½Ã½ºÅÛ ÇØÅ·

 1576, 1/79 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   hj7933
   http://¾øÀ½
   perl, python À» ÀÌ¿ëÇØ ¸Þ¸ð¸® \xff ÀÔ·Â ¹æ¹ý ¾Æ½Ã´Â ºÐ~

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1496 [º¹»ç]


¾È³çÇϼ¼¿ä

perl -e 'print "\x53\xf5\xff\xbf"' ¹¹ ÀÌ·± °ªÀ» ÀÎÀÚ°ªÀ¸·Î ³Ñ±â·Á°í Çϴµ¥

³Ñ±äµÚ µð¹ö±ëÇؼ­ ½ºÅÃÀÇ ¸Þ¸ð¸®¸¦ º¸¸é \xff ºÎºÐÀÌ 00 À¸·Î ó¸® µÇ¾î ÀÖ°í ¾Õ \xbfµµ ¾Èº¸ÀÌ´ø±º¿ä.

C·Î ÀÛ¼ºÇÏ¿© ¸Þ¸ð¸®¿¡ Á÷Á¢ ÁÖ¼Ò°ªÀ» ÀÔ·ÂÇÏ¸é ¹®Á¦°¡ ¾ø´Âµ¥ ¿Ö ½ºÅ©¸³Æ® ¾ð¾î·Î ÀÛ¼º½Ã¿¡ ¹®Á¦°¡

¹ß»ýÇÏ´ÂÁö ¸ð¸£°Ú³×¿ä. ´Ù¸¥ºÐµéÀº À߸¸ ÇϽôøµ¥;;

°°Àº °æÇèÇؼ­ ÇØ°áÇϽźÐ~~ ´ä±Û ´Þ¾ÆÁÖ¼¼¿ä~~

  Hit : 4181     Date : 2011/06/23 02:32


    
hj7933 Redhat 6.2 ÀÔ´Ï´Ù. ¹æ±Ý CentOS ÃÖ±Ù ¹öÁ¯¿¡¼­ Å×½ºÆ® Çߴµ¥ °Å±â¼­´Â Àßµé¾î°¡³×¿ä;;
Perl ½ºÅ©¸³Æ® ¶Ç´Â OSÀÇ ¾ð¾îÆÑ ¹®Á¦ ÀÏ ¼öµµ Àְڳ׿ä..		 2011/06/23  
hj7933 Çä;; BOF¿øÁ¤´ë 1¹ø ¹®Á¦ ¿¡¼­ Å×½ºÆ® Çغôµ¥ °Å±â¼­µµ ¸¶Âù°¡Áö³×¿ä Perl, Python ¹öÁ¯ ¹®Á¦?? ¾Æ½Ã´ÂºÐ ´äÁ»¿È~~¤Ð¤Ð 2011/06/23  
W.H. bash2 ½ÇÇàÇϽðí Çغ¸¼¼¿ä ¹ö±×¶«½Ã bash¿¡¼± 0xff°¡ Àß ¾Ê¸ÔÈü´Ï´Ù. 2011/06/23  
hj7933 ±×·¨±º¿ä.. ´äº¯ °¨»çÇÕ´Ï´Ù ^^

´Ù¸¥ ºÐµéÀ» À§ÇØ Å×½ºÆ® ºÙ¿© ³Ö±â

[root@BOF /home]# printenv
PWD=/home
HOSTNAME=BOF
LESSOPEN=|/usr/bin/lesspipe.sh %s
ENV=/root/.bashrc
USER=root
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MACHTYPE=i386-redhat-linux-gnu
MAIL=/var/spool/mail/root
INPUTRC=/etc/inputrc
LANG=en_US
LOGNAME=root
SHLVL=1
SHELL=/bin/bash2 <-- /bin/bash2 »ç¿ë
USERNAME=root
HOSTTYPE=i386
OSTYPE=linux-gnu
HISTSIZE=1000
TERM=vt100
HOME=/root
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin
_=/usr/bin/printenv
OLDPWD=/root
[root@BOF /home]# ls
bof0x01 bof0x02 ftp httpd lost+found
[root@BOF /home]# cd bof0x01
[root@BOF bof0x01]# ls
1.NOP 2.ENV 3.HEAP 4.Func_overflow 5.Format_String 6.DTOR My_exploit_Tools
[root@BOF bof0x01]# cd 1.NOP/
[root@BOF 1.NOP]# gdb vuln
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) disass main
Dump of assembler code for function main:
0x80483d0 <main>: push %ebp
0x80483d1 <main+1>: mov %esp,%ebp
0x80483d3 <main+3>: sub $0x1f4,%esp
0x80483d9 <main+9>: mov 0xc(%ebp),%eax
0x80483dc <main+12>: add $0x4,%eax
0x80483df <main+15>: mov (%eax),%edx
0x80483e1 <main+17>: push %edx
0x80483e2 <main+18>: lea 0xfffffe0c(%ebp),%eax
0x80483e8 <main+24>: push %eax
0x80483e9 <main+25>: call 0x8048308 <strcpy>
0x80483ee <main+30>: add $0x8,%esp
0x80483f1 <main+33>: xor %eax,%eax
0x80483f3 <main+35>: jmp 0x80483f5 <main+37>
0x80483f5 <main+37>: leave
0x80483f6 <main+38>: ret
End of assembler dump.
(gdb) b *main+9
Breakpoint 1 at 0x80483d9: file vuln.c, line 3.
(gdb) b *main+30
Breakpoint 2 at 0x80483ee: file vuln.c, line 3.
(gdb) r `perl -e 'print "\x45\x45\xff\xff\xff\xff\x45\x45"'`
Starting program: /home/bof0x01/1.NOP/vuln `perl -e 'print "\x45\x45\xff\xff\xff\xff\x45\x45"'`

Breakpoint 1, main (argc=2, argv=0xbffffb64) at vuln.c:3
3 strcpy( buffer, argv[1] );
(gdb) info reg esp
esp 0xbffff924 -1073743580
(gdb) c
Continuing.

Breakpoint 2, 0x80483ee in main (argc=2, argv=0xbffffb64) at vuln.c:3
3 strcpy( buffer, argv[1] );
(gdb) x/4 0xbffff924
0xbffff924: 0xffff4545 0x4545ffff 0x00000000 0x400139d0
(gdb)


Àß µé¾î°¡³×¿ä. °¨»çÇÕ´Ï´Ù.		 2011/06/28