   ewqqw
   Privilege escalation using setuid

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=4453


Is there any way to trigger this program's fget function while running ./rc?

If I just run ./rc, /tmp/RC simply disappears and that's the end of it...

#include <stdio.h>
#include <stdlib.h>

int main() {
        FILE *fp,*fo;
        char key[40];
        
        
        system("rm /tmp/RC");

        fo=fopen("/home/rc/flag","r");
        fp=fopen("/tmp/RC","w");
        
        if(!fo)
                printf("failed to open flag ask to admin\n");
        if(!fp)
                printf("failed to open RC file ask to admin\n");

        fgets(key,40,fo);
        fprintf(fp,"%s\n",key);

        fclose(fp);
        fclose(fo);
        
        system("rm /tmp/RC");

        return 0;
}

  Hit : 3784     Date : 2017/03/29 02:14



    
해쿨러 The third argument of fgets is fp, and what went into fp is fopen("flag"), not stdin.
It keeps creating the flag file, writing the key, and deleting it, over and over.
The original flag is in /home/rc/flag, and the program keeps writing it to /tmp/RC and deleting it, writing and deleting.
This is a typical race condition problem:
leave while [ 1 ] ; do ./rc; done running, and
in another one
leave while [ 1 ] ; do cat /tmp/RC; done running, and the flag shows up in the second terminal.
2017/03/29
ewqqw So you get setuid by digging into the difference between the two statements.... Thank you 2017/03/29
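
How the staging step could be written so that the window between the write and the delete does not exist, as an added example (not code from the post or from the challenge). The helper name stage_secret, the /tmp/rc-XXXXXX template and the sample flag string are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not from the post: stage `secret` in a scratch file
 * that never exists under a predictable or readable name. Returns 0 on
 * success, fills `out` with the staged bytes, `mode` with the file's
 * permission bits and `visible` with 1 if a path to it still exists. */
int stage_secret(const char *secret, char *out, size_t outlen,
                 mode_t *mode, int *visible)
{
    char path[] = "/tmp/rc-XXXXXX";   /* constructed template name */
    struct stat st;
    size_t len = strlen(secret);
    ssize_t n = -1;

    int fd = mkstemp(path);           /* O_CREAT|O_EXCL, 0600, random suffix */
    if (fd < 0)
        return -1;
    /* Remove the name before any secret byte is written: from here on the
     * data is reachable only through fd, so a concurrent reader finds no file. */
    if (unlink(path) == 0 && fstat(fd, &st) == 0 &&
        write(fd, secret, len) == (ssize_t)len &&
        lseek(fd, 0, SEEK_SET) == 0)
        n = read(fd, out, outlen - 1);
    close(fd);                        /* the storage is released here */
    if (n < 0)
        return -1;
    out[n] = '\0';
    *mode = st.st_mode & 0777;
    *visible = (access(path, F_OK) == 0 || errno != ENOENT);
    return 0;
}

int main(void)
{
    char buf[64]; mode_t mode; int visible;
    if (stage_secret("constructed-flag-value\n", buf, sizeof buf,
                     &mode, &visible) != 0)
        return 1;
    printf("mode=%04o visible=%d staged=%s", (unsigned)mode, visible, buf);
    return 0;
}
```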