120, 1/6 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   ¸Û¸Û
   http://www.hackerschool.org
   ** ¼Ò½ºÄÚµå ¿ÀµðÆà ¹®Á¦ Á¤´äÀÔ´Ï´Ù. **

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=124 [º¹»ç]


#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN 16
#define WORDSIZE 2
#define DWORDSIZE WORDSIZE+WORDSIZE

void mylog(intkind, char *msg){
        // 3¹ø Ãë¾àÁ¡, Æ÷¸Ë½ºÆ®¸µ
        syslog(LOG_USER | kind, msg);
}

void mycpy(char *dst, char *src){
        if(strlen(src) < BUFLEN -1)
                while(*src)
                        *dst++ = *src++;
        *dst= '\x00';
}

int main(int argc, char *argv[]){
        char buf1[16];
        char buf2[16];
        char buf3[BUFLEN];
        char *buf4;
        char *buf5;
        char buf6[16];
        char *buf7;
        int i, len;

        if(argc != 12)
                exit(0);
        
        // 1¹ø Ãë¾àÁ¡
        // argv[1]ÀÇ ±æÀÌ°¡ 17¹ÙÀÌÆ® ÀÌ»óÀÏ °æ¿ì NULLÀÌ º¹»çµÇÁö ¾ÊÀ½
        // Áï, buf1ÀÌ NULL ¾ø´Â ¹®ÀÚ¿­ÀÌ µÇ¾î¹ö¸²        
        // ÀÌ·Î ÀÎÇØ Â÷ÈÄ ÀÌ»óÀÛµ¿ ȤÀº Ãë¾àÁ¡ÀÌ ¹ß»ý ÇÒ ¼ö ÀÖÀ½
        strncpy(buf1, argv[1], sizeof(buf1));
        len= atoi(argv[2]);
        
        if (len< 16)
                // 2¹ø Ãë¾àÁ¡
                // integer overflow ¹ß»ý
                // ¿¹¸¦ µé¾î argv[3]ÀÇ °ªÀ» -4·Î ÁÙ °æ¿ì -4=4294967296°¡ µÇ¾î¹ö¸²
                memcpy(buf2, argv[3], len);
        else {
                char *buf= malloc(len+ 20);
                if(buf){
                        // Ãë¾àÁ¡ ¾øÀ½
                        snprintf(buf, len+20, "String too long: %s", argv[3]);

                        // 3¹ø Ãë¾àÁ¡, Æ÷¸Ë½ºÆ®¸µ
                        mylog(LOG_ERR, buf);
                }
        }

        // Ãë¾àÁ¡ ¾øÀ½
        mycpy(buf3, argv[4]);
                
        // 4¹ø Ãë¾àÁ¡
        // À§ mycpy¿¡ ÀÇÇØ buf3ÀÌ °¡µæ Âû °æ¿ì ¹öÆÛ¿À¹öÇÃ·Î¿ì ¹ß»ý
        strncat(buf3, argv[5], sizeof(buf3)-1);

        if(fork()){
                // Ãë¾àÁ¡ ¾øÀ½
                execl("/bin/ls", "/bin/ls", argv[6], 0);
        }

        // filter metacharacters
        char *p;
        if(p = strchr(argv[7], '&'))
                *p = 0;
        if(p = strchr(argv[7], '`'))
                *p = 0;
        if(p = strchr(argv[7], ';'))
                *p = 0;
        if(p = strchr(argv[7], '|'))
                *p = 0;
        if(strlen(argv[7]) < 1024){
                buf4 = malloc(20 + strlen(argv[7]));
                // Ãë¾àÁ¡ ¾øÀ½
                sprintf(buf4, "/bin/cat %s", argv[7]);

                // 5¹ø Ãë¾àÁ¡
                // $ Ư¼ö ¹®ÀÚ¸¦ ÀÌ¿ëÇÏ¿© ½Ã½ºÅÛ ¸í·É ½ÇÇà °¡´É
                // > Ư¼ö ¹®ÀÚ¸¦ ÀÌ¿ëÇÏ¿© root ±ÇÇÑ ÆÄÀÏ º¹»ç °¡´É
                system(buf4);
        }

        // 6¹ø Ãë¾àÁ¡
        // integer overflow + Null Pointer Dereference
        // argv[8]°ú argv[9]ÀÇ ±æÀÌ°¡ °¢°¢ 0x7fffffff(-1)ÀÏ °æ¿ì °á°ú´Â malloc(0)ÀÌ µÊ
        // ¸®ÅÏ °ªÀº 0 = Null Pointer Dereference
        buf5 = malloc(strlen(argv[8]) + strlen(argv[9]) + 2);
        strcpy(buf5, argv[8]);
        strcat(buf5, argv[9]);

        // 7¹ø Ãë¾àÁ¡, ¹öÆÛ ¿À¹öÇ÷οì
        memcpy(buf6, argv[10], strlen(argv[10]));

        // 8¹ø Ãë¾àÁ¡, ¸ÅÅ©·Î ¿ì¼±¼øÀ§ ¿À·ù
        // #define WORDSIZE 2
        // #define DWORDSIZE WORDSIZE+WORDSIZE
        // buf7 = malloc(4 * DWORDSIZE);
        // 4*2+2=10
        buf7 = malloc(4 * DWORDSIZE);
        for(i=0; i<4; i++){
                // ÃÑ º¹»ç ±æÀÌ : 4+4+4+4=16
                memcpy(buf7 + 4 * i, argv[11] + 4 * i, DWORDSIZE);
        }
        printf("\nGot%s, (%d) %s, %s, %s, %s, %s, %s\n", buf1, len, buf2,buf3, buf4, buf5, buf6, buf7);
}
  Hit : 3940     Date : 2012/09/02 11:52


    
±î¹³´Ù¸£³¢ °¨»çÇÕ´Ï´Ù ÁÁÀº °æÇèÇÏ°í °¡¿ä~ 2012/09/02