Programming

   onlyvb
   [C language] A question about something I don't understand in the BOF lecture.

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=3143


Hello.

While following the BOF lecture I ran into something I don't understand, so I'm asking about it here.

The code below is excerpted from the BOF lecture "Lesson 15 - [Practice] Training course: Tampering with memory addresses".

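   #include <stdio.h>

   int main(void)
   {
       char buff[20] = {0, };
       /* Points 24 bytes past the start of buff, beyond the 20-byte array */
       int *ptr_to_ret = (int *)(buff + 24);

       /* Labels: 주소 = address, 값 = value */
       printf("buff 주소 : [0x%08x]\n\n", (unsigned int)&buff);
       printf("ptr_to_ret 주소 : [0x%08x]\n", (unsigned int)&ptr_to_ret);
       printf("ptr_to_ret 값 : 0x%08x\n\n", *ptr_to_ret);

       return 0;
   }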

When I run the code above,
(With the vmware image it kept crashing whenever I pressed backspace, so I ran it in a cygwin environment on winxp.)

     $ ./test
      buff 주소 : [0x0022cd40]

      ptr_to_ret 주소 : [0x0022cd3c]
      ptr_to_ret 값 : 0x0022cd98

I get the output shown above.


What I don't understand here is

why the ptr_to_ret value comes out as 0x~98 rather than 0x~58 (= buff address 0x~40 + 24 (0x18)).


The curious thing is that when I look at the memory with the dumpcode() function, it is displayed as 0x~58.

  
Thank you.

  Hit : 4911     Date : 2011/08/23 09:49
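
The distinction the question turns on, as an added example that is not part of the original post or the lecture: the third `printf` is passed `*ptr_to_ret`, so it prints the word stored at `buff + 24`, not the address `buff + 24` itself. The byte array, `MEM_BASE` and the helper names are assumptions that model the 32-bit little-endian stack using the addresses from the output above, so the program is well-defined on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit stack from the output above: a byte array
 * standing in for addresses MEM_BASE .. MEM_BASE+0xff. Names are hypothetical. */
#define MEM_BASE   0x0022cd00u
#define ADDR_PTR   0x0022cd3cu   /* &ptr_to_ret, from the output */
#define ADDR_BUFF  0x0022cd40u   /* &buff, from the output */

static uint8_t mem[0x100];

/* Store a 32-bit little-endian word (x86 byte order) at a simulated address. */
static void store32(uint32_t addr, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        mem[addr - MEM_BASE + i] = (uint8_t)(v >> (8 * i));
}

/* Load a 32-bit little-endian word from a simulated address. */
static uint32_t load32(uint32_t addr)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)mem[addr - MEM_BASE + i] << (8 * i);
    return v;
}

/* int *ptr_to_ret = (int *)(buff + 24);  stores an ADDRESS in the variable. */
static void init_frame(void)
{
    store32(ADDR_PTR, ADDR_BUFF + 24);     /* 0x0022cd40 + 0x18 = 0x0022cd58 */
    store32(ADDR_BUFF + 24, 0x0022cd98u);  /* word found there in the run above */
}

/* What printing ptr_to_ret (no '*') would show: the variable's own contents. */
static uint32_t pointer_value(void) { return load32(ADDR_PTR); }

/* What printing *ptr_to_ret shows: the word stored at that address. */
static uint32_t pointee_value(void) { return load32(pointer_value()); }

int main(void)
{
    init_frame();
    printf("ptr_to_ret  = 0x%08x\n", (unsigned)pointer_value());
    printf("*ptr_to_ret = 0x%08x\n", (unsigned)pointee_value());
    return 0;
}
```

In this model, a memory dump of the bytes at `&ptr_to_ret` shows `0x0022cd58`, while the dereference yields `0x0022cd98`.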