리눅스

   ewqqw
   SETUID¸¦ ÀÌ¿ëÇÑ ±ÇÇÑ ¾ò±â ¼Ò½º ºÐ¼® ºÎŹ µå¸³´Ï´Ù

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=4445 [복사]


며칠째 해메고 있네요

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

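/*
 * Wargame-style "run one command" program from the post.
 *
 * Reads one line from stdin, resolves it with readlink(2), and continues only
 * when the link target starts with "/bin/sh" or "dash" AND the typed text
 * itself does not contain "sh". The typed text is then handed to system(3).
 *
 * NOTE(review): the two filters inspect different things. The first looks at
 * the symlink target, the second at the name that was typed, and system()
 * executes the typed name. A substring deny-list on a name says nothing about
 * what that name resolves to, so neither check is a security boundary.
 *
 * NOTE(review): system() runs its argument through the shell and inherits the
 * caller's environment. The post describes this as a setuid exercise; a real
 * privileged program should not call system() on user input. Drop privileges
 * first, or exec a fixed absolute path with a sanitized environment.
 *
 * Returns 0 on every path (the rejection branches exit(0)).
 */
int main(){
    char command[256];
    char expand[256];
    char *typed_path;
    ssize_t target_len = -1;

    printf("I will let you execute a single command...\n");
    printf("Try and get a shell with the command!\n");

    /* EOF or a read error leaves the buffer indeterminate; treat it as an empty line. */
    if(fgets(command, sizeof command, stdin) == NULL){
        command[0] = '\0';
    }

    /* strtok() returns NULL for an empty line; readlink() must not be given NULL. */
    typed_path = strtok(command, "\n");
    if(typed_path != NULL){
        target_len = readlink(typed_path, expand, sizeof expand - 1);
    }

    /*
     * readlink() does not NUL-terminate and returns -1 on failure (for example
     * when the path is not a symlink). Terminate explicitly so the comparisons
     * below never read indeterminate bytes; a failed lookup becomes "" and is
     * rejected by the first check.
     */
    expand[target_len > 0 ? target_len : 0] = '\0';

    /* Reject unless the link target begins with one of the two accepted prefixes. */
    if(strncmp(expand, "/bin/sh", 7) && strncmp(expand, "dash", 4)){
        printf("Nope! You always want to run /bin/sh\n");
        exit(0);
    }

    /* Reject typed names that contain "sh" anywhere (substring match, not a path check). */
    if(strstr(command, "sh")){
        printf("Almost... try to use a different name!\n");
        exit(0);
    }

    /* NOTE(review): executes the user-supplied string via the shell; see header comment. */
    system(command);

    return 0;
}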

  Hit : 2705     Date : 2017/03/07 06:42



    
pwn2on °£´ÜÇÏ°Ô ¼³¸íÇÑ´Ù¸é,
ÇØ´ç ÄÚµå´Â ¹®ÀÚ¿­À» ÀԷ¹޾ÆÁÖ°í ±× ¹®ÀÚ¿­À» ¸í·É¾î·Î ½ÇÇà½ÃÄÑÁÖ´Â ÇÁ·Î±×·¥ÀÔ´Ï´Ù.
command¶ó´Â º¯¼ö¿¡ 256 Byte¸¸Å­ µ¥ÀÌÅ͸¦ ÀԷ¹ްí
readlink ÇÔ¼ö´Â °æ·Î°¡ ½Éº¼¸¯ ¸µÅ©¶ó¸é ±×°ÍÀ» ÀúÀåÇØÁÖ´Â ÇÔ¼öÀÔ´Ï´Ù.
strtok()´Â ƯÁ¤ ¹®ÀÚ¿­À» ±âÁØÀ¸·Î Data¸¦ Split ÇØÁÖ´Â ±â´ÉÀ̱¸¿ä.

ÀÌ·±½ÄÀ¸·Î ºÐ¼®ÇØ ³ª°¡¸é¼­ setuidÀÇ exploitÀ» ½ÃµµÇغ¸½Ã¸é µÉ°Å °°½À´Ï´Ù.
2017/03/07  
ÇØÄð·¯ command´Â ¿øº» ¹®ÀÚ¿­, expand´Â readlink¸¦ ÇÑ °á°úÁÒ
°á±¹ µÑ´Ù ÀԷ¿¡ ÀÇÁ¸ÇÏ´Â µ¥ÀÌÅ͵éÀÌÁö¸¸ ÇÊÅ͸µÇÏ´Â ¹æ½ÄÀÌ ´Ù¸¨´Ï´Ù
command¿¡´Â sh°¡ ¾øÁö¸¸, ±× command·Î µé¾î¿Â ÇÁ·Î±×·¥ÀÌ ½Éº¼¸¯ ¸µÅ©µÈ ÆÄÀÏÀ̰í, /bin/sh³ª dash¸¦ °¡¸£Å°°Ô ÇÏ¸é µÇ´Â°ÅÁÒ
ln -s /bin/sh /tmp/hack ÀÌ·±½ÄÀ¸·Î ÇϽŴÙÀ½¿¡
¹®Á¦¸¦ ½ÇÇàÇϼż­
¹®Á¦ÀÇ fgets¿¡ /tmp/hack À» ÀÔ·ÂÇÏ½Ã¸é µË´Ï´Ù
2017/03/07  
ewqqw 감사합니다~~ 해결되었어요 2017/03/08