A question while studying ROP...

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=24316


http://www.a3sc.co.kr/newsletter/022011/alert.html

I am following along with this document almost step by step, and it has this part:
pop ecx ; pop ebx ; leave ;; = 0x8048624
Why does it store into ecx, of all registers?
Also, when I check 0x8048624 it shows
pop %ecx
and when I check where pop ebx is,
x/i 0x80484b4 shows the pop %ebx part.
Why is that??

And what does the 0x8048574 in the exploit refer to??

My writing isn't great, so I think I've asked this in a jumbled way... :(

  Hit : 8464     Date : 2012/08/24 10:14

cd80
pop ecx ; pop ebx ; leave ;; = 0x8048624
These three instructions are all single-byte instructions:
pop ecx = 0x59
pop ebx = 0x5b
leave = 0xc9

So at 0x8048625, one byte past the starting point 0x8048624, you have pop ebx,
and at 0x8048626, one byte past 0x8048625, you have leave.

Also, as you will see if you run objdump -d ./<program name> | grep ret, 0x8048574 is just one of the many rets.

Below is the result of finding the rets in the vuln program from the document that comes up when you search for "bhus10 return oriented programming".
0x8048574 is the fifth one.

[cd80@localhost ropeme-bhus10]$ objdump -d ./vuln | grep ret
8048387: c3 ret
80484b5: c3 ret
80484e3: c3 ret
8048560: c3 ret
8048574: c3 ret
80485d9: c3 ret
80485dd: c3 ret
804860a: c3 ret
8048627: c3 ret
[cd80@localhost ropeme-bhus10]$
2012/08/25
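Added example, not code from either post or from the bhus10/ropeme material: a short Python script that checks the two facts in the reply. It decodes the single-byte opcodes quoted above (0x59, 0x5b, 0xc9, plus 0xc3 for ret) from each byte offset, showing that entering the sequence at 0x8048624, 0x8048625 and 0x8048626 yields three different instruction sequences, and it parses the objdump | grep ret listing to confirm that 0x8048574 is the fifth ret. The four-byte string standing in for the bytes at 0x8048624 is constructed; the addresses and the listing are the thread's own.

```python
# Added example (not from the original thread or the bhus10/ropeme code).
# Checks two statements from the reply: (1) pop ecx / pop ebx / leave are one
# byte each, so the same run of bytes decodes differently depending on the
# entry address; (2) 0x8048574 is simply the fifth address that
# `objdump -d ./vuln | grep ret` lists.

from typing import Dict, List, Tuple

# Single-byte x86 opcodes named in the reply, plus ret (0xc3).
SINGLE_BYTE_OPCODES: Dict[int, str] = {
    0x59: "pop %ecx",
    0x5b: "pop %ebx",
    0xc9: "leave",
    0xc3: "ret",
}

# Constructed stand-in for the bytes at 0x8048624..0x8048627 of the vuln
# binary: pop %ecx ; pop %ebx ; leave ; ret. The ret at 8048627 is present
# in the grep listing from the reply, so the byte string is consistent with it.
GADGET_BASE = 0x8048624
GADGET_BYTES = bytes([0x59, 0x5b, 0xc9, 0xc3])

# The `objdump -d ./vuln | grep ret` output from the reply, used as sample input.
OBJDUMP_GREP_RET = """\
8048387: c3 ret
80484b5: c3 ret
80484e3: c3 ret
8048560: c3 ret
8048574: c3 ret
80485d9: c3 ret
80485dd: c3 ret
804860a: c3 ret
8048627: c3 ret
"""


def decode_from(code: bytes, base: int, entry: int) -> List[Tuple[int, str]]:
    """Decode one-byte instructions from `entry` up to and including the first ret."""
    if not base <= entry < base + len(code):
        raise ValueError(f"entry {entry:#x} outside [{base:#x}, {base + len(code):#x})")
    listing: List[Tuple[int, str]] = []
    for addr in range(entry, base + len(code)):
        op = code[addr - base]
        if op not in SINGLE_BYTE_OPCODES:
            # A real disassembler handles multi-byte encodings; this toy
            # decoder refuses rather than silently mis-decode.
            raise ValueError(f"opcode {op:#04x} at {addr:#x} not in table")
        listing.append((addr, SINGLE_BYTE_OPCODES[op]))
        if op == 0xc3:
            break
    return listing


def gadgets_by_entry(code: bytes, base: int) -> Dict[int, str]:
    """Map each entry address inside `code` to the instruction sequence it reaches.

    Because every instruction here is one byte, each later entry point drops
    exactly one instruction from the front, which is the point the reply makes.
    """
    return {
        base + off: " ; ".join(m for _, m in decode_from(code, base, base + off))
        for off in range(len(code))
    }


def ret_addresses(objdump_grep_output: str) -> List[int]:
    """Extract the addresses from `objdump -d ... | grep ret` lines ('addr: c3 ret')."""
    addrs: List[int] = []
    for line in objdump_grep_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "c3" and parts[2] == "ret":
            addrs.append(int(parts[0].rstrip(":"), 16))
    return addrs


if __name__ == "__main__":
    for addr, seq in gadgets_by_entry(GADGET_BYTES, GADGET_BASE).items():
        print(f"{addr:#x}: {seq}")
    rets = ret_addresses(OBJDUMP_GREP_RET)
    print(f"{len(rets)} rets found; the fifth is {rets[4]:#x}")
```

Running it prints one line per entry address (0x8048624 through 0x8048627) followed by the count of rets and the fifth address. The decoder deliberately only knows the four opcodes under discussion; on real binaries, use objdump or a proper disassembler, since x86 instructions are variable-length and the one-byte-per-instruction arithmetic above holds only for this particular epilogue.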