System Hacking

   SmileBedge
   Shellcode segmentation fault;;

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1509


The OS is Red Hat 9, kernel 2.4xxx.

First, I put the machine code into code[]:

char code[] = "\xe8\xdd\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x00\x90\x55\x89\xe5\x56"
              "\xba\x0b\x00\x00\x00\x59\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80";

and tried two pieces of code that were floating around on the internet (both use the code[] above):

1.
int main()
{
        int *run;

        /* &run + 2 is main's saved return address on this 32-bit x86 stack layout;
           overwriting it with the address of code[] makes `return` jump into the shellcode */
        run = (int *)&run + 2;
        (*run) = (int) code;

        return 0;
}
2.
int main()
{
        void (*run)(void);

        /* treat the byte array as a function and call it directly */
        run = (void (*)(void))code;
        run();

        return 0;
}
Running it either way gives me a segmentation fault...

Where did I go wrong...

  Hit : 3848     Date : 2011/07/29 10:21



    
늅늅  Isn't it because of the \00? There are quite a lot of \00s in there.  2011/07/29
W.H.  If there is a \x00 in the shellcode it won't run properly.  2011/07/30
pwn3r  ㄴ If you remove the NULLs from code that needs NULLs, it won't run at all ~

Disassembling it, it looks like you were trying to print Hello World, but going by FTZ the beginning of the first shellcode is odd.

0x08049440 <code+0>: call 0x8049422 <data_start+2> // this is the odd part

0x08049445 <code+5>: dec %eax // "Hello World"
0x08049446 <code+6>: gs // "Hello World"
0x08049447 <code+7>: insb (%dx),%es:(%edi)// "Hello World"
0x08049448 <code+8>: insb (%dx),%es:(%edi)// "Hello World"
0x08049449 <code+9>: outsl %ds:(%esi),(%dx)// "Hello World"
0x0804944a <code+10>: and %dl,0x6f(%edi)// "Hello World"
0x0804944d <code+13>: jb 0x80494bb <_DYNAMIC+67>// "Hello World"
0x0804944f <code+15>: add %dl,%fs:0x56e58955(%eax)// "Hello World"
0x08049456 <code+22>: mov $0xb,%edx // 11 characters
0x0804945b <code+27>: pop %ecx // pop out "Hello World"
0x0804945c <code+28>: mov $0x1,%ebx // stdout
0x08049461 <code+33>: mov $0x4,%eax // write
0x08049466 <code+38>: int $0x80 // 0x80 interrupt
0x08049468 <code+40>: mov $0x1,%eax // exit
0x0804946d <code+45>: mov $0x0,%ebx // 0
0x08049472 <code+50>: int $0x80 // 0x80 interrupt

In the disassembly, the bytecode at code+0 is \xe8\xdd\xff\xff\xff, but the offset between code+5 and code+22 is 0x11. (code+5 ~ code+21 is "Hello World")
So if you change it to \xe8\x11\x00\x00\x00 it works fine :)



Proof:

[guest@ftz guest]$ cat pwn3r.c
char code2[] = "\xe8\x11\x00\x00\x00\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x00\x90\x55\x89\xe5\x56"
"\xba\x0b\x00\x00\x00\x59\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80";
int main()
{
int *run;

run = (int *)&run+2;
(*run) = (int) code2;

return 0;
}

[guest@ftz guest]$ ./pwn3r
Hello World[guest@ftz guest]$
2011/07/30
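The rel32 arithmetic behind pwn3r's reply, as an added example that is not part of the thread: it decodes the displacement of the leading call in the posted bytes, shows that \xdd\xff\xff\xff lands 30 bytes before the buffer while the corrected \x11 lands on the mov at code+22, and checks that the mov $imm,%edx length matches the string the call skipped over. Only the byte string is from the post; the helper names and checks are mine.

```c
/* Added example (not from the thread): decode the rel32 of the leading x86 `call` in the
 * posted shellcode and check it against the layout the reply describes (call -> string ->
 * pop %ecx -> write). Only the byte string below is from the post; the rest is mine. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALL_LEN 5   /* E8 + 4-byte little-endian displacement */
static const unsigned char posted_code[] =
    "\xe8\xdd\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x00\x90\x55\x89\xe5\x56"
    "\xba\x0b\x00\x00\x00\x59\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80";
#define CODE_LEN (sizeof(posted_code) - 1)   /* drop the C string terminator */

static int32_t rd_le32(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
/* Offset, relative to code[0], that the leading `call` transfers to: rel32 counts from the
 * next instruction, so target = 5 + disp. LONG_MIN if code[0] is not E8. */
long call_target(const unsigned char *code, size_t len)
{
    if (len < CALL_LEN || code[0] != 0xE8)
        return LONG_MIN;
    return CALL_LEN + (long)rd_le32(code + 1);
}
/* Patch the displacement so the call lands on `target` (what the reply's \x11 does). */
void fix_call(unsigned char *code, size_t target)
{
    uint32_t disp = (uint32_t)(target - CALL_LEN);
    for (int i = 0; i < 4; i++)
        code[1 + i] = (unsigned char)(disp >> (8 * i));
}
/* 1 if the call lands inside the buffer on `mov $imm32,%edx` (BA imm32) and imm32 equals
 * the length of the NUL-terminated string the call skipped over, as write(2) needs. */
int layout_ok(const unsigned char *code, size_t len)
{
    long t = call_target(code, len);
    if (t < CALL_LEN || (size_t)t + 5 > len || code[t] != 0xBA)
        return 0;
    size_t slen = 0;
    while (CALL_LEN + slen < (size_t)t && code[CALL_LEN + slen] != 0) slen++;
    return rd_le32(code + t + 1) == (int32_t)slen;
}
int main(void)
{
    unsigned char fixed[CODE_LEN];
    memcpy(fixed, posted_code, CODE_LEN);
    fix_call(fixed, 22);   /* the reply's \xe8\x11\x00\x00\x00: skip the 17 bytes after the call */
    printf("posted: call -> code%+ld (%s)\n", call_target(posted_code, CODE_LEN), layout_ok(posted_code, CODE_LEN) ? "ok" : "broken");
    printf("fixed:  call -> code%+ld (%s)\n", call_target(fixed, CODE_LEN), layout_ok(fixed, CODE_LEN) ? "ok" : "broken");
    return 0;
}
```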