System Hacking

   supershop
   A question about the contents of the Phrack 14-49 document.

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1500


To study bof I am first reading the Phrack 14-49 document,
and I have a question about the part that analyzes the execve function in order to write shellcode.

=== The execve function call ===
0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)        ; name[0] = "/bin/sh";
0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)                  ; name[1] = NULL;
0x8000144 <main+20>:    pushl  $0x0
0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
0x8000149 <main+25>:    pushl  %eax
0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
0x800014d <main+29>:    pushl  %eax
0x800014e <main+30>:    call   0x80002bc <__execve>                 ; execve(name[0], name, NULL);

=== Inside execve: entering kernel mode ===
0x80002bf <__execve+3>: pushl  %ebx
0x80002c0 <__execve+4>: movl   $0xb,%eax
0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
0x80002ce <__execve+18>:        int    $0x80

I understand how the code above works, but I do not understand the part that explains how to write shellcode based on it.

a) Have the null terminated string "/bin/sh" somewhere in memory.
b) Have the address of the string "/bin/sh" somewhere in memory
    followed by a null long word.
c) Copy 0xb into the EAX register.
d) Copy the address of the address of the string "/bin/sh" into the
    EBX register.
e) Copy the address of the string "/bin/sh" into the ECX register.
f) Copy the address of the null long word into the EDX register.
g) Execute the int $0x80 instruction.

In this part, aren't the things that should go into the EBX and ECX registers swapped with each other?
I drew out the stack and no matter how I look at it, those two seem to be swapped...
If I am wrong, I would appreciate a detailed explanation of why (__)

  Hit : 3595     Date : 2011/07/09 04:46



    
W.H. Hmm... maybe it is my understanding that is lacking, but I can't follow it..

http://www.hackerschool.org/HS_Boards/data/Lib_system/aleph.txt

This is the Korean translation, take a look at it.

Ah, now I understand.

d) Copy the address of the address of the string "/bin/sh" into the EBX register.
e) Copy the address of the string "/bin/sh" into the ECX register.

That is what it says, and in the source,

0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx

"/bin/sh"ÀÇ ÁÖ¼Ò¸¦ EBX·Î º¹»çÇÑ´Ù.

0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx

copies the address of name[] into ECX.

But say /bin/sh is at 0x00010000, and the value 0x00010000 is stored at 0x10101010.

Then what has to go into the argument is not the value 0x00010000 itself but 0x10101010, which points to 0x00010000.

That is why it says

d) Copy the address of the address of the string "/bin/sh" into the EBX register.
2011/07/12  
supershop Thank you for the reply. What seemed strange to me is that when I draw out the stack and analyze it, the address of the address of /bin/sh is stored in ECX and the address of /bin/sh is stored in EBX.
And if you look right after that a)~g) list,

movl string_addr,string_addr_addr
movb $0x0,null_byte_addr
movl $0x0,null_addr
movl $0xb,%eax
movl string_addr,%ebx ; copy the address of /bin/sh into EBX
leal string_addr,%ecx ; copy the address of the address of /bin/sh into ECX
leal null_string,%edx
int $0x80
movl $0x1, %eax
movl $0x0, %ebx
int $0x80
/bin/sh string goes here.

it is written like that, which does not agree with d) and e).
Isn't this a case of the author writing d) and e) the wrong way round by mistake?
2011/07/12
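The register order argued over in this thread, as an added C example that is not part of any post here: a constructed model of the int $0x80 entry that checks what a sys_execve would find behind EBX, ECX and EDX, called once in the order the disassembled __execve stub uses (first argument into EBX, second into ECX) and once with EBX and ECX exchanged. The names model_int80, libc_style_execve, swapped_execve, try_stub_order and try_swapped_order are hypothetical, and the model is a simplification, not kernel code.

```c
#include <stdint.h>
#include <stdio.h>

#define SYS_EXECVE 0xb  /* the value __execve loads into EAX before int $0x80 */

/* Constructed model of the int $0x80 entry for execve: what a sys_execve
 * expects to find behind each register. Returns 0 when the request is well formed. */
static int model_int80(uint32_t eax, uintptr_t ebx, uintptr_t ecx, uintptr_t edx)
{
    const char *filename = (const char *)ebx;   /* must point at the "/bin/sh" string   */
    char *const *argv    = (char *const *)ecx;  /* must point at name[] (pointer to pointer) */
    char *const *envp    = (char *const *)edx;  /* NULL in the Phrack example           */
    (void)envp;

    if (eax != SYS_EXECVE)
        return -1;
    /* The path must be a string that begins with '/'. */
    if (filename == NULL || filename[0] != '/')
        return -2;
    /* argv[0] must be that same string, and argv must end with a NULL long word. */
    if (argv == NULL || argv[0] != filename || argv[1] != NULL)
        return -3;
    return 0;
}

/* Mirrors the disassembled stub: 0x8(%ebp) -> EBX, 0xc(%ebp) -> ECX, 0x10(%ebp) -> EDX. */
int libc_style_execve(const char *path, char *const argv[], char *const envp[])
{
    return model_int80(SYS_EXECVE, (uintptr_t)path, (uintptr_t)argv, (uintptr_t)envp);
}

/* The other order: the address of the address (name) in EBX, the string's address in ECX. */
int swapped_execve(const char *path, char *const argv[], char *const envp[])
{
    return model_int80(SYS_EXECVE, (uintptr_t)argv, (uintptr_t)path, (uintptr_t)envp);
}

/* Build name[] exactly as main() in the Phrack listing does, then try each order. */
int try_stub_order(void)
{
    char *name[2] = { "/bin/sh", NULL };  /* name[0] = "/bin/sh"; name[1] = NULL; */
    return libc_style_execve(name[0], name, NULL);   /* returns 0 */
}

int try_swapped_order(void)
{
    char *name[2] = { "/bin/sh", NULL };
    return swapped_execve(name[0], name, NULL);      /* returns a negative code */
}

int main(void)
{
    printf("stub order: %d, swapped order: %d\n", try_stub_order(), try_swapped_order());
    return 0;
}
```

With EBX and ECX exchanged the model sees a pointer array where it expects a path string, so the request is rejected before anything is executed.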