!!\n");
        exit(-1);
    }

    // initializing buffer
    memset(buffer, 0, sizeof(buffer));
    func = dummy;

    // buffer overflow!!
    strcat(buffer, argv[1]);

    // initializing dummy registers
    asm("xor %ebx, %ebx");
    asm("xor %ecx, %ecx");
    asm("xor %edx, %edx");

    // jump into blackhole!
    func(0, 0, 0);
}
Hit : 4143 Date : 2012/10/13 05:59
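The layout check the post reasons through, as an added example that is not part of the original post or the challenge: it parses the labelled gdb lines quoted above and reports how many bytes a write moving toward higher addresses (as strcat does) needs to touch another symbol, or -1 when that symbol sits below the source. The names parse_dump, find and bytes_to_reach are hypothetical helpers introduced here.

```c
#include <stdio.h>
#include <string.h>

/* One labelled line of the gdb `x/x` output quoted in the post. */
struct sym { char name[32]; unsigned long addr; };

/* The labelled lines from the post's gdb session, copied verbatim. */
static const char *DUMP[] = {
    "0x8049784 <data_start>: 0x00000000",
    "0x8049788 <completed.5731>: 0x00000000",
    "0x804978c <dtor_idx.5733>: 0x00000000",
    "0x8049790 <func>: 0x08048454",
    "0x8049794 <buffer>: 0x41414141",
};
#define NDUMP (sizeof DUMP / sizeof DUMP[0])

/* Parse "0xADDR <name>: 0xVALUE" lines; returns how many were stored. */
static size_t parse_dump(const char **lines, size_t n, struct sym *out) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (sscanf(lines[i], "%lx <%31[^>]>", &out[k].addr, out[k].name) == 2)
            k++;
    return k;
}

/* Look a symbol up by name in the parsed table; NULL if absent. */
static const struct sym *find(const struct sym *t, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return &t[i];
    return NULL;
}

/* Bytes a write that starts at `src` and moves toward higher addresses must
   emit to touch the first byte of `dst`; -1 when `dst` is not above `src`
   (or either name is missing from the dump). */
static long bytes_to_reach(const char *src, const char *dst) {
    struct sym t[NDUMP];
    size_t n = parse_dump(DUMP, NDUMP, t);
    const struct sym *s = find(t, n, src), *d = find(t, n, dst);
    if (!s || !d || d->addr <= s->addr) return -1;
    return (long)(d->addr - s->addr) + 1;
}

int main(void) {
    printf("buffer -> func: %ld\n", bytes_to_reach("buffer", "func"));
    printf("func -> buffer: %ld\n", bytes_to_reach("func", "buffer"));
    return 0;
}
```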